[openssh-commits] [openssh] 05/06: upstream commit

git+noreply at mindrot.org git+noreply at mindrot.org
Fri Nov 3 16:20:51 AEDT 2017


This is an automated email from the git hooks/post-receive script.

djm pushed a commit to branch master
in repository openssh.

commit d52131a98316e76c0caa348f09bf6f7b9b01a1b9
Author: djm at openbsd.org@openbsd.org <djm at openbsd.org@openbsd.org>
Date:   Fri Nov 3 05:14:04 2017 +0000

    upstream commit
    
    allow certificate validity intervals that specify only a
    start or stop time (we already support specifying both or neither)
    
    OpenBSD-Commit-ID: 9be486545603c003030bdb5c467d1318b46b4e42
---
 ssh-keygen.1 | 23 ++++++++++++++++-------
 ssh-keygen.c | 12 ++++++++----
 2 files changed, 24 insertions(+), 11 deletions(-)

diff --git a/ssh-keygen.1 b/ssh-keygen.1
index 5f1ec09b..0ade33de 100644
--- a/ssh-keygen.1
+++ b/ssh-keygen.1
@@ -1,4 +1,4 @@
-.\"	$OpenBSD: ssh-keygen.1,v 1.144 2017/07/08 18:32:54 jmc Exp $
+.\"	$OpenBSD: ssh-keygen.1,v 1.145 2017/11/03 05:14:04 djm Exp $
 .\"
 .\" Author: Tatu Ylonen <ylo at cs.hut.fi>
 .\" Copyright (c) 1995 Tatu Ylonen <ylo at cs.hut.fi>, Espoo, Finland
@@ -35,7 +35,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: July 8 2017 $
+.Dd $Mdocdate: November 3 2017 $
 .Dt SSH-KEYGEN 1
 .Os
 .Sh NAME
@@ -584,13 +584,20 @@ Specify a validity interval when signing a certificate.
 A validity interval may consist of a single time, indicating that the
 certificate is valid beginning now and expiring at that time, or may consist
 of two times separated by a colon to indicate an explicit time interval.
-The start time may be specified as a date in YYYYMMDD format, a time
-in YYYYMMDDHHMMSS format or a relative time (to the current time) consisting
-of a minus sign followed by a relative time in the format described in the
+.Pp
+The start time may be specified as the string
+.Dq always
+to indicate the certificate has no specified start time,
+a date in YYYYMMDD format, a time in YYYYMMDDHHMMSS format,
+a relative time (to the current time) consisting of a minus sign followed by
+an interval in the format described in the
 TIME FORMATS section of
 .Xr sshd_config 5 .
-The end time may be specified as a YYYYMMDD date, a YYYYMMDDHHMMSS time or
-a relative time starting with a plus character.
+.Pp
+The end time may be specified as a YYYYMMDD date, a YYYYMMDDHHMMSS time,
+a relative time starting with a plus character or the string
+.Dq forever
+to indicate that the certificate has no expirty date.
 .Pp
 For example:
 .Dq +52w1d
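Review bot: typo on the added line "to indicate that the certificate has no expirty date."; it should read "expiry". While this paragraph is being reworked, the text could also say whether "always" and "forever" are accepted only in the two-part from:to form, because the unchanged sentence above still describes a single time as "valid beginning now and expiring at that time" and the new wording does not say what a lone "forever" means.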
@@ -601,6 +608,8 @@ For example:
 (valid from 12:30 PM, January 1st, 2010 to 12:30 PM, January 1st, 2011),
 .Dq -1d:20110101
 (valid from yesterday to midnight, January 1st, 2011).
+.Dq -1m:forever
+(valid from one minute ago and never expiring).
 .It Fl v
 Verbose mode.
 Causes
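Review bot: the new "-1m:forever" example is appended after an entry that still ends in a full stop, "(valid from yesterday to midnight, January 1st, 2011).", so the example list now ends in a stray sentence fragment. Change that full stop to a comma so the new entry becomes the last item of the list. An example using "always" as the start time would cover the other keyword this commit introduces.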
diff --git a/ssh-keygen.c b/ssh-keygen.c
index 835f7d01..02f9b3fb 100644
--- a/ssh-keygen.c
+++ b/ssh-keygen.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-keygen.c,v 1.307 2017/07/07 03:53:12 djm Exp $ */
+/* $OpenBSD: ssh-keygen.c,v 1.308 2017/11/03 05:14:04 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo at cs.hut.fi>
  * Copyright (c) 1994 Tatu Ylonen <ylo at cs.hut.fi>, Espoo, Finland
@@ -1832,7 +1832,7 @@ parse_absolute_time(const char *s)
 		    s, s + 4, s + 6, s + 8, s + 10, s + 12);
 		break;
 	default:
-		fatal("Invalid certificate time format %s", s);
+		fatal("Invalid certificate time format \"%s\"", s);
 	}
 
 	memset(&tm, 0, sizeof(tm));
@@ -1865,8 +1865,8 @@ parse_cert_times(char *timespec)
 
 	/*
 	 * from:to, where
-	 * from := [+-]timespec | YYYYMMDD | YYYYMMDDHHMMSS
-	 *   to := [+-]timespec | YYYYMMDD | YYYYMMDDHHMMSS
+	 * from := [+-]timespec | YYYYMMDD | YYYYMMDDHHMMSS | "always"
+	 *   to := [+-]timespec | YYYYMMDD | YYYYMMDDHHMMSS | "forever"
 	 */
 	from = xstrdup(timespec);
 	to = strchr(from, ':');
@@ -1876,11 +1876,15 @@ parse_cert_times(char *timespec)
 
 	if (*from == '-' || *from == '+')
 		cert_valid_from = parse_relative_time(from, now);
+	else if (strcmp(from, "always") == 0)
+		cert_valid_from = 0;
 	else
 		cert_valid_from = parse_absolute_time(from);
 
 	if (*to == '-' || *to == '+')
 		cert_valid_to = parse_relative_time(to, now);
+	else if (strcmp(to, "forever") == 0)
+		cert_valid_to = ~(u_int64_t)0;
 	else
 		cert_valid_to = parse_absolute_time(to);
 
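Review bot: the two new branches assign bare sentinel values, "cert_valid_from = 0;" and "cert_valid_to = ~(u_int64_t)0;", with no comment that they mean "no start bound" and "no expiry". A one-line comment or a pair of named constants would make that intent explicit. The keywords are also positional and matched with a case-sensitive strcmp(): "forever" given as the start, or "always" given as the end, falls through to parse_absolute_time(). If that is intended, the man page text should say so. Any range check on cert_valid_from and cert_valid_to sits outside the lines shown here, so it is worth confirming that it accepts the all-ones upper bound.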

-- 
To stop receiving notification emails like this one, please contact
djm at mindrot.org.

