[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
[or-cvs] Split X509 certificate liveness checks into a separate func...
- To: or-cvs@freehaven.net
- Subject: [or-cvs] Split X509 certificate liveness checks into a separate func...
- From: nickm@seul.org (Nick Mathewson)
- Date: Sun, 14 Nov 2004 17:07:50 -0500 (EST)
- Delivered-to: archiver@seul.org
- Delivered-to: or-cvs-outgoing@seul.org
- Delivered-to: or-cvs@seul.org
- Delivery-date: Sun, 14 Nov 2004 17:08:12 -0500
- Reply-to: or-dev@freehaven.net
- Sender: owner-or-cvs@freehaven.net
Update of /home/or/cvsroot/tor/src/common
In directory moria.mit.edu:/tmp/cvs-serv17546/src/common
Modified Files:
tortls.c tortls.h
Log Message:
Split X509 certificate liveness checks into a separate function
Index: tortls.c
===================================================================
RCS file: /home/or/cvsroot/tor/src/common/tortls.c,v
retrieving revision 1.74
retrieving revision 1.75
diff -u -d -r1.74 -r1.75
--- tortls.c 9 Nov 2004 20:04:00 -0000 1.74
+++ tortls.c 14 Nov 2004 22:07:48 -0000 1.75
@@ -30,8 +30,6 @@
/** How long do identity certificates live? (sec) */
#define IDENTITY_CERT_LIFETIME (365*24*60*60)
-/** How much clock skew do we tolerate when checking certificates? (sec) */
-#define CERT_ALLOW_SKEW (90*60)
typedef struct tor_tls_context_st {
SSL_CTX *ctx;
@@ -678,7 +676,6 @@
EVP_PKEY *id_pkey = NULL;
RSA *rsa;
int num_in_chain;
- time_t now, t;
int r = -1, i;
*identity_key = NULL;
@@ -708,18 +705,6 @@
goto done;
}
- now = time(NULL);
- t = now + CERT_ALLOW_SKEW;
- if (X509_cmp_time(X509_get_notBefore(cert), &t) > 0) {
- log_cert_lifetime(cert, "not yet valid");
- goto done;
- }
- t = now - CERT_ALLOW_SKEW;
- if (X509_cmp_time(X509_get_notAfter(cert), &t) < 0) {
- log_cert_lifetime(cert, "already expired");
- goto done;
- }
-
if (!(id_pkey = X509_get_pubkey(id_cert)) ||
X509_verify(cert, id_pkey) <= 0) {
log_fn(LOG_WARN,"X509_verify on cert and pkey returned <= 0");
@@ -747,6 +732,44 @@
return r;
}
+/** Check whether the certificate set on the connection <b>tls</b> is
+ * expired or not-yet-valid, give or take <b>tolerance</b>
+ * seconds. Return 0 for valid, -1 for failure.
+ *
+ * NOTE: you should call tor_tls_verify before tor_tls_check_lifetime.
+ */
+int
+tor_tls_check_lifetime(tor_tls *tls, int tolerance)
+{
+ time_t now, t;
+ X509 *cert;
+ int r = -1;
+
+ now = time(NULL);
+
+ if (!(cert = SSL_get_peer_certificate(tls->ssl)))
+ goto done;
+
+ t = now + tolerance;
+ if (X509_cmp_time(X509_get_notBefore(cert), &t) > 0) {
+ log_cert_lifetime(cert, "not yet valid");
+ goto done;
+ }
+ t = now - tolerance;
+ if (X509_cmp_time(X509_get_notAfter(cert), &t) < 0) {
+ log_cert_lifetime(cert, "already expired");
+ goto done;
+ }
+
+ r = 0;
+ done:
+ if (cert)
+ X509_free(cert);
+
+ return r;
+}
+
+
/** Return the number of bytes available for reading from <b>tls</b>.
*/
int
Index: tortls.h
===================================================================
RCS file: /home/or/cvsroot/tor/src/common/tortls.h,v
retrieving revision 1.19
retrieving revision 1.20
diff -u -d -r1.19 -r1.20
--- tortls.h 14 Oct 2004 02:48:57 -0000 1.19
+++ tortls.h 14 Nov 2004 22:07:48 -0000 1.20
@@ -29,6 +29,7 @@
int tor_tls_peer_has_cert(tor_tls *tls);
int tor_tls_get_peer_cert_nickname(tor_tls *tls, char *buf, size_t buflen);
int tor_tls_verify(tor_tls *tls, crypto_pk_env_t **identity);
+int tor_tls_check_lifetime(tor_tls *tls, int tolerance);
int tor_tls_read(tor_tls *tls, char *cp, size_t len);
int tor_tls_write(tor_tls *tls, char *cp, size_t n);
int tor_tls_handshake(tor_tls *tls);