diff options
author | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2018-07-02 12:09:57 +0000 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2018-07-02 12:09:57 +0000 |
commit | a859466401cd8afb5a3c4963102108e8aa387c99 (patch) | |
tree | cf04352ac5b2fff485b8ebe53fdae51252690496 | |
parent | b001f2722c9d8a48db618881cc83ed7544bd4743 (diff) | |
parent | c19ee607b45830dd142022fff4d42ba7d0ee02e0 (diff) | |
download | gnutls-a859466401cd8afb5a3c4963102108e8aa387c99.tar.gz |
Merge branch 'tmp-32-bit-time_t' into 'master'
tests: verify that certtool will fail with a 32-bit time_t
Closes #370
See merge request gnutls/gnutls!691
-rw-r--r-- | bootstrap.conf | 2 | ||||
-rw-r--r-- | configure.ac | 3 | ||||
-rw-r--r-- | src/certtool-cfg.c | 11 | ||||
-rw-r--r-- | tests/cert-tests/Makefile.am | 3 | ||||
-rwxr-xr-x | tests/cert-tests/crl | 4 | ||||
-rw-r--r-- | tests/cert-tests/data/template-dates-after2038.pem | 23 | ||||
-rwxr-xr-x | tests/cert-tests/template-test | 62 | ||||
-rw-r--r-- | tests/cert-tests/templates/template-dates-after2038.tmpl | 97 | ||||
-rw-r--r-- | tests/scripts/common.sh | 2 |
9 files changed, 187 insertions, 20 deletions
diff --git a/bootstrap.conf b/bootstrap.conf index b67a531aa7..836f1a6f8a 100644 --- a/bootstrap.conf +++ b/bootstrap.conf @@ -35,7 +35,7 @@ unictype/category-all unictype/property-default-ignorable-code-point unictype/pr " src_modules=" -accept bind close connect getaddrinfo getpass gettext-h inet_ntop inet_pton listen minmax parse-datetime progname read-file recv recvfrom select send sendto servent setsockopt shutdown socket sockets socklen +accept bind close connect getaddrinfo getpass gettext-h inet_ntop inet_pton listen minmax parse-datetime progname read-file recv recvfrom select send sendto servent setsockopt shutdown socket sockets socklen inttypes " # Build prerequisites diff --git a/configure.ac b/configure.ac index 548abbeebd..c328ff7213 100644 --- a/configure.ac +++ b/configure.ac @@ -739,9 +739,10 @@ AC_CHECK_TYPE(ssize_t, # For minitasn1. AC_CHECK_SIZEOF(unsigned long int, 4) AC_CHECK_SIZEOF(unsigned int, 4) +AC_CHECK_SIZEOF(time_t, 4) # export for use in scripts -AC_SUBST(ac_cv_sizeof_unsigned_long_int) +AC_SUBST(ac_cv_sizeof_time_t) AC_SUBST(GNUTLS_REQUIRES_PRIVATE) diff --git a/src/certtool-cfg.c b/src/certtool-cfg.c index b4894e63a6..f13dabfa82 100644 --- a/src/certtool-cfg.c +++ b/src/certtool-cfg.c @@ -31,7 +31,6 @@ #include <gnutls/x509-ext.h> #include <string.h> #include <limits.h> -#include <inttypes.h> #include <time.h> #include <timespec.h> #include <parse-datetime.h> @@ -57,10 +56,8 @@ #include "certtool-common.h" /* to print uint64_t */ -#if SIZEOF_LONG < 8 # define __STDC_FORMAT_MACROS # include <inttypes.h> -#endif extern int batch; extern int ask_pass; @@ -68,6 +65,10 @@ extern int ask_pass; #define MAX_ENTRIES 128 #define MAX_POLICIES 8 +#define PRINT_TIME_T_ERROR \ + if (sizeof(time_t) < 8) \ + fprintf(stderr, "This system expresses time with a 32-bit time_t; that prevents dates after 2038 to be expressed by GnuTLS.\n") + enum option_types { OPTION_NUMERIC, OPTION_STRING, OPTION_BOOLEAN, OPTION_MULTI_LINE }; struct cfg_options { @@ -747,7 +748,7 @@ int serial_decode(const char *input, gnutls_datum_t *output) } if (value <= 0 || value >= value_limit) { - fprintf(stderr, "Integer out of range: `%s' (min: 1, max: %lu)\n", input, value_limit-1); + fprintf(stderr, "Integer out of range: `%s' (min: 1, max: %"PRId64")\n", input, value_limit-1); return GNUTLS_E_PARSING_ERROR; } @@ -1693,6 +1694,7 @@ time_t get_date(const char* date) struct timespec r; if (date==NULL || parse_datetime(&r, date, NULL) == 0) { + PRINT_TIME_T_ERROR; fprintf(stderr, "Cannot parse date: %s\n", date); exit(1); } @@ -1754,6 +1756,7 @@ time_t now = time(NULL); return secs; overflow: + PRINT_TIME_T_ERROR; fprintf(stderr, "Overflow while parsing days\n"); exit(1); } diff --git a/tests/cert-tests/Makefile.am b/tests/cert-tests/Makefile.am index ff38b23bc4..52090d427c 100644 --- a/tests/cert-tests/Makefile.am +++ b/tests/cert-tests/Makefile.am @@ -44,6 +44,7 @@ EXTRA_DIST = data/ca-no-pathlen.pem data/no-ca-or-pathlen.pem data/aki-cert.pem data/template-rsa-sha3-256.pem data/template-rsa-sha3-512.pem data/template-rsa-sha3-224.pem \ data/template-rsa-sha3-384.pem data/long-oids.pem \ data/name-constraints-ip2.pem data/chain-md5.pem \ + templates/template-dates-after2038.tmpl data/template-dates-after2038.pem \ data/gost-cert.pem data/gost-cert-nogost.pem data/gost94-cert.pem \ templates/template-tlsfeature.tmpl data/userid.pem data/cert-with-crl.p12 \ data/template-tlsfeature.pem data/template-tlsfeature.csr \ @@ -138,7 +139,7 @@ TESTS_ENVIRONMENT = EXEEXT=$(EXEEXT) \ VALGRIND="$(VALGRIND)" \ LIBTOOL="$(LIBTOOL)" \ top_builddir="$(top_builddir)" \ - ac_cv_sizeof_unsigned_long_int="$(ac_cv_sizeof_unsigned_long_int)" \ + ac_cv_sizeof_time_t="$(ac_cv_sizeof_time_t)" \ ASAN_OPTIONS="detect_leaks=0:exitcode=6" \ srcdir="$(srcdir)" diff --git a/tests/cert-tests/crl b/tests/cert-tests/crl index b7febc3bb2..f82bb0196c 100755 --- a/tests/cert-tests/crl +++ b/tests/cert-tests/crl @@ -25,7 +25,7 @@ export TZ="UTC" srcdir="${srcdir:-.}" CERTTOOL="${CERTTOOL:-../../src/certtool${EXEEXT}}" DIFF="${DIFF:-diff}" -ac_cv_sizeof_unsigned_long_int="${ac_cv_sizeof_unsigned_long_int:-8}" +ac_cv_sizeof_time_t="${ac_cv_sizeof_time_t:-8}" if ! test -x "${CERTTOOL}"; then exit 77 @@ -179,7 +179,7 @@ if test "$?" != "0"; then exit 1 fi -if test "${ac_cv_sizeof_unsigned_long_int}" = 8;then +if test "${ac_cv_sizeof_time_t}" = 8;then # we should test that on systems which have 64-bit time_t datefudge -s "2138-01-20 10:00:00" ${VALGRIND} \ "${CERTTOOL}" --generate-crl --load-ca-privkey "${srcdir}/data/template-test.key" \ diff --git a/tests/cert-tests/data/template-dates-after2038.pem b/tests/cert-tests/data/template-dates-after2038.pem new file mode 100644 index 0000000000..865ddc901a --- /dev/null +++ b/tests/cert-tests/data/template-dates-after2038.pem @@ -0,0 +1,23 @@ +-----BEGIN CERTIFICATE----- +MIID3jCCA0egAwIBAgIBBzANBgkqhkiG9w0BAQsFADCBuDEVMBMGA1UEAxMMQ2lu +ZHkgTGF1cGVyMRcwFQYKCZImiZPyLGQBARMHY2xhdXBlcjEXMBUGA1UECxMOc2xl +ZXBpbmcgZGVwdC4xEjAQBgNVBAoTCUtva28gaW5jLjEPMA0GA1UECBMGQXR0aWtp +MQswCQYDVQQGEwJHUjEMMAoGA1UEDBMDRHIuMQ8wDQYDVQRBEwZqYWNrYWwxHDAa +BgkqhkiG9w0BCQEWDW5vbmVAbm9uZS5vcmcwHhcNMzkwMTEyMTEzNjExWhcNNDMw +NTI0MTQyOTEyWjCBuDEVMBMGA1UEAxMMQ2luZHkgTGF1cGVyMRcwFQYKCZImiZPy +LGQBARMHY2xhdXBlcjEXMBUGA1UECxMOc2xlZXBpbmcgZGVwdC4xEjAQBgNVBAoT +CUtva28gaW5jLjEPMA0GA1UECBMGQXR0aWtpMQswCQYDVQQGEwJHUjEMMAoGA1UE +DBMDRHIuMQ8wDQYDVQRBEwZqYWNrYWwxHDAaBgkqhkiG9w0BCQEWDW5vbmVAbm9u +ZS5vcmcwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAKXGznVDhL9kngInE/ED +Wfd5LZLtfC9QpAPxLXm5hosFfjq7RKqvhM8TmB4cSjj3My16n3LUa20msDE3cBD7 +QunYnRhlfhlJ/AWWBGiDHneGv+315RI7E/4zGJwaeh1pr0cCYHofuejP28g0MFGW +PYyWXAC8Yd4ID7E2IX+pAOMFAgMBAAGjgfUwgfIwDwYDVR0TAQH/BAUwAwEB/zBq +BgNVHREEYzBhggx3d3cubm9uZS5vcmeCE3d3dy5tb3JldGhhbm9uZS5vcmeCF3d3 +dy5ldmVubW9yZXRoYW5vbmUub3JnhwTAqAEBgQ1ub25lQG5vbmUub3JngQ53aGVy +ZUBub25lLm9yZzATBgNVHSUEDDAKBggrBgEFBQcDCTAPBgNVHQ8BAf8EBQMDBwQA +MB0GA1UdDgQWBBRdQK3wzpRAlYt+mZQdklQiynI2XzAuBgNVHR8EJzAlMCOgIaAf +hh1odHRwOi8vd3d3LmdldGNybC5jcmwvZ2V0Y3JsLzANBgkqhkiG9w0BAQsFAAOB +gQCTELknONiixbQdjpBVaelZZfymC4ixUfw/IqeWMK7bYoPWi3JQyY8McQOtijna +RZwSVga9nthtBhHYjxuW3w8kPYQCoyK3ugw7aI8WYmlGeEAT+BiVualE3ZMm7Lf0 +CwmtHA8I0CHKEzfsMCN3wu9EJ3C+9nq5qRtm2lfQSbSsvw== +-----END CERTIFICATE----- diff --git a/tests/cert-tests/template-test b/tests/cert-tests/template-test index 3d32b78c90..fe954e528a 100755 --- a/tests/cert-tests/template-test +++ b/tests/cert-tests/template-test @@ -21,7 +21,7 @@ #set -e srcdir="${srcdir:-.}" -ac_cv_sizeof_unsigned_long_int="${ac_cv_sizeof_unsigned_long_int:-8}" +ac_cv_sizeof_time_t="${ac_cv_sizeof_time_t:-8}" CERTTOOL="${CERTTOOL:-../../src/certtool${EXEEXT}}" DIFF="${DIFF:-diff}" @@ -36,6 +36,8 @@ TMPFILE=tmp-tt.pem.$$.tmp check_for_datefudge +echo "Running test for ${ac_cv_sizeof_time_t}-byte time_t" + # Note that in rare cases this test may fail because the # time set using datefudge could have changed since the generation # (if example the system was busy) @@ -123,7 +125,6 @@ fi rm -f ${TMPFILE} # The following test works in 64-bit systems -if test "${ac_cv_sizeof_unsigned_long_int}" = 8;then datefudge -s "2007-04-22" \ "${CERTTOOL}" --generate-self-signed \ @@ -131,17 +132,30 @@ datefudge -s "2007-04-22" \ --template "${srcdir}/templates/template-overflow2.tmpl" \ --outfile ${TMPFILE} 2>/dev/null -${DIFF} "${srcdir}/data/template-overflow2.pem" ${TMPFILE} >/dev/null 2>&1 rc=$? +if test "${ac_cv_sizeof_time_t}" -lt 8;then + if test "$rc" = "0"; then + echo "Test 5-1 (overflow2) succeeded unexpectedly with 32-bit time_t" + exit ${rc} + fi +else + if test "$rc" != "0"; then + echo "Test 5-1 (overflow2) failed" + exit ${rc} + fi -# We're done. -if test "${rc}" != "0"; then - echo "Test 5 (overflow2) failed" - exit ${rc} -fi + ${DIFF} "${srcdir}/data/template-overflow2.pem" ${TMPFILE} #>/dev/null 2>&1 + rc=$? + + # We're done. + if test "${rc}" != "0"; then + echo $TMPFILE + echo "Test 5-2 (overflow2) failed" + exit ${rc} + fi -rm -f ${TMPFILE} fi +rm -f ${TMPFILE} datefudge -s "2007-04-22" \ "${CERTTOOL}" --generate-self-signed \ @@ -160,6 +174,34 @@ fi rm -f ${TMPFILE} +datefudge -s "2007-04-22" \ + "${CERTTOOL}" --generate-self-signed \ + --load-privkey "${srcdir}/data/template-test.key" \ + --template "${srcdir}/templates/template-dates-after2038.tmpl" \ + --outfile ${TMPFILE} 2>/dev/null +rc=$? +if test "${ac_cv_sizeof_time_t}" -lt 8;then + if test "$rc" = "0"; then + echo "Test 6-2 (explicit dates) succeeded unexpectedly with 32-bit long" + exit ${rc} + fi +else + if test "$rc" != "0"; then + echo "Test 6-2 (explicit dates) failed" + exit ${rc} + fi + + ${DIFF} "${srcdir}/data/template-dates-after2038.pem" ${TMPFILE} >/dev/null 2>&1 + rc=$? + + if test "${rc}" != "0"; then + echo "Test 6-3 (explicit dates) failed" + exit ${rc} + fi +fi + +rm -f ${TMPFILE} + # Test name constraints generation datefudge -s "2007-04-22" \ @@ -181,7 +223,7 @@ rm -f ${TMPFILE} # Test the GeneralizedTime support -if test "${ac_cv_sizeof_unsigned_long_int}" = 8;then +if test "${ac_cv_sizeof_time_t}" = 8;then # we should test that on systems which have 64-bit time_t. datefudge -s "2051-04-22" \ "${CERTTOOL}" --generate-self-signed \ diff --git a/tests/cert-tests/templates/template-dates-after2038.tmpl b/tests/cert-tests/templates/template-dates-after2038.tmpl new file mode 100644 index 0000000000..cb173875a3 --- /dev/null +++ b/tests/cert-tests/templates/template-dates-after2038.tmpl @@ -0,0 +1,97 @@ +# X.509 Certificate options +# +# DN options + +# The organization of the subject. +organization = "Koko inc." + +# The organizational unit of the subject. +unit = "sleeping dept." + +# The locality of the subject. +# locality = + +# The state of the certificate owner. +state = "Attiki" + +# The country of the subject. Two letter code. +country = GR + +# The common name of the certificate owner. +cn = "Cindy Lauper" + +# A user id of the certificate owner. +uid = "clauper" + +# If the supported DN OIDs are not adequate you can set +# any OID here. +# For example set the X.520 Title and the X.520 Pseudonym +# by using OID and string pairs. +dn_oid = 2.5.4.12 Dr. +dn_oid = 2.5.4.65 jackal + +# This is deprecated and should not be used in new +# certificates. +pkcs9_email = "none@none.org" + +# The serial number of the certificate +serial = 7 + +expiration_date = 2043-05-24 14:29:12 +activation_date = 2039-01-12 11:36:11 + +# X.509 v3 extensions + +# A dnsname in case of a WWW server. +dns_name = "www.none.org" +dns_name = "www.morethanone.org" + +# An IP address in case of a server. +ip_address = "192.168.1.1" + +dns_name = "www.evenmorethanone.org" + +# An email in case of a person +email = "none@none.org" + +# An URL that has CRLs (certificate revocation lists) +# available. Needed in CA certificates. +crl_dist_points = "http://www.getcrl.crl/getcrl/" + +email = "where@none.org" + +# Whether this is a CA certificate or not +ca + +# Whether this certificate will be used for a TLS client +#tls_www_client + +# Whether this certificate will be used for a TLS server +#tls_www_server + +# Whether this certificate will be used to sign data (needed +# in TLS DHE ciphersuites). +signing_key + +# Whether this certificate will be used to encrypt data (needed +# in TLS RSA ciphersuites). Note that it is preferred to use different +# keys for encryption and signing. +#encryption_key + +# Whether this key will be used to sign other certificates. +cert_signing_key + +# Whether this key will be used to sign CRLs. +#crl_signing_key + +# Whether this key will be used to sign code. +#code_signing_key + +# Whether this key will be used to sign OCSP data. +ocsp_signing_key + +# Whether this key will be used for time stamping. +#time_stamping_key + +# Whether this key will be used for IPsec IKE operations. +#ipsec_ike_key diff --git a/tests/scripts/common.sh b/tests/scripts/common.sh index 35ac52e5a6..10c25738dd 100644 --- a/tests/scripts/common.sh +++ b/tests/scripts/common.sh @@ -69,7 +69,7 @@ GETPORT='rc=0; myrandom=$(date +%N | sed s/^0*//) check_for_datefudge() { # On certain platforms running datefudge date fails (e.g., x86 datefudge # with x86-64 date app). - if test ${SKIP_DATEFUDGE_CHECK} = 1;then + if test "${SKIP_DATEFUDGE_CHECK}" = 1;then return fi |