diff options
author | Glenn Strauss <gstrauss@gluelogic.com> | 2021-07-12 14:46:49 -0400 |
---|---|---|
committer | Glenn Strauss <gstrauss@gluelogic.com> | 2021-09-04 08:08:26 -0400 |
commit | 309c1693acebfafa4429f3af39f067d9fe0f9987 (patch) | |
tree | 8a0c9f2b547c1ec2b7198a25e6080d696c6e01ba /src/mod_gnutls.c | |
parent | 82c199db3f112cf9c12e29931419690e85d7947a (diff) | |
download | lighttpd-git-309c1693acebfafa4429f3af39f067d9fe0f9987.tar.gz |
[multiple] Y2038 32-bit signed time_t mitigations
Most OS platforms have already provided solutions to
Y2038 32-bit signed time_t 5 - 10 years ago (or more!)
Notable exceptions are Linux i686 and FreeBSD i386.
Since 32-bit systems tend to be embedded systems,
and since many distros take years to pick up new software,
this commit aims to provide Y2038 mitigations for lighttpd
running on 32-bit systems with Y2038-unsafe 32-bit signed time_t
* Y2038: lighttpd 1.4.60 and later report Y2038 safety
$ lighttpd -V
+ Y2038 support # Y2038-SAFE
$ lighttpd -V
- Y2038 support (unsafe 32-bit signed time_t) # Y2038-UNSAFE
* Y2038: general platform info
* Y2038-SAFE: lighttpd 64-bit builds on platforms using 64-bit time_t
- all major 64-bit platforms (known to this author) use 64-bit time_t
* Y2038-SAFE: lighttpd 32-bit builds on platforms using 64-bit time_t
- Linux x32 ABI (different from i686)
- FreeBSD all 32-bit and 64-bit architectures *except* 32-bit i386
- NetBSD 6.0 (released Oct 2012) all 32-bit and 64-bit architectures
- OpenBSD 5.5 (released May 2014) all 32-bit and 64-bit architectures
- Microsoft Windows XP and Visual Studio 2005 (? unsure ?)
Another reference suggests Visual Studio 2015 defaults to 64-bit time_t
- MacOS 10.15 Catalina (released 2019) drops support for 32-bit apps
* Y2038-SAFE: lighttpd 32-bit builds on platforms using 32-bit unsigned time_t
- e.g. OpenVMS (unknown if lighttpd builds on this platform)
* Y2038-UNSAFE: lighttpd 32-bit builds on platforms using 32-bit signed time_t
- Linux 32-bit (including i686)
- glibc 32-bit library support not yet available for 64-bit time_t
- https://sourceware.org/glibc/wiki/Y2038ProofnessDesign
- Linux kernel 5.6 on 32-bit platforms does support 64-bit time_t
https://itsubuntu.com/linux-kernel-5-6-to-fix-the-year-2038-issue-unix-y2k/
- https://www.gnu.org/software/libc/manual/html_node/64_002dbit-time-symbol-handling.html
"Note: at this point, 64-bit time support in dual-time
configurations is work-in-progress, so for these
configurations, the public API only makes the 32-bit time
support available. In a later change, the public API will
allow user code to choose the time size for a given
compilation unit."
- compiling with -D_TIME_BITS=64 currently has no effect
- glibc recent (Jul 2021) mailing list discussion
- https://public-inbox.org/bug-gnulib/878s2ozq70.fsf@oldenburg.str.redhat.com/T/
- FreeBSD i386
- DragonFlyBSD 32-bit
* Y2038 mitigations attempted on Y2038-UNSAFE platforms (32-bit signed time_t)
* lighttpd prefers system monotonic clock instead of realtime clock
in places where realtime clock is not required
* lighttpd treats negative time_t values as after 19 Jan 2038 03:14:07 GMT
* (lighttpd presumes that lighttpd will not encounter dates before 1970
during normal operation.)
* lighttpd casts struct stat st.st_mtime (and st.st_*time) through uint64_t
to convert negative timestamps for comparisions with 64-bit timestamps
(treating negative timestamp values as after 19 Jan 2038 03:14:07 GMT)
* lighttpd provides unix_time64_t (int64_t) and
* lighttpd provides struct unix_timespec64 (unix_timespec64_t)
(struct timespec equivalent using unix_time64_t tv_sec member)
* lighttpd provides gmtime64_r() and localtime64_r() wrappers
for platforms 32-bit platforms using 32-bit time_t and
lighttpd temporarily shifts the year in order to use
gmtime_r() and localtime_r() (or gmtime() and localtime())
from standard libraries, before readjusting year and passing
struct tm to formatting functions such as strftime()
* lighttpd provides TIME64_CAST() macro to cast signed 32-bit time_t to
unsigned 32-bit and then to unix_time64_t
* Note: while lighttpd tries handle times past 19 Jan 2038 03:14:07 GMT
on 32-bit platforms using 32-bit signed time_t, underlying libraries and
underlying filesystems might not behave properly after 32-bit signed time_t
overflows (19 Jan 2038 03:14:08 GMT). If a given 32-bit OS does not work
properly using negative time_t values, then lighttpd likely will not work
properly on that system.
* Other references and blogs
- https://en.wikipedia.org/wiki/Year_2038_problem
- https://en.wikipedia.org/wiki/Time_formatting_and_storage_bugs
- http://www.lieberbiber.de/2017/03/14/a-look-at-the-year-20362038-problems-and-time-proofness-in-various-systems/
Diffstat (limited to 'src/mod_gnutls.c')
-rw-r--r-- | src/mod_gnutls.c | 33 |
1 files changed, 17 insertions, 16 deletions
diff --git a/src/mod_gnutls.c b/src/mod_gnutls.c index e9a892a2..a5e4fb45 100644 --- a/src/mod_gnutls.c +++ b/src/mod_gnutls.c @@ -68,8 +68,8 @@ typedef struct { gnutls_datum_t *ssl_pemfile_x509; gnutls_privkey_t ssl_pemfile_pkey; const buffer *ssl_stapling_file; - time_t ssl_stapling_loadts; - time_t ssl_stapling_nextts; + unix_time64_t ssl_stapling_loadts; + unix_time64_t ssl_stapling_nextts; } plugin_cert; typedef struct { @@ -273,15 +273,15 @@ mod_gnutls_datum_wipe (gnutls_datum_t * const d) * to store keys that are not yet active * (mirror from mod_openssl, even though not all bits are used here) */ typedef struct tlsext_ticket_key_st { - time_t active_ts; /* tickets not issued w/ key until activation timestamp */ - time_t expire_ts; /* key not valid after expiration timestamp */ + unix_time64_t active_ts; /* tickets not issued w/ key until activation ts*/ + unix_time64_t expire_ts; /* key not valid after expiration timestamp */ unsigned char tick_key_name[TLSEXT_KEYNAME_LENGTH]; unsigned char tick_hmac_key[TLSEXT_TICK_KEY_LENGTH]; unsigned char tick_aes_key[TLSEXT_TICK_KEY_LENGTH]; } tlsext_ticket_key_t; static tlsext_ticket_key_t session_ticket_keys[1]; /* temp store until active */ -static time_t stek_rotate_ts; +static unix_time64_t stek_rotate_ts; static gnutls_datum_t session_ticket_key; @@ -348,8 +348,8 @@ mod_gnutls_session_ticket_key_file (const char *fn) if (0 != fdevent_load_file_bytes((char *)buf,(off_t)sizeof(buf),0,fn,NULL)) return rc; if (buf[0] == 0) { /*(format version 0)*/ - session_ticket_keys[0].active_ts = buf[1]; - session_ticket_keys[0].expire_ts = buf[2]; + session_ticket_keys[0].active_ts = TIME64_CAST(buf[1]); + session_ticket_keys[0].expire_ts = TIME64_CAST(buf[2]); #ifndef __COVERITY__ memcpy(&session_ticket_keys[0].tick_key_name, buf+3, 80); #else @@ -369,16 +369,17 @@ mod_gnutls_session_ticket_key_file (const char *fn) static void -mod_gnutls_session_ticket_key_check (server *srv, const plugin_data *p, const time_t cur_ts) +mod_gnutls_session_ticket_key_check (server *srv, const plugin_data *p, const unix_time64_t cur_ts) { - static time_t detect_retrograde_ts; + static unix_time64_t detect_retrograde_ts; if (detect_retrograde_ts > cur_ts && detect_retrograde_ts - cur_ts > 28800) stek_rotate_ts = 0; detect_retrograde_ts = cur_ts; if (p->ssl_stek_file) { struct stat st; - if (0 == stat(p->ssl_stek_file, &st) && st.st_mtime > stek_rotate_ts + if (0 == stat(p->ssl_stek_file, &st) + && TIME64_CAST(st.st_mtime) > stek_rotate_ts && mod_gnutls_session_ticket_key_file(p->ssl_stek_file)) { stek_rotate_ts = cur_ts; } @@ -923,7 +924,7 @@ mod_gnutls_expire_stapling_file (server *srv, plugin_cert *pc) static int -mod_gnutls_reload_stapling_file (server *srv, plugin_cert *pc, const time_t cur_ts) +mod_gnutls_reload_stapling_file (server *srv, plugin_cert *pc, const unix_time64_t cur_ts) { #if GNUTLS_VERSION_NUMBER < 0x030603 /* load file into gnutls_ocsp_resp_t before loading into @@ -970,7 +971,7 @@ mod_gnutls_reload_stapling_file (server *srv, plugin_cert *pc, const time_t cur_ pc->ssl_stapling_loadts = cur_ts; pc->ssl_stapling_nextts = nextupd; - if (pc->ssl_stapling_nextts == (time_t)-1) { + if (pc->ssl_stapling_nextts == -1) { /* "Next Update" might not be provided by OCSP responder * Use 3600 sec (1 hour) in that case. */ /* retry in 1 hour if unable to determine Next Update */ @@ -985,13 +986,13 @@ mod_gnutls_reload_stapling_file (server *srv, plugin_cert *pc, const time_t cur_ static int -mod_gnutls_refresh_stapling_file (server *srv, plugin_cert *pc, const time_t cur_ts) +mod_gnutls_refresh_stapling_file (server *srv, plugin_cert *pc, const unix_time64_t cur_ts) { if (pc->ssl_stapling_nextts > cur_ts + 256) return 0; /* skip check for refresh unless close to expire */ struct stat st; if (0 != stat(pc->ssl_stapling_file->ptr, &st) - || st.st_mtime <= pc->ssl_stapling_loadts) { + || TIME64_CAST(st.st_mtime) <= pc->ssl_stapling_loadts) { if (pc->ssl_stapling_nextts < cur_ts) mod_gnutls_expire_stapling_file(srv, pc); return 0; @@ -1001,7 +1002,7 @@ mod_gnutls_refresh_stapling_file (server *srv, plugin_cert *pc, const time_t cur static void -mod_gnutls_refresh_stapling_files (server *srv, const plugin_data *p, const time_t cur_ts) +mod_gnutls_refresh_stapling_files (server *srv, const plugin_data *p, const unix_time64_t cur_ts) { /* future: might construct array of (plugin_cert *) at startup * to avoid the need to search for them here */ @@ -2979,7 +2980,7 @@ REQUEST_FUNC(mod_gnutls_handle_request_reset) TRIGGER_FUNC(mod_gnutls_handle_trigger) { const plugin_data * const p = p_d; - const time_t cur_ts = log_epoch_secs; + const unix_time64_t cur_ts = log_epoch_secs; if (cur_ts & 0x3f) return HANDLER_GO_ON; /*(continue once each 64 sec)*/ mod_gnutls_session_ticket_key_check(srv, p, cur_ts); |