From dc2222fd8323d0c8cb74e25dad819ecdbdd99e2a Mon Sep 17 00:00:00 2001 From: Kazuki Yamaguchi Date: Wed, 1 Jun 2016 16:33:56 +0900 Subject: openssl: fix the Year 2038 issue The fix in r55219 was wrong. It fixed the issue only when long is 32bit and also time_t is 64bit. But time_t may be 32bit. OpenSSL 1.0.0 introduced ASN1_TIME_adj() and X509_time_adj_ex() which takes offset days. So make use of it. --- ext/openssl/extconf.rb | 1 + ext/openssl/ossl_asn1.c | 38 ++++++++++++++++++++++++++++++++++---- ext/openssl/ossl_asn1.h | 4 ++++ ext/openssl/ossl_x509.c | 15 +++++++++++++++ ext/openssl/ossl_x509.h | 2 ++ ext/openssl/ossl_x509cert.c | 10 ++-------- ext/openssl/ossl_x509crl.c | 12 +++--------- ext/openssl/ossl_x509revoked.c | 5 +---- 8 files changed, 62 insertions(+), 25 deletions(-) diff --git a/ext/openssl/extconf.rb b/ext/openssl/extconf.rb index eeeae448c0..aa6351d9f8 100644 --- a/ext/openssl/extconf.rb +++ b/ext/openssl/extconf.rb @@ -85,6 +85,7 @@ engines.each { |name| } # added in 1.0.0 +have_func("ASN1_TIME_adj") have_func("EVP_CIPHER_CTX_copy") have_func("HMAC_CTX_copy") have_func("PKCS5_PBKDF2_HMAC") diff --git a/ext/openssl/ossl_asn1.c b/ext/openssl/ossl_asn1.c index 43a3d2d88a..5be0a0ba55 100644 --- a/ext/openssl/ossl_asn1.c +++ b/ext/openssl/ossl_asn1.c 
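Review bot: The single probe `have_func("ASN1_TIME_adj")` added under `# added in 1.0.0` ends up gating more than the one function it names, and nothing on the line says so. The C changes in this commit call `ASN1_UTCTIME_adj`, `ASN1_GENERALIZEDTIME_adj` and `X509_time_adj_ex` under the same `HAVE_ASN1_TIME_ADJ` guard. A comment such as `# HAVE_ASN1_TIME_ADJ also guards ASN1_UTCTIME_adj, ASN1_GENERALIZEDTIME_adj and X509_time_adj_ex` would record that assumption, so a build failure against a library that ships only some of them is easy to trace.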
@@ -75,11 +75,27 @@ asn1time_to_time(ASN1_TIME *time) return rb_funcall2(rb_cTime, rb_intern("utc"), 6, argv); } +#if defined(HAVE_ASN1_TIME_ADJ) +void +ossl_time_extract(VALUE time, time_t *sec, int *days) +{ + VALUE divmod; + + divmod = rb_check_array_type( + rb_funcall(rb_Integer(time), rb_intern("divmod"), 1, INT2FIX(86400))); + *days = NUM2INT(RARRAY_AREF(divmod, 0)); + *sec = NUM2TIMET(RARRAY_AREF(divmod, 1)); +} +#else +/* OpenSSL 0.9.8 does not have ASN1_TIME_adj(). In that case, we have to use + * ASN1_TIME_set() but it has the Year 2038 issue on sizeof(time_t) == 4 + * environment. */ time_t time_to_time_t(VALUE time) { return (time_t)NUM2TIMET(rb_Integer(time)); } +#endif /* * STRING conversion @@ -279,27 +295,41 @@ obj_to_asn1obj(VALUE obj) return a1obj; } -static ASN1_UTCTIME* +static ASN1_UTCTIME * obj_to_asn1utime(VALUE time) { time_t sec; ASN1_UTCTIME *t; +#if defined(HAVE_ASN1_TIME_ADJ) + int off_days; + + ossl_time_extract(time, &sec, &off_days); + if (!(t = ASN1_UTCTIME_adj(NULL, sec, off_days, 0))) +#else sec = time_to_time_t(time); - if(!(t = ASN1_UTCTIME_set(NULL, sec))) + if (!(t = ASN1_UTCTIME_set(NULL, sec))) +#endif ossl_raise(eASN1Error, NULL); return t; } -static ASN1_GENERALIZEDTIME* +static ASN1_GENERALIZEDTIME * obj_to_asn1gtime(VALUE time) { time_t sec; ASN1_GENERALIZEDTIME *t; +#if defined(HAVE_ASN1_TIME_ADJ) + int off_days; + + ossl_time_extract(time, &sec, &off_days); + if (!(t = ASN1_GENERALIZEDTIME_adj(NULL, sec, off_days, 0))) +#else sec = time_to_time_t(time); - if(!(t =ASN1_GENERALIZEDTIME_set(NULL, sec))) + if (!(t = ASN1_GENERALIZEDTIME_set(NULL, sec))) +#endif ossl_raise(eASN1Error, NULL); return t; diff --git a/ext/openssl/ossl_asn1.h b/ext/openssl/ossl_asn1.h index 8250746c79..5c692bf2f0 100644 --- a/ext/openssl/ossl_asn1.h +++ b/ext/openssl/ossl_asn1.h 
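Review bot: In `ossl_time_extract`, the result of `rb_check_array_type()` is read with `RARRAY_AREF` without a nil check, and that function returns nil when the value is not an Array, which can happen if `divmod` has been redefined. Adding `if (NIL_P(divmod)) rb_raise(rb_eTypeError, "divmod did not return an Array");` before the two reads keeps the failure a Ruby exception instead of an invalid memory access. The function also deserves a short comment stating its contract: `*days` receives the floored quotient of the epoch seconds by 86400, `*sec` the remainder in 0..86399, and `NUM2INT` raises RangeError when the day count does not fit an `int`. These two values become certificate and CRL validity times, so the contract is worth writing down where the split happens.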
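Review bot: In `obj_to_asn1utime` and `obj_to_asn1gtime` the `if (!(t = ...))` head is written once in each preprocessor branch while its body, `ossl_raise(eASN1Error, NULL);`, sits after `#endif`, so the statement only parses when read across the `#if`. Assigning in each branch (`t = ASN1_UTCTIME_adj(NULL, sec, off_days, 0);` and `t = ASN1_UTCTIME_set(NULL, sec);`) and testing once after `#endif` with `if (!t)` keeps each branch self-contained. Separately, UTCTime carries a two-digit year, so now that values past 2038 reach this code, `obj_to_asn1utime` presumably fails for far-future times. Because the raise passes NULL as its message, an explicit message would let callers tell a range problem from other ASN.1 errors.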
@@ -14,7 +14,11 @@ * ASN1_DATE conversions */ VALUE asn1time_to_time(ASN1_TIME *); +#if defined(HAVE_ASN1_TIME_ADJ) +void ossl_time_extract(VALUE time, time_t *, int *); +#else time_t time_to_time_t(VALUE); +#endif /* * ASN1_STRING conversions diff --git a/ext/openssl/ossl_x509.c b/ext/openssl/ossl_x509.c index cf62b53e28..e9a60b7f0a 100644 --- a/ext/openssl/ossl_x509.c +++ b/ext/openssl/ossl_x509.c @@ -15,6 +15,21 @@ VALUE mX509; #define DefX509Default(x,i) \ rb_define_const(mX509, "DEFAULT_" #x, rb_str_new2(X509_get_default_##i())) +ASN1_TIME * +ossl_x509_time_adjust(ASN1_TIME *s, VALUE time) +{ + time_t sec; + +#if defined(HAVE_ASN1_TIME_ADJ) + int off_days; + ossl_time_extract(time, &sec, &off_days); + return X509_time_adj_ex(s, off_days, 0, &sec); +#else + sec = time_to_time_t(time); + return X509_time_adj(s, 0, &sec); +#endif +} + void Init_ossl_x509(void) { diff --git a/ext/openssl/ossl_x509.h b/ext/openssl/ossl_x509.h index 8e9b233098..8b666ac2ae 100644 --- a/ext/openssl/ossl_x509.h +++ b/ext/openssl/ossl_x509.h @@ -15,6 +15,8 @@ */ extern VALUE mX509; +ASN1_TIME *ossl_x509_time_adjust(ASN1_TIME *, VALUE); + void Init_ossl_x509(void); /* diff --git a/ext/openssl/ossl_x509cert.c b/ext/openssl/ossl_x509cert.c index 34b8aae7cd..13e738f30f 100644 --- a/ext/openssl/ossl_x509cert.c +++ b/ext/openssl/ossl_x509cert.c @@ -476,13 +476,10 @@ static VALUE ossl_x509_set_not_before(VALUE self, VALUE time) { X509 *x509; - time_t sec; - sec = time_to_time_t(time); GetX509(self, x509); - if (!X509_time_adj(X509_get_notBefore(x509), 0, &sec)) { + if (!ossl_x509_time_adjust(X509_get_notBefore(x509), time)) ossl_raise(eX509CertError, NULL); - } return time; } 
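Review bot: `ossl_x509_time_adjust` is exported through ossl_x509.h but has no comment describing its return value, and the callers in this commit depend on it in two different ways. Most of them only test for NULL, while `ossl_x509crl_set_next_update` passes a possibly-NULL `s` and stores the result, which implies the function can return a newly allocated ASN1_TIME that the caller then owns. A header comment along the lines of `/* Sets s to time; if s is NULL a new ASN1_TIME is returned and owned by the caller. Returns NULL on failure. */` would make that explicit, after confirming it against the OpenSSL documentation for `X509_time_adj_ex`. The comment should also say that the `#else` branch keeps the Year 2038 limit when `time_t` is 32 bits wide.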
@@ -513,13 +510,10 @@ static VALUE ossl_x509_set_not_after(VALUE self, VALUE time) { X509 *x509; - time_t sec; - sec = time_to_time_t(time); GetX509(self, x509); - if (!X509_time_adj(X509_get_notAfter(x509), 0, &sec)) { + if (!ossl_x509_time_adjust(X509_get_notAfter(x509), time)) ossl_raise(eX509CertError, NULL); - } return time; } diff --git a/ext/openssl/ossl_x509crl.c b/ext/openssl/ossl_x509crl.c index a660cccebc..82fd128f72 100644 --- a/ext/openssl/ossl_x509crl.c +++ b/ext/openssl/ossl_x509crl.c @@ -235,13 +235,10 @@ static VALUE ossl_x509crl_set_last_update(VALUE self, VALUE time) { X509_CRL *crl; - time_t sec; - sec = time_to_time_t(time); GetX509CRL(self, crl); - if (!X509_time_adj(crl->crl->lastUpdate, 0, &sec)) { + if (!ossl_x509_time_adjust(crl->crl->lastUpdate, time)) ossl_raise(eX509CRLError, NULL); - } return time; } @@ -260,14 +257,11 @@ static VALUE ossl_x509crl_set_next_update(VALUE self, VALUE time) { X509_CRL *crl; - time_t sec; - sec = time_to_time_t(time); GetX509CRL(self, crl); - /* This must be some thinko in OpenSSL */ - if (!(crl->crl->nextUpdate = X509_time_adj(crl->crl->nextUpdate, 0, &sec))){ + /* crl->crl->nextUpdate may be NULL at this time */ + if (!(crl->crl->nextUpdate = ossl_x509_time_adjust(crl->crl->nextUpdate, time))) ossl_raise(eX509CRLError, NULL); - } return time; } diff --git a/ext/openssl/ossl_x509revoked.c b/ext/openssl/ossl_x509revoked.c index 46250e1225..fc1a7d1337 100644 --- a/ext/openssl/ossl_x509revoked.c +++ b/ext/openssl/ossl_x509revoked.c @@ -144,13 +144,10 @@ static VALUE ossl_x509revoked_set_time(VALUE self, VALUE time) { X509_REVOKED *rev; - time_t sec; - sec = time_to_time_t(time); GetX509Rev(self, rev); - if (!X509_time_adj(rev->revocationDate, 0, &sec)) { + if (!ossl_x509_time_adjust(rev->revocationDate, time)) ossl_raise(eX509RevError, NULL); - } return time; } -- cgit v1.2.3
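Review bot: In `ossl_x509crl_set_next_update`, the result of `ossl_x509_time_adjust` is stored into `crl->crl->nextUpdate` before it is checked, so a NULL return overwrites the existing pointer just before `ossl_raise`. If the helper leaves its input untouched on failure (not visible in this hunk, confirm against OpenSSL), the previous ASN1_TIME is leaked and the CRL object is left without a nextUpdate field. Holding the result in a local avoids that: `ASN1_TIME *t = ossl_x509_time_adjust(crl->crl->nextUpdate, time);`, then `if (!t) ossl_raise(eX509CRLError, NULL);`, then `crl->crl->nextUpdate = t;`.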