authorKazuki Yamaguchi <k@rhe.jp>2016-06-01 16:33:56 +0900
committerKazuki Yamaguchi <k@rhe.jp>2016-06-01 16:33:56 +0900
commitdc2222fd8323d0c8cb74e25dad819ecdbdd99e2a (patch)
tree7a1aee21a017cfd9c51fbaee44193e7257044412
parent17b3f3ed11660fd3adaf74ca7e13fdf83689a241 (diff)
downloadruby-topic/openssl-get-rid-of-time_t.tar.gz
openssl: fix the Year 2038 issuetopic/openssl-get-rid-of-time_t
The fix in r55219 was wrong. It fixed the issue only when long is 32bit and time_t is 64bit, but time_t may also be 32bit. OpenSSL 1.0.0 introduced ASN1_TIME_adj() and X509_time_adj_ex(), which take an offset in days, so make use of them.
-rw-r--r--ext/openssl/extconf.rb1
-rw-r--r--ext/openssl/ossl_asn1.c38
-rw-r--r--ext/openssl/ossl_asn1.h4
-rw-r--r--ext/openssl/ossl_x509.c15
-rw-r--r--ext/openssl/ossl_x509.h2
-rw-r--r--ext/openssl/ossl_x509cert.c10
-rw-r--r--ext/openssl/ossl_x509crl.c12
-rw-r--r--ext/openssl/ossl_x509revoked.c5
8 files changed, 62 insertions, 25 deletions
diff --git a/ext/openssl/extconf.rb b/ext/openssl/extconf.rb
index eeeae44..aa6351d 100644
--- a/ext/openssl/extconf.rb
+++ b/ext/openssl/extconf.rb
@@ -85,6 +85,7 @@ engines.each { |name|
}
# added in 1.0.0
+have_func("ASN1_TIME_adj")
have_func("EVP_CIPHER_CTX_copy")
have_func("HMAC_CTX_copy")
have_func("PKCS5_PBKDF2_HMAC")
diff --git a/ext/openssl/ossl_asn1.c b/ext/openssl/ossl_asn1.c
index 43a3d2d..5be0a0b 100644
--- a/ext/openssl/ossl_asn1.c
+++ b/ext/openssl/ossl_asn1.c
@@ -75,11 +75,27 @@ asn1time_to_time(ASN1_TIME *time)
return rb_funcall2(rb_cTime, rb_intern("utc"), 6, argv);
}
+#if defined(HAVE_ASN1_TIME_ADJ)
+void
+ossl_time_extract(VALUE time, time_t *sec, int *days)
+{
+ VALUE divmod;
+
+ divmod = rb_check_array_type(
+ rb_funcall(rb_Integer(time), rb_intern("divmod"), 1, INT2FIX(86400)));
+ *days = NUM2INT(RARRAY_AREF(divmod, 0));
+ *sec = NUM2TIMET(RARRAY_AREF(divmod, 1));
+}
+#else
+/* OpenSSL 0.9.8 does not have ASN1_TIME_adj(). In that case, we have to use
+ * ASN1_TIME_set() but it has the Year 2038 issue on sizeof(time_t) == 4
+ * environment. */
time_t
time_to_time_t(VALUE time)
{
return (time_t)NUM2TIMET(rb_Integer(time));
}
+#endif
/*
* STRING conversion
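Review bot: `ossl_time_extract` indexes `divmod` with `RARRAY_AREF` without checking what `rb_check_array_type` returned. That call yields nil when the `divmod` result is not array-like (possible if `Integer#divmod` has been redefined), and indexing nil from C is an invalid memory access rather than a Ruby exception. Add `if (NIL_P(divmod) || RARRAY_LEN(divmod) != 2) rb_raise(rb_eTypeError, "divmod must return [quotient, remainder]");` before the two conversions. A one-line contract comment would also help, e.g. `/* Splits time into whole days since the epoch and the remaining seconds; divmod floors, so *sec is 0..86399 even for negative times. */`.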
@@ -279,27 +295,41 @@ obj_to_asn1obj(VALUE obj)
return a1obj;
}
-static ASN1_UTCTIME*
+static ASN1_UTCTIME *
obj_to_asn1utime(VALUE time)
{
time_t sec;
ASN1_UTCTIME *t;
+#if defined(HAVE_ASN1_TIME_ADJ)
+ int off_days;
+
+ ossl_time_extract(time, &sec, &off_days);
+ if (!(t = ASN1_UTCTIME_adj(NULL, sec, off_days, 0)))
+#else
sec = time_to_time_t(time);
- if(!(t = ASN1_UTCTIME_set(NULL, sec)))
+ if (!(t = ASN1_UTCTIME_set(NULL, sec)))
+#endif
ossl_raise(eASN1Error, NULL);
return t;
}
-static ASN1_GENERALIZEDTIME*
+static ASN1_GENERALIZEDTIME *
obj_to_asn1gtime(VALUE time)
{
time_t sec;
ASN1_GENERALIZEDTIME *t;
+#if defined(HAVE_ASN1_TIME_ADJ)
+ int off_days;
+
+ ossl_time_extract(time, &sec, &off_days);
+ if (!(t = ASN1_GENERALIZEDTIME_adj(NULL, sec, off_days, 0)))
+#else
sec = time_to_time_t(time);
- if(!(t =ASN1_GENERALIZEDTIME_set(NULL, sec)))
+ if (!(t = ASN1_GENERALIZEDTIME_set(NULL, sec)))
+#endif
ossl_raise(eASN1Error, NULL);
return t;
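Review bot: In `obj_to_asn1utime` and `obj_to_asn1gtime` the `if (...)` header sits inside the `#if`/`#else` branches while its body, `ossl_raise(eASN1Error, NULL);`, follows `#endif`. The NULL check on a freshly allocated ASN.1 time is therefore split across preprocessor branches, and a later edit to one branch can detach it without any warning in the other configuration. Assign in each branch (`t = ASN1_UTCTIME_adj(NULL, sec, off_days, 0);` and `t = ASN1_UTCTIME_set(NULL, sec);`) and test once after `#endif` with `if (!t) ossl_raise(eASN1Error, NULL);`; the same applies to the GENERALIZEDTIME pair. The closing brace of `obj_to_asn1gtime` is outside the hunk.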
diff --git a/ext/openssl/ossl_asn1.h b/ext/openssl/ossl_asn1.h
index 8250746..5c692bf 100644
--- a/ext/openssl/ossl_asn1.h
+++ b/ext/openssl/ossl_asn1.h
@@ -14,7 +14,11 @@
* ASN1_DATE conversions
*/
VALUE asn1time_to_time(ASN1_TIME *);
+#if defined(HAVE_ASN1_TIME_ADJ)
+void ossl_time_extract(VALUE time, time_t *, int *);
+#else
time_t time_to_time_t(VALUE);
+#endif
/*
* ASN1_STRING conversions
diff --git a/ext/openssl/ossl_x509.c b/ext/openssl/ossl_x509.c
index cf62b53..e9a60b7 100644
--- a/ext/openssl/ossl_x509.c
+++ b/ext/openssl/ossl_x509.c
@@ -15,6 +15,21 @@ VALUE mX509;
#define DefX509Default(x,i) \
rb_define_const(mX509, "DEFAULT_" #x, rb_str_new2(X509_get_default_##i()))
+ASN1_TIME *
+ossl_x509_time_adjust(ASN1_TIME *s, VALUE time)
+{
+ time_t sec;
+
+#if defined(HAVE_ASN1_TIME_ADJ)
+ int off_days;
+ ossl_time_extract(time, &sec, &off_days);
+ return X509_time_adj_ex(s, off_days, 0, &sec);
+#else
+ sec = time_to_time_t(time);
+ return X509_time_adj(s, 0, &sec);
+#endif
+}
+
void
Init_ossl_x509(void)
{
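Review bot: `ossl_x509_time_adjust` is added without a comment stating its return and ownership contract, which every certificate, CRL and revocation setter in this commit now relies on. Suggested header: `/* Sets s to the given Ruby time and returns it; when s is NULL a new ASN1_TIME is allocated and returned. Returns NULL on OpenSSL failure; may raise if time cannot be converted. */`. It is also worth repeating there that the `#else` path goes through `time_to_time_t()` and so keeps the Year 2038 limit when `sizeof(time_t) == 4`, since validity dates past 2038 are the case this commit targets.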
diff --git a/ext/openssl/ossl_x509.h b/ext/openssl/ossl_x509.h
index 8e9b233..8b666ac 100644
--- a/ext/openssl/ossl_x509.h
+++ b/ext/openssl/ossl_x509.h
@@ -15,6 +15,8 @@
*/
extern VALUE mX509;
+ASN1_TIME *ossl_x509_time_adjust(ASN1_TIME *, VALUE);
+
void Init_ossl_x509(void);
/*
diff --git a/ext/openssl/ossl_x509cert.c b/ext/openssl/ossl_x509cert.c
index 34b8aae..13e738f 100644
--- a/ext/openssl/ossl_x509cert.c
+++ b/ext/openssl/ossl_x509cert.c
@@ -476,13 +476,10 @@ static VALUE
ossl_x509_set_not_before(VALUE self, VALUE time)
{
X509 *x509;
- time_t sec;
- sec = time_to_time_t(time);
GetX509(self, x509);
- if (!X509_time_adj(X509_get_notBefore(x509), 0, &sec)) {
+ if (!ossl_x509_time_adjust(X509_get_notBefore(x509), time))
ossl_raise(eX509CertError, NULL);
- }
return time;
}
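Review bot: `ossl_x509_set_not_before` now reads `X509_get_notBefore(x509)` before the Ruby value is converted, whereas the removed code called `time_to_time_t(time)` first. The conversion inside the helper goes through `rb_Integer(time)`, which can call a user-defined `to_int`/`to_i`, so arbitrary Ruby code may run while the C side already holds a raw pointer into the certificate. Whether that code can invalidate the pointer is not visible from this hunk, but restoring the old order is cheap: `VALUE num = rb_Integer(time);` before `GetX509(self, x509);`, then pass `num` to `ossl_x509_time_adjust`. The same ordering applies to `ossl_x509_set_not_after`, `ossl_x509crl_set_last_update`, `ossl_x509crl_set_next_update` and `ossl_x509revoked_set_time`.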
@@ -513,13 +510,10 @@ static VALUE
ossl_x509_set_not_after(VALUE self, VALUE time)
{
X509 *x509;
- time_t sec;
- sec = time_to_time_t(time);
GetX509(self, x509);
- if (!X509_time_adj(X509_get_notAfter(x509), 0, &sec)) {
+ if (!ossl_x509_time_adjust(X509_get_notAfter(x509), time))
ossl_raise(eX509CertError, NULL);
- }
return time;
}
diff --git a/ext/openssl/ossl_x509crl.c b/ext/openssl/ossl_x509crl.c
index a660ccc..82fd128 100644
--- a/ext/openssl/ossl_x509crl.c
+++ b/ext/openssl/ossl_x509crl.c
@@ -235,13 +235,10 @@ static VALUE
ossl_x509crl_set_last_update(VALUE self, VALUE time)
{
X509_CRL *crl;
- time_t sec;
- sec = time_to_time_t(time);
GetX509CRL(self, crl);
- if (!X509_time_adj(crl->crl->lastUpdate, 0, &sec)) {
+ if (!ossl_x509_time_adjust(crl->crl->lastUpdate, time))
ossl_raise(eX509CRLError, NULL);
- }
return time;
}
@@ -260,14 +257,11 @@ static VALUE
ossl_x509crl_set_next_update(VALUE self, VALUE time)
{
X509_CRL *crl;
- time_t sec;
- sec = time_to_time_t(time);
GetX509CRL(self, crl);
- /* This must be some thinko in OpenSSL */
- if (!(crl->crl->nextUpdate = X509_time_adj(crl->crl->nextUpdate, 0, &sec))){
+ /* crl->crl->nextUpdate may be NULL at this time */
+ if (!(crl->crl->nextUpdate = ossl_x509_time_adjust(crl->crl->nextUpdate, time)))
ossl_raise(eX509CRLError, NULL);
- }
return time;
}
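Review bot: In `ossl_x509crl_set_next_update` the result of `ossl_x509_time_adjust` is stored straight into `crl->crl->nextUpdate` before the NULL check. If the adjust fails on an existing value, the field is overwritten with NULL before `ossl_raise` runs. The previous ASN1_TIME is then presumably leaked, and the CRL is left without a nextUpdate even though the setter raised. Keep the result in a local first: `ASN1_TIME *t = ossl_x509_time_adjust(crl->crl->nextUpdate, time);`, then `if (!t) ossl_raise(eX509CRLError, NULL);`, then `crl->crl->nextUpdate = t;`. The removed line had the same pattern, so this is inherited rather than introduced here.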
diff --git a/ext/openssl/ossl_x509revoked.c b/ext/openssl/ossl_x509revoked.c
index 46250e1..fc1a7d1 100644
--- a/ext/openssl/ossl_x509revoked.c
+++ b/ext/openssl/ossl_x509revoked.c
@@ -144,13 +144,10 @@ static VALUE
ossl_x509revoked_set_time(VALUE self, VALUE time)
{
X509_REVOKED *rev;
- time_t sec;
- sec = time_to_time_t(time);
GetX509Rev(self, rev);
- if (!X509_time_adj(rev->revocationDate, 0, &sec)) {
+ if (!ossl_x509_time_adjust(rev->revocationDate, time))
ossl_raise(eX509RevError, NULL);
- }
return time;
}