From 98736e8bbd25702b95323930bbb80ce84fe2f36f Mon Sep 17 00:00:00 2001
From: Jakub Zelenka
Date: Sun, 2 Jun 2024 16:09:41 +0100
Subject: [PATCH] Fix GH-13343: openssl_x509_parse should not allow omitted seconds in UTCTimes
Closes GH-14439
Signed-off-by: Jakub Zelenka
---
 NEWS | 2 +
 UPGRADING | 3 +
 ext/openssl/openssl.c | 12 ++--
 ext/openssl/tests/gh13343.phpt | 56 +++++++++++++++++++
 .../{bug74341.phpt => gh13343_openssl33.phpt} | 13 +++--
 5 files changed, 72 insertions(+), 14 deletions(-)
 create mode 100644 ext/openssl/tests/gh13343.phpt
 rename ext/openssl/tests/{bug74341.phpt => gh13343_openssl33.phpt} (90%)
diff --git a/NEWS b/NEWS
index e2cf902265b..e2bcc21e002 100644
--- a/NEWS
+++ b/NEWS
@@ -143,6 +143,8 @@ PHP NEWS
 . Added compile-time option --with-openssl-legacy-provider to enable legacy provider. (Adam Saponara)
 . Added support for Curve25519 + Curve448 based keys. (Manuel Mausz)
+ . Fixed bug GH-13343 (openssl_x509_parse should not allow omitted seconds in
+ UTCTimes). (Jakub Zelenka)
 - Output:
 . Clear output handler status flags during handler initialization. (haszi)
diff --git a/UPGRADING b/UPGRADING
index 69e645abfb8..73dea4f4d33 100644
--- a/UPGRADING
+++ b/UPGRADING
@@ -426,6 +426,9 @@ PHP 8.4 UPGRADE NOTES
 a single entry.
 . New serial_hex parameter added to openssl_csr_sign to allow setting serial number in the hexadecimal format.
+ . Parsing ASN.1 UTCTime by openssl_x509_parse fails if seconds are omitted
+ for OpenSSL version below 3.2 (-1 is returned for such fields). The
+ OpenSSL version 3.3+ does not load such certificates already.
 - ODBC:
 . Parameter $row of odbc_fetch_object(), odbc_fetch_array(), and
diff --git a/ext/openssl/openssl.c b/ext/openssl/openssl.c
index 0e5caada721..0744cdab3f9 100644
--- a/ext/openssl/openssl.c
+++ b/ext/openssl/openssl.c
@@ -760,7 +760,7 @@ static time_t php_openssl_asn1_time_to_time_t(ASN1_UTCTIME * timestr) /* {{{ */
 return (time_t)-1;
 }
- if (timestr_len < 13 && timestr_len != 11) {
+ if (timestr_len < 13) {
 php_error_docref(NULL, E_WARNING, "Unable to parse time string %s correctly", timestr->data);
 return (time_t)-1;
 }
@@ -778,13 +778,9 @@ static time_t php_openssl_asn1_time_to_time_t(ASN1_UTCTIME * timestr) /* {{{ */
 thestr = strbuf + timestr_len - 3;
- if (timestr_len == 11) {
- thetime.tm_sec = 0;
- } else {
- thetime.tm_sec = atoi(thestr);
- *thestr = '\0';
- thestr -= 2;
- }
+ thetime.tm_sec = atoi(thestr);
+ *thestr = '\0';
+ thestr -= 2;
 thetime.tm_min = atoi(thestr);
 *thestr = '\0';
 thestr -= 2;
diff --git a/ext/openssl/tests/gh13343.phpt b/ext/openssl/tests/gh13343.phpt
new file mode 100644
index 00000000000..2f6590e04bb
--- /dev/null
+++ b/ext/openssl/tests/gh13343.phpt
@@ -0,0 +1,56 @@
+--TEST--
+GH-13343: openssl_x509_parse should not allow omitted seconds in UTCTimes
+--EXTENSIONS--
+openssl
+--SKIPIF--
+= 0x30300000) die('skip For OpenSSL < 3.3');
+?>
+--FILE--
+
+--EXPECTF--
+
+Warning: openssl_x509_parse(): Unable to parse time string 1401070000Z correctly in %s on line %d
+int(-1)
diff --git a/ext/openssl/tests/bug74341.phpt b/ext/openssl/tests/gh13343_openssl33.phpt
similarity index 90%
rename from ext/openssl/tests/bug74341.phpt
rename to ext/openssl/tests/gh13343_openssl33.phpt
index 27269f473bf..2060708be06 100644
--- a/ext/openssl/tests/bug74341.phpt
+++ b/ext/openssl/tests/gh13343_openssl33.phpt
@@ -1,7 +1,11 @@
 --TEST--
-Bug #74341 (openssl_x509_parse fails to parse ASN.1 UTCTime without seconds)
+GH-13343: openssl_x509_parse should not allow omitted seconds in UTCTimes for OpenSSL 3.3+
 --EXTENSIONS--
 openssl
+--SKIPIF--
+= 3.3');
+?>
 --FILE--
 --EXPECT--
-int(1389052800)
-int(1459494000)
+bool(false)
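Review bot: The tightened guard `if (timestr_len < 13) {` is still only a lower bound, so a UTCTime longer than the 13-byte `YYMMDDHHMMSSZ` form this parser walks — for instance one carrying a `+hhmm`/`-hhmm` offset, 17 bytes — passes the check, and the backwards walk that starts at `timestr_len - 3` in the next hunk then reads offset digits as seconds and minutes and returns a wrong time with no warning. Whether OpenSSL itself lets such a value through depends on the OpenSSL version, as the UPGRADING note in this same patch acknowledges, so the parser should not rely on it; for the UTCTime case the check can be exact, e.g. `if (ASN1_STRING_type(timestr) == V_ASN1_UTCTIME && timestr_len != 13) {` kept next to the existing lower bound, if the same path also serves GeneralizedTime as the generic `< 13` suggests. Nothing in either hunk checks that the final byte is `'Z'` either, which the exact-length check alone would not cover. php_openssl_asn1_time_to_time_t begins before this hunk and continues past it.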
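Review bot: The seconds field added here, `thetime.tm_sec = atoi(thestr);`, converts two bytes that are never checked to be digits; `atoi` returns 0 for non-numeric input and tolerates leading whitespace or a sign, so a 13-byte value with junk in the seconds position (or, via the identical walk below, in any other field) becomes a plausible timestamp instead of the -1 this fix is meant to produce. Validating each pair before converting makes the failure explicit, e.g. `if (!isdigit((unsigned char)thestr[0]) || !isdigit((unsigned char)thestr[1])) { /* warn, release strbuf, return (time_t)-1 */ }` ahead of each `atoi` (with `<ctype.h>` in scope), which could be folded into one small static helper shared by every field. How `strbuf` must be released on that path depends on how it was obtained earlier in the function, which is outside this hunk. The walk itself stays in bounds for a 13-byte string given the length check in the hunk above, assuming nothing between the two hunks moves `thestr`.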