add valid-before="[time]" authorized_keys option. A simple way of

giving a key an expiry date. ok markus@
author: djm <djm@openbsd.org> 2018-03-12 00:52:01 +0000
committer: djm <djm@openbsd.org> 2018-03-12 00:52:01 +0000
commit: 45f84e9d4711cf7e36b9180b0e226b30eae007df (patch)
tree: 33f827868ef9808f731bb61f0c8b0bf413e42a24 /usr.bin/ssh/ssh-keygen.c
parent: gre(4) supports MPLS in GRE encapsulation like rfc 4023 describes (diff)
download: wireguard-openbsd-45f84e9d4711cf7e36b9180b0e226b30eae007df.tar.xz
wireguard-openbsd-45f84e9d4711cf7e36b9180b0e226b30eae007df.zip
1 files changed, 5 insertions, 39 deletions
diff --git a/usr.bin/ssh/ssh-keygen.c b/usr.bin/ssh/ssh-keygen.c
index d57ef78d49a..a15b85c0868 100644
--- a/usr.bin/ssh/ssh-keygen.c
+++ b/usr.bin/ssh/ssh-keygen.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-keygen.c,v 1.313 2018/02/23 15:58:38 markus Exp $ */
+/* $OpenBSD: ssh-keygen.c,v 1.314 2018/03/12 00:52:01 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -1782,40 +1782,6 @@ parse_relative_time(const char *s, time_t now)
 	return now + (u_int64_t)(secs * mul);
 }
 
-static u_int64_t
-parse_absolute_time(const char *s)
-{
-	struct tm tm;
-	time_t tt;
-	char buf[32], *fmt;
-
-	/*
-	 * POSIX strptime says "The application shall ensure that there
-	 * is white-space or other non-alphanumeric characters between
-	 * any two conversion specifications" so arrange things this way.
-	 */
-	switch (strlen(s)) {
-	case 8:
-		fmt = "%Y-%m-%d";
-		snprintf(buf, sizeof(buf), "%.4s-%.2s-%.2s", s, s + 4, s + 6);
-		break;
-	case 14:
-		fmt = "%Y-%m-%dT%H:%M:%S";
-		snprintf(buf, sizeof(buf), "%.4s-%.2s-%.2sT%.2s:%.2s:%.2s",
-		    s, s + 4, s + 6, s + 8, s + 10, s + 12);
-		break;
-	default:
-		fatal("Invalid certificate time format \"%s\"", s);
-	}
-
-	memset(&tm, 0, sizeof(tm));
-	if (strptime(buf, fmt, &tm) == NULL)
-		fatal("Invalid certificate time %s", s);
-	if ((tt = mktime(&tm)) < 0)
-		fatal("Certificate time %s cannot be represented", s);
-	return (u_int64_t)tt;
-}
-
 static void
 parse_cert_times(char *timespec)
 {
@@ -1851,15 +1817,15 @@ parse_cert_times(char *timespec)
 		cert_valid_from = parse_relative_time(from, now);
 	else if (strcmp(from, "always") == 0)
 		cert_valid_from = 0;
-	else
-		cert_valid_from = parse_absolute_time(from);
+	else if (parse_absolute_time(from, &cert_valid_from) != 0)
+		fatal("Invalid from time \"%s\"", from);
 
 	if (*to == '-' || *to == '+')
 		cert_valid_to = parse_relative_time(to, now);
 	else if (strcmp(to, "forever") == 0)
 		cert_valid_to = ~(u_int64_t)0;
-	else
-		cert_valid_to = parse_absolute_time(to);
+	else if (parse_absolute_time(to, &cert_valid_to) != 0)
+		fatal("Invalid to time \"%s\"", to);
 
 	if (cert_valid_to <= cert_valid_from)
 		fatal("Empty certificate validity interval");
author	djm <djm@openbsd.org>	2018-03-12 00:52:01 +0000
committer	djm <djm@openbsd.org>	2018-03-12 00:52:01 +0000
commit	45f84e9d4711cf7e36b9180b0e226b30eae007df (patch)
tree	33f827868ef9808f731bb61f0c8b0bf413e42a24 /usr.bin/ssh/ssh-keygen.c
parent	gre(4) supports MPLS in GRE encapsulation like rfc 4023 describes (diff)
download	wireguard-openbsd-45f84e9d4711cf7e36b9180b0e226b30eae007df.tar.xz wireguard-openbsd-45f84e9d4711cf7e36b9180b0e226b30eae007df.zip