/pidgin/main: 2aa4d5ab8916: Add workaround so that certificates ...
Daniel Atallah
datallah at pidgin.im
Thu Jul 11 17:52:03 EDT 2013
Changeset: 2aa4d5ab8916f83aa3ad3a06c1ab7324d9d90d64
Author: Daniel Atallah <datallah at pidgin.im>
Date: 2013-07-10 19:45 -0400
Branch: release-2.x.y
URL: https://hg.pidgin.im/pidgin/main/rev/2aa4d5ab8916
Description:
Add workaround so that certificates with times that can't be represented using
32-bit timestamps will still work when using NSS. Refs #15586
* the current libpurple API uses time_t (signed 32-bit on most platforms)
* this works by fudging the certificate dates to the subset of the time window
that can be represented with time_t
diffstat:
libpurple/plugins/ssl/ssl-nss.c | 50 +++++++++++++++++++++++++++++++++++++++-
1 files changed, 48 insertions(+), 2 deletions(-)
diffs (71 lines):
diff --git a/libpurple/plugins/ssl/ssl-nss.c b/libpurple/plugins/ssl/ssl-nss.c
--- a/libpurple/plugins/ssl/ssl-nss.c
+++ b/libpurple/plugins/ssl/ssl-nss.c
@@ -29,7 +29,15 @@
#define SSL_NSS_PLUGIN_ID "ssl-nss"
+#ifdef _WIN32
+# ifndef HAVE_LONG_LONG
+#define HAVE_LONG_LONG
+# endif
+#else
+/* TODO: Why is this done?
+ * This is probably being overridden by <nspr.h> (prcpucfg.h) on *nix OSes */
#undef HAVE_LONG_LONG /* Make Mozilla less angry. If angry, Mozilla SMASH! */
+#endif
#include <nspr.h>
#include <nss.h>
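Review bot: The new `_WIN32` branch defines `HAVE_LONG_LONG` with no comment explaining why, while the `#else` branch keeps the `#undef` under a TODO that questions it. If the intent is for NSPR's 64-bit types to be native integers, so that the `PRTime` division and comparisons added in x509_times behave as plain arithmetic, a comment should say so, for example `/* NSPR needs HAVE_LONG_LONG for a native 64-bit PRTime; x509_times does arithmetic on it */`. That reading is inferred from the second hunk rather than shown here, so it should be confirmed against the NSPR headers before the TODO is resolved.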
@@ -910,11 +918,49 @@ x509_times (PurpleCertificate *crt, time
/* NSS's native PRTime type *almost* corresponds to time_t; however,
it measures *microseconds* since the epoch, not seconds. Hence
the funny conversion. */
+ nss_activ = nss_activ / 1000000;
+ nss_expir = nss_expir / 1000000;
+
if (activation) {
- *activation = nss_activ / 1000000;
+ *activation = nss_activ;
+#if SIZEOF_TIME_T == 4
+ /** Hack to deal with dates past the 32-bit barrier.
+ Handling is different for signed vs unsigned 32-bit types.
+ */
+ if (*activation != nss_activ) {
+ if (nss_activ < 0) {
+ purple_debug_warning("nss",
+ "Setting Activation Date to epoch to handle pre-epoch value\n");
+ *activation = 0;
+ } else {
+ purple_debug_error("nss",
+ "Activation date past 32-bit barrier, forcing invalidity\n");
+ return FALSE;
+ }
+ }
+#endif
}
if (expiration) {
- *expiration = nss_expir / 1000000;
+ *expiration = nss_expir;
+#if SIZEOF_TIME_T == 4
+ if (*expiration != nss_expir) {
+ if (*expiration < nss_expir) {
+ if (*expiration < 0) {
+ purple_debug_warning("nss",
+ "Setting Expiration Date to 32-bit signed max\n");
+ *expiration = PR_INT32_MAX;
+ } else {
+ purple_debug_warning("nss",
+ "Setting Expiration Date to 32-bit unsigned max\n");
+ *expiration = PR_UINT32_MAX;
+ }
+ } else {
+ purple_debug_error("nss",
+ "Expiration date prior to unix epoch, forcing invalidity\n");
+ return FALSE;
+ }
+ }
+#endif
}
return TRUE;
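Review bot: In the expiration branch the sign of the already-truncated `*expiration` is used to guess whether time_t is signed, and that guess misfires when time_t is signed and the low 32 bits of the real value have the top bit clear (a constructed example is 2^32 + 100 seconds). That path stores `PR_UINT32_MAX` into a signed 32-bit time_t, which typically becomes -1, so a long-lived certificate is reported as expired just before the epoch instead of being clamped to the maximum, and the debug message says otherwise. Deciding from the type removes the guess: `*expiration = ((time_t)-1 < 0) ? PR_INT32_MAX : PR_UINT32_MAX;`. Both `return FALSE` paths also leave the wrapped value in the out parameter, so a caller that ignores the result would read a bogus date; the callers are not visible here. x509_times starts before this hunk.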