From bc298cd0f77dce2d452efd3e3d3153e2a9a17dbf Mon Sep 17 00:00:00 2001
From: Mark Andrews <marka@isc.org>
Date: Fri, 27 Jan 2012 01:43:53 +0000
Subject: [PATCH] 3268.   [bug]           Convert RRSIG expiry times to 64
 timestamps to work                         out the earliest expiry time. [RT
 #23311]

---
 CHANGES                    |  3 +++
 lib/dns/include/dns/time.h |  8 +++++++-
 lib/dns/time.c             | 14 ++++++++++----
 lib/dns/win32/libdns.def   |  1 +
 lib/dns/zone.c             | 38 ++++++++++++++++++++++++--------------
 5 files changed, 45 insertions(+), 19 deletions(-)

diff --git a/CHANGES b/CHANGES
index 95959d8ceb..9adfa0d0cc 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+3268.	[bug]		Convert RRSIG expiry times to 64 timestamps to work
+			out the earliest expiry time. [RT #23311]
+
 3267.	[bug]		Memory allocation failures could be mis-reported as
 			unexpected error.  New ISC_R_UNSET result code.
 			[RT #27336]
diff --git a/lib/dns/include/dns/time.h b/lib/dns/include/dns/time.h
index 5b47d11c13..ff817a92e6 100644
--- a/lib/dns/include/dns/time.h
+++ b/lib/dns/include/dns/time.h
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: time.h,v 1.17 2007/06/19 23:47:17 tbox Exp $ */
+/* $Id: time.h,v 1.18 2012/01/27 01:43:52 marka Exp $ */
 
 #ifndef DNS_TIME_H
 #define DNS_TIME_H 1
@@ -67,6 +67,12 @@ dns_time32_totext(isc_uint32_t value, isc_buffer_t *target);
  * current date is chosen.
  */
 
+isc_int64_t
+dns_time64_from32(isc_uint32_t value);
+/*%<
+ * Covert a 32-bit cyclic time value into a 64 bit time stamp. 
+ */
+
 ISC_LANG_ENDDECLS
 
 #endif /* DNS_TIME_H */
diff --git a/lib/dns/time.c b/lib/dns/time.c
index 993199850b..5c6cead244 100644
--- a/lib/dns/time.c
+++ b/lib/dns/time.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: time.c,v 1.37 2011/03/09 23:47:17 tbox Exp $ */
+/* $Id: time.c,v 1.38 2012/01/27 01:43:51 marka Exp $ */
 
 /*! \file */
 
@@ -103,8 +103,8 @@ dns_time64_totext(isc_int64_t t, isc_buffer_t *target) {
 	return (ISC_R_SUCCESS);
 }
 
-isc_result_t
-dns_time32_totext(isc_uint32_t value, isc_buffer_t *target) {
+isc_int64_t
+dns_time64_from32(isc_uint32_t value) {
 	isc_stdtime_t now;
 	isc_int64_t start;
 	isc_int64_t t;
@@ -121,7 +121,13 @@ dns_time32_totext(isc_uint32_t value, isc_buffer_t *target) {
 		t = start + (value - now);
 	else
 		t = start - (now - value);
-	return (dns_time64_totext(t, target));
+
+	return (t);
+}
+
+isc_result_t
+dns_time32_totext(isc_uint32_t value, isc_buffer_t *target) {
+	return (dns_time64_totext(dns_time64_from32(value), target));
 }
 
 isc_result_t
diff --git a/lib/dns/win32/libdns.def b/lib/dns/win32/libdns.def
index 615d068f9c..bf16469f4e 100644
--- a/lib/dns/win32/libdns.def
+++ b/lib/dns/win32/libdns.def
@@ -686,6 +686,7 @@ dns_tcpmsg_readmessage
 dns_tcpmsg_setmaxsize
 dns_time32_fromtext
 dns_time32_totext
+dns_time64_from32
 dns_time64_fromtext
 dns_time64_totext
 dns_timer_setidle
diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index 3fbdca1059..3da0a31318 100644
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: zone.c,v 1.664 2012/01/25 23:46:49 tbox Exp $ */
+/* $Id: zone.c,v 1.665 2012/01/27 01:43:51 marka Exp $ */
 
 /*! \file */
 
@@ -76,6 +76,7 @@
 #include <dns/soa.h>
 #include <dns/ssu.h>
 #include <dns/stats.h>
+#include <dns/time.h>
 #include <dns/tsig.h>
 #include <dns/update.h>
 #include <dns/xfrin.h>
@@ -5001,7 +5002,7 @@ offline(dns_db_t *db, dns_dbversion_t *ver, dns_diff_t *diff, dns_name_t *name,
 }
 
 static void
-set_key_expiry_warning(dns_zone_t *zone, isc_stdtime_t when, isc_stdtime_t now)
+set_key_expiry_warning(dns_zone_t *zone, isc_uint64_t when, isc_stdtime_t now)
 {
 	unsigned int delta;
 	char timebuf[80];
@@ -5080,7 +5081,7 @@ del_sigs(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
 	unsigned int i;
 	dns_rdata_rrsig_t rrsig;
 	isc_boolean_t found, changed;
-	isc_stdtime_t warn = 0, maybe = 0;
+	isc_int64_t warn = 0, maybe = 0;
 
 	dns_rdataset_init(&rdataset);
 
@@ -5182,21 +5183,20 @@ del_sigs(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
 				 * iff there is a new offline signature.
 				 */
 				if (!dst_key_isprivate(keys[i])) {
-					if (warn != 0 &&
-					    warn > rrsig.timeexpire)
-						warn = rrsig.timeexpire;
+					isc_int64_t timeexpire =
+					   dns_time64_from32(rrsig.timeexpire);
+					if (warn != 0 && warn > timeexpire)
+						warn = timeexpire;
 					if (rdata.flags & DNS_RDATA_OFFLINE) {
 						if (maybe == 0 ||
-						    maybe > rrsig.timeexpire)
-							maybe =
-							     rrsig.timeexpire;
+						    maybe > timeexpire)
+							maybe = timeexpire;
 						break;
 					}
 					if (warn == 0)
 						warn = maybe;
-					if (warn == 0 ||
-					    warn > rrsig.timeexpire)
-						warn = rrsig.timeexpire;
+					if (warn == 0 || warn > timeexpire)
+						warn = timeexpire;
 					result = offline(db, ver, diff, name,
 							 rdataset.ttl, &rdata);
 					break;
@@ -5227,8 +5227,18 @@ del_sigs(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
 	dns_rdataset_disassociate(&rdataset);
 	if (result == ISC_R_NOMORE)
 		result = ISC_R_SUCCESS;
-	if (warn != 0)
-		set_key_expiry_warning(zone, warn, now);
+	if (warn > 0) {
+#if defined(STDTIME_ON_32BITS)
+		isc_stdtime_t stdwarn = (isc_stdtime_t)warn;
+		if (warn == stdwarn)
+#endif
+			set_key_expiry_warning(zone, (isc_stdtime_t)warn, now);
+#if defined(STDTIME_ON_32BITS)
+		else
+			dns_zone_log(zone, ISC_LOG_ERROR,
+			     	     "key expiry warning time out of range");
+#endif
+	}
  failure:
 	if (node != NULL)
 		dns_db_detachnode(db, &node);