From: Paul Oehler <poehler@interworx.com>
Date: Tue, 13 May 2014 17:38:25 +0000 (-0400)
Subject: Added support for parsing ssl certificates using GeneralizedTime format.
X-Git-Tag: PRE_PHPNG_MERGE~228^2
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=f1480260178376d3128e7dd49db70ecf843be27d;p=php

Added support for parsing ssl certificates using GeneralizedTime format.

fix bug #65698
fix bug #66636
---

diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c
index 4f8f4b7334..94d64744df 100755
--- a/ext/openssl/openssl.c
+++ b/ext/openssl/openssl.c
@@ -708,7 +708,7 @@ static time_t asn1_time_to_time_t(ASN1_UTCTIME * timestr TSRMLS_DC) /* {{{ */
 	char * thestr;
 	long gmadjust = 0;
 
-	if (ASN1_STRING_type(timestr) != V_ASN1_UTCTIME) {
+	if (ASN1_STRING_type(timestr) != V_ASN1_UTCTIME && ASN1_STRING_type(timestr) != V_ASN1_GENERALIZEDTIME) {
 		php_error_docref(NULL TSRMLS_CC, E_WARNING, "illegal ASN1 data type for timestamp");
 		return (time_t)-1;
 	}
@@ -744,14 +744,21 @@ static time_t asn1_time_to_time_t(ASN1_UTCTIME * timestr TSRMLS_DC) /* {{{ */
 	*thestr = '\0';
 	thestr -= 2;
 	thetime.tm_mon = atoi(thestr)-1;
+
 	*thestr = '\0';
-	thestr -= 2;
-	thetime.tm_year = atoi(thestr);
+	if( ASN1_STRING_type(timestr) == V_ASN1_UTCTIME ) {
+		thestr -= 2;
+		thetime.tm_year = atoi(thestr);
 
-	if (thetime.tm_year < 68) {
-		thetime.tm_year += 100;
+		if (thetime.tm_year < 68) {
+			thetime.tm_year += 100;
+		}
+	} else if( ASN1_STRING_type(timestr) == V_ASN1_GENERALIZEDTIME ) {
+		thestr -= 4;
+		thetime.tm_year = atoi(thestr) - 1900;
 	}
 
+
 	thetime.tm_isdst = -1;
 	ret = mktime(&thetime);
 
diff --git a/ext/openssl/tests/bug65698.crt b/ext/openssl/tests/bug65698.crt
new file mode 100644
index 0000000000..c4a0261138
--- /dev/null
+++ b/ext/openssl/tests/bug65698.crt
@@ -0,0 +1,28 @@
+-----BEGIN CERTIFICATE-----
+MIIEsTCCA5mgAwIBAgIQdwrGwrpRpBwdXS+ZsmsMGjANBgkqhkiG9w0BAQUFADA+
+MQswCQYDVQQGEwJQTDEbMBkGA1UEChMSVW5pemV0byBTcC4geiBvLm8uMRIwEAYD
+VQQDEwlDZXJ0dW0gQ0EwIhgPMjAwOTAzMDMxMjUzMThaGA8yMDI0MDMwMzEyNTMx
+OFowdzELMAkGA1UEBhMCUEwxIjAgBgNVBAoTGVVuaXpldG8gVGVjaG5vbG9naWVz
+IFMuQS4xJzAlBgNVBAsTHkNlcnR1bSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTEb
+MBkGA1UEAxMSQ2VydHVtIExldmVsIElJIENBMIIBIjANBgkqhkiG9w0BAQEFAAOC
+AQ8AMIIBCgKCAQEA4LE0Ixw8h5Lper9tHVtZkWIujxYsPVgUZABeZZgQsKTdJjaG
+VP64B/oiEV5Hd3AxRqaZ7dRRsf4Pg/PSS/2mHRQQ/SH3XACbrDHmucDvYgtU/WoZ
+yp9d6PXVPY4j7J5t/52s+EbZD5swSuQLGjZ9iwg9sXX3JdJ9Ty+B3z80oiajpK0B
+wqAxrcX3DekEOknj7LkAOK6iuQKI85REj4IVb9kD7KKIWdISGbfL4Ezh/TP51e0L
+/WhTJ7lHbHbRzFfPU/oi3Qyt5tEexrPKe+6N+Jrejdb5Ya7Ne3tKujDU7KlbO+dn
+pzFH7VHkBPJcQJ7QUrprPaqVsVg3JJ1PXTqVnwIDAQABo4IBbDCCAWgwDwYDVR0T
+AQH/BAUwAwEB/zAdBgNVHQ4EFgQUgGIR3sBrpxDhCPBVtDCDv/qPCGAwUgYDVR0j
+BEswSaFCpEAwPjELMAkGA1UEBhMCUEwxGzAZBgNVBAoTElVuaXpldG8gU3AuIHog
+by5vLjESMBAGA1UEAxMJQ2VydHVtIENBggMBACAwDgYDVR0PAQH/BAQDAgEGMCwG
+A1UdHwQlMCMwIaAfoB2GG2h0dHA6Ly9jcmwuY2VydHVtLnBsL2NhLmNybDBoBggr
+BgEFBQcBAQRcMFowKAYIKwYBBQUHMAGGHGh0dHA6Ly9zdWJjYS5vY3NwLWNlcnR1
+bS5jb20wLgYIKwYBBQUHMAKGImh0dHA6Ly9yZXBvc2l0b3J5LmNlcnR1bS5wbC9j
+YS5jZXIwOgYDVR0gBDMwMTAvBgRVHSAAMCcwJQYIKwYBBQUHAgEWGWh0dHBzOi8v
+d3d3LmNlcnR1bS5wbC9DUFMwDQYJKoZIhvcNAQEFBQADggEBAI/jSDAW/w9qLzF6
+4oQiIRB7dGKp2Nlj27xZFYDBRINn4DKyZExkpanASF2of9eEzvrS+qoDY29mhXCi
+MkiGr0vCsVhn0ReUpjg4Z5SsiQhZ2BGSjXiOJgaDI7Dw1MH7Ru6jdfSbLyd97EFj
+ER0ERGdrcA2kLw7KfQm78IkClXEEKjKnAUTn1d/5Y4UuBWDCEL0FLgO9AqNXEzIy
+rlXVGIs73kdefAK+Z1T6dm83vUrDMyzemWNRBI2tVBujkN6zkaF6uPjE4hfoIkEQ
+Z4317byFkG4mxjATU+tQLG1Bs88HUAOrxtJOo/WoeCNsFJaxbYPt4oQGxIVYdz29
+OUX9CQA=
+-----END CERTIFICATE-----
diff --git a/ext/openssl/tests/bug65698.phpt b/ext/openssl/tests/bug65698.phpt
new file mode 100644
index 0000000000..35d31764d5
--- /dev/null
+++ b/ext/openssl/tests/bug65698.phpt
@@ -0,0 +1,19 @@
+--TEST--
+Bug #65689 (GeneralizedTime format parsing)
+--SKIPIF--
+<?php 
+if (!extension_loaded("openssl")) die("skip"); 
+?>
+--FILE--
+<?php
+$crt = substr(__FILE__, 0, -4).'.crt';
+$info = openssl_x509_parse("file://$crt");
+var_dump($info["validFrom"], $info["validFrom_time_t"], $info["validTo"], $info["validTo_time_t"]);
+?>
+Done
+--EXPECTF--
+string(15) "20090303125318Z"
+int(1236084798)
+string(15) "20240303125318Z"
+int(1709470398)
+Done
diff --git a/ext/openssl/tests/cve-2013-6420.phpt b/ext/openssl/tests/cve-2013-6420.phpt
index 87c0210b2e..ccead0aab6 100644
--- a/ext/openssl/tests/cve-2013-6420.phpt
+++ b/ext/openssl/tests/cve-2013-6420.phpt
@@ -12,7 +12,7 @@ var_dump($info['issuer']['emailAddress'], $info["validFrom_time_t"]);
 ?>
 Done
 --EXPECTF--
-%s openssl_x509_parse(): illegal ASN1 data type for timestamp in %s%ecve-2013-6420.php on line 3
+%s openssl_x509_parse(): illegal length in timestamp in %s%ecve-2013-6420.php on line 3
 string(27) "stefan.esser@sektioneins.de"
 int(-1)
 Done