From: Roger Dingledine Date: Mon, 3 Jan 2005 17:10:32 +0000 (+0000) Subject: stop checking for clock skew, even for servers. X-Git-Tag: debian-version-0.0.9.2-1~29 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=70075933c65d606a1b4dd24bff88ae10becea87d;p=thirdparty%2Ftor.git stop checking for clock skew, even for servers. this means we are vulnerable to an attack where somebody recovers and uses a really old certificate. however, if they do that, they probably can get our identity key just as easily. svn:r3241
---
diff --git a/src/or/connection_or.c b/src/or/connection_or.c
index 3a68fb7873..3520bd2ffc 100644
--- a/src/or/connection_or.c
+++ b/src/or/connection_or.c
@@ -391,6 +391,7 @@ connection_tls_finish_handshake(connection_t *conn) {
 log_fn(LOG_WARN, "Identity key not as expected for router claiming to be '%s' (%s:%d) ", nickname, conn->address, conn->port);
 return -1;
 }
+#if 0
 if (router_get_by_digest(digest_rcvd)) {
 /* This is a known router; don't cut it slack with its clock skew. */
 if (tor_tls_check_lifetime(conn->tls, TIGHT_CERT_ALLOW_SKEW)<0) {
@@ -399,6 +400,7 @@ connection_tls_finish_handshake(connection_t *conn) {
 return -1;
 }
 }
+#endif
 if (connection_or_nonopen_was_started_here(conn)) {
 /* I initiated this connection. */
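Review bot: The `#if 0` added before `if (router_get_by_digest(digest_rcvd))` (closed by the `#endif` in the second hunk) leaves no trace in the code of why the `tor_tls_check_lifetime` call is compiled out or what that costs; the trade-off is recorded only in the commit message. With the block disabled, a known router presenting an expired or not-yet-valid certificate passes this point once the identity-key comparison above it succeeds, so the certificate lifetime no longer bounds how long a recovered certificate stays usable. I would put a comment on the `#if 0` line, for example `/* Certificate lifetime check disabled (clock skew): expired or not-yet-valid certs are accepted here. */`, and consider keeping the call as a warning-only log instead of removing it outright, so operators can still see stale certificates on incoming and outgoing connections. The body of connection_tls_finish_handshake starts and ends outside these hunks, and the lines between the two hunks are not shown, so the exact shape of the skipped branch is inferred.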