authorBob Beck <beck@cvs.openbsd.org>2023-04-27 08:37:54 +0000
committerBob Beck <beck@cvs.openbsd.org>2023-04-27 08:37:54 +0000
commit6526bfbd862eb544a723bdcc2c29d30b14583087 (patch)
treecf460df567d62a1c66f44c2fe7e71382f70ceaec /usr.sbin
parent99fc860cfd843f75c9ca3934f01a75cb3aef1fb9 (diff)
Make rpki-client choose the verification time of the time it is invoked
rather than fetching the current system time anew for every certificate verification. This results in output that does not vary with how long the run takes. ok tb@ claudio@
Diffstat (limited to 'usr.sbin')
-rw-r--r--usr.sbin/rpki-client/extern.h4
-rw-r--r--usr.sbin/rpki-client/main.c16
-rw-r--r--usr.sbin/rpki-client/output-bird.c5
-rw-r--r--usr.sbin/rpki-client/parser.c13
-rw-r--r--usr.sbin/rpki-client/validate.c4
5 files changed, 16 insertions, 26 deletions
diff --git a/usr.sbin/rpki-client/extern.h b/usr.sbin/rpki-client/extern.h
index a5a3200b308..4c1217aa975 100644
--- a/usr.sbin/rpki-client/extern.h
+++ b/usr.sbin/rpki-client/extern.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: extern.h,v 1.179 2023/04/26 22:05:28 beck Exp $ */
+/* $OpenBSD: extern.h,v 1.180 2023/04/27 08:37:53 beck Exp $ */
/*
* Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
*
@@ -950,6 +950,6 @@ int mkpathat(int, const char *);
*/
#define X509_TIME_MAX 253402300799LL
#define X509_TIME_MIN -62167219200LL
-extern time_t get_current_time(void);
+extern int64_t evaluation_time;
#endif /* ! EXTERN_H */
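Review bot: The new global `evaluation_time` is declared without any comment on its contract, although it replaces a function and is now read from several files; a one-line comment at the declaration would help, e.g. `/* Instant (seconds since the epoch) at which every certificate, CRL and manifest is evaluated; set once in main(), -P overrides it. */`. It is declared as int64_t while its consumer X509_VERIFY_PARAM_set_time() takes a time_t, so the comment could also state that the value is expected to fit in time_t (true on OpenBSD, where time_t is 64-bit).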
diff --git a/usr.sbin/rpki-client/main.c b/usr.sbin/rpki-client/main.c
index 6cdbc213025..0b899c4aed1 100644
--- a/usr.sbin/rpki-client/main.c
+++ b/usr.sbin/rpki-client/main.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: main.c,v 1.235 2023/04/26 22:05:28 beck Exp $ */
+/* $OpenBSD: main.c,v 1.236 2023/04/27 08:37:53 beck Exp $ */
/*
* Copyright (c) 2021 Claudio Jeker <claudio@openbsd.org>
* Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
@@ -74,7 +74,7 @@ int rrdpon = 1;
int repo_timeout;
time_t deadline;
-int64_t evaluation_time = X509_TIME_MIN;
+int64_t evaluation_time;
struct stats stats;
@@ -126,14 +126,6 @@ entity_free(struct entity *ent)
free(ent);
}
-time_t
-get_current_time(void)
-{
- if (evaluation_time > X509_TIME_MIN)
- return (time_t) evaluation_time;
- return time(NULL);
-}
-
/*
* Read a queue entity from the descriptor.
* Matched by entity_buffer_req().
@@ -973,6 +965,8 @@ main(int argc, char *argv[])
"proc exec unveil", NULL) == -1)
err(1, "pledge");
+ evaluation_time = time(NULL);
+
while ((c = getopt(argc, argv, "Ab:Bcd:e:fH:jmnoP:rRs:S:t:T:vV")) != -1)
switch (c) {
case 'A':
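Review bot: The return value of `time(NULL)` is not checked before it becomes the verification instant for the entire run; on failure it yields (time_t)-1, a valid-looking 1969 timestamp that would silently flag every object as not yet valid rather than aborting. The assignment would be safer as `if ((evaluation_time = time(NULL)) == (time_t)-1) err(1, "time");`. A short comment here would also record the design choice, e.g. `/* Fix the verification instant for the whole run; -P below may override it. */`, since verifying against a snapshot means an object that expires while a long run is still in progress is still accepted. main()'s body extends beyond this hunk.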
@@ -1014,7 +1008,7 @@ main(int argc, char *argv[])
outformats |= FORMAT_OPENBGPD;
break;
case 'P':
- evaluation_time = strtonum(optarg, X509_TIME_MIN + 1,
+ evaluation_time = strtonum(optarg, X509_TIME_MIN,
X509_TIME_MAX, &errs);
if (errs)
errx(1, "-P: time in seconds %s", errs);
diff --git a/usr.sbin/rpki-client/output-bird.c b/usr.sbin/rpki-client/output-bird.c
index 39582912702..22364a56de3 100644
--- a/usr.sbin/rpki-client/output-bird.c
+++ b/usr.sbin/rpki-client/output-bird.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: output-bird.c,v 1.16 2023/04/26 22:05:28 beck Exp $ */
+/* $OpenBSD: output-bird.c,v 1.17 2023/04/27 08:37:53 beck Exp $ */
/*
* Copyright (c) 2019 Claudio Jeker <claudio@openbsd.org>
* Copyright (c) 2020 Robert Scheck <robert@fedoraproject.org>
@@ -84,7 +84,6 @@ output_bird2(FILE *out, struct vrp_tree *vrps, struct brk_tree *brks,
{
extern const char *bird_tablename;
struct vrp *v;
- time_t now = get_current_time();
if (outputheader(out, st) < 0)
return -1;
@@ -92,7 +91,7 @@ output_bird2(FILE *out, struct vrp_tree *vrps, struct brk_tree *brks,
if (fprintf(out, "\ndefine force_roa_table_update = %lld;\n\n"
"roa4 table %s4;\nroa6 table %s6;\n\n"
"protocol static {\n\troa4 { table %s4; };\n\n",
- (long long)now, bird_tablename, bird_tablename,
+ (long long)evaluation_time, bird_tablename, bird_tablename,
bird_tablename) < 0)
return -1;
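Review bot: `force_roa_table_update` is now emitted from `evaluation_time` rather than the wall clock at output time, so when -P pins the evaluation time across runs this define no longer changes between runs. If BIRD relies on a change in this value to notice a refreshed table, as the name suggests, a pinned -P would defeat that; either keep a `time(NULL)` for this define with a comment, or document at this fprintf that the value intentionally tracks the evaluation time. output_bird2()'s body continues beyond this hunk.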
diff --git a/usr.sbin/rpki-client/parser.c b/usr.sbin/rpki-client/parser.c
index 8bcde343d80..4da886e7549 100644
--- a/usr.sbin/rpki-client/parser.c
+++ b/usr.sbin/rpki-client/parser.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: parser.c,v 1.92 2023/04/26 22:05:28 beck Exp $ */
+/* $OpenBSD: parser.c,v 1.93 2023/04/27 08:37:53 beck Exp $ */
/*
* Copyright (c) 2019 Claudio Jeker <claudio@openbsd.org>
* Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
@@ -311,9 +311,6 @@ static struct mft *
proc_parser_mft_post(char *file, struct mft *mft, const char *path,
const char *errstr)
{
- /* check that now is not before from */
- time_t now = get_current_time();
-
if (mft == NULL) {
if (errstr == NULL)
errstr = "no valid mft available";
@@ -321,14 +318,14 @@ proc_parser_mft_post(char *file, struct mft *mft, const char *path,
return NULL;
}
- /* check that now is not before from */
- if (now < mft->thisupdate) {
+ /* check that evaluation_time is not before from */
+ if (evaluation_time < mft->thisupdate) {
warnx("%s: mft not yet valid %s", file,
time2str(mft->thisupdate));
mft->stale = 1;
}
- /* check that now is not after until */
- if (now > mft->nextupdate) {
+ /* check that evaluation_time is not after until */
+ if (evaluation_time > mft->nextupdate) {
warnx("%s: mft expired on %s", file,
time2str(mft->nextupdate));
mft->stale = 1;
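Review bot: The two `if (evaluation_time ...)` checks now depend on a global that must be set by main() before this code runs, and nothing in parser.c records that ordering. If the parser executes in a separate process, as the file layout suggests, it inherits the value at fork time and would not see a later change in the parent, so a comment near the first check would help, e.g. `/* evaluation_time is fixed by main() before the parser process starts */`. The enclosing proc_parser_mft_post() ends beyond this hunk.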
diff --git a/usr.sbin/rpki-client/validate.c b/usr.sbin/rpki-client/validate.c
index 412b6e61382..b21ff004c64 100644
--- a/usr.sbin/rpki-client/validate.c
+++ b/usr.sbin/rpki-client/validate.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: validate.c,v 1.58 2023/04/26 22:05:28 beck Exp $ */
+/* $OpenBSD: validate.c,v 1.59 2023/04/27 08:37:53 beck Exp $ */
/*
* Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
*
@@ -401,7 +401,7 @@ valid_x509(char *file, X509_STORE_CTX *store_ctx, X509 *x509, struct auth *a,
cryptoerrx("OBJ_dup");
if (!X509_VERIFY_PARAM_add0_policy(params, cp_oid))
cryptoerrx("X509_VERIFY_PARAM_add0_policy");
- X509_VERIFY_PARAM_set_time(params, get_current_time());
+ X509_VERIFY_PARAM_set_time(params, evaluation_time);
flags = X509_V_FLAG_CRL_CHECK;
flags |= X509_V_FLAG_POLICY_CHECK;
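Review bot: `X509_VERIFY_PARAM_set_time()` takes a time_t, so the int64_t `evaluation_time` is narrowed implicitly here; -P accepts values up to X509_TIME_MAX (253402300799), which does not fit a 32-bit time_t, so any build with a 32-bit time_t would silently verify against a wrapped timestamp. An explicit cast with a comment, `X509_VERIFY_PARAM_set_time(params, (time_t)evaluation_time); /* time_t is 64-bit on OpenBSD */`, makes the assumption visible; alternatively main() could reject -P values outside the time_t range. valid_x509() extends outside this hunk.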