diff options
Diffstat (limited to 'sshkey.c')
-rw-r--r-- | sshkey.c | 32 |
1 files changed, 21 insertions, 11 deletions
@@ -1,4 +1,4 @@ -/* $OpenBSD: sshkey.c,v 1.118 2021/07/12 06:08:57 dtucker Exp $ */ +/* $OpenBSD: sshkey.c,v 1.119 2021/07/23 03:37:52 djm Exp $ */ /* * Copyright (c) 2000, 2001 Markus Friedl. All rights reserved. * Copyright (c) 2008 Alexander von Gernler. All rights reserved. @@ -3077,10 +3077,9 @@ sshkey_certify(struct sshkey *k, struct sshkey *ca, const char *alg, int sshkey_cert_check_authority(const struct sshkey *k, int want_host, int require_principal, int wildcard_pattern, - const char *name, const char **reason) + uint64_t verify_time, const char *name, const char **reason) { u_int i, principal_matches; - time_t now = time(NULL); if (reason == NULL) return SSH_ERR_INVALID_ARGUMENT; @@ -3099,16 +3098,11 @@ sshkey_cert_check_authority(const struct sshkey *k, return SSH_ERR_KEY_CERT_INVALID; } } - if (now < 0) { - /* yikes - system clock before epoch! */ - *reason = "Certificate invalid: not yet valid"; - return SSH_ERR_KEY_CERT_INVALID; - } - if ((u_int64_t)now < k->cert->valid_after) { + if (verify_time < k->cert->valid_after) { *reason = "Certificate invalid: not yet valid"; return SSH_ERR_KEY_CERT_INVALID; } - if ((u_int64_t)now >= k->cert->valid_before) { + if (verify_time >= k->cert->valid_before) { *reason = "Certificate invalid: expired"; return SSH_ERR_KEY_CERT_INVALID; } @@ -3141,13 +3135,29 @@ sshkey_cert_check_authority(const struct sshkey *k, } int +sshkey_cert_check_authority_now(const struct sshkey *k, + int want_host, int require_principal, int wildcard_pattern, + const char *name, const char **reason) +{ + time_t now; + + if ((now = time(NULL)) < 0) { + /* yikes - system clock before epoch! */ + *reason = "Certificate invalid: not yet valid"; + return SSH_ERR_KEY_CERT_INVALID; + } + return sshkey_cert_check_authority(k, want_host, require_principal, + wildcard_pattern, (uint64_t)now, name, reason); +} + +int sshkey_cert_check_host(const struct sshkey *key, const char *host, int wildcard_principals, const char *ca_sign_algorithms, const char **reason) { int r; - if ((r = sshkey_cert_check_authority(key, 1, 0, wildcard_principals, + if ((r = sshkey_cert_check_authority_now(key, 1, 0, wildcard_principals, host, reason)) != 0) return r; if (sshbuf_len(key->cert->critical) != 0) { |