[Bug 3329] New: Certificate validity dates greater than 32bit are truncated to 2038-01-19T03:14:07
bugzilla-daemon at mindrot.org
bugzilla-daemon at mindrot.org
Fri Jul 2 14:00:25 AEST 2021
https://bugzilla.mindrot.org/show_bug.cgi?id=3329
Bug ID: 3329
Summary: Certificate validity dates greater than 32bit are
truncated to 2038-01-19T03:14:07
Product: Portable OpenSSH
Version: 8.4p1
Hardware: All
OS: Linux
Status: NEW
Severity: normal
Priority: P5
Component: ssh-keygen
Assignee: unassigned-bugs at mindrot.org
Reporter: anthony at ajmartinez.com
CC: dtucker at dtucker.net
Blocks: 3302
CC: dtucker at dtucker.net
Blocks: 3302
Attachment #3531 1
is obsolete:
Creation of certificates with validity dates beyond the 32-bit limit
are truncated to the edge.
Example from 8.4p1:
[user at disp8853 ~]$ ssh-keygen -t ecdsa -N "" -q -f ca
[user at disp8853 ~]$ ssh-keygen -t ecdsa -N "" -q -f user
[user at disp8853 ~]$ ssh-keygen -s ca -I bug-report -z 911 -n 32bitdates
-V always:20390101 user.pub
Signed user key user-cert.pub: id "bug-report" serial 911 for
32bitdates valid before 2038-01-19T03:14:07
[user at disp8853 ~]$ ssh -V
OpenSSH_8.4p1, OpenSSL 1.1.1k FIPS 25 Mar 2021
This has been observed in several versions from 7.x to 8.x on x86_64
(Windows and Linux), and armv7 (Linux)
--- Comment #1 from Darren Tucker <dtucker at dtucker.net> ---
It looks like the cert validity is fine, it's the formatting function
that has the limit:
if (cert->valid_after != 0) {
/* XXX revisit INT_MAX in 2038 :) */
tt = cert->valid_after > INT_MAX ?
INT_MAX : cert->valid_after;
tm = localtime(&tt);
strftime(from, sizeof(from), "%Y-%m-%dT%H:%M:%S", tm);
}
Unfortunately there's no TIME_T_MAX, and while we can figure out how
big time_t is but there's nothing specifying whether it's signed or
unsigned.
Anyway there's a format_absolute_time in misc.c, we should factor these
out of sshkey.c and fix it in format_absolute_time.
--- Comment #2 from Darren Tucker <dtucker at dtucker.net> ---
Created attachment 3531
--> https://bugzilla.mindrot.org/attachment.cgi?id=3531&action=edit
allow formatting dates >INT_MAX
This patch ought to fix it on platforms with 64bit time_t, although
it'll also require some work in configure to be correct on other
systems.
--- Comment #3 from Darren Tucker <dtucker at dtucker.net> ---
Created attachment 3532
--> https://bugzilla.mindrot.org/attachment.cgi?id=3532&action=edit
allow formatting dates >INT_MAX
Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=3302
[Bug 3302] Tracking bug for openssh-8.7
--
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.
More information about the openssh-bugs
mailing list