mktime may return a negative due to timezones around the unix epoch

2025-08-03 20:54:41 +02:00 · 2022-03-21 15:52:11 +01:00
parent 2f52d3cd20
commit d7037da0b5
1 changed files with 26 additions and 3 deletions
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -28548,7 +28548,7 @@ static int Asn1TimeToTm(WOLFSSL_ASN1_TIME* asnTime, struct tm* tm)
    unsigned char* asn1TimeBuf;
    int asn1TimeBufLen;
    int i = 0;
-    int bytesNeeded = 10;
+    int bytesNeeded = 11;

    if (asnTime == NULL) {
        WOLFSSL_MSG("asnTime is NULL");
@@ -28580,6 +28580,10 @@ static int Asn1TimeToTm(WOLFSSL_ASN1_TIME* asnTime, struct tm* tm)
            WOLFSSL_MSG("WOLFSSL_ASN1_TIME buffer length is invalid.");
            return WOLFSSL_FAILURE;
        }
+        if (asn1TimeBuf[bytesNeeded-1] != 'Z') {
+            WOLFSSL_MSG("Expecting UTC time.");
+            return WOLFSSL_FAILURE;
+        }

        tm->tm_year = (asn1TimeBuf[i] - '0') * 10; i++;
        tm->tm_year += asn1TimeBuf[i] - '0'; i++;
@@ -28594,6 +28598,10 @@ static int Asn1TimeToTm(WOLFSSL_ASN1_TIME* asnTime, struct tm* tm)
            WOLFSSL_MSG("WOLFSSL_ASN1_TIME buffer length is invalid.");
            return WOLFSSL_FAILURE;
        }
+        if (asn1TimeBuf[bytesNeeded-1] != 'Z') {
+            WOLFSSL_MSG("Expecting UTC time.");
+            return WOLFSSL_FAILURE;
+        }

        tm->tm_year = (asn1TimeBuf[i] - '0') * 1000; i++;
        tm->tm_year += (asn1TimeBuf[i] - '0') * 100; i++;
@@ -32068,8 +32076,17 @@ int wolfSSL_ASN1_TIME_diff(int *days, int *secs, const WOLFSSL_ASN1_TIME *from,
        return WOLFSSL_FAILURE;
    }

+#ifdef HAVE_ERRNO_H
+    errno = 0;
+#endif
    fromSecs = XMKTIME(fromTm);
-    if (fromSecs < 0) {
+    /* Result can be negative due to time zones around UNIX epoch */
+    if (fromSecs == -1
+#ifdef HAVE_ERRNO_H
+            /* Double check with errno that -1 is actually an error */
+            && errno != 0
+#endif
+            ) {
        WOLFSSL_MSG("XMKTIME for from time failed.");
        return WOLFSSL_FAILURE;
    }
@@ -32088,7 +32105,13 @@ int wolfSSL_ASN1_TIME_diff(int *days, int *secs, const WOLFSSL_ASN1_TIME *from,
    }

    toSecs = XMKTIME(toTm);
-    if (toSecs < 0) {
+    /* Result can be negative due to time zones around UNIX epoch */
+    if (toSecs == -1
+#ifdef HAVE_ERRNO_H
+            /* Double check with errno that -1 is actually an error */
+            && errno != 0
+#endif
+            ) {
        WOLFSSL_MSG("XMKTIME for to time failed.");
        return WOLFSSL_FAILURE;
    }