parameterize SSLKeyLifetime

no actual changes in behavior yet
2024-11-10 21:23:58 +01:00 · 2013-03-09 16:42:35 -05:00 · 2013-03-09 16:42:35 -05:00 · 599aeef9bc
commit 599aeef9bc
parent e270a066a6
3 changed files with 9 additions and 4 deletions
--- a/src/or/config.c
+++ b/src/or/config.c
@ -380,6 +380,7 @@ static config_var_t option_vars_[] = {
  V(SocksPolicy,                 LINELIST, NULL),
  VPORT(SocksPort,                   LINELIST, NULL),
  V(SocksTimeout,                INTERVAL, "2 minutes"),
+  V(SSLKeyLifetime,              INTERVAL, "365 days"),
  OBSOLETE("StatusFetchPeriod"),
  V(StrictNodes,                 BOOL,     "0"),
  OBSOLETE("SysLog"),
--- a/src/or/or.h
+++ b/src/or/or.h
@ -177,8 +177,6 @@
 #define MIN_ONION_KEY_LIFETIME (7*24*60*60)
 /** How often do we rotate TLS contexts? */
 #define MAX_SSL_KEY_LIFETIME_INTERNAL (2*60*60)
-/** What expiry time shall we place on our SSL certs? */
-#define MAX_SSL_KEY_LIFETIME_ADVERTISED (365*24*60*60)

 /** How old do we allow a router to get before removing it
 * from the router list? In seconds. */
@ -4010,6 +4008,9 @@ typedef struct {
   */
  int DisableV2DirectoryInfo_;

+  /** What expiry time shall we place on our SSL certs? */
+  int SSLKeyLifetime;
+
 } or_options_t;

 /** Persistent state for an onion router, as saved to disk. */
--- a/src/or/router.c
+++ b/src/or/router.c
@ -650,6 +650,7 @@ router_initialize_tls_context(void)
 {
  unsigned int flags = 0;
  const or_options_t *options = get_options();
+  int lifetime = options->SSLKeyLifetime;
  if (public_server_mode(options))
    flags |= TOR_TLS_CTX_IS_PUBLIC_SERVER;
  if (options->TLSECGroup) {
@ -659,11 +660,13 @@ router_initialize_tls_context(void)
      flags |= TOR_TLS_CTX_USE_ECDHE_P224;
  }

+  /* It's ok to pass lifetime in as an unsigned int, since
+   * config_parse_interval() checked it. */
  return tor_tls_context_init(flags,
                              get_tlsclient_identity_key(),
-                              server_mode(get_options()) ?
+                              server_mode(options) ?
                              get_server_identity_key() : NULL,
-                              MAX_SSL_KEY_LIFETIME_ADVERTISED);
+                              (unsigned int)lifetime);
 }

 /** Initialize all OR private keys, and the TLS context, as necessary.