Merge branch 'bug21420_029_squashed' into maint-0.3.0

This commit is contained in:
Nick Mathewson 2017-02-27 11:20:39 -05:00
commit 6747c62386
2 changed files with 19 additions and 3 deletions

3
changes/bug21420 Normal file
View File

@ -0,0 +1,3 @@
o Minor bugfixes (certificate expiration time):
- Avoid using link certificates that don't become valid till
some time in the future. Fixes bug 21420; bugfix on 0.2.4.11-alpha

View File

@ -483,8 +483,22 @@ MOCK_IMPL(STATIC X509 *,
* then we might pick a time where we're about to expire. Lastly, be
* sure to start on a day boundary. */
time_t now = time(NULL);
start_time = crypto_rand_time_range(now - cert_lifetime, now) + 2*24*3600;
start_time -= start_time % (24*3600);
/* Our certificate lifetime will be cert_lifetime no matter what, but if we
* start cert_lifetime in the past, we'll have 0 real lifetime. instead we
* start up to (cert_lifetime - min_real_lifetime - start_granularity) in
* the past. */
const time_t min_real_lifetime = 24*3600;
const time_t start_granularity = 24*3600;
time_t earliest_start_time = now - cert_lifetime + min_real_lifetime
+ start_granularity;
/* Don't actually start in the future! */
if (earliest_start_time >= now)
earliest_start_time = now - 1;
start_time = crypto_rand_time_range(earliest_start_time, now);
/* Round the start time back to the start of a day. */
start_time -= start_time % start_granularity;
end_time = start_time + cert_lifetime;
tor_assert(rsa);
tor_assert(cname);
@ -518,7 +532,6 @@ MOCK_IMPL(STATIC X509 *,
if (!X509_time_adj(X509_get_notBefore(x509),0,&start_time))
goto error;
end_time = start_time + cert_lifetime;
if (!X509_time_adj(X509_get_notAfter(x509),0,&end_time))
goto error;
if (!X509_set_pubkey(x509, pkey))