===================================================================
RCS file: /cvsrepo/anoncvs/cvs/src/usr.bin/ssh/auth-options.c,v
retrieving revision 1.76
retrieving revision 1.77
diff -u -r1.76 -r1.77
--- src/usr.bin/ssh/auth-options.c	2018/03/03 03:15:51	1.76
+++ src/usr.bin/ssh/auth-options.c	2018/03/12 00:52:01	1.77
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth-options.c,v 1.76 2018/03/03 03:15:51 djm Exp $ */
+/* $OpenBSD: auth-options.c,v 1.77 2018/03/12 00:52:01 djm Exp $ */
 /*
  * Copyright (c) 2018 Damien Miller <djm@mindrot.org>
  *
@@ -308,6 +308,7 @@
 	int r;
 	struct sshauthopt *ret = NULL;
 	const char *errstr = "unknown error";
+	uint64_t valid_before;
 
 	if (errstrp != NULL)
 		*errstrp = NULL;
@@ -363,6 +364,19 @@
 			    &errstr);
 			if (ret->required_from_host_keys == NULL)
 				goto fail;
+		} else if (opt_match(&opts, "valid-before")) {
+			if ((opt = opt_dequote(&opts, &errstr)) == NULL)
+				goto fail;
+			if (parse_absolute_time(opt, &valid_before) != 0 ||
+			    valid_before == 0) {
+				free(opt);
+				errstr = "invalid expires time";
+				goto fail;
+			}
+			free(opt);
+			if (ret->valid_before == 0 ||
+			    valid_before < ret->valid_before)
+				ret->valid_before = valid_before;
 		} else if (opt_match(&opts, "environment")) {
 			if (ret->nenv > INT_MAX) {
 				errstr = "too many environment strings";
@@ -569,6 +583,13 @@
 	OPTFLAG(permit_user_rc);
 #undef OPTFLAG
 
+	/* Earliest expiry time should win */
+	if (primary->valid_before != 0)
+		ret->valid_before = primary->valid_before;
+	if (additional->valid_before != 0 &&
+	    additional->valid_before < ret->valid_before)
+		ret->valid_before = additional->valid_before;
+
 	/*
 	 * When both multiple forced-command are specified, only
 	 * proceed if they are identical, otherwise fail.
@@ -628,6 +649,7 @@
 	OPTSCALAR(restricted);
 	OPTSCALAR(cert_authority);
 	OPTSCALAR(force_tun_device);
+	OPTSCALAR(valid_before);
 #undef OPTSCALAR
 #define OPTSTRING(x) \
 	do { \
@@ -748,14 +770,15 @@
 {
 	int r = SSH_ERR_INTERNAL_ERROR;
 
-	/* Flag options */
+	/* Flag and simple integer options */
 	if ((r = sshbuf_put_u8(m, opts->permit_port_forwarding_flag)) != 0 ||
 	    (r = sshbuf_put_u8(m, opts->permit_agent_forwarding_flag)) != 0 ||
 	    (r = sshbuf_put_u8(m, opts->permit_x11_forwarding_flag)) != 0 ||
 	    (r = sshbuf_put_u8(m, opts->permit_pty_flag)) != 0 ||
 	    (r = sshbuf_put_u8(m, opts->permit_user_rc)) != 0 ||
 	    (r = sshbuf_put_u8(m, opts->restricted)) != 0 ||
-	    (r = sshbuf_put_u8(m, opts->cert_authority)) != 0)
+	    (r = sshbuf_put_u8(m, opts->cert_authority)) != 0 ||
+	    (r = sshbuf_put_u64(m, opts->valid_before)) != 0)
 		return r;
 
 	/* tunnel number can be negative to indicate "unset" */
@@ -811,6 +834,9 @@
 	OPT_FLAG(restricted);
 	OPT_FLAG(cert_authority);
 #undef OPT_FLAG
+
+	if ((r = sshbuf_get_u64(m, &opts->valid_before)) != 0)
+		goto out;
 
 	/* tunnel number can be negative to indicate "unset" */
 	if ((r = sshbuf_get_u8(m, &f)) != 0 ||