Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1554)
#include <openssl/ct.h>
#include <openssl/err.h>
+#include <time.h>
#include "ct_locl.h"
CT_POLICY_EVAL_CTX *CT_POLICY_EVAL_CTX_new(void)
{
CT_POLICY_EVAL_CTX *ctx = OPENSSL_zalloc(sizeof(CT_POLICY_EVAL_CTX));
+ time_t epoch_time_in_s;
if (ctx == NULL) {
CTerr(CT_F_CT_POLICY_EVAL_CTX_NEW, ERR_R_MALLOC_FAILURE);
return NULL;
}
+ // Use the current time if available.
+ time(&epoch_time_in_s);
+ if (epoch_time_in_s != -1)
+ ctx->epoch_time_in_ms = epoch_time_in_s * 1000;
+
return ctx;
}
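Review bot: In CT_POLICY_EVAL_CTX_new, the expression `epoch_time_in_s * 1000` is evaluated in time_t, so where time_t is 32 bits wide it can overflow before the result is stored in ctx->epoch_time_in_ms. Widen the operand first, for example `ctx->epoch_time_in_ms = (uint64_t)epoch_time_in_s * 1000;` if the field is a 64-bit type. The failure check is better written as `epoch_time_in_s != (time_t)-1`, which is the value time() returns on error. The `//` comment is not valid C90, so use `/* Use the current time if available. */` if this file has to build with pre-C99 compilers.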
The SCT timestamp will be compared to this time to check whether the SCT was
issued in the future. RFC6962 states that "TLS clients MUST reject SCTs whose
-timestamp is in the future". Typically, the time provided to this function will
-be the current time.
+timestamp is in the future". By default, this will be set to the
+current time (obtained by calling time()) if possible.
The time should be in milliseconds since the Unix epoch.
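Review bot: The phrase "if possible" in the added sentence leaves the failure case undocumented. In the constructor the context comes from OPENSSL_zalloc and the field is only written when time() succeeds, so on failure the time stays 0 and any SCT with a non-zero timestamp would compare as issued in the future. Say so explicitly here. It is also worth noting that the default is captured once, when the context is created, so a caller that keeps a context around should set the time again before validating.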