X.509: Remove certificate date checks

Remove the certificate date checks that are performed when a certificate is parsed. There are two checks: a valid from and a valid to. The first check is causing a lot of problems with system clocks that don't keep good time and the second places an implicit expiry date upon the kernel when used for module signing, so do we really need them? Signed-off-by: David Howells <dhowells@redhat.com> cc: David Woodhouse <dwmw2@infradead.org> cc: Rusty Russell <rusty@rustcorp.com.au> cc: Josh Boyer <jwboyer@redhat.com> cc: Alexander Holler <holler@ahsoftware.de> cc: stable@vger.kernel.org
author: David Howells 2013-06-18 11:40:44 -0500
committer: David Howells 2013-09-25 11:17:01 -0500
commit: 124df926090b32a998483f6e43ebeccdbe5b5302 (patch)
tree: e9d05eaea4ad42e982e1b46961201dc5d91d8492 /crypto
parent: 17334cabc814f8847975cddc0e29291af6093464 (diff)
download: linux-phy-124df926090b32a998483f6e43ebeccdbe5b5302.tar.gz
linux-phy-124df926090b32a998483f6e43ebeccdbe5b5302.tar.xz
linux-phy-124df926090b32a998483f6e43ebeccdbe5b5302.zip
1 files changed, 0 insertions, 38 deletions
diff --git a/crypto/asymmetric_keys/x509_public_key.c b/crypto/asymmetric_keys/x509_public_key.c
index 0f55e3b027a0..c1540e8f454a 100644
--- a/crypto/asymmetric_keys/x509_public_key.c
+++ b/crypto/asymmetric_keys/x509_public_key.c
@@ -108,7 +108,6 @@ EXPORT_SYMBOL_GPL(x509_check_signature);
 static int x509_key_preparse(struct key_preparsed_payload *prep)
 {
        struct x509_certificate *cert;
-        struct tm now;
        size_t srlen, sulen;
        char *desc = NULL;
        int ret;
@@ -150,43 +149,6 @@ static int x509_key_preparse(struct key_preparsed_payload *prep)
                goto error_free_cert;
        }
-        time_to_tm(CURRENT_TIME.tv_sec, 0, &now);
-        pr_devel("Now: %04ld-%02d-%02d %02d:%02d:%02d\n",
-                 now.tm_year + 1900, now.tm_mon + 1, now.tm_mday,
-                 now.tm_hour, now.tm_min,  now.tm_sec);
-        if (now.tm_year < cert->valid_from.tm_year ||
-            (now.tm_year == cert->valid_from.tm_year &&
-             (now.tm_mon < cert->valid_from.tm_mon ||
-              (now.tm_mon == cert->valid_from.tm_mon &&
-               (now.tm_mday < cert->valid_from.tm_mday ||
-                (now.tm_mday == cert->valid_from.tm_mday &&
-                 (now.tm_hour < cert->valid_from.tm_hour ||
-                  (now.tm_hour == cert->valid_from.tm_hour &&
-                   (now.tm_min < cert->valid_from.tm_min ||
-                    (now.tm_min == cert->valid_from.tm_min &&
-                     (now.tm_sec < cert->valid_from.tm_sec
-                      ))))))))))) {
-                pr_warn("Cert %s is not yet valid\n", cert->fingerprint);
-                ret = -EKEYREJECTED;
-                goto error_free_cert;
-        }
-        if (now.tm_year > cert->valid_to.tm_year ||
-            (now.tm_year == cert->valid_to.tm_year &&
-             (now.tm_mon > cert->valid_to.tm_mon ||
-              (now.tm_mon == cert->valid_to.tm_mon &&
-               (now.tm_mday > cert->valid_to.tm_mday ||
-                (now.tm_mday == cert->valid_to.tm_mday &&
-                 (now.tm_hour > cert->valid_to.tm_hour ||
-                  (now.tm_hour == cert->valid_to.tm_hour &&
-                   (now.tm_min > cert->valid_to.tm_min ||
-                    (now.tm_min == cert->valid_to.tm_min &&
-                     (now.tm_sec > cert->valid_to.tm_sec
-                      ))))))))))) {
-                pr_warn("Cert %s has expired\n", cert->fingerprint);
-                ret = -EKEYEXPIRED;
-                goto error_free_cert;
-        }
        cert->pub->algo = pkey_algo[cert->pub->pkey_algo];
        cert->pub->id_type = PKEY_ID_X509;
author	David Howells	2013-06-18 11:40:44 -0500
committer	David Howells	2013-09-25 11:17:01 -0500
commit	124df926090b32a998483f6e43ebeccdbe5b5302 (patch)
tree	e9d05eaea4ad42e982e1b46961201dc5d91d8492 /crypto
parent	17334cabc814f8847975cddc0e29291af6093464 (diff)
download	linux-phy-124df926090b32a998483f6e43ebeccdbe5b5302.tar.gz linux-phy-124df926090b32a998483f6e43ebeccdbe5b5302.tar.xz linux-phy-124df926090b32a998483f6e43ebeccdbe5b5302.zip

diff --git a/crypto/asymmetric_keys/x509_public_key.c b/crypto/asymmetric_keys/x509_public_key.c index 0f55e3b027a0..c1540e8f454a 100644 --- a/crypto/asymmetric_keys/x509_public_key.c +++ b/crypto/asymmetric_keys/x509_public_key.c
@@ -108,7 +108,6 @@ EXPORT_SYMBOL_GPL(x509_check_signature);
108	static int x509_key_preparse(struct key_preparsed_payload *prep)	108	static int x509_key_preparse(struct key_preparsed_payload *prep)
109	{	109	{
110	struct x509_certificate *cert;	110	struct x509_certificate *cert;
111	struct tm now;
112	size_t srlen, sulen;	111	size_t srlen, sulen;
113	char *desc = NULL;	112	char *desc = NULL;
114	int ret;	113	int ret;
@@ -150,43 +149,6 @@ static int x509_key_preparse(struct key_preparsed_payload *prep)
150	goto error_free_cert;	149	goto error_free_cert;
151	}	150	}
152		151
153	time_to_tm(CURRENT_TIME.tv_sec, 0, &now);
154	pr_devel("Now: %04ld-%02d-%02d %02d:%02d:%02d\n",
155	now.tm_year + 1900, now.tm_mon + 1, now.tm_mday,
156	now.tm_hour, now.tm_min, now.tm_sec);
157	if (now.tm_year < cert->valid_from.tm_year \|\|
158	(now.tm_year == cert->valid_from.tm_year &&
159	(now.tm_mon < cert->valid_from.tm_mon \|\|
160	(now.tm_mon == cert->valid_from.tm_mon &&
161	(now.tm_mday < cert->valid_from.tm_mday \|\|
162	(now.tm_mday == cert->valid_from.tm_mday &&
163	(now.tm_hour < cert->valid_from.tm_hour \|\|
164	(now.tm_hour == cert->valid_from.tm_hour &&
165	(now.tm_min < cert->valid_from.tm_min \|\|
166	(now.tm_min == cert->valid_from.tm_min &&
167	(now.tm_sec < cert->valid_from.tm_sec
168	))))))))))) {
169	pr_warn("Cert %s is not yet valid\n", cert->fingerprint);
170	ret = -EKEYREJECTED;
171	goto error_free_cert;
172	}
173	if (now.tm_year > cert->valid_to.tm_year \|\|
174	(now.tm_year == cert->valid_to.tm_year &&
175	(now.tm_mon > cert->valid_to.tm_mon \|\|
176	(now.tm_mon == cert->valid_to.tm_mon &&
177	(now.tm_mday > cert->valid_to.tm_mday \|\|
178	(now.tm_mday == cert->valid_to.tm_mday &&
179	(now.tm_hour > cert->valid_to.tm_hour \|\|
180	(now.tm_hour == cert->valid_to.tm_hour &&
181	(now.tm_min > cert->valid_to.tm_min \|\|
182	(now.tm_min == cert->valid_to.tm_min &&
183	(now.tm_sec > cert->valid_to.tm_sec
184	))))))))))) {
185	pr_warn("Cert %s has expired\n", cert->fingerprint);
186	ret = -EKEYEXPIRED;
187	goto error_free_cert;
188	}
189
190	cert->pub->algo = pkey_algo[cert->pub->pkey_algo];	152	cert->pub->algo = pkey_algo[cert->pub->pkey_algo];
191	cert->pub->id_type = PKEY_ID_X509;	153	cert->pub->id_type = PKEY_ID_X509;
192		154