author | djm@openbsd.org <djm@openbsd.org> | 2018-03-12 00:52:01 +0000 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2018-03-14 18:55:32 +1100 |
commit | bf0fbf2b11a44f06a64b620af7d01ff171c28e13 (patch) | |
tree | bebb13975a12e80a295cafeec72417a6911ea750 /ssh-keygen.c | |
parent | fbd733ab7adc907118a6cf56c08ed90c7000043f (diff) |
upstream: add valid-before="[time]" authorized_keys option. A
simple way of giving a key an expiry date. ok markus@
OpenBSD-Commit-ID: 1793b4dd5184fa87f42ed33c7b0f4f02bc877947
Diffstat (limited to 'ssh-keygen.c')
-rw-r--r-- | ssh-keygen.c | 44 |
1 files changed, 5 insertions, 39 deletions
diff --git a/ssh-keygen.c b/ssh-keygen.c index d80930eeb..9aac64fc3 100644 --- a/ssh-keygen.c +++ b/ssh-keygen.c | |||
@@ -1,4 +1,4 @@ | |||
1 | /* $OpenBSD: ssh-keygen.c,v 1.313 2018/02/23 15:58:38 markus Exp $ */ | 1 | /* $OpenBSD: ssh-keygen.c,v 1.314 2018/03/12 00:52:01 djm Exp $ */ |
2 | /* | 2 | /* |
3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
4 | * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
@@ -1798,40 +1798,6 @@ parse_relative_time(const char *s, time_t now) | |||
1798 | return now + (u_int64_t)(secs * mul); | 1798 | return now + (u_int64_t)(secs * mul); |
1799 | } | 1799 | } |
1800 | 1800 | ||
1801 | static u_int64_t | ||
1802 | parse_absolute_time(const char *s) | ||
1803 | { | ||
1804 | struct tm tm; | ||
1805 | time_t tt; | ||
1806 | char buf[32], *fmt; | ||
1807 | |||
1808 | /* | ||
1809 | * POSIX strptime says "The application shall ensure that there | ||
1810 | * is white-space or other non-alphanumeric characters between | ||
1811 | * any two conversion specifications" so arrange things this way. | ||
1812 | */ | ||
1813 | switch (strlen(s)) { | ||
1814 | case 8: | ||
1815 | fmt = "%Y-%m-%d"; | ||
1816 | snprintf(buf, sizeof(buf), "%.4s-%.2s-%.2s", s, s + 4, s + 6); | ||
1817 | break; | ||
1818 | case 14: | ||
1819 | fmt = "%Y-%m-%dT%H:%M:%S"; | ||
1820 | snprintf(buf, sizeof(buf), "%.4s-%.2s-%.2sT%.2s:%.2s:%.2s", | ||
1821 | s, s + 4, s + 6, s + 8, s + 10, s + 12); | ||
1822 | break; | ||
1823 | default: | ||
1824 | fatal("Invalid certificate time format \"%s\"", s); | ||
1825 | } | ||
1826 | |||
1827 | memset(&tm, 0, sizeof(tm)); | ||
1828 | if (strptime(buf, fmt, &tm) == NULL) | ||
1829 | fatal("Invalid certificate time %s", s); | ||
1830 | if ((tt = mktime(&tm)) < 0) | ||
1831 | fatal("Certificate time %s cannot be represented", s); | ||
1832 | return (u_int64_t)tt; | ||
1833 | } | ||
1834 | |||
1835 | static void | 1801 | static void |
1836 | parse_cert_times(char *timespec) | 1802 | parse_cert_times(char *timespec) |
1837 | { | 1803 | { |
@@ -1867,15 +1833,15 @@ parse_cert_times(char *timespec) | |||
1867 | cert_valid_from = parse_relative_time(from, now); | 1833 | cert_valid_from = parse_relative_time(from, now); |
1868 | else if (strcmp(from, "always") == 0) | 1834 | else if (strcmp(from, "always") == 0) |
1869 | cert_valid_from = 0; | 1835 | cert_valid_from = 0; |
1870 | else | 1836 | else if (parse_absolute_time(from, &cert_valid_from) != 0) |
1871 | cert_valid_from = parse_absolute_time(from); | 1837 | fatal("Invalid from time \"%s\"", from); |
1872 | 1838 | ||
1873 | if (*to == '-' || *to == '+') | 1839 | if (*to == '-' || *to == '+') |
1874 | cert_valid_to = parse_relative_time(to, now); | 1840 | cert_valid_to = parse_relative_time(to, now); |
1875 | else if (strcmp(to, "forever") == 0) | 1841 | else if (strcmp(to, "forever") == 0) |
1876 | cert_valid_to = ~(u_int64_t)0; | 1842 | cert_valid_to = ~(u_int64_t)0; |
1877 | else | 1843 | else if (parse_absolute_time(to, &cert_valid_to) != 0) |
1878 | cert_valid_to = parse_absolute_time(to); | 1844 | fatal("Invalid to time \"%s\"", to); |
1879 | 1845 | ||
1880 | if (cert_valid_to <= cert_valid_from) | 1846 | if (cert_valid_to <= cert_valid_from) |
1881 | fatal("Empty certificate validity interval"); | 1847 | fatal("Empty certificate validity interval"); |
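Review bot: The new error handling at 1836–1837 and 1843–1844 folds the two distinct failures the removed in-file parser used to report (bad format versus a date that mktime() could not represent, old lines 1824 and 1831) into one `fatal("Invalid from time \"%s\"", from)`, so a well-formed but unrepresentable date now gets the same message as a typo. Unless the relocated parse_absolute_time() reports the reason itself (its new definition and prototype are not in this diff, so I cannot tell), consider keeping the hint in the message, e.g. `fatal("Invalid from time \"%s\" (expected YYYYMMDD or YYYYMMDDHHMMSS)", from);` and the same for the "to" branch. The zero-means-success, result-via-pointer contract is also not obvious at the call site; a short comment before the first call would help: `/* parse_absolute_time() returns 0 on success and stores the epoch time via its second argument */`. parse_cert_times() begins before this hunk and its closing lines are not shown here.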