[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[or-cvs] flagday} Rotate TLS contexts as needed; set expiry times sa...



Update of /home/or/cvsroot/src/or
In directory moria.mit.edu:/tmp/cvs-serv31729/src/or

Modified Files:
      Tag: tor-0_0_6incompat
	main.c or.h router.c 
Log Message:
{flagday} Rotate TLS contexts as needed; set expiry times sanely.

Index: main.c
===================================================================
RCS file: /home/or/cvsroot/src/or/main.c,v
retrieving revision 1.240.2.2
retrieving revision 1.240.2.3
diff -u -d -r1.240.2.2 -r1.240.2.3
--- main.c	18 Apr 2004 03:20:29 -0000	1.240.2.2
+++ main.c	18 Apr 2004 23:27:02 -0000	1.240.2.3
@@ -337,6 +337,7 @@
 static void run_scheduled_events(time_t now) {
   static long time_to_fetch_directory = 0;
   static time_t last_uploaded_services = 0;
+  static time_t last_rotated_certificate = 0;
   int i;
 
 
@@ -354,7 +355,20 @@
     router_upload_dir_desc_to_dirservers();
   }
 
-  /* 1b. Every DirFetchPostPeriod seconds, we get a new directory and upload
+  /* 1b. Every MAX_LINK_KEY_LIFETIME seconds, we change our TLS context. */
+  if (!last_rotated_certificate)
+    last_rotated_certificate = now;
+  if (options.ORPort && last_rotated_certificate+MAX_SSL_KEY_LIFETIME < now) {
+    if (tor_tls_context_new(get_identity_key(), 1, options.Nickname,
+                            MAX_SSL_KEY_LIFETIME) < 0) {
+      log_fn(LOG_WARN, "Error reinitializing TLS context");
+    }
+    last_rotated_certificate = now;
+    /* XXXX We should rotate TLS connections as well; this code doesn't change
+     * XXXX them at all. */
+  }
+
+  /* 1c. Every DirFetchPostPeriod seconds, we get a new directory and upload
    *    our descriptor (if any). */
   if(time_to_fetch_directory < now) {
     /* it's time to fetch a new directory and/or post our descriptor */

Index: or.h
===================================================================
RCS file: /home/or/cvsroot/src/or/or.h,v
retrieving revision 1.319.2.2
retrieving revision 1.319.2.3
diff -u -d -r1.319.2.2 -r1.319.2.3
--- or.h	18 Apr 2004 03:20:29 -0000	1.319.2.2
+++ or.h	18 Apr 2004 23:27:02 -0000	1.319.2.3
@@ -110,6 +110,7 @@
 #endif
 
 #define MIN_ONION_KEY_LIFETIME (120*60)
+#define MAX_SSL_KEY_LIFETIME (120*60)
 
 #define CIRC_ID_TYPE_LOWER 0
 #define CIRC_ID_TYPE_HIGHER 1

Index: router.c
===================================================================
RCS file: /home/or/cvsroot/src/or/router.c,v
retrieving revision 1.26.2.2
retrieving revision 1.26.2.3
diff -u -d -r1.26.2.2 -r1.26.2.3
--- router.c	18 Apr 2004 03:20:30 -0000	1.26.2.2
+++ router.c	18 Apr 2004 23:27:02 -0000	1.26.2.3
@@ -151,7 +151,7 @@
   /* OP's don't need keys.  Just initialize the TLS context.*/
   if (!options.ORPort) {
     assert(!options.DirPort);
-    if (tor_tls_context_new(NULL, 0, NULL)<0) {
+    if (tor_tls_context_new(NULL, 0, NULL, 0)<0) {
       log_fn(LOG_ERR, "Error creating TLS context for OP.");
       return -1;
     }
@@ -185,7 +185,10 @@
   set_onion_key(prkey);
 
   /* 3. Initialize link key and TLS context. */
-  if (tor_tls_context_new(get_identity_key(), 1, options.Nickname) < 0) {
+  /* XXXX use actual rotation interval as cert lifetime, once we do
+   *  connection rotation. */
+  if (tor_tls_context_new(get_identity_key(), 1, options.Nickname,
+                          MAX_SSL_KEY_LIFETIME) < 0) {
     log_fn(LOG_ERR, "Error initializing TLS context");
     return -1;
   }