@ -1,4 +1,4 @@
/* $OpenBSD: constraint.c,v 1.41 2019/01/21 11:05:41 jsing Exp $ */
/* $OpenBSD: constraint.c,v 1.42 2019/01/21 11:08:37 jsing Exp $ */
/*
* Copyright ( c ) 2015 Reyk Floeter < reyk @ openbsd . org >
@ -44,6 +44,9 @@
# include "ntpd.h"
# define IMF_FIXDATE "%a, %d %h %Y %T GMT"
# define X509_DATE "%Y-%m-%d %T UTC"
int constraint_addr_init ( struct constraint * ) ;
struct constraint *
constraint_byid ( u_int32_t ) ;
@ -909,9 +912,11 @@ httpsdate_free(void *arg)
int
httpsdate_request ( struct httpsdate * httpsdate , struct timeval * when )
{
char timebuf1 [ 32 ] , timebuf2 [ 32 ] ;
size_t outlen = 0 , maxlength = CONSTRAINT_MAXHEADERLENGTH , len ;
char * line , * p , * buf ;
time_t httptime ;
time_t httptime , notbefore , notafter ;
struct tm * tm ;
ssize_t ret ;
if ( ( httpsdate - > tls_ctx = tls_client ( ) ) = = NULL )
@ -967,7 +972,7 @@ httpsdate_request(struct httpsdate *httpsdate, struct timeval *when)
* or ANSI C ' s asctime ( ) - the latter doesn ' t include
* the timezone which is required here .
*/
if ( strptime ( p , " %a, %d %h %Y %T GMT " ,
if ( strptime ( p , IMF_FIXDATE ,
& httpsdate - > tls_tm ) = = NULL ) {
log_warnx ( " unsupported date format " ) ;
free ( line ) ;
@ -985,12 +990,34 @@ httpsdate_request(struct httpsdate *httpsdate, struct timeval *when)
* TLS handshake , based on the time specified by the server ' s HTTP Date :
* header .
*/
notbefore = tls_peer_cert_notbefore ( httpsdate - > tls_ctx ) ;
notafter = tls_peer_cert_notafter ( httpsdate - > tls_ctx ) ;
if ( ( httptime = timegm ( & httpsdate - > tls_tm ) ) = = - 1 )
goto fail ;
if ( httptime < = tls_peer_cert_notbefore ( httpsdate - > tls_ctx ) | |
httptime > = tls_peer_cert_notafter ( httpsdate - > tls_ctx ) ) {
log_warnx ( " tls certificate invalid: %s (%s): " ,
httpsdate - > tls_addr , httpsdate - > tls_hostname ) ;
if ( httptime < = notbefore ) {
if ( ( tm = gmtime ( & notbefore ) ) = = NULL )
goto fail ;
if ( strftime ( timebuf1 , sizeof ( timebuf1 ) , X509_DATE , tm ) = = 0 )
goto fail ;
if ( strftime ( timebuf2 , sizeof ( timebuf2 ) , X509_DATE ,
& httpsdate - > tls_tm ) = = 0 )
goto fail ;
log_warnx ( " tls certificate not yet valid: %s (%s): "
" not before %s, now %s " , httpsdate - > tls_addr ,
httpsdate - > tls_hostname , timebuf1 , timebuf2 ) ;
goto fail ;
}
if ( httptime > = notafter ) {
if ( ( tm = gmtime ( & notafter ) ) = = NULL )
goto fail ;
if ( strftime ( timebuf1 , sizeof ( timebuf1 ) , X509_DATE , tm ) = = 0 )
goto fail ;
if ( strftime ( timebuf2 , sizeof ( timebuf2 ) , X509_DATE ,
& httpsdate - > tls_tm ) = = 0 )
goto fail ;
log_warnx ( " tls certificate expired: %s (%s): "
" not after %s, now %s " , httpsdate - > tls_addr ,
httpsdate - > tls_hostname , timebuf1 , timebuf2 ) ;
goto fail ;
}