To avoid possible time_t overflow use X509_time_adj_ex()
authorDr. Stephen Henson <steve@openssl.org>
Thu, 14 Jan 2016 00:25:25 +0000 (00:25 +0000)
committerDr. Stephen Henson <steve@openssl.org>
Thu, 14 Jan 2016 02:59:06 +0000 (02:59 +0000)
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
apps/ocsp.c
apps/x509.c

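index ceda592de9c2e44b2b768aa3daf5a75cda586c2e..0c41c4d5de5fdf04a50f117c95dd858410f5f3d3 100644
--- a/apps/ocsp.c
+++ b/apps/ocsp.c
@@ -914,7 +914,7 @@ static void make_ocsp_response(OCSP_RESPONSE **resp, OCSP_REQUEST *req,
     bs = OCSP_BASICRESP_new();
     thisupd = X509_gmtime_adj(NULL, 0);
     if (ndays != -1)
-        nextupd = X509_gmtime_adj(NULL, nmin * 60 + ndays * 3600 * 24);
+        nextupd = X509_time_adj_ex(NULL, ndays, nmin * 60, NULL);
 
     /* Examine each certificate id in the request */
     for (i = 0; i < id_count; i++) {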
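Review bot: The value returned by X509_time_adj_ex() is assigned to nextupd with no NULL check, and unlike the old seconds arithmetic the new call can fail outright when the adjusted date is out of range or an allocation fails. How nextupd is consumed is not visible in the hunk, but if it is passed on as-is the response would presumably be built without a nextUpdate time rather than reporting an error; an `if (nextupd == NULL)` guard directly after the assignment, leaving through whatever error exit the function uses, would close that. The seconds argument `nmin * 60` is still multiplied before it is widened, so if nmin is an int it can overflow for very large values; `(long)nmin * 60` avoids that. make_ocsp_response() starts and ends outside the hunk.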
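index 283d0552afbe38909b1216f64529caaaa95e2117..37d3a71e4a19fa2dda05be05a15d322351662a78 100644
--- a/apps/x509.c
+++ b/apps/x509.c
@@ -1101,8 +1101,7 @@ static int sign(X509 *x, EVP_PKEY *pkey, int days, int clrext,
     if (X509_gmtime_adj(X509_get_notBefore(x), 0) == NULL)
         goto err;
 
-    if (X509_gmtime_adj(X509_get_notAfter(x), (long)60 * 60 * 24 * days) ==
-        NULL)
+    if (X509_time_adj_ex(X509_get_notAfter(x), days, 0, NULL) == NULL)
         goto err;
 
     if (!X509_set_pubkey(x, pkey))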
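Review bot: Nothing at the notAfter call records why X509_time_adj_ex() replaced the `(long)60 * 60 * 24 * days` product, so a later cleanup could fold the offset back into a single seconds value; a comment above the call such as `/* pass days separately: a seconds product can overflow long/time_t */` would pin that down. Within this hunk `days` reaches the call unvalidated, so a zero or negative value would produce a notAfter that is not later than notBefore unless the caller rejects it, which is worth confirming where the option is parsed. sign() starts and ends outside the hunk.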