Eliminate the timegm(3) dependency in libcrypto

timegm(3) is not available on some operating systems we support in
portable. We currently use musl's implementation, for which gcc-13
decided to emit warnings (which seem incorrect in general and are
irrelevant in this case anyway). Instead of patching this up and
diverge from upstream, we can avoid reports about compiler warnings
by simply not depending on this function.

Rework the caching of notBefore and notAfter by replacing timegm(3)
with asn1_time_tm_to_time_t(3). Also make this API properly error
checkable since at the time x509v3_cache_extensions(3) is called,
nothing is known about the cert, in particular not whether it isn't
malformed one way or the other.

suggested by and ok beck

1 files changed, 3 insertions, 2 deletions

diff --git a/src/lib/libcrypto/x509/x509_purp.c b/src/lib/libcrypto/x509/x509_purp.c
index 0c92dfb19c..999ba639c5 100644
--- a/src/lib/libcrypto/x509/x509_purp.c
+++ b/src/lib/libcrypto/x509/x509_purp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_purp.c,v 1.29 2023/08/18 08:42:41 tb Exp $ */
+/* $OpenBSD: x509_purp.c,v 1.30 2023/11/13 10:33:00 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
  * project 2001.
  */
@@ -711,7 +711,8 @@ x509v3_cache_extensions_internal(X509 *x)
         if (!x509_extension_oids_are_unique(x))
                 x->ex_flags |= EXFLAG_INVALID;
 
-        x509_verify_cert_info_populate(x);
+        if (!x509_verify_cert_info_populate(x))
+                x->ex_flags |= EXFLAG_INVALID;
 
         x->ex_flags |= EXFLAG_SET;
 }