* modules/ssl/ssl_engine_vars.c (ssl_var_lookup_ssl_cert): Use

notroj · notroj · commit 255e96882dd1 · 2026-01-19T12:01:10.000Z
ASN1_TIME_diff() if available to avoid parsing the ASN1_TIME.
diff --git a/modules/ssl/ssl_engine_vars.c b/modules/ssl/ssl_engine_vars.c
@@ -827,23 +827,33 @@ static const char *ssl_var_lookup_ssl_cert_valid(apr_pool_t *p, ASN1_TIME *tm)
     return modssl_bio_free_read(p, bio);
 }
 
-#define DIGIT2NUM(x) (((x)[0] - '0') * 10 + (x)[1] - '0')
+/* Evaluates to true if asn1 isn't a valid ASN.1 TIME; RFC3280
+ * mandates that the seconds digits are present even though ASN.1
+ * doesn't. */
+#define INVALID_ASN1_TIME(asn1) (                                       \
+    ((asn1)->type == V_ASN1_UTCTIME && (asn1)->length < 11)             \
+    || ((asn1)->type == V_ASN1_GENERALIZEDTIME && (asn1)->length < 13)  \
+    || ASN1_TIME_check(asn1) != 1)
 
 /* Return a string giving the number of days remaining until 'tm', or
  * "0" if this can't be determined. */
 static const char *ssl_var_lookup_ssl_cert_remain(apr_pool_t *p, ASN1_TIME *tm)
 {
+#if OPENSSL_VERSION_NUMBER >= 0x10101000L && !defined(LIBRESSL_VERSION_NUMBER)
+    int diff;
+
+    if (INVALID_ASN1_TIME(tm) || ASN1_TIME_diff(&diff, NULL, NULL, tm) != 1) {
+        return "0";
+    }
+#else
     apr_time_t then, now = apr_time_now();
     apr_time_exp_t exp = {0};
     long diff;
     unsigned char *dp;
 
-    /* Fail if the time isn't a valid ASN.1 TIME; RFC3280 mandates
-     * that the seconds digits are present even though ASN.1
-     * doesn't. */
-    if ((tm->type == V_ASN1_UTCTIME && tm->length < 11) ||
-        (tm->type == V_ASN1_GENERALIZEDTIME && tm->length < 13) ||
-        !ASN1_TIME_check(tm)) {
+#define DIGIT2NUM(x) (((x)[0] - '0') * 10 + (x)[1] - '0')
+
+    if (INVALID_ASN1_TIME(tm)) {
         return "0";
     }
 
@@ -857,7 +867,7 @@ static const char *ssl_var_lookup_ssl_cert_remain(apr_pool_t *p, ASN1_TIME *tm)
     }
 
     exp.tm_mon = DIGIT2NUM(dp) - 1;
-    exp.tm_mday = DIGIT2NUM(dp + 2);
+    exp.tm_mday = DIGIT2NUM(dp + 2) + 1;
     exp.tm_hour = DIGIT2NUM(dp + 4);
     exp.tm_min = DIGIT2NUM(dp + 6);
     exp.tm_sec = DIGIT2NUM(dp + 8);
@@ -867,6 +877,7 @@ static const char *ssl_var_lookup_ssl_cert_remain(apr_pool_t *p, ASN1_TIME *tm)
     }
 
     diff = (long)((apr_time_sec(then) - apr_time_sec(now)) / (60*60*24));
+#endif
 
     return diff > 0 ? apr_ltoa(p, diff) : "0";
 }
