From 4f407a4a493698802981ffe910a3cbbdd11d6e2f Mon Sep 17 00:00:00 2001 From: rhe Date: Wed, 1 Jun 2016 12:41:15 +0000 Subject: openssl: fix the Year 2038 problem r55219 didn't fix the entire issue. It only fixed the issue on environment with sizeof(time_t) == 8 && sizeof(long) == 4. * ext/openssl/extconf.rb: Check existence of ASN1_TIME_adj(). The old ASN1_TIME_set() is not Year 2038 ready on sizeof(time_t) == 4 environment. This function was added in OpenSSL 1.0.0. [ruby-core:45552] [Bug #6571] * ext/openssl/ossl_asn1.c (ossl_time_split): Added. Split the argument (Time) into the number of days elapsed since the epoch and the remainder seconds to conform to ASN1_TIME_adj(). (obj_to_asn1utime, obj_to_asn1gtime): Use ossl_time_split() and ASN1_*TIME_adj(). * ext/openssl/ossl_asn1.h: Add the function prototype for ossl_time_split(). * ext/openssl/ossl_x509.[ch]: Add ossl_x509_time_adjust(). Similarly to obj_to_asn1*time(), use X509_time_adj_ex() instead of X509_time_adj(). * ext/openssl/ossl_x509cert.c, ext/openssl/ossl_x509crl.c, ext/openssl/ossl_x509revoked.c: Use ossl_x509_time_adjust(). git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55249 b2dd03c8-39d4-4d8f-98ff-823fe69b080e --- ext/openssl/extconf.rb | 1 + ext/openssl/ossl_asn1.c | 43 ++++++++++++++++++++++++++++++++++++------ ext/openssl/ossl_asn1.h | 8 ++++++++ ext/openssl/ossl_x509.c | 16 ++++++++++++++++ ext/openssl/ossl_x509.h | 7 +++++++ ext/openssl/ossl_x509cert.c | 10 ++-------- ext/openssl/ossl_x509crl.c | 12 +++--------- ext/openssl/ossl_x509revoked.c | 5 +---- 8 files changed, 75 insertions(+), 27 deletions(-) (limited to 'ext/openssl') diff --git a/ext/openssl/extconf.rb b/ext/openssl/extconf.rb index eeeae448c0..aa6351d9f8 100644 --- a/ext/openssl/extconf.rb +++ b/ext/openssl/extconf.rb @@ -85,6 +85,7 @@ engines.each { |name| } # added in 1.0.0 +have_func("ASN1_TIME_adj") have_func("EVP_CIPHER_CTX_copy") have_func("HMAC_CTX_copy") have_func("PKCS5_PBKDF2_HMAC") diff --git a/ext/openssl/ossl_asn1.c b/ext/openssl/ossl_asn1.c index 43a3d2d88a..e43d8147e3 100644 --- a/ext/openssl/ossl_asn1.c +++ b/ext/openssl/ossl_asn1.c @@ -75,11 +75,28 @@ asn1time_to_time(ASN1_TIME *time) return rb_funcall2(rb_cTime, rb_intern("utc"), 6, argv); } +#if defined(HAVE_ASN1_TIME_ADJ) +void +ossl_time_split(VALUE time, time_t *sec, int *days) +{ + VALUE num = rb_Integer(time); + + if (FIXNUM_P(num)) { + *days = FIX2LONG(num) / 86400; + *sec = FIX2LONG(num) % 86400; + } + else { + *days = NUM2INT(rb_funcall(num, rb_intern("/"), 1, INT2FIX(86400))); + *sec = NUM2TIMET(rb_funcall(num, rb_intern("%"), 1, INT2FIX(86400))); + } +} +#else time_t time_to_time_t(VALUE time) { return (time_t)NUM2TIMET(rb_Integer(time)); } +#endif /* * STRING conversion @@ -279,28 +296,42 @@ obj_to_asn1obj(VALUE obj) return a1obj; } -static ASN1_UTCTIME* +static ASN1_UTCTIME * obj_to_asn1utime(VALUE time) { time_t sec; ASN1_UTCTIME *t; +#if defined(HAVE_ASN1_TIME_ADJ) + int off_days; + + ossl_time_split(time, &sec, &off_days); + if (!(t = ASN1_UTCTIME_adj(NULL, sec, off_days, 0))) +#else sec = time_to_time_t(time); - if(!(t = ASN1_UTCTIME_set(NULL, sec))) - ossl_raise(eASN1Error, NULL); + if (!(t = ASN1_UTCTIME_set(NULL, sec))) +#endif + ossl_raise(eASN1Error, NULL); return t; } -static ASN1_GENERALIZEDTIME* +static ASN1_GENERALIZEDTIME * obj_to_asn1gtime(VALUE time) { time_t sec; ASN1_GENERALIZEDTIME *t; +#if defined(HAVE_ASN1_TIME_ADJ) + int off_days; + + ossl_time_split(time, &sec, &off_days); + if (!(t = ASN1_GENERALIZEDTIME_adj(NULL, sec, off_days, 0))) +#else sec = time_to_time_t(time); - if(!(t =ASN1_GENERALIZEDTIME_set(NULL, sec))) - ossl_raise(eASN1Error, NULL); + if (!(t = ASN1_GENERALIZEDTIME_set(NULL, sec))) +#endif + ossl_raise(eASN1Error, NULL); return t; } diff --git a/ext/openssl/ossl_asn1.h b/ext/openssl/ossl_asn1.h index 8250746c79..b1c85a6804 100644 --- a/ext/openssl/ossl_asn1.h +++ b/ext/openssl/ossl_asn1.h @@ -14,7 +14,15 @@ * ASN1_DATE conversions */ VALUE asn1time_to_time(ASN1_TIME *); +#if defined(HAVE_ASN1_TIME_ADJ) +/* Splits VALUE to seconds and offset days. VALUE is typically a Time or an + * Integer. This is used when updating ASN1_*TIME with ASN1_TIME_adj() or + * X509_time_adj_ex(). We can't use ASN1_TIME_set() and X509_time_adj() because + * they have the Year 2038 issue on sizeof(time_t) == 4 environment */ +void ossl_time_split(VALUE, time_t *, int *); +#else time_t time_to_time_t(VALUE); +#endif /* * ASN1_STRING conversions diff --git a/ext/openssl/ossl_x509.c b/ext/openssl/ossl_x509.c index cf62b53e28..14f794e8ee 100644 --- a/ext/openssl/ossl_x509.c +++ b/ext/openssl/ossl_x509.c @@ -15,6 +15,22 @@ VALUE mX509; #define DefX509Default(x,i) \ rb_define_const(mX509, "DEFAULT_" #x, rb_str_new2(X509_get_default_##i())) +ASN1_TIME * +ossl_x509_time_adjust(ASN1_TIME *s, VALUE time) +{ + time_t sec; + +#if defined(HAVE_ASN1_TIME_ADJ) + int off_days; + + ossl_time_split(time, &sec, &off_days); + return X509_time_adj_ex(s, off_days, 0, &sec); +#else + sec = time_to_time_t(time); + return X509_time_adj(s, 0, &sec); +#endif +} + void Init_ossl_x509(void) { diff --git a/ext/openssl/ossl_x509.h b/ext/openssl/ossl_x509.h index 8e9b233098..576804858e 100644 --- a/ext/openssl/ossl_x509.h +++ b/ext/openssl/ossl_x509.h @@ -15,6 +15,13 @@ */ extern VALUE mX509; +/* + * Converts the VALUE into Integer and set it to the ASN1_TIME. This is a + * wrapper for X509_time_adj_ex() so passing NULL creates a new ASN1_TIME. + * Note that the caller must check the NULL return. + */ +ASN1_TIME *ossl_x509_time_adjust(ASN1_TIME *, VALUE); + void Init_ossl_x509(void); /* diff --git a/ext/openssl/ossl_x509cert.c b/ext/openssl/ossl_x509cert.c index 34b8aae7cd..13e738f30f 100644 --- a/ext/openssl/ossl_x509cert.c +++ b/ext/openssl/ossl_x509cert.c @@ -476,13 +476,10 @@ static VALUE ossl_x509_set_not_before(VALUE self, VALUE time) { X509 *x509; - time_t sec; - sec = time_to_time_t(time); GetX509(self, x509); - if (!X509_time_adj(X509_get_notBefore(x509), 0, &sec)) { + if (!ossl_x509_time_adjust(X509_get_notBefore(x509), time)) ossl_raise(eX509CertError, NULL); - } return time; } @@ -513,13 +510,10 @@ static VALUE ossl_x509_set_not_after(VALUE self, VALUE time) { X509 *x509; - time_t sec; - sec = time_to_time_t(time); GetX509(self, x509); - if (!X509_time_adj(X509_get_notAfter(x509), 0, &sec)) { + if (!ossl_x509_time_adjust(X509_get_notAfter(x509), time)) ossl_raise(eX509CertError, NULL); - } return time; } diff --git a/ext/openssl/ossl_x509crl.c b/ext/openssl/ossl_x509crl.c index a660cccebc..82fd128f72 100644 --- a/ext/openssl/ossl_x509crl.c +++ b/ext/openssl/ossl_x509crl.c @@ -235,13 +235,10 @@ static VALUE ossl_x509crl_set_last_update(VALUE self, VALUE time) { X509_CRL *crl; - time_t sec; - sec = time_to_time_t(time); GetX509CRL(self, crl); - if (!X509_time_adj(crl->crl->lastUpdate, 0, &sec)) { + if (!ossl_x509_time_adjust(crl->crl->lastUpdate, time)) ossl_raise(eX509CRLError, NULL); - } return time; } @@ -260,14 +257,11 @@ static VALUE ossl_x509crl_set_next_update(VALUE self, VALUE time) { X509_CRL *crl; - time_t sec; - sec = time_to_time_t(time); GetX509CRL(self, crl); - /* This must be some thinko in OpenSSL */ - if (!(crl->crl->nextUpdate = X509_time_adj(crl->crl->nextUpdate, 0, &sec))){ + /* crl->crl->nextUpdate may be NULL at this time */ + if (!(crl->crl->nextUpdate = ossl_x509_time_adjust(crl->crl->nextUpdate, time))) ossl_raise(eX509CRLError, NULL); - } return time; } diff --git a/ext/openssl/ossl_x509revoked.c b/ext/openssl/ossl_x509revoked.c index 46250e1225..fc1a7d1337 100644 --- a/ext/openssl/ossl_x509revoked.c +++ b/ext/openssl/ossl_x509revoked.c @@ -144,13 +144,10 @@ static VALUE ossl_x509revoked_set_time(VALUE self, VALUE time) { X509_REVOKED *rev; - time_t sec; - sec = time_to_time_t(time); GetX509Rev(self, rev); - if (!X509_time_adj(rev->revocationDate, 0, &sec)) { + if (!ossl_x509_time_adjust(rev->revocationDate, time)) ossl_raise(eX509RevError, NULL); - } return time; } -- cgit v1.2.3