From 9334c9fd5d56ad39c7e3dc7a38d9ca4e3817bb29 Mon Sep 17 00:00:00 2001
From: nnposter
Date: Thu, 24 Dec 2020 00:35:38 +0000
Subject: [PATCH] Ncat certs should last for one year
Old Ncat versions were using one year but during OpenSSL API refresh (r36533), the duration was accidentally changed to one minute by copying Ncat test code from ncat/test/test-wildcard.c
Fixes #2167, closes #2168
---
 CHANGELOG | 4 ++++
 ncat/ncat_ssl.c | 2 +-
 2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/CHANGELOG b/CHANGELOG
index 38a8db662..e25775853 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -31,6 +31,10 @@ o New UDP payloads:
 o [Ncat][GH#2154] Ncat no longer crashes when used with Unix domain sockets.
+o [Ncat][GH#2167][GH#2168] Ncat is now again generating certificates
+ with the duration of one year. Due to a bug, recent versions of Ncat were
+ using only one minute. [Tobias Girstmair]
+
 o [NSE][GH#2174] Script hostmap-crtsh got improved in several ways. The most visible are that certificate SANs are properly split apart and that identities that are syntactically incorrect to be hostnames are now ignored.
diff --git a/ncat/ncat_ssl.c b/ncat/ncat_ssl.c
index dc1db31bb..093c35403 100644
--- a/ncat/ncat_ssl.c
+++ b/ncat/ncat_ssl.c
@@ -530,7 +530,7 @@ static int ssl_gen_cert(X509 **cert, EVP_PKEY **key)
 || X509_gmtime_adj(tb, 0) == 0
 || X509_set1_notBefore(*cert, tb) == 0
 || (ta = ASN1_STRING_dup(X509_get0_notAfter(*cert))) == 0
- || X509_gmtime_adj(ta, 60) == 0
+ || X509_gmtime_adj(ta, DEFAULT_CERT_DURATION) == 0
 || X509_set1_notAfter(*cert, ta) == 0
 || X509_set_pubkey(*cert, *key) == 0) {
 ASN1_STRING_free(tb);
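Review bot: The added `X509_gmtime_adj(ta, DEFAULT_CERT_DURATION)` line depends on the macro being expressed in seconds, because X509_gmtime_adj takes a `long` offset in seconds, yet nothing at the use site says so and the very bug being fixed was a literal/unit slip, so a comment on that line such as `/* DEFAULT_CERT_DURATION is in seconds (one year); X509_gmtime_adj expects seconds */` would make a regression harder. The patch adds no definition of DEFAULT_CERT_DURATION (the diffstat shows a single inserted line in ncat_ssl.c), so it is presumably already defined earlier in the file or a header; it is worth confirming that it really is the one-year value the CHANGELOG entry promises. Separately, the first context line pins notBefore to exactly now with `X509_gmtime_adj(tb, 0)`, so a peer whose clock lags even slightly will reject the freshly minted certificate as not yet valid; a small backdate along the lines of `X509_gmtime_adj(tb, -300)` is a common mitigation for self-signed ephemeral certs. ssl_gen_cert begins and ends outside the hunk, so the cleanup of `ta` on the failure path cannot be checked here.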