Add ability to clamp a notafter to values representable in a 32 bit time_t

This will only be used in portable. As noted, necessary to
make us conformant to RFC 5280 4.1.2.5.
ok jsing@ bcook@

2 files changed, 20 insertions, 2 deletions

diff --git a/src/lib/libcrypto/asn1/a_time_tm.c b/src/lib/libcrypto/asn1/a_time_tm.c
index f0afc00be4..48f9f8b5e1 100644
--- a/src/lib/libcrypto/asn1/a_time_tm.c
+++ b/src/lib/libcrypto/asn1/a_time_tm.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: a_time_tm.c,v 1.12 2017/05/06 17:12:59 beck Exp $ */
+/* $OpenBSD: a_time_tm.c,v 1.13 2017/08/13 19:47:49 beck Exp $ */
 /*
  * Copyright (c) 2015 Bob Beck <beck@openbsd.org>
  *
@@ -58,6 +58,22 @@ ASN1_time_tm_cmp(struct tm *tm1, struct tm *tm2) {
         return 0;
 }
 
+int
+ASN1_time_tm_clamp_notafter(struct tm *tm)
+{
+#ifdef SMALL_TIME_T
+        struct tm broken_os_epoch_tm;
+        time_t broken_os_epoch_time = INT_MAX;
+
+        if (gmtime_r(&broken_os_epoch_time, &broken_os_epoch_tm) == NULL)
+                return 0;
+
+        if (ASN1_time_tm_cmp(tm, &broken_os_epoch_tm) == 1)
+                memcpy(tm, &broken_os_epoch_tm, sizeof(*tm));
+#endif
+        return 1;
+}
+
 /* Format a time as an RFC 5280 format Generalized time */
 char *
 gentime_string_from_tm(struct tm *tm)
diff --git a/src/lib/libcrypto/asn1/asn1_locl.h b/src/lib/libcrypto/asn1/asn1_locl.h
index 17bb4157a9..68f71dfc4a 100644
--- a/src/lib/libcrypto/asn1/asn1_locl.h
+++ b/src/lib/libcrypto/asn1/asn1_locl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: asn1_locl.h,v 1.8 2016/12/21 15:49:29 jsing Exp $ */
+/* $OpenBSD: asn1_locl.h,v 1.9 2017/08/13 19:47:49 beck Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2006.
  */
@@ -152,4 +152,6 @@ struct x509_crl_method_st {
 int UTF8_getc(const unsigned char *str, int len, unsigned long *val);
 int UTF8_putc(unsigned char *str, int len, unsigned long value);
 
+int ASN1_time_tm_clamp_notafter(struct tm *tm);
+
 __END_HIDDEN_DECLS