Call for testing: OpenSSH-5.4

[Damien Miller]

On Mon, 1 Mar 2010, Iain Morgan wrote:

> On OS X (Intel), the snapshot builds but fails the regression tests:
> 
> certified host keys: test host cert connect cert not yet valid expect failure
> Invalid certificate time 20200101
> couldn't sign cert_host_key_rsa
> certified host keys: test host cert connect cert expired expect failure
> Invalid certificate time 19800101
> couldn't sign cert_host_key_rsa

Thanks for the report, this problem is now fixed in CVS and will be in
tomorrow's snapshot. If you can't wait or are curious, then this is the
diff:

Index: ssh-keygen.c
===================================================================
RCS file: /var/cvs/openssh/ssh-keygen.c,v
retrieving revision 1.192
diff -u -r1.192 ssh-keygen.c
--- ssh-keygen.c	26 Feb 2010 20:55:06 -0000	1.192
+++ ssh-keygen.c	2 Mar 2010 23:05:12 -0000
@@ -1243,13 +1243,29 @@
 {
 	struct tm tm;
 	time_t tt;
+	char buf[32], *fmt;
 
-	if (strlen(s) != 8 && strlen(s) != 14)
+	/*
+	 * POSIX strptime says "The application shall ensure that there 
+	 * is white-space or other non-alphanumeric characters between
+	 * any two conversion specifications" so arrange things this way.
+	 */
+	switch (strlen(s)) {
+	case 8:
+		fmt = "%Y/%m/%d";
+		snprintf(buf, sizeof(buf), "%.4s/%.2s/%.2s", s, s + 4, s + 6);
+		break;
+	case 14:
+		fmt = "%Y/%m/%d %H:%M:%S";
+		snprintf(buf, sizeof(buf), "%.4s/%.2s/%.2s %.2s:%.2s:%.2s",
+		    s, s + 4, s + 6, s + 8, s + 10, s + 12);
+		break;
+	default:
 		fatal("Invalid certificate time format %s", s);
+	}
 
 	bzero(&tm, sizeof(tm));
-	if (strptime(s,
-	    strlen(s) == 8 ? "%Y%m%d" : "%Y%m%d%H%M%S", &tm) == NULL)
+	if (strptime(buf, fmt, &tm) == NULL)
 		fatal("Invalid certificate time %s", s);
 	if ((tt = mktime(&tm)) < 0)
 		fatal("Certificate time %s cannot be represented", s);