From: beck
Date: Thu, 27 Apr 2023 08:37:53 +0000 (+0000)
Subject: Make rpki-client choose the verification time of the time it is invoked
X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=f0813572b9943620ce24288717a3f4233a19439f;p=openbsd

Make rpki-client choose the verification time of the time it is invoked rather than always getting the current system time for every certificate verification. This will result in output that is not variable on run-time.

ok tb@ claudio@
---

diff --git a/regress/usr.sbin/rpki-client/test-aspa.c b/regress/usr.sbin/rpki-client/test-aspa.c
index 9aef5462d55..1540751808f 100644
--- a/regress/usr.sbin/rpki-client/test-aspa.c
+++ b/regress/usr.sbin/rpki-client/test-aspa.c
@@ -1,4 +1,4 @@
-/* $Id: test-aspa.c,v 1.3 2023/04/27 06:11:43 claudio Exp $ */
+/* $Id: test-aspa.c,v 1.4 2023/04/27 08:37:53 beck Exp $ */
 /*
  * Copyright (c) 2022 Job Snijders
  * Copyright (c) 2019 Kristaps Dzonsons
@@ -35,6 +35,8 @@ int outformats;
 int verbose;
 int filemode;
 
+int64_t evaluation_time;
+
 int
 main(int argc, char *argv[])
 {
@@ -96,9 +98,3 @@ main(int argc, char *argv[])
 printf("OK\n");
 return 0;
 }
-
-time_t
-get_current_time(void)
-{
- return time(NULL);
-}
diff --git a/regress/usr.sbin/rpki-client/test-cert.c b/regress/usr.sbin/rpki-client/test-cert.c
index 110565c95c2..e9998c30fb3 100644
--- a/regress/usr.sbin/rpki-client/test-cert.c
+++ b/regress/usr.sbin/rpki-client/test-cert.c
@@ -1,4 +1,4 @@
-/* $Id: test-cert.c,v 1.21 2023/04/27 06:11:43 claudio Exp $ */
+/* $Id: test-cert.c,v 1.22 2023/04/27 08:37:53 beck Exp $ */
 /*
  * Copyright (c) 2019 Kristaps Dzonsons
  *
@@ -36,6 +36,8 @@ int outformats;
 int verbose;
 int filemode;
 
+int64_t evaluation_time;
+
 int
 main(int argc, char *argv[])
 {
@@ -125,9 +127,3 @@ main(int argc, char *argv[])
 printf("OK\n");
 return 0;
 }
-
-time_t
-get_current_time(void)
-{
- return time(NULL);
-}
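Review bot: The regress programs now define `int64_t evaluation_time;` but never assign it, so it keeps its zero static value (1970-01-01), whereas the removed `get_current_time()` returned the wall clock; any linked parser that consults it (none is visible in this hunk, so I cannot confirm one does) would judge every test object as not yet valid. Mirror main.c and set it at the top of `main()`: `evaluation_time = time(NULL);`. Since all eleven test programs repeat the same definition, a shared regress helper would stop the same omission recurring. The body of `main()` continues outside the hunk.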
diff --git a/regress/usr.sbin/rpki-client/test-gbr.c b/regress/usr.sbin/rpki-client/test-gbr.c
index 02386278afc..36a4bbb9a3e 100644
--- a/regress/usr.sbin/rpki-client/test-gbr.c
+++ b/regress/usr.sbin/rpki-client/test-gbr.c
@@ -1,4 +1,4 @@
-/* $Id: test-gbr.c,v 1.13 2023/04/27 06:11:43 claudio Exp $ */
+/* $Id: test-gbr.c,v 1.14 2023/04/27 08:37:53 beck Exp $ */
 /*
  * Copyright (c) 2019 Kristaps Dzonsons
  *
@@ -34,6 +34,8 @@ int outformats;
 int verbose;
 int filemode;
 
+int64_t evaluation_time;
+
 int
 main(int argc, char *argv[])
 {
@@ -96,9 +98,3 @@ main(int argc, char *argv[])
 printf("OK\n");
 return 0;
 }
-
-time_t
-get_current_time(void)
-{
- return time(NULL);
-}
diff --git a/regress/usr.sbin/rpki-client/test-geofeed.c b/regress/usr.sbin/rpki-client/test-geofeed.c
index aff4685e8e5..9490f5f5922 100644
--- a/regress/usr.sbin/rpki-client/test-geofeed.c
+++ b/regress/usr.sbin/rpki-client/test-geofeed.c
@@ -1,4 +1,4 @@
-/* $Id: test-geofeed.c,v 1.2 2023/04/27 06:11:43 claudio Exp $ */
+/* $Id: test-geofeed.c,v 1.3 2023/04/27 08:37:53 beck Exp $ */
 /*
  * Copyright (c) 2019 Kristaps Dzonsons
  *
@@ -34,6 +34,8 @@ int outformats;
 int verbose;
 int filemode;
 
+int64_t evaluation_time;
+
 int
 main(int argc, char *argv[])
 {
@@ -96,9 +98,3 @@ main(int argc, char *argv[])
 printf("OK\n");
 return 0;
 }
-
-time_t
-get_current_time(void)
-{
- return time(NULL);
-}
diff --git a/regress/usr.sbin/rpki-client/test-ip.c b/regress/usr.sbin/rpki-client/test-ip.c
index 7fe22070e0b..f208d6a8953 100644
--- a/regress/usr.sbin/rpki-client/test-ip.c
+++ b/regress/usr.sbin/rpki-client/test-ip.c
@@ -1,4 +1,4 @@
-/* $Id: test-ip.c,v 1.7 2023/04/27 06:11:43 claudio Exp $ */
+/* $Id: test-ip.c,v 1.8 2023/04/27 08:37:53 beck Exp $ */
 /*
  * Copyright (c) 2019 Kristaps Dzonsons
  *
@@ -35,6 +35,8 @@ int outformats;
 int verbose;
 int filemode;
 
+int64_t evaluation_time;
+
 static void
 test(const char *res, uint16_t afiv, size_t sz, size_t unused, ...)
 {
@@ -128,9 +130,3 @@ main(int argc, char *argv[]) printf("OK\n"); return 0; } - -time_t -get_current_time(void) -{ - return time(NULL); -} diff --git a/regress/usr.sbin/rpki-client/test-mft.c b/regress/usr.sbin/rpki-client/test-mft.c index 8ceb2e2cd77..16d47b549f6 100644 --- a/regress/usr.sbin/rpki-client/test-mft.c +++ b/regress/usr.sbin/rpki-client/test-mft.c @@ -1,4 +1,4 @@ -/* $Id: test-mft.c,v 1.23 2023/04/27 06:11:43 claudio Exp $ */ +/* $Id: test-mft.c,v 1.24 2023/04/27 08:37:53 beck Exp $ */ /* * Copyright (c) 2019 Kristaps Dzonsons * @@ -36,6 +36,8 @@ int outformats; int verbose; +int64_t evaluation_time; + int main(int argc, char *argv[]) { @@ -97,9 +99,3 @@ main(int argc, char *argv[]) printf("OK\n"); return 0; } - -time_t -get_current_time(void) -{ - return time(NULL); -} diff --git a/regress/usr.sbin/rpki-client/test-roa.c b/regress/usr.sbin/rpki-client/test-roa.c index a6927ac21ae..97e95f61fa8 100644 --- a/regress/usr.sbin/rpki-client/test-roa.c +++ b/regress/usr.sbin/rpki-client/test-roa.c @@ -1,4 +1,4 @@ -/* $Id: test-roa.c,v 1.21 2023/04/27 06:11:43 claudio Exp $ */ +/* $Id: test-roa.c,v 1.22 2023/04/27 08:37:53 beck Exp $ */ /* * Copyright (c) 2019 Kristaps Dzonsons * @@ -34,6 +34,8 @@ int outformats; int verbose; int filemode; +int64_t evaluation_time; + int main(int argc, char *argv[]) { @@ -95,9 +97,3 @@ main(int argc, char *argv[]) printf("OK\n"); return 0; } - -time_t -get_current_time(void) -{ - return time(NULL); -} diff --git a/regress/usr.sbin/rpki-client/test-rrdp.c b/regress/usr.sbin/rpki-client/test-rrdp.c index f269452bc29..f50a4af2f00 100644 --- a/regress/usr.sbin/rpki-client/test-rrdp.c +++ b/regress/usr.sbin/rpki-client/test-rrdp.c @@ -1,4 +1,4 @@ -/* $OpenBSD: test-rrdp.c,v 1.4 2023/04/27 06:11:43 claudio Exp $ */ +/* $OpenBSD: test-rrdp.c,v 1.5 2023/04/27 08:37:53 beck Exp $ */ /* * Copyright (c) 2020 Nils Fisher * Copyright (c) 2021 Claudio Jeker 
@@ -37,6 +37,8 @@ int verbose; +int64_t evaluation_time; + #define REGRESS_NOTIFY_URI "https://rpki.example.com/notify.xml" #define MAX_SESSIONS 12 @@ -338,9 +340,3 @@ usage: "-d | -n | -s\n", "test-rrdp"); exit(1); } - -time_t -get_current_time(void) -{ - return time(NULL); -} diff --git a/regress/usr.sbin/rpki-client/test-rsc.c b/regress/usr.sbin/rpki-client/test-rsc.c index 1bd61cd5c3b..edc90c57323 100644 --- a/regress/usr.sbin/rpki-client/test-rsc.c +++ b/regress/usr.sbin/rpki-client/test-rsc.c @@ -1,4 +1,4 @@ -/* $Id: test-rsc.c,v 1.6 2023/04/27 06:11:43 claudio Exp $ */ +/* $Id: test-rsc.c,v 1.7 2023/04/27 08:37:53 beck Exp $ */ /* * Copyright (c) 2019 Kristaps Dzonsons * @@ -37,6 +37,8 @@ int outformats; int verbose; int filemode; +int64_t evaluation_time; + int main(int argc, char *argv[]) { @@ -98,9 +100,3 @@ main(int argc, char *argv[]) printf("OK\n"); return 0; } - -time_t -get_current_time(void) -{ - return time(NULL); -} diff --git a/regress/usr.sbin/rpki-client/test-tak.c b/regress/usr.sbin/rpki-client/test-tak.c index c9229011273..c84a9dfd50b 100644 --- a/regress/usr.sbin/rpki-client/test-tak.c +++ b/regress/usr.sbin/rpki-client/test-tak.c @@ -1,4 +1,4 @@ -/* $Id: test-tak.c,v 1.3 2023/04/27 06:11:43 claudio Exp $ */ +/* $Id: test-tak.c,v 1.4 2023/04/27 08:37:53 beck Exp $ */ /* * Copyright (c) 2022 Job Snijders * Copyright (c) 2019 Kristaps Dzonsons @@ -35,6 +35,8 @@ int outformats; int verbose; int filemode; +int64_t evaluation_time; + int main(int argc, char *argv[]) { @@ -96,9 +98,3 @@ main(int argc, char *argv[]) printf("OK\n"); return 0; } - -time_t -get_current_time(void) -{ - return time(NULL); -} diff --git a/regress/usr.sbin/rpki-client/test-tal.c b/regress/usr.sbin/rpki-client/test-tal.c index de59cf2a44a..bac51e40363 100644 --- a/regress/usr.sbin/rpki-client/test-tal.c +++ b/regress/usr.sbin/rpki-client/test-tal.c 
@@ -1,4 +1,4 @@ -/* $Id: test-tal.c,v 1.10 2023/04/27 06:11:43 claudio Exp $ */ +/* $Id: test-tal.c,v 1.11 2023/04/27 08:37:53 beck Exp $ */ /* * Copyright (c) 2019 Kristaps Dzonsons * @@ -32,6 +32,8 @@ int outformats; int verbose; +int64_t evaluation_time; + int main(int argc, char *argv[]) { @@ -80,9 +82,3 @@ main(int argc, char *argv[]) printf("OK\n"); return 0; } - -time_t -get_current_time(void) -{ - return time(NULL); -} diff --git a/usr.sbin/rpki-client/extern.h b/usr.sbin/rpki-client/extern.h index a5a3200b308..4c1217aa975 100644 --- a/usr.sbin/rpki-client/extern.h +++ b/usr.sbin/rpki-client/extern.h @@ -1,4 +1,4 @@ -/* $OpenBSD: extern.h,v 1.179 2023/04/26 22:05:28 beck Exp $ */ +/* $OpenBSD: extern.h,v 1.180 2023/04/27 08:37:53 beck Exp $ */ /* * Copyright (c) 2019 Kristaps Dzonsons * @@ -950,6 +950,6 @@ int mkpathat(int, const char *); */ #define X509_TIME_MAX 253402300799LL #define X509_TIME_MIN -62167219200LL -extern time_t get_current_time(void); +extern int64_t evaluation_time; #endif /* ! EXTERN_H */ diff --git a/usr.sbin/rpki-client/main.c b/usr.sbin/rpki-client/main.c index 6cdbc213025..0b899c4aed1 100644 --- a/usr.sbin/rpki-client/main.c +++ b/usr.sbin/rpki-client/main.c @@ -1,4 +1,4 @@ -/* $OpenBSD: main.c,v 1.235 2023/04/26 22:05:28 beck Exp $ */ +/* $OpenBSD: main.c,v 1.236 2023/04/27 08:37:53 beck Exp $ */ /* * Copyright (c) 2021 Claudio Jeker * Copyright (c) 2019 Kristaps Dzonsons @@ -74,7 +74,7 @@ int rrdpon = 1; int repo_timeout; time_t deadline; -int64_t evaluation_time = X509_TIME_MIN; +int64_t evaluation_time; struct stats stats; @@ -126,14 +126,6 @@ entity_free(struct entity *ent) free(ent); } -time_t -get_current_time(void) -{ - if (evaluation_time > X509_TIME_MIN) - return (time_t) evaluation_time; - return time(NULL); -} - /* * Read a queue entity from the descriptor. * Matched by entity_buffer_req(). 
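Review bot: `extern int64_t evaluation_time;` in extern.h trades a function for a writable global, and the header says nothing about who owns it or what it means; add `/* Verification time for this run: set once in main() (wall clock, or the -P value) and read by every validity check. */`. The consumers compare it against `time_t` values, so a note that it is kept as int64_t to hold the full X509_TIME_MIN..X509_TIME_MAX range would also help the next reader.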
@@ -973,6 +965,8 @@ main(int argc, char *argv[])
 "proc exec unveil", NULL) == -1)
 err(1, "pledge");
 
+ evaluation_time = time(NULL);
+
 while ((c = getopt(argc, argv, "Ab:Bcd:e:fH:jmnoP:rRs:S:t:T:vV")) != -1)
 switch (c) {
 case 'A':
@@ -1014,7 +1008,7 @@ main(int argc, char *argv[])
 outformats |= FORMAT_OPENBGPD;
 break;
 case 'P':
- evaluation_time = strtonum(optarg, X509_TIME_MIN + 1,
+ evaluation_time = strtonum(optarg, X509_TIME_MIN,
 X509_TIME_MAX, &errs);
 if (errs)
 errx(1, "-P: time in seconds %s", errs);
diff --git a/usr.sbin/rpki-client/output-bird.c b/usr.sbin/rpki-client/output-bird.c
index 39582912702..22364a56de3 100644
--- a/usr.sbin/rpki-client/output-bird.c
+++ b/usr.sbin/rpki-client/output-bird.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: output-bird.c,v 1.16 2023/04/26 22:05:28 beck Exp $ */
+/* $OpenBSD: output-bird.c,v 1.17 2023/04/27 08:37:53 beck Exp $ */
 /*
  * Copyright (c) 2019 Claudio Jeker
  * Copyright (c) 2020 Robert Scheck
@@ -84,7 +84,6 @@ output_bird2(FILE *out, struct vrp_tree *vrps, struct brk_tree *brks,
 {
 extern const char *bird_tablename;
 struct vrp *v;
- time_t now = get_current_time();
 
 if (outputheader(out, st) < 0)
 return -1;
@@ -92,7 +91,7 @@ output_bird2(FILE *out, struct vrp_tree *vrps, struct brk_tree *brks,
 if (fprintf(out, "\ndefine force_roa_table_update = %lld;\n\n"
 "roa4 table %s4;\nroa6 table %s6;\n\n"
 "protocol static {\n\troa4 { table %s4; };\n\n",
- (long long)now, bird_tablename, bird_tablename,
+ (long long)evaluation_time, bird_tablename, bird_tablename,
 bird_tablename) < 0)
 return -1;
 
diff --git a/usr.sbin/rpki-client/parser.c b/usr.sbin/rpki-client/parser.c
index 8bcde343d80..4da886e7549 100644
--- a/usr.sbin/rpki-client/parser.c
+++ b/usr.sbin/rpki-client/parser.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: parser.c,v 1.92 2023/04/26 22:05:28 beck Exp $ */
+/* $OpenBSD: parser.c,v 1.93 2023/04/27 08:37:53 beck Exp $ */
 /*
  * Copyright (c) 2019 Claudio Jeker
  * Copyright (c) 2019 Kristaps Dzonsons
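Review bot: The `-P` case now stores any value in X509_TIME_MIN..X509_TIME_MAX into `evaluation_time`, while the consumers hand it to `time_t` (`X509_VERIFY_PARAM_set_time()` in validate.c, the `mft->thisupdate` comparisons in parser.c); that is lossless with OpenBSD's 64-bit time_t, but a portable build with a 32-bit time_t would silently truncate an out-of-range -P and could make an expired object verify. A cheap guard after the strtonum error check is `if (evaluation_time != (time_t)evaluation_time) errx(1, "-P: time out of range for time_t");`. The new `evaluation_time = time(NULL);` also deserves a one-line comment, `/* Fixed for the whole run so output is reproducible; -P overrides it below. */`. main() extends well beyond both hunks.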
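Review bot: `force_roa_table_update` now prints the fixed `evaluation_time` instead of the wall clock; if BIRD only reloads the ROA tables when that define changes between runs (the name suggests so, but I cannot confirm it from here), repeated runs with the same `-P` would emit byte-identical files and the table refresh could be skipped. Either say in a comment that the value is intentionally reproducible, or keep the wall clock for this one output, `(long long)time(NULL), bird_tablename, bird_tablename,`. output_bird2() continues past the hunk.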
@@ -311,9 +311,6 @@ static struct mft * proc_parser_mft_post(char *file, struct mft *mft, const char *path, const char *errstr) { - /* check that now is not before from */ - time_t now = get_current_time(); - if (mft == NULL) { if (errstr == NULL) errstr = "no valid mft available"; @@ -321,14 +318,14 @@ proc_parser_mft_post(char *file, struct mft *mft, const char *path, return NULL; } - /* check that now is not before from */ - if (now < mft->thisupdate) { + /* check that evaluation_time is not before from */ + if (evaluation_time < mft->thisupdate) { warnx("%s: mft not yet valid %s", file, time2str(mft->thisupdate)); mft->stale = 1; } - /* check that now is not after until */ - if (now > mft->nextupdate) { + /* check that evaluation_time is not after until */ + if (evaluation_time > mft->nextupdate) { warnx("%s: mft expired on %s", file, time2str(mft->nextupdate)); mft->stale = 1; diff --git a/usr.sbin/rpki-client/validate.c b/usr.sbin/rpki-client/validate.c index 412b6e61382..b21ff004c64 100644 --- a/usr.sbin/rpki-client/validate.c +++ b/usr.sbin/rpki-client/validate.c @@ -1,4 +1,4 @@ -/* $OpenBSD: validate.c,v 1.58 2023/04/26 22:05:28 beck Exp $ */ +/* $OpenBSD: validate.c,v 1.59 2023/04/27 08:37:53 beck Exp $ */ /* * Copyright (c) 2019 Kristaps Dzonsons * @@ -401,7 +401,7 @@ valid_x509(char *file, X509_STORE_CTX *store_ctx, X509 *x509, struct auth *a, cryptoerrx("OBJ_dup"); if (!X509_VERIFY_PARAM_add0_policy(params, cp_oid)) cryptoerrx("X509_VERIFY_PARAM_add0_policy"); - X509_VERIFY_PARAM_set_time(params, get_current_time()); + X509_VERIFY_PARAM_set_time(params, evaluation_time); flags = X509_V_FLAG_CRL_CHECK; flags |= X509_V_FLAG_POLICY_CHECK;
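Review bot: The comments `check that evaluation_time is not before from` / `not after until` describe the comparison but not the behavioural change in this hunk: staleness is now judged against the once-per-run snapshot, so a manifest whose nextupdate passes during a long run is no longer flagged, where the old per-call `get_current_time()` would have caught it. A short comment above the first check makes the trade-off explicit: `/* Judged against the run-wide evaluation_time (startup or -P), not the wall clock, so results are reproducible. */`. proc_parser_mft_post() extends past the hunk.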