3 files changed, 8 insertions, 27 deletions
diff --git a/src/lib/libcrypto/x509/x509_internal.h b/src/lib/libcrypto/x509/x509_internal.h
index ced6b306e5..9d69055afa 100644
--- a/src/lib/libcrypto/x509/x509_internal.h
+++ b/src/lib/libcrypto/x509/x509_internal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_internal.h,v 1.2 2020/09/13 15:06:17 beck Exp $ */
+/* $OpenBSD: x509_internal.h,v 1.3 2020/09/15 11:55:14 beck Exp $ */
 /*
 * Copyright (c) 2020 Bob Beck <beck@openbsd.org>
 *
@@ -87,6 +87,9 @@ int x509_vfy_check_trust(X509_STORE_CTX *ctx);
 int x509_vfy_check_chain_extensions(X509_STORE_CTX *ctx);
 void x509v3_cache_extensions(X509 *x);
+int x509_verify_asn1_time_to_tm(const ASN1_TIME *atime, struct tm *tm,
+    int notafter);
 struct x509_verify_ctx *x509_verify_ctx_new_from_xsc(X509_STORE_CTX *xsc,
    STACK_OF(X509) *roots);
diff --git a/src/lib/libcrypto/x509/x509_verify.c b/src/lib/libcrypto/x509/x509_verify.c
index 431f5ab1bc..c3280774f9 100644
--- a/src/lib/libcrypto/x509/x509_verify.c
+++ b/src/lib/libcrypto/x509/x509_verify.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_verify.c,v 1.6 2020/09/14 12:33:51 beck Exp $ */
+/* $OpenBSD: x509_verify.c,v 1.7 2020/09/15 11:55:14 beck Exp $ */
 /*
 * Copyright (c) 2020 Bob Beck <beck@openbsd.org>
 *
@@ -484,7 +484,7 @@ x509_verify_set_check_time(struct x509_verify_ctx *ctx) {
        return 1;
 }
-static int
+int
 x509_verify_asn1_time_to_tm(const ASN1_TIME *atime, struct tm *tm, int notafter)
 {
        int type;
diff --git a/src/lib/libcrypto/x509/x509_vfy.c b/src/lib/libcrypto/x509/x509_vfy.c
index 8a616b6bc2..99a699f99e 100644
--- a/src/lib/libcrypto/x509/x509_vfy.c
+++ b/src/lib/libcrypto/x509/x509_vfy.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_vfy.c,v 1.78 2020/09/14 09:09:08 beck Exp $ */
+/* $OpenBSD: x509_vfy.c,v 1.79 2020/09/15 11:55:14 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -2004,7 +2004,6 @@ X509_cmp_time_internal(const ASN1_TIME *ctm, time_t *cmp_time, int clamp_notafte
        time_t compare;
        struct tm tm1, tm2;
        int ret = 0;
-        int type;
        if (cmp_time == NULL)
                compare = time(NULL);
@@ -2013,30 +2012,9 @@ X509_cmp_time_internal(const ASN1_TIME *ctm, time_t *cmp_time, int clamp_notafte
        memset(&tm1, 0, sizeof(tm1));
-        type = ASN1_time_parse(ctm->data, ctm->length, &tm1, ctm->type);
+        if (!x509_verify_asn1_time_to_tm(ctm, &tm1, clamp_notafter))
-        if (type == -1)
                goto out; /* invalid time */
-        /* RFC 5280 section 4.1.2.5 */
-        if (tm1.tm_year < 150 && type != V_ASN1_UTCTIME)
-                goto out;
-        if (tm1.tm_year >= 150 && type != V_ASN1_GENERALIZEDTIME)
-                goto out;
-        if (clamp_notafter) {
-                /* Allow for completely broken operating systems. */
-                if (!ASN1_time_tm_clamp_notafter(&tm1))
-                        goto out;
-        }
-        /*
-         * Defensively fail if the time string is not representable as
-         * a time_t. A time_t must be sane if you care about times after
-         * Jan 19 2038.
-         */
-        if (timegm(&tm1) == -1)
-                goto out;
        if (gmtime_r(&compare, &tm2) == NULL)
                goto out;