diff options
| author | djm@openbsd.org <djm@openbsd.org> | 2021-07-23 03:37:52 +0000 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2021-07-23 14:07:19 +1000 |
| commit | d0bb1ce731762c55acb95817df4d5fab526c7ecd (patch) | |
| tree | d842850a20b4d61cd15e7ff9c9dc6474831797ca /sshkey.c | |
| parent | 44142068dc7ef783d135e91ff954e754d2ed432e (diff) | |
| download | openssh-git-d0bb1ce731762c55acb95817df4d5fab526c7ecd.tar.gz | |
upstream: Let allowed signers files used by ssh-keygen(1)
signatures support key lifetimes, and allow the verification mode to specify
a signature time to check at. This is intended for use by git to support
signing objects using ssh keys. ok dtucker@
OpenBSD-Commit-ID: 3e2c67b7dcd94f0610194d1e8e4907829a40cf31
Diffstat (limited to 'sshkey.c')
| -rw-r--r-- | sshkey.c | 32 |
1 files changed, 21 insertions, 11 deletions
@@ -1,4 +1,4 @@ -/* $OpenBSD: sshkey.c,v 1.118 2021/07/12 06:08:57 dtucker Exp $ */ +/* $OpenBSD: sshkey.c,v 1.119 2021/07/23 03:37:52 djm Exp $ */ /* * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. * Copyright (c) 2008 Alexander von Gernler. All rights reserved. @@ -3077,10 +3077,9 @@ sshkey_certify(struct sshkey *k, struct sshkey *ca, const char *alg, int sshkey_cert_check_authority(const struct sshkey *k, int want_host, int require_principal, int wildcard_pattern, - const char *name, const char **reason) + uint64_t verify_time, const char *name, const char **reason) { u_int i, principal_matches; - time_t now = time(NULL); if (reason == NULL) return SSH_ERR_INVALID_ARGUMENT; @@ -3099,16 +3098,11 @@ sshkey_cert_check_authority(const struct sshkey *k, return SSH_ERR_KEY_CERT_INVALID; } } - if (now < 0) { - /* yikes - system clock before epoch! */ - *reason = "Certificate invalid: not yet valid"; - return SSH_ERR_KEY_CERT_INVALID; - } - if ((u_int64_t)now < k->cert->valid_after) { + if (verify_time < k->cert->valid_after) { *reason = "Certificate invalid: not yet valid"; return SSH_ERR_KEY_CERT_INVALID; } - if ((u_int64_t)now >= k->cert->valid_before) { + if (verify_time >= k->cert->valid_before) { *reason = "Certificate invalid: expired"; return SSH_ERR_KEY_CERT_INVALID; } @@ -3141,13 +3135,29 @@ sshkey_cert_check_authority(const struct sshkey *k, } int +sshkey_cert_check_authority_now(const struct sshkey *k, + int want_host, int require_principal, int wildcard_pattern, + const char *name, const char **reason) +{ + time_t now; + + if ((now = time(NULL)) < 0) { + /* yikes - system clock before epoch! */ + *reason = "Certificate invalid: not yet valid"; + return SSH_ERR_KEY_CERT_INVALID; + } + return sshkey_cert_check_authority(k, want_host, require_principal, + wildcard_pattern, (uint64_t)now, name, reason); +} + +int sshkey_cert_check_host(const struct sshkey *key, const char *host, int wildcard_principals, const char *ca_sign_algorithms, const char **reason) { int r; - if ((r = sshkey_cert_check_authority(key, 1, 0, wildcard_principals, + if ((r = sshkey_cert_check_authority_now(key, 1, 0, wildcard_principals, host, reason)) != 0) return r; if (sshbuf_len(key->cert->critical) != 0) { |