static tor_tls_context_t *tor_tls_context_new(crypto_pk_env_t *identity,
unsigned int key_lifetime,
int is_client);
-static int check_cert_lifetime_internal(const X509 *cert,
+static int check_cert_lifetime_internal(int severity, const X509 *cert,
int past_tolerance, int future_tolerance);
/** Global TLS contexts. We keep them here because nobody else needs
* the key is long enough. Return 1 if the cert is good, and 0 if it's bad or
* we couldn't check it. */
int
-tor_tls_cert_is_valid(const tor_cert_t *cert,
+tor_tls_cert_is_valid(int severity,
+ const tor_cert_t *cert,
const tor_cert_t *signing_cert,
int check_rsa_1024)
{
/* okay, the signature checked out right. Now let's check the check the
* lifetime. */
- if (check_cert_lifetime_internal(cert->cert, 48*60*60, 30*24*60*60) < 0)
+ if (check_cert_lifetime_internal(severity, cert->cert,
+ 48*60*60, 30*24*60*60) < 0)
return 0;
cert_key = X509_get_pubkey(cert->cert);
/** Warn that a certificate lifetime extends through a certain range. */
static void
-log_cert_lifetime(const X509 *cert, const char *problem)
+log_cert_lifetime(int severity, const X509 *cert, const char *problem)
{
BIO *bio = NULL;
BUF_MEM *buf;
struct tm tm;
if (problem)
- log_warn(LD_GENERAL,
- "Certificate %s: is your system clock set incorrectly?",
- problem);
+ log(severity, LD_GENERAL,
+ "Certificate %s. Either their clock is set wrong, or your clock "
+ "is wrong.",
+ problem);
if (!(bio = BIO_new(BIO_s_mem()))) {
log_warn(LD_GENERAL, "Couldn't allocate BIO!"); goto end;
strftime(mytime, 32, "%b %d %H:%M:%S %Y GMT", tor_gmtime_r(&now, &tm));
- log_warn(LD_GENERAL,
- "(certificate lifetime runs from %s through %s. Your time is %s.)",
- s1,s2,mytime);
+ log(severity, LD_GENERAL,
+ "(certificate lifetime runs from %s through %s. Your time is %s.)",
+ s1,s2,mytime);
end:
/* Not expected to get invoked */
* NOTE: you should call tor_tls_verify before tor_tls_check_lifetime.
*/
int
-tor_tls_check_lifetime(tor_tls_t *tls, int past_tolerance, int future_tolerance)
+tor_tls_check_lifetime(int severity, tor_tls_t *tls,
+ int past_tolerance, int future_tolerance)
{
X509 *cert;
int r = -1;
if (!(cert = SSL_get_peer_certificate(tls->ssl)))
goto done;
- if (check_cert_lifetime_internal(cert, past_tolerance, future_tolerance) < 0)
+ if (check_cert_lifetime_internal(severity, cert,
+ past_tolerance, future_tolerance) < 0)
goto done;
r = 0;
* <b>future_tolerance</b> seconds. If it is live, return 0. If it is not
* live, log a message and return -1. */
static int
-check_cert_lifetime_internal(const X509 *cert, int past_tolerance,
+check_cert_lifetime_internal(int severity, const X509 *cert, int past_tolerance,
int future_tolerance)
{
time_t now, t;
t = now + future_tolerance;
if (X509_cmp_time(X509_get_notBefore(cert), &t) > 0) {
- log_cert_lifetime(cert, "not yet valid");
+ log_cert_lifetime(severity, cert, "not yet valid");
return -1;
}
t = now - past_tolerance;
if (X509_cmp_time(X509_get_notAfter(cert), &t) < 0) {
- log_cert_lifetime(cert, "already expired");
+ log_cert_lifetime(severity, cert, "already expired");
return -1;
}
int tor_tls_peer_has_cert(tor_tls_t *tls);
tor_cert_t *tor_tls_get_peer_cert(tor_tls_t *tls);
int tor_tls_verify(int severity, tor_tls_t *tls, crypto_pk_env_t **identity);
-int tor_tls_check_lifetime(tor_tls_t *tls, int past_tolerance,
+int tor_tls_check_lifetime(int severity,
+ tor_tls_t *tls, int past_tolerance,
int future_tolerance);
int tor_tls_read(tor_tls_t *tls, char *cp, size_t len);
int tor_tls_write(tor_tls_t *tls, const char *cp, size_t n);
crypto_pk_env_t *tor_tls_get_my_client_auth_key(void);
crypto_pk_env_t *tor_tls_cert_get_key(tor_cert_t *cert);
int tor_tls_cert_matches_key(const tor_tls_t *tls, const tor_cert_t *cert);
-int tor_tls_cert_is_valid(const tor_cert_t *cert,
+int tor_tls_cert_is_valid(int severity,
+ const tor_cert_t *cert,
const tor_cert_t *signing_cert,
int check_rsa_1024);
if (! tor_tls_cert_matches_key(conn->tls, link_cert)) {
ERR("The link certificate didn't match the TLS public key");
}
- if (! tor_tls_cert_is_valid(link_cert, id_cert, 0))
+ if (! tor_tls_cert_is_valid(LOG_PROTOCOL_WARN, link_cert, id_cert, 0))
ERR("The link certificate was not valid");
- if (! tor_tls_cert_is_valid(id_cert, id_cert, 1))
+ if (! tor_tls_cert_is_valid(LOG_PROTOCOL_WARN, id_cert, id_cert, 1))
ERR("The ID certificate was not valid");
conn->handshake_state->authenticated = 1;
ERR("The certs we wanted were missing");
/* Remember these certificates so we can check an AUTHENTICATE cell */
- if (! tor_tls_cert_is_valid(auth_cert, id_cert, 1))
+ if (! tor_tls_cert_is_valid(LOG_PROTOCOL_WARN, auth_cert, id_cert, 1))
ERR("The authentication certificate was not valid");
- if (! tor_tls_cert_is_valid(id_cert, id_cert, 1))
+ if (! tor_tls_cert_is_valid(LOG_PROTOCOL_WARN, id_cert, id_cert, 1))
ERR("The ID certificate was not valid");
log_info(LD_OR, "Got some good certificates from %s:%d: "
projects / thirdparty / tor.git / commitdiff
