From 37b88a442e8e9ec47e66d1de21adfc242bfd1589 Mon Sep 17 00:00:00 2001
From: jsing <>
Date: Mon, 21 Jan 2019 11:08:37 +0000
Subject: [PATCH] Improve logging for TLS certificate validity checking.
Actually specify whether the certificate is not yet valid or has expired, and log the actual time values to hopefully save some head scratching. ok deraadt@ tb@
---
 src/usr.sbin/ntpd/constraint.c | 41 ++++++++++++++++++++++++++++------
 1 file changed, 34 insertions(+), 7 deletions(-)
diff --git a/src/usr.sbin/ntpd/constraint.c b/src/usr.sbin/ntpd/constraint.c
index 48704dd2..841a2882 100644
--- a/src/usr.sbin/ntpd/constraint.c
+++ b/src/usr.sbin/ntpd/constraint.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: constraint.c,v 1.41 2019/01/21 11:05:41 jsing Exp $ */
+/* $OpenBSD: constraint.c,v 1.42 2019/01/21 11:08:37 jsing Exp $ */
 /*
  * Copyright (c) 2015 Reyk Floeter
@@ -44,6 +44,9 @@
 #include "ntpd.h"
+#define IMF_FIXDATE "%a, %d %h %Y %T GMT"
+#define X509_DATE "%Y-%m-%d %T UTC"
 int constraint_addr_init(struct constraint *);
 struct constraint *
 constraint_byid(u_int32_t);
@@ -909,9 +912,11 @@ httpsdate_free(void *arg)
 int
 httpsdate_request(struct httpsdate *httpsdate, struct timeval *when)
 {
+	char timebuf1[32], timebuf2[32];
 	size_t outlen = 0, maxlength = CONSTRAINT_MAXHEADERLENGTH, len;
 	char *line, *p, *buf;
-	time_t httptime;
+	time_t httptime, notbefore, notafter;
+	struct tm *tm;
 	ssize_t ret;
 	if ((httpsdate->tls_ctx = tls_client()) == NULL)
@@ -967,7 +972,7 @@ httpsdate_request(struct httpsdate *httpsdate, struct timeval *when)
 	 * or ANSI C's asctime() - the latter doesn't include
 	 * the timezone which is required here.
 	 */
-	if (strptime(p, "%a, %d %h %Y %T GMT",
+	if (strptime(p, IMF_FIXDATE,
 	    &httpsdate->tls_tm) == NULL) {
 		log_warnx("unsupported date format");
 		free(line);
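Review bot: The two new format macros in the -44 hunk carry no comment, and their roles differ (IMF_FIXDATE is a strptime() pattern for the HTTP Date: header, X509_DATE an strftime() pattern used only for log output); a one-liner above each would save the reader a trip to the call sites, e.g. `/* HTTP Date: header, IMF-fixdate form (RFC 7231); parsed with strptime() */` and `/* UTC timestamp form used only in certificate-validity log messages */`. The literal `GMT` in IMF_FIXDATE is deliberate per the existing comment in the -967 hunk about asctime() lacking a timezone, so that reasoning is worth restating next to the macro rather than leaving it a hundred lines away from its definition.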
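Review bot: `struct tm *tm` in the -909 hunk exists only to receive `gmtime()` in the later -985 hunk, and `gmtime()` hands back a pointer into static storage; declaring `struct tm tmbuf;` here and calling `gmtime_r(&notbefore, &tmbuf)` there keeps the converted time in the function's own frame (harmless if this path is single-threaded, but the reentrant form is the defensive default). The `timebuf1[32]`/`timebuf2[32]` sizes are adequate — X509_DATE formats to a fixed 23 characters plus NUL for four-digit years and the `strftime()` return is checked — but nothing ties 32 to the format, so a comment such as `/* large enough for X509_DATE plus NUL */` would record that. `notbefore`/`notafter` are also taken straight from libtls, which to my knowledge reports -1 on error, so an explicit `if (notbefore == -1 || notafter == -1) goto fail;` after the two calls would avoid a misleading "expired ... not after 1969-12-31" log line. httpsdate_request() continues well past this hunk.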
@@ -985,12 +990,34 @@ httpsdate_request(struct httpsdate *httpsdate, struct timeval *when)
 	 * TLS handshake, based on the time specified by the server's HTTP Date:
 	 * header.
 	 */
+	notbefore = tls_peer_cert_notbefore(httpsdate->tls_ctx);
+	notafter = tls_peer_cert_notafter(httpsdate->tls_ctx);
 	if ((httptime = timegm(&httpsdate->tls_tm)) == -1)
 		goto fail;
-	if (httptime <= tls_peer_cert_notbefore(httpsdate->tls_ctx) ||
-	    httptime >= tls_peer_cert_notafter(httpsdate->tls_ctx)) {
-		log_warnx("tls certificate invalid: %s (%s):",
-		    httpsdate->tls_addr, httpsdate->tls_hostname);
+	if (httptime <= notbefore) {
+		if ((tm = gmtime(¬before)) == NULL)
+			goto fail;
+		if (strftime(timebuf1, sizeof(timebuf1), X509_DATE, tm) == 0)
+			goto fail;
+		if (strftime(timebuf2, sizeof(timebuf2), X509_DATE,
+		    &httpsdate->tls_tm) == 0)
+			goto fail;
+		log_warnx("tls certificate not yet valid: %s (%s): "
+		    "not before %s, now %s", httpsdate->tls_addr,
+		    httpsdate->tls_hostname, timebuf1, timebuf2);
+		goto fail;
+	}
+	if (httptime >= notafter) {
+		if ((tm = gmtime(¬after)) == NULL)
+			goto fail;
+		if (strftime(timebuf1, sizeof(timebuf1), X509_DATE, tm) == 0)
+			goto fail;
+		if (strftime(timebuf2, sizeof(timebuf2), X509_DATE,
+		    &httpsdate->tls_tm) == 0)
+			goto fail;
+		log_warnx("tls certificate expired: %s (%s): "
+		    "not after %s, now %s", httpsdate->tls_addr,
+		    httpsdate->tls_hostname, timebuf1, timebuf2);
 		goto fail;
 	}