[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[or-cvs] r17208: {tor} patch from karsten to not use or accept expired certs. fixes (in tor/trunk: . src/or)



Author: nickm
Date: 2008-11-07 08:38:49 -0500 (Fri, 07 Nov 2008)
New Revision: 17208

Modified:
   tor/trunk/ChangeLog
   tor/trunk/src/or/dirvote.c
   tor/trunk/src/or/networkstatus.c
Log:
patch from karsten to not use or accept expired certs. fixes bug 851. 

Modified: tor/trunk/ChangeLog
===================================================================
--- tor/trunk/ChangeLog	2008-11-07 05:11:41 UTC (rev 17207)
+++ tor/trunk/ChangeLog	2008-11-07 13:38:49 UTC (rev 17208)
@@ -12,6 +12,8 @@
       detailed logging on credential switching, set CREDENTIAL_LOG_LEVEL
       in common/compat.c to LOG_NOTICE or higher. Patch by Jacob Appelbaum
       and Steven Murdoch.
+    - Do not use or believe expired certificates.  Patch from Karsten.
+      Fixes bug 851.
 
   o Minor features:
     - Now NodeFamily and MyFamily config options allow spaces in

Modified: tor/trunk/src/or/dirvote.c
===================================================================
--- tor/trunk/src/or/dirvote.c	2008-11-07 05:11:41 UTC (rev 17207)
+++ tor/trunk/src/or/dirvote.c	2008-11-07 13:38:49 UTC (rev 17208)
@@ -1568,6 +1568,7 @@
   networkstatus_t *ns;
   char *contents;
   pending_vote_t *pending_vote;
+  time_t now = time(NULL);
 
   int status;
   const char *msg = "";
@@ -1575,6 +1576,9 @@
   if (!cert || !key) {
     log_warn(LD_NET, "Didn't find key/certificate to generate v3 vote");
     return -1;
+  } else if (now < cert->expires) {
+    log_warn(LD_NET, "Can't generate v3 vote with expired certificate");
+    return -1;
   }
   if (!(ns = dirserv_generate_networkstatus_vote_obj(key, cert)))
     return -1;

Modified: tor/trunk/src/or/networkstatus.c
===================================================================
--- tor/trunk/src/or/networkstatus.c	2008-11-07 05:11:41 UTC (rev 17207)
+++ tor/trunk/src/or/networkstatus.c	2008-11-07 13:38:49 UTC (rev 17208)
@@ -387,6 +387,7 @@
   smartlist_t *unrecognized = smartlist_create();
   smartlist_t *missing_authorities = smartlist_create();
   int severity;
+  time_t now = time(NULL);
 
   tor_assert(consensus->type == NS_TYPE_CONSENSUS);
 
@@ -403,7 +404,7 @@
         smartlist_add(unrecognized, voter);
         ++n_unknown;
         continue;
-      } else if (!cert) {
+      } else if (!cert || now > cert->expires) {
         smartlist_add(need_certs_from, voter);
         ++n_missing_key;
         continue;