Re: overflow when calling X509_gmtime_adj() on 32-bit systems
On 03.02.2013, at 12:28, Dr. Stephen Henson st...@openssl.org wrote:

> On Sun, Feb 03, 2013, Dongsheng Song wrote:
>
>> On Sun, Feb 3, 2013 at 7:01 PM, Dr. Stephen Henson st...@openssl.org wrote:
>>
>>> In that above code example if you do:
>>>
>>>     X509_gmtime_adj_ex(X509_get_notAfter(x), days, 0, NULL);
>>>
>>> that should resolve your problem.
>>
>> Maybe it should be better:
>>
>>     X509_time_adj_ex(X509_get_notAfter(x),days, 0, NULL);
>
> Yes sorry it should, that's a typo. A bit early in the day for me...
>
> Steve.

Thanks a lot! I'll pass that information on to the php people, maybe they are willing to make the effort and look into it.

Alex
__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org
overflow when calling X509_gmtime_adj() on 32-bit systems
Hi,

The php openssl library implements a function named openssl_csr_sign() and inside that function one can find the following line:

    X509_gmtime_adj(X509_get_notAfter(new_cert), (long)60*60*24*num_days);

This obviously provokes an overflow in cases of large values of num_days, say 36500 (representing 100 years), on 32-bit systems where usually sizeof(long) = 4.

The bug report I opened in the php bugtracker was closed with "not a bug", pointing to the openssl API. The php people correctly pointed out that X509_gmtime_adj() needs a long value as parameter.

I found that OpenSSL Cert creation example code (https://github.com/cloudmeter/openssl/blob/master/demos/x509/mkcert.c) has that very same line in it and should therefore be subject to the same issue:

    X509_set_version(x,2);
    ASN1_INTEGER_set(X509_get_serialNumber(x),serial);
    X509_gmtime_adj(X509_get_notBefore(x),0);
    X509_gmtime_adj(X509_get_notAfter(x),(long)60*60*24*days);
    X509_set_pubkey(x,pk);

After searching around a bit I assume that with newer versions of OpenSSL using OPENSSL_gmtime_adj() or X509_time_adj_ex instead of X509_gmtime_adj() would maybe resolve this obvious limitation. Unfortunately I'm not able to immediately see how (my C skills are rather limited and I'm not experienced with using OpenSSL).

Could somebody on this list maybe be so kind and point me in the right direction?

Thanks
Alex
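An added example, not code from the thread, PHP or OpenSSL: it models the `(long)60*60*24*num_days` expression for a 32-bit `long` and shows the range check needed before the day-based `X509_time_adj_ex()` call suggested in the reply. The helper names and the sample day counts are constructed for illustration.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

#define SECS_PER_DAY 86400

/* What (long)60*60*24*num_days evaluates to where long is 32 bits wide.
 * The wrap is modelled with unsigned arithmetic so this runs anywhere. */
static int32_t secs_with_32bit_long(int32_t num_days)
{
    uint32_t u = (uint32_t)SECS_PER_DAY * (uint32_t)num_days;
    return (u > (uint32_t)INT32_MAX) ? (int32_t)((int64_t)u - 4294967296LL)
                                     : (int32_t)u;
}

/* Largest day count whose seconds value still fits a 32-bit long. */
static int32_t max_days_32bit_long(void)
{
    return INT32_MAX / SECS_PER_DAY;
}

/* Checked conversion for the day-based call from the thread,
 * X509_time_adj_ex(notAfter, offset_day, 0, NULL): offset_day is an int,
 * so only a range check is needed, no multiplication.
 * Returns 0 on success, -1 if num_days is not a usable validity period. */
static int validity_days_to_offset(long num_days, int *offset_day)
{
    if (num_days <= 0 || num_days > INT_MAX)
        return -1;
    *offset_day = (int)num_days;
    return 0;
}

int main(void)
{
    int32_t days[] = { 365, 24855, 24856, 36500 };  /* constructed inputs */
    for (size_t i = 0; i < sizeof days / sizeof days[0]; i++) {
        int off = 0;
        int rc = validity_days_to_offset(days[i], &off);
        printf("%6d days: 32-bit seconds = %11d, day offset = %d (rc=%d)\n",
               (int)days[i], (int)secs_with_32bit_long(days[i]), off, rc);
    }
    printf("limit for a 32-bit long: %d days\n", (int)max_days_32bit_long());
    return 0;
}
```

For 36500 days the 32-bit seconds value comes out negative, so the computed notAfter would lie before the time of signing; any period above 24855 days wraps this way.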