Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Skip to content
Commit a5752d11 authored by David Howells's avatar David Howells Committed by Rusty Russell
Browse files

MODSIGN: Fix 32-bit overflow in X.509 certificate validity date checking 



The current choice of lifetime for the autogenerated X.509 of 100 years,
putting the validTo date in 2112, causes problems on 32-bit systems where a
32-bit time_t wraps in 2106.  64-bit x86_64 systems seem to be unaffected.

This can result in something like:

	Loading module verification certificates
	X.509: Cert 6e03943da0f3b015ba6ed7f5e0cac4fe48680994 has expired
	MODSIGN: Problem loading in-kernel X.509 certificate (-127)

Or:

	X.509: Cert 6e03943da0f3b015ba6ed7f5e0cac4fe48680994 is not yet valid
	MODSIGN: Problem loading in-kernel X.509 certificate (-129)

Instead of turning the dates into time_t values and comparing, turn the system
clock and the ASN.1 dates into tm structs and compare those piecemeal instead.

Reported-by: default avatarRusty Russell <rusty@rustcorp.com.au>
Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
Acked-by: default avatarJosh Boyer <jwboyer@redhat.com>
Signed-off-by: default avatarRusty Russell <rusty@rustcorp.com.au>
parent d5b71936
Hide whitespace changes
Inline Side-by-side
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment