From 68770479ea4dee323f5bb56e995282f7c2100d4f Mon Sep 17 00:00:00 2001
From: William Lallemand <wlallemand@haproxy.com>
Date: Thu, 25 Sep 2025 14:39:31 +0200
Subject: [PATCH] BUG/MINOR: acme: possible overflow on scheduling computation

acme_schedule_date() computes the schedule date using notAfter and
notBefore from the certificate. However notBefore could be greater than
notAfter and could result in an overflow.

This is unlikely to happen and would mean an incorrect certificate.

This patch fixes the issue by checking that notAfter > notBefore.

It also replace the int type by a time_t to avoid overflow on 64bits
architecture which is also unlikely to happen with certificates.

Fix issue #3136.

Need to be backported to 3.2.
---
 src/acme.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/acme.c b/src/acme.c
index e71071692..b5746a41a 100644
--- a/src/acme.c
+++ b/src/acme.c
@@ -2381,7 +2381,7 @@ int acme_will_expire(struct ckch_store *store)
  */
 time_t acme_schedule_date(struct ckch_store *store)
 {
-	int diff = 0;
+	time_t diff = 0;
 	time_t notAfter = 0;
 	time_t notBefore = 0;
 
@@ -2395,7 +2395,8 @@ time_t acme_schedule_date(struct ckch_store *store)
 	notAfter = x509_get_notafter_time_t(store->data->cert);
 	notBefore = x509_get_notbefore_time_t(store->data->cert);
 
-	if (notAfter >= 0 && notBefore >= 0) {
+	if ((notAfter >= 0 && notBefore >= 0)
+	   && (notAfter > notBefore)) {
 		diff = (notAfter - notBefore) / 12; /* validity period / 12 */
 	} else {
 		diff = 7 * 24 * 60 * 60; /* default to 7 days */
-- 
2.47.3