
Improve logging for TLS certificate validity checking.

Actually specify whether the certificate is not yet valid or has expired,
and log the actual time values to hopefully save some head scratching.
ok deraadt@ tb@
OPENBSD_6_5
jsing 5 years ago
parent
commit
37b88a442e
1 changed files with 34 additions and 7 deletions
  1. +34
    -7
      src/usr.sbin/ntpd/constraint.c

+ 34
- 7
src/usr.sbin/ntpd/constraint.c View File

@ -1,4 +1,4 @@
/* $OpenBSD: constraint.c,v 1.41 2019/01/21 11:05:41 jsing Exp $ */
/* $OpenBSD: constraint.c,v 1.42 2019/01/21 11:08:37 jsing Exp $ */
/* /*
* Copyright (c) 2015 Reyk Floeter <reyk@openbsd.org> * Copyright (c) 2015 Reyk Floeter <reyk@openbsd.org>
@ -44,6 +44,9 @@
#include "ntpd.h" #include "ntpd.h"
#define IMF_FIXDATE "%a, %d %h %Y %T GMT"
#define X509_DATE "%Y-%m-%d %T UTC"
int constraint_addr_init(struct constraint *); int constraint_addr_init(struct constraint *);
struct constraint * struct constraint *
constraint_byid(u_int32_t); constraint_byid(u_int32_t);
@ -909,9 +912,11 @@ httpsdate_free(void *arg)
int int
httpsdate_request(struct httpsdate *httpsdate, struct timeval *when) httpsdate_request(struct httpsdate *httpsdate, struct timeval *when)
{ {
char timebuf1[32], timebuf2[32];
size_t outlen = 0, maxlength = CONSTRAINT_MAXHEADERLENGTH, len; size_t outlen = 0, maxlength = CONSTRAINT_MAXHEADERLENGTH, len;
char *line, *p, *buf; char *line, *p, *buf;
time_t httptime;
time_t httptime, notbefore, notafter;
struct tm *tm;
ssize_t ret; ssize_t ret;
if ((httpsdate->tls_ctx = tls_client()) == NULL) if ((httpsdate->tls_ctx = tls_client()) == NULL)
@ -967,7 +972,7 @@ httpsdate_request(struct httpsdate *httpsdate, struct timeval *when)
* or ANSI C's asctime() - the latter doesn't include * or ANSI C's asctime() - the latter doesn't include
* the timezone which is required here. * the timezone which is required here.
*/ */
if (strptime(p, "%a, %d %h %Y %T GMT",
if (strptime(p, IMF_FIXDATE,
&httpsdate->tls_tm) == NULL) { &httpsdate->tls_tm) == NULL) {
log_warnx("unsupported date format"); log_warnx("unsupported date format");
free(line); free(line);
@ -985,12 +990,34 @@ httpsdate_request(struct httpsdate *httpsdate, struct timeval *when)
* TLS handshake, based on the time specified by the server's HTTP Date: * TLS handshake, based on the time specified by the server's HTTP Date:
* header. * header.
*/ */
notbefore = tls_peer_cert_notbefore(httpsdate->tls_ctx);
notafter = tls_peer_cert_notafter(httpsdate->tls_ctx);
if ((httptime = timegm(&httpsdate->tls_tm)) == -1) if ((httptime = timegm(&httpsdate->tls_tm)) == -1)
goto fail; goto fail;
if (httptime <= tls_peer_cert_notbefore(httpsdate->tls_ctx) ||
httptime >= tls_peer_cert_notafter(httpsdate->tls_ctx)) {
log_warnx("tls certificate invalid: %s (%s):",
httpsdate->tls_addr, httpsdate->tls_hostname);
if (httptime <= notbefore) {
if ((tm = gmtime(&notbefore)) == NULL)
goto fail;
if (strftime(timebuf1, sizeof(timebuf1), X509_DATE, tm) == 0)
goto fail;
if (strftime(timebuf2, sizeof(timebuf2), X509_DATE,
&httpsdate->tls_tm) == 0)
goto fail;
log_warnx("tls certificate not yet valid: %s (%s): "
"not before %s, now %s", httpsdate->tls_addr,
httpsdate->tls_hostname, timebuf1, timebuf2);
goto fail;
}
if (httptime >= notafter) {
if ((tm = gmtime(&notafter)) == NULL)
goto fail;
if (strftime(timebuf1, sizeof(timebuf1), X509_DATE, tm) == 0)
goto fail;
if (strftime(timebuf2, sizeof(timebuf2), X509_DATE,
&httpsdate->tls_tm) == 0)
goto fail;
log_warnx("tls certificate expired: %s (%s): "
"not after %s, now %s", httpsdate->tls_addr,
httpsdate->tls_hostname, timebuf1, timebuf2);
goto fail; goto fail;
} }
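Review bot: In the two new branches of the last hunk, a failing gmtime() or strftime() jumps to fail before any log_warnx() runs, so the one case this commit is meant to explain (certificate outside its validity window) can now terminate the request with no diagnostic at all, whereas the removed lines always logged "tls certificate invalid" first. Emitting the short form before attempting to format, e.g. `log_warnx("tls certificate not yet valid: %s (%s)", httpsdate->tls_addr, httpsdate->tls_hostname);` ahead of the gmtime() call (and the "expired" equivalent in the second branch), keeps the guarantee that an invalid certificate is always logged, with the detailed line adding the times when formatting succeeds. The two branches are otherwise identical apart from the bound and the message, so the gmtime/strftime pair is a candidate for one small static helper taking the time_t and the output buffer. Presumably tls_peer_cert_notbefore()/tls_peer_cert_notafter() return -1 when no peer certificate is available; if that can happen here, `httptime >= notafter` would hold for -1 and log "expired" with a 1969 date, so a `notbefore == -1 || notafter == -1` check before the comparisons may be worth confirming. httpsdate_request() begins in an earlier hunk and its body continues past this one.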

