bugzilla-daemon at mindrot.org
2021-Jul-02 04:00 UTC
[Bug 3329] New: Certificate validity dates greater than 32bit are truncated to 2038-01-19T03:14:07
https://bugzilla.mindrot.org/show_bug.cgi?id=3329

            Bug ID: 3329
           Summary: Certificate validity dates greater than 32bit are
                    truncated to 2038-01-19T03:14:07
           Product: Portable OpenSSH
           Version: 8.4p1
          Hardware: All
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P5
         Component: ssh-keygen
          Assignee: unassigned-bugs at mindrot.org
          Reporter: anthony at ajmartinez.com
                CC: dtucker at dtucker.net
            Blocks: 3302
Attachment #3531 is obsolete: 1

Validity dates beyond the 32-bit limit are truncated to the edge when certificates are created.

Example from 8.4p1:

    [user@disp8853 ~]$ ssh-keygen -t ecdsa -N "" -q -f ca
    [user@disp8853 ~]$ ssh-keygen -t ecdsa -N "" -q -f user
    [user@disp8853 ~]$ ssh-keygen -s ca -I bug-report -z 911 -n 32bitdates -V always:20390101 user.pub
    Signed user key user-cert.pub: id "bug-report" serial 911 for 32bitdates valid before 2038-01-19T03:14:07
    [user@disp8853 ~]$ ssh -V
    OpenSSH_8.4p1, OpenSSL 1.1.1k FIPS 25 Mar 2021

This has been observed in several versions from 7.x to 8.x on x86_64 (Windows and Linux), and armv7 (Linux).

--- Comment #1 from Darren Tucker <dtucker at dtucker.net> ---
It looks like the cert validity is fine, it's the formatting function that has the limit:

    if (cert->valid_after != 0) {
            /* XXX revisit INT_MAX in 2038 :) */
            tt = cert->valid_after > INT_MAX ?
                INT_MAX : cert->valid_after;
            tm = localtime(&tt);
            strftime(from, sizeof(from), "%Y-%m-%dT%H:%M:%S", tm);
    }

Unfortunately there's no TIME_T_MAX, and while we can figure out how big time_t is, there's nothing specifying whether it's signed or unsigned.

Anyway, there's a format_absolute_time in misc.c; we should factor these out of sshkey.c and fix it in format_absolute_time.
--- Comment #2 from Darren Tucker <dtucker at dtucker.net> ---
Created attachment 3531
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3531&action=edit
allow formatting dates >INT_MAX

This patch ought to fix it on platforms with 64bit time_t, although it'll also require some work in configure to be correct on other systems.

--- Comment #3 from Darren Tucker <dtucker at dtucker.net> ---
Created attachment 3532
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3532&action=edit
allow formatting dates >INT_MAX

Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=3302
[Bug 3302] Tracking bug for openssh-8.7

--
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.
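The clamp quoted in comment #1, next to a range-checked formatter, as an added example (not code from OpenSSH or from this thread). format_clamped, format_checked and the sample values are assumptions made here; gmtime() replaces localtime() so the output does not depend on the local time zone, and the 2039 result assumes a 64-bit time_t.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

#define TS_FMT "%Y-%m-%dT%H:%M:%S"

/* Clamp as quoted in comment #1: values above INT_MAX print as INT_MAX. */
static int
format_clamped(uint64_t ts, char *buf, size_t len)
{
	time_t tt = ts > INT_MAX ? INT_MAX : (time_t)ts;
	struct tm *tm = gmtime(&tt);
	return (tm == NULL || strftime(buf, len, TS_FMT, tm) == 0) ? -1 : 0;
}

/*
 * Hypothetical alternative (not the OpenSSH fix): round-trip the value
 * through time_t, which needs no TIME_T_MAX and works whether time_t is
 * signed or unsigned, and report failure instead of showing a wrong date.
 */
static int
format_checked(uint64_t ts, char *buf, size_t len)
{
	time_t tt = (time_t)ts;
	struct tm *tm;
	if (tt < 0 || (uint64_t)tt != ts)
		return -1;	/* not representable in this platform's time_t */
	if ((tm = gmtime(&tt)) == NULL)
		return -1;	/* year does not fit in struct tm */
	return strftime(buf, len, TS_FMT, tm) == 0 ? -1 : 0;
}

int
main(void)
{
	/* Constructed samples: 2039-01-01T00:00:00Z and the largest uint64. */
	const uint64_t samples[] = { 2177452800ULL, UINT64_MAX };
	char a[32], b[32];
	for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
		if (format_clamped(samples[i], a, sizeof(a)) != 0)
			strcpy(a, "error");
		if (format_checked(samples[i], b, sizeof(b)) != 0)
			strcpy(b, "unrepresentable");
		printf("%llu clamped=%s checked=%s\n", (unsigned long long)samples[i], a, b);
	}
	return 0;
}
```

Returning an error for an unrepresentable value keeps a tool from displaying an expiry date that differs from the one stored in the certificate.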
bugzilla-daemon at mindrot.org
2021-Jul-02 06:35 UTC
[Bug 3329] Certificate validity dates greater than 32bit are truncated to 2038-01-19T03:14:07
https://bugzilla.mindrot.org/show_bug.cgi?id=3329

--- Comment #4 from Anthony J. Martinez <anthony at ajmartinez.com> ---
That makes a lot more sense. I'm not a C programmer by any means, but I saw uint64 in the cert creation code and the protocol spec and was baffled by this output from ssh-keygen.

Thanks for finding the root cause!
bugzilla-daemon at mindrot.org
2021-Jul-13 01:07 UTC
[Bug 3329] Certificate validity dates greater than 32bit are truncated to 2038-01-19T03:14:07
https://bugzilla.mindrot.org/show_bug.cgi?id=3329

Darren Tucker <dtucker at dtucker.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|NEW                         |RESOLVED

--- Comment #5 from Darren Tucker <dtucker at dtucker.net> ---
The fixes have gone in and will be in the next major release. Thanks for the report.

https://github.com/openssh/openssh-portable/commit/6c29b387cd64a57b0ec8ae7d2c8d02789d88fcc3
and
https://github.com/openssh/openssh-portable/commit/f5fc6a4c3404bbf65c21ca6361853b33d78aa87e
bugzilla-daemon at mindrot.org
2022-Feb-25 02:57 UTC
[Bug 3329] Certificate validity dates greater than 32bit are truncated to 2038-01-19T03:14:07
https://bugzilla.mindrot.org/show_bug.cgi?id=3329

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #6 from Damien Miller <djm at mindrot.org> ---
closing bugs resolved before openssh-8.9