From 405a4a7f3e60310095d7ef244e69d9acccc12322 Mon Sep 17 00:00:00 2001
From: Ismael Luceno <ismael@iodev.co.uk>
Date: Sun, 1 Nov 2020 01:59:11 +0100
Subject: [PATCH for 3.2] Fix compatibility with pre-RFC-5280 certificates

Allow GENERALIZEDTIME for dates before 2050, it isn't a security issue, and
enables interoperability with older software.

Based on a patch by Johan de Vries <devries@wivion.nl>.
---
 crypto/x509/x509_verify.c            |  3 +++
 1 files changed, 3 insertions(+)

diff --git a/crypto/x509/x509_verify.c b/crypto/x509/x509_verify.c
index 0c32cd04b741..3dda41ea825f 100644
--- a/crypto/x509/x509_verify.c
+++ b/crypto/x509/x509_verify.c
@@ -522,6 +522,9 @@ x509_verify_asn1_time_to_tm(const ASN1_TIME *atime, struct tm *tm, int notafter)
 	if (type == -1)
 		return 0;
 
+ 	/* Allow GENERALIZEDTIME for dates before 2050, it isn't a security
+ 	 * issue, and enables interoperability with older software. */
+ 	if (type != V_ASN1_GENERALIZEDTIME)
 	/* RFC 5280 section 4.1.2.5 */
 	if (tm->tm_year < 150 && type != V_ASN1_UTCTIME)
 		return 0;
--
2.28.0