diff --git a/src/common/tortls.c b/src/common/tortls.c index a881ac575b..001c9c054e 100644 --- a/src/common/tortls.c +++ b/src/common/tortls.c @@ -30,8 +30,6 @@ /** How long do identity certificates live? (sec) */ #define IDENTITY_CERT_LIFETIME (365*24*60*60) -/** How much clock skew do we tolerate when checking certificates? (sec) */ -#define CERT_ALLOW_SKEW (90*60) typedef struct tor_tls_context_st { SSL_CTX *ctx; @@ -678,7 +676,6 @@ tor_tls_verify(tor_tls *tls, crypto_pk_env_t **identity_key) EVP_PKEY *id_pkey = NULL; RSA *rsa; int num_in_chain; - time_t now, t; int r = -1, i; *identity_key = NULL; @@ -708,18 +705,6 @@ tor_tls_verify(tor_tls *tls, crypto_pk_env_t **identity_key) goto done; } - now = time(NULL); - t = now + CERT_ALLOW_SKEW; - if (X509_cmp_time(X509_get_notBefore(cert), &t) > 0) { - log_cert_lifetime(cert, "not yet valid"); - goto done; - } - t = now - CERT_ALLOW_SKEW; - if (X509_cmp_time(X509_get_notAfter(cert), &t) < 0) { - log_cert_lifetime(cert, "already expired"); - goto done; - } - if (!(id_pkey = X509_get_pubkey(id_cert)) || X509_verify(cert, id_pkey) <= 0) { log_fn(LOG_WARN,"X509_verify on cert and pkey returned <= 0"); @@ -747,6 +732,44 @@ tor_tls_verify(tor_tls *tls, crypto_pk_env_t **identity_key) return r; } +/** Check whether the certificate set on the connection tls is + * expired or not-yet-valid, give or take tolerance + * seconds. Return 0 for valid, -1 for failure. + * + * NOTE: you should call tor_tls_verify before tor_tls_check_lifetime. + */ +int +tor_tls_check_lifetime(tor_tls *tls, int tolerance) +{ + time_t now, t; + X509 *cert; + int r = -1; + + now = time(NULL); + + if (!(cert = SSL_get_peer_certificate(tls->ssl))) + goto done; + + t = now + tolerance; + if (X509_cmp_time(X509_get_notBefore(cert), &t) > 0) { + log_cert_lifetime(cert, "not yet valid"); + goto done; + } + t = now - tolerance; + if (X509_cmp_time(X509_get_notAfter(cert), &t) < 0) { + log_cert_lifetime(cert, "already expired"); + goto done; + } + + r = 0; + done: + if (cert) + X509_free(cert); + + return r; +} + + /** Return the number of bytes available for reading from tls. */ int diff --git a/src/common/tortls.h b/src/common/tortls.h index 9b7e24d7f9..ff2d69e1de 100644 --- a/src/common/tortls.h +++ b/src/common/tortls.h @@ -29,6 +29,7 @@ void tor_tls_free(tor_tls *tls); int tor_tls_peer_has_cert(tor_tls *tls); int tor_tls_get_peer_cert_nickname(tor_tls *tls, char *buf, size_t buflen); int tor_tls_verify(tor_tls *tls, crypto_pk_env_t **identity); +int tor_tls_check_lifetime(tor_tls *tls, int tolerance); int tor_tls_read(tor_tls *tls, char *cp, size_t len); int tor_tls_write(tor_tls *tls, char *cp, size_t n); int tor_tls_handshake(tor_tls *tls);