From a5741acb3f4b062c4777744877a19b72395d9189 Mon Sep 17 00:00:00 2001
From: samuel40791765
Date: Mon, 30 Sep 2024 21:14:39 +0000
Subject: [PATCH] add ci for checking timebombs
---
 .github/workflows/actions-ci.yml | 20 ++++++++++++++++++++
 crypto/ocsp/ocsp_test.cc | 7 +++++--
 2 files changed, 25 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/actions-ci.yml b/.github/workflows/actions-ci.yml
index 26f3c09e7f..ac2f30651b 100644
--- a/.github/workflows/actions-ci.yml
+++ b/.github/workflows/actions-ci.yml
@@ -29,6 +29,26 @@ jobs:
 cmake -GNinja -Btest_build_dir
 ninja -C test_build_dir run_tests
+ # Update the system time and check for any potential time bomb tests in the future.
+ # Integration tests can't connect to endpoints properly with a misaligned system time,
+ # so we only check crypto_test and ssl_test.
+ time-bomb-check-test-run:
+ runs-on: ubuntu-latest
+ steps:
+ - name: Git clone the repository
+ uses: actions/checkout@v3
+ - name: Checking for Time-bombs Test Run
+ run: |
+ sudo apt-get update -o Acquire::Languages=none -o Acquire::Translation=none
+ sudo apt-get install ninja-build
+ sudo timedatectl set-ntp 0
+ trap 'sudo timedatectl set-ntp 1' EXIT
+ sudo date -s "+10 years"
+ cmake -GNinja -Btest_build_dir
+ ninja -C test_build_dir
+ ./test_build_dir/crypto/crypto_test
+ ./test_build_dir/ssl/ssl_test
+
 macOS-x86:
 if: github.repository_owner == 'aws'
 needs: [sanity-test-run]
diff --git a/crypto/ocsp/ocsp_test.cc b/crypto/ocsp/ocsp_test.cc
index 357e5bf564..cb999ac46d 100644
--- a/crypto/ocsp/ocsp_test.cc
+++ b/crypto/ocsp/ocsp_test.cc
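Review bot: The new `time-bomb-check-test-run` job carries neither the `if: github.repository_owner == 'aws'` guard nor the `needs: [sanity-test-run]` gate that the `macOS-x86` job in the trailing context has, so as written it is not restricted to the upstream owner and does not wait for the sanity run; if the other jobs in this workflow follow the `macOS-x86` pattern, add both lines under the job name. `uses: actions/checkout@v3` refers to a mutable tag, and pinning it to a full commit SHA (`uses: actions/checkout@<full-commit-sha> # v3`) would keep a moved tag from changing what executes in the job. Both test binaries run in one `run: |` script, and assuming the workflow does not override the default fail-fast bash shell, a failing `crypto_test` ends the step before `ssl_test` starts, so a single run can hide time bombs in the second binary; separate steps, or collecting both exit codes before failing, would report both.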
@@ -416,11 +416,14 @@ TEST(OCSPTest, TestGoodOCSP) {
 // This will cause the function to fail in two places, once when checking
 // if "(current_time + nsec) > thisupd [Status Not Yet Valid]", and a second
 // time when checking if "nextupd > (current_time - nsec) [Status Expired]".
+ // The inverse happens when |thisupd| is outdated.
 EXPECT_FALSE(OCSP_check_validity(thisupd, nextupd, -time(nullptr), -1));
 err = ERR_get_error();
- EXPECT_EQ(OCSP_R_STATUS_NOT_YET_VALID, ERR_GET_REASON(err));
+ EXPECT_TRUE(ERR_GET_REASON(err) == OCSP_R_STATUS_NOT_YET_VALID ||
+ ERR_GET_REASON(err) == OCSP_R_STATUS_EXPIRED);
 err = ERR_get_error();
- EXPECT_EQ(OCSP_R_STATUS_EXPIRED, ERR_GET_REASON(err));
+ EXPECT_TRUE(ERR_GET_REASON(err) == OCSP_R_STATUS_NOT_YET_VALID ||
+ ERR_GET_REASON(err) == OCSP_R_STATUS_EXPIRED);
 ERR_clear_error();
 // Check that "NEXTUPDATE_BEFORE_THISUPDATE" is properly detected. We have to
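Review bot: Both relaxed assertions accept either `OCSP_R_STATUS_NOT_YET_VALID` or `OCSP_R_STATUS_EXPIRED`, so the test now passes when the same reason is queued twice and no longer shows that both validity-window checks fired. Keeping the first reason (`const auto first_reason = ERR_GET_REASON(err);` after the first `ERR_get_error()`) and adding `EXPECT_NE(first_reason, ERR_GET_REASON(err));` after the second would restore that guarantee while still allowing either order. `EXPECT_TRUE` on a boolean expression also drops the actual reason code from the failure output, which the removed `EXPECT_EQ` lines printed. The added comment `// The inverse happens when |thisupd| is outdated.` could say what is inverted (presumably the order of the two queued errors). The body of `TestGoodOCSP` starts and ends outside this hunk.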