Improve logging for TLS certificate validity checking.

Actually specify whether the certificate is not yet valid or has expired, and log the actual time values to hopefully save some head scratching. ok deraadt@ tb@
5 years ago · 37b88a442e
--- a/src/usr.sbin/ntpd/constraint.c
+++ b/src/usr.sbin/ntpd/constraint.c
@ -1,4 +1,4 @@
 /*	$OpenBSD: constraint.c,v 1.41 2019/01/21 11:05:41 jsing Exp $	*/
 /*	$OpenBSD: constraint.c,v 1.42 2019/01/21 11:08:37 jsing Exp $	*/

 /*
 * Copyright (c) 2015 Reyk Floeter <reyk@openbsd.org>
@ -44,6 +44,9 @@

 #include "ntpd.h"

 #define	IMF_FIXDATE	"%a, %d %h %Y %T GMT"
 #define	X509_DATE	"%Y-%m-%d %T UTC"

 int	 constraint_addr_init(struct constraint *);
 struct constraint *
 	 constraint_byid(u_int32_t);
@ -909,9 +912,11 @@ httpsdate_free(void *arg)
 int
 httpsdate_request(struct httpsdate *httpsdate, struct timeval *when)
 {
 	char	 timebuf1[32], timebuf2[32];
 	size_t	 outlen = 0, maxlength = CONSTRAINT_MAXHEADERLENGTH, len;
 	char	*line, *p, *buf;
 	time_t	 httptime;
 	time_t	 httptime, notbefore, notafter;
 	struct tm *tm;
 	ssize_t	 ret;

 	if ((httpsdate->tls_ctx = tls_client()) == NULL)
@ -967,7 +972,7 @@ httpsdate_request(struct httpsdate *httpsdate, struct timeval *when)
 		 * or ANSI C's asctime() - the latter doesn't include
 		 * the timezone which is required here.
 		 */
 		if (strptime(p, "%a, %d %h %Y %T GMT",
 		if (strptime(p, IMF_FIXDATE,
 		    &httpsdate->tls_tm) == NULL) {
 			log_warnx("unsupported date format");
 			free(line);
@ -985,12 +990,34 @@ httpsdate_request(struct httpsdate *httpsdate, struct timeval *when)
 	 * TLS handshake, based on the time specified by the server's HTTP Date:
 	 * header.
 	 */
 	notbefore = tls_peer_cert_notbefore(httpsdate->tls_ctx);
 	notafter = tls_peer_cert_notafter(httpsdate->tls_ctx);
 	if ((httptime = timegm(&httpsdate->tls_tm)) == -1)
 		goto fail;
 	if (httptime <= tls_peer_cert_notbefore(httpsdate->tls_ctx) ||
 	    httptime >= tls_peer_cert_notafter(httpsdate->tls_ctx)) {
 		log_warnx("tls certificate invalid: %s (%s):",
 		    httpsdate->tls_addr, httpsdate->tls_hostname);
 	if (httptime <= notbefore) {
 		if ((tm = gmtime(&notbefore)) == NULL)
 			goto fail;
 		if (strftime(timebuf1, sizeof(timebuf1), X509_DATE, tm) == 0)
 			goto fail;
 		if (strftime(timebuf2, sizeof(timebuf2), X509_DATE,
 		    &httpsdate->tls_tm) == 0)
 			goto fail;
 		log_warnx("tls certificate not yet valid: %s (%s): "
 		    "not before %s, now %s", httpsdate->tls_addr,
 		    httpsdate->tls_hostname, timebuf1, timebuf2);
 		goto fail;
 	}
 	if (httptime >= notafter) {
 		if ((tm = gmtime(&notafter)) == NULL)
 			goto fail;
 		if (strftime(timebuf1, sizeof(timebuf1), X509_DATE, tm) == 0)
 			goto fail;
 		if (strftime(timebuf2, sizeof(timebuf2), X509_DATE,
 		    &httpsdate->tls_tm) == 0)
 			goto fail;
 		log_warnx("tls certificate expired: %s (%s): "
 		    "not after %s, now %s", httpsdate->tls_addr,
 		    httpsdate->tls_hostname, timebuf1, timebuf2);
 		goto fail;
 	}