Fixed bug #74341

Added support for ASN.1 UTCTime without seconds part (being 11 characters
long instead of 13).

Additionally, fixed incorrect handling of DST on systems without gmtoff.

diff --git a/NEWS b/NEWS
index 32646abc052797042642f386af04c7e946a1bd07..ed0cff2ad8b569e71374cf385e2ca615eff33eb2 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -6,6 +6,10 @@ PHP                                                                        NEWS
   . Fixed bug #74343 (compile fails on solaris 11 with system gd2 library).
     (krakjoe)
 
+- OpenSSL:
+  . Fixed bug #74341 (openssl_x509_parse fails to parse ASN.1 UTCTime without
+    seconds). (Moritz Fain)
+
 13 Apr 2017 PHP 7.0.18
 
 - Core:

diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c
index da60bb9486074756a160ebfdeeb18142a142fad4..51f2667e8214bde7955315123b2cd70b1cd59658 100644 (file)
--- a/ext/openssl/openssl.c
+++ b/ext/openssl/openssl.c
@@ -739,23 +739,26 @@ static time_t asn1_time_to_time_t(ASN1_UTCTIME * timestr) /* {{{ */
        char * strbuf;
        char * thestr;
        long gmadjust = 0;
+       size_t timestr_len;
 
        if (ASN1_STRING_type(timestr) != V_ASN1_UTCTIME && ASN1_STRING_type(timestr) != V_ASN1_GENERALIZEDTIME) {
                php_error_docref(NULL, E_WARNING, "illegal ASN1 data type for timestamp");
                return (time_t)-1;
        }
 
-       if (ASN1_STRING_length(timestr) != strlen((const char*)ASN1_STRING_data(timestr))) {
+       timestr_len = (size_t)ASN1_STRING_length(timestr);
+
+       if (timestr_len != strlen((const char*)ASN1_STRING_data(timestr))) {
                php_error_docref(NULL, E_WARNING, "illegal length in timestamp");
                return (time_t)-1;
        }
 
-       if (ASN1_STRING_length(timestr) < 13) {
+       if (timestr_len < 13 && timestr_len != 11) {
                php_error_docref(NULL, E_WARNING, "unable to parse time string %s correctly", timestr->data);
                return (time_t)-1;
        }
 
-       if (ASN1_STRING_type(timestr) == V_ASN1_GENERALIZEDTIME && ASN1_STRING_length(timestr) < 15) {
+       if (ASN1_STRING_type(timestr) == V_ASN1_GENERALIZEDTIME && timestr_len < 15) {
                php_error_docref(NULL, E_WARNING, "unable to parse time string %s correctly", timestr->data);
                return (time_t)-1;
        }
@@ -766,11 +769,15 @@ static time_t asn1_time_to_time_t(ASN1_UTCTIME * timestr) /* {{{ */
 
        /* we work backwards so that we can use atoi more easily */
 
-       thestr = strbuf + ASN1_STRING_length(timestr) - 3;
+       thestr = strbuf + timestr_len - 3;
 
-       thetime.tm_sec = atoi(thestr);
-       *thestr = '\0';
-       thestr -= 2;
+       if (timestr_len == 11) {
+               thetime.tm_sec = 0;
+       } else {
+               thetime.tm_sec = atoi(thestr);
+               *thestr = '\0';
+               thestr -= 2;
+       }
        thetime.tm_min = atoi(thestr);
        *thestr = '\0';
        thestr -= 2;
@@ -807,7 +814,7 @@ static time_t asn1_time_to_time_t(ASN1_UTCTIME * timestr) /* {{{ */
        ** the value of timezone - 3600 seconds. Otherwise, we need to overcorrect and
        ** set the adjustment to the main timezone + 3600 seconds.
        */
-       gmadjust = -(thetime.tm_isdst ? (long)timezone - 3600 : (long)timezone + 3600);
+       gmadjust = -(thetime.tm_isdst ? (long)timezone - 3600 : (long)timezone);
 #endif
        ret += gmadjust;
 

diff --git a/ext/openssl/tests/bug74341.phpt b/ext/openssl/tests/bug74341.phpt
new file mode 100644 (file)
index 0000000..a3c78cf
--- /dev/null
+++ b/ext/openssl/tests/bug74341.phpt
@@ -0,0 +1,52 @@
+--TEST--
+Bug #74341 (openssl_x509_parse fails to parse ASN.1 UTCTime without seconds)
+--SKIPIF--
+<?php if (!extension_loaded("openssl")) print "skip"; ?>
+--FILE--
+<?php
+
+$pem_cert = '
+-----BEGIN CERTIFICATE-----
+MIIGFDCCBPygAwIBAgIDKCHVMA0GCSqGSIb3DQEBBQUAMIHcMQswCQYDVQQGEwJV
+UzEQMA4GA1UECBMHQXJpem9uYTETMBEGA1UEBxMKU2NvdHRzZGFsZTElMCMGA1UE
+ChMcU3RhcmZpZWxkIFRlY2hub2xvZ2llcywgSW5jLjE5MDcGA1UECxMwaHR0cDov
+L2NlcnRpZmljYXRlcy5zdGFyZmllbGR0ZWNoLmNvbS9yZXBvc2l0b3J5MTEwLwYD
+VQQDEyhTdGFyZmllbGQgU2VjdXJlIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MREw
+DwYDVQQFEwgxMDY4ODQzNTAcFwsxNDAxMDcwMDAwWhcNMTYwNDAxMDcwMDAwWjCB
+6zETMBEGCysGAQQBgjc8AgEDEwJVUzEYMBYGCysGAQQBgjc8AgECEwdBcml6b25h
+MR0wGwYDVQQPExRQcml2YXRlIE9yZ2FuaXphdGlvbjEUMBIGA1UEBRMLUi0xNzI0
+NzQxLTYxCzAJBgNVBAYTAlVTMRAwDgYDVQQIEwdBcml6b25hMRMwEQYDVQQHEwpT
+Y290dHNkYWxlMSQwIgYDVQQKExtTdGFyZmllbGQgVGVjaG5vbG9naWVzLCBMTEMx
+KzApBgNVBAMTInZhbGlkLnNmaS5jYXRlc3Quc3RhcmZpZWxkdGVjaC5jb20wggEi
+MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCt1LHQOza9tkKxwGL+/yKi/Fe5
+HM0sjvcM4ic1XVrvpewa4P/04IzGSjIGO3CXaSArxQMSzsTt2dcO9tSJ1Zk8c9NZ
+XM8eVqx92iTMEf9OQcubWpzWmrPc3TAFhbVnfEmCptsXEgtxbAIbntrNeDk/hBPd
+l4DYFYRdm3ZTk4JMIf/quDZe5Oti53J0UsxWXSSoqKyPNdb671Q+OTQfSDj7kVF4
++Ri3FIeAV16d2UnpBW1bgNqA5yITRskHE4bX98HDNHUTHioHpgA+fXfejWkGB/0F
+QN4HbZcysYHhf1L5cWBtz9w5J00YmjM5fzWvTc3UUF9ou7m7JE4aqEbNOWb9AgMB
+AAGjggHOMIIByjAMBgNVHRMBAf8EAjAAMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUE
+FjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwLQYDVR0RBCYwJIIidmFsaWQuc2ZpLmNh
+dGVzdC5zdGFyZmllbGR0ZWNoLmNvbTAdBgNVHQ4EFgQUcO+QEqZcHphPW9szww9t
+y+1AGmQwHwYDVR0jBBgwFoAUSUtSJ9EbvPKhIWpie1FCeorX1VYwOAYDVR0fBDEw
+LzAtoCugKYYnaHR0cDovL2NybC5zdGFyZmllbGR0ZWNoLmNvbS9zZnMzLTAuY3Js
+MIGNBggrBgEFBQcBAQSBgDB+MCoGCCsGAQUFBzABhh5odHRwOi8vb2NzcC5zdGFy
+ZmllbGR0ZWNoLmNvbS8wUAYIKwYBBQUHMAKGRGh0dHA6Ly9jZXJ0aWZpY2F0ZXMu
+c3RhcmZpZWxkdGVjaC5jb20vcmVwb3NpdG9yeS9zZl9pbnRlcm1lZGlhdGUuY3J0
+MFIGA1UdIARLMEkwRwYLYIZIAYb9bgEHFwMwODA2BggrBgEFBQcCARYqaHR0cDov
+L2NlcnRzLnN0YXJmaWVsZHRlY2guY29tL3JlcG9zaXRvcnkvMA0GCSqGSIb3DQEB
+BQUAA4IBAQAViYkLUjQkxWRmZl4DutL0/9/wJSURcJ1qunLP+TImJFp0A9RE/MNK
+ZOmQoAEoH6hMg7FL4etkvTcnruTdcx+3mvqYiECUiUEx6pkx3dmkYgZACEuk2nfy
+J0MkV/zwzqmI8aV+kunpOQv93aePZbrBgaAzkE8jDlExtd7c4pE7JF40jxmvDwjZ
+HwpyNDULreGtFBij7JcWJCfihM3uetqrao0kOoeih1PQyJXtz2RldhFYs6Jdk3IL
+Yv+84t5UMO+aS9nVBXIcbgaGjIMZjHDgR/tE9FKFB66k8UTDzAwwEs38VV24zx6h
+lOzTF7xAUxmPUnNb2teatMf2Rmj0fs+d
+-----END CERTIFICATE-----
+';
+
+$parsed_cert = openssl_x509_parse($pem_cert);
+var_dump($parsed_cert['validFrom_time_t']);
+var_dump($parsed_cert['validTo_time_t']);
+?>
+--EXPECTF--
+int(1389052800)
+int(1459494000)