From: "Theo de Raadt" <deraadt@openbsd.org>
Subject: Re: rpki-client: better check for timegm() call
To: Theo Buehler <tb@theobuehler.org>
Cc: tech@openbsd.org
Date: Tue, 26 May 2026 22:04:47 -0600

I think this tm_tday thing is now the pattern we should splat everywhere.
It is better in every case, and cannot create a new problem.

ok deraadt


> ASN1_TIME_to_tm() in LibreSSL and modern OpenSSL ensure that at is a
> valid ASN1_TIME. Both GeneralizedTime and UTCTime can represent times
> before epoch, so the error is currently slightly too aggressive. Use
> the idiom in the timegm(3) CAVEATS.
> 
> We could use OPENSSL_gmtime() instead but this would require a compat
> implementation for OpenSSL < 4 (and LibreSSL 3.6) in portable. To keep
> things reasonably simple the compat impl would likely be the below...
> 
> Index: x509.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/rpki-client/x509.c,v
> diff -u -p -r1.131 x509.c
> --- x509.c	13 Apr 2026 03:36:10 -0000	1.131
> +++ x509.c	27 May 2026 03:14:50 -0000
> @@ -298,7 +298,8 @@ x509_get_time(const ASN1_TIME *at, time_
>  		return 0;
>  	if (!ASN1_TIME_to_tm(at, &tm))
>  		return 0;
> -	if ((*t = timegm(&tm)) < 0)
> +	tm.tm_wday = -1;
> +	if ((*t = timegm(&tm)) == -1 && tm.tm_wday == -1)
>  		return 0;
>  	return 1;
>  }
>