On Sat, Feb 02, 2013, Alexander Hollerith wrote:

> Hi,
> 
> The php openssl library implements a function named openssl_csr_sign() and
> inside that function one can find the following line:
> X509_gmtime_adj(X509_get_notAfter(new_cert), (long)60*60*24*num_days);
> 
> This obviously provokes an overflow in cases of large values of "num_days",
> say 36500 (representing 100 years), on 32-bit systems where usually
> "sizeof(long) = 4". The bug report I opened in the php bugtracker was closed
> with "not a bug" pointing to the openssl API. The php people correctly
> pointed out that X509_gmtime_adj() needs a long value as parameter.
> 
> I found that OpenSSL Cert creation example code 
> (https://github.com/cloudmeter/openssl/blob/master/demos/x509/mkcert.c) has 
> that very same line in it and should therefore be subject to the same issue:
>       X509_set_version(x,2);
>       ASN1_INTEGER_set(X509_get_serialNumber(x),serial);
>       X509_gmtime_adj(X509_get_notBefore(x),0);
>       X509_gmtime_adj(X509_get_notAfter(x),(long)60*60*24*days);
>       X509_set_pubkey(x,pk);
> 
> After searching around a bit I assume that with newer versions of OpenSSL
> using OPENSSL_gmtime_adj() or X509_time_adj_ex instead of X509_gmtime_adj()
> would maybe resolve this obvious limitation. Unfortunately I'm not able to
> immediately see how (my C skills are rather limited and I'm not experienced
> with using OpenSSL). Could somebody on this list maybe be so kind and point
> me in the right direction?
> 

This is indeed a limitation with X509_gmtime_adj. In older versions of OpenSSL
it also relied on the system time functions and so was sensitive to overflows
in the time_t type. In OpenSSL 1.0.0 some OS independent time functions
have been added with some additional functions that overcome the limits but
still retaining the old ones for compatibility.

In that above code example if you do:

X509_time_adj_ex(X509_get_notAfter(x), days, 0, NULL); /* offset_day = days, offset_sec = 0, in_tm = NULL (use current time) */

that should resolve your problem.

Steve.
-
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
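As an added illustration (not code from either message or from OpenSSL itself), the following stand-alone C program works out what the `60*60*24*num_days` product from the report does when `long` is 32 bits, and how the day count is passed to the `X509_time_adj_ex(s, offset_day, offset_sec, in_tm)` signature instead so that no multiplication happens at all. The helper names are my own; the emulation assumes the usual two's-complement wraparound of the product.

```c
#include <stdint.h>
#include <stdbool.h>
#include <limits.h>
#include <stdio.h>

/* Seconds per day, the multiplier used in mkcert.c and openssl_csr_sign(). */
#define SECS_PER_DAY 86400LL

/* Largest day count whose 60*60*24*days product still fits a signed long of
   long_bits width: 32 on the platforms in the report, 64 on LP64 systems. */
long long max_safe_days(int long_bits) {
    long long long_max = (long_bits >= 64) ? LLONG_MAX
                                           : ((1LL << (long_bits - 1)) - 1);
    return long_max / SECS_PER_DAY;
}

/* Emulate the product as a 32-bit long stores it: keep the low 32 bits and
   reinterpret them as two's complement (assumed platform behaviour). */
long long seconds_as_long32(long long days) {
    unsigned long long low = (unsigned long long)(days * SECS_PER_DAY) & 0xFFFFFFFFULL;
    return (low > 0x7FFFFFFFULL) ? (long long)low - 0x100000000LL : (long long)low;
}

/* Arguments for X509_time_adj_ex(): the validity goes in as whole days via
   the int offset_day parameter and offset_sec stays 0, so the only limit is
   INT_MAX days (roughly 5.8 million years). Returns false if days do not fit. */
bool validity_offsets(long long days, int *offset_day, long *offset_sec) {
    if (days > INT_MAX || days < INT_MIN) return false;
    *offset_day = (int)days;
    *offset_sec = 0;
    return true;
}

int main(void) {
    long long days = 36500; /* the 100-year value from the bug report */
    int od; long os;
    printf("safe maximum with 32-bit long: %lld days\n", max_safe_days(32));
    printf("X509_gmtime_adj adjustment for %lld days on 32-bit long: %lld s\n",
           days, seconds_as_long32(days)); /* negative: notAfter lands in the past */
    if (validity_offsets(days, &od, &os))
        printf("X509_time_adj_ex(notAfter, %d, %ld, NULL)\n", od, os);
    return 0;
}
```

The emulated 32-bit result is negative, so a certificate signed this way is issued already expired rather than with a 100-year lifetime, which is the symptom to look for when auditing such issuers.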