[multiple] Y2038 32-bit signed time_t mitigations

Most OS platforms have already provided solutions to
Y2038 32-bit signed time_t 5 - 10 years ago (or more!)
Notable exceptions are Linux i686 and FreeBSD i386.

Since 32-bit systems tend to be embedded systems,
and since many distros take years to pick up new software,
this commit aims to provide Y2038 mitigations for lighttpd
running on 32-bit systems with Y2038-unsafe 32-bit signed time_t

* Y2038: lighttpd 1.4.60 and later report Y2038 safety
  $ lighttpd -V
    + Y2038 support                                    # Y2038-SAFE
  $ lighttpd -V
    - Y2038 support (unsafe 32-bit signed time_t)      # Y2038-UNSAFE

* Y2038: general platform info
  * Y2038-SAFE: lighttpd 64-bit builds on platforms using 64-bit time_t
      - all major 64-bit platforms (known to this author) use 64-bit time_t
  * Y2038-SAFE: lighttpd 32-bit builds on platforms using 64-bit time_t
      - Linux x32 ABI (different from i686)
      - FreeBSD all 32-bit and 64-bit architectures *except* 32-bit i386
      - NetBSD 6.0 (released Oct 2012) all 32-bit and 64-bit architectures
      - OpenBSD 5.5 (released May 2014) all 32-bit and 64-bit architectures
      - Microsoft Windows XP and Visual Studio 2005 (? unsure ?)
        Another reference suggests Visual Studio 2015 defaults to 64-bit time_t
      - MacOS 10.15 Catalina (released 2019) drops support for 32-bit apps
  * Y2038-SAFE: lighttpd 32-bit builds on platforms using 32-bit unsigned time_t
      - e.g. OpenVMS (unknown if lighttpd builds on this platform)
  * Y2038-UNSAFE: lighttpd 32-bit builds on platforms using 32-bit signed time_t
      - Linux 32-bit (including i686)
          - glibc 32-bit library support not yet available for 64-bit time_t
              - https://sourceware.org/glibc/wiki/Y2038ProofnessDesign
              - Linux kernel 5.6 on 32-bit platforms does support 64-bit time_t
                https://itsubuntu.com/linux-kernel-5-6-to-fix-the-year-2038-issue-unix-y2k/
              - https://www.gnu.org/software/libc/manual/html_node/64_002dbit-time-symbol-handling.html
                "Note: at this point, 64-bit time support in dual-time
                 configurations is work-in-progress, so for these
                 configurations, the public API only makes the 32-bit time
                 support available. In a later change, the public API will
                 allow user code to choose the time size for a given
                 compilation unit."
              - compiling with -D_TIME_BITS=64 currently has no effect
          - glibc recent (Jul 2021) mailing list discussion
              - https://public-inbox.org/bug-gnulib/878s2ozq70.fsf@oldenburg.str.redhat.com/T/
      - FreeBSD i386
      - DragonFlyBSD 32-bit

* Y2038 mitigations attempted on Y2038-UNSAFE platforms (32-bit signed time_t)
  * lighttpd prefers system monotonic clock instead of realtime clock
    in places where realtime clock is not required
  * lighttpd treats negative time_t values as after 19 Jan 2038 03:14:07 GMT
  * (lighttpd presumes that lighttpd will not encounter dates before 1970
    during normal operation.)
  * lighttpd casts struct stat st.st_mtime (and st.st_*time) through uint64_t
    to convert negative timestamps for comparisions with 64-bit timestamps
    (treating negative timestamp values as after 19 Jan 2038 03:14:07 GMT)
  * lighttpd provides unix_time64_t (int64_t) and
  * lighttpd provides struct unix_timespec64 (unix_timespec64_t)
    (struct timespec equivalent using unix_time64_t tv_sec member)
  * lighttpd provides gmtime64_r() and localtime64_r() wrappers
    for platforms 32-bit platforms using 32-bit time_t and
    lighttpd temporarily shifts the year in order to use
    gmtime_r() and localtime_r() (or gmtime() and localtime())
    from standard libraries, before readjusting year and passing
    struct tm to formatting functions such as strftime()
  * lighttpd provides TIME64_CAST() macro to cast signed 32-bit time_t to
    unsigned 32-bit and then to unix_time64_t

* Note: while lighttpd tries handle times past 19 Jan 2038 03:14:07 GMT
  on 32-bit platforms using 32-bit signed time_t, underlying libraries and
  underlying filesystems might not behave properly after 32-bit signed time_t
  overflows (19 Jan 2038 03:14:08 GMT).  If a given 32-bit OS does not work
  properly using negative time_t values, then lighttpd likely will not work
  properly on that system.

* Other references and blogs
  - https://en.wikipedia.org/wiki/Year_2038_problem
  - https://en.wikipedia.org/wiki/Time_formatting_and_storage_bugs
  - http://www.lieberbiber.de/2017/03/14/a-look-at-the-year-20362038-problems-and-time-proofness-in-various-systems/

1 files changed, 12 insertions, 12 deletions

diff --git a/src/mod_auth.c b/src/mod_auth.c
index 627ddcb2..c0beb355 100644
--- a/src/mod_auth.c
+++ b/src/mod_auth.c
@@ -45,7 +45,7 @@ typedef struct {
 
 typedef struct {
     const struct http_auth_require_t *require;
-    time_t ctime;
+    unix_time64_t ctime;
     int dalgo;
     uint32_t dlen;
     uint32_t ulen;
@@ -144,7 +144,7 @@ http_auth_cache_insert (splay_tree ** const sptree, const int ndx, void * const
 
 /* walk though cache, collect expired ids, and remove them in a second loop */
 static void
-mod_auth_tag_old_entries (splay_tree * const t, int * const keys, int * const ndx, const time_t max_age, const time_t cur_ts)
+mod_auth_tag_old_entries (splay_tree * const t, int * const keys, int * const ndx, const time_t max_age, const unix_time64_t cur_ts)
 {
     if (*ndx == 8192) return; /*(must match num array entries in keys[])*/
     if (t->left)
@@ -160,7 +160,7 @@ mod_auth_tag_old_entries (splay_tree * const t, int * const keys, int * const nd
 
 __attribute_noinline__
 static void
-mod_auth_periodic_cleanup(splay_tree **sptree_ptr, const time_t max_age, const time_t cur_ts)
+mod_auth_periodic_cleanup(splay_tree **sptree_ptr, const time_t max_age, const unix_time64_t cur_ts)
 {
     splay_tree *sptree = *sptree_ptr;
     int max_ndx, i;
@@ -184,7 +184,7 @@ mod_auth_periodic_cleanup(splay_tree **sptree_ptr, const time_t max_age, const t
 TRIGGER_FUNC(mod_auth_periodic)
 {
     const plugin_data * const p = p_d;
-    const time_t cur_ts = log_monotonic_secs;
+    const unix_time64_t cur_ts = log_monotonic_secs;
     if (cur_ts & 0x7) return HANDLER_GO_ON; /*(continue once each 8 sec)*/
     UNUSED(srv);
 
@@ -867,7 +867,7 @@ enum http_auth_digest_params_e {
 typedef struct http_auth_digest_params_t {
     const char *ptr[http_auth_digest_params_sz];
     uint16_t len[http_auth_digest_params_sz];
-    time_t send_nextnonce_ts;
+    unix_time64_t send_nextnonce_ts;
     unsigned char rdigest[MD_DIGEST_LENGTH_MAX]; /*(last member)*/
 } http_auth_digest_params_t;
 
@@ -964,7 +964,7 @@ mod_auth_digest_mutate (http_auth_info_t * const ai, const http_auth_digest_para
 
 
 static void
-mod_auth_append_nonce (buffer *b, time_t cur_ts, const struct http_auth_require_t *require, int dalgo, int *rndptr)
+mod_auth_append_nonce (buffer *b, unix_time64_t cur_ts, const struct http_auth_require_t *require, int dalgo, int *rndptr)
 {
     buffer_append_uint_hex(b, (uintmax_t)cur_ts);
     buffer_append_string_len(b, CONST_STR_LEN(":"));
@@ -1028,7 +1028,7 @@ mod_auth_append_nonce (buffer *b, time_t cur_ts, const struct http_auth_require_
 
 
 static void
-mod_auth_digest_www_authenticate (buffer *b, time_t cur_ts, const struct http_auth_require_t *require, int nonce_stale)
+mod_auth_digest_www_authenticate (buffer *b, unix_time64_t cur_ts, const struct http_auth_require_t *require, int nonce_stale)
 {
     int algos = nonce_stale ? nonce_stale : require->algorithm;
     int n = 0;
@@ -1093,7 +1093,7 @@ mod_auth_send_401_unauthorized_digest(request_st * const r, const struct http_au
 
 
 static void
-mod_auth_digest_authentication_info (buffer *b, time_t cur_ts, const struct http_auth_require_t *require, int dalgo)
+mod_auth_digest_authentication_info (buffer *b, unix_time64_t cur_ts, const struct http_auth_require_t *require, int dalgo)
 {
     buffer_clear(b);
     buffer_append_string_len(b, CONST_STR_LEN("nextnonce=\""));
@@ -1336,13 +1336,13 @@ mod_auth_digest_validate_nonce (request_st * const r, const struct http_auth_req
      * data value (included for unique nonces) will be exposed in the nonce
      * along with the timestamp, and the additional secret will be used to
      * validate that the server generated the nonce using that secret. */
-    time_t ts = 0;
+    unix_time64_t ts = 0;
     const unsigned char * const nonce = (unsigned char *)dp->ptr[e_nonce];
     int i;
-    for (i = 0; i < 8 && light_isxdigit(nonce[i]); ++i)
-        ts =(time_t)((uint32_t)ts << 4) | hex2int(nonce[i]);
+    for (i = 0; i < 16 && light_isxdigit(nonce[i]); ++i)
+        ts = (unix_time64_t)((uint64_t)ts << 4) | hex2int(nonce[i]);
 
-    const time_t cur_ts = log_epoch_secs;
+    const unix_time64_t cur_ts = log_epoch_secs;
     if (nonce[i] != ':' || ts > cur_ts || cur_ts - ts > 600) { /*(10 mins)*/
         /* nonce is stale; have client regenerate digest */
         return mod_auth_send_401_unauthorized_digest(r, require, ai->dalgo);