author | Glenn Strauss <gstrauss@gluelogic.com> | 2021-07-12 14:46:49 -0400 |
---|---|---|
committer | Glenn Strauss <gstrauss@gluelogic.com> | 2021-09-04 08:08:26 -0400 |
commit | 309c1693acebfafa4429f3af39f067d9fe0f9987 (patch) | |
tree | 8a0c9f2b547c1ec2b7198a25e6080d696c6e01ba /src/mod_auth.c | |
parent | 82c199db3f112cf9c12e29931419690e85d7947a (diff) | |
download | lighttpd-git-309c1693acebfafa4429f3af39f067d9fe0f9987.tar.gz |
[multiple] Y2038 32-bit signed time_t mitigations
Most OS platforms have already provided solutions to
Y2038 32-bit signed time_t 5 - 10 years ago (or more!)
Notable exceptions are Linux i686 and FreeBSD i386.
Since 32-bit systems tend to be embedded systems,
and since many distros take years to pick up new software,
this commit aims to provide Y2038 mitigations for lighttpd
running on 32-bit systems with Y2038-unsafe 32-bit signed time_t
* Y2038: lighttpd 1.4.60 and later report Y2038 safety
$ lighttpd -V
+ Y2038 support # Y2038-SAFE
$ lighttpd -V
- Y2038 support (unsafe 32-bit signed time_t) # Y2038-UNSAFE
* Y2038: general platform info
* Y2038-SAFE: lighttpd 64-bit builds on platforms using 64-bit time_t
- all major 64-bit platforms (known to this author) use 64-bit time_t
* Y2038-SAFE: lighttpd 32-bit builds on platforms using 64-bit time_t
- Linux x32 ABI (different from i686)
- FreeBSD all 32-bit and 64-bit architectures *except* 32-bit i386
- NetBSD 6.0 (released Oct 2012) all 32-bit and 64-bit architectures
- OpenBSD 5.5 (released May 2014) all 32-bit and 64-bit architectures
- Microsoft Windows XP and Visual Studio 2005 (? unsure ?)
Another reference suggests Visual Studio 2015 defaults to 64-bit time_t
- MacOS 10.15 Catalina (released 2019) drops support for 32-bit apps
* Y2038-SAFE: lighttpd 32-bit builds on platforms using 32-bit unsigned time_t
- e.g. OpenVMS (unknown if lighttpd builds on this platform)
* Y2038-UNSAFE: lighttpd 32-bit builds on platforms using 32-bit signed time_t
- Linux 32-bit (including i686)
- glibc 32-bit library support not yet available for 64-bit time_t
- https://sourceware.org/glibc/wiki/Y2038ProofnessDesign
- Linux kernel 5.6 on 32-bit platforms does support 64-bit time_t
https://itsubuntu.com/linux-kernel-5-6-to-fix-the-year-2038-issue-unix-y2k/
- https://www.gnu.org/software/libc/manual/html_node/64_002dbit-time-symbol-handling.html
"Note: at this point, 64-bit time support in dual-time
configurations is work-in-progress, so for these
configurations, the public API only makes the 32-bit time
support available. In a later change, the public API will
allow user code to choose the time size for a given
compilation unit."
- compiling with -D_TIME_BITS=64 currently has no effect
- glibc recent (Jul 2021) mailing list discussion
- https://public-inbox.org/bug-gnulib/878s2ozq70.fsf@oldenburg.str.redhat.com/T/
- FreeBSD i386
- DragonFlyBSD 32-bit
* Y2038 mitigations attempted on Y2038-UNSAFE platforms (32-bit signed time_t)
* lighttpd prefers system monotonic clock instead of realtime clock
in places where realtime clock is not required
* lighttpd treats negative time_t values as after 19 Jan 2038 03:14:07 GMT
* (lighttpd presumes that lighttpd will not encounter dates before 1970
during normal operation.)
* lighttpd casts struct stat st.st_mtime (and st.st_*time) through uint64_t
to convert negative timestamps for comparisons with 64-bit timestamps
(treating negative timestamp values as after 19 Jan 2038 03:14:07 GMT)
* lighttpd provides unix_time64_t (int64_t) and
* lighttpd provides struct unix_timespec64 (unix_timespec64_t)
(struct timespec equivalent using unix_time64_t tv_sec member)
* lighttpd provides gmtime64_r() and localtime64_r() wrappers
for 32-bit platforms using 32-bit time_t and
lighttpd temporarily shifts the year in order to use
gmtime_r() and localtime_r() (or gmtime() and localtime())
from standard libraries, before readjusting year and passing
struct tm to formatting functions such as strftime()
* lighttpd provides TIME64_CAST() macro to cast signed 32-bit time_t to
unsigned 32-bit and then to unix_time64_t
* Note: while lighttpd tries to handle times past 19 Jan 2038 03:14:07 GMT
on 32-bit platforms using 32-bit signed time_t, underlying libraries and
underlying filesystems might not behave properly after 32-bit signed time_t
overflows (19 Jan 2038 03:14:08 GMT). If a given 32-bit OS does not work
properly using negative time_t values, then lighttpd likely will not work
properly on that system.
* Other references and blogs
- https://en.wikipedia.org/wiki/Year_2038_problem
- https://en.wikipedia.org/wiki/Time_formatting_and_storage_bugs
- http://www.lieberbiber.de/2017/03/14/a-look-at-the-year-20362038-problems-and-time-proofness-in-various-systems/
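The two mitigations the commit message describes (reinterpreting a wrapped signed 32-bit timestamp as a post-2038 time, and shifting the year so a 32-bit gmtime_r() can still break the time down) can be illustrated as follows. This is an added example, not lighttpd's code: the names `time64_from_wrapped32`, `gmtime64_shifted`, `SECS_28Y` and `LIMIT_2100_03_01` are hypothetical, and the 28-year shift is an assumed way to do the year adjustment, which the commit message does not specify.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* for gmtime_r() */
#endif
#include <stdint.h>
#include <stdio.h>
#include <time.h>

/* 28 Gregorian years with exactly 7 leap days (10227 days). From 1901 to
 * 2099 the weekday and leap-year pattern repeats with this period, so a
 * shift by it preserves month, day, weekday and time of day.
 * (assumption of this example, not taken from lighttpd) */
#define SECS_28Y          ((int64_t)883612800)
/* 1 Mar 2100 00:00:00 GMT: 2100 is not a leap year, so the 28-year
 * equivalence breaks from here on and the example refuses such input. */
#define LIMIT_2100_03_01  ((int64_t)4107542400)

/* signed 32-bit -> unsigned 32-bit -> signed 64-bit: a negative (wrapped)
 * value is read as a time after 19 Jan 2038 03:14:07 GMT. */
static int64_t time64_from_wrapped32(int32_t t32)
{
    return (int64_t)(uint32_t)t32;
}

/* Break down a 64-bit timestamp while only ever handing gmtime_r() a
 * value that fits in a non-negative signed 32-bit time_t. */
static struct tm *gmtime64_shifted(int64_t t, struct tm *out)
{
    int cycles = 0;
    if (t < 0 || t >= LIMIT_2100_03_01) return NULL;
    while (t > INT32_MAX) { t -= SECS_28Y; ++cycles; }
    time_t small = (time_t)t;
    if (gmtime_r(&small, out) == NULL) return NULL;
    out->tm_year += 28 * cycles;      /* undo the shift in the result */
    return out;
}

int main(void)
{
    struct tm tm;
    /* constructed input: the first value a signed 32-bit time_t wraps to */
    int64_t t = time64_from_wrapped32(INT32_MIN);
    char buf[32];
    if (gmtime64_shifted(t, &tm) == NULL) return 1;
    strftime(buf, sizeof(buf), "%Y-%m-%d %H:%M:%S", &tm);
    printf("%lld -> %s GMT\n", (long long)t, buf);
    return 0;
}
```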
Diffstat (limited to 'src/mod_auth.c')
-rw-r--r-- | src/mod_auth.c | 24 |
1 files changed, 12 insertions, 12 deletions
diff --git a/src/mod_auth.c b/src/mod_auth.c index 627ddcb2..c0beb355 100644 --- a/src/mod_auth.c +++ b/src/mod_auth.c @@ -45,7 +45,7 @@ typedef struct { typedef struct { const struct http_auth_require_t *require; - time_t ctime; + unix_time64_t ctime; int dalgo; uint32_t dlen; uint32_t ulen; @@ -144,7 +144,7 @@ http_auth_cache_insert (splay_tree ** const sptree, const int ndx, void * const /* walk though cache, collect expired ids, and remove them in a second loop */ static void -mod_auth_tag_old_entries (splay_tree * const t, int * const keys, int * const ndx, const time_t max_age, const time_t cur_ts) +mod_auth_tag_old_entries (splay_tree * const t, int * const keys, int * const ndx, const time_t max_age, const unix_time64_t cur_ts) { if (*ndx == 8192) return; /*(must match num array entries in keys[])*/ if (t->left) @@ -160,7 +160,7 @@ mod_auth_tag_old_entries (splay_tree * const t, int * const keys, int * const nd __attribute_noinline__ static void -mod_auth_periodic_cleanup(splay_tree **sptree_ptr, const time_t max_age, const time_t cur_ts) +mod_auth_periodic_cleanup(splay_tree **sptree_ptr, const time_t max_age, const unix_time64_t cur_ts) { splay_tree *sptree = *sptree_ptr; int max_ndx, i; @@ -184,7 +184,7 @@ mod_auth_periodic_cleanup(splay_tree **sptree_ptr, const time_t max_age, const t TRIGGER_FUNC(mod_auth_periodic) { const plugin_data * const p = p_d; - const time_t cur_ts = log_monotonic_secs; + const unix_time64_t cur_ts = log_monotonic_secs; if (cur_ts & 0x7) return HANDLER_GO_ON; /*(continue once each 8 sec)*/ UNUSED(srv); @@ -867,7 +867,7 @@ enum http_auth_digest_params_e { typedef struct http_auth_digest_params_t { const char *ptr[http_auth_digest_params_sz]; uint16_t len[http_auth_digest_params_sz]; - time_t send_nextnonce_ts; + unix_time64_t send_nextnonce_ts; unsigned char rdigest[MD_DIGEST_LENGTH_MAX]; /*(last member)*/ } http_auth_digest_params_t; 
@@ -964,7 +964,7 @@ mod_auth_digest_mutate (http_auth_info_t * const ai, const http_auth_digest_para static void -mod_auth_append_nonce (buffer *b, time_t cur_ts, const struct http_auth_require_t *require, int dalgo, int *rndptr) +mod_auth_append_nonce (buffer *b, unix_time64_t cur_ts, const struct http_auth_require_t *require, int dalgo, int *rndptr) { buffer_append_uint_hex(b, (uintmax_t)cur_ts); buffer_append_string_len(b, CONST_STR_LEN(":")); @@ -1028,7 +1028,7 @@ mod_auth_append_nonce (buffer *b, time_t cur_ts, const struct http_auth_require_ static void -mod_auth_digest_www_authenticate (buffer *b, time_t cur_ts, const struct http_auth_require_t *require, int nonce_stale) +mod_auth_digest_www_authenticate (buffer *b, unix_time64_t cur_ts, const struct http_auth_require_t *require, int nonce_stale) { int algos = nonce_stale ? nonce_stale : require->algorithm; int n = 0; @@ -1093,7 +1093,7 @@ mod_auth_send_401_unauthorized_digest(request_st * const r, const struct http_au static void -mod_auth_digest_authentication_info (buffer *b, time_t cur_ts, const struct http_auth_require_t *require, int dalgo) +mod_auth_digest_authentication_info (buffer *b, unix_time64_t cur_ts, const struct http_auth_require_t *require, int dalgo) { buffer_clear(b); buffer_append_string_len(b, CONST_STR_LEN("nextnonce=\"")); 
@@ -1336,13 +1336,13 @@ mod_auth_digest_validate_nonce (request_st * const r, const struct http_auth_req * data value (included for unique nonces) will be exposed in the nonce * along with the timestamp, and the additional secret will be used to * validate that the server generated the nonce using that secret. */ - time_t ts = 0; + unix_time64_t ts = 0; const unsigned char * const nonce = (unsigned char *)dp->ptr[e_nonce]; int i; - for (i = 0; i < 8 && light_isxdigit(nonce[i]); ++i) - ts =(time_t)((uint32_t)ts << 4) | hex2int(nonce[i]); + for (i = 0; i < 16 && light_isxdigit(nonce[i]); ++i) + ts = (unix_time64_t)((uint64_t)ts << 4) | hex2int(nonce[i]); - const time_t cur_ts = log_epoch_secs; + const unix_time64_t cur_ts = log_epoch_secs; if (nonce[i] != ':' || ts > cur_ts || cur_ts - ts > 600) { /*(10 mins)*/ /* nonce is stale; have client regenerate digest */ return mod_auth_send_401_unauthorized_digest(r, require, ai->dalgo); |
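Review bot: In the hunks at -144 and -160, mod_auth_tag_old_entries() and mod_auth_periodic_cleanup() keep `const time_t max_age` while `cur_ts` becomes unix_time64_t, so each signature now mixes two time types. Because max_age is a duration rather than an absolute timestamp this looks intentional, but a short comment saying so, or widening it for consistency, would keep a later reader from assuming it was missed. The age comparison in the function bodies is not part of this diff, so it is worth confirming that it is evaluated in 64-bit.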
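Review bot: In the hunk at -964, `buffer_append_uint_hex(b, (uintmax_t)cur_ts)` writes the nonce timestamp as variable-width hex, while the parser in the -1336 hunk now stops after 16 digits, and neither site documents that the two are coupled. A comment at both places stating that the timestamp field is at most 16 hex digits followed by ':' would make the format explicit and keep the emitter and the parser limit in sync if either changes.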
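Review bot: In the hunk at -1336, the staleness check has no lower bound on ts now that the loop accepts 16 hex digits: a 16-digit value with the top bit set leaves ts negative after the cast to unix_time64_t, `ts > cur_ts` is then false, and `cur_ts - ts` can overflow signed 64-bit arithmetic, which is undefined behavior. Adding `ts < 0 ||` to the condition, or doing the age subtraction in uint64_t, would reject such values before the subtraction. The comment above the code says the nonce is also validated against the server secret, but the timestamp check should be sound on its own.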