Allow up to a 30 days future skew, 48 hours past skew in certs.

Nick Mathewson 2011-11-14 22:21:45 -05:00
parent 26fcb4bb8c
commit 87622e4c7e
3 changed files with 21 additions and 15 deletions

3
changes/bug4371 Normal file

@ -0,0 +1,3 @@
o Minor bugfixes:
- Tolerate servers with more clock skew than previously. Fixes bug 4371;
bugfix on 0.2.3.6-alpha.


@ -212,7 +212,8 @@ static int tor_tls_context_init_one(tor_tls_context_t **ppcontext,
static tor_tls_context_t *tor_tls_context_new(crypto_pk_env_t *identity, static tor_tls_context_t *tor_tls_context_new(crypto_pk_env_t *identity,
unsigned int key_lifetime, unsigned int key_lifetime,
int is_client); int is_client);
static int check_cert_lifetime_internal(const X509 *cert, int tolerance); static int check_cert_lifetime_internal(const X509 *cert,
int past_tolerance, int future_tolerance);
/** Global TLS contexts. We keep them here because nobody else needs /** Global TLS contexts. We keep them here because nobody else needs
* to touch them. */ * to touch them. */
@ -960,8 +961,7 @@ tor_tls_cert_is_valid(const tor_cert_t *cert,
/* okay, the signature checked out right. Now let's check the check the /* okay, the signature checked out right. Now let's check the check the
* lifetime. */ * lifetime. */
/*XXXX tolerance might be iffy here */ if (check_cert_lifetime_internal(cert->cert, 48*60*60, 30*24*60*60) < 0)
if (check_cert_lifetime_internal(cert->cert, 60*60) < 0)
return 0; return 0;
cert_key = X509_get_pubkey(cert->cert); cert_key = X509_get_pubkey(cert->cert);
@ -2062,14 +2062,14 @@ tor_tls_verify(int severity, tor_tls_t *tls, crypto_pk_env_t **identity_key)
return r; return r;
} }
/** Check whether the certificate set on the connection <b>tls</b> is /** Check whether the certificate set on the connection <b>tls</b> is expired
* expired or not-yet-valid, give or take <b>tolerance</b> * give or take <b>past_tolerance</b> seconds, or not-yet-valid give or take
* seconds. Return 0 for valid, -1 for failure. * <b>future_tolerance</b> seconds. Return 0 for valid, -1 for failure.
* *
* NOTE: you should call tor_tls_verify before tor_tls_check_lifetime. * NOTE: you should call tor_tls_verify before tor_tls_check_lifetime.
*/ */
int int
tor_tls_check_lifetime(tor_tls_t *tls, int tolerance) tor_tls_check_lifetime(tor_tls_t *tls, int past_tolerance, int future_tolerance)
{ {
X509 *cert; X509 *cert;
int r = -1; int r = -1;
@ -2077,7 +2077,7 @@ tor_tls_check_lifetime(tor_tls_t *tls, int tolerance)
if (!(cert = SSL_get_peer_certificate(tls->ssl))) if (!(cert = SSL_get_peer_certificate(tls->ssl)))
goto done; goto done;
if (check_cert_lifetime_internal(cert, tolerance) < 0) if (check_cert_lifetime_internal(cert, past_tolerance, future_tolerance) < 0)
goto done; goto done;
r = 0; r = 0;
@ -2090,22 +2090,24 @@ tor_tls_check_lifetime(tor_tls_t *tls, int tolerance)
return r; return r;
} }
/** Helper: check whether <b>cert</b> is currently live, give or take /** Helper: check whether <b>cert</b> is expired give or take
* <b>tolerance</b> seconds. If it is live, return 0. If it is not live, * <b>past_tolerance</b> seconds, or not-yet-valid give or take
* log a message and return -1. */ * <b>future_tolerance</b> seconds. If it is live, return 0. If it is not
* live, log a message and return -1. */
static int static int
check_cert_lifetime_internal(const X509 *cert, int tolerance) check_cert_lifetime_internal(const X509 *cert, int past_tolerance,
int future_tolerance)
{ {
time_t now, t; time_t now, t;
now = time(NULL); now = time(NULL);
t = now + tolerance; t = now + future_tolerance;
if (X509_cmp_time(X509_get_notBefore(cert), &t) > 0) { if (X509_cmp_time(X509_get_notBefore(cert), &t) > 0) {
log_cert_lifetime(cert, "not yet valid"); log_cert_lifetime(cert, "not yet valid");
return -1; return -1;
} }
t = now - tolerance; t = now - past_tolerance;
if (X509_cmp_time(X509_get_notAfter(cert), &t) < 0) { if (X509_cmp_time(X509_get_notAfter(cert), &t) < 0) {
log_cert_lifetime(cert, "already expired"); log_cert_lifetime(cert, "already expired");
return -1; return -1;
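Review bot: Both comparisons in check_cert_lifetime_internal accept an X509_cmp_time() result of 0, which OpenSSL documents as its error return, so a certificate whose notBefore or notAfter cannot be parsed passes the lifetime check whatever tolerances are passed. Rejecting the error case too would make the check fail closed: `if (X509_cmp_time(X509_get_notBefore(cert), &t) >= 0) {` and `if (X509_cmp_time(X509_get_notAfter(cert), &t) <= 0) {`. Separately, the call in tor_tls_cert_is_valid passes bare `48*60*60, 30*24*60*60`; named constants with a comment on why an expired certificate is still accepted for 48 hours would keep the rationale next to the numbers now that the `XXXX` marker is gone. The function body continues past the end of this hunk, so the remainder was not reviewed.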


@ -68,7 +68,8 @@ void tor_tls_free(tor_tls_t *tls);
int tor_tls_peer_has_cert(tor_tls_t *tls); int tor_tls_peer_has_cert(tor_tls_t *tls);
tor_cert_t *tor_tls_get_peer_cert(tor_tls_t *tls); tor_cert_t *tor_tls_get_peer_cert(tor_tls_t *tls);
int tor_tls_verify(int severity, tor_tls_t *tls, crypto_pk_env_t **identity); int tor_tls_verify(int severity, tor_tls_t *tls, crypto_pk_env_t **identity);
int tor_tls_check_lifetime(tor_tls_t *tls, int tolerance); int tor_tls_check_lifetime(tor_tls_t *tls, int past_tolerance,
int future_tolerance);
int tor_tls_read(tor_tls_t *tls, char *cp, size_t len); int tor_tls_read(tor_tls_t *tls, char *cp, size_t len);
int tor_tls_write(tor_tls_t *tls, const char *cp, size_t n); int tor_tls_write(tor_tls_t *tls, const char *cp, size_t n);
int tor_tls_handshake(tor_tls_t *tls); int tor_tls_handshake(tor_tls_t *tls);
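Review bot: The new prototype of tor_tls_check_lifetime takes two adjacent `int` tolerances with opposite meanings, and nothing in the header says which is which or what unit they use, so a call with the arguments swapped compiles cleanly. With values like those passed in tor_tls_cert_is_valid, a swap would widen the accepted expiry window from 48 hours to 30 days. A one-line comment above the declaration would help, for example `/* Tolerances are in seconds: past_tolerance applies to notAfter, future_tolerance to notBefore. */`. Callers outside the three files in this commit are not visible here; any that still pass a single tolerance would need updating.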