From d7037da0b5bd4aac11b52b6a296527f803434ee2 Mon Sep 17 00:00:00 2001
From: Juliusz Sosinowicz
Date: Mon, 21 Mar 2022 15:52:11 +0100
Subject: [PATCH] `mktime` may return a negative due to timezones around the unix epoch
---
 src/ssl.c | 29 ++++++++++++++++++++++++++---
 1 file changed, 26 insertions(+), 3 deletions(-)
diff --git a/src/ssl.c b/src/ssl.c
index a8d300523..8326e4e0f 100644
--- a/src/ssl.c
+++ b/src/ssl.c
@@ -28548,7 +28548,7 @@ static int Asn1TimeToTm(WOLFSSL_ASN1_TIME* asnTime, struct tm* tm)
 unsigned char* asn1TimeBuf;
 int asn1TimeBufLen;
 int i = 0;
- int bytesNeeded = 10;
+ int bytesNeeded = 11;
 if (asnTime == NULL) {
 WOLFSSL_MSG("asnTime is NULL");
@@ -28580,6 +28580,10 @@ static int Asn1TimeToTm(WOLFSSL_ASN1_TIME* asnTime, struct tm* tm)
 WOLFSSL_MSG("WOLFSSL_ASN1_TIME buffer length is invalid.");
 return WOLFSSL_FAILURE;
 }
+ if (asn1TimeBuf[bytesNeeded-1] != 'Z') {
+ WOLFSSL_MSG("Expecting UTC time.");
+ return WOLFSSL_FAILURE;
+ }
 tm->tm_year = (asn1TimeBuf[i] - '0') * 10; i++;
 tm->tm_year += asn1TimeBuf[i] - '0'; i++;
@@ -28594,6 +28598,10 @@ static int Asn1TimeToTm(WOLFSSL_ASN1_TIME* asnTime, struct tm* tm)
 WOLFSSL_MSG("WOLFSSL_ASN1_TIME buffer length is invalid.");
 return WOLFSSL_FAILURE;
 }
+ if (asn1TimeBuf[bytesNeeded-1] != 'Z') {
+ WOLFSSL_MSG("Expecting UTC time.");
+ return WOLFSSL_FAILURE;
+ }
 tm->tm_year = (asn1TimeBuf[i] - '0') * 1000; i++;
 tm->tm_year += (asn1TimeBuf[i] - '0') * 100; i++;
@@ -32068,8 +32076,17 @@ int wolfSSL_ASN1_TIME_diff(int *days, int *secs, const WOLFSSL_ASN1_TIME *from,
 return WOLFSSL_FAILURE;
 }
+#ifdef HAVE_ERRNO_H
+ errno = 0;
+#endif
 fromSecs = XMKTIME(fromTm);
- if (fromSecs < 0) {
+ /* Result can be negative due to time zones around UNIX epoch */
+ if (fromSecs == -1
+#ifdef HAVE_ERRNO_H
+ /* Double check with errno that -1 is actually an error */
+ && errno != 0
+#endif
+ ) {
 WOLFSSL_MSG("XMKTIME for from time failed.");
 return WOLFSSL_FAILURE;
 }
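Review bot: The constant `11` in the first hunk of `Asn1TimeToTm` has no comment saying which bytes it counts, although the later hunks rely on it to locate the terminator at `asn1TimeBuf[bytesNeeded-1]`, so an off-by-one here would silently move the `'Z'` check. A comment on the declaration would make the layout reviewable, for example `/* MMDDhhmmss plus the trailing 'Z'; year digits are added per type */`. The second half of that comment is an assumption: the code that adjusts `bytesNeeded` for the year width is outside the hunk and should be confirmed before wording it this way.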
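Review bot: In the two-digit-year branch of `Asn1TimeToTm` (second hunk), the added test validates only the terminator at a fixed offset; the bytes parsed immediately afterwards (`asn1TimeBuf[i] - '0'`) are still never checked to be ASCII digits, so a malformed time string produces out-of-range or negative `struct tm` fields. Before the year is read, each byte at indexes `0..bytesNeeded-2` should pass a test such as `if (asn1TimeBuf[j] < '0' || asn1TimeBuf[j] > '9') return WOLFSSL_FAILURE;`. The length test guarding this code sits above the hunk; if it is only a lower bound, bytes following the `Z` are accepted as well, and an exact-length comparison would close that. The four-digit-year branch in the next hunk has the same gaps.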
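Review bot: The `errno` test added in `wolfSSL_ASN1_TIME_diff` (fourth hunk) does not reliably separate a failed `XMKTIME` from a valid result of -1. ISO C does not require `mktime` to set `errno`, so on such a libc a genuine failure passes the check and -1 is used as a timestamp, and in builds without `HAVE_ERRNO_H` the valid instant one second before the epoch is still rejected. If `XMKTIME` maps to the C library's `mktime` and `fromTm` is a `struct tm *` (both are declared outside the hunk), a sentinel covers both builds: set `fromTm->tm_wday = -1;` before the call and test `if (fromSecs == -1 && fromTm->tm_wday == -1)`. The `toSecs` check in the following hunk would change the same way.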
@@ -32088,7 +32105,13 @@ int wolfSSL_ASN1_TIME_diff(int *days, int *secs, const WOLFSSL_ASN1_TIME *from,
 }
 toSecs = XMKTIME(toTm);
- if (toSecs < 0) {
+ /* Result can be negative due to time zones around UNIX epoch */
+ if (toSecs == -1
+#ifdef HAVE_ERRNO_H
+ /* Double check with errno that -1 is actually an error */
+ && errno != 0
+#endif
+ ) {
 WOLFSSL_MSG("XMKTIME for to time failed.");
 return WOLFSSL_FAILURE;
 }
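Review bot: `errno` is not cleared before the second call: the `errno = 0;` added in the previous hunk precedes `fromSecs = XMKTIME(fromTm)`, while here `toSecs = XMKTIME(toTm);` is reached with whatever value the intervening code left behind. That code is not visible in the hunk, but C library functions may set `errno` to a non-zero value even when they succeed, so a valid `toSecs` of -1 can be reported as a failure. Add `#ifdef HAVE_ERRNO_H` / `errno = 0;` / `#endif` immediately before `toSecs = XMKTIME(toTm);`.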