authorDavid Howells <dhowells@redhat.com>2013-06-18 12:40:44 -0400
committerDavid Howells <dhowells@redhat.com>2013-09-25 12:17:01 -0400
commit124df926090b32a998483f6e43ebeccdbe5b5302 (patch)
treee9d05eaea4ad42e982e1b46961201dc5d91d8492
parent17334cabc814f8847975cddc0e29291af6093464 (diff)
X.509: Remove certificate date checks
Remove the certificate date checks that are performed when a certificate is parsed. There are two checks: a valid from and a valid to. The first check is causing a lot of problems with system clocks that don't keep good time and the second places an implicit expiry date upon the kernel when used for module signing, so do we really need them? Signed-off-by: David Howells <dhowells@redhat.com> cc: David Woodhouse <dwmw2@infradead.org> cc: Rusty Russell <rusty@rustcorp.com.au> cc: Josh Boyer <jwboyer@redhat.com> cc: Alexander Holler <holler@ahsoftware.de> cc: stable@vger.kernel.org
-rw-r--r--crypto/asymmetric_keys/x509_public_key.c38
1 files changed, 0 insertions, 38 deletions
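diff --git a/crypto/asymmetric_keys/x509_public_key.c b/crypto/asymmetric_keys/x509_public_key.c
index 0f55e3b027a0..c1540e8f454a 100644
--- a/crypto/asymmetric_keys/x509_public_key.c
+++ b/crypto/asymmetric_keys/x509_public_key.c
@@ -108,7 +108,6 @@ EXPORT_SYMBOL_GPL(x509_check_signature);
 static int x509_key_preparse(struct key_preparsed_payload *prep)
 {
  struct x509_certificate *cert;
- struct tm now;
  size_t srlen, sulen;
  char *desc = NULL;
  int ret;
@@ -150,43 +149,6 @@ static int x509_key_preparse(struct key_preparsed_payload *prep)
  goto error_free_cert;
  }
 
- time_to_tm(CURRENT_TIME.tv_sec, 0, &now);
- pr_devel("Now: %04ld-%02d-%02d %02d:%02d:%02d\n",
- now.tm_year + 1900, now.tm_mon + 1, now.tm_mday,
- now.tm_hour, now.tm_min, now.tm_sec);
- if (now.tm_year < cert->valid_from.tm_year ||
- (now.tm_year == cert->valid_from.tm_year &&
- (now.tm_mon < cert->valid_from.tm_mon ||
- (now.tm_mon == cert->valid_from.tm_mon &&
- (now.tm_mday < cert->valid_from.tm_mday ||
- (now.tm_mday == cert->valid_from.tm_mday &&
- (now.tm_hour < cert->valid_from.tm_hour ||
- (now.tm_hour == cert->valid_from.tm_hour &&
- (now.tm_min < cert->valid_from.tm_min ||
- (now.tm_min == cert->valid_from.tm_min &&
- (now.tm_sec < cert->valid_from.tm_sec
- ))))))))))) {
- pr_warn("Cert %s is not yet valid\n", cert->fingerprint);
- ret = -EKEYREJECTED;
- goto error_free_cert;
- }
- if (now.tm_year > cert->valid_to.tm_year ||
- (now.tm_year == cert->valid_to.tm_year &&
- (now.tm_mon > cert->valid_to.tm_mon ||
- (now.tm_mon == cert->valid_to.tm_mon &&
- (now.tm_mday > cert->valid_to.tm_mday ||
- (now.tm_mday == cert->valid_to.tm_mday &&
- (now.tm_hour > cert->valid_to.tm_hour ||
- (now.tm_hour == cert->valid_to.tm_hour &&
- (now.tm_min > cert->valid_to.tm_min ||
- (now.tm_min == cert->valid_to.tm_min &&
- (now.tm_sec > cert->valid_to.tm_sec
- ))))))))))) {
- pr_warn("Cert %s has expired\n", cert->fingerprint);
- ret = -EKEYEXPIRED;
- goto error_free_cert;
- }
-
  cert->pub->algo = pkey_algo[cert->pub->pkey_algo];
  cert->pub->id_type = PKEY_ID_X509;
 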