ViewMTN: Diff from [5a1d14c4..] to [b773b0a7..]

The unified diff between revisions [5a1d14c4..] and [b773b0a7..] is displayed below. It can also be downloaded as a raw diff.
This diff has been restricted to the following files: 'src/x509stor.cpp'
#
#
# patch "src/x509stor.cpp"
#  from [b885de41c4d7fef9b57d9a6468103d7642358a19]
#    to [18753c606cbad1e6b18ef3a9336acd0a88769ac6]
#
============================================================
--- src/x509stor.cpp	b885de41c4d7fef9b57d9a6468103d7642358a19
+++ src/x509stor.cpp	18753c606cbad1e6b18ef3a9336acd0a88769ac6
@@ -21,16 +21,13 @@ s32bit validity_check(const X509_Time& s
 * Do a validity check                            *
 *************************************************/
 s32bit validity_check(const X509_Time& start, const X509_Time& end,
-                      u64bit current_time)
+                      u64bit current_time, u32bit slack)
    {
-   const u32bit ALLOWABLE_SLIP =
-      global_config().option_as_time("x509/validity_slack");
-
    const s32bit NOT_YET_VALID = -1, VALID_TIME = 0, EXPIRED = 1;

-   if(start.cmp(current_time + ALLOWABLE_SLIP) > 0)
+   if(start.cmp(current_time + slack) > 0)
       return NOT_YET_VALID;
-   if(end.cmp(current_time - ALLOWABLE_SLIP) < 0)
+   if(end.cmp(current_time - slack) < 0)
       return EXPIRED;
    return VALID_TIME;
    }
@@ -174,18 +171,25 @@ X509_Store::X509_Store()
 X509_Store::X509_Store()
    {
    revoked_info_valid = true;
+
+   time_slack = timespec_to_u32bit(
+      global_config().option("x509/validity_slack"));
+
+   validation_cache_timeout = timespec_to_u32bit(
+      global_config().option("x509/cache_verify_results"));
    }

 /*************************************************
 * X509_Store Copy Constructor                    *
 *************************************************/
-X509_Store::X509_Store(const X509_Store& store)
+X509_Store::X509_Store(const X509_Store& other)
    {
-   certs = store.certs;
-   revoked = store.revoked;
-   revoked_info_valid = store.revoked_info_valid;
-   for(u32bit j = 0; j != store.stores.size(); ++j)
-      stores[j] = store.stores[j]->clone();
+   certs = other.certs;
+   revoked = other.revoked;
+   revoked_info_valid = other.revoked_info_valid;
+   for(u32bit j = 0; j != other.stores.size(); ++j)
+      stores[j] = other.stores[j]->clone();
+   time_slack = other.time_slack;
    }

 /*************************************************
@@ -213,7 +217,7 @@ X509_Code X509_Store::validate_cert(cons
    const u64bit current_time = system_time();

    s32bit time_check = validity_check(cert.start_time(), cert.end_time(),
-                                      current_time);
+                                      current_time, time_slack);
    if(time_check < 0)      return CERT_NOT_YET_VALID;
    else if(time_check > 0) return CERT_HAS_EXPIRED;

@@ -227,8 +231,12 @@ X509_Code X509_Store::validate_cert(cons
    for(u32bit j = 0; j != indexes.size() - 1; ++j)
       {
       const X509_Certificate& current_cert = certs[indexes[j]].cert;
+
       time_check = validity_check(current_cert.start_time(),
-                                  current_cert.end_time(), current_time);
+                                  current_cert.end_time(),
+                                  current_time,
+                                  time_slack);
+
       if(time_check < 0)      return CERT_NOT_YET_VALID;
       else if(time_check > 0) return CERT_HAS_EXPIRED;

@@ -302,7 +310,7 @@ X509_Code X509_Store::construct_cert_cha
          return CERT_ISSUER_NOT_FOUND;
       indexes.push_back(parent);

-      if(certs[parent].is_verified())
+      if(certs[parent].is_verified(validation_cache_timeout))
          if(certs[parent].verify_result() != VERIFIED)
             return certs[parent].verify_result();

@@ -331,7 +339,7 @@ X509_Code X509_Store::construct_cert_cha

       const u32bit cert = indexes.back();

-      if(certs[cert].is_verified())
+      if(certs[cert].is_verified(validation_cache_timeout))
          {
          if(certs[cert].verify_result() != VERIFIED)
             throw Internal_Error("X509_Store::construct_cert_chain");
@@ -356,7 +364,7 @@ X509_Code X509_Store::check_sig(const Ce
 X509_Code X509_Store::check_sig(const Cert_Info& cert_info,
                                 const Cert_Info& ca_cert_info) const
    {
-   if(cert_info.is_verified())
+   if(cert_info.is_verified(validation_cache_timeout))
       return cert_info.verify_result();

    const X509_Certificate& cert    = cert_info.cert;
@@ -428,7 +436,8 @@ void X509_Store::recompute_revoked_info(

    for(u32bit j = 0; j != certs.size(); ++j)
       {
-      if((certs[j].is_verified()) && (certs[j].verify_result() != VERIFIED))
+      if((certs[j].is_verified(validation_cache_timeout)) &&
+         (certs[j].verify_result() != VERIFIED))
          continue;

       if(is_revoked(certs[j].cert))
@@ -557,7 +566,8 @@ X509_Code X509_Store::add_crl(const X509
 X509_Code X509_Store::add_crl(const X509_CRL& crl)
    {
    s32bit time_check = validity_check(crl.this_update(), crl.next_update(),
-                                      system_time());
+                                      system_time(), time_slack);
+
    if(time_check < 0)      return CRL_NOT_YET_VALID;
    else if(time_check > 0) return CRL_HAS_EXPIRED;

@@ -669,19 +679,16 @@ bool X509_Store::Cert_Info::is_trusted()
 /*************************************************
 * Check if this certificate has been verified    *
 *************************************************/
-bool X509_Store::Cert_Info::is_verified() const
+bool X509_Store::Cert_Info::is_verified(u32bit timeout) const
    {
    if(!checked)
       return false;
    if(result != VERIFIED && result != CERT_NOT_YET_VALID)
       return true;

-   const u32bit CACHE_TIME =
-      global_config().option_as_time("x509/cache_verify_results");
-
    const u64bit current_time = system_time();

-   if(current_time > last_checked + CACHE_TIME)
+   if(current_time > last_checked + timeout)
       checked = false;

    return checked;