


I was experimenting with OpenSSL's ability to create CRLs with
nextUpdate times after 2050 and I believe that I found a minor bug in
the function X509_time_adj_ex() in crypto/x509/x509_vfy.c.  (I
performed these experiments several months ago, so my memory may be a
bit rusty.)

If s->type is V_ASN1_UTCTIME then ASN1_UTCTIME_adj() is called.  This works fine as long as the adjusted time (s + offset_day + offset_sec) is before 2050.  However, if the adjusted time is after 2050 this does not work, since ASN1_UTCTIME_adj() will only return a time encoded in UTCTime and the adjusted date cannot be encoded in that format.

While I cannot guarantee that this is the correct solution, I was able to get things to work correctly by changing the code to call ASN1_TIME_adj instead of ASN1_UTCTIME_adj, since this function, given a time encoded as UTCTime as input, will return the adjusted time in UTCTime if it is before 2050 and in GeneralizedTime if the adjusted time is in 2050 or later.

David Cooper

Original (crypto/x509/x509_vfy.c):
ASN1_TIME *X509_time_adj_ex(ASN1_TIME *s,
                                int offset_day, long offset_sec, time_t *in_tm)
        {
        time_t t;
        int type = -1;

        if (in_tm) t = *in_tm;
        else time(&t);

        if (s) type = s->type;
        if (type == V_ASN1_UTCTIME)
                return ASN1_UTCTIME_adj(s,t, offset_day, offset_sec);              // <--------------------
        if (type == V_ASN1_GENERALIZEDTIME)
                return ASN1_GENERALIZEDTIME_adj(s, t, offset_day, offset_sec);
        return ASN1_TIME_adj(s, t, offset_day, offset_sec);
        }

Modified:
ASN1_TIME *X509_time_adj_ex(ASN1_TIME *s,
                                int offset_day, long offset_sec, time_t *in_tm)
        {
        time_t t;
        int type = -1;

        if (in_tm) t = *in_tm;
        else time(&t);

        if (s) type = s->type;
        if (type == V_ASN1_UTCTIME)
                return ASN1_TIME_adj(s,t, offset_day, offset_sec);              // <--------------------
        if (type == V_ASN1_GENERALIZEDTIME)
                return ASN1_GENERALIZEDTIME_adj(s, t, offset_day, offset_sec);
        return ASN1_TIME_adj(s, t, offset_day, offset_sec);
        }
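
The encoding choice described in the message above, as an added example that is not part of the original post and is not OpenSSL code: a self-contained model of adjusting a time and picking UTCTime or GeneralizedTime at the 2050 boundary. The names time_adj, civil_from_days and the utc_only flag are hypothetical, and the failure return for a UTCTime-only adjuster is an assumption of this model.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ASN.1 universal tag numbers for the two time types; 0 = cannot encode. */
enum { ENC_FAIL = 0, ENC_UTCTIME = 23, ENC_GENERALIZEDTIME = 24 };

/* Days since 1970-01-01 -> civil date, proleptic Gregorian calendar. */
static void civil_from_days(int64_t z, int *y, int *m, int *d)
{
    z += 719468;
    int64_t era = (z >= 0 ? z : z - 146096) / 146097;
    int64_t doe = z - era * 146097;
    int64_t yoe = (doe - doe / 1460 + doe / 36524 - doe / 146096) / 365;
    int64_t doy = doe - (365 * yoe + yoe / 4 - yoe / 100);
    int64_t mp = (5 * doy + 2) / 153;
    *d = (int)(doy - (153 * mp + 2) / 5 + 1);
    *m = (int)(mp < 10 ? mp + 3 : mp - 9);
    *y = (int)(yoe + era * 400 + (*m <= 2));
}

/* Hypothetical helper: adjust t (seconds since the epoch, UTC) and encode it.
 * utc_only = 1 models an adjuster that may only emit UTCTime. */
int time_adj(int64_t t, int offset_day, long offset_sec, int utc_only, char out[16])
{
    int y, mo, d;
    int64_t total = t + (int64_t)offset_day * 86400 + offset_sec;
    int64_t days = total / 86400, rem = total % 86400;
    if (rem < 0) { rem += 86400; days--; }
    civil_from_days(days, &y, &mo, &d);
    int h = (int)(rem / 3600), mi = (int)(rem % 3600 / 60), s = (int)(rem % 60);
    out[0] = '\0';
    if (y >= 1950 && y <= 2049) {          /* two-digit year is unambiguous */
        snprintf(out, 16, "%02d%02d%02d%02d%02d%02dZ", y % 100, mo, d, h, mi, s);
        return ENC_UTCTIME;
    }
    if (utc_only || y < 0 || y > 9999)     /* no UTCTime form, or out of range */
        return ENC_FAIL;
    snprintf(out, 16, "%04d%02d%02d%02d%02d%02dZ", y, mo, d, h, mi, s);
    return ENC_GENERALIZEDTIME;
}

int main(void)
{
    char buf[16];
    int64_t base = 2521929600;             /* constructed: 2049-12-01 00:00:00 UTC */
    printf("%d %s\n", time_adj(base, 30, 86399, 1, buf), buf);
    printf("%d %s\n", time_adj(base, 31, 0, 1, buf), buf);
    printf("%d %s\n", time_adj(base, 31, 0, 0, buf), buf);
    return 0;
}
```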
