
Diff for /src/usr.bin/ssh/sshkey.c between version 1.118 and 1.119

version 1.118, 2021/07/12 06:08:57 version 1.119, 2021/07/23 03:37:52
Line 3025 
Line 3025 
 int  int
 sshkey_cert_check_authority(const struct sshkey *k,  sshkey_cert_check_authority(const struct sshkey *k,
     int want_host, int require_principal, int wildcard_pattern,      int want_host, int require_principal, int wildcard_pattern,
     const char *name, const char **reason)      uint64_t verify_time, const char *name, const char **reason)
 {  {
         u_int i, principal_matches;          u_int i, principal_matches;
         time_t now = time(NULL);  
   
         if (reason == NULL)          if (reason == NULL)
                 return SSH_ERR_INVALID_ARGUMENT;                  return SSH_ERR_INVALID_ARGUMENT;
Line 3047 
Line 3046 
                         return SSH_ERR_KEY_CERT_INVALID;                          return SSH_ERR_KEY_CERT_INVALID;
                 }                  }
         }          }
         if (now < 0) {          if (verify_time < k->cert->valid_after) {
                 /* yikes - system clock before epoch! */  
                 *reason = "Certificate invalid: not yet valid";                  *reason = "Certificate invalid: not yet valid";
                 return SSH_ERR_KEY_CERT_INVALID;                  return SSH_ERR_KEY_CERT_INVALID;
         }          }
         if ((u_int64_t)now < k->cert->valid_after) {          if (verify_time >= k->cert->valid_before) {
                 *reason = "Certificate invalid: not yet valid";  
                 return SSH_ERR_KEY_CERT_INVALID;  
         }  
         if ((u_int64_t)now >= k->cert->valid_before) {  
                 *reason = "Certificate invalid: expired";                  *reason = "Certificate invalid: expired";
                 return SSH_ERR_KEY_CERT_INVALID;                  return SSH_ERR_KEY_CERT_INVALID;
         }          }
Line 3089 
Line 3083 
 }  }
   
 int  int
   sshkey_cert_check_authority_now(const struct sshkey *k,
       int want_host, int require_principal, int wildcard_pattern,
       const char *name, const char **reason)
   {
           time_t now;
   
           if ((now = time(NULL)) < 0) {
                   /* yikes - system clock before epoch! */
                   *reason = "Certificate invalid: not yet valid";
                   return SSH_ERR_KEY_CERT_INVALID;
           }
           return sshkey_cert_check_authority(k, want_host, require_principal,
               wildcard_pattern, (uint64_t)now, name, reason);
   }
   
   int
 sshkey_cert_check_host(const struct sshkey *key, const char *host,  sshkey_cert_check_host(const struct sshkey *key, const char *host,
     int wildcard_principals, const char *ca_sign_algorithms,      int wildcard_principals, const char *ca_sign_algorithms,
     const char **reason)      const char **reason)
 {  {
         int r;          int r;
   
         if ((r = sshkey_cert_check_authority(key, 1, 0, wildcard_principals,          if ((r = sshkey_cert_check_authority_now(key, 1, 0, wildcard_principals,
             host, reason)) != 0)              host, reason)) != 0)
                 return r;                  return r;
         if (sshbuf_len(key->cert->critical) != 0) {          if (sshbuf_len(key->cert->critical) != 0) {
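Review bot: The new wrapper sshkey_cert_check_authority_now writes `*reason` on its time() failure path before anything has checked `reason` for NULL, while the function it wraps rejects a NULL `reason` with SSH_ERR_INVALID_ARGUMENT only after that write would already have happened; the guard should come first in the wrapper, `if (reason == NULL) return SSH_ERR_INVALID_ARGUMENT;` ahead of the `time(NULL)` check. The new `verify_time` parameter also carries no comment on what it is expected to hold, and since callers now supply the instant the validity window is checked against, a line above the prototype such as `/* verify_time: seconds since the epoch; compared against the cert's valid_after/valid_before window */` would make that contract explicit. The body of sshkey_cert_check_authority lies mostly outside the hunks shown, and sshkey_cert_check_host continues past the last line of the section.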
