diff options
| -rw-r--r-- | usr.sbin/ntpd/constraint.c | 41 |
1 files changed, 34 insertions, 7 deletions
diff --git a/usr.sbin/ntpd/constraint.c b/usr.sbin/ntpd/constraint.c index 48704dd2be7..841a28829d2 100644 --- a/usr.sbin/ntpd/constraint.c +++ b/usr.sbin/ntpd/constraint.c @@ -1,4 +1,4 @@ -/* $OpenBSD: constraint.c,v 1.41 2019/01/21 11:05:41 jsing Exp $ */ +/* $OpenBSD: constraint.c,v 1.42 2019/01/21 11:08:37 jsing Exp $ */ /* * Copyright (c) 2015 Reyk Floeter <reyk@openbsd.org> @@ -44,6 +44,9 @@ #include "ntpd.h" +#define IMF_FIXDATE "%a, %d %h %Y %T GMT" +#define X509_DATE "%Y-%m-%d %T UTC" + int constraint_addr_init(struct constraint *); struct constraint * constraint_byid(u_int32_t); @@ -909,9 +912,11 @@ httpsdate_free(void *arg) int httpsdate_request(struct httpsdate *httpsdate, struct timeval *when) { + char timebuf1[32], timebuf2[32]; size_t outlen = 0, maxlength = CONSTRAINT_MAXHEADERLENGTH, len; char *line, *p, *buf; - time_t httptime; + time_t httptime, notbefore, notafter; + struct tm *tm; ssize_t ret; if ((httpsdate->tls_ctx = tls_client()) == NULL) @@ -967,7 +972,7 @@ httpsdate_request(struct httpsdate *httpsdate, struct timeval *when) * or ANSI C's asctime() - the latter doesn't include * the timezone which is required here. */ - if (strptime(p, "%a, %d %h %Y %T GMT", + if (strptime(p, IMF_FIXDATE, &httpsdate->tls_tm) == NULL) { log_warnx("unsupported date format"); free(line); @@ -985,12 +990,34 @@ httpsdate_request(struct httpsdate *httpsdate, struct timeval *when) * TLS handshake, based on the time specified by the server's HTTP Date: * header. */ + notbefore = tls_peer_cert_notbefore(httpsdate->tls_ctx); + notafter = tls_peer_cert_notafter(httpsdate->tls_ctx); if ((httptime = timegm(&httpsdate->tls_tm)) == -1) goto fail; - if (httptime <= tls_peer_cert_notbefore(httpsdate->tls_ctx) || - httptime >= tls_peer_cert_notafter(httpsdate->tls_ctx)) { - log_warnx("tls certificate invalid: %s (%s):", - httpsdate->tls_addr, httpsdate->tls_hostname); + if (httptime <= notbefore) { + if ((tm = gmtime(¬before)) == NULL) + goto fail; + if (strftime(timebuf1, sizeof(timebuf1), X509_DATE, tm) == 0) + goto fail; + if (strftime(timebuf2, sizeof(timebuf2), X509_DATE, + &httpsdate->tls_tm) == 0) + goto fail; + log_warnx("tls certificate not yet valid: %s (%s): " + "not before %s, now %s", httpsdate->tls_addr, + httpsdate->tls_hostname, timebuf1, timebuf2); + goto fail; + } + if (httptime >= notafter) { + if ((tm = gmtime(¬after)) == NULL) + goto fail; + if (strftime(timebuf1, sizeof(timebuf1), X509_DATE, tm) == 0) + goto fail; + if (strftime(timebuf2, sizeof(timebuf2), X509_DATE, + &httpsdate->tls_tm) == 0) + goto fail; + log_warnx("tls certificate expired: %s (%s): " + "not after %s, now %s", httpsdate->tls_addr, + httpsdate->tls_hostname, timebuf1, timebuf2); goto fail; } |