From 7fd0510c059612e6faf54a74ea1551b4cddf32e6 Mon Sep 17 00:00:00 2001
From: tb
Date: Wed, 27 May 2026 13:57:16 +0000
Subject: [PATCH] rpki-client: use sentinel idiom for timegm(3) error check
We currently fail on ASN.1 times before the epoch. There is nothing wrong in principle with those. Both UTCTime and GeneralizedTimes can represent such times and we should be able to accept them. Modern OpenSSL and LibreSSL ensure in ASN1_TIME_to_tm() that the times are well formed according to the DER, so this call is really only a translation step.
ok claudio deraadt
---
 usr.sbin/rpki-client/x509.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/usr.sbin/rpki-client/x509.c b/usr.sbin/rpki-client/x509.c
index 3788e2b79e5..7edf1e3b598 100644
--- a/usr.sbin/rpki-client/x509.c
+++ b/usr.sbin/rpki-client/x509.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509.c,v 1.131 2026/04/13 03:36:10 tb Exp $ */
+/* $OpenBSD: x509.c,v 1.132 2026/05/27 13:57:16 tb Exp $ */
 /*
 * Copyright (c) 2022 Theo Buehler
 * Copyright (c) 2021 Claudio Jeker
@@ -298,7 +298,8 @@ x509_get_time(const ASN1_TIME *at, time_t *t)
 return 0;
 if (!ASN1_TIME_to_tm(at, &tm))
 return 0;
- if ((*t = timegm(&tm)) < 0)
+ tm.tm_wday = -1;
+ if ((*t = timegm(&tm)) == -1 && tm.tm_wday == -1)
 return 0;
 return 1;
 }
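Review bot: The added `tm.tm_wday = -1;` in x509_get_time() carries no comment, so the sentinel reads like a stray store; if a later cleanup removed it, the failure test would probably stop firing, since ASN1_TIME_to_tm() presumably leaves a valid weekday in the struct. I would put `/* timegm(3) sets tm_wday on success; a return of -1 alone is a valid time (1969-12-31T23:59:59Z). */` directly above the assignment. The change also widens the function's contract, because `*t` may now be negative on success. Callers that compare certificate or CRL validity times, or that treat 0 or -1 as "unset", are not visible in this hunk and should be checked against pre-epoch values. The function's opening lines lie outside the hunk.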