Merge branch 'tmp-32-bit-time_t' into 'master'

tests: verify that certtool will fail with a 32-bit time_t

Closes #370

See merge request gnutls/gnutls!691

9 files changed, 187 insertions, 20 deletions

diff --git a/bootstrap.conf b/bootstrap.conf
index b67a531aa7..836f1a6f8a 100644
--- a/bootstrap.conf
+++ b/bootstrap.conf
@@ -35,7 +35,7 @@ unictype/category-all unictype/property-default-ignorable-code-point unictype/pr
 "
 
 src_modules="
-accept bind close connect getaddrinfo getpass gettext-h inet_ntop inet_pton listen minmax parse-datetime progname read-file recv recvfrom select send sendto servent setsockopt shutdown socket sockets socklen
+accept bind close connect getaddrinfo getpass gettext-h inet_ntop inet_pton listen minmax parse-datetime progname read-file recv recvfrom select send sendto servent setsockopt shutdown socket sockets socklen inttypes
 "
 
 # Build prerequisites
diff --git a/configure.ac b/configure.ac
index 548abbeebd..c328ff7213 100644
--- a/configure.ac
+++ b/configure.ac
@@ -739,9 +739,10 @@ AC_CHECK_TYPE(ssize_t,
 # For minitasn1.
 AC_CHECK_SIZEOF(unsigned long int, 4)
 AC_CHECK_SIZEOF(unsigned int, 4)
+AC_CHECK_SIZEOF(time_t, 4)
 
 # export for use in scripts
-AC_SUBST(ac_cv_sizeof_unsigned_long_int)
+AC_SUBST(ac_cv_sizeof_time_t)
 
 AC_SUBST(GNUTLS_REQUIRES_PRIVATE)
 
diff --git a/src/certtool-cfg.c b/src/certtool-cfg.c
index b4894e63a6..f13dabfa82 100644
--- a/src/certtool-cfg.c
+++ b/src/certtool-cfg.c
@@ -31,7 +31,6 @@
 #include <gnutls/x509-ext.h>
 #include <string.h>
 #include <limits.h>
-#include <inttypes.h>
 #include <time.h>
 #include <timespec.h>
 #include <parse-datetime.h>
@@ -57,10 +56,8 @@
 #include "certtool-common.h"
 
 /* to print uint64_t */
-#if SIZEOF_LONG < 8
 # define __STDC_FORMAT_MACROS
 # include <inttypes.h>
-#endif
 
 extern int batch;
 extern int ask_pass;
@@ -68,6 +65,10 @@ extern int ask_pass;
 #define MAX_ENTRIES 128
 #define MAX_POLICIES 8
 
+#define PRINT_TIME_T_ERROR \
+	if (sizeof(time_t) < 8) \
+		fprintf(stderr, "This system expresses time with a 32-bit time_t; that prevents dates after 2038 to be expressed by GnuTLS.\n")
+
 enum option_types { OPTION_NUMERIC, OPTION_STRING, OPTION_BOOLEAN, OPTION_MULTI_LINE };
 
 struct cfg_options {
@@ -747,7 +748,7 @@ int serial_decode(const char *input, gnutls_datum_t *output)
 	}
 
 	if (value <= 0 || value >= value_limit) {
-		fprintf(stderr, "Integer out of range: `%s' (min: 1, max: %lu)\n", input, value_limit-1);
+		fprintf(stderr, "Integer out of range: `%s' (min: 1, max: %"PRId64")\n", input, value_limit-1);
 		return GNUTLS_E_PARSING_ERROR;
 	}
 
@@ -1693,6 +1694,7 @@ time_t get_date(const char* date)
 	struct timespec r;
 
 	if (date==NULL || parse_datetime(&r, date, NULL) == 0) {
+		PRINT_TIME_T_ERROR;
 		fprintf(stderr, "Cannot parse date: %s\n", date);
 		exit(1);
 	}
@@ -1754,6 +1756,7 @@ time_t now = time(NULL);
 
 	return secs;
  overflow:
+	PRINT_TIME_T_ERROR;
 	fprintf(stderr, "Overflow while parsing days\n");
 	exit(1);
 }
diff --git a/tests/cert-tests/Makefile.am b/tests/cert-tests/Makefile.am
index ff38b23bc4..52090d427c 100644
--- a/tests/cert-tests/Makefile.am
+++ b/tests/cert-tests/Makefile.am
@@ -44,6 +44,7 @@ EXTRA_DIST = data/ca-no-pathlen.pem data/no-ca-or-pathlen.pem data/aki-cert.pem
 	data/template-rsa-sha3-256.pem data/template-rsa-sha3-512.pem data/template-rsa-sha3-224.pem \
 	data/template-rsa-sha3-384.pem data/long-oids.pem \
 	data/name-constraints-ip2.pem data/chain-md5.pem \
+	templates/template-dates-after2038.tmpl data/template-dates-after2038.pem \
 	data/gost-cert.pem data/gost-cert-nogost.pem data/gost94-cert.pem \
 	templates/template-tlsfeature.tmpl data/userid.pem data/cert-with-crl.p12 \
 	data/template-tlsfeature.pem data/template-tlsfeature.csr \
@@ -138,7 +139,7 @@ TESTS_ENVIRONMENT = EXEEXT=$(EXEEXT) \
 	VALGRIND="$(VALGRIND)"			\
 	LIBTOOL="$(LIBTOOL)"			\
 	top_builddir="$(top_builddir)"		\
-	ac_cv_sizeof_unsigned_long_int="$(ac_cv_sizeof_unsigned_long_int)" \
+	ac_cv_sizeof_time_t="$(ac_cv_sizeof_time_t)" \
 	ASAN_OPTIONS="detect_leaks=0:exitcode=6" \
 	srcdir="$(srcdir)"
 
diff --git a/tests/cert-tests/crl b/tests/cert-tests/crl
index b7febc3bb2..f82bb0196c 100755
--- a/tests/cert-tests/crl
+++ b/tests/cert-tests/crl
@@ -25,7 +25,7 @@ export TZ="UTC"
 srcdir="${srcdir:-.}"
 CERTTOOL="${CERTTOOL:-../../src/certtool${EXEEXT}}"
 DIFF="${DIFF:-diff}"
-ac_cv_sizeof_unsigned_long_int="${ac_cv_sizeof_unsigned_long_int:-8}"
+ac_cv_sizeof_time_t="${ac_cv_sizeof_time_t:-8}"
 
 if ! test -x "${CERTTOOL}"; then
 	exit 77
@@ -179,7 +179,7 @@ if test "$?" != "0"; then
 	exit 1
 fi
 
-if test "${ac_cv_sizeof_unsigned_long_int}" = 8;then
+if test "${ac_cv_sizeof_time_t}" = 8;then
 	# we should test that on systems which have 64-bit time_t
 	datefudge -s "2138-01-20 10:00:00" ${VALGRIND} \
 		"${CERTTOOL}" --generate-crl --load-ca-privkey "${srcdir}/data/template-test.key" \
diff --git a/tests/cert-tests/data/template-dates-after2038.pem b/tests/cert-tests/data/template-dates-after2038.pem
new file mode 100644
index 0000000000..865ddc901a
--- /dev/null
+++ b/tests/cert-tests/data/template-dates-after2038.pem
@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIID3jCCA0egAwIBAgIBBzANBgkqhkiG9w0BAQsFADCBuDEVMBMGA1UEAxMMQ2lu
+ZHkgTGF1cGVyMRcwFQYKCZImiZPyLGQBARMHY2xhdXBlcjEXMBUGA1UECxMOc2xl
+ZXBpbmcgZGVwdC4xEjAQBgNVBAoTCUtva28gaW5jLjEPMA0GA1UECBMGQXR0aWtp
+MQswCQYDVQQGEwJHUjEMMAoGA1UEDBMDRHIuMQ8wDQYDVQRBEwZqYWNrYWwxHDAa
+BgkqhkiG9w0BCQEWDW5vbmVAbm9uZS5vcmcwHhcNMzkwMTEyMTEzNjExWhcNNDMw
+NTI0MTQyOTEyWjCBuDEVMBMGA1UEAxMMQ2luZHkgTGF1cGVyMRcwFQYKCZImiZPy
+LGQBARMHY2xhdXBlcjEXMBUGA1UECxMOc2xlZXBpbmcgZGVwdC4xEjAQBgNVBAoT
+CUtva28gaW5jLjEPMA0GA1UECBMGQXR0aWtpMQswCQYDVQQGEwJHUjEMMAoGA1UE
+DBMDRHIuMQ8wDQYDVQRBEwZqYWNrYWwxHDAaBgkqhkiG9w0BCQEWDW5vbmVAbm9u
+ZS5vcmcwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAKXGznVDhL9kngInE/ED
+Wfd5LZLtfC9QpAPxLXm5hosFfjq7RKqvhM8TmB4cSjj3My16n3LUa20msDE3cBD7
+QunYnRhlfhlJ/AWWBGiDHneGv+315RI7E/4zGJwaeh1pr0cCYHofuejP28g0MFGW
+PYyWXAC8Yd4ID7E2IX+pAOMFAgMBAAGjgfUwgfIwDwYDVR0TAQH/BAUwAwEB/zBq
+BgNVHREEYzBhggx3d3cubm9uZS5vcmeCE3d3dy5tb3JldGhhbm9uZS5vcmeCF3d3
+dy5ldmVubW9yZXRoYW5vbmUub3JnhwTAqAEBgQ1ub25lQG5vbmUub3JngQ53aGVy
+ZUBub25lLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDCTAPBgNVHQ8BAf8EBQMDBwQA
+MB0GA1UdDgQWBBRdQK3wzpRAlYt+mZQdklQiynI2XzAuBgNVHR8EJzAlMCOgIaAf
+hh1odHRwOi8vd3d3LmdldGNybC5jcmwvZ2V0Y3JsLzANBgkqhkiG9w0BAQsFAAOB
+gQCTELknONiixbQdjpBVaelZZfymC4ixUfw/IqeWMK7bYoPWi3JQyY8McQOtijna
+RZwSVga9nthtBhHYjxuW3w8kPYQCoyK3ugw7aI8WYmlGeEAT+BiVualE3ZMm7Lf0
+CwmtHA8I0CHKEzfsMCN3wu9EJ3C+9nq5qRtm2lfQSbSsvw==
+-----END CERTIFICATE-----
diff --git a/tests/cert-tests/template-test b/tests/cert-tests/template-test
index 3d32b78c90..fe954e528a 100755
--- a/tests/cert-tests/template-test
+++ b/tests/cert-tests/template-test
@@ -21,7 +21,7 @@
 #set -e
 
 srcdir="${srcdir:-.}"
-ac_cv_sizeof_unsigned_long_int="${ac_cv_sizeof_unsigned_long_int:-8}"
+ac_cv_sizeof_time_t="${ac_cv_sizeof_time_t:-8}"
 CERTTOOL="${CERTTOOL:-../../src/certtool${EXEEXT}}"
 DIFF="${DIFF:-diff}"
 
@@ -36,6 +36,8 @@ TMPFILE=tmp-tt.pem.$$.tmp
 
 check_for_datefudge
 
+echo "Running test for ${ac_cv_sizeof_time_t}-byte time_t"
+
 # Note that in rare cases this test may fail because the
 # time set using datefudge could have changed since the generation
 # (if example the system was busy)
@@ -123,7 +125,6 @@ fi
 rm -f ${TMPFILE}
 
 # The following test works in 64-bit systems
-if test "${ac_cv_sizeof_unsigned_long_int}" = 8;then
 
 datefudge -s "2007-04-22" \
 	"${CERTTOOL}" --generate-self-signed \
@@ -131,17 +132,30 @@ datefudge -s "2007-04-22" \
 		--template "${srcdir}/templates/template-overflow2.tmpl" \
 		--outfile ${TMPFILE} 2>/dev/null
 
-${DIFF} "${srcdir}/data/template-overflow2.pem" ${TMPFILE} >/dev/null 2>&1
 rc=$?
+if test "${ac_cv_sizeof_time_t}" -lt 8;then
+	if test "$rc" = "0"; then
+		echo "Test 5-1 (overflow2) succeeded unexpectedly with 32-bit time_t"
+		exit ${rc}
+	fi
+else
+	if test "$rc" != "0"; then
+		echo "Test 5-1 (overflow2) failed"
+		exit ${rc}
+	fi
 
-# We're done.
-if test "${rc}" != "0"; then
-	echo "Test 5 (overflow2) failed"
-	exit ${rc}
-fi
+	${DIFF} "${srcdir}/data/template-overflow2.pem" ${TMPFILE} #>/dev/null 2>&1
+	rc=$?
+
+	# We're done.
+	if test "${rc}" != "0"; then
+	echo $TMPFILE
+		echo "Test 5-2 (overflow2) failed"
+		exit ${rc}
+	fi
 
-rm -f ${TMPFILE}
 fi
+rm -f ${TMPFILE}
 
 datefudge -s "2007-04-22" \
 	"${CERTTOOL}" --generate-self-signed \
@@ -160,6 +174,34 @@ fi
 
 rm -f ${TMPFILE}
 
+datefudge -s "2007-04-22" \
+	"${CERTTOOL}" --generate-self-signed \
+		--load-privkey "${srcdir}/data/template-test.key" \
+		--template "${srcdir}/templates/template-dates-after2038.tmpl" \
+		--outfile ${TMPFILE} 2>/dev/null
+rc=$?
+if test "${ac_cv_sizeof_time_t}" -lt 8;then
+	if test "$rc" = "0"; then
+		echo "Test 6-2 (explicit dates) succeeded unexpectedly with 32-bit long"
+		exit ${rc}
+	fi
+else
+	if test "$rc" != "0"; then
+		echo "Test 6-2 (explicit dates) failed"
+		exit ${rc}
+	fi
+
+	${DIFF} "${srcdir}/data/template-dates-after2038.pem" ${TMPFILE} >/dev/null 2>&1
+	rc=$?
+
+	if test "${rc}" != "0"; then
+		echo "Test 6-3 (explicit dates) failed"
+		exit ${rc}
+	fi
+fi
+
+rm -f ${TMPFILE}
+
 # Test name constraints generation
 
 datefudge -s "2007-04-22" \
@@ -181,7 +223,7 @@ rm -f ${TMPFILE}
 
 
 # Test the GeneralizedTime support
-if test "${ac_cv_sizeof_unsigned_long_int}" = 8;then
+if test "${ac_cv_sizeof_time_t}" = 8;then
 	# we should test that on systems which have 64-bit time_t.
 	datefudge -s "2051-04-22" \
 			"${CERTTOOL}" --generate-self-signed \
diff --git a/tests/cert-tests/templates/template-dates-after2038.tmpl b/tests/cert-tests/templates/template-dates-after2038.tmpl
new file mode 100644
index 0000000000..cb173875a3
--- /dev/null
+++ b/tests/cert-tests/templates/template-dates-after2038.tmpl
@@ -0,0 +1,97 @@
+# X.509 Certificate options
+#
+# DN options
+
+# The organization of the subject.
+organization = "Koko inc."
+
+# The organizational unit of the subject.
+unit = "sleeping dept."
+
+# The locality of the subject.
+# locality =
+
+# The state of the certificate owner.
+state = "Attiki"
+
+# The country of the subject. Two letter code.
+country = GR
+
+# The common name of the certificate owner.
+cn = "Cindy Lauper"
+
+# A user id of the certificate owner.
+uid = "clauper"
+
+# If the supported DN OIDs are not adequate you can set
+# any OID here.
+# For example set the X.520 Title and the X.520 Pseudonym
+# by using OID and string pairs.
+dn_oid = 2.5.4.12 Dr.
+dn_oid = 2.5.4.65 jackal
+
+# This is deprecated and should not be used in new
+# certificates.
+pkcs9_email = "none@none.org"
+
+# The serial number of the certificate
+serial = 7
+
+expiration_date = 2043-05-24 14:29:12
+activation_date = 2039-01-12 11:36:11
+
+# X.509 v3 extensions
+
+# A dnsname in case of a WWW server.
+dns_name = "www.none.org"
+dns_name = "www.morethanone.org"
+
+# An IP address in case of a server.
+ip_address = "192.168.1.1"
+
+dns_name = "www.evenmorethanone.org"
+
+# An email in case of a person
+email = "none@none.org"
+
+# An URL that has CRLs (certificate revocation lists)
+# available. Needed in CA certificates.
+crl_dist_points = "http://www.getcrl.crl/getcrl/"
+
+email = "where@none.org"
+
+# Whether this is a CA certificate or not
+ca
+
+# Whether this certificate will be used for a TLS client
+#tls_www_client
+
+# Whether this certificate will be used for a TLS server
+#tls_www_server
+
+# Whether this certificate will be used to sign data (needed
+# in TLS DHE ciphersuites).
+signing_key
+
+# Whether this certificate will be used to encrypt data (needed
+# in TLS RSA ciphersuites). Note that it is preferred to use different
+# keys for encryption and signing.
+#encryption_key
+
+# Whether this key will be used to sign other certificates.
+cert_signing_key
+
+# Whether this key will be used to sign CRLs.
+#crl_signing_key
+
+# Whether this key will be used to sign code.
+#code_signing_key
+
+# Whether this key will be used to sign OCSP data.
+ocsp_signing_key
+
+# Whether this key will be used for time stamping.
+#time_stamping_key
+
+# Whether this key will be used for IPsec IKE operations.
+#ipsec_ike_key
diff --git a/tests/scripts/common.sh b/tests/scripts/common.sh
index 35ac52e5a6..10c25738dd 100644
--- a/tests/scripts/common.sh
+++ b/tests/scripts/common.sh
@@ -69,7 +69,7 @@ GETPORT='rc=0; myrandom=$(date +%N | sed s/^0*//)
 check_for_datefudge() {
 	# On certain platforms running datefudge date fails (e.g., x86 datefudge
 	# with x86-64 date app).
-	if test ${SKIP_DATEFUDGE_CHECK} = 1;then
+	if test "${SKIP_DATEFUDGE_CHECK}" = 1;then
 		return
 	fi