add ci for checking timebombs

aws · Sep 30, 2024 · a5741ac · a5741ac
1 parent 36e0307
commit a5741ac
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 2 deletions.
diff --git a/.github/workflows/actions-ci.yml b/.github/workflows/actions-ci.yml
@@ -29,6 +29,26 @@ jobs:
           cmake -GNinja -Btest_build_dir
           ninja -C test_build_dir run_tests
 
+  # Update the system time and check for any potential time bomb tests in the future.
+  # Integration tests can't connect to endpoints properly with a misaligned system time,
+  # so we only check crypto_test and ssl_test.
+  time-bomb-check-test-run:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Git clone the repository
+        uses: actions/checkout@v3
+      - name: Checking for Time-bombs Test Run
+        run: |
+          sudo apt-get update -o Acquire::Languages=none -o Acquire::Translation=none
+          sudo apt-get install ninja-build
+          sudo timedatectl set-ntp 0
+          trap 'sudo timedatectl set-ntp 1' EXIT
+          sudo date -s "+10 years"
+          cmake -GNinja -Btest_build_dir
+          ninja -C test_build_dir
+          ./test_build_dir/crypto/crypto_test
+          ./test_build_dir/ssl/ssl_test
+
   macOS-x86:
     if: github.repository_owner == 'aws'
     needs: [sanity-test-run]

diff --git a/crypto/ocsp/ocsp_test.cc b/crypto/ocsp/ocsp_test.cc
@@ -416,11 +416,14 @@ TEST(OCSPTest, TestGoodOCSP) {
   // This will cause the function to fail in two places, once when checking
   // if "(current_time + nsec) > thisupd [Status Not Yet Valid]", and a second
   // time when checking if "nextupd > (current_time - nsec) [Status Expired]".
+  // The inverse happens when |thisupd| is outdated.
   EXPECT_FALSE(OCSP_check_validity(thisupd, nextupd, -time(nullptr), -1));
   err = ERR_get_error();
-  EXPECT_EQ(OCSP_R_STATUS_NOT_YET_VALID, ERR_GET_REASON(err));
+  EXPECT_TRUE(ERR_GET_REASON(err) == OCSP_R_STATUS_NOT_YET_VALID ||
+              ERR_GET_REASON(err) == OCSP_R_STATUS_EXPIRED);
   err = ERR_get_error();
-  EXPECT_EQ(OCSP_R_STATUS_EXPIRED, ERR_GET_REASON(err));
+  EXPECT_TRUE(ERR_GET_REASON(err) == OCSP_R_STATUS_NOT_YET_VALID ||
+              ERR_GET_REASON(err) == OCSP_R_STATUS_EXPIRED);
   ERR_clear_error();
 
   // Check that "NEXTUPDATE_BEFORE_THISUPDATE" is properly detected. We have to