Make rpki-client choose the verification time of the time it is invoked

rather than always getting the current system time for every certificate verification. This will result in output that is not variable on run-time. ok tb@ claudio@
2025-01-10 06:47:55 -08:00 · 2023-04-27 08:37:53 +00:00 · 2023-04-27 08:37:53 +00:00 · f0813572b9
commit f0813572b9
parent f389ce7a1d
16 changed files with 49 additions and 103 deletions
--- a/regress/usr.sbin/rpki-client/test-aspa.c
+++ b/regress/usr.sbin/rpki-client/test-aspa.c
@ -1,4 +1,4 @@
-/*	$Id: test-aspa.c,v 1.3 2023/04/27 06:11:43 claudio Exp $ */
+/*	$Id: test-aspa.c,v 1.4 2023/04/27 08:37:53 beck Exp $ */
 /*
 * Copyright (c) 2022 Job Snijders <job@fastly.com>
 * Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
@ -35,6 +35,8 @@ int outformats;
 int verbose;
 int filemode;

+int64_t evaluation_time;
+
 int
 main(int argc, char *argv[])
 {
@ -96,9 +98,3 @@ main(int argc, char *argv[])
 	printf("OK\n");
 	return 0;
 }
-
-time_t
-get_current_time(void)
-{
-	return time(NULL);
-}
--- a/regress/usr.sbin/rpki-client/test-cert.c
+++ b/regress/usr.sbin/rpki-client/test-cert.c
@ -1,4 +1,4 @@
-/*	$Id: test-cert.c,v 1.21 2023/04/27 06:11:43 claudio Exp $ */
+/*	$Id: test-cert.c,v 1.22 2023/04/27 08:37:53 beck Exp $ */
 /*
 * Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
 *
@ -36,6 +36,8 @@ int outformats;
 int verbose;
 int filemode;

+int64_t evaluation_time;
+
 int
 main(int argc, char *argv[])
 {
@ -125,9 +127,3 @@ main(int argc, char *argv[])
 	printf("OK\n");
 	return 0;
 }
-
-time_t
-get_current_time(void)
-{
-	return time(NULL);
-}
--- a/regress/usr.sbin/rpki-client/test-gbr.c
+++ b/regress/usr.sbin/rpki-client/test-gbr.c
@ -1,4 +1,4 @@
-/*	$Id: test-gbr.c,v 1.13 2023/04/27 06:11:43 claudio Exp $ */
+/*	$Id: test-gbr.c,v 1.14 2023/04/27 08:37:53 beck Exp $ */
 /*
 * Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
 *
@ -34,6 +34,8 @@ int outformats;
 int verbose;
 int filemode;

+int64_t evaluation_time;
+
 int
 main(int argc, char *argv[])
 {
@ -96,9 +98,3 @@ main(int argc, char *argv[])
 	printf("OK\n");
 	return 0;
 }
-
-time_t
-get_current_time(void)
-{
-	return time(NULL);
-}
--- a/regress/usr.sbin/rpki-client/test-geofeed.c
+++ b/regress/usr.sbin/rpki-client/test-geofeed.c
@ -1,4 +1,4 @@
-/*	$Id: test-geofeed.c,v 1.2 2023/04/27 06:11:43 claudio Exp $ */
+/*	$Id: test-geofeed.c,v 1.3 2023/04/27 08:37:53 beck Exp $ */
 /*
 * Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
 *
@ -34,6 +34,8 @@ int outformats;
 int verbose;
 int filemode;

+int64_t evaluation_time;
+
 int
 main(int argc, char *argv[])
 {
@ -96,9 +98,3 @@ main(int argc, char *argv[])
 	printf("OK\n");
 	return 0;
 }
-
-time_t
-get_current_time(void)
-{
-	return time(NULL);
-}
--- a/regress/usr.sbin/rpki-client/test-ip.c
+++ b/regress/usr.sbin/rpki-client/test-ip.c
@ -1,4 +1,4 @@
-/*	$Id: test-ip.c,v 1.7 2023/04/27 06:11:43 claudio Exp $ */
+/*	$Id: test-ip.c,v 1.8 2023/04/27 08:37:53 beck Exp $ */
 /*
 * Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
 *
@ -35,6 +35,8 @@ int outformats;
 int verbose;
 int filemode;

+int64_t evaluation_time;
+
 static void
 test(const char *res, uint16_t afiv, size_t sz, size_t unused, ...)
 {
@ -128,9 +130,3 @@ main(int argc, char *argv[])
 	printf("OK\n");
 	return 0;
 }
-
-time_t
-get_current_time(void)
-{
-	return time(NULL);
-}
--- a/regress/usr.sbin/rpki-client/test-mft.c
+++ b/regress/usr.sbin/rpki-client/test-mft.c
@ -1,4 +1,4 @@
-/*	$Id: test-mft.c,v 1.23 2023/04/27 06:11:43 claudio Exp $ */
+/*	$Id: test-mft.c,v 1.24 2023/04/27 08:37:53 beck Exp $ */
 /*
 * Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
 *
@ -36,6 +36,8 @@
 int outformats;
 int verbose;

+int64_t evaluation_time;
+
 int
 main(int argc, char *argv[])
 {
@ -97,9 +99,3 @@ main(int argc, char *argv[])
 	printf("OK\n");
 	return 0;
 }
-
-time_t
-get_current_time(void)
-{
-	return time(NULL);
-}
--- a/regress/usr.sbin/rpki-client/test-roa.c
+++ b/regress/usr.sbin/rpki-client/test-roa.c
@ -1,4 +1,4 @@
-/*	$Id: test-roa.c,v 1.21 2023/04/27 06:11:43 claudio Exp $ */
+/*	$Id: test-roa.c,v 1.22 2023/04/27 08:37:53 beck Exp $ */
 /*
 * Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
 *
@ -34,6 +34,8 @@ int outformats;
 int verbose;
 int filemode;

+int64_t evaluation_time;
+
 int
 main(int argc, char *argv[])
 {
@ -95,9 +97,3 @@ main(int argc, char *argv[])
 	printf("OK\n");
 	return 0;
 }
-
-time_t
-get_current_time(void)
-{
-	return time(NULL);
-}
--- a/regress/usr.sbin/rpki-client/test-rrdp.c
+++ b/regress/usr.sbin/rpki-client/test-rrdp.c
@ -1,4 +1,4 @@
-/*	$OpenBSD: test-rrdp.c,v 1.4 2023/04/27 06:11:43 claudio Exp $ */
+/*	$OpenBSD: test-rrdp.c,v 1.5 2023/04/27 08:37:53 beck Exp $ */
 /*
 * Copyright (c) 2020 Nils Fisher <nils_fisher@hotmail.com>
 * Copyright (c) 2021 Claudio Jeker <claudio@openbsd.org>
@ -37,6 +37,8 @@

 int verbose;

+int64_t evaluation_time;
+
 #define REGRESS_NOTIFY_URI	"https://rpki.example.com/notify.xml"

 #define MAX_SESSIONS	12
@ -338,9 +340,3 @@ usage:
 	    "-d | -n | -s\n", "test-rrdp");
 	exit(1);
 }
-
-time_t
-get_current_time(void)
-{
-	return time(NULL);
-}
--- a/regress/usr.sbin/rpki-client/test-rsc.c
+++ b/regress/usr.sbin/rpki-client/test-rsc.c
@ -1,4 +1,4 @@
-/*	$Id: test-rsc.c,v 1.6 2023/04/27 06:11:43 claudio Exp $ */
+/*	$Id: test-rsc.c,v 1.7 2023/04/27 08:37:53 beck Exp $ */
 /*
 * Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
 *
@ -37,6 +37,8 @@ int outformats;
 int verbose;
 int filemode;

+int64_t evaluation_time;
+
 int
 main(int argc, char *argv[])
 {
@ -98,9 +100,3 @@ main(int argc, char *argv[])
 	printf("OK\n");
 	return 0;
 }
-
-time_t
-get_current_time(void)
-{
-	return time(NULL);
-}
--- a/regress/usr.sbin/rpki-client/test-tak.c
+++ b/regress/usr.sbin/rpki-client/test-tak.c
@ -1,4 +1,4 @@
-/*	$Id: test-tak.c,v 1.3 2023/04/27 06:11:43 claudio Exp $ */
+/*	$Id: test-tak.c,v 1.4 2023/04/27 08:37:53 beck Exp $ */
 /*
 * Copyright (c) 2022 Job Snijders <job@fastly.com>
 * Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
@ -35,6 +35,8 @@ int outformats;
 int verbose;
 int filemode;

+int64_t evaluation_time;
+
 int
 main(int argc, char *argv[])
 {
@ -96,9 +98,3 @@ main(int argc, char *argv[])
 	printf("OK\n");
 	return 0;
 }
-
-time_t
-get_current_time(void)
-{
-	return time(NULL);
-}
--- a/regress/usr.sbin/rpki-client/test-tal.c
+++ b/regress/usr.sbin/rpki-client/test-tal.c
@ -1,4 +1,4 @@
-/*	$Id: test-tal.c,v 1.10 2023/04/27 06:11:43 claudio Exp $ */
+/*	$Id: test-tal.c,v 1.11 2023/04/27 08:37:53 beck Exp $ */
 /*
 * Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
 *
@ -32,6 +32,8 @@
 int outformats;
 int verbose;

+int64_t evaluation_time;
+
 int
 main(int argc, char *argv[])
 {
@ -80,9 +82,3 @@ main(int argc, char *argv[])
 	printf("OK\n");
 	return 0;
 }
-
-time_t
-get_current_time(void)
-{
-	return time(NULL);
-}
--- a/usr.sbin/rpki-client/extern.h
+++ b/usr.sbin/rpki-client/extern.h
@ -1,4 +1,4 @@
-/*	$OpenBSD: extern.h,v 1.179 2023/04/26 22:05:28 beck Exp $ */
+/*	$OpenBSD: extern.h,v 1.180 2023/04/27 08:37:53 beck Exp $ */
 /*
 * Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
 *
@ -950,6 +950,6 @@ int	mkpathat(int, const char *);
 */
 #define X509_TIME_MAX 253402300799LL
 #define X509_TIME_MIN -62167219200LL
-extern time_t  get_current_time(void);
+extern int64_t evaluation_time;

 #endif /* ! EXTERN_H */
--- a/usr.sbin/rpki-client/main.c
+++ b/usr.sbin/rpki-client/main.c
@ -1,4 +1,4 @@
-/*	$OpenBSD: main.c,v 1.235 2023/04/26 22:05:28 beck Exp $ */
+/*	$OpenBSD: main.c,v 1.236 2023/04/27 08:37:53 beck Exp $ */
 /*
 * Copyright (c) 2021 Claudio Jeker <claudio@openbsd.org>
 * Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
@ -74,7 +74,7 @@ int	rrdpon = 1;
 int	repo_timeout;
 time_t	deadline;

-int64_t  evaluation_time = X509_TIME_MIN;
+int64_t  evaluation_time;

 struct stats	 stats;

@ -126,14 +126,6 @@ entity_free(struct entity *ent)
 	free(ent);
 }

-time_t
-get_current_time(void)
-{
-	if (evaluation_time > X509_TIME_MIN)
-		return (time_t) evaluation_time;
-	return time(NULL);
-}
-
 /*
 * Read a queue entity from the descriptor.
 * Matched by entity_buffer_req().
@ -973,6 +965,8 @@ main(int argc, char *argv[])
 	    "proc exec unveil", NULL) == -1)
 		err(1, "pledge");

+	evaluation_time = time(NULL);
+
 	while ((c = getopt(argc, argv, "Ab:Bcd:e:fH:jmnoP:rRs:S:t:T:vV")) != -1)
 		switch (c) {
 		case 'A':
@ -1014,7 +1008,7 @@ main(int argc, char *argv[])
 			outformats |= FORMAT_OPENBGPD;
 			break;
 		case 'P':
-			evaluation_time = strtonum(optarg, X509_TIME_MIN + 1,
+			evaluation_time = strtonum(optarg, X509_TIME_MIN,
 			    X509_TIME_MAX, &errs);
 			if (errs)
 				errx(1, "-P: time in seconds %s", errs);
--- a/usr.sbin/rpki-client/output-bird.c
+++ b/usr.sbin/rpki-client/output-bird.c
@ -1,4 +1,4 @@
-/*	$OpenBSD: output-bird.c,v 1.16 2023/04/26 22:05:28 beck Exp $ */
+/*	$OpenBSD: output-bird.c,v 1.17 2023/04/27 08:37:53 beck Exp $ */
 /*
 * Copyright (c) 2019 Claudio Jeker <claudio@openbsd.org>
 * Copyright (c) 2020 Robert Scheck <robert@fedoraproject.org>
@ -84,7 +84,6 @@ output_bird2(FILE *out, struct vrp_tree *vrps, struct brk_tree *brks,
 {
 	extern		const char *bird_tablename;
 	struct vrp	*v;
-	time_t		 now = get_current_time();

 	if (outputheader(out, st) < 0)
 		return -1;
@ -92,7 +91,7 @@ output_bird2(FILE *out, struct vrp_tree *vrps, struct brk_tree *brks,
 	if (fprintf(out, "\ndefine force_roa_table_update = %lld;\n\n"
 	    "roa4 table %s4;\nroa6 table %s6;\n\n"
 	    "protocol static {\n\troa4 { table %s4; };\n\n",
-	    (long long)now, bird_tablename, bird_tablename,
+	    (long long)evaluation_time, bird_tablename, bird_tablename,
 	    bird_tablename) < 0)
 		return -1;

--- a/usr.sbin/rpki-client/parser.c
+++ b/usr.sbin/rpki-client/parser.c
@ -1,4 +1,4 @@
-/*	$OpenBSD: parser.c,v 1.92 2023/04/26 22:05:28 beck Exp $ */
+/*	$OpenBSD: parser.c,v 1.93 2023/04/27 08:37:53 beck Exp $ */
 /*
 * Copyright (c) 2019 Claudio Jeker <claudio@openbsd.org>
 * Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
@ -311,9 +311,6 @@ static struct mft *
 proc_parser_mft_post(char *file, struct mft *mft, const char *path,
    const char *errstr)
 {
-	/* check that now is not before from */
-	time_t now = get_current_time();
-
 	if (mft == NULL) {
 		if (errstr == NULL)
 			errstr = "no valid mft available";
@ -321,14 +318,14 @@ proc_parser_mft_post(char *file, struct mft *mft, const char *path,
 		return NULL;
 	}

-	/* check that now is not before from */
-	if (now < mft->thisupdate) {
+	/* check that evaluation_time is not before from */
+	if (evaluation_time < mft->thisupdate) {
 		warnx("%s: mft not yet valid %s", file,
 		    time2str(mft->thisupdate));
 		mft->stale = 1;
 	}
-	/* check that now is not after until */
-	if (now > mft->nextupdate) {
+	/* check that evaluation_time is not after until */
+	if (evaluation_time > mft->nextupdate) {
 		warnx("%s: mft expired on %s", file,
 		    time2str(mft->nextupdate));
 		mft->stale = 1;
--- a/usr.sbin/rpki-client/validate.c
+++ b/usr.sbin/rpki-client/validate.c
@ -1,4 +1,4 @@
-/*	$OpenBSD: validate.c,v 1.58 2023/04/26 22:05:28 beck Exp $ */
+/*	$OpenBSD: validate.c,v 1.59 2023/04/27 08:37:53 beck Exp $ */
 /*
 * Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
 *
@ -401,7 +401,7 @@ valid_x509(char *file, X509_STORE_CTX *store_ctx, X509 *x509, struct auth *a,
 		cryptoerrx("OBJ_dup");
 	if (!X509_VERIFY_PARAM_add0_policy(params, cp_oid))
 		cryptoerrx("X509_VERIFY_PARAM_add0_policy");
-	X509_VERIFY_PARAM_set_time(params, get_current_time());
+	X509_VERIFY_PARAM_set_time(params, evaluation_time);

 	flags = X509_V_FLAG_CRL_CHECK;
 	flags |= X509_V_FLAG_POLICY_CHECK;