Browse Source

Improve logging for TLS certificate validity checking.

Actually specify whether the certificate is not yet valid or has expired,
and log the actual time values to hopefully save some head scratching.
ok deraadt@ tb@
OPENBSD_6_5
jsing 5 years ago
parent
commit
37b88a442e
1 changed files with 34 additions and 7 deletions
  1. +34
    -7
      src/usr.sbin/ntpd/constraint.c

+ 34
- 7
src/usr.sbin/ntpd/constraint.c View File

@ -1,4 +1,4 @@
/* $OpenBSD: constraint.c,v 1.41 2019/01/21 11:05:41 jsing Exp $ */
/* $OpenBSD: constraint.c,v 1.42 2019/01/21 11:08:37 jsing Exp $ */
/*
* Copyright (c) 2015 Reyk Floeter <reyk@openbsd.org>
@ -44,6 +44,9 @@
#include "ntpd.h"
#define IMF_FIXDATE "%a, %d %h %Y %T GMT"
#define X509_DATE "%Y-%m-%d %T UTC"
int constraint_addr_init(struct constraint *);
struct constraint *
constraint_byid(u_int32_t);
@ -909,9 +912,11 @@ httpsdate_free(void *arg)
int
httpsdate_request(struct httpsdate *httpsdate, struct timeval *when)
{
char timebuf1[32], timebuf2[32];
size_t outlen = 0, maxlength = CONSTRAINT_MAXHEADERLENGTH, len;
char *line, *p, *buf;
time_t httptime;
time_t httptime, notbefore, notafter;
struct tm *tm;
ssize_t ret;
if ((httpsdate->tls_ctx = tls_client()) == NULL)
@ -967,7 +972,7 @@ httpsdate_request(struct httpsdate *httpsdate, struct timeval *when)
* or ANSI C's asctime() - the latter doesn't include
* the timezone which is required here.
*/
if (strptime(p, "%a, %d %h %Y %T GMT",
if (strptime(p, IMF_FIXDATE,
&httpsdate->tls_tm) == NULL) {
log_warnx("unsupported date format");
free(line);
@ -985,12 +990,34 @@ httpsdate_request(struct httpsdate *httpsdate, struct timeval *when)
* TLS handshake, based on the time specified by the server's HTTP Date:
* header.
*/
notbefore = tls_peer_cert_notbefore(httpsdate->tls_ctx);
notafter = tls_peer_cert_notafter(httpsdate->tls_ctx);
if ((httptime = timegm(&httpsdate->tls_tm)) == -1)
goto fail;
if (httptime <= tls_peer_cert_notbefore(httpsdate->tls_ctx) ||
httptime >= tls_peer_cert_notafter(httpsdate->tls_ctx)) {
log_warnx("tls certificate invalid: %s (%s):",
httpsdate->tls_addr, httpsdate->tls_hostname);
if (httptime <= notbefore) {
if ((tm = gmtime(&notbefore)) == NULL)
goto fail;
if (strftime(timebuf1, sizeof(timebuf1), X509_DATE, tm) == 0)
goto fail;
if (strftime(timebuf2, sizeof(timebuf2), X509_DATE,
&httpsdate->tls_tm) == 0)
goto fail;
log_warnx("tls certificate not yet valid: %s (%s): "
"not before %s, now %s", httpsdate->tls_addr,
httpsdate->tls_hostname, timebuf1, timebuf2);
goto fail;
}
if (httptime >= notafter) {
if ((tm = gmtime(&notafter)) == NULL)
goto fail;
if (strftime(timebuf1, sizeof(timebuf1), X509_DATE, tm) == 0)
goto fail;
if (strftime(timebuf2, sizeof(timebuf2), X509_DATE,
&httpsdate->tls_tm) == 0)
goto fail;
log_warnx("tls certificate expired: %s (%s): "
"not after %s, now %s", httpsdate->tls_addr,
httpsdate->tls_hostname, timebuf1, timebuf2);
goto fail;
}


Loading…
Cancel
Save