2 files changed, 22 insertions, 9 deletions

diff --git a/lib/libtls/tls_conninfo.c b/lib/libtls/tls_conninfo.c
index 90fdfacad3c..08f8714ecd7 100644
--- a/lib/libtls/tls_conninfo.c
+++ b/lib/libtls/tls_conninfo.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_conninfo.c,v 1.24 2023/11/13 10:51:49 tb Exp $ */
+/* $OpenBSD: tls_conninfo.c,v 1.25 2024/03/24 11:30:12 beck Exp $ */
 /*
  * Copyright (c) 2015 Joel Sing <jsing@openbsd.org>
  * Copyright (c) 2015 Bob Beck <beck@openbsd.org>
@@ -19,12 +19,27 @@
 #include <stdio.h>
 #include <string.h>
 
+#include <openssl/posix_time.h>
 #include <openssl/x509.h>
 
 #include <tls.h>
 #include "tls_internal.h"
 
-int ASN1_time_tm_clamp_notafter(struct tm *tm);
+static int
+tls_convert_notafter(struct tm *tm, time_t *out_time)
+{
+	int64_t posix_time;
+
+	/* OPENSSL_timegm() fails if tm is not representable in a time_t */
+	if (OPENSSL_timegm(tm, out_time))
+		return 1;
+	if (!OPENSSL_tm_to_posix(tm, &posix_time))
+		return 0;
+	if (posix_time < INT32_MIN)
+		return 0;
+	*out_time = (posix_time > INT32_MAX) ? INT32_MAX : posix_time;
+	return 1;
+}
 
 int
 tls_hex_string(const unsigned char *in, size_t inlen, char **out,
@@ -121,13 +136,10 @@ tls_get_peer_cert_times(struct tls *ctx, time_t *notbefore,
 		goto err;
 	if (!ASN1_TIME_to_tm(after, &after_tm))
 		goto err;
-	if (!ASN1_time_tm_clamp_notafter(&after_tm))
+	if (!tls_convert_notafter(&after_tm, notafter))
 		goto err;
-	if ((*notbefore = timegm(&before_tm)) == -1)
+	if (!OPENSSL_timegm(&before_tm, notbefore))
 		goto err;
-	if ((*notafter = timegm(&after_tm)) == -1)
-		goto err;
-
 	return (0);
 
  err:
diff --git a/lib/libtls/tls_ocsp.c b/lib/libtls/tls_ocsp.c
index c7eb3e59869..f7d7ba91997 100644
--- a/lib/libtls/tls_ocsp.c
+++ b/lib/libtls/tls_ocsp.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: tls_ocsp.c,v 1.24 2023/11/13 10:56:19 tb Exp $ */
+/*	$OpenBSD: tls_ocsp.c,v 1.25 2024/03/24 11:30:12 beck Exp $ */
 /*
  * Copyright (c) 2015 Marko Kreen <markokr@gmail.com>
  * Copyright (c) 2016 Bob Beck <beck@openbsd.org>
@@ -25,6 +25,7 @@
 
 #include <openssl/err.h>
 #include <openssl/ocsp.h>
+#include <openssl/posix_time.h>
 #include <openssl/x509.h>
 
 #include <tls.h>
@@ -68,7 +69,7 @@ tls_ocsp_asn1_parse_time(struct tls *ctx, ASN1_GENERALIZEDTIME *gt, time_t *gt_t
 		return -1;
 	if (!ASN1_TIME_to_tm(gt, &tm))
 		return -1;
-	if ((*gt_time = timegm(&tm)) == -1)
+	if (!OPENSSL_timegm(&tm, gt_time))
 		return -1;
 	return 0;
 }