summaryrefslogtreecommitdiff
path: root/crypto/asymmetric_keys/x509_parser.h
diff options
context:
space:
mode:
authorDavid Howells <dhowells@redhat.com>2012-10-02 14:36:16 +0100
committerRusty Russell <rusty@rustcorp.com.au>2012-10-10 20:06:37 +1030
commita5752d11b3853fcdb48b303573dd39b09d05e500 (patch)
treefdbf54986ce97f473661d62510a513bb4ba79aa9 /crypto/asymmetric_keys/x509_parser.h
parentd5b719365ec13ef825f2548ba54903b9d029238c (diff)
MODSIGN: Fix 32-bit overflow in X.509 certificate validity date checking
The current choice of lifetime for the autogenerated X.509 of 100 years, putting the validTo date in 2112, causes problems on 32-bit systems where a 32-bit time_t wraps in 2106. 64-bit x86_64 systems seem to be unaffected. This can result in something like: Loading module verification certificates X.509: Cert 6e03943da0f3b015ba6ed7f5e0cac4fe48680994 has expired MODSIGN: Problem loading in-kernel X.509 certificate (-127) Or: X.509: Cert 6e03943da0f3b015ba6ed7f5e0cac4fe48680994 is not yet valid MODSIGN: Problem loading in-kernel X.509 certificate (-129) Instead of turning the dates into time_t values and comparing, turn the system clock and the ASN.1 dates into tm structs and compare those piecemeal instead. Reported-by: Rusty Russell <rusty@rustcorp.com.au> Signed-off-by: David Howells <dhowells@redhat.com> Acked-by: Josh Boyer <jwboyer@redhat.com> Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
Diffstat (limited to 'crypto/asymmetric_keys/x509_parser.h')
-rw-r--r--crypto/asymmetric_keys/x509_parser.h4
1 files changed, 2 insertions, 2 deletions
diff --git a/crypto/asymmetric_keys/x509_parser.h b/crypto/asymmetric_keys/x509_parser.h
index 635053f7e962..f86dc5fcc4ad 100644
--- a/crypto/asymmetric_keys/x509_parser.h
+++ b/crypto/asymmetric_keys/x509_parser.h
@@ -18,8 +18,8 @@ struct x509_certificate {
char *subject; /* Name of certificate subject */
char *fingerprint; /* Key fingerprint as hex */
char *authority; /* Authority key fingerprint as hex */
- time_t valid_from;
- time_t valid_to;
+ struct tm valid_from;
+ struct tm valid_to;
enum pkey_algo pkey_algo : 8; /* Public key algorithm */
enum pkey_algo sig_pkey_algo : 8; /* Signature public key algorithm */
enum pkey_hash_algo sig_hash_algo : 8; /* Signature hash algorithm */