Allow more clock skew from unrecognized hosts than from recognized ones.
authorNick Mathewson <nickm@torproject.org>
Sun, 14 Nov 2004 22:08:25 +0000 (22:08 +0000)
committerNick Mathewson <nickm@torproject.org>
Sun, 14 Nov 2004 22:08:25 +0000 (22:08 +0000)
svn:r2874

doc/TODO
src/or/connection_or.c

index 5bd7dae1121ab23b58972e4cf6abc8580d24e510..22704d36ea1a09febe0c08b1f59229cd1df00752 100644 (file)
--- a/doc/TODO
+++ b/doc/TODO
@@ -11,7 +11,7 @@ ARMA    - arma claims
         X Abandoned
 
 0.0.9pre6:
-N  - clients now have certs, which means we warn when their certs have
+   o clients now have certs, which means we warn when their certs have
      incorrect times. we need to stop that.
    - Oct 20 16:45:10.237 [warn] parse_addr_port(): Port '0' out of range
    o clean up parse_*_policy code
index a5aaeac29e5e0a8cc71ce0a68871c4eb364b5c8d..ca3edd536af4c715de35e6406f0799f8aa6e2768 100644 (file)
 
 #include "or.h"
 
+/** How much clock skew do we tolerate when checking certificates for
+ * known routers? (sec) */
+#define TIGHT_CERT_ALLOW_SKEW (90*60)
+/** How much clock skew do we tolerate when checking certificates for
+ * unknown routers/clients? (sec) */
+#define LOOSE_CERT_ALLOW_SKEW (24*60*60)
+
 static int connection_tls_finish_handshake(connection_t *conn);
 static int connection_or_process_cells_from_inbuf(connection_t *conn);
 
@@ -362,6 +369,11 @@ connection_tls_finish_handshake(connection_t *conn) {
            nickname, conn->address, conn->port);
     return -1;
   }
+  if(tor_tls_check_lifetime(conn->tls, LOOSE_CERT_ALLOW_SKEW)<0) {
+    log_fn(LOG_WARN,"Other side '%s' (%s:%d) has a very highly skewed clock, or an expired certificate. Closing.",
+           nickname, conn->address, conn->port);
+    return -1;
+  }
   log_fn(LOG_DEBUG,"The router's cert is valid.");
   crypto_pk_get_digest(identity_rcvd, digest_rcvd);
 
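Review bot: The added `tor_tls_check_lifetime(conn->tls, LOOSE_CERT_ALLOW_SKEW)` check runs for every peer before its identity digest is computed, so the 24-hour value also bounds how long past expiry a certificate is still accepted, not only how much clock skew is forgiven. Nothing at the call site says that known routers are checked again with the tighter bound further down, so a reader can take the loose value for the final policy. I would add a comment above the check, for example `/* Loose bound for every peer; known routers are re-checked with TIGHT_CERT_ALLOW_SKEW once digest_rcvd is known. */`. The warning is logged at LOG_WARN for any remote peer and prints `nickname`, which presumably comes from the peer's certificate; it is worth confirming that the name is validated before this point, which the hunk does not show. connection_tls_finish_handshake starts and ends outside the hunk.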
@@ -379,6 +391,14 @@ connection_tls_finish_handshake(connection_t *conn) {
     log_fn(LOG_WARN, "Identity key not as expected for %s", nickname);
     return -1;
   }
+  if (router_get_by_digest(digest_rcvd)) {
+    /* This is a known router; don't cut it slack with its clock skew. */
+    if(tor_tls_check_lifetime(conn->tls, TIGHT_CERT_ALLOW_SKEW)<0) {
+      log_fn(LOG_WARN,"Router '%s' (%s:%d) has a skewed clock, or an expired certificate. Closing.",
+             nickname, conn->address, conn->port);
+      return -1;
+    }
+  }
 
   if (connection_or_nonopen_was_started_here(conn)) {
     /* I initiated this connection. */
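Review bot: The tight bound is applied only when `router_get_by_digest(digest_rcvd)` returns an entry, so a relay that is missing from the local router list is silently held to the 24-hour bound instead. The stricter check therefore depends on how current the local list is, and nothing is logged when the fallback happens. A debug line in the other branch would make that visible: `else { log_fn(LOG_DEBUG,"Peer '%s' is not a known router; loose cert skew bound applies.", nickname); }`. As a style point, the inner `if(tor_tls_check_lifetime(` is spaced differently from the `if (router_get_by_digest(` on the line above it. The function continues outside the hunk.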