[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
[or-cvs] flagday} Rotate TLS contexts as needed; set expiry times sa...
- To: or-cvs@freehaven.net
- Subject: [or-cvs] flagday} Rotate TLS contexts as needed; set expiry times sa...
- From: nickm@seul.org (Nick Mathewson)
- Date: Sun, 18 Apr 2004 19:27:05 -0400 (EDT)
- Delivered-to: archiver@seul.org
- Delivered-to: or-cvs-outgoing@seul.org
- Delivered-to: or-cvs@seul.org
- Delivery-date: Sun, 18 Apr 2004 19:27:30 -0400
- Reply-to: or-dev@freehaven.net
- Sender: owner-or-cvs@freehaven.net
Update of /home/or/cvsroot/src/or
In directory moria.mit.edu:/tmp/cvs-serv31729/src/or
Modified Files:
Tag: tor-0_0_6incompat
main.c or.h router.c
Log Message:
{flagday} Rotate TLS contexts as needed; set expiry times sanely.
Index: main.c
===================================================================
RCS file: /home/or/cvsroot/src/or/main.c,v
retrieving revision 1.240.2.2
retrieving revision 1.240.2.3
diff -u -d -r1.240.2.2 -r1.240.2.3
--- main.c 18 Apr 2004 03:20:29 -0000 1.240.2.2
+++ main.c 18 Apr 2004 23:27:02 -0000 1.240.2.3
@@ -337,6 +337,7 @@
static void run_scheduled_events(time_t now) {
static long time_to_fetch_directory = 0;
static time_t last_uploaded_services = 0;
+ static time_t last_rotated_certificate = 0;
int i;
@@ -354,7 +355,20 @@
router_upload_dir_desc_to_dirservers();
}
- /* 1b. Every DirFetchPostPeriod seconds, we get a new directory and upload
+ /* 1b. Every MAX_LINK_KEY_LIFETIME seconds, we change our TLS context. */
+ if (!last_rotated_certificate)
+ last_rotated_certificate = now;
+ if (options.ORPort && last_rotated_certificate+MAX_SSL_KEY_LIFETIME < now) {
+ if (tor_tls_context_new(get_identity_key(), 1, options.Nickname,
+ MAX_SSL_KEY_LIFETIME) < 0) {
+ log_fn(LOG_WARN, "Error reinitializing TLS context");
+ }
+ last_rotated_certificate = now;
+ /* XXXX We should rotate TLS connections as well; this code doesn't change
+ * XXXX them at all. */
+ }
+
+ /* 1c. Every DirFetchPostPeriod seconds, we get a new directory and upload
* our descriptor (if any). */
if(time_to_fetch_directory < now) {
/* it's time to fetch a new directory and/or post our descriptor */
Index: or.h
===================================================================
RCS file: /home/or/cvsroot/src/or/or.h,v
retrieving revision 1.319.2.2
retrieving revision 1.319.2.3
diff -u -d -r1.319.2.2 -r1.319.2.3
--- or.h 18 Apr 2004 03:20:29 -0000 1.319.2.2
+++ or.h 18 Apr 2004 23:27:02 -0000 1.319.2.3
@@ -110,6 +110,7 @@
#endif
#define MIN_ONION_KEY_LIFETIME (120*60)
+#define MAX_SSL_KEY_LIFETIME (120*60)
#define CIRC_ID_TYPE_LOWER 0
#define CIRC_ID_TYPE_HIGHER 1
Index: router.c
===================================================================
RCS file: /home/or/cvsroot/src/or/router.c,v
retrieving revision 1.26.2.2
retrieving revision 1.26.2.3
diff -u -d -r1.26.2.2 -r1.26.2.3
--- router.c 18 Apr 2004 03:20:30 -0000 1.26.2.2
+++ router.c 18 Apr 2004 23:27:02 -0000 1.26.2.3
@@ -151,7 +151,7 @@
/* OP's don't need keys. Just initialize the TLS context.*/
if (!options.ORPort) {
assert(!options.DirPort);
- if (tor_tls_context_new(NULL, 0, NULL)<0) {
+ if (tor_tls_context_new(NULL, 0, NULL, 0)<0) {
log_fn(LOG_ERR, "Error creating TLS context for OP.");
return -1;
}
@@ -185,7 +185,10 @@
set_onion_key(prkey);
/* 3. Initialize link key and TLS context. */
- if (tor_tls_context_new(get_identity_key(), 1, options.Nickname) < 0) {
+ /* XXXX use actual rotation interval as cert lifetime, once we do
+ * connection rotation. */
+ if (tor_tls_context_new(get_identity_key(), 1, options.Nickname,
+ MAX_SSL_KEY_LIFETIME) < 0) {
log_fn(LOG_ERR, "Error initializing TLS context");
return -1;
}