authordjm@openbsd.org <djm@openbsd.org>2018-03-12 00:52:01 +0000
committerDamien Miller <djm@mindrot.org>2018-03-14 18:55:32 +1100
commitbf0fbf2b11a44f06a64b620af7d01ff171c28e13 (patch)
treebebb13975a12e80a295cafeec72417a6911ea750 /ssh-keygen.c
parentfbd733ab7adc907118a6cf56c08ed90c7000043f (diff)
upstream: add valid-before="[time]" authorized_keys option. A
simple way of giving a key an expiry date. ok markus@ OpenBSD-Commit-ID: 1793b4dd5184fa87f42ed33c7b0f4f02bc877947
Diffstat (limited to 'ssh-keygen.c')
-rw-r--r--ssh-keygen.c44
1 files changed, 5 insertions, 39 deletions
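--- a/ssh-keygen.c
+++ b/ssh-keygen.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-keygen.c,v 1.313 2018/02/23 15:58:38 markus Exp $ */
+/* $OpenBSD: ssh-keygen.c,v 1.314 2018/03/12 00:52:01 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -1798,40 +1798,6 @@ parse_relative_time(const char *s, time_t now)
 	return now + (u_int64_t)(secs * mul);
 }
 
-static u_int64_t
-parse_absolute_time(const char *s)
-{
-	struct tm tm;
-	time_t tt;
-	char buf[32], *fmt;
-
-	/*
-	 * POSIX strptime says "The application shall ensure that there
-	 * is white-space or other non-alphanumeric characters between
-	 * any two conversion specifications" so arrange things this way.
-	 */
-	switch (strlen(s)) {
-	case 8:
-		fmt = "%Y-%m-%d";
-		snprintf(buf, sizeof(buf), "%.4s-%.2s-%.2s", s, s + 4, s + 6);
-		break;
-	case 14:
-		fmt = "%Y-%m-%dT%H:%M:%S";
-		snprintf(buf, sizeof(buf), "%.4s-%.2s-%.2sT%.2s:%.2s:%.2s",
-		    s, s + 4, s + 6, s + 8, s + 10, s + 12);
-		break;
-	default:
-		fatal("Invalid certificate time format \"%s\"", s);
-	}
-
-	memset(&tm, 0, sizeof(tm));
-	if (strptime(buf, fmt, &tm) == NULL)
-		fatal("Invalid certificate time %s", s);
-	if ((tt = mktime(&tm)) < 0)
-		fatal("Certificate time %s cannot be represented", s);
-	return (u_int64_t)tt;
-}
-
 static void
 parse_cert_times(char *timespec)
 {
@@ -1867,15 +1833,15 @@ parse_cert_times(char *timespec)
 		cert_valid_from = parse_relative_time(from, now);
 	else if (strcmp(from, "always") == 0)
 		cert_valid_from = 0;
-	else
-		cert_valid_from = parse_absolute_time(from);
+	else if (parse_absolute_time(from, &cert_valid_from) != 0)
+		fatal("Invalid from time \"%s\"", from);
 
 	if (*to == '-' || *to == '+')
 		cert_valid_to = parse_relative_time(to, now);
 	else if (strcmp(to, "forever") == 0)
 		cert_valid_to = ~(u_int64_t)0;
-	else
-		cert_valid_to = parse_absolute_time(to);
+	else if (parse_absolute_time(to, &cert_valid_to) != 0)
+		fatal("Invalid to time \"%s\"", to);
 
 	if (cert_valid_to <= cert_valid_from)
 		fatal("Empty certificate validity interval");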
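Review bot: The new `else if` branches at 1836 and 1843 fold every failure of parse_absolute_time() into a single "Invalid from/to time" message, whereas the in-file implementation removed by this commit distinguished a malformed string ("Invalid certificate time format"), a string strptime() rejected, and a date mktime() could not represent; if the relocated function still tells those apart via its return value, the fatal() calls here discard that. Naming the accepted shapes in the message would recover most of the lost guidance, e.g. `fatal("Invalid from time \"%s\" (expected YYYYMMDD or YYYYMMDDHHMMSS)", from);` — those are the two lengths the removed switch accepted, which should be confirmed against the moved implementation before copying them. The return contract of the relocated parse_absolute_time() is not visible in this hunk; a one-line comment at the first call site such as `/* parse_absolute_time() returns 0 on success, non-zero on any parse or range error */` would save the next reader a lookup. parse_cert_times() begins before this hunk, at new line 1802.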