RT3951: Add X509_V_FLAG_NO_CHECK_TIME to suppress time check

In some environments, such as firmware, the current system time is entirely
meaningless. Provide a clean mechanism to suppress the checks against it.

Signed-off-by: Rich Salz <rsalz@akamai.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>

apps/apps.h

@@ -179,7 +179,7 @@ void unbuffer(FILE *fp);
         OPT_V_X509_STRICT, OPT_V_EXTENDED_CRL, OPT_V_USE_DELTAS, \
         OPT_V_POLICY_PRINT, OPT_V_CHECK_SS_SIG, OPT_V_TRUSTED_FIRST, \
         OPT_V_SUITEB_128_ONLY, OPT_V_SUITEB_128, OPT_V_SUITEB_192, \
-        OPT_V_PARTIAL_CHAIN, OPT_V_NO_ALT_CHAINS, \
+        OPT_V_PARTIAL_CHAIN, OPT_V_NO_ALT_CHAINS, OPT_V_NO_CHECK_TIME, \
         OPT_V__LAST
 
 # define OPT_V_OPTIONS \
@@ -209,7 +209,8 @@ void unbuffer(FILE *fp);
         { "suiteB_128", OPT_V_SUITEB_128, '-' }, \
         { "suiteB_192", OPT_V_SUITEB_192, '-' }, \
         { "partial_chain", OPT_V_PARTIAL_CHAIN, '-' }, \
-        { "no_alt_chains", OPT_V_NO_ALT_CHAINS, '-', "Only use the first cert chain found" }
+        { "no_alt_chains", OPT_V_NO_ALT_CHAINS, '-', "Only use the first cert chain found" }, \
+        { "no_check_time", OPT_V_NO_CHECK_TIME, '-', "Do not check validity against current time" }
 
 # define OPT_V_CASES \
         OPT_V__FIRST: case OPT_V__LAST: break; \
@@ -239,7 +240,8 @@ void unbuffer(FILE *fp);
         case OPT_V_SUITEB_128: \
         case OPT_V_SUITEB_192: \
         case OPT_V_PARTIAL_CHAIN: \
-        case OPT_V_NO_ALT_CHAINS
+        case OPT_V_NO_ALT_CHAINS: \
+        case OPT_V_NO_CHECK_TIME
 
 /*
  * Common "extended"? options.

apps/opt.c

@@ -543,6 +543,10 @@ int opt_verify(int opt, X509_VERIFY_PARAM *vpm)
         break;
     case OPT_V_NO_ALT_CHAINS:
         X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_NO_ALT_CHAINS);
+	break;
+    case OPT_V_NO_CHECK_TIME:
+        X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_NO_CHECK_TIME);
+	break;
     }
     return 1;