From: Wouter Wijngaards Date: Fri, 1 Oct 2010 12:14:05 +0000 (+0000) Subject: no override time, works on Minix and not needed for the tpkg. X-Git-Tag: release-1.4.7rc1~54 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f3a4dad2c8e8fb6b39d2b9e54050b7747c8f2f0f;p=thirdparty%2Funbound.git no override time, works on Minix and not needed for the tpkg. git-svn-id: file:///svn/unbound/trunk@2271 be551aaa-1e26-0410-a405-d3ace91eadb9 --- diff --git a/doc/unbound-anchor.8.in b/doc/unbound-anchor.8.in index 0c87bf7a1..a98cd0f83 100644 --- a/doc/unbound-anchor.8.in +++ b/doc/unbound-anchor.8.in @@ -108,9 +108,7 @@ errors by default; in that case the original root anchor file is simply left undisturbed, so that a recursive server can start right after it. .TP .B \-C \fIunbound.conf -Debug option to read unbound.conf into the resolution process used. For tests. -The validator date override option makes it possible to run a test on a -different date. +Debug option to read unbound.conf into the resolver process used. .TP .B \-P \fIport Set the port number to use for the https connection. The default is 443. diff --git a/smallapp/unbound-anchor.c b/smallapp/unbound-anchor.c index 5c4bb5985..1550e72bb 100644 --- a/smallapp/unbound-anchor.c +++ b/smallapp/unbound-anchor.c @@ -296,32 +296,6 @@ create_unbound_context(char* res_conf, char* root_hints, char* debugconf, return ctx; } -/** - * Get current time. - * @param debugconf: with override time for tests - */ -static time_t -get_time_now(char* debugconf) -{ - if(debugconf) { - FILE* in = fopen(debugconf, "r"); - char line[1024]; - if(!in) { - if(verb) printf("%s: %s\n", debugconf, strerror(errno)); - return (time_t)time(NULL); - } - /* must be ^val-override-date: 1234567$ formatted */ - while(fgets(line, (int)sizeof(line), in)) { - if(strncmp(line, "val-override-date: ", 19) == 0) { - fclose(in); - return (time_t)atoi(line+19); - } - } - fclose(in); - } - return (time_t)time(NULL); -} - /** printout certificate in detail */ static void verb_cert(char* msg, X509* x) @@ -1482,7 +1456,7 @@ xml_parse(BIO* xml, time_t now) /** verify a PKCS7 signature, false on failure */ static int -verify_p7sig(BIO* data, BIO* p7s, STACK_OF(X509)* trust, time_t now) +verify_p7sig(BIO* data, BIO* p7s, STACK_OF(X509)* trust) { X509_VERIFY_PARAM* param = X509_VERIFY_PARAM_new(); PKCS7* p7; @@ -1511,9 +1485,6 @@ verify_p7sig(BIO* data, BIO* p7s, STACK_OF(X509)* trust, time_t now) if(verb >= 2) printf("parsed the PKCS7 signature\n"); /* convert trust to trusted certificate store */ - /* set current time */ - if(verb >= 2) printf("time set to %u %s", (unsigned)now, ctime(&now)); - X509_VERIFY_PARAM_set_time(param, now); /* do the selfcheck on the root certificate; it checks that the * input is valid */ #ifdef X509_V_FLAG_CHECK_SS_SIGNATURE @@ -1598,20 +1569,19 @@ write_root_anchor(char* root_anchor_file, BIO* ds) /** Perform the verification and update of the trustanchor file */ static void -verify_and_update_anchor(char* root_anchor_file, char* debugconf, - BIO* xml, BIO* p7s, STACK_OF(X509)* cert) +verify_and_update_anchor(char* root_anchor_file, BIO* xml, BIO* p7s, + STACK_OF(X509)* cert) { - time_t now = get_time_now(debugconf); BIO* ds; /* verify xml file */ - if(!verify_p7sig(xml, p7s, cert, now)) { + if(!verify_p7sig(xml, p7s, cert)) { printf("the PKCS7 signature failed\n"); exit(0); } /* parse the xml file into DS records */ - ds = xml_parse(xml, now); + ds = xml_parse(xml, time(NULL)); if(!ds) { /* the root zone is unsigned now */ write_unsigned_root(root_anchor_file); @@ -1645,7 +1615,7 @@ do_certupdate(char* root_anchor_file, char* root_cert_file, p7s = https(ip_list, p7sname, urlname); /* verify and update the root anchor */ - verify_and_update_anchor(root_anchor_file, debugconf, xml, p7s, cert); + verify_and_update_anchor(root_anchor_file, xml, p7s, cert); if(verb) printf("success: the anchor has been updated " "using the cert\n"); @@ -1831,18 +1801,17 @@ read_last_success_time(char* file) * and the failure cannot be solved with a certupdate. * The debugconf is to validation-override the date for testing. * @param root_anchor_file: filename of root key - * @param debugconf: debug unbound.conf (with override date) or NULL. * @return true if certupdate is ok. */ static int -probe_date_allows_certupdate(char* root_anchor_file, char* debugconf) +probe_date_allows_certupdate(char* root_anchor_file) { int32_t last_success = read_last_success_time(root_anchor_file); - int32_t now = (int32_t)get_time_now(debugconf); + int32_t now = (int32_t)time(NULL); int32_t leeway = 30 * 24 * 3600; /* 30 days leeway */ /* if the date is before 2010-07-15:00.00.00 then the root has not * been signed yet, and thus we refuse to take action. */ - if(get_time_now(debugconf) < xml_convertdate("2010-07-15T00:00:00")) { + if(time(NULL) < xml_convertdate("2010-07-15T00:00:00")) { if(verb) printf("the date is before the root was first signed," " please correct the clock\n"); return 0; @@ -1894,8 +1863,8 @@ do_root_update_work(char* root_anchor_file, char* root_cert_file, if(force && verb) printf("debug cert update forced\n"); /* if not (and NOERROR): check date and do certupdate */ - if((dnskey->rcode == 0 && probe_date_allows_certupdate(root_anchor_file, - debugconf)) || force) { + if((dnskey->rcode == 0 && + probe_date_allows_certupdate(root_anchor_file)) || force) { if(do_certupdate(root_anchor_file, root_cert_file, urlname, xmlname, p7sname, res_conf, root_hints, debugconf, ip4only, ip6only, port, dnskey)) diff --git a/testdata/10-unbound-anchor.tpkg b/testdata/10-unbound-anchor.tpkg index 004902132..aa768eff3 100644 Binary files a/testdata/10-unbound-anchor.tpkg and b/testdata/10-unbound-anchor.tpkg differ