authorNick Mathewson <nickm@torproject.org>2007-09-11 20:17:22 +0000
committerNick Mathewson <nickm@torproject.org>2007-09-11 20:17:22 +0000
commit973502d2905ab4119b1c559295cff62504ada97b (patch)
tree7b26c9ffbfef215d1cbec48d9984ed348b256711 /src/or/router.c
parent3c7652ccdbb352351b92c2d00106646e01c87cb6 (diff)
r15046@catbus: nickm | 2007-09-11 13:38:36 -0400
Check V3 authority certificates for expiry, and warn the authority op as they get old. svn:r11427
Diffstat (limited to 'src/or/router.c')
-rw-r--r--src/or/router.c49
1 files changed, 48 insertions, 1 deletions
diff --git a/src/or/router.c b/src/or/router.c
index 6cfd47fbc5..3420674fe3 100644
--- a/src/or/router.c
+++ b/src/or/router.c
@@ -259,7 +259,7 @@ init_key_from_file(const char *fname, int generate, int severity)
/** Load the v3 (voting) authority signing key and certificate from
* <b>keydir</b>, if they are present. */
-/* XXXX020 maybe move to dirserv.c */
+/* XXXX020 maybe move to dirserv.c or dirvote.c */
static void
init_v3_authority_keys(const char *keydir)
{
@@ -299,6 +299,8 @@ init_v3_authority_keys(const char *keydir)
parsed->cache_info.signed_descriptor_len = eos-cert;
cert = NULL;
+ /* Free old values! XXXX020 */
+
authority_key_certificate = parsed;
authority_signing_key = signing_key;
parsed = NULL;
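Review bot: The `/* Free old values! XXXX020 */` marker leaves the reload path leaking: the previous `authority_key_certificate` and `authority_signing_key` are overwritten two lines below without being released, so every re-read of the keys on a long-running authority loses both objects. If nothing else retains a pointer to the old certificate, `authority_cert_free(authority_key_certificate);` (the same call the error path below already uses) before the assignment closes that half of the leak, and the signing key needs the matching key-release call; whether any cached structure still references the old cert should be confirmed before freeing it, since a dangling reference would be worse than the leak. The body of `init_v3_authority_keys` begins and ends outside this hunk.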
@@ -313,6 +315,51 @@ init_v3_authority_keys(const char *keydir)
authority_cert_free(parsed);
}
+/* DOCDOC */
+void
+v3_authority_check_key_expiry(void)
+{
+ time_t now, expires;
+ static time_t last_warned = 0;
+ int badness, time_left, warn_interval;
+ if (!authdir_mode_v3(get_options()) || !authority_key_certificate)
+ return;
+
+ now = time(NULL);
+ expires = authority_key_certificate->expires;
+ time_left = expires - now;
+ if (time_left <= 0) {
+ badness = LOG_ERR;
+ warn_interval = 60*60;
+ } else if (time_left <= 24*60*60) {
+ badness = LOG_WARN;
+ warn_interval = 60*60;
+ } else if (time_left <= 24*60*60*7) {
+ badness = LOG_WARN;
+ warn_interval = 24*60*60;
+ } else if (time_left <= 24*60*60*30) {
+ badness = LOG_WARN;
+ warn_interval = 24*60*60*5;
+ } else {
+ return;
+ }
+
+ if (last_warned + warn_interval > now)
+ return;
+
+ if (time_left <= 0) {
+ log(badness, LD_DIR, "Your v3 authority certificate has expired."
+ " Generate a new one NOW.");
+ } else if (time_left <= 24*60*60) {
+ log(badness, LD_DIR, "Your v3 authority certificate expires in %d hours;"
+ " Generate a new one NOW.", time_left/(60*60));
+ } else {
+ log(badness, LD_DIR, "Your v3 authority certificate expires in %d days;"
+ " Generate a new one soon.", time_left/(24*60*60));
+ }
+ last_warned = now;
+}
+
/** Initialize all OR private keys, and the TLS context, as necessary.
* On OPs, this only initializes the tls context. Return 0 on success,
* or -1 if Tor should die.
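Review bot: The new `v3_authority_check_key_expiry` is added with a bare `/* DOCDOC */` placeholder; suggest replacing it with `/** If this is a v3 authority with a loaded certificate, log a warning (an error once it has already expired) when the certificate is within 30 days of its expiry time, rate-limited through a static timestamp so the operator is reminded hourly in the final day and less often before that. */`. Separately, `time_left = expires - now;` narrows a `time_t` difference into an `int`, so a certificate with a far-future expiry can wrap negative and be reported as expired; keeping it as `time_t time_left = expires - now;` and casting to `long` for the `%ld` arguments in the two `log()` calls avoids that. The hourly branch also prints `expires in 0 hours` for anything under an hour, which reads oddly beside "NOW"; clamping to at least 1 or saying "less than an hour" would be clearer.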