Source: gnutls28
Version: 3.7.9-1
Severity: wishlist
Tags: patch upstream

Hello.
Datefudge is broken on 32-bit architectures (release-critical bug #1028587). The author recommends using alternative tools in message 24 of the bug log. Only two consumers remain, gnutls28 and oath-toolkit. The attached diff replaces datefudge with faketime in gnutls28. The change only affects tests. A test fails after a local build, but the timestamps seem correct. The severity is 'wishlist' for gnutls28, but the attached patch (and a similar one for oath-toolkit) would allow removing the datefudge package and 1 RC bug from bookworm.
>From c19e8f2261f9b29a37503d13728ae100c8a50168 Mon Sep 17 00:00:00 2001 From: Nicolas Boulenguez <nico...@debian.org> Date: Sat, 18 Feb 2023 15:28:29 +0100 Subject: [PATCH] Replace datefudge with faketime --- debian/control | 2 +- .../replace-datefudge-with-faketime.diff | 1642 +++++++++++++++++ debian/patches/series | 1 + debian/tests/control | 2 +- 4 files changed, 1645 insertions(+), 2 deletions(-) create mode 100644 debian/patches/replace-datefudge-with-faketime.diff diff --git a/debian/control b/debian/control index 5985ac3..37e60ef 100644 --- a/debian/control +++ b/debian/control @@ -11,7 +11,7 @@ Build-Depends: bison, ca-certificates <!nocheck>, chrpath, - datefudge <!nocheck>, + faketime <!nocheck>, debhelper-compat (= 13), freebsd-net-tools [kfreebsd-i386 kfreebsd-amd64] <!nocheck>, gperf, diff --git a/debian/patches/replace-datefudge-with-faketime.diff b/debian/patches/replace-datefudge-with-faketime.diff new file mode 100644 index 0000000..7c0a54e --- /dev/null +++ b/debian/patches/replace-datefudge-with-faketime.diff 
@@ -0,0 +1,1642 @@ +Description: replace datefudge with faketime + Datefudge is broken on 32-bit architectures. The author recommends + to use alternative tools in message 24 of #1028587. + . + There only remains two users of datefudge, which has an RC bug. + . + The equivalent of datefudge -s/--static 'FREE FORM DATE' + is faketime -f 'YYYY-MM-DD HH:MM:SS'. + . + SKIP_DATEFUDGE_CHECK looks like a work-around for datefudge on 32-bit + architectures, not required by faketime. + . + Ideally, 'tests/datefudge-check.c' should be renamed, but plain diff + format does not (fully) deal with file renamings. + The shell subprograms + tests/scripts/common.sh:check_for_datefudge + tests/scripts/common.sh:skip_if_no_datefudge + could also be renamed, but this would produce a lot of meaningless + noise in this diff. + It should be easy to + # mv tests/datefudge-check.c tests/faketime-check.c + # grep -lr datefudge tests | xargs sed -i 's/datefudge/faketime/g' + after the main suggestion has been tested and accepted. +Author: Nicolas Boulenguez <nico...@debian.org> + +--- a/CONTRIBUTING.md ++++ b/CONTRIBUTING.md +@@ -44,7 +44,7 @@ + + Certificates for testing purposes are available at [cert-common.h](tests/cert-common.h). + Note that we do not regenerate test certificates when they expire, but +-we rather fix the test's time using datefudge or gnutls_global_set_time_function(). ++we rather fix the test's time using faketime or gnutls_global_set_time_function(). + For example, see [x509cert-tl.c](tests/x509cert-tl.c). 
+ + +--- a/README.md ++++ b/README.md +@@ -85,7 +85,7 @@ + + * [Valgrind](https://valgrind.org/) (optional) + * [Libasan](https://gcc.gnu.org//) (optional) +-* [datefudge](https://packages.debian.org/datefudge) (optional) ++* [faketime](https://github.com/wolfcw/libfaketime) (optional) + * [nodejs](https://nodejs.org/) (needed for certain test cases) + * [softhsm](https://www.opendnssec.org/softhsm/) (for testing smart card support) + * [dieharder](https://www.phy.duke.edu/~rgb/General/dieharder.php) (for testing PRNG) +@@ -95,7 +95,7 @@ + + Debian/Ubuntu: + ``` +-apt-get install -y valgrind nodejs softhsm2 datefudge lcov libssl-dev libcmocka-dev expect libev-dev ++apt-get install -y valgrind nodejs softhsm2 faketime lcov libssl-dev libcmocka-dev expect libev-dev + apt-get install -y dieharder openssl abigail-tools socat net-tools ppp util-linux + ``` + +@@ -107,7 +107,7 @@ + + Fedora/RHEL: + ``` +-yum install -y valgrind libasan libasan-static libubsan nodejs softhsm datefudge lcov openssl-devel expect libev-devel ++yum install -y valgrind libasan libasan-static libubsan nodejs softhsm faketime lcov openssl-devel expect libev-devel + yum install -y dieharder mbedtls-utils openssl libabigail libcmocka-devel socat util-linux + ``` + +--- a/tests/cert-reencoding.sh ++++ b/tests/cert-reencoding.sh +@@ -239,18 +239,18 @@ + + echo "=== Bringing TLS server up ===" + +-TESTDATE="2018-03-01" ++TESTDATE="2018-03-01 00:00:00" + + # Start OpenSSL TLS server + # + launch_bare_server \ +- datefudge "${TESTDATE}" \ ++ faketime "${TESTDATE}" \ + "${OPENSSL}" s_server -cert ${SERVER_CERT_FILE} -key ${SERVER_KEY_FILE} \ + -CAfile ${CA_FILE} -port ${PORT} -Verify 1 -verify_return_error -www + SERVER_PID="${!}" + wait_server "${SERVER_PID}" + +-datefudge -s "${TESTDATE}" \ ++faketime -f "${TESTDATE}" \ + "${CLI}" --x509certfile ${CLIENT_CERT_FILE} \ + --x509keyfile ${CLIENT_KEY_FILE} --x509cafile=${CA_FILE} \ + --port="${PORT}" localhost </dev/null +--- 
a/tests/cert-tests/alt-chain.sh ++++ b/tests/cert-tests/alt-chain.sh +@@ -42,7 +42,7 @@ + NEW_CA_FILE="${srcdir}/data/alt-chain-new-ca.pem" + + echo "" +-datefudge -s "2017-5-10" \ ++faketime -f "2017-5-10 00:00:00" \ + ${VALGRIND} "${CERTTOOL}" --load-ca-certificate ${OLD_CA_FILE} --verify-hostname www.google.com --verify --infile "${srcdir}/data/alt-chain.pem" >${OUTFILE} + rc=$? + +@@ -53,7 +53,7 @@ + fi + + echo "" +-datefudge -s "2017-5-10" \ ++faketime -f "2017-5-10 00:00:00" \ + ${VALGRIND} "${CERTTOOL}" --load-ca-certificate ${NEW_CA_FILE} --verify-hostname www.google.com --verify --infile "${srcdir}/data/alt-chain.pem" >${OUTFILE} + rc=$? + +--- a/tests/cert-tests/cert-critical.sh ++++ b/tests/cert-tests/cert-critical.sh +@@ -38,7 +38,7 @@ + + skip_if_no_datefudge + +-datefudge "2017-2-28" \ ++faketime "2017-2-28" \ + ${VALGRIND} "${CERTTOOL}" --verify-chain --infile ${srcdir}/data/chain-with-critical-on-root.pem + rc=$? + +@@ -47,7 +47,7 @@ + exit 1 + fi + +-datefudge "2017-2-28" \ ++faketime "2017-2-28" \ + ${VALGRIND} "${CERTTOOL}" --verify-chain --infile ${srcdir}/data/chain-with-critical-on-endcert.pem + rc=$? + +@@ -56,7 +56,7 @@ + exit 1 + fi + +-datefudge "2017-2-28" \ ++faketime "2017-2-28" \ + ${VALGRIND} "${CERTTOOL}" --verify-chain --infile ${srcdir}/data/chain-with-critical-on-intermediate.pem + rc=$? + +--- a/tests/cert-tests/cert-non-digits-time.sh ++++ b/tests/cert-tests/cert-non-digits-time.sh +@@ -35,7 +35,7 @@ + skip_if_no_datefudge + + # Check whether certificates with non-digits time fields are accepted +-datefudge -s "2019-12-19" \ ++faketime -f "2019-12-19 00:00:00" \ + ${VALGRIND}"${CERTTOOL}" --verify --load-ca-certificate "${srcdir}/data/cert-with-non-digits-time-ca.pem" --infile "${srcdir}/data/cert-with-non-digits-time.pem" + rc=$? 
+ +--- a/tests/cert-tests/certtool-eddsa.sh ++++ b/tests/cert-tests/certtool-eddsa.sh +@@ -127,7 +127,7 @@ + skip_if_no_datefudge + + # Test certificate chain using Ed25519 +-datefudge "2017-7-6" \ ++faketime "2017-7-6" \ + ${VALGRIND} "${CERTTOOL}" --verify-chain --infile ${srcdir}/data/chain-eddsa.pem + + if test $? != 0; then +--- a/tests/cert-tests/certtool-rsa-pss.sh ++++ b/tests/cert-tests/certtool-rsa-pss.sh +@@ -212,7 +212,7 @@ + + skip_if_no_datefudge + +-datefudge "2012-11-22" \ ++faketime "2012-11-22" \ + ${VALGRIND} "${CERTTOOL}" --verify --load-ca-certificate "${srcdir}/data/cert-rsa-pss.pem" --infile "${srcdir}/data/cert-rsa-pss.pem" + rc=$? + +--- a/tests/cert-tests/certtool-verify-profiles.sh ++++ b/tests/cert-tests/certtool-verify-profiles.sh +@@ -39,7 +39,7 @@ + skip_if_no_datefudge + + echo "Checking chain with insecure leaf" +-datefudge -s "2019-12-19" \ ++faketime -f "2019-12-19 00:00:00" \ + ${VALGRIND} "${CERTTOOL}" --verify-chain --verify-profile=medium --infile "${srcdir}/data/chain-512-leaf.pem" >${OUTFILE} + rc=$? + +@@ -50,7 +50,7 @@ + fi + + echo "Checking chain with insecure subca" +-datefudge -s "2019-12-19" \ ++faketime -f "2019-12-19 00:00:00" \ + ${VALGRIND} "${CERTTOOL}" --verify-chain --verify-profile=medium --infile "${srcdir}/data/chain-512-subca.pem" >${OUTFILE} + rc=$? + +@@ -62,7 +62,7 @@ + + + echo "Checking chain with insecure ca" +-datefudge -s "2019-12-19" \ ++faketime -f "2019-12-19 00:00:00" \ + ${VALGRIND} "${CERTTOOL}" --verify-chain --verify-profile=medium --infile "${srcdir}/data/chain-512-ca.pem" >${OUTFILE} + rc=$? + +--- a/tests/cert-tests/certtool.sh ++++ b/tests/cert-tests/certtool.sh +@@ -173,7 +173,7 @@ + + skip_if_no_datefudge + +-cat "${srcdir}/../certs/cert-ecc256.pem" "${srcdir}/../certs/ca-cert-ecc.pem"|datefudge "2012-11-22" \ ++cat "${srcdir}/../certs/cert-ecc256.pem" "${srcdir}/../certs/ca-cert-ecc.pem"|faketime "2012-11-22" \ + ${VALGRIND} "${CERTTOOL}" --verify-chain + rc=$? 
+ +--- a/tests/cert-tests/crl.sh ++++ b/tests/cert-tests/crl.sh +@@ -173,7 +173,7 @@ + + skip_if_no_datefudge + +-datefudge -s "2020-01-20 10:00:00" ${VALGRIND} \ ++faketime -f "2020-01-20 10:00:00" ${VALGRIND} \ + "${CERTTOOL}" --generate-crl --load-ca-privkey "${srcdir}/data/template-test.key" \ + --load-ca-certificate "${srcdir}/data/template-test.pem" \ + --load-certificate "${srcdir}/data/ca-certs.pem" --template \ +@@ -195,7 +195,7 @@ + + if test "${ac_cv_sizeof_time_t}" = 8;then + # we should test that on systems which have 64-bit time_t +- datefudge -s "2138-01-20 10:00:00" ${VALGRIND} \ ++ faketime -f "2138-01-20 10:00:00" ${VALGRIND} \ + "${CERTTOOL}" --generate-crl --load-ca-privkey "${srcdir}/data/template-test.key" \ + --load-ca-certificate "${srcdir}/data/template-test.pem" \ + --load-certificate "${srcdir}/data/ca-certs.pem" --template \ +--- a/tests/cert-tests/crq.sh ++++ b/tests/cert-tests/crq.sh +@@ -60,7 +60,7 @@ + rm -f "${OUTFILE}" + + # check whether the honor_crq_extension option works +-datefudge -s "2007-04-22" \ ++faketime -f "2007-04-22 00:00:00" \ + "${CERTTOOL}" --generate-request \ + --load-privkey "${srcdir}/data/template-test.key" \ + --template "${srcdir}/templates/template-tlsfeature.tmpl" \ +@@ -79,7 +79,7 @@ + exit 1 + fi + +-datefudge -s "2007-04-22" \ ++faketime -f "2007-04-22 00:00:00" \ + "${CERTTOOL}" --generate-certificate \ + --load-ca-privkey "${srcdir}/data/template-test.key" \ + --load-ca-certificate "${srcdir}/data/template-tlsfeature.pem" \ +@@ -132,7 +132,7 @@ + __EOF__ + + setsid \ +-datefudge -s "2007-04-22" \ ++faketime -f "2007-04-22 00:00:00" \ + "${CERTTOOL}" -q \ + --load-privkey "${srcdir}/data/template-test.key" \ + --outfile "${OUTFILE}" <$TMPFILE 2>/dev/null +@@ -148,7 +148,7 @@ + fi + + # check whether the generation with extension works +-datefudge -s "2007-04-22" \ ++faketime -f "2007-04-22 00:00:00" \ + "${CERTTOOL}" --generate-request \ + --load-privkey "${srcdir}/data/template-test.key" \ + 
--template "${srcdir}/templates/arb-extensions.tmpl" \ +@@ -169,7 +169,7 @@ + fi + + # Generate certificate from CRQ with no explicit extensions +-datefudge -s "2007-04-22" \ ++faketime -f "2007-04-22 00:00:00" \ + "${CERTTOOL}" --generate-certificate \ + --load-ca-privkey "${srcdir}/../../doc/credentials/x509/ca-key.pem" \ + --load-ca-certificate "${srcdir}/../../doc/credentials/x509/ca.pem" \ +@@ -192,7 +192,7 @@ + fi + + # Generate certificate from CRQ with CRQ extensions +-datefudge -s "2007-04-22" \ ++faketime -f "2007-04-22 00:00:00" \ + "${CERTTOOL}" --generate-certificate \ + --load-ca-privkey "${srcdir}/../../doc/credentials/x509/ca-key.pem" \ + --load-ca-certificate "${srcdir}/../../doc/credentials/x509/ca.pem" \ +@@ -215,7 +215,7 @@ + fi + + # Generate certificate from CRQ with explicit extensions +-datefudge -s "2007-04-22" \ ++faketime -f "2007-04-22 00:00:00" \ + "${CERTTOOL}" --generate-certificate \ + --load-ca-privkey "${srcdir}/../../doc/credentials/x509/ca-key.pem" \ + --load-ca-certificate "${srcdir}/../../doc/credentials/x509/ca.pem" \ +--- a/tests/cert-tests/inhibit-anypolicy.sh ++++ b/tests/cert-tests/inhibit-anypolicy.sh +@@ -38,7 +38,7 @@ + + skip_if_no_datefudge + +-datefudge -s "2017-04-22" \ ++faketime -f "2017-04-22 00:00:00" \ + "${CERTTOOL}" --generate-self-signed \ + --load-privkey "${srcdir}/data/key-ca.pem" \ + --template "${srcdir}/templates/inhibit-anypolicy.tmpl" \ +@@ -57,7 +57,7 @@ + echo ca > $TEMPLFILE + echo "cn = sub-CA" >> $TEMPLFILE + +-datefudge -s "2017-04-23" \ ++faketime -f "2017-04-23 00:00:00" \ + "${CERTTOOL}" -d 2 --generate-certificate --template $TEMPLFILE \ + --load-ca-privkey "${srcdir}/data/key-ca.pem" \ + --load-ca-certificate $CAFILE \ +@@ -72,7 +72,7 @@ + cat $SUBCAFILE $CAFILE > ${TMPFILE} + + # we do not support the inhibit any policy extension for verification +-datefudge -s "2017-04-25" "${CERTTOOL}" --verify-chain --infile ${TMPFILE} ++faketime -f "2017-04-25 00:00:00" "${CERTTOOL}" --verify-chain 
--infile ${TMPFILE} + rc=$? + if test "$rc" != "0"; then + echo "Verification failed unexpectedly ($rc)" +--- a/tests/cert-tests/invalid-sig.sh ++++ b/tests/cert-tests/invalid-sig.sh +@@ -87,7 +87,7 @@ + + if check_for_datefudge; then + #this was causing a double free; verify that we receive the expected error code +- datefudge -s 2020-01-01 \ ++ faketime -f "2020-01-01 00:00:00" \ + ${VALGRIND} "${CERTTOOL}" --verify-chain --infile "${srcdir}/data/cve-2019-3829.pem" + rc=$? + +--- a/tests/cert-tests/krb5-test.sh ++++ b/tests/cert-tests/krb5-test.sh +@@ -42,10 +42,10 @@ + fi + + # Note that in rare cases this test may fail because the +-# time set using datefudge could have changed since the generation ++# time set using faketime could have changed since the generation + # (if example the system was busy) + +-datefudge -s "2007-04-22" \ ++faketime -f "2007-04-22 00:00:00" \ + "${CERTTOOL}" --generate-self-signed \ + --load-privkey "${srcdir}/data/template-test.key" \ + --template "${srcdir}/templates/template-krb5name.tmpl" \ +@@ -71,7 +71,7 @@ + cp "${srcdir}/templates/template-krb5name.tmpl" ${TMPLFILE} + echo "krb5_principal = 'xxxxxxxxxxxxxx'" >>${TMPLFILE} + +-datefudge -s "2007-04-22" \ ++faketime -f "2007-04-22 00:00:00" \ + ${VALGRIND} "${CERTTOOL}" --generate-self-signed \ + --load-privkey "${srcdir}/data/template-test.key" \ + --template ${TMPLFILE} \ +@@ -88,7 +88,7 @@ + cp "${srcdir}/templates/template-krb5name.tmpl" ${TMPLFILE} + echo "krb5_principal = 'comp1/comp2/comp3/comp4/comp5/comp6/comp7/comp8/comp9/com...@realm.com'" >>${TMPLFILE} + +-datefudge -s "2007-04-22" \ ++faketime -f "2007-04-22 00:00:00" \ + ${VALGRIND} "${CERTTOOL}" --generate-self-signed \ + --load-privkey "${srcdir}/data/template-test.key" \ + --template ${TMPLFILE} \ +--- a/tests/cert-tests/md5-test.sh ++++ b/tests/cert-tests/md5-test.sh +@@ -38,7 +38,7 @@ + + # Test MD5 signatures + +-datefudge -s "2016-04-15" \ ++faketime -f "2016-04-15 00:00:00" \ + "${CERTTOOL}" --verify-chain 
--infile "${srcdir}/data/chain-md5.pem" >/dev/null 2>&1 + rc=$? + if test "${rc}" != "1"; then +@@ -46,7 +46,7 @@ + exit ${rc} + fi + +-datefudge -s "2016-04-15" \ ++faketime -f "2016-04-15 00:00:00" \ + "${CERTTOOL}" --verify-allow-broken --verify-chain --infile "${srcdir}/data/chain-md5.pem" >/dev/null 2>&1 + rc=$? + if test "${rc}" != "0"; then +--- a/tests/cert-tests/name-constraints.sh ++++ b/tests/cert-tests/name-constraints.sh +@@ -38,7 +38,7 @@ + + skip_if_no_datefudge + +-datefudge -s "2016-04-22" \ ++faketime -f "2016-04-22 00:00:00" \ + ${VALGRIND} "${CERTTOOL}" --verify-allow-broken -e --infile "${srcdir}/data/name-constraints-ip.pem" + rc=$? + +--- a/tests/cert-tests/othername-test.sh ++++ b/tests/cert-tests/othername-test.sh +@@ -36,10 +36,10 @@ + skip_if_no_datefudge + + # Note that in rare cases this test may fail because the +-# time set using datefudge could have changed since the generation ++# time set using faketime could have changed since the generation + # (if example the system was busy) + +-datefudge -s "2007-04-22" \ ++faketime -f "2007-04-22 00:00:00" \ + "${CERTTOOL}" --generate-self-signed \ + --load-privkey "${srcdir}/data/template-test.key" \ + --template "${srcdir}/templates/template-othername.tmpl" \ +@@ -54,7 +54,7 @@ + exit ${rc} + fi + +-datefudge -s "2007-04-22" \ ++faketime -f "2007-04-22 00:00:00" \ + "${CERTTOOL}" --generate-self-signed \ + --load-privkey "${srcdir}/data/template-test.key" \ + --template "${srcdir}/templates/template-othername-xmpp.tmpl" \ +--- a/tests/cert-tests/pkcs1-pad.sh ++++ b/tests/cert-tests/pkcs1-pad.sh +@@ -43,8 +43,8 @@ + + EXPECT1=2002 + +-datefudge "2006-09-23" "${CERTTOOL}" --verify-allow-broken --verify-chain --infile "${srcdir}/data/pkcs1-pad-ok.pem" | tee $TMPFILE1 >/dev/null 2>&1 +-datefudge "2006-09-23" "${CERTTOOL}" --verify-allow-broken --verify-chain --infile "${srcdir}/data/pkcs1-pad-broken.pem" | tee $TMPFILE2 >/dev/null 2>&1 ++faketime "2006-09-23" "${CERTTOOL}" --verify-allow-broken 
--verify-chain --infile "${srcdir}/data/pkcs1-pad-ok.pem" | tee $TMPFILE1 >/dev/null 2>&1 ++faketime "2006-09-23" "${CERTTOOL}" --verify-allow-broken --verify-chain --infile "${srcdir}/data/pkcs1-pad-broken.pem" | tee $TMPFILE2 >/dev/null 2>&1 + + out1oks=`grep 'Verified.' $TMPFILE1 | wc -l | tr -d " "` + out2oks=`grep 'Verified.' $TMPFILE2 | wc -l | tr -d " "` +@@ -66,8 +66,8 @@ + + EXPECT2=2002 + +-datefudge "2006-09-23" "${CERTTOOL}" --verify-chain --infile "${srcdir}/data/pkcs1-pad-ok2.pem" | tee $TMPFILE1 >/dev/null 2>&1 +-datefudge "2006-09-23" "${CERTTOOL}" --verify-chain --infile "${srcdir}/data/pkcs1-pad-broken2.pem" | tee $TMPFILE2 >/dev/null 2>&1 ++faketime "2006-09-23" "${CERTTOOL}" --verify-chain --infile "${srcdir}/data/pkcs1-pad-ok2.pem" | tee $TMPFILE1 >/dev/null 2>&1 ++faketime "2006-09-23" "${CERTTOOL}" --verify-chain --infile "${srcdir}/data/pkcs1-pad-broken2.pem" | tee $TMPFILE2 >/dev/null 2>&1 + + out1oks=`grep 'Verified.' $TMPFILE1 | wc -l | tr -d " "` + out2oks=`grep 'Verified.' $TMPFILE2 | wc -l | tr -d " "` +@@ -89,7 +89,7 @@ + # by Andrei Pyshkin, Erik Tews and Ralf-Philipp Weinmann. + + +-datefudge "2006-09-23" "${CERTTOOL}" --verify-chain --infile "${srcdir}/data/pkcs1-pad-broken3.pem" | tee $TMPFILE1 >/dev/null 2>&1 ++faketime "2006-09-23" "${CERTTOOL}" --verify-chain --infile "${srcdir}/data/pkcs1-pad-broken3.pem" | tee $TMPFILE1 >/dev/null 2>&1 + + out1oks=`grep 'Verified.' $TMPFILE1 | wc -l | tr -d " "` + out1fails=`grep 'Not verified.' $TMPFILE1 | wc -l | tr -d " "` +--- a/tests/cert-tests/pkcs7-cat.sh ++++ b/tests/cert-tests/pkcs7-cat.sh +@@ -37,7 +37,7 @@ + . ${srcdir}/../scripts/common.sh + + skip_if_no_datefudge +-datefudge -s "2016-10-1" \ ++faketime -f "2016-10-1 00:00:00" \ + ${VALGRIND} "${CERTTOOL}" --verify-allow-broken --p7-verify --inder --infile "${srcdir}/data/pkcs7-cat.p7" --load-ca-certificate "${srcdir}/data/pkcs7-cat-ca.pem" + rc=$? 
+ +--- a/tests/cert-tests/pkcs7-constraints.sh ++++ b/tests/cert-tests/pkcs7-constraints.sh +@@ -52,7 +52,7 @@ + FILE="signing-verify-no-purpose" + echo "" + echo "test: $FILE" +-datefudge -s "2015-1-10" \ ++faketime -f "2015-1-10 00:00:00" \ + ${VALGRIND} "${CERTTOOL}" --p7-verify --load-ca-certificate "${srcdir}/data/code-signing-ca.pem" <"${OUTFILE}" + rc=$? + +@@ -64,7 +64,7 @@ + FILE="signing-verify-valid-purpose" + echo "" + echo "test: $FILE" +-datefudge -s "2015-1-10" \ ++faketime -f "2015-1-10 00:00:00" \ + ${VALGRIND} "${CERTTOOL}" --verify-purpose 1.3.6.1.5.5.7.3.3 --p7-verify --load-ca-certificate "${srcdir}/data/code-signing-ca.pem" <"${OUTFILE}" + rc=$? + +@@ -76,7 +76,7 @@ + FILE="signing-verify-invalid-purpose" + echo "" + echo "test: $FILE" +-datefudge -s "2015-1-10" \ ++faketime -f "2015-1-10 00:00:00" \ + ${VALGRIND} "${CERTTOOL}" --verify-purpose 1.3.6.1.5.5.7.3.1 --p7-verify --load-ca-certificate "${srcdir}/data/code-signing-ca.pem" <"${OUTFILE}" + rc=$? + +@@ -88,7 +88,7 @@ + FILE="signing-verify-invalid-date-1" + echo "" + echo "test: $FILE" +-datefudge -s "2011-1-10" \ ++faketime -f "2011-1-10 00:00:00" \ + ${VALGRIND} "${CERTTOOL}" --verify-purpose 1.3.6.1.5.5.7.3.3 --p7-verify --load-ca-certificate "${srcdir}/data/code-signing-ca.pem" <"${OUTFILE}" + rc=$? + +@@ -100,7 +100,7 @@ + FILE="signing-verify-invalid-date-2" + echo "" + echo "test: $FILE" +-datefudge -s "2018-1-10" \ ++faketime -f "2018-1-10 00:00:00" \ + ${VALGRIND} "${CERTTOOL}" --verify-purpose 1.3.6.1.5.5.7.3.3 --p7-verify --load-ca-certificate "${srcdir}/data/code-signing-ca.pem" <"${OUTFILE}" + rc=$? + +--- a/tests/cert-tests/pkcs7-constraints2.sh ++++ b/tests/cert-tests/pkcs7-constraints2.sh +@@ -52,7 +52,7 @@ + FILE="signing-verify-no-purpose" + echo "" + echo "test: $FILE" +-datefudge -s "2015-1-10" \ ++faketime -f "2015-1-10 00:00:00" \ + ${VALGRIND} "${CERTTOOL}" --p7-verify --load-certificate "${srcdir}/data/code-signing-cert.pem" <"${OUTFILE}" + rc=$? 
+ +@@ -64,7 +64,7 @@ + FILE="signing-verify-valid-purpose" + echo "" + echo "test: $FILE" +-datefudge -s "2015-1-10" \ ++faketime -f "2015-1-10 00:00:00" \ + ${VALGRIND} "${CERTTOOL}" --verify-purpose 1.3.6.1.5.5.7.3.3 --p7-verify --load-certificate "${srcdir}/data/code-signing-cert.pem" <"${OUTFILE}" + rc=$? + +@@ -76,7 +76,7 @@ + FILE="signing-verify-invalid-purpose" + echo "" + echo "test: $FILE" +-datefudge -s "2015-1-10" \ ++faketime -f "2015-1-10 00:00:00" \ + ${VALGRIND} "${CERTTOOL}" --verify-purpose 1.3.6.1.5.5.7.3.1 --p7-verify --load-certificate "${srcdir}/data/code-signing-cert.pem" <"${OUTFILE}" + rc=$? + +@@ -88,7 +88,7 @@ + FILE="signing-verify-invalid-date-1" + echo "" + echo "test: $FILE" +-datefudge -s "2011-1-10" \ ++faketime -f "2011-1-10 00:00:00" \ + ${VALGRIND} "${CERTTOOL}" --verify-purpose 1.3.6.1.5.5.7.3.3 --p7-verify --load-certificate "${srcdir}/data/code-signing-cert.pem" <"${OUTFILE}" + rc=$? + +@@ -100,7 +100,7 @@ + FILE="signing-verify-invalid-date-2" + echo "" + echo "test: $FILE" +-datefudge -s "2018-1-10" \ ++faketime -f "2018-1-10 00:00:00" \ + ${VALGRIND} "${CERTTOOL}" --verify-purpose 1.3.6.1.5.5.7.3.3 --p7-verify --load-certificate "${srcdir}/data/code-signing-cert.pem" <"${OUTFILE}" + rc=$? + +--- a/tests/cert-tests/pkcs7.sh ++++ b/tests/cert-tests/pkcs7.sh +@@ -81,7 +81,7 @@ + + for FILE in full.p7b openssl.p7b openssl-keyid.p7b; do + # check validation with date prior to CA issuance +-datefudge -s "2011-1-10" \ ++faketime -f "2011-1-10 00:00:00" \ + ${VALGRIND} "${CERTTOOL}" --inder --p7-verify --load-ca-certificate "${srcdir}/../../doc/credentials/x509/ca.pem" --infile "${srcdir}/data/${FILE}" >"${OUTFILE}" + rc=$? 
+ +@@ -91,7 +91,7 @@ + fi + + # check validation with date prior to intermediate cert issuance +-datefudge -s "2011-5-28 08:38:00 UTC" \ ++faketime -f "2011-5-28 08:38:00" \ + ${VALGRIND} "${CERTTOOL}" --inder --p7-verify --load-ca-certificate "${srcdir}/../../doc/credentials/x509/ca.pem" --infile "${srcdir}/data/${FILE}" >"${OUTFILE}" + rc=$? + +@@ -101,7 +101,7 @@ + fi + + # check validation with date after intermediate cert issuance +-datefudge -s "2038-10-13" \ ++faketime -f "2038-10-13 00:00:00" \ + ${VALGRIND} "${CERTTOOL}" --inder --p7-verify --load-ca-certificate "${srcdir}/../../doc/credentials/x509/ca.pem" --infile "${srcdir}/data/${FILE}" >"${OUTFILE}" + rc=$? + +--- a/tests/cert-tests/rsa-pss-pad.sh ++++ b/tests/cert-tests/rsa-pss-pad.sh +@@ -36,13 +36,13 @@ + skip_if_no_datefudge + + # Note that in rare cases this test may fail because the +-# time set using datefudge could have changed since the generation ++# time set using faketime could have changed since the generation + # (if example the system was busy) + + # Test PSS signatures on certificate + + for i in sha256 sha384 sha512;do +-datefudge -s "2007-04-22" \ ++faketime -f "2007-04-22 00:00:00" \ + "${CERTTOOL}" --generate-self-signed --key-type rsa-pss \ + --load-privkey "${srcdir}/data/privkey1.pem" \ + --template "${srcdir}/templates/template-test.tmpl" \ +@@ -60,7 +60,7 @@ + exit ${rc} + fi + +-datefudge -s "2007-04-25" \ ++faketime -f "2007-04-25 00:00:00" \ + "${CERTTOOL}" --load-ca-certificate "${TMPFILE}" --verify --infile "${TMPFILE}" >/dev/null 2>&1 + rc=$? 
+ if test "${rc}" != "0"; then +--- a/tests/cert-tests/sha3-test.sh ++++ b/tests/cert-tests/sha3-test.sh +@@ -36,13 +36,13 @@ + skip_if_no_datefudge + + # Note that in rare cases this test may fail because the +-# time set using datefudge could have changed since the generation ++# time set using faketime could have changed since the generation + # (if example the system was busy) + + # Test SHA3 signatures + + for i in sha3-224 sha3-256 sha3-384 sha3-512;do +-datefudge -s "2007-04-22" \ ++faketime -f "2007-04-22 00:00:00" \ + "${CERTTOOL}" --generate-self-signed \ + --load-privkey "${srcdir}/data/template-test.key" \ + --template "${srcdir}/templates/template-test.tmpl" \ +@@ -60,7 +60,7 @@ + exit ${rc} + fi + +-datefudge -s "2007-04-25" \ ++faketime -f "2007-04-25 00:00:00" \ + "${CERTTOOL}" --load-ca-certificate "${TMPFILE}" --verify --infile "${TMPFILE}" >/dev/null 2>&1 + rc=$? + if test "${rc}" != "0"; then +@@ -72,7 +72,7 @@ + # Test SHA3 signatures with ECDSA + + for i in sha3-224 sha3-256 sha3-384 sha3-512;do +-datefudge -s "2007-04-22" \ ++faketime -f "2007-04-22 00:00:00" \ + "${CERTTOOL}" --generate-self-signed \ + --load-privkey "${srcdir}/data/template-test-ecc.key" \ + --template "${srcdir}/templates/template-test.tmpl" \ +@@ -84,7 +84,7 @@ + exit ${rc} + fi + +-datefudge -s "2007-04-25" \ ++faketime -f "2007-04-25 00:00:00" \ + "${CERTTOOL}" --load-ca-certificate "${TMPFILE}" --verify --infile "${TMPFILE}" >/dev/null 2>&1 + rc=$? + if test "${rc}" != "0"; then +--- a/tests/cert-tests/smime.sh ++++ b/tests/cert-tests/smime.sh +@@ -47,7 +47,7 @@ + fi + + +-datefudge -s "2017-4-6" \ ++faketime -f "2017-4-6 00:00:00" \ + ${VALGRIND} "${CERTTOOL}" --p7-verify --load-certificate "${srcdir}/../../doc/credentials/x509/cert-rsa.pem" <"${OUTFILE}" + rc=$? 
+ +--- a/tests/cert-tests/template-exts-test.sh ++++ b/tests/cert-tests/template-exts-test.sh +@@ -35,7 +35,7 @@ + + skip_if_no_datefudge + +-datefudge -s "2007-04-22" \ ++faketime -f "2007-04-22 00:00:00" \ + "${CERTTOOL}" --generate-self-signed \ + --load-privkey "${srcdir}/data/template-test.key" \ + --template "${srcdir}/templates/arb-extensions.tmpl" \ +@@ -53,7 +53,7 @@ + rm -f "$OUTFILE" + + # Test adding critical extensions only +-datefudge -s "2007-04-22" \ ++faketime -f "2007-04-22 00:00:00" \ + "${CERTTOOL}" --generate-self-signed \ + --load-privkey "${srcdir}/data/template-test.key" \ + --template "${srcdir}/templates/crit-extensions.tmpl" \ +@@ -70,7 +70,7 @@ + + rm -f "$OUTFILE" + +-datefudge -s "2007-04-22" \ ++faketime -f "2007-04-22 00:00:00" \ + "${CERTTOOL}" --generate-request \ + --load-privkey "${srcdir}/data/template-test.key" \ + --template "${srcdir}/templates/arb-extensions.tmpl" \ +--- a/tests/cert-tests/template-policy-test.sh ++++ b/tests/cert-tests/template-policy-test.sh +@@ -35,7 +35,7 @@ + + skip_if_no_datefudge + +-datefudge -s "2007-04-22" \ ++faketime -f "2007-04-22 00:00:00" \ + "${CERTTOOL}" --generate-self-signed \ + --load-privkey "${srcdir}/data/template-test.key" \ + --template "${srcdir}/templates/simple-policy.tmpl" \ +--- a/tests/cert-tests/template-test.sh ++++ b/tests/cert-tests/template-test.sh +@@ -39,10 +39,10 @@ + echo "Running test for ${ac_cv_sizeof_time_t}-byte time_t" + + # Note that in rare cases this test may fail because the +-# time set using datefudge could have changed since the generation ++# time set using faketime could have changed since the generation + # (if example the system was busy) + +-datefudge -s "2007-04-22" \ ++faketime -f "2007-04-22 00:00:00" \ + "${CERTTOOL}" --generate-self-signed \ + --load-privkey "${srcdir}/data/template-test.key" \ + --template "${srcdir}/templates/template-test.tmpl" \ +@@ -59,7 +59,7 @@ + + rm -f ${TMPFILE} + +-datefudge -s "2007-04-22" \ ++faketime -f "2007-04-22 
00:00:00" \ + "${CERTTOOL}" --generate-self-signed \ + --load-privkey "${srcdir}/data/template-test.key" \ + --template "${srcdir}/templates/template-utf8.tmpl" \ +@@ -76,7 +76,7 @@ + + rm -f ${TMPFILE} + +-datefudge -s "2007-04-22" \ ++faketime -f "2007-04-22 00:00:00" \ + "${CERTTOOL}" --generate-self-signed \ + --load-privkey "${srcdir}/data/template-test.key" \ + --template "${srcdir}/templates/template-dn.tmpl" \ +@@ -95,7 +95,7 @@ + + echo "Running test for certificate generation with --generate-self-signed" + +-datefudge -s "2007-04-22" \ ++faketime -f "2007-04-22 00:00:00" \ + "${CERTTOOL}" --generate-certificate \ + --load-privkey "${srcdir}/data/template-test.key" \ + --load-ca-privkey "${srcdir}/../../doc/credentials/x509/ca-key.pem" \ +@@ -114,7 +114,7 @@ + + rm -f ${TMPFILE} + +-datefudge -s "2007-04-22" \ ++faketime -f "2007-04-22 00:00:00" \ + "${CERTTOOL}" --generate-self-signed \ + --load-privkey "${srcdir}/data/template-test.key" \ + --template "${srcdir}/templates/template-dn-err.tmpl" \ +@@ -128,7 +128,7 @@ + + rm -f ${TMPFILE} + +-datefudge -s "2007-04-22" \ ++faketime -f "2007-04-22 00:00:00" \ + "${CERTTOOL}" --generate-self-signed \ + --load-privkey "${srcdir}/data/template-test.key" \ + --template "${srcdir}/templates/template-overflow.tmpl" \ +@@ -147,7 +147,7 @@ + + # The following test works in 64-bit systems + +-datefudge -s "2007-04-22" \ ++faketime -f "2007-04-22 00:00:00" \ + "${CERTTOOL}" --generate-self-signed \ + --load-privkey "${srcdir}/data/template-test.key" \ + --template "${srcdir}/templates/template-overflow2.tmpl" \ +@@ -177,7 +177,7 @@ + fi + rm -f ${TMPFILE} + +-datefudge -s "2007-04-22" \ ++faketime -f "2007-04-22 00:00:00" \ + "${CERTTOOL}" --generate-self-signed \ + --load-privkey "${srcdir}/data/template-test.key" \ + --template "${srcdir}/templates/template-date.tmpl" \ +@@ -194,7 +194,7 @@ + + rm -f ${TMPFILE} + +-datefudge -s "2007-04-22" \ ++faketime -f "2007-04-22 00:00:00" \ + "${CERTTOOL}" 
--generate-self-signed \ + --load-privkey "${srcdir}/data/template-test.key" \ + --template "${srcdir}/templates/template-dates-after2038.tmpl" \ +@@ -224,7 +224,7 @@ + + # Test name constraints generation + +-datefudge -s "2007-04-22" \ ++faketime -f "2007-04-22 00:00:00" \ + "${CERTTOOL}" --generate-self-signed \ + --load-privkey "${srcdir}/data/template-test.key" \ + --template "${srcdir}/templates/template-nc.tmpl" \ +@@ -245,7 +245,7 @@ + # Test the GeneralizedTime support + if test "${ac_cv_sizeof_time_t}" = 8;then + # we should test that on systems which have 64-bit time_t. +- datefudge -s "2051-04-22" \ ++ faketime -f "2051-04-22 00:00:00" \ + "${CERTTOOL}" --generate-self-signed \ + --load-privkey "${srcdir}/data/template-test.key" \ + --template "${srcdir}/templates/template-generalized.tmpl" \ +@@ -265,7 +265,7 @@ + + # Test unique ID field generation + +-datefudge -s "2007-04-22" \ ++faketime -f "2007-04-22 00:00:00" \ + "${CERTTOOL}" --generate-self-signed \ + --load-privkey "${srcdir}/data/template-test.key" \ + --template "${srcdir}/templates/template-unique.tmpl" \ +@@ -284,7 +284,7 @@ + + # Test generation with very long dns names + +-datefudge -s "2007-04-22" \ ++faketime -f "2007-04-22 00:00:00" \ + "${CERTTOOL}" --generate-self-signed \ + --load-privkey "${srcdir}/data/template-test.key" \ + --template "${srcdir}/templates/template-long-dns.tmpl" \ +@@ -303,7 +303,7 @@ + + # Test generation with larger serial number + +-datefudge -s "2007-04-22" \ ++faketime -f "2007-04-22 00:00:00" \ + "${CERTTOOL}" --generate-self-signed \ + --load-privkey "${srcdir}/data/template-test.key" \ + --template "${srcdir}/templates/template-long-serial.tmpl" \ +--- a/tests/cert-tests/tlsfeature-test.sh ++++ b/tests/cert-tests/tlsfeature-test.sh +@@ -39,7 +39,7 @@ + # + # Test certificate generation + # +-datefudge -s "2007-04-22" \ ++faketime -f "2007-04-22 00:00:00" \ + "${CERTTOOL}" --generate-self-signed \ + --load-privkey "${srcdir}/data/template-test.key" \ + 
--template "${srcdir}/templates/template-tlsfeature.tmpl" \ +@@ -98,7 +98,7 @@ + # Test certificate request generation + # + +-datefudge -s "2007-04-22" \ ++faketime -f "2007-04-22 00:00:00" \ + "${CERTTOOL}" --generate-request \ + --load-privkey "${srcdir}/data/template-test.key" \ + --template "${srcdir}/templates/template-tlsfeature.tmpl" \ +@@ -159,7 +159,7 @@ + # + # Test certificate generation after a request + # +-datefudge -s "2007-04-22" \ ++faketime -f "2007-04-22 00:00:00" \ + "${CERTTOOL}" --generate-certificate \ + --load-privkey "${srcdir}/data/template-test.key" \ + --load-ca-privkey "${srcdir}/data/template-test.key" \ +--- a/tests/certtool-pkcs11.sh ++++ b/tests/certtool-pkcs11.sh +@@ -116,7 +116,7 @@ + file=$2 + + echo -n "* Verifying a certificate... " +- datefudge -s "2015-10-10" \ ++ faketime -f "2015-10-10 00:00:00" \ + $CERTTOOL ${ADDITIONAL_PARAM} --verify --load-ca-certificate "$url" --infile "$file" >>"${TMPFILE}" 2>&1 + if test $? = 0; then + echo ok +--- a/tests/datefudge-check.c ++++ b/tests/datefudge-check.c +@@ -4,6 +4,7 @@ + * Author: Daiki Ueno + * + * This file is part of GnuTLS. ++ * Its name is historical, it has no relation with the datefudge tool anymore. + * + * GnuTLS is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by +--- a/tests/gnutls-cli-debug.sh ++++ b/tests/gnutls-cli-debug.sh +@@ -71,7 +71,7 @@ + PID=$! + wait_server ${PID} + +-timeout 1800 datefudge "2017-08-9" \ ++timeout 1800 faketime "2017-08-9" \ + "${DCLI}" -p "${PORT}" localhost >$OUTFILE 2>&1 || fail ${PID} "gnutls-cli-debug run should have succeeded!" + + kill ${PID} +@@ -118,7 +118,7 @@ + PID=$! + wait_server ${PID} + +-timeout 1800 datefudge "2017-08-9" \ ++timeout 1800 faketime "2017-08-9" \ + "${DCLI}" -p "${PORT}" localhost >$OUTFILE 2>&1 || fail ${PID} "gnutls-cli-debug run should have succeeded!" + + kill ${PID} +@@ -160,7 +160,7 @@ + PID=$! 
+ wait_server ${PID} + +-timeout 1800 datefudge "2017-08-9" \ ++timeout 1800 faketime "2017-08-9" \ + "${DCLI}" -p "${PORT}" localhost >$OUTFILE 2>&1 || fail ${PID} "gnutls-cli-debug run should have succeeded!" + + kill ${PID} +@@ -186,7 +186,7 @@ + _EOF_ + + GNUTLS_SYSTEM_PRIORITY_FILE="${TMPFILE}" \ +-timeout 1800 datefudge "2017-08-9" \ ++timeout 1800 faketime "2017-08-9" \ + "${DCLI}" -p "${PORT}" localhost >$OUTFILE 2>&1 || fail ${PID} "gnutls-cli-debug run should have succeeded!" + + kill ${PID} +@@ -209,7 +209,7 @@ + PID=$! + wait_server ${PID} + +- timeout 1800 datefudge "2017-08-9" \ ++ timeout 1800 faketime "2017-08-9" \ + "${DCLI}" -p "${PORT}" localhost >$OUTFILE 2>&1 || fail ${PID} "gnutls-cli-debug run should have succeeded!" + + kill ${PID} +--- a/tests/gnutls-cli-invalid-crl.sh ++++ b/tests/gnutls-cli-invalid-crl.sh +@@ -168,7 +168,7 @@ + PID=$! + wait_server ${PID} + +-datefudge "2018-9-19" \ ++faketime "2018-9-19" \ + ${VALGRIND} "${CLI}" -p "${PORT}" localhost --x509crlfile ${CRLFILE} --x509cafile ${CAFILE} >${TMPFILE} 2>&1 </dev/null && \ + fail ${PID} "1. handshake should have failed!" + +--- a/tests/gnutls-cli-self-signed.sh ++++ b/tests/gnutls-cli-self-signed.sh +@@ -123,7 +123,7 @@ + PID=$! + wait_server ${PID} + +-datefudge "2018-1-1" \ ++faketime "2018-1-1" \ + ${VALGRIND} "${CLI}" -p "${PORT}" localhost >${TMPFILE} 2>&1 </dev/null && \ + fail ${PID} "1. handshake should have failed!" + +--- a/tests/ocsp-tests/ocsp-load-chain.sh ++++ b/tests/ocsp-tests/ocsp-load-chain.sh +@@ -33,7 +33,7 @@ + + skip_if_no_datefudge + +-datefudge -s "2017-06-19" \ ++faketime -f "2017-06-19 00:00:00" \ + "${OCSPTOOL}" -e --load-chain "${srcdir}/ocsp-tests/certs/chain-amazon.com.pem" --infile "${srcdir}/ocsp-tests/certs/ocsp-amazon.com.der" --verify-allow-broken + rc=$? 
+ +@@ -43,7 +43,7 @@ + exit ${rc} + fi + +-datefudge -s "2017-06-19" \ ++faketime -f "2017-06-19 00:00:00" \ + "${OCSPTOOL}" -e --load-chain "${srcdir}/ocsp-tests/certs/chain-amazon.com-unsorted.pem" --infile "${srcdir}/ocsp-tests/certs/ocsp-amazon.com.der" --verify-allow-broken + rc=$? + +@@ -54,7 +54,7 @@ + fi + + # verify an OCSP response using ECDSA +-datefudge -s "2017-06-29" \ ++faketime -f "2017-06-29 00:00:00" \ + "${OCSPTOOL}" -d 6 -e --load-chain "${srcdir}/ocsp-tests/certs/chain-akamai.com.pem" --infile "${srcdir}/ocsp-tests/certs/ocsp-akamai.com.der" + rc=$? + +--- a/tests/ocsp-tests/ocsp-must-staple-connection.sh ++++ b/tests/ocsp-tests/ocsp-must-staple-connection.sh +@@ -75,9 +75,9 @@ + exit 77 + fi + +-CERTDATE="2016-04-28" +-TESTDATE="2016-04-29" +-EXP_OCSP_DATE="2016-03-27" ++CERTDATE="2016-04-28 00:00:00" ++TESTDATE="2016-04-29 00:00:00" ++EXP_OCSP_DATE="2016-03-27 00:00:00" + + OCSP_PID="" + TLS_SERVER_PID="" +@@ -101,7 +101,7 @@ + echo "ocsp_uri=http://localhost:${OCSP_PORT}/ocsp/" >>"$TEMPLATE_FILE" + + # Generate certificates with the random port +-datefudge -s "${CERTDATE}" ${CERTTOOL} \ ++faketime -f "${CERTDATE}" ${CERTTOOL} \ + --generate-certificate --load-ca-privkey "${srcdir}/ocsp-tests/certs/ca.key" \ + --load-ca-certificate "${srcdir}/ocsp-tests/certs/ca.pem" \ + --load-privkey "${srcdir}/ocsp-tests/certs/server_good.key" \ +@@ -110,7 +110,7 @@ + # Generate certificates with the random port (with mandatory stapling extension) + echo "tls_feature = 5" >>"$TEMPLATE_FILE" + +-datefudge -s "${CERTDATE}" ${CERTTOOL} \ ++faketime -f "${CERTDATE}" ${CERTTOOL} \ + --generate-certificate --load-ca-privkey "${srcdir}/ocsp-tests/certs/ca.key" \ + --load-ca-certificate "${srcdir}/ocsp-tests/certs/ca.pem" \ + --load-privkey "${srcdir}/ocsp-tests/certs/server_good.key" \ +@@ -130,7 +130,7 @@ + # SO_REUSEADDR usage. 
+ PORT=${OCSP_PORT} + launch_bare_server \ +- datefudge "${TESTDATE}" \ ++ faketime "${TESTDATE}" \ + "${OPENSSL}" ocsp -index "${INDEXFILE}" -text \ + -port "${OCSP_PORT}" \ + -rsigner "${srcdir}/ocsp-tests/certs/ocsp-server.pem" \ +@@ -146,7 +146,7 @@ + t=0 + while test "${t}" -lt "${SERVER_START_TIMEOUT}"; do + # Run a test request to make sure the server works +- datefudge "${TESTDATE}" \ ++ faketime "${TESTDATE}" \ + ${VALGRIND} "${OCSPTOOL}" --ask \ + --load-cert "${SERVER_CERT_FILE}" \ + --load-issuer "${srcdir}/ocsp-tests/certs/ca.pem" \ +@@ -171,7 +171,7 @@ + + PORT=${TLS_SERVER_PORT} + launch_bare_server \ +- datefudge "${TESTDATE}" \ ++ faketime "${TESTDATE}" \ + "${SERV}" --echo --disable-client-cert \ + --x509keyfile="${srcdir}/ocsp-tests/certs/server_good.key" \ + --x509certfile="${SERVER_CERT_FILE}" \ +@@ -182,7 +182,7 @@ + wait_for_port "${TLS_SERVER_PORT}" + + echo "test 123456" | \ +- datefudge -s "${TESTDATE}" \ ++ faketime -f "${TESTDATE}" \ + "${CLI}" --ocsp --x509cafile="${srcdir}/ocsp-tests/certs/ca.pem" \ + --port="${TLS_SERVER_PORT}" localhost + rc=$? +@@ -203,7 +203,7 @@ + TLS_SERVER_PORT=$PORT + PORT=${TLS_SERVER_PORT} + launch_bare_server \ +- datefudge "${TESTDATE}" \ ++ faketime "${TESTDATE}" \ + "${SERV}" --echo --disable-client-cert \ + --x509keyfile="${srcdir}/ocsp-tests/certs/server_good.key" \ + --x509certfile="${SERVER_CERT_FILE}" \ +@@ -215,7 +215,7 @@ + wait_for_port "${TLS_SERVER_PORT}" + + echo "test 123456" | \ +- datefudge -s "${TESTDATE}" \ ++ faketime -f "${TESTDATE}" \ + "${CLI}" --ocsp --x509cafile="${srcdir}/ocsp-tests/certs/ca.pem" \ + --port="${TLS_SERVER_PORT}" localhost + rc=$? 
+@@ -238,7 +238,7 @@ + TLS_SERVER_PORT=$PORT + PORT=${TLS_SERVER_PORT} + launch_bare_server \ +- datefudge "${TESTDATE}" \ ++ faketime "${TESTDATE}" \ + "${SERV}" --echo --disable-client-cert \ + --x509keyfile="${srcdir}/ocsp-tests/certs/server_good.key" \ + --x509certfile="${SERVER_CERT_FILE}" \ +@@ -250,7 +250,7 @@ + wait_for_port "${TLS_SERVER_PORT}" + + echo "test 123456" | \ +- datefudge -s "${TESTDATE}" \ ++ faketime -f "${TESTDATE}" \ + "${CLI}" --ocsp --x509cafile="${srcdir}/ocsp-tests/certs/ca.pem" \ + --port="${TLS_SERVER_PORT}" localhost + rc=$? +@@ -274,7 +274,7 @@ + TLS_SERVER_PORT=$PORT + PORT=${TLS_SERVER_PORT} + launch_bare_server \ +- datefudge "${TESTDATE}" \ ++ faketime "${TESTDATE}" \ + "${SERV}" --echo --disable-client-cert \ + --x509keyfile="${srcdir}/ocsp-tests/certs/server_good.key" \ + --x509certfile="${SERVER_CERT_FILE}" \ +@@ -286,7 +286,7 @@ + wait_for_port "${TLS_SERVER_PORT}" + + echo "test 123456" | \ +- datefudge -s "${TESTDATE}" \ ++ faketime -f "${TESTDATE}" \ + "${CLI}" --ocsp --x509cafile="${srcdir}/ocsp-tests/certs/ca.pem" \ + --port="${TLS_SERVER_PORT}" localhost + rc=$? +@@ -308,7 +308,7 @@ + # Generate an OCSP response which expires in 2 days and use it after + # a month. gnutls server doesn't send such a staple to clients. 
+ ${VALGRIND} ${OCSPTOOL} --generate-request --load-issuer "${srcdir}/ocsp-tests/certs/ocsp-server.pem" --load-cert "${SERVER_CERT_FILE}" --outfile "${OCSP_REQ_FILE}" +-datefudge -s ${EXP_OCSP_DATE} \ ++faketime -f ${EXP_OCSP_DATE} \ + ${OPENSSL} ocsp -index "${INDEXFILE}" -rsigner "${srcdir}/ocsp-tests/certs/ocsp-server.pem" -rkey "${srcdir}/ocsp-tests/certs/ocsp-server.key" -CA "${srcdir}/ocsp-tests/certs/ca.pem" -reqin "${OCSP_REQ_FILE}" -respout "${OCSP_RESPONSE_FILE}" -ndays 2 + + eval "${GETPORT}" +@@ -332,7 +332,7 @@ + echo "=== Test 5.1: Server with valid certificate - expired staple (ignoring errors) ===" + + launch_bare_server \ +- datefudge "${TESTDATE}" \ ++ faketime "${TESTDATE}" \ + "${SERV}" --echo --disable-client-cert \ + --x509keyfile="${srcdir}/ocsp-tests/certs/server_good.key" \ + --x509certfile="${SERVER_CERT_FILE}" \ +@@ -345,7 +345,7 @@ + wait_for_port "${TLS_SERVER_PORT}" + + echo "test 123456" | \ +- datefudge -s "${TESTDATE}" \ ++ faketime -f "${TESTDATE}" \ + "${CLI}" --ocsp --x509cafile="${srcdir}/ocsp-tests/certs/ca.pem" \ + --port="${TLS_SERVER_PORT}" localhost + rc=$? 
+@@ -368,7 +368,7 @@ + rm -f "${OCSP_RESPONSE_FILE}" + + ${VALGRIND} ${OCSPTOOL} --generate-request --load-issuer "${srcdir}/ocsp-tests/certs/ocsp-server.pem" --load-cert "${SERVER_CERT_FILE}" --outfile "${OCSP_REQ_FILE}" +-datefudge -s ${EXP_OCSP_DATE} \ ++faketime -f ${EXP_OCSP_DATE} \ + ${OPENSSL} ocsp -index ${INDEXFILE} -rsigner "${srcdir}/ocsp-tests/certs/ocsp-server.pem" -rkey "${srcdir}/ocsp-tests/certs/ocsp-server.key" -CA "${srcdir}/ocsp-tests/certs/ca.pem" -reqin "${OCSP_REQ_FILE}" -respout "${OCSP_RESPONSE_FILE}" + + eval "${GETPORT}" +@@ -376,7 +376,7 @@ + TLS_SERVER_PORT=$PORT + PORT=${TLS_SERVER_PORT} + launch_bare_server \ +- datefudge "${TESTDATE}" \ ++ faketime "${TESTDATE}" \ + "${SERV}" --echo --disable-client-cert \ + --x509keyfile="${srcdir}/ocsp-tests/certs/server_good.key" \ + --x509certfile="${SERVER_CERT_FILE}" \ +@@ -388,7 +388,7 @@ + wait_for_port "${TLS_SERVER_PORT}" + + echo "test 123456" | \ +- datefudge -s "${TESTDATE}" \ ++ faketime -f "${TESTDATE}" \ + "${CLI}" --ocsp --x509cafile="${srcdir}/ocsp-tests/certs/ca.pem" \ + --port="${TLS_SERVER_PORT}" localhost + rc=$? +@@ -409,7 +409,7 @@ + TLS_SERVER_PORT=$PORT + PORT=${TLS_SERVER_PORT} + launch_bare_server \ +- datefudge "${TESTDATE}" \ ++ faketime "${TESTDATE}" \ + "${SERV}" --echo --disable-client-cert \ + --x509keyfile="${srcdir}/ocsp-tests/certs/server_good.key" \ + --x509certfile="${SERVER_CERT_FILE}" \ +@@ -421,7 +421,7 @@ + wait_for_port "${TLS_SERVER_PORT}" + + echo "test 123456" | \ +- datefudge -s "${TESTDATE}" \ ++ faketime -f "${TESTDATE}" \ + "${CLI}" --priority "NORMAL:%NO_EXTENSIONS" --ocsp --x509cafile="${srcdir}/ocsp-tests/certs/ca.pem" \ + --port="${TLS_SERVER_PORT}" localhost + rc=$? 
+@@ -442,7 +442,7 @@ + TLS_SERVER_PORT=$PORT + PORT=${TLS_SERVER_PORT} + launch_bare_server \ +- datefudge "${TESTDATE}" \ ++ faketime "${TESTDATE}" \ + "${SERV}" --echo --disable-client-cert \ + --x509keyfile="${srcdir}/ocsp-tests/certs/server_good.key" \ + --x509certfile="${SERVER_CERT_NO_EXT_FILE}" \ +@@ -454,7 +454,7 @@ + wait_for_port "${TLS_SERVER_PORT}" + + echo "test 123456" | \ +- datefudge -s "${TESTDATE}" \ ++ faketime -f "${TESTDATE}" \ + "${CLI}" --ocsp --x509cafile="${srcdir}/ocsp-tests/certs/ca.pem" \ + --port="${TLS_SERVER_PORT}" localhost + rc=$? +@@ -475,7 +475,7 @@ + TLS_SERVER_PORT=$PORT + PORT=${TLS_SERVER_PORT} + launch_bare_server \ +- datefudge "${TESTDATE}" \ ++ faketime "${TESTDATE}" \ + "${SERV}" --echo --disable-client-cert \ + --x509keyfile="${srcdir}/ocsp-tests/certs/server_good.key" \ + --x509certfile="${SERVER_CERT_FILE}" \ +@@ -487,7 +487,7 @@ + wait_for_port "${TLS_SERVER_PORT}" + + echo "test 123456" | \ +- datefudge -s "${TESTDATE}" \ ++ faketime -f "${TESTDATE}" \ + "${CLI}" --ocsp --x509cafile="${srcdir}/ocsp-tests/certs/ca.pem" \ + --port="${TLS_SERVER_PORT}" localhost + rc=$? +--- a/tests/ocsp-tests/ocsp-signer-verify.sh ++++ b/tests/ocsp-tests/ocsp-signer-verify.sh +@@ -31,14 +31,14 @@ + + skip_if_no_datefudge + +-date="2021-07-14 00:00" ++date="2021-07-14 00:00:00" + sample_dir="${srcdir}/ocsp-tests/signer-verify" + trusted="${sample_dir}/trust.pem" + + verify_response () + { + echo "verifying ${sample_dir}/${1} using ${trusted}" +- datefudge --static "${date}" \ ++ faketime -f "${date}" \ + "${OCSPTOOL}" --infile="${sample_dir}/${1}" \ + --verify-response --load-trust="${trusted}" + return $? 
+--- a/tests/ocsp-tests/ocsp-test.sh ++++ b/tests/ocsp-tests/ocsp-test.sh +@@ -35,10 +35,10 @@ + skip_if_no_datefudge + + # Note that in rare cases this test may fail because the +-# time set using datefudge could have changed since the generation ++# time set using faketime could have changed since the generation + # (if example the system was busy) + +-datefudge -s "2016-04-22" \ ++faketime -f "2016-04-22 00:00:00" \ + "${OCSPTOOL}" -e --load-signer "${srcdir}/ocsp-tests/certs/ca.pem" --infile "${srcdir}/ocsp-tests/response1.der" + rc=$? + +@@ -48,7 +48,7 @@ + exit ${rc} + fi + +-datefudge -s "2016-04-22" \ ++faketime -f "2016-04-22 00:00:00" \ + "${OCSPTOOL}" -e --load-signer "${srcdir}/ocsp-tests/certs/ocsp-server.pem" --infile "${srcdir}/ocsp-tests/response2.der" + rc=$? + +@@ -58,7 +58,7 @@ + exit ${rc} + fi + +-datefudge -s "2016-04-22" \ ++faketime -f "2016-04-22 00:00:00" \ + "${OCSPTOOL}" -e --load-signer "${srcdir}/ocsp-tests/certs/ca.pem" --infile "${srcdir}/ocsp-tests/response2.der" -d 4 + rc=$? + +--- a/tests/ocsp-tests/ocsp-tls-connection.sh ++++ b/tests/ocsp-tests/ocsp-tls-connection.sh +@@ -75,8 +75,8 @@ + exit 77 + fi + +-CERTDATE="2016-04-28" +-TESTDATE="2016-04-29" ++CERTDATE="2016-04-28 00:00:00" ++TESTDATE="2016-04-29 00:00:00" + + OCSP_PID="" + TLS_SERVER_PID="" +@@ -97,7 +97,7 @@ + echo "ocsp_uri=http://localhost:${OCSP_PORT}/ocsp/" >>"$TEMPLATE_FILE" + + # Generate certificates with the random port +-datefudge -s "${CERTDATE}" ${CERTTOOL} \ ++faketime -f "${CERTDATE}" ${CERTTOOL} \ + --generate-certificate --load-ca-privkey "${srcdir}/ocsp-tests/certs/ca.key" \ + --load-ca-certificate "${srcdir}/ocsp-tests/certs/ca.pem" \ + --load-privkey "${srcdir}/ocsp-tests/certs/server_good.key" \ +@@ -112,7 +112,7 @@ + # SO_REUSEADDR usage. 
+ PORT=${OCSP_PORT} + launch_bare_server \ +- datefudge "${TESTDATE}" \ ++ faketime "${TESTDATE}" \ + "${OPENSSL}" ocsp -index "${srcdir}/ocsp-tests/certs/ocsp_index.txt" -text \ + -port "${OCSP_PORT}" \ + -rsigner "${srcdir}/ocsp-tests/certs/ocsp-server.pem" \ +@@ -128,7 +128,7 @@ + t=0 + while test "${t}" -lt "${SERVER_START_TIMEOUT}"; do + # Run a test request to make sure the server works +- datefudge "${TESTDATE}" \ ++ faketime "${TESTDATE}" \ + ${VALGRIND} "${OCSPTOOL}" --ask \ + --load-cert "${SERVER_CERT_FILE}" \ + --load-issuer "${srcdir}/ocsp-tests/certs/ca.pem" +@@ -150,7 +150,7 @@ + + PORT=${TLS_SERVER_PORT} + launch_bare_server \ +- datefudge "${TESTDATE}" \ ++ faketime "${TESTDATE}" \ + "${SERV}" --echo --disable-client-cert \ + --x509keyfile="${srcdir}/ocsp-tests/certs/server_good.key" \ + --x509certfile="${SERVER_CERT_FILE}" \ +@@ -161,7 +161,7 @@ + wait_for_port "${TLS_SERVER_PORT}" + + echo "test 123456" | \ +- datefudge -s "${TESTDATE}" \ ++ faketime -f "${TESTDATE}" \ + "${CLI}" --ocsp --x509cafile="${srcdir}/ocsp-tests/certs/ca.pem" \ + --port="${TLS_SERVER_PORT}" localhost + rc=$? 
+@@ -183,7 +183,7 @@ + echo "ocsp_uri=http://localhost:${OCSP_PORT}/ocsp/" >>"$TEMPLATE_FILE" + + # Generate certificates with the random port +-datefudge -s "${CERTDATE}" ${CERTTOOL} \ ++faketime -f "${CERTDATE}" ${CERTTOOL} \ + --generate-certificate --load-ca-privkey "${srcdir}/ocsp-tests/certs/ca.key" \ + --load-ca-certificate "${srcdir}/ocsp-tests/certs/ca.pem" \ + --load-privkey "${srcdir}/ocsp-tests/certs/server_bad.key" \ +@@ -195,7 +195,7 @@ + TLS_SERVER_PORT=$PORT + + launch_bare_server \ +- datefudge "${TESTDATE}" \ ++ faketime "${TESTDATE}" \ + "${SERV}" --echo --disable-client-cert \ + --x509keyfile="${srcdir}/ocsp-tests/certs/server_bad.key" \ + --x509certfile="${SERVER_CERT_FILE}" \ +@@ -205,7 +205,7 @@ + wait_for_port "${TLS_SERVER_PORT}" + + echo "test 123456" | \ +- datefudge -s "${TESTDATE}" \ ++ faketime -f "${TESTDATE}" \ + "${CLI}" --ocsp --x509cafile="${srcdir}/ocsp-tests/certs/ca.pem" \ + --port="${TLS_SERVER_PORT}" localhost + rc=$? +--- a/tests/pkcs7-cat.sh ++++ b/tests/pkcs7-cat.sh +@@ -37,7 +37,7 @@ + skip_if_no_datefudge + + #try verification +-datefudge -s "2010-10-10" \ ++faketime -f "2010-10-10 00:00:00" \ + ${VALGRIND} "${CERTTOOL}" --verify-allow-broken --inder --p7-verify --infile "${srcdir}/data/test1.cat" --load-certificate "${srcdir}/data/pkcs7-cat-ca.pem" + rc=$? + +@@ -46,7 +46,7 @@ + exit 1 + fi + +-datefudge -s "2016-10-10" \ ++faketime -f "2016-10-10 00:00:00" \ + ${VALGRIND} "${CERTTOOL}" --verify-allow-broken --inder --p7-verify --infile "${srcdir}/data/test1.cat" --load-certificate "${srcdir}/data/pkcs7-cat-ca.pem" + rc=$? + +--- a/tests/rsa-md5-collision/rsa-md5-collision.sh ++++ b/tests/rsa-md5-collision/rsa-md5-collision.sh +@@ -37,7 +37,7 @@ + ASAN_OPTIONS="detect_leaks=0" + export ASAN_OPTIONS + +-datefudge -s "2006-10-1" \ ++faketime -f "2006-10-1 00:00:00" \ + "${CERTTOOL}" --verify-chain --outfile "$TMPFILE1" --infile "${srcdir}/rsa-md5-collision/colliding-chain-md5-1.pem" + if test $? 
= 0;then + echo "Verification on chain1 succeeded" +@@ -51,7 +51,7 @@ + fi + + +-datefudge -s "2006-10-1" \ ++faketime -f "2006-10-1 00:00:00" \ + "${CERTTOOL}" --verify-chain --outfile "$TMPFILE2" --infile "${srcdir}/rsa-md5-collision/colliding-chain-md5-2.pem" + if test $? = 0;then + echo "Verification on chain2 succeeded" +--- a/tests/scripts/common.sh ++++ b/tests/scripts/common.sh +@@ -97,13 +97,7 @@ + ' + + check_for_datefudge() { +- # On certain platforms running datefudge date fails (e.g., x86 datefudge +- # with x86-64 date app). +- if test "${SKIP_DATEFUDGE_CHECK}" = 1;then +- return +- fi +- +- TSTAMP=`datefudge -s "2006-09-23" "${top_builddir}/tests/datefudge-check" || true` ++ TSTAMP=`faketime -f "2006-09-23 00:00:00" "${top_builddir}/tests/datefudge-check" || true` + if test "$TSTAMP" != "1158969600" || test "$WINDOWS" = 1; then + return 1 + fi +@@ -111,7 +105,7 @@ + + skip_if_no_datefudge() { + if ! check_for_datefudge; then +- echo "You need datefudge to run this test" ++ echo "You need faketime to run this test" + exit 77 + fi + } +--- a/tests/server-multi-keys.sh ++++ b/tests/server-multi-keys.sh +@@ -65,15 +65,15 @@ + PID=$! + wait_server ${PID} + +-timeout 1800 datefudge "2017-08-9" \ ++timeout 1800 faketime "2017-08-9" \ + "${CLI}" -p "${PORT}" localhost --x509cafile ${CAFILE} --priority "NORMAL:-KX-ALL:+ECDHE-RSA" </dev/null || \ + fail ${PID} "1. handshake with RSA should have succeeded!" + +-timeout 1800 datefudge "2017-08-9" \ ++timeout 1800 faketime "2017-08-9" \ + "${CLI}" -p "${PORT}" localhost --x509cafile ${CAFILE} --priority "NORMAL:-KX-ALL:+ECDHE-ECDSA" </dev/null || \ + fail ${PID} "2. handshake with ECC should have succeeded!" + +-timeout 1800 datefudge "2017-08-9" \ ++timeout 1800 faketime "2017-08-9" \ + "${CLI}" -p "${PORT}" localhost --x509cafile ${CAFILE} --priority "NORMAL:-VERS-ALL:+VERS-TLS1.2:-KX-ALL:+ECDHE-RSA:-SIGN-ALL:+SIGN-RSA-SHA256" --save-cert ${TMPFILE} </dev/null || \ + fail ${PID} "3. 
handshake with RSA should have succeeded!" + +@@ -82,13 +82,13 @@ + fail ${PID} "3. the certificate used by server was not the expected" + fi + +-timeout 1800 datefudge "2017-08-9" \ ++timeout 1800 faketime "2017-08-9" \ + "${CLI}" -p "${PORT}" localhost --x509cafile ${CAFILE} --priority "NORMAL:-KX-ALL:+ECDHE-RSA:+SIGN-RSA-SHA256:+SIGN-RSA-PSS-RSAE-SHA256" --save-cert ${TMPFILE} </dev/null || \ + fail ${PID} "4. handshake with RSA should have succeeded!" + + + # check whether the server used the RSA-PSS certificate when we asked for RSA-PSS signature +-timeout 1800 datefudge "2017-08-9" \ ++timeout 1800 faketime "2017-08-9" \ + "${CLI}" -p "${PORT}" localhost --x509cafile ${CAFILE} --priority "NORMAL:-KX-ALL:+ECDHE-RSA:-SIGN-ALL:+SIGN-RSA-PSS-SHA256" --save-cert ${TMPFILE} </dev/null || \ + fail ${PID} "4. handshake with RSA-PSS and SHA256 should have succeeded!" + +--- a/tests/server-weak-keys.sh ++++ b/tests/server-weak-keys.sh +@@ -58,11 +58,11 @@ + PID=$! + wait_server ${PID} + +-timeout 1800 datefudge "2019-12-20" \ ++timeout 1800 faketime "2019-12-20" \ + "${CLI}" -d 4 -p "${PORT}" localhost --x509cafile ${CERT1} --priority NORMAL:-VERS-TLS-ALL:+VERS-TLS1.2 </dev/null && \ + fail ${PID} "1. handshake with RSA should have failed!" + +-timeout 1800 datefudge "2019-12-20" \ ++timeout 1800 faketime "2019-12-20" \ + "${CLI}" -d 4 -p "${PORT}" localhost --x509cafile ${CERT1} --priority NORMAL </dev/null && \ + fail ${PID} "2. handshake with RSA should have failed!" 
+ +--- a/tests/system-override-profiles.sh ++++ b/tests/system-override-profiles.sh +@@ -62,17 +62,17 @@ + export GNUTLS_DEBUG_LEVEL=3 + unset GNUTLS_SYSTEM_PRIORITY_FILE + +-datefudge "2017-11-22" \ ++faketime "2017-11-22" \ + "${CLI}" -p "${PORT}" 127.0.0.1 --priority NORMAL --verify-hostname localhost --x509cafile "${srcdir}/certs/ca-cert-ecc.pem" --logfile ${TMPFILE2} </dev/null >/dev/null || + fail "expected connection to succeed (1)" + + export GNUTLS_SYSTEM_PRIORITY_FILE="${TMPFILE}" + +-datefudge "2017-11-22" \ ++faketime "2017-11-22" \ + "${CLI}" -p "${PORT}" 127.0.0.1 --priority NORMAL:%PROFILE_LOW --verify-hostname localhost --x509cafile "${srcdir}/certs/ca-cert-ecc.pem" --logfile ${TMPFILE2} </dev/null >/dev/null || + fail "expected connection to succeed (2)" + +-datefudge "2017-11-22" \ ++faketime "2017-11-22" \ + "${CLI}" -p "${PORT}" 127.0.0.1 --priority NORMAL:%PROFILE_MEDIUM --verify-hostname localhost --x509cafile "${srcdir}/certs/ca-cert-ecc.pem" --logfile ${TMPFILE2} </dev/null >/dev/null || + fail "expected connection to succeed (3)" + +@@ -85,17 +85,17 @@ + + unset GNUTLS_SYSTEM_PRIORITY_FILE + +-datefudge "2017-11-22" \ ++faketime "2017-11-22" \ + "${CLI}" -p "${PORT}" 127.0.0.1 --priority NORMAL --verify-hostname localhost --x509cafile "${srcdir}/certs/ca-cert-ecc.pem" --logfile ${TMPFILE2} </dev/null >/dev/null || + fail "expected connection to succeed (1)" + + export GNUTLS_SYSTEM_PRIORITY_FILE="${TMPFILE}" + +-datefudge "2017-11-22" \ ++faketime "2017-11-22" \ + "${CLI}" -p "${PORT}" 127.0.0.1 --priority NORMAL:%PROFILE_LOW --verify-hostname localhost --x509cafile "${srcdir}/certs/ca-cert-ecc.pem" --logfile ${TMPFILE2} </dev/null >/dev/null && + fail "expected connection to fail (1)" + +-datefudge "2017-11-22" \ ++faketime "2017-11-22" \ + "${CLI}" -p "${PORT}" 127.0.0.1 --priority NORMAL:%PROFILE_MEDIUM --verify-hostname localhost --x509cafile "${srcdir}/certs/ca-cert-ecc.pem" --logfile ${TMPFILE2} </dev/null >/dev/null && + fail 
"expected connection to fail (2)" + +--- a/tests/system-override-tls.sh ++++ b/tests/system-override-tls.sh +@@ -53,11 +53,11 @@ + #successful case, test whether the ciphers we disable below work + echo "Sanity testing" + +-datefudge "2017-11-22" \ ++faketime "2017-11-22" \ + "${CLI}" -p "${PORT}" 127.0.0.1 --priority NORMAL:-CIPHER-ALL:+AES-128-GCM:-GROUP-ALL:+GROUP-FFDHE2048 --verify-hostname localhost --x509cafile "${srcdir}/certs/ca-cert-ecc.pem" </dev/null >/dev/null || + fail ${PID} "stage1: expected connection to succeed (1)" + +-datefudge "2017-11-22" \ ++faketime "2017-11-22" \ + "${CLI}" -p "${PORT}" 127.0.0.1 --priority NORMAL:-VERS-ALL:+VERS-TLS1.2:-CIPHER-ALL:+AES-128-CBC:+AES-256-CBC:-MAC-ALL:+SHA1 --verify-hostname localhost --x509cafile "${srcdir}/certs/ca-cert-ecc.pem" </dev/null >/dev/null || + fail ${PID} "stage1: expected connection to succeed (2)" + +@@ -76,43 +76,43 @@ + + echo "Testing TLS1.3" + echo " * sanity" +-datefudge "2017-11-22" \ ++faketime "2017-11-22" \ + "${CLI}" -p "${PORT}" 127.0.0.1 --priority NORMAL --verify-hostname localhost --x509cafile "${srcdir}/certs/ca-cert-ecc.pem" </dev/null >/dev/null || + fail ${PID} "stage2: expected connection to succeed (1)" + + echo " * fallback to good options" +-datefudge "2017-11-22" \ ++faketime "2017-11-22" \ + "${CLI}" -p "${PORT}" 127.0.0.1 --priority NORMAL:-CIPHER-ALL:+AES-128-GCM:+AES-256-GCM:-GROUP-ALL:+GROUP-FFDHE2048:+GROUP-FFDHE3072 --verify-hostname localhost --x509cafile "${srcdir}/certs/ca-cert-ecc.pem" </dev/null >/dev/null || + fail ${PID} "stage2: expected connection to succeed (2)" + + echo " * disabled cipher" +-datefudge "2017-11-22" \ ++faketime "2017-11-22" \ + "${CLI}" -p "${PORT}" 127.0.0.1 --priority NORMAL:-CIPHER-ALL:+AES-128-GCM --verify-hostname localhost --x509cafile "${srcdir}/certs/ca-cert-ecc.pem" </dev/null && #>/dev/null && + fail ${PID} "stage2: expected connection to fail (1)" + + echo " * disabled group" +-datefudge "2017-11-22" \ ++faketime "2017-11-22" 
\ + "${CLI}" -p "${PORT}" 127.0.0.1 --priority NORMAL:-GROUP-ALL:+GROUP-FFDHE2048 --verify-hostname localhost --x509cafile "${srcdir}/certs/ca-cert-ecc.pem" </dev/null >/dev/null && + fail ${PID} "stage2: expected connection to fail (2)" + + echo "Testing TLS1.2" + echo " * sanity" +-datefudge "2017-11-22" \ ++faketime "2017-11-22" \ + "${CLI}" -p "${PORT}" 127.0.0.1 --priority NORMAL:-VERS-ALL:+VERS-TLS1.2 --verify-hostname localhost --x509cafile "${srcdir}/certs/ca-cert-ecc.pem" </dev/null >/dev/null || + fail ${PID} "stage3: expected connection to succeed (1)" + + echo " * fallback to good options" +-datefudge "2017-11-22" \ ++faketime "2017-11-22" \ + "${CLI}" -p "${PORT}" 127.0.0.1 --priority NORMAL:-VERS-ALL:+VERS-TLS1.2:-CIPHER-ALL:+AES-128-CBC:+AES-256-CBC:+AES-256-GCM:-MAC-ALL:+SHA1:+AEAD --verify-hostname localhost --x509cafile "${srcdir}/certs/ca-cert-ecc.pem" </dev/null >/dev/null || + fail ${PID} "stage3: expected connection to succeed (2)" + + echo " * disabled cipher" +-datefudge "2017-11-22" \ ++faketime "2017-11-22" \ + "${CLI}" -p "${PORT}" 127.0.0.1 --priority NORMAL:-VERS-ALL:+VERS-TLS1.2:-CIPHER-ALL:+AES-128-CBC --verify-hostname localhost --x509cafile "${srcdir}/certs/ca-cert-ecc.pem" </dev/null >/dev/null && + fail ${PID} "stage3: expected connection to fail (1)" + + echo " * disabled MAC" +-datefudge "2017-11-22" \ ++faketime "2017-11-22" \ + "${CLI}" -p "${PORT}" 127.0.0.1 --priority NORMAL:-VERS-ALL:+VERS-TLS1.2:-MAC-ALL:+SHA1 --verify-hostname localhost --x509cafile "${srcdir}/certs/ca-cert-ecc.pem" </dev/null >/dev/null && + fail ${PID} "stage3: expected connection to fail (2)" + +--- a/tests/testpkcs11.sh ++++ b/tests/testpkcs11.sh +@@ -67,7 +67,7 @@ + P11TOOL="${VALGRIND} ${P11TOOL} --batch" + SERV="${SERV} -q" + +-TESTDATE=2020-12-01 ++TESTDATE="2020-12-01 00:00:00" + + . ${srcdir}/scripts/common.sh + +@@ -562,7 +562,7 @@ + pubkey="$5" + + echo -n "* Generating client certificate... 
" +- datefudge -s "$TESTDATE" \ ++ faketime -f "$TESTDATE" \ + "${CERTTOOL}" ${CERTTOOL_PARAM} ${ADDITIONAL_PARAM} --generate-certificate --load-ca-privkey "${cakey}" --load-ca-certificate "${cacert}" \ + --template ${srcdir}/testpkcs11-certs/client-tmpl --load-privkey "${token};object=gnutls-client;object-type=private" \ + --load-pubkey "$pubkey" --outfile tmp-client.crt >>"${LOGFILE}" 2>&1 +@@ -940,7 +940,7 @@ + echo -n "* Using PKCS #11 with gnutls-cli (${txt})... " + # start server + eval "${GETPORT}" +- launch_bare_server datefudge -s "$TESTDATE" \ ++ launch_bare_server faketime -f "$TESTDATE" \ + $VALGRIND $SERV $DEBUG -p "$PORT" \ + ${ADDITIONAL_PARAM} --debug 10 --echo --priority NORMAL --x509certfile="${certfile}" \ + --x509keyfile="$keyfile" --x509cafile="${cafile}" \ +@@ -950,16 +950,16 @@ + wait_server ${PID} + + # connect to server using SC +- datefudge -s "$TESTDATE" \ ++ faketime -f "$TESTDATE" \ + ${VALGRIND} "${CLI}" ${ADDITIONAL_PARAM} -p "${PORT}" localhost --priority NORMAL --x509cafile="${cafile}" </dev/null >>"${LOGFILE}" 2>&1 && \ + fail ${PID} "Connection should have failed!" + +- datefudge -s "$TESTDATE" \ ++ faketime -f "$TESTDATE" \ + ${VALGRIND} "${CLI}" ${ADDITIONAL_PARAM} -p "${PORT}" localhost --priority NORMAL --x509certfile="${certfile}" \ + --x509keyfile="$keyfile" --x509cafile="${cafile}" </dev/null >>"${LOGFILE}" 2>&1 || \ + fail ${PID} "Connection (with files) should have succeeded!" + +- datefudge -s "$TESTDATE" \ ++ faketime -f "$TESTDATE" \ + ${VALGRIND} "${CLI}" ${ADDITIONAL_PARAM} -p "${PORT}" localhost --priority NORMAL --x509certfile="${token};object=gnutls-client;object-type=cert" \ + --x509keyfile="${token};object=gnutls-client;object-type=private" \ + --x509cafile="${cafile}" </dev/null >>"${LOGFILE}" 2>&1 || \ diff --git a/debian/patches/series b/debian/patches/series index eb1315c..67535af 100644 --- a/debian/patches/series +++ b/debian/patches/series 
@@ -3,3 +3,4 @@ 40_srptest_doubletimeout.diff 50_Fix-removal-of-duplicate-certs-during-verification.patch 51_add-gnulib-linkedhash-list-module.diff +replace-datefudge-with-faketime.diff diff --git a/debian/tests/control b/debian/tests/control index 7cc0ef3..cd83bd0 100644 --- a/debian/tests/control +++ b/debian/tests/control @@ -2,7 +2,7 @@ Tests: run-upstream-testsuite Depends: build-essential, ca-certificates, - datefudge, + faketime, freebsd-net-tools [kfreebsd-i386 kfreebsd-amd64], net-tools [!kfreebsd-i386 !kfreebsd-amd64], openssl, -- 2.39.1
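Review bot: In tests/ocsp-tests/ocsp-must-staple-connection.sh, the hunks at @@ -308,7 and @@ -368,7 leave the variable unquoted in `faketime -f ${EXP_OCSP_DATE} \`, while the hunk at @@ -75,9 of the same file changes EXP_OCSP_DATE to "2016-03-27 00:00:00". With the embedded space the shell splits the expansion into two words, so -f receives only 2016-03-27 and 00:00:00 ends up in the position of the command to run. Please quote it as `faketime -f "${EXP_OCSP_DATE}" \`, as the other -f calls in this file already do for CERTDATE and TESTDATE. It is worth checking whether this explains the test failure mentioned in the cover text.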
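Review bot: Both hunks in tests/rsa-md5-collision/rsa-md5-collision.sh pass `faketime -f "2006-10-1 00:00:00"`, which is not the zero-padded 'YYYY-MM-DD HH:MM:SS' form that the patch description gives for -f. The old free-form value was carried over with only the time appended. Writing "2006-10-01 00:00:00" keeps every -f argument in the documented format and avoids depending on how leniently the day field is parsed.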
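Review bot: The check_for_datefudge hunk in tests/scripts/common.sh removes the SKIP_DATEFUDGE_CHECK early return, but nothing in the visible part of the patch touches the places that set that variable. Please grep the packaging and CI files for remaining assignments and drop them in the same change, otherwise they become silent no-ops. In addition, the probe only exercises `faketime -f "2006-09-23 00:00:00"`, whereas many converted call sites use the plain `faketime "DATE"` form without -f. Either add a second probe for that form or add a short comment explaining why one probe is enough for skip_if_no_datefudge.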