authorbeck <>2024-03-24 11:30:12 +0000
committerbeck <>2024-03-24 11:30:12 +0000
commit5176ab31ca58949fc78b5b06b23adf63a83b9c44 (patch)
treeaf867a635253990b4a88720849f04a8a6bb5d8b3
parentc84d6a97971ee756cdbcf3936caaeaa66a6d2289 (diff)
Convert libressl to use the BoringSSL style time conversions
This gets rid of our last uses of timegm and gmtime in the library and things that ship with it. It includes a bit of refactoring in ocsp_cl.c to remove some obvious ugly. ok tb@
-rw-r--r--src/lib/libcrypto/ocsp/ocsp_cl.c75
-rw-r--r--src/lib/libcrypto/ts/ts_rsp_sign.c4
-rw-r--r--src/lib/libtls/tls_conninfo.c26
-rw-r--r--src/lib/libtls/tls_ocsp.c5
-rw-r--r--src/usr.sbin/ocspcheck/ocspcheck.c5
5 files changed, 61 insertions, 54 deletions
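--- a/src/lib/libcrypto/ocsp/ocsp_cl.c
+++ b/src/lib/libcrypto/ocsp/ocsp_cl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ocsp_cl.c,v 1.24 2024/03/02 09:08:41 tb Exp $ */
+/* $OpenBSD: ocsp_cl.c,v 1.25 2024/03/24 11:30:12 beck Exp $ */
 /* Written by Tom Titchener <Tom_Titchener@groove.net> for the OpenSSL
  * project. */
 
@@ -68,6 +68,7 @@
 #include <openssl/ocsp.h>
 #include <openssl/objects.h>
 #include <openssl/pem.h>
+#include <openssl/posix_time.h>
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
 
@@ -394,69 +395,61 @@ int
 OCSP_check_validity(ASN1_GENERALIZEDTIME *thisupd,
  ASN1_GENERALIZEDTIME *nextupd, long nsec, long maxsec)
 {
- time_t t_now, t_tmp;
- struct tm tm_this, tm_next, tm_tmp;
+ int64_t posix_next, posix_this, posix_now;
+ struct tm tm_this, tm_next;
 
- time(&t_now);
+ /* Negative values of nsec make no sense */
+ if (nsec < 0)
+ return 0;
+
+ posix_now = time(NULL);
 
  /*
  * Times must explicitly be a GENERALIZEDTIME as per section
  * 4.2.2.1 of RFC 6960 - It is invalid to accept other times
  * (such as UTCTIME permitted/required by RFC 5280 for certificates)
  */
-
- /* Check thisUpdate is valid and not more than nsec in the future */
+ /* Check that thisUpdate is valid. */
  if (ASN1_time_parse(thisupd->data, thisupd->length, &tm_this,
  V_ASN1_GENERALIZEDTIME) != V_ASN1_GENERALIZEDTIME) {
  OCSPerror(OCSP_R_ERROR_IN_THISUPDATE_FIELD);
  return 0;
- } else {
- t_tmp = t_now + nsec;
- if (gmtime_r(&t_tmp, &tm_tmp) == NULL)
- return 0;
- if (ASN1_time_tm_cmp(&tm_this, &tm_tmp) > 0) {
+ }
+ if (!OPENSSL_tm_to_posix(&tm_this, &posix_this))
+ return 0;
+ /* thisUpdate must not be more than nsec in the future. */
+ if (posix_this - nsec > posix_now) {
  OCSPerror(OCSP_R_STATUS_NOT_YET_VALID);
  return 0;
  }
-
- /*
- * If maxsec specified check thisUpdate is not more than maxsec
- * in the past
- */
- if (maxsec >= 0) {
- t_tmp = t_now - maxsec;
- if (gmtime_r(&t_tmp, &tm_tmp) == NULL)
- return 0;
- if (ASN1_time_tm_cmp(&tm_this, &tm_tmp) < 0) {
- OCSPerror(OCSP_R_STATUS_TOO_OLD);
- return 0;
- }
- }
+ /* thisUpdate must not be more than maxsec seconds in the past. */
+ if (maxsec >= 0 && posix_this < posix_now - maxsec) {
+ OCSPerror(OCSP_R_STATUS_TOO_OLD);
+ return 0;
  }
 
- if (!nextupd)
+ /* RFC 6960 section 4.2.2.1 allows for servers to not set nextUpdate */
+ if (nextupd == NULL)
  return 1;
 
- /* Check nextUpdate is valid and not more than nsec in the past */
+ /* Check that nextUpdate is valid. */
  if (ASN1_time_parse(nextupd->data, nextupd->length, &tm_next,
  V_ASN1_GENERALIZEDTIME) != V_ASN1_GENERALIZEDTIME) {
  OCSPerror(OCSP_R_ERROR_IN_NEXTUPDATE_FIELD);
  return 0;
- } else {
- t_tmp = t_now - nsec;
- if (gmtime_r(&t_tmp, &tm_tmp) == NULL)
- return 0;
- if (ASN1_time_tm_cmp(&tm_next, &tm_tmp) < 0) {
- OCSPerror(OCSP_R_STATUS_EXPIRED);
- return 0;
- }
  }
-
- /* Also don't allow nextUpdate to precede thisUpdate */
- if (ASN1_time_tm_cmp(&tm_next, &tm_this) < 0) {
+ if (!OPENSSL_tm_to_posix(&tm_next, &posix_next))
+ return 0;
+ /* Don't allow nextUpdate to precede thisUpdate. */
+ if (posix_next < posix_this) {
  OCSPerror(OCSP_R_NEXTUPDATE_BEFORE_THISUPDATE);
  return 0;
  }
+ /* nextUpdate must not be more than nsec seconds in the past. */
+ if (posix_next + nsec < posix_now) {
+ OCSPerror(OCSP_R_STATUS_EXPIRED);
+ return 0;
+ }
 
  return 1;
 }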
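Review bot: The skew checks in the new OCSP_check_validity() body add and subtract the caller-supplied `nsec` to timestamps taken from the OCSP response with no upper bound on `nsec`, so `posix_next + nsec` (and `posix_this - nsec` for a pre-1970 thisUpdate) can overflow int64_t if a caller passes a very large tolerance such as LONG_MAX on an LP64 platform. Signed overflow is undefined behaviour, and here it sits in the comparison that decides whether a response is accepted; only `nsec < 0` is rejected up front. Comparing the difference of the two timestamps keeps the arithmetic in range: `if (posix_this - posix_now > nsec)` and `if (posix_now - posix_next > nsec)`. This assumes OPENSSL_tm_to_posix() bounds its result to the four-digit-year range, which is not visible on this page. Separately, the two `OPENSSL_tm_to_posix` failure returns put no OCSPerror on the queue, unlike the parse failures beside them.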
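--- a/src/lib/libcrypto/ts/ts_rsp_sign.c
+++ b/src/lib/libcrypto/ts/ts_rsp_sign.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ts_rsp_sign.c,v 1.32 2023/08/22 08:09:36 tb Exp $ */
+/* $OpenBSD: ts_rsp_sign.c,v 1.33 2024/03/24 11:30:12 beck Exp $ */
 /* Written by Zoltan Glozik (zglozik@stones.com) for the OpenSSL
  * project 2002.
  */
@@ -999,7 +999,7 @@ TS_RESP_set_genTime_with_precision(ASN1_GENERALIZEDTIME *asn1_time,
  if (precision > TS_MAX_CLOCK_PRECISION_DIGITS)
  goto err;
 
- if (!(tm = gmtime(&sec)))
+ if (OPENSSL_gmtime(&sec, tm) == NULL)
  goto err;
 
  /*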
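Review bot: `OPENSSL_gmtime(&sec, tm)` passes `tm` as the output buffer, but the removed line assigned `tm` from gmtime()'s return value, so `tm` was a `struct tm *` there. Its declaration is outside the hunk and the hunk does not change it; if it is still a bare pointer, this call writes through a NULL or uninitialised pointer. In that case declare `struct tm tm;`, call `OPENSSL_gmtime(&sec, &tm)`, and adjust the later `tm->` uses to match. The body of TS_RESP_set_genTime_with_precision() starts and ends outside the hunk, so those later uses need checking in the full file.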
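--- a/src/lib/libtls/tls_conninfo.c
+++ b/src/lib/libtls/tls_conninfo.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_conninfo.c,v 1.24 2023/11/13 10:51:49 tb Exp $ */
+/* $OpenBSD: tls_conninfo.c,v 1.25 2024/03/24 11:30:12 beck Exp $ */
 /*
  * Copyright (c) 2015 Joel Sing <jsing@openbsd.org>
  * Copyright (c) 2015 Bob Beck <beck@openbsd.org>
@@ -19,12 +19,27 @@
 #include <stdio.h>
 #include <string.h>
 
+#include <openssl/posix_time.h>
 #include <openssl/x509.h>
 
 #include <tls.h>
 #include "tls_internal.h"
 
-int ASN1_time_tm_clamp_notafter(struct tm *tm);
+static int
+tls_convert_notafter(struct tm *tm, time_t *out_time)
+{
+ int64_t posix_time;
+
+ /* OPENSSL_timegm() fails if tm is not representable in a time_t */
+ if (OPENSSL_timegm(tm, out_time))
+ return 1;
+ if (!OPENSSL_tm_to_posix(tm, &posix_time))
+ return 0;
+ if (posix_time < INT32_MIN)
+ return 0;
+ *out_time = (posix_time > INT32_MAX) ? INT32_MAX : posix_time;
+ return 1;
+}
 
 int
 tls_hex_string(const unsigned char *in, size_t inlen, char **out,
@@ -121,13 +136,10 @@ tls_get_peer_cert_times(struct tls *ctx, time_t *notbefore,
  goto err;
  if (!ASN1_TIME_to_tm(after, &after_tm))
  goto err;
- if (!ASN1_time_tm_clamp_notafter(&after_tm))
+ if (!tls_convert_notafter(&after_tm, notafter))
  goto err;
- if ((*notbefore = timegm(&before_tm)) == -1)
+ if (!OPENSSL_timegm(&before_tm, notbefore))
  goto err;
- if ((*notafter = timegm(&after_tm)) == -1)
- goto err;
-
  return (0);
 
  err: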
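Review bot: tls_convert_notafter() has no header comment, and its contract cannot be read off the call site in tls_get_peer_cert_times(). When OPENSSL_timegm() fails, it reports a notAfter above INT32_MAX as INT32_MAX and fails for one below INT32_MIN. A comment above the function would state this, for example `/* Convert a notAfter tm to time_t. If it does not fit, clamp values above INT32_MAX to INT32_MAX and fail for values below INT32_MIN. */`. The same comment could note that `*notafter` is now written before the notBefore conversion can fail; whether the `err` path resets it is not visible, because that part of the function is outside the hunk.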
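--- a/src/lib/libtls/tls_ocsp.c
+++ b/src/lib/libtls/tls_ocsp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_ocsp.c,v 1.24 2023/11/13 10:56:19 tb Exp $ */
+/* $OpenBSD: tls_ocsp.c,v 1.25 2024/03/24 11:30:12 beck Exp $ */
 /*
  * Copyright (c) 2015 Marko Kreen <markokr@gmail.com>
  * Copyright (c) 2016 Bob Beck <beck@openbsd.org>
@@ -25,6 +25,7 @@
 
 #include <openssl/err.h>
 #include <openssl/ocsp.h>
+#include <openssl/posix_time.h>
 #include <openssl/x509.h>
 
 #include <tls.h>
@@ -68,7 +69,7 @@ tls_ocsp_asn1_parse_time(struct tls *ctx, ASN1_GENERALIZEDTIME *gt, time_t *gt_t
  return -1;
  if (!ASN1_TIME_to_tm(gt, &tm))
  return -1;
- if ((*gt_time = timegm(&tm)) == -1)
+ if (!OPENSSL_timegm(&tm, gt_time))
  return -1;
  return 0;
 }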
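--- a/src/usr.sbin/ocspcheck/ocspcheck.c
+++ b/src/usr.sbin/ocspcheck/ocspcheck.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ocspcheck.c,v 1.32 2023/11/13 11:46:24 tb Exp $ */
+/* $OpenBSD: ocspcheck.c,v 1.33 2024/03/24 11:30:12 beck Exp $ */
 
 /*
  * Copyright (c) 2017,2020 Bob Beck <beck@openbsd.org>
@@ -34,6 +34,7 @@
 
 #include <openssl/err.h>
 #include <openssl/ocsp.h>
+#include <openssl/posix_time.h>
 #include <openssl/ssl.h>
 
 #include "http.h"
@@ -193,7 +194,7 @@ parse_ocsp_time(ASN1_GENERALIZEDTIME *gt)
  return -1;
  if (!ASN1_TIME_to_tm(gt, &tm))
  return -1;
- if ((rv = timegm(&tm)) == -1)
+ if (!OPENSSL_timegm(&tm, &rv))
  return -1;
  return rv;
 }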