items
* show reasons why we couldn't parse a certificate
expiry time
+ * be more accepting about truncated ASN1 times.
* Fix OpenSSL API issue which could leak small amounts
of memory. Issue reported by Guido Vranken.
* For Access-Reject, call rad_authlog() after running
t.tm_year -= 1900;
}
- if ((end - p) < 10) {
+ if ((end - p) < 4) {
fr_strerror_printf("ASN1 string too short, expected 10 additional bytes, got %zu bytes",
end - p);
return -1;
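Review bot: The error text on the context line right after the changed check still reads `expected 10 additional bytes`, but the new condition only requires 4, so a short string would now log a misleading count. The message should follow the check, e.g. `"ASN1 string too short, expected at least 4 additional bytes, got %zu bytes"`. The argument `end - p` looks like a pointer difference (both are dereferenced as character pointers later on), which is signed and does not match `%zu`; passing `(size_t)(end - p)` would keep the existing conversion correct. The enclosing function starts and ends outside this hunk.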
t.tm_mon += (*(p++) - '0') - 1; // -1 since January is 0 not 1.
t.tm_mday = (*(p++) - '0') * 10;
t.tm_mday += (*(p++) - '0');
+
+ if ((end - p) < 2) goto done;
t.tm_hour = (*(p++) - '0') * 10;
t.tm_hour += (*(p++) - '0');
+
+ if ((end - p) < 2) goto done;
t.tm_min = (*(p++) - '0') * 10;
t.tm_min += (*(p++) - '0');
+
+ if ((end - p) < 2) goto done;
t.tm_sec = (*(p++) - '0') * 10;
t.tm_sec += (*(p++) - '0');
/* Apparently OpenSSL converts all timestamps to UTC? Maybe? */
+done:
*out = timegm(&t);
return 0;
}
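Review bot: The three added `if ((end - p) < 2) goto done;` guards decide on remaining length alone, so any two bytes that follow a shortened time are consumed as the next field. A value that omits seconds but still carries a zone suffix (a constructed example: `...HHMM+0100`) would have `+0` read as seconds, leaving a negative `tm_sec` that `timegm()` quietly normalises into a different expiry time. Because the string comes from a certificate, each pair should be checked before it is consumed, e.g. `if (!isdigit((unsigned char) p[0]) || !isdigit((unsigned char) p[1])) goto done;`, or rejected with -1 if a stricter policy is preferred. The start of the function is outside this hunk, so earlier validation of the string cannot be ruled out from here.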