authorJoel Sing <jsing@cvs.openbsd.org>2019-01-21 11:08:38 +0000
committerJoel Sing <jsing@cvs.openbsd.org>2019-01-21 11:08:38 +0000
commit04dd025545634f79d42dc66e3600b9a3323f37c5 (patch)
tree477f4e2fc09114766cfb329fad01b2868bbe16ea /usr.sbin/ntpd
parentfc399486e9b1cefa07f9ee2da5d516574a9b0575 (diff)
Improve logging for TLS certificate validity checking.
Actually specify whether the certificate is not yet valid or has expired, and log the actual time values to hopefully save some head scratching. ok deraadt@ tb@
Diffstat (limited to 'usr.sbin/ntpd')
-rw-r--r--usr.sbin/ntpd/constraint.c41
1 files changed, 34 insertions, 7 deletions
diff --git a/usr.sbin/ntpd/constraint.c b/usr.sbin/ntpd/constraint.c
index 48704dd2be7..841a28829d2 100644
--- a/usr.sbin/ntpd/constraint.c
+++ b/usr.sbin/ntpd/constraint.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: constraint.c,v 1.41 2019/01/21 11:05:41 jsing Exp $ */
+/* $OpenBSD: constraint.c,v 1.42 2019/01/21 11:08:37 jsing Exp $ */
/*
* Copyright (c) 2015 Reyk Floeter <reyk@openbsd.org>
@@ -44,6 +44,9 @@
#include "ntpd.h"
+#define IMF_FIXDATE "%a, %d %h %Y %T GMT"
+#define X509_DATE "%Y-%m-%d %T UTC"
+
int constraint_addr_init(struct constraint *);
struct constraint *
constraint_byid(u_int32_t);
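Review bot: The two format macros added at `+#define IMF_FIXDATE` and `+#define X509_DATE` carry no comment saying which layout each encodes or where it is consumed, and the name X509_DATE reads as if it were the certificate's own time encoding when it is only a strftime(3) layout for log output. A one-line comment on each would settle that for the next reader, e.g. `/* HTTP Date: header layout (RFC 7231 IMF-fixdate), parsed with strptime() */` above IMF_FIXDATE and `/* UTC layout used only when logging certificate validity bounds */` above X509_DATE. Both uses are visible in the later hunks of this commit.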
@@ -909,9 +912,11 @@ httpsdate_free(void *arg)
int
httpsdate_request(struct httpsdate *httpsdate, struct timeval *when)
{
+ char timebuf1[32], timebuf2[32];
size_t outlen = 0, maxlength = CONSTRAINT_MAXHEADERLENGTH, len;
char *line, *p, *buf;
- time_t httptime;
+ time_t httptime, notbefore, notafter;
+ struct tm *tm;
ssize_t ret;
if ((httpsdate->tls_ctx = tls_client()) == NULL)
@@ -967,7 +972,7 @@ httpsdate_request(struct httpsdate *httpsdate, struct timeval *when)
* or ANSI C's asctime() - the latter doesn't include
* the timezone which is required here.
*/
- if (strptime(p, "%a, %d %h %Y %T GMT",
+ if (strptime(p, IMF_FIXDATE,
&httpsdate->tls_tm) == NULL) {
log_warnx("unsupported date format");
free(line);
@@ -985,12 +990,34 @@ httpsdate_request(struct httpsdate *httpsdate, struct timeval *when)
* TLS handshake, based on the time specified by the server's HTTP Date:
* header.
*/
+ notbefore = tls_peer_cert_notbefore(httpsdate->tls_ctx);
+ notafter = tls_peer_cert_notafter(httpsdate->tls_ctx);
if ((httptime = timegm(&httpsdate->tls_tm)) == -1)
goto fail;
- if (httptime <= tls_peer_cert_notbefore(httpsdate->tls_ctx) ||
- httptime >= tls_peer_cert_notafter(httpsdate->tls_ctx)) {
- log_warnx("tls certificate invalid: %s (%s):",
- httpsdate->tls_addr, httpsdate->tls_hostname);
+ if (httptime <= notbefore) {
+ if ((tm = gmtime(&notbefore)) == NULL)
+ goto fail;
+ if (strftime(timebuf1, sizeof(timebuf1), X509_DATE, tm) == 0)
+ goto fail;
+ if (strftime(timebuf2, sizeof(timebuf2), X509_DATE,
+ &httpsdate->tls_tm) == 0)
+ goto fail;
+ log_warnx("tls certificate not yet valid: %s (%s): "
+ "not before %s, now %s", httpsdate->tls_addr,
+ httpsdate->tls_hostname, timebuf1, timebuf2);
+ goto fail;
+ }
+ if (httptime >= notafter) {
+ if ((tm = gmtime(&notafter)) == NULL)
+ goto fail;
+ if (strftime(timebuf1, sizeof(timebuf1), X509_DATE, tm) == 0)
+ goto fail;
+ if (strftime(timebuf2, sizeof(timebuf2), X509_DATE,
+ &httpsdate->tls_tm) == 0)
+ goto fail;
+ log_warnx("tls certificate expired: %s (%s): "
+ "not after %s, now %s", httpsdate->tls_addr,
+ httpsdate->tls_hostname, timebuf1, timebuf2);
goto fail;
}
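Review bot: The new comparisons at `if (httptime <= notbefore)` and `if (httptime >= notafter)` do not distinguish a genuine validity bound from the -1 that tls_peer_cert_notbefore(3) and tls_peer_cert_notafter(3) are documented to return on failure, so a failed notafter lookup is reported as an expiry "not after 1969-12-31 23:59:59 UTC", which is the kind of misleading message this commit sets out to remove. Rejecting the connection is still the right outcome, but it should be reported as a lookup failure before the two checks, e.g. `if (notbefore == -1 || notafter == -1) { log_warnx("tls certificate validity unavailable: %s (%s)", httpsdate->tls_addr, httpsdate->tls_hostname); goto fail; }`. The two branches also repeat the same gmtime/strftime/log_warnx sequence and could share a small static helper taking the boundary time and the message text, and gmtime_r(3) into a local struct tm would avoid depending on the static buffer gmtime(3) returns. httpsdate_request begins before this hunk and its fail label lies outside it.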