ruby-changes:43175
From: rhe <ko1@a...>
Date: Wed, 1 Jun 2016 21:41:21 +0900 (JST)
Subject: [ruby-changes:43175] rhe:r55249 (trunk): openssl: fix the Year 2038 problem
rhe 2016-06-01 21:41:15 +0900 (Wed, 01 Jun 2016) New Revision: 55249 https://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=55249 Log: openssl: fix the Year 2038 problem r55219 didn't fix the entire issue. It only fixed the issue on environment with sizeof(time_t) == 8 && sizeof(long) == 4. * ext/openssl/extconf.rb: Check existence of ASN1_TIME_adj(). The old ASN1_TIME_set() is not Year 2038 ready on sizeof(time_t) == 4 environment. This function was added in OpenSSL 1.0.0. [ruby-core:45552] [Bug #6571] * ext/openssl/ossl_asn1.c (ossl_time_split): Added. Split the argument (Time) into the number of days elapsed since the epoch and the remainder seconds to conform to ASN1_TIME_adj(). (obj_to_asn1utime, obj_to_asn1gtime): Use ossl_time_split() and ASN1_*TIME_adj(). * ext/openssl/ossl_asn1.h: Add the function prototype for ossl_time_split(). * ext/openssl/ossl_x509.[ch]: Add ossl_x509_time_adjust(). Similarly to obj_to_asn1*time(), use X509_time_adj_ex() instead of X509_time_adj(). * ext/openssl/ossl_x509cert.c, ext/openssl/ossl_x509crl.c, ext/openssl/ossl_x509revoked.c: Use ossl_x509_time_adjust(). Modified files: trunk/ChangeLog trunk/ext/openssl/extconf.rb trunk/ext/openssl/ossl_asn1.c trunk/ext/openssl/ossl_asn1.h trunk/ext/openssl/ossl_x509.c trunk/ext/openssl/ossl_x509.h trunk/ext/openssl/ossl_x509cert.c trunk/ext/openssl/ossl_x509crl.c trunk/ext/openssl/ossl_x509revoked.c
Index: ext/openssl/ossl_x509.h
===================================================================
--- ext/openssl/ossl_x509.h (revision 55248)
+++ ext/openssl/ossl_x509.h (revision 55249)
@@ -15,6 +15,13 @@ https://github.com/ruby/ruby/blob/trunk/ext/openssl/ossl_x509.h#L15
 */
 extern VALUE mX509;
+/*
+ * Converts the VALUE into Integer and set it to the ASN1_TIME. This is a
+ * wrapper for X509_time_adj_ex() so passing NULL creates a new ASN1_TIME.
+ * Note that the caller must check the NULL return.
+ */
+ASN1_TIME *ossl_x509_time_adjust(ASN1_TIME *, VALUE);
+
 void Init_ossl_x509(void);
 /*
Index: ext/openssl/ossl_x509cert.c
===================================================================
--- ext/openssl/ossl_x509cert.c (revision 55248)
+++ ext/openssl/ossl_x509cert.c (revision 55249)
@@ -476,13 +476,10 @@ static VALUE https://github.com/ruby/ruby/blob/trunk/ext/openssl/ossl_x509cert.c#L476
 ossl_x509_set_not_before(VALUE self, VALUE time)
 {
 X509 *x509;
- time_t sec;
- sec = time_to_time_t(time);
 GetX509(self, x509);
- if (!X509_time_adj(X509_get_notBefore(x509), 0, &sec)) {
+ if (!ossl_x509_time_adjust(X509_get_notBefore(x509), time))
 ossl_raise(eX509CertError, NULL);
- }
 return time;
 }
@@ -513,13 +510,10 @@ static VALUE https://github.com/ruby/ruby/blob/trunk/ext/openssl/ossl_x509cert.c#L510
 ossl_x509_set_not_after(VALUE self, VALUE time)
 {
 X509 *x509;
- time_t sec;
- sec = time_to_time_t(time);
 GetX509(self, x509);
- if (!X509_time_adj(X509_get_notAfter(x509), 0, &sec)) {
+ if (!ossl_x509_time_adjust(X509_get_notAfter(x509), time))
 ossl_raise(eX509CertError, NULL);
- }
 return time;
 }
Index: ext/openssl/ossl_x509crl.c
===================================================================
--- ext/openssl/ossl_x509crl.c (revision 55248)
+++ ext/openssl/ossl_x509crl.c (revision 55249)
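Review bot: The comment on `ossl_x509_time_adjust()` in ext/openssl/ossl_x509.h documents the NULL return but not two other things a caller has to get right. Going by the definition later in this commit, the VALUE is converted through `ossl_time_split()` (`rb_Integer`, `NUM2INT`), so the call can raise a Ruby exception before OpenSSL is reached; a caller holding an unmanaged allocation at that point would leak it. When the first argument is NULL the caller presumably owns the returned ASN1_TIME. I would extend the comment with `May raise if the VALUE cannot be converted; when the ASN1_TIME argument is NULL the caller must free the result.`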
@@ -235,13 +235,10 @@ static VALUE https://github.com/ruby/ruby/blob/trunk/ext/openssl/ossl_x509crl.c#L235
 ossl_x509crl_set_last_update(VALUE self, VALUE time)
 {
 X509_CRL *crl;
- time_t sec;
- sec = time_to_time_t(time);
 GetX509CRL(self, crl);
- if (!X509_time_adj(crl->crl->lastUpdate, 0, &sec)) {
+ if (!ossl_x509_time_adjust(crl->crl->lastUpdate, time))
 ossl_raise(eX509CRLError, NULL);
- }
 return time;
 }
@@ -260,14 +257,11 @@ static VALUE https://github.com/ruby/ruby/blob/trunk/ext/openssl/ossl_x509crl.c#L257
 ossl_x509crl_set_next_update(VALUE self, VALUE time)
 {
 X509_CRL *crl;
- time_t sec;
- sec = time_to_time_t(time);
 GetX509CRL(self, crl);
- /* This must be some thinko in OpenSSL */
- if (!(crl->crl->nextUpdate = X509_time_adj(crl->crl->nextUpdate, 0, &sec))){
+ /* crl->crl->nextUpdate may be NULL at this time */
+ if (!(crl->crl->nextUpdate = ossl_x509_time_adjust(crl->crl->nextUpdate, time)))
 ossl_raise(eX509CRLError, NULL);
- }
 return time;
 }
Index: ext/openssl/ossl_x509revoked.c
===================================================================
--- ext/openssl/ossl_x509revoked.c (revision 55248)
+++ ext/openssl/ossl_x509revoked.c (revision 55249)
@@ -144,13 +144,10 @@ static VALUE https://github.com/ruby/ruby/blob/trunk/ext/openssl/ossl_x509revoked.c#L144
 ossl_x509revoked_set_time(VALUE self, VALUE time)
 {
 X509_REVOKED *rev;
- time_t sec;
- sec = time_to_time_t(time);
 GetX509Rev(self, rev);
- if (!X509_time_adj(rev->revocationDate, 0, &sec)) {
+ if (!ossl_x509_time_adjust(rev->revocationDate, time))
 ossl_raise(eX509RevError, NULL);
- }
 return time;
 }
Index: ext/openssl/extconf.rb
===================================================================
--- ext/openssl/extconf.rb (revision 55248)
+++ ext/openssl/extconf.rb (revision 55249)
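Review bot: In `ossl_x509crl_set_next_update()` (second hunk of ext/openssl/ossl_x509crl.c) the result of `ossl_x509_time_adjust()` is stored into `crl->crl->nextUpdate` before it is checked, so a failure on an already-set field replaces the pointer with NULL. As far as I can tell X509_time_adj_ex() does not free its input on failure, so the old ASN1_TIME would be leaked and the CRL left without a nextUpdate once the exception is raised. A temporary avoids that: `ASN1_TIME *t = ossl_x509_time_adjust(crl->crl->nextUpdate, time);`, `if (!t) ossl_raise(eX509CRLError, NULL);`, `crl->crl->nextUpdate = t;`. The pattern predates this commit, but the rewritten line keeps it.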
@@ -85,6 +85,7 @@ engines.each { |name| https://github.com/ruby/ruby/blob/trunk/ext/openssl/extconf.rb#L85
 }
 # added in 1.0.0
+have_func("ASN1_TIME_adj")
 have_func("EVP_CIPHER_CTX_copy")
 have_func("HMAC_CTX_copy")
 have_func("PKCS5_PBKDF2_HMAC")
Index: ext/openssl/ossl_asn1.c
===================================================================
--- ext/openssl/ossl_asn1.c (revision 55248)
+++ ext/openssl/ossl_asn1.c (revision 55249)
@@ -75,11 +75,28 @@ asn1time_to_time(ASN1_TIME *time) https://github.com/ruby/ruby/blob/trunk/ext/openssl/ossl_asn1.c#L75
 return rb_funcall2(rb_cTime, rb_intern("utc"), 6, argv);
 }
+#if defined(HAVE_ASN1_TIME_ADJ)
+void
+ossl_time_split(VALUE time, time_t *sec, int *days)
+{
+ VALUE num = rb_Integer(time);
+
+ if (FIXNUM_P(num)) {
+ *days = FIX2LONG(num) / 86400;
+ *sec = FIX2LONG(num) % 86400;
+ }
+ else {
+ *days = NUM2INT(rb_funcall(num, rb_intern("/"), 1, INT2FIX(86400)));
+ *sec = NUM2TIMET(rb_funcall(num, rb_intern("%"), 1, INT2FIX(86400)));
+ }
+}
+#else
 time_t
 time_to_time_t(VALUE time)
 {
 return (time_t)NUM2TIMET(rb_Integer(time));
 }
+#endif
 /*
 * STRING conversion
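Review bot: `have_func("ASN1_TIME_adj")` is the only probe, yet the C code guarded by `HAVE_ASN1_TIME_ADJ` in this commit also calls `ASN1_UTCTIME_adj()`, `ASN1_GENERALIZEDTIME_adj()` and `X509_time_adj_ex()`. They presumably arrived together in OpenSSL 1.0.0, but that assumption is not written down, and a library that ships only some of them would fail at compile time rather than fall back to the old path. A comment on the probe would do: `# also stands for ASN1_UTCTIME_adj, ASN1_GENERALIZEDTIME_adj and X509_time_adj_ex`.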
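Review bot: In the `FIXNUM_P` branch of `ossl_time_split()`, `*days = FIX2LONG(num) / 86400;` assigns a `long` quotient to an `int` with no range check, so where `long` is 64 bits a large enough Integer is silently truncated and the resulting certificate or CRL date is wrong instead of rejected. The bignum branch goes through `NUM2INT`, which raises on overflow; the fixnum branch should behave the same way, e.g. `*days = rb_long2int(FIX2LONG(num) / 86400);`. The two branches also differ for negative inputs (C division truncates toward zero, Ruby's `/` and `%` floor), so `*sec` can be negative only on the fixnum path. A one-line comment stating the intended range of `*sec` would make that visible.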
@@ -279,28 +296,42 @@ obj_to_asn1obj(VALUE obj) https://github.com/ruby/ruby/blob/trunk/ext/openssl/ossl_asn1.c#L296
 return a1obj;
 }
-static ASN1_UTCTIME*
+static ASN1_UTCTIME *
 obj_to_asn1utime(VALUE time)
 {
 time_t sec;
 ASN1_UTCTIME *t;
+#if defined(HAVE_ASN1_TIME_ADJ)
+ int off_days;
+
+ ossl_time_split(time, &sec, &off_days);
+ if (!(t = ASN1_UTCTIME_adj(NULL, sec, off_days, 0)))
+#else
 sec = time_to_time_t(time);
- if(!(t = ASN1_UTCTIME_set(NULL, sec)))
- ossl_raise(eASN1Error, NULL);
+ if (!(t = ASN1_UTCTIME_set(NULL, sec)))
+#endif
+ ossl_raise(eASN1Error, NULL);
 return t;
 }
-static ASN1_GENERALIZEDTIME*
+static ASN1_GENERALIZEDTIME *
 obj_to_asn1gtime(VALUE time)
 {
 time_t sec;
 ASN1_GENERALIZEDTIME *t;
+#if defined(HAVE_ASN1_TIME_ADJ)
+ int off_days;
+
+ ossl_time_split(time, &sec, &off_days);
+ if (!(t = ASN1_GENERALIZEDTIME_adj(NULL, sec, off_days, 0)))
+#else
 sec = time_to_time_t(time);
- if(!(t =ASN1_GENERALIZEDTIME_set(NULL, sec)))
- ossl_raise(eASN1Error, NULL);
+ if (!(t = ASN1_GENERALIZEDTIME_set(NULL, sec)))
+#endif
+ ossl_raise(eASN1Error, NULL);
 return t;
 }
Index: ext/openssl/ossl_x509.c
===================================================================
--- ext/openssl/ossl_x509.c (revision 55248)
+++ ext/openssl/ossl_x509.c (revision 55249)
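Review bot: In `obj_to_asn1utime()` and `obj_to_asn1gtime()` the `if` header sits inside `#if`/`#else` while its unbraced body `ossl_raise(eASN1Error, NULL);` sits after `#endif`, so the statement is well-formed only because both preprocessor branches happen to end in an `if`. Assigning in each branch and testing once afterwards is easier to audit: `t = ASN1_UTCTIME_adj(NULL, sec, off_days, 0);` in the first branch, `t = ASN1_UTCTIME_set(NULL, sec);` in the second, then `if (!t) ossl_raise(eASN1Error, NULL);` after `#endif`. The same applies to the GENERALIZEDTIME variant.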
@@ -15,6 +15,22 @@ VALUE mX509; https://github.com/ruby/ruby/blob/trunk/ext/openssl/ossl_x509.c#L15
 #define DefX509Default(x,i) \
 rb_define_const(mX509, "DEFAULT_" #x, rb_str_new2(X509_get_default_##i()))
+ASN1_TIME *
+ossl_x509_time_adjust(ASN1_TIME *s, VALUE time)
+{
+ time_t sec;
+
+#if defined(HAVE_ASN1_TIME_ADJ)
+ int off_days;
+
+ ossl_time_split(time, &sec, &off_days);
+ return X509_time_adj_ex(s, off_days, 0, &sec);
+#else
+ sec = time_to_time_t(time);
+ return X509_time_adj(s, 0, &sec);
+#endif
+}
+
 void
 Init_ossl_x509(void)
 {
Index: ext/openssl/ossl_asn1.h
===================================================================
--- ext/openssl/ossl_asn1.h (revision 55248)
+++ ext/openssl/ossl_asn1.h (revision 55249)
@@ -14,7 +14,15 @@ https://github.com/ruby/ruby/blob/trunk/ext/openssl/ossl_asn1.h#L14
 * ASN1_DATE conversions
 */
 VALUE asn1time_to_time(ASN1_TIME *);
+#if defined(HAVE_ASN1_TIME_ADJ)
+/* Splits VALUE to seconds and offset days. VALUE is typically a Time or an
+ * Integer. This is used when updating ASN1_*TIME with ASN1_TIME_adj() or
+ * X509_time_adj_ex(). We can't use ASN1_TIME_set() and X509_time_adj() because
+ * they have the Year 2038 issue on sizeof(time_t) == 4 environment */
+void ossl_time_split(VALUE, time_t *, int *);
+#else
 time_t time_to_time_t(VALUE);
+#endif
 /*
 * ASN1_STRING conversions
Index: ChangeLog
===================================================================
--- ChangeLog (revision 55248)
+++ ChangeLog (revision 55249)
@@ -1,3 +1,25 @@ https://github.com/ruby/ruby/blob/trunk/ChangeLog#L1
+Wed Jun 1 21:41:05 2016 Kazuki Yamaguchi <k@r...>
+
+ * ext/openssl/extconf.rb: Check existence of ASN1_TIME_adj(). The old
+ ASN1_TIME_set() is not Year 2038 ready on sizeof(time_t) == 4
+ environment. This function was added in OpenSSL 1.0.0.
+ [ruby-core:45552] [Bug #6571]
+
+ * ext/openssl/ossl_asn1.c (ossl_time_split): Added. Split the argument
+ (Time) into the number of days elapsed since the epoch and the
+ remainder seconds to conform to ASN1_TIME_adj().
+ (obj_to_asn1utime, obj_to_asn1gtime): Use ossl_time_split() and
+ ASN1_*TIME_adj().
+
+ * ext/openssl/ossl_asn1.h: Add the function prototype for
+ ossl_time_split().
+
+ * ext/openssl/ossl_x509.[ch]: Add ossl_x509_time_adjust(). Similarly to
+ obj_to_asn1*time(), use X509_time_adj_ex() instead of X509_time_adj().
+
+ * ext/openssl/ossl_x509cert.c, ext/openssl/ossl_x509crl.c,
+ ext/openssl/ossl_x509revoked.c: Use ossl_x509_time_adjust().
+
 Wed Jun 1 15:58:20 2016 Nobuyoshi Nakada <nobu@r...>
 * configure.in: revert r55237. replace crypt, not crypt_r, and
-- ML: ruby-changes@q... Info: http://www.atdot.net/~ko1/quickml/