On Wed, May 27, 2026 at 05:27:22AM +0200, Theo Buehler wrote:
> ASN1_TIME_to_tm() in LibreSSL and modern OpenSSL ensure that at is a
> valid ASN1_TIME. Both GeneralizedTime and UTCTime can represent times
> before epoch, so the error is currently slightly too aggressive. Use
> the idiom in the timegm(3) CAVEATS.
>
> We could use OPENSSL_gmtime() instead but this would require a compat
> implementation for OpenSSL < 4 (and LibreSSL 3.6) in portable. To keep
> things reasonably simple the compat impl would likely be the below...
> 
> Index: x509.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/rpki-client/x509.c,v
> diff -u -p -r1.131 x509.c
> --- x509.c	13 Apr 2026 03:36:10 -0000	1.131
> +++ x509.c	27 May 2026 03:14:50 -0000
> @@ -298,7 +298,8 @@ x509_get_time(const ASN1_TIME *at, time_
>  		return 0;
>  	if (!ASN1_TIME_to_tm(at, &tm))
>  		return 0;
> -	if ((*t = timegm(&tm)) < 0)
> +	tm.tm_wday = -1;
> +	if ((*t = timegm(&tm)) == -1 && tm.tm_wday == -1)
>  		return 0;
>  	return 1;
>  }
> 

Lets use the common idiom for timegm().

OK claudio@

-- 
:wq Claudio