From 68db3d195d00e3f3904a7e004a4efd00fd303efb Mon Sep 17 00:00:00 2001
From: Jacob Nevins <jacobn@chiark.greenend.org.uk>
Date: Sat, 5 Nov 2022 23:55:13 +0000
Subject: [PATCH] Use correct date in cert check error.

When a host certificate was used outside its valid date range, we were
displaying the current time where we meant to show the relevant bound of
the validity range.
---
 crypto/openssh-certs.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/crypto/openssh-certs.c b/crypto/openssh-certs.c
index cf0c2af3..4cd984e8 100644
--- a/crypto/openssh-certs.c
+++ b/crypto/openssh-certs.c
@@ -1033,12 +1033,14 @@ static bool opensshcert_check_cert(
      */
     if (time < ck->valid_after) {
         put_fmt(error, "Certificate is not valid until ");
-        opensshcert_time_to_iso8601(BinarySink_UPCAST(error), time);
+        opensshcert_time_to_iso8601(BinarySink_UPCAST(error),
+                                    ck->valid_after);
         goto out;
     }
     if (time >= ck->valid_before) {
         put_fmt(error, "Certificate expired at ");
-        opensshcert_time_to_iso8601(BinarySink_UPCAST(error), time);
+        opensshcert_time_to_iso8601(BinarySink_UPCAST(error),
+                                    ck->valid_before);
         goto out;
     }