1 files changed, 19 insertions, 7 deletions

diff --git a/src/lib/libtls/tls_conninfo.c b/src/lib/libtls/tls_conninfo.c
index 90fdfacad3..08f8714ecd 100644
--- a/src/lib/libtls/tls_conninfo.c
+++ b/src/lib/libtls/tls_conninfo.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_conninfo.c,v 1.24 2023/11/13 10:51:49 tb Exp $ */
+/* $OpenBSD: tls_conninfo.c,v 1.25 2024/03/24 11:30:12 beck Exp $ */
 /*
  * Copyright (c) 2015 Joel Sing <jsing@openbsd.org>
  * Copyright (c) 2015 Bob Beck <beck@openbsd.org>
@@ -19,12 +19,27 @@
 #include <stdio.h>
 #include <string.h>
 
+#include <openssl/posix_time.h>
 #include <openssl/x509.h>
 
 #include <tls.h>
 #include "tls_internal.h"
 
-int ASN1_time_tm_clamp_notafter(struct tm *tm);
+static int
+tls_convert_notafter(struct tm *tm, time_t *out_time)
+{
+        int64_t posix_time;
+
+        /* OPENSSL_timegm() fails if tm is not representable in a time_t */
+        if (OPENSSL_timegm(tm, out_time))
+                return 1;
+        if (!OPENSSL_tm_to_posix(tm, &posix_time))
+                return 0;
+        if (posix_time < INT32_MIN)
+                return 0;
+        *out_time = (posix_time > INT32_MAX) ? INT32_MAX : posix_time;
+        return 1;
+}
 
 int
 tls_hex_string(const unsigned char *in, size_t inlen, char **out,
@@ -121,13 +136,10 @@ tls_get_peer_cert_times(struct tls *ctx, time_t *notbefore,
                 goto err;
         if (!ASN1_TIME_to_tm(after, &after_tm))
                 goto err;
-        if (!ASN1_time_tm_clamp_notafter(&after_tm))
+        if (!tls_convert_notafter(&after_tm, notafter))
                 goto err;
-        if ((*notbefore = timegm(&before_tm)) == -1)
+        if (!OPENSSL_timegm(&before_tm, notbefore))
                 goto err;
-        if ((*notafter = timegm(&after_tm)) == -1)
-                goto err;
-
         return (0);
 
  err: