nihilist/tor
1
0
Fork 0
mirror of https://gitlab.torproject.org/tpo/core/tor.git synced 2024-11-10 21:23:58 +01:00
Code Issues Packages Projects Releases Wiki Activity

Change "warn if unverified routers are very skewed" to "never warn about unverified router skew"

Browse Source 
svn:r2885
This commit is contained in:
Nick Mathewson 2004-11-15 04:28:24 +00:00
parent f3650047df
commit 930464c889
1 changed files with 4 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
src/or/connection_or.c
View File

@ -15,9 +15,6 @@
/** How much clock skew do we tolerate when checking certificates for /** How much clock skew do we tolerate when checking certificates for
* known routers? (sec) */ * known routers? (sec) */
#define TIGHT_CERT_ALLOW_SKEW (90*60) #define TIGHT_CERT_ALLOW_SKEW (90*60)
/** How much clock skew do we tolerate when checking certificates for
* unknown routers/clients? (sec) */
#define LOOSE_CERT_ALLOW_SKEW (24*60*60)
static int connection_tls_finish_handshake(connection_t *conn); static int connection_tls_finish_handshake(connection_t *conn);
static int connection_or_process_cells_from_inbuf(connection_t *conn); static int connection_or_process_cells_from_inbuf(connection_t *conn);
@ -369,11 +366,13 @@ connection_tls_finish_handshake(connection_t *conn) {
nickname, conn->address, conn->port); nickname, conn->address, conn->port);
return -1; return -1;
} }
#if 0
if(tor_tls_check_lifetime(conn->tls, LOOSE_CERT_ALLOW_SKEW)<0) { if(tor_tls_check_lifetime(conn->tls, LOOSE_CERT_ALLOW_SKEW)<0) {
log_fn(LOG_WARN,"Other side '%s' (%s:%d) has a very highly skewed clock, or an expired certificate. Closing.", log_fn(LOG_WARN,"Other side '%s' (%s:%d) has a very highly skewed clock, or an expired certificate. Closing.",
nickname, conn->address, conn->port); nickname, conn->address, conn->port);
return -1; return -1;
} }
#endif
log_fn(LOG_DEBUG,"The router's cert is valid."); log_fn(LOG_DEBUG,"The router's cert is valid.");
crypto_pk_get_digest(identity_rcvd, digest_rcvd); crypto_pk_get_digest(identity_rcvd, digest_rcvd);
@ -394,7 +393,7 @@ connection_tls_finish_handshake(connection_t *conn) {
if (router_get_by_digest(digest_rcvd)) { if (router_get_by_digest(digest_rcvd)) {
/* This is a known router; don't cut it slack with its clock skew. */ /* This is a known router; don't cut it slack with its clock skew. */
if(tor_tls_check_lifetime(conn->tls, TIGHT_CERT_ALLOW_SKEW)<0) { if(tor_tls_check_lifetime(conn->tls, TIGHT_CERT_ALLOW_SKEW)<0) {
log_fn(LOG_WARN,"Router '%s' (%s:%d) has a skewed clock, or an expired certificate. Closing.", log_fn(LOG_WARN,"Router '%s' (%s:%d) has a skewed clock, or an expired certificate; or else our clock is skewed. Closing.",
nickname, conn->address, conn->port); nickname, conn->address, conn->port);
return -1; return -1;
} }