9 files changed, 53 insertions, 28 deletions
diff --git a/CHANGES b/CHANGES
index d2ab339..ec02d06 100644
--- a/CHANGES
+++ b/CHANGES
@@ -5,6 +5,13 @@
 
  Changes between 0.9.1c and 0.9.2
 
+  *) Continuing patches for GeneralizedTime. Fix up certificate and CRL
+     ASN1 to use ASN1_TIME and modify print routines to use ASN1_TIME_print.
+     Removed the versions check from X509 routines when loading extensions:
+     this allows certain broken certificates that don't set the version
+     properly to be processed.
+     [Steve Henson]
+
   *) Deal with irritating shit to do with dependencies, in YAAHW (Yet Another
      Ad Hoc Way) - Makefile.ssls now all contain local dependencies, which
      can still be regenerated with "make depend".
@@ -22,6 +29,7 @@
      C file. To rebuild all the error codes from scratch (the old behaviour)
      either modify crypto/Makefile.ssl to pass the -regen flag to err_code.pl
      or delete all the .err files.
+     [Steve Henson]
 
   *) CAST-128 was incorrectly implemented for short keys. The C version has
      been fixed, but is untested. The assembler versions are also fixed, but
diff --git a/apps/crl.c b/apps/crl.c
index acb5cb9..a0098e9 100644
--- a/apps/crl.c
+++ b/apps/crl.c
@@ -214,14 +214,14 @@ bad:
 			if (lastupdate == i)
 				{
 				fprintf(stdout,"lastUpdate=");
-				ASN1_UTCTIME_print(bio_out,x->crl->lastUpdate);
+				ASN1_TIME_print(bio_out,x->crl->lastUpdate);
 				fprintf(stdout,"\n");
 				}
 			if (nextupdate == i)
 				{
 				fprintf(stdout,"nextUpdate=");
 				if (x->crl->nextUpdate != NULL)
-					ASN1_UTCTIME_print(bio_out,x->crl->nextUpdate);
+					ASN1_TIME_print(bio_out,x->crl->nextUpdate);
 				else
 					fprintf(stdout,"NONE");
 				fprintf(stdout,"\n");
@@ -264,7 +264,7 @@ bad:
 			fprintf(stdout,"revoked: serialNumber=");
 			i2a_ASN1_INTEGER(out,r->serialNumber);
 			fprintf(stdout," revocationDate=");
-			ASN1_UTCTIME_print(bio_out,r->revocationDate);
+			ASN1_TIME_print(bio_out,r->revocationDate);
 			fprintf(stdout,"\n");
 			}
 		sk_free(sk);
diff --git a/apps/pkcs7.c b/apps/pkcs7.c
index 4105dbd..06640bf 100644
--- a/apps/pkcs7.c
+++ b/apps/pkcs7.c
@@ -277,9 +277,9 @@ bad:
 				BIO_puts(out,buf);
 
 				BIO_puts(out,"\nlast update=");
-				ASN1_UTCTIME_print(out,crl->crl->lastUpdate);
+				ASN1_TIME_print(out,crl->crl->lastUpdate);
 				BIO_puts(out,"\nnext update=");
-				ASN1_UTCTIME_print(out,crl->crl->nextUpdate);
+				ASN1_TIME_print(out,crl->crl->nextUpdate);
 				BIO_puts(out,"\n");
 
 				PEM_write_bio_X509_CRL(out,crl);
diff --git a/apps/s_cb.c b/apps/s_cb.c
index 7fa855c..1a7b06e 100644
--- a/apps/s_cb.c
+++ b/apps/s_cb.c
@@ -109,13 +109,13 @@ X509_STORE_CTX *ctx;
 	case X509_V_ERR_CERT_NOT_YET_VALID:
 	case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
 		BIO_printf(bio_err,"notBefore=");
-		ASN1_UTCTIME_print(bio_err,X509_get_notBefore(ctx->current_cert));
+		ASN1_TIME_print(bio_err,X509_get_notBefore(ctx->current_cert));
 		BIO_printf(bio_err,"\n");
 		break;
 	case X509_V_ERR_CERT_HAS_EXPIRED:
 	case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
 		BIO_printf(bio_err,"notAfter=");
-		ASN1_UTCTIME_print(bio_err,X509_get_notAfter(ctx->current_cert));
+		ASN1_TIME_print(bio_err,X509_get_notAfter(ctx->current_cert));
 		BIO_printf(bio_err,"\n");
 		break;
 		}
diff --git a/apps/x509.c b/apps/x509.c
index 58ccd93..fa8537e 100644
--- a/apps/x509.c
+++ b/apps/x509.c
@@ -550,13 +550,13 @@ bad:
 			else if (startdate == i)
 				{
 				BIO_puts(STDout,"notBefore=");
-				ASN1_UTCTIME_print(STDout,X509_get_notBefore(x));
+				ASN1_TIME_print(STDout,X509_get_notBefore(x));
 				BIO_puts(STDout,"\n");
 				}
 			else if (enddate == i)
 				{
 				BIO_puts(STDout,"notAfter=");
-				ASN1_UTCTIME_print(STDout,X509_get_notAfter(x));
+				ASN1_TIME_print(STDout,X509_get_notAfter(x));
 				BIO_puts(STDout,"\n");
 				}
 			else if (fingerprint == i)
diff --git a/crypto/asn1/t_x509.c b/crypto/asn1/t_x509.c
index bfee6f6..060f99d 100644
--- a/crypto/asn1/t_x509.c
+++ b/crypto/asn1/t_x509.c
@@ -146,9 +146,9 @@ X509 *x;
 	if (!X509_NAME_print(bp,X509_get_issuer_name(x),16)) goto err;
 	if (BIO_write(bp,"\n        Validity\n",18) <= 0) goto err;
 	if (BIO_write(bp,"            Not Before: ",24) <= 0) goto err;
-	if (!ASN1_UTCTIME_print(bp,X509_get_notBefore(x))) goto err;
+	if (!ASN1_TIME_print(bp,X509_get_notBefore(x))) goto err;
 	if (BIO_write(bp,"\n            Not After : ",25) <= 0) goto err;
-	if (!ASN1_UTCTIME_print(bp,X509_get_notAfter(x))) goto err;
+	if (!ASN1_TIME_print(bp,X509_get_notAfter(x))) goto err;
 	if (BIO_write(bp,"\n        Subject: ",18) <= 0) goto err;
 	if (!X509_NAME_print(bp,X509_get_subject_name(x),16)) goto err;
 	if (BIO_write(bp,"\n        Subject Public Key Info:\n",34) <= 0)
diff --git a/crypto/asn1/x_cinf.c b/crypto/asn1/x_cinf.c
index 99b9fe7..88099ea 100644
--- a/crypto/asn1/x_cinf.c
+++ b/crypto/asn1/x_cinf.c
@@ -147,7 +147,14 @@ long length;
 		M_ASN1_D2I_get_IMP_opt(ret->subjectUID,d2i_ASN1_BIT_STRING, 2,
 			V_ASN1_BIT_STRING);
 		}
+/* Note: some broken certificates include extensions but don't set
+ * the version number properly. By bypassing this check they can
+ * be parsed.
+ */
+
+#ifdef VERSION_EXT_CHECK
 	if (ver >= 2) /* version 3 extensions */
+#endif
 		{
 		if (ret->extensions != NULL)
 			while (sk_num(ret->extensions))
diff --git a/crypto/asn1/x_crl.c b/crypto/asn1/x_crl.c
index 5e1fa79..8629a73 100644
--- a/crypto/asn1/x_crl.c
+++ b/crypto/asn1/x_crl.c
@@ -85,13 +85,13 @@ unsigned char **pp;
 	M_ASN1_I2D_vars(a);
 
 	M_ASN1_I2D_len(a->serialNumber,i2d_ASN1_INTEGER);
-	M_ASN1_I2D_len(a->revocationDate,i2d_ASN1_UTCTIME);
+	M_ASN1_I2D_len(a->revocationDate,i2d_ASN1_TIME);
 	M_ASN1_I2D_len_SEQUENCE_opt(a->extensions,i2d_X509_EXTENSION);
 
 	M_ASN1_I2D_seq_total();
 
 	M_ASN1_I2D_put(a->serialNumber,i2d_ASN1_INTEGER);
-	M_ASN1_I2D_put(a->revocationDate,i2d_ASN1_UTCTIME);
+	M_ASN1_I2D_put(a->revocationDate,i2d_ASN1_TIME);
 	M_ASN1_I2D_put_SEQUENCE_opt(a->extensions,i2d_X509_EXTENSION);
 
 	M_ASN1_I2D_finish();
@@ -107,7 +107,7 @@ long length;
 	M_ASN1_D2I_Init();
 	M_ASN1_D2I_start_sequence();
 	M_ASN1_D2I_get(ret->serialNumber,d2i_ASN1_INTEGER);
-	M_ASN1_D2I_get(ret->revocationDate,d2i_ASN1_UTCTIME);
+	M_ASN1_D2I_get(ret->revocationDate,d2i_ASN1_TIME);
 	M_ASN1_D2I_get_seq_opt(ret->extensions,d2i_X509_EXTENSION,
 		X509_EXTENSION_free);
 	M_ASN1_D2I_Finish(a,X509_REVOKED_free,ASN1_F_D2I_X509_REVOKED);
@@ -130,9 +130,9 @@ unsigned char **pp;
 		}
 	M_ASN1_I2D_len(a->sig_alg,i2d_X509_ALGOR);
 	M_ASN1_I2D_len(a->issuer,i2d_X509_NAME);
-	M_ASN1_I2D_len(a->lastUpdate,i2d_ASN1_UTCTIME);
+	M_ASN1_I2D_len(a->lastUpdate,i2d_ASN1_TIME);
 	if (a->nextUpdate != NULL)
-		{ M_ASN1_I2D_len(a->nextUpdate,i2d_ASN1_UTCTIME); }
+		{ M_ASN1_I2D_len(a->nextUpdate,i2d_ASN1_TIME); }
 	M_ASN1_I2D_len_SEQUENCE_opt(a->revoked,i2d_X509_REVOKED);
 	M_ASN1_I2D_len_EXP_SEQUENCE_opt(a->extensions,i2d_X509_EXTENSION,0,
 		V_ASN1_SEQUENCE,v1);
@@ -177,8 +177,18 @@ long length;
 		}
 	M_ASN1_D2I_get(ret->sig_alg,d2i_X509_ALGOR);
 	M_ASN1_D2I_get(ret->issuer,d2i_X509_NAME);
-	M_ASN1_D2I_get(ret->lastUpdate,d2i_ASN1_UTCTIME);
-	M_ASN1_D2I_get_opt(ret->nextUpdate,d2i_ASN1_UTCTIME,V_ASN1_UTCTIME);
+	M_ASN1_D2I_get(ret->lastUpdate,d2i_ASN1_TIME);
+	/* Manually handle the OPTIONAL ASN1_TIME stuff */
+	if((c.slen != 0) && 
+		( ( (M_ASN1_next & ~V_ASN1_CONSTRUCTED) ==
+			 V_ASN1_UNIVERSAL|V_ASN1_UTCTIME)
+		|| ( ( (M_ASN1_next & ~V_ASN1_CONSTRUCTED) ==
+			 V_ASN1_UNIVERSAL|V_ASN1_GENERALIZEDTIME) ) ) ) {
+		M_ASN1_D2I_get(ret->nextUpdate,d2i_ASN1_TIME);
+	}
+	if(!ret->nextUpdate) 
+		M_ASN1_D2I_get_opt(ret->nextUpdate,d2i_ASN1_GENERALIZEDTIME,
+							V_ASN1_GENERALIZEDTIME);
 	if (ret->revoked != NULL)
 		{
 		while (sk_num(ret->revoked))
diff --git a/crypto/asn1/x_val.c b/crypto/asn1/x_val.c
index 8d996e9..f6534a6 100644
--- a/crypto/asn1/x_val.c
+++ b/crypto/asn1/x_val.c
@@ -71,13 +71,13 @@ unsigned char **pp;
 	{
 	M_ASN1_I2D_vars(a);
 
-	M_ASN1_I2D_len(a->notBefore,i2d_ASN1_UTCTIME);
-	M_ASN1_I2D_len(a->notAfter,i2d_ASN1_UTCTIME);
+	M_ASN1_I2D_len(a->notBefore,i2d_ASN1_TIME);
+	M_ASN1_I2D_len(a->notAfter,i2d_ASN1_TIME);
 
 	M_ASN1_I2D_seq_total();
 
-	M_ASN1_I2D_put(a->notBefore,i2d_ASN1_UTCTIME);
-	M_ASN1_I2D_put(a->notAfter,i2d_ASN1_UTCTIME);
+	M_ASN1_I2D_put(a->notBefore,i2d_ASN1_TIME);
+	M_ASN1_I2D_put(a->notAfter,i2d_ASN1_TIME);
 
 	M_ASN1_I2D_finish();
 	}
@@ -91,8 +91,8 @@ long length;
 
 	M_ASN1_D2I_Init();
 	M_ASN1_D2I_start_sequence();
-	M_ASN1_D2I_get(ret->notBefore,d2i_ASN1_UTCTIME);
-	M_ASN1_D2I_get(ret->notAfter,d2i_ASN1_UTCTIME);
+	M_ASN1_D2I_get(ret->notBefore,d2i_ASN1_TIME);
+	M_ASN1_D2I_get(ret->notAfter,d2i_ASN1_TIME);
 	M_ASN1_D2I_Finish(a,X509_VAL_free,ASN1_F_D2I_X509_VAL);
 	}
 
@@ -102,8 +102,8 @@ X509_VAL *X509_VAL_new()
 	ASN1_CTX c;
 
 	M_ASN1_New_Malloc(ret,X509_VAL);
-	M_ASN1_New(ret->notBefore,ASN1_UTCTIME_new);
-	M_ASN1_New(ret->notAfter,ASN1_UTCTIME_new);
+	M_ASN1_New(ret->notBefore,ASN1_TIME_new);
+	M_ASN1_New(ret->notAfter,ASN1_TIME_new);
 	return(ret);
 	M_ASN1_New_Error(ASN1_F_X509_VAL_NEW);
 	}
@@ -112,8 +112,8 @@ void X509_VAL_free(a)
 X509_VAL *a;
 	{
 	if (a == NULL) return;
-	ASN1_UTCTIME_free(a->notBefore);
-	ASN1_UTCTIME_free(a->notAfter);
+	ASN1_TIME_free(a->notBefore);
+	ASN1_TIME_free(a->notAfter);
 	Free((char *)a);
 	}