openssl: fix the Year 2038 problem

r55219 didn't fix the entire issue. It only fixed the issue on
environment with sizeof(time_t) == 8 && sizeof(long) == 4.

* ext/openssl/extconf.rb: Check existence of ASN1_TIME_adj(). The old
  ASN1_TIME_set() is not Year 2038 ready on sizeof(time_t) == 4
  environment. This function was added in OpenSSL 1.0.0.
  [ruby-core:45552] [Bug #6571]

* ext/openssl/ossl_asn1.c (ossl_time_split): Added. Split the argument
  (Time) into the number of days elapsed since the epoch and the
  remainder seconds to conform to ASN1_TIME_adj().
  (obj_to_asn1utime, obj_to_asn1gtime): Use ossl_time_split() and
  ASN1_*TIME_adj().

* ext/openssl/ossl_asn1.h: Add the function prototype for
  ossl_time_split().

* ext/openssl/ossl_x509.[ch]: Add ossl_x509_time_adjust(). Similarly to
  obj_to_asn1*time(), use X509_time_adj_ex() instead of X509_time_adj().

* ext/openssl/ossl_x509cert.c, ext/openssl/ossl_x509crl.c,
  ext/openssl/ossl_x509revoked.c: Use ossl_x509_time_adjust().

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55249 b2dd03c8-39d4-4d8f-98ff-823fe69b080e

ChangeLog

@@ -1,3 +1,25 @@
+Wed Jun  1 21:41:05 2016  Kazuki Yamaguchi  <k@rhe.jp>
+
+	* ext/openssl/extconf.rb: Check existence of ASN1_TIME_adj(). The old
+	  ASN1_TIME_set() is not Year 2038 ready on sizeof(time_t) == 4
+	  environment. This function was added in OpenSSL 1.0.0.
+	  [ruby-core:45552] [Bug #6571]
+
+	* ext/openssl/ossl_asn1.c (ossl_time_split): Added. Split the argument
+	  (Time) into the number of days elapsed since the epoch and the
+	  remainder seconds to conform to ASN1_TIME_adj().
+	  (obj_to_asn1utime, obj_to_asn1gtime): Use ossl_time_split() and
+	  ASN1_*TIME_adj().
+
+	* ext/openssl/ossl_asn1.h: Add the function prototype for
+	  ossl_time_split().
+
+	* ext/openssl/ossl_x509.[ch]: Add ossl_x509_time_adjust(). Similarly to
+	  obj_to_asn1*time(), use X509_time_adj_ex() instead of X509_time_adj().
+
+	* ext/openssl/ossl_x509cert.c, ext/openssl/ossl_x509crl.c,
+	  ext/openssl/ossl_x509revoked.c: Use ossl_x509_time_adjust().
+
 Wed Jun  1 15:58:20 2016  Nobuyoshi Nakada  <nobu@ruby-lang.org>
 
 	* configure.in: revert r55237.  replace crypt, not crypt_r, and

ext/openssl/extconf.rb

@@ -85,6 +85,7 @@ engines.each { |name|
 }
 
 # added in 1.0.0
+have_func("ASN1_TIME_adj")
 have_func("EVP_CIPHER_CTX_copy")
 have_func("HMAC_CTX_copy")
 have_func("PKCS5_PBKDF2_HMAC")

ext/openssl/ossl_asn1.c

@@ -75,11 +75,28 @@ asn1time_to_time(ASN1_TIME *time)
     return rb_funcall2(rb_cTime, rb_intern("utc"), 6, argv);
 }
 
+#if defined(HAVE_ASN1_TIME_ADJ)
+void
+ossl_time_split(VALUE time, time_t *sec, int *days)
+{
+    VALUE num = rb_Integer(time);
+
+    if (FIXNUM_P(num)) {
+	*days = FIX2LONG(num) / 86400;
+	*sec = FIX2LONG(num) % 86400;
+    }
+    else {
+	*days = NUM2INT(rb_funcall(num, rb_intern("/"), 1, INT2FIX(86400)));
+	*sec = NUM2TIMET(rb_funcall(num, rb_intern("%"), 1, INT2FIX(86400)));
+    }
+}
+#else
 time_t
 time_to_time_t(VALUE time)
 {
     return (time_t)NUM2TIMET(rb_Integer(time));
 }
+#endif
 
 /*
  * STRING conversion
@@ -279,27 +296,41 @@ obj_to_asn1obj(VALUE obj)
     return a1obj;
 }
 
-static ASN1_UTCTIME*
+static ASN1_UTCTIME *
 obj_to_asn1utime(VALUE time)
 {
     time_t sec;
     ASN1_UTCTIME *t;
 
+#if defined(HAVE_ASN1_TIME_ADJ)
+    int off_days;
+
+    ossl_time_split(time, &sec, &off_days);
+    if (!(t = ASN1_UTCTIME_adj(NULL, sec, off_days, 0)))
+#else
     sec = time_to_time_t(time);
-    if(!(t = ASN1_UTCTIME_set(NULL, sec)))
+    if (!(t = ASN1_UTCTIME_set(NULL, sec)))
+#endif
 	ossl_raise(eASN1Error, NULL);
 
     return t;
 }
 
-static ASN1_GENERALIZEDTIME*
+static ASN1_GENERALIZEDTIME *
 obj_to_asn1gtime(VALUE time)
 {
     time_t sec;
     ASN1_GENERALIZEDTIME *t;
 
+#if defined(HAVE_ASN1_TIME_ADJ)
+    int off_days;
+
+    ossl_time_split(time, &sec, &off_days);
+    if (!(t = ASN1_GENERALIZEDTIME_adj(NULL, sec, off_days, 0)))
+#else
     sec = time_to_time_t(time);
-    if(!(t =ASN1_GENERALIZEDTIME_set(NULL, sec)))
+    if (!(t = ASN1_GENERALIZEDTIME_set(NULL, sec)))
+#endif
 	ossl_raise(eASN1Error, NULL);
 
     return t;

ext/openssl/ossl_asn1.h

@@ -14,7 +14,15 @@
  * ASN1_DATE conversions
  */
 VALUE asn1time_to_time(ASN1_TIME *);
+#if defined(HAVE_ASN1_TIME_ADJ)
+/* Splits VALUE to seconds and offset days. VALUE is typically a Time or an
+ * Integer. This is used when updating ASN1_*TIME with ASN1_TIME_adj() or
+ * X509_time_adj_ex(). We can't use ASN1_TIME_set() and X509_time_adj() because
+ * they have the Year 2038 issue on sizeof(time_t) == 4 environment */
+void ossl_time_split(VALUE, time_t *, int *);
+#else
 time_t time_to_time_t(VALUE);
+#endif
 
 /*
  * ASN1_STRING conversions

ext/openssl/ossl_x509.c

@@ -15,6 +15,22 @@ VALUE mX509;
 #define DefX509Default(x,i) \
   rb_define_const(mX509, "DEFAULT_" #x, rb_str_new2(X509_get_default_##i()))
 
+ASN1_TIME *
+ossl_x509_time_adjust(ASN1_TIME *s, VALUE time)
+{
+    time_t sec;
+
+#if defined(HAVE_ASN1_TIME_ADJ)
+    int off_days;
+
+    ossl_time_split(time, &sec, &off_days);
+    return X509_time_adj_ex(s, off_days, 0, &sec);
+#else
+    sec = time_to_time_t(time);
+    return X509_time_adj(s, 0, &sec);
+#endif
+}
+
 void
 Init_ossl_x509(void)
 {

ext/openssl/ossl_x509.h

@@ -15,6 +15,13 @@
  */
 extern VALUE mX509;
 
+/*
+ * Converts the VALUE into Integer and set it to the ASN1_TIME. This is a
+ * wrapper for X509_time_adj_ex() so passing NULL creates a new ASN1_TIME.
+ * Note that the caller must check the NULL return.
+ */
+ASN1_TIME *ossl_x509_time_adjust(ASN1_TIME *, VALUE);
+
 void Init_ossl_x509(void);
 
 /*

ext/openssl/ossl_x509cert.c

@@ -476,13 +476,10 @@ static VALUE
 ossl_x509_set_not_before(VALUE self, VALUE time)
 {
     X509 *x509;
-    time_t sec;
 
-    sec = time_to_time_t(time);
     GetX509(self, x509);
-    if (!X509_time_adj(X509_get_notBefore(x509), 0, &sec)) {
+    if (!ossl_x509_time_adjust(X509_get_notBefore(x509), time))
 	ossl_raise(eX509CertError, NULL);
-    }
 
     return time;
 }
@@ -513,13 +510,10 @@ static VALUE
 ossl_x509_set_not_after(VALUE self, VALUE time)
 {
     X509 *x509;
-    time_t sec;
 
-    sec = time_to_time_t(time);
     GetX509(self, x509);
-    if (!X509_time_adj(X509_get_notAfter(x509), 0, &sec)) {
+    if (!ossl_x509_time_adjust(X509_get_notAfter(x509), time))
 	ossl_raise(eX509CertError, NULL);
-    }
 
     return time;
 }

ext/openssl/ossl_x509crl.c

@@ -235,13 +235,10 @@ static VALUE
 ossl_x509crl_set_last_update(VALUE self, VALUE time)
 {
     X509_CRL *crl;
-    time_t sec;
 
-    sec = time_to_time_t(time);
     GetX509CRL(self, crl);
-    if (!X509_time_adj(crl->crl->lastUpdate, 0, &sec)) {
+    if (!ossl_x509_time_adjust(crl->crl->lastUpdate, time))
 	ossl_raise(eX509CRLError, NULL);
-    }
 
     return time;
 }
@@ -260,14 +257,11 @@ static VALUE
 ossl_x509crl_set_next_update(VALUE self, VALUE time)
 {
     X509_CRL *crl;
-    time_t sec;
 
-    sec = time_to_time_t(time);
     GetX509CRL(self, crl);
-    /* This must be some thinko in OpenSSL */
+    /* crl->crl->nextUpdate may be NULL at this time */
-    if (!(crl->crl->nextUpdate = X509_time_adj(crl->crl->nextUpdate, 0, &sec))){
+    if (!(crl->crl->nextUpdate = ossl_x509_time_adjust(crl->crl->nextUpdate, time)))
 	ossl_raise(eX509CRLError, NULL);
-    }
 
     return time;
 }

ext/openssl/ossl_x509revoked.c

@@ -144,13 +144,10 @@ static VALUE
 ossl_x509revoked_set_time(VALUE self, VALUE time)
 {
     X509_REVOKED *rev;
-    time_t sec;
 
-    sec = time_to_time_t(time);
     GetX509Rev(self, rev);
-    if (!X509_time_adj(rev->revocationDate, 0, &sec)) {
+    if (!ossl_x509_time_adjust(rev->revocationDate, time))
 	ossl_raise(eX509RevError, NULL);
-    }
 
     return time;
 }