From b760a2a040f7fcb043d6a8d21ed25d0dd9379818 Mon Sep 17 00:00:00 2001
From: Jacob Nevins <jacobn@chiark.greenend.org.uk>
Date: Sat, 5 Nov 2022 23:55:13 +0000
Subject: [PATCH] Use correct date in cert check error.

When a host certificate was used outside its valid date range, we were
displaying the current time where we meant to show the relevant bound of
the validity range.

(cherry picked from commit 68db3d195d00e3f3904a7e004a4efd00fd303efb)
---
 crypto/openssh-certs.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/crypto/openssh-certs.c b/crypto/openssh-certs.c
index cf0c2af3..4cd984e8 100644
--- a/crypto/openssh-certs.c
+++ b/crypto/openssh-certs.c
@@ -1033,12 +1033,14 @@ static bool opensshcert_check_cert(
      */
     if (time < ck->valid_after) {
         put_fmt(error, "Certificate is not valid until ");
-        opensshcert_time_to_iso8601(BinarySink_UPCAST(error), time);
+        opensshcert_time_to_iso8601(BinarySink_UPCAST(error),
+                                    ck->valid_after);
         goto out;
     }
     if (time >= ck->valid_before) {
         put_fmt(error, "Certificate expired at ");
-        opensshcert_time_to_iso8601(BinarySink_UPCAST(error), time);
+        opensshcert_time_to_iso8601(BinarySink_UPCAST(error),
+                                    ck->valid_before);
         goto out;
     }