diff options
| author | David Howells <dhowells@redhat.com> | 2012-10-02 14:36:16 +0100 |
|---|---|---|
| committer | Rusty Russell <rusty@rustcorp.com.au> | 2012-10-10 20:06:37 +1030 |
| commit | b704b28c01f94cf11495d9c97dc5be3b35900bb8 (patch) | |
| tree | 7cbdbd3fd9a23dd060e4a8023d3f067545411a4d /crypto/twofish_generic.c | |
| parent | de26a46f6c581b579f77bbe31cc7aef0b1fd14bc (diff) | |
| download | linux-crypto-b704b28c01f94cf11495d9c97dc5be3b35900bb8.tar.gz linux-crypto-b704b28c01f94cf11495d9c97dc5be3b35900bb8.zip | |
MODSIGN: Fix 32-bit overflow in X.509 certificate validity date checking
The current choice of lifetime for the autogenerated X.509 of 100 years,
putting the validTo date in 2112, causes problems on 32-bit systems where a
32-bit time_t wraps in 2106. 64-bit x86_64 systems seem to be unaffected.
This can result in something like:
Loading module verification certificates
X.509: Cert 6e03943da0f3b015ba6ed7f5e0cac4fe48680994 has expired
MODSIGN: Problem loading in-kernel X.509 certificate (-127)
Or:
X.509: Cert 6e03943da0f3b015ba6ed7f5e0cac4fe48680994 is not yet valid
MODSIGN: Problem loading in-kernel X.509 certificate (-129)
Instead of turning the dates into time_t values and comparing, turn the system
clock and the ASN.1 dates into tm structs and compare those piecemeal instead.
Reported-by: Rusty Russell <rusty@rustcorp.com.au>
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: Josh Boyer <jwboyer@redhat.com>
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
Diffstat (limited to 'crypto/twofish_generic.c')
0 files changed, 0 insertions, 0 deletions