From: claudio
Date: Tue, 30 May 2023 12:14:48 +0000 (+0000)
Subject: Revert commitid ANSBO0rBvIUtTi45:
X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=0876134d1742bf4be7fe4c11b0677ae5d6d77f27;p=openbsd

Revert commitid ANSBO0rBvIUtTi45:
Make rpki-client choose the verification time of the time it is invoked rather than always getting the current system time for every certificate verification. This will result in output that is not variable on run-time.

Using the time of invocation does not work well with fast publishing CAs. It can take a few minutes to reach a repo and that CA may have issued certificates that are not yet valid if that startup time of rpki-client is used to validate. This still keeps the -P option to specify a fixed validation time.

OK beck@ job@ tb@
---
diff --git a/regress/usr.sbin/rpki-client/test-aspa.c b/regress/usr.sbin/rpki-client/test-aspa.c
index 1540751808f..88556a80367 100644
--- a/regress/usr.sbin/rpki-client/test-aspa.c
+++ b/regress/usr.sbin/rpki-client/test-aspa.c
@@ -1,4 +1,4 @@
-/* $Id: test-aspa.c,v 1.4 2023/04/27 08:37:53 beck Exp $ */
+/* $Id: test-aspa.c,v 1.5 2023/05/30 12:14:48 claudio Exp $ */
 /*
  * Copyright (c) 2022 Job Snijders
  * Copyright (c) 2019 Kristaps Dzonsons
@@ -35,8 +35,6 @@ int outformats;
 int verbose;
 int filemode;
-int64_t evaluation_time;
-
 int
 main(int argc, char *argv[])
 {
@@ -98,3 +96,9 @@ main(int argc, char *argv[])
 	printf("OK\n");
 	return 0;
 }
+
+time_t
+get_current_time(void)
+{
+	return time(NULL);
+}
diff --git a/regress/usr.sbin/rpki-client/test-cert.c b/regress/usr.sbin/rpki-client/test-cert.c
index e9998c30fb3..e17b55f7931 100644
--- a/regress/usr.sbin/rpki-client/test-cert.c
+++ b/regress/usr.sbin/rpki-client/test-cert.c
@@ -1,4 +1,4 @@
-/* $Id: test-cert.c,v 1.22 2023/04/27 08:37:53 beck Exp $ */
+/* $Id: test-cert.c,v 1.23 2023/05/30 12:14:48 claudio Exp $ */
 /*
  * Copyright (c) 2019 Kristaps Dzonsons
  *
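Review bot: The `get_current_time()` stub appended to test-aspa.c (and, identically, to test-cert.c, test-gbr.c, test-geofeed.c, test-ip.c, test-mft.c, test-roa.c, test-rrdp.c, test-rsc.c, test-tak.c and test-tal.c in this commit) carries no comment saying why a regress program defines a function that belongs to main.c. A reader has to go to extern.h to learn that it stands in for the removed `evaluation_time` global, presumably because the rpki-client objects linked into these programs reference it. Suggest `/* Stand-in for main.c's get_current_time(); the rpki-client objects linked into this regress program reference it (see extern.h). */` above each definition. Since the stub returns the wall clock, any check these programs reach through it becomes run-date dependent; whether anything linked in actually calls it is not visible here.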
@@ -36,8 +36,6 @@ int outformats;
 int verbose;
 int filemode;
-int64_t evaluation_time;
-
 int
 main(int argc, char *argv[])
 {
@@ -127,3 +125,9 @@ main(int argc, char *argv[])
 	printf("OK\n");
 	return 0;
 }
+
+time_t
+get_current_time(void)
+{
+	return time(NULL);
+}
diff --git a/regress/usr.sbin/rpki-client/test-gbr.c b/regress/usr.sbin/rpki-client/test-gbr.c
index 36a4bbb9a3e..be76feed86b 100644
--- a/regress/usr.sbin/rpki-client/test-gbr.c
+++ b/regress/usr.sbin/rpki-client/test-gbr.c
@@ -1,4 +1,4 @@
-/* $Id: test-gbr.c,v 1.14 2023/04/27 08:37:53 beck Exp $ */
+/* $Id: test-gbr.c,v 1.15 2023/05/30 12:14:48 claudio Exp $ */
 /*
  * Copyright (c) 2019 Kristaps Dzonsons
  *
@@ -34,8 +34,6 @@ int outformats;
 int verbose;
 int filemode;
-int64_t evaluation_time;
-
 int
 main(int argc, char *argv[])
 {
@@ -98,3 +96,9 @@ main(int argc, char *argv[])
 	printf("OK\n");
 	return 0;
 }
+
+time_t
+get_current_time(void)
+{
+	return time(NULL);
+}
diff --git a/regress/usr.sbin/rpki-client/test-geofeed.c b/regress/usr.sbin/rpki-client/test-geofeed.c
index 9490f5f5922..9a17c340c85 100644
--- a/regress/usr.sbin/rpki-client/test-geofeed.c
+++ b/regress/usr.sbin/rpki-client/test-geofeed.c
@@ -1,4 +1,4 @@
-/* $Id: test-geofeed.c,v 1.3 2023/04/27 08:37:53 beck Exp $ */
+/* $Id: test-geofeed.c,v 1.4 2023/05/30 12:14:48 claudio Exp $ */
 /*
  * Copyright (c) 2019 Kristaps Dzonsons
  *
@@ -34,8 +34,6 @@ int outformats;
 int verbose;
 int filemode;
-int64_t evaluation_time;
-
 int
 main(int argc, char *argv[])
 {
@@ -98,3 +96,9 @@ main(int argc, char *argv[])
 	printf("OK\n");
 	return 0;
 }
+
+time_t
+get_current_time(void)
+{
+	return time(NULL);
+}
diff --git a/regress/usr.sbin/rpki-client/test-ip.c b/regress/usr.sbin/rpki-client/test-ip.c
index f208d6a8953..b214ef589e1 100644
--- a/regress/usr.sbin/rpki-client/test-ip.c
+++ b/regress/usr.sbin/rpki-client/test-ip.c
@@ -1,4 +1,4 @@
-/* $Id: test-ip.c,v 1.8 2023/04/27 08:37:53 beck Exp $ */
+/* $Id: test-ip.c,v 1.9 2023/05/30 12:14:48 claudio Exp $ */
 /*
  * Copyright (c) 2019 Kristaps Dzonsons
  *
@@ -35,8 +35,6 @@ int outformats;
 int verbose;
 int filemode;
-int64_t evaluation_time;
-
 static void
 test(const char *res, uint16_t afiv, size_t sz, size_t unused, ...)
 {
@@ -130,3 +128,9 @@ main(int argc, char *argv[])
 	printf("OK\n");
 	return 0;
 }
+
+time_t
+get_current_time(void)
+{
+	return time(NULL);
+}
diff --git a/regress/usr.sbin/rpki-client/test-mft.c b/regress/usr.sbin/rpki-client/test-mft.c
index 16d47b549f6..f975c8496e5 100644
--- a/regress/usr.sbin/rpki-client/test-mft.c
+++ b/regress/usr.sbin/rpki-client/test-mft.c
@@ -1,4 +1,4 @@
-/* $Id: test-mft.c,v 1.24 2023/04/27 08:37:53 beck Exp $ */
+/* $Id: test-mft.c,v 1.25 2023/05/30 12:14:48 claudio Exp $ */
 /*
  * Copyright (c) 2019 Kristaps Dzonsons
  *
@@ -36,8 +36,6 @@ int outformats;
 int verbose;
-int64_t evaluation_time;
-
 int
 main(int argc, char *argv[])
 {
@@ -99,3 +97,9 @@ main(int argc, char *argv[])
 	printf("OK\n");
 	return 0;
 }
+
+time_t
+get_current_time(void)
+{
+	return time(NULL);
+}
diff --git a/regress/usr.sbin/rpki-client/test-roa.c b/regress/usr.sbin/rpki-client/test-roa.c
index 97e95f61fa8..1ca25adf341 100644
--- a/regress/usr.sbin/rpki-client/test-roa.c
+++ b/regress/usr.sbin/rpki-client/test-roa.c
@@ -1,4 +1,4 @@
-/* $Id: test-roa.c,v 1.22 2023/04/27 08:37:53 beck Exp $ */
+/* $Id: test-roa.c,v 1.23 2023/05/30 12:14:48 claudio Exp $ */
 /*
  * Copyright (c) 2019 Kristaps Dzonsons
  *
@@ -34,8 +34,6 @@ int outformats;
 int verbose;
 int filemode;
-int64_t evaluation_time;
-
 int
 main(int argc, char *argv[])
 {
@@ -97,3 +95,9 @@ main(int argc, char *argv[])
 	printf("OK\n");
 	return 0;
 }
+
+time_t
+get_current_time(void)
+{
+	return time(NULL);
+}
diff --git a/regress/usr.sbin/rpki-client/test-rrdp.c b/regress/usr.sbin/rpki-client/test-rrdp.c
index f50a4af2f00..abcd843d53f 100644
--- a/regress/usr.sbin/rpki-client/test-rrdp.c
+++ b/regress/usr.sbin/rpki-client/test-rrdp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: test-rrdp.c,v 1.5 2023/04/27 08:37:53 beck Exp $ */
+/* $OpenBSD: test-rrdp.c,v 1.6 2023/05/30 12:14:48 claudio Exp $ */
 /*
  * Copyright (c) 2020 Nils Fisher
  * Copyright (c) 2021 Claudio Jeker
@@ -37,8 +37,6 @@ int verbose;
-int64_t evaluation_time;
-
 #define REGRESS_NOTIFY_URI "https://rpki.example.com/notify.xml"
 #define MAX_SESSIONS 12
@@ -340,3 +338,9 @@ usage:
 	    "-d | -n | -s\n", "test-rrdp");
 	exit(1);
 }
+
+time_t
+get_current_time(void)
+{
+	return time(NULL);
+}
diff --git a/regress/usr.sbin/rpki-client/test-rsc.c b/regress/usr.sbin/rpki-client/test-rsc.c
index edc90c57323..77c6b004da0 100644
--- a/regress/usr.sbin/rpki-client/test-rsc.c
+++ b/regress/usr.sbin/rpki-client/test-rsc.c
@@ -1,4 +1,4 @@
-/* $Id: test-rsc.c,v 1.7 2023/04/27 08:37:53 beck Exp $ */
+/* $Id: test-rsc.c,v 1.8 2023/05/30 12:14:48 claudio Exp $ */
 /*
  * Copyright (c) 2019 Kristaps Dzonsons
  *
@@ -37,8 +37,6 @@ int outformats;
 int verbose;
 int filemode;
-int64_t evaluation_time;
-
 int
 main(int argc, char *argv[])
 {
@@ -100,3 +98,9 @@ main(int argc, char *argv[])
 	printf("OK\n");
 	return 0;
 }
+
+time_t
+get_current_time(void)
+{
+	return time(NULL);
+}
diff --git a/regress/usr.sbin/rpki-client/test-tak.c b/regress/usr.sbin/rpki-client/test-tak.c
index c84a9dfd50b..87d2b4474ea 100644
--- a/regress/usr.sbin/rpki-client/test-tak.c
+++ b/regress/usr.sbin/rpki-client/test-tak.c
@@ -1,4 +1,4 @@
-/* $Id: test-tak.c,v 1.4 2023/04/27 08:37:53 beck Exp $ */
+/* $Id: test-tak.c,v 1.5 2023/05/30 12:14:48 claudio Exp $ */
 /*
  * Copyright (c) 2022 Job Snijders
  * Copyright (c) 2019 Kristaps Dzonsons
@@ -35,8 +35,6 @@ int outformats;
 int verbose;
 int filemode;
-int64_t evaluation_time;
-
 int
 main(int argc, char *argv[])
 {
@@ -98,3 +96,9 @@ main(int argc, char *argv[])
 	printf("OK\n");
 	return 0;
 }
+
+time_t
+get_current_time(void)
+{
+	return time(NULL);
+}
diff --git a/regress/usr.sbin/rpki-client/test-tal.c b/regress/usr.sbin/rpki-client/test-tal.c
index bac51e40363..3d9eb351f7c 100644
--- a/regress/usr.sbin/rpki-client/test-tal.c
+++ b/regress/usr.sbin/rpki-client/test-tal.c
@@ -1,4 +1,4 @@
-/* $Id: test-tal.c,v 1.11 2023/04/27 08:37:53 beck Exp $ */
+/* $Id: test-tal.c,v 1.12 2023/05/30 12:14:48 claudio Exp $ */
 /*
  * Copyright (c) 2019 Kristaps Dzonsons
  *
@@ -32,8 +32,6 @@ int outformats;
 int verbose;
-int64_t evaluation_time;
-
 int
 main(int argc, char *argv[])
 {
@@ -82,3 +80,9 @@ main(int argc, char *argv[])
 	printf("OK\n");
 	return 0;
 }
+
+time_t
+get_current_time(void)
+{
+	return time(NULL);
+}
diff --git a/usr.sbin/rpki-client/extern.h b/usr.sbin/rpki-client/extern.h
index 68d724de2cc..64c75cc87e0 100644
--- a/usr.sbin/rpki-client/extern.h
+++ b/usr.sbin/rpki-client/extern.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: extern.h,v 1.181 2023/05/09 10:34:32 tb Exp $ */
+/* $OpenBSD: extern.h,v 1.182 2023/05/30 12:14:48 claudio Exp $ */
 /*
  * Copyright (c) 2019 Kristaps Dzonsons
  *
@@ -951,6 +951,6 @@ int mkpathat(int, const char *);
  */
 #define X509_TIME_MAX 253402300799LL
 #define X509_TIME_MIN -62167219200LL
-extern int64_t evaluation_time;
+extern time_t get_current_time(void);
 #endif /* ! EXTERN_H */
diff --git a/usr.sbin/rpki-client/main.c b/usr.sbin/rpki-client/main.c
index 110fb94a485..22c1c34001d 100644
--- a/usr.sbin/rpki-client/main.c
+++ b/usr.sbin/rpki-client/main.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: main.c,v 1.239 2023/05/30 12:12:06 claudio Exp $ */
+/* $OpenBSD: main.c,v 1.240 2023/05/30 12:14:48 claudio Exp $ */
 /*
  * Copyright (c) 2021 Claudio Jeker
  * Copyright (c) 2019 Kristaps Dzonsons
@@ -74,7 +74,7 @@ int rrdpon = 1;
 int repo_timeout;
 time_t deadline;
-int64_t evaluation_time;
+int64_t evaluation_time = X509_TIME_MIN;
 struct stats stats;
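Review bot: `int64_t evaluation_time = X509_TIME_MIN;` in the main.c hunk at line 74 turns the extreme value into an "unset" sentinel, but the declaration does not say so; the reader only discovers the convention from the `> X509_TIME_MIN` test in the new get_current_time() and from the `X509_TIME_MIN + 1` lower bound passed to strtonum() in the `-P` hunk further down this file. Those three spots must stay in agreement, so document the invariant where the variable is defined: `/* Fixed validation time from -P; X509_TIME_MIN means "not given", so -P must reject it (see get_current_time()) */`. A separate "set" flag would remove the coupling, but the comment is enough for this change.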
@@ -126,6 +126,14 @@ entity_free(struct entity *ent)
 	free(ent);
 }
+time_t
+get_current_time(void)
+{
+	if (evaluation_time > X509_TIME_MIN)
+		return (time_t) evaluation_time;
+	return time(NULL);
+}
+
 /*
  * Read a queue entity from the descriptor.
  * Matched by entity_buffer_req().
@@ -966,8 +974,6 @@ main(int argc, char *argv[])
 	    "proc exec unveil", NULL) == -1)
 		err(1, "pledge");
-	evaluation_time = time(NULL);
-
 	while ((c = getopt(argc, argv, "Ab:Bcd:e:fH:jmnoP:rRs:S:t:T:vV")) != -1)
 		switch (c) {
 		case 'A':
@@ -1009,7 +1015,7 @@ main(int argc, char *argv[])
 			outformats |= FORMAT_OPENBGPD;
 			break;
 		case 'P':
-			evaluation_time = strtonum(optarg, X509_TIME_MIN,
+			evaluation_time = strtonum(optarg, X509_TIME_MIN + 1,
 			    X509_TIME_MAX, &errs);
 			if (errs)
 				errx(1, "-P: time in seconds %s", errs);
diff --git a/usr.sbin/rpki-client/output-bird.c b/usr.sbin/rpki-client/output-bird.c
index 22364a56de3..344f28d2724 100644
--- a/usr.sbin/rpki-client/output-bird.c
+++ b/usr.sbin/rpki-client/output-bird.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: output-bird.c,v 1.17 2023/04/27 08:37:53 beck Exp $ */
+/* $OpenBSD: output-bird.c,v 1.18 2023/05/30 12:14:48 claudio Exp $ */
 /*
  * Copyright (c) 2019 Claudio Jeker
  * Copyright (c) 2020 Robert Scheck
@@ -84,6 +84,7 @@ output_bird2(FILE *out, struct vrp_tree *vrps, struct brk_tree *brks,
 {
 	extern const char *bird_tablename;
 	struct vrp *v;
+	time_t now = get_current_time();
 	if (outputheader(out, st) < 0)
 		return -1;
@@ -91,7 +92,7 @@ output_bird2(FILE *out, struct vrp_tree *vrps, struct brk_tree *brks,
 	if (fprintf(out, "\ndefine force_roa_table_update = %lld;\n\n"
 	    "roa4 table %s4;\nroa6 table %s6;\n\n"
 	    "protocol static {\n\troa4 { table %s4; };\n\n",
-	    (long long)evaluation_time, bird_tablename, bird_tablename,
+	    (long long)now, bird_tablename, bird_tablename,
 	    bird_tablename) < 0)
 		return -1;
diff --git a/usr.sbin/rpki-client/parser.c b/usr.sbin/rpki-client/parser.c
index 7da33377ac3..93c0eca95b8 100644
--- a/usr.sbin/rpki-client/parser.c
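Review bot: `return (time_t) evaluation_time;` in the new get_current_time() narrows an int64_t that `-P` lets range up to X509_TIME_MAX (253402300799 per extern.h), a value that only fits a 64-bit time_t; OpenBSD's time_t is 64-bit so the tree is fine, but if this code is also built where time_t is 32 bits the cast truncates silently, which deserves at least a remark next to the cast. The function also has no header comment although every caller in validate.c, parser.c and output-bird.c now depends on its two-way behaviour; suggest `/* Validation time: the fixed -P time when given, otherwise the wall clock at each call. */` above it. entity_free() in the leading context lines is only partially visible here.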
+++ b/usr.sbin/rpki-client/parser.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: parser.c,v 1.94 2023/05/11 20:13:30 job Exp $ */
+/* $OpenBSD: parser.c,v 1.95 2023/05/30 12:14:48 claudio Exp $ */
 /*
  * Copyright (c) 2019 Claudio Jeker
  * Copyright (c) 2019 Kristaps Dzonsons
@@ -312,6 +312,9 @@ static struct mft *
 proc_parser_mft_post(char *file, struct mft *mft, const char *path,
     const char *errstr)
 {
+	/* check that now is not before from */
+	time_t now = get_current_time();
+
 	if (mft == NULL) {
 		if (errstr == NULL)
 			errstr = "no valid mft available";
@@ -319,14 +322,14 @@ proc_parser_mft_post(char *file, struct mft *mft, const char *path,
 		return NULL;
 	}
-	/* check that evaluation_time is not before from */
-	if (evaluation_time < mft->thisupdate) {
+	/* check that now is not before from */
+	if (now < mft->thisupdate) {
 		warnx("%s: mft not yet valid %s", file,
 		    time2str(mft->thisupdate));
 		mft->stale = 1;
 	}
-	/* check that evaluation_time is not after until */
-	if (evaluation_time > mft->nextupdate) {
+	/* check that now is not after until */
+	if (now > mft->nextupdate) {
 		warnx("%s: mft expired on %s", file,
 		    time2str(mft->nextupdate));
 		mft->stale = 1;
diff --git a/usr.sbin/rpki-client/validate.c b/usr.sbin/rpki-client/validate.c
index 0aa20157cca..69612a83900 100644
--- a/usr.sbin/rpki-client/validate.c
+++ b/usr.sbin/rpki-client/validate.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: validate.c,v 1.62 2023/05/23 06:42:08 tb Exp $ */
+/* $OpenBSD: validate.c,v 1.63 2023/05/30 12:14:48 claudio Exp $ */
 /*
  * Copyright (c) 2019 Kristaps Dzonsons
  *
@@ -415,7 +415,7 @@ valid_x509(char *file, X509_STORE_CTX *store_ctx, X509 *x509, struct auth *a,
 		cryptoerrx("OBJ_dup");
 	if (!X509_VERIFY_PARAM_add0_policy(params, cp_oid))
 		cryptoerrx("X509_VERIFY_PARAM_add0_policy");
-	X509_VERIFY_PARAM_set_time(params, evaluation_time);
+	X509_VERIFY_PARAM_set_time(params, get_current_time());
 	flags = X509_V_FLAG_CRL_CHECK;
 	flags |= X509_V_FLAG_PARTIAL_CHAIN;
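Review bot: The comment `/* check that now is not before from */` placed above `time_t now = get_current_time();` at the top of proc_parser_mft_post() (parser.c hunk at line 312) describes the thisupdate comparison that only happens in the next hunk, where the very same comment is repeated verbatim above `if (now < mft->thisupdate)`; at the declaration it is a copy-paste leftover that misdescribes the line. Either drop it or say what the line is for, e.g. `/* one timestamp shared by the thisupdate and nextupdate checks below */`, which also records why the time is read once rather than at each comparison. proc_parser_mft_post()'s body continues past both hunks.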