author | Nick Mathewson <nickm@torproject.org> | 2011-11-15 11:56:21 -0500 |
---|---|---|
committer | Nick Mathewson <nickm@torproject.org> | 2011-11-15 15:57:46 -0500 |
commit | 69dd993a922fcc65e931d816e1a3c916e98133f2 (patch) | |
tree | 9e9164074c7c867898fdf8ed07302e149a7901f9 /src | |
parent | 87622e4c7e1a3b5c80e67141de7947d0304b6f31 (diff) | |
Make certificate skew into a protocol warning
Diffstat (limited to 'src')
-rw-r--r-- | src/common/tortls.c | 35 | ||||
-rw-r--r-- | src/common/tortls.h | 6 | ||||
-rw-r--r-- | src/or/command.c | 8 |
3 files changed, 28 insertions, 21 deletions
diff --git a/src/common/tortls.c b/src/common/tortls.c index ff0d3293f6..a41a10d136 100644 --- a/src/common/tortls.c +++ b/src/common/tortls.c @@ -212,7 +212,7 @@ static int tor_tls_context_init_one(tor_tls_context_t **ppcontext, static tor_tls_context_t *tor_tls_context_new(crypto_pk_env_t *identity, unsigned int key_lifetime, int is_client); -static int check_cert_lifetime_internal(const X509 *cert, +static int check_cert_lifetime_internal(int severity, const X509 *cert, int past_tolerance, int future_tolerance); /** Global TLS contexts. We keep them here because nobody else needs @@ -945,7 +945,8 @@ tor_tls_cert_matches_key(const tor_tls_t *tls, const tor_cert_t *cert) * the key is long enough. Return 1 if the cert is good, and 0 if it's bad or * we couldn't check it. */ int -tor_tls_cert_is_valid(const tor_cert_t *cert, +tor_tls_cert_is_valid(int severity, + const tor_cert_t *cert, const tor_cert_t *signing_cert, int check_rsa_1024) { @@ -961,7 +962,8 @@ tor_tls_cert_is_valid(const tor_cert_t *cert, /* okay, the signature checked out right. Now let's check the check the * lifetime. */ - if (check_cert_lifetime_internal(cert->cert, 48*60*60, 30*24*60*60) < 0) + if (check_cert_lifetime_internal(severity, cert->cert, + 48*60*60, 30*24*60*60) < 0) return 0; cert_key = X509_get_pubkey(cert->cert); @@ -1924,7 +1926,7 @@ tor_tls_get_peer_cert(tor_tls_t *tls) /** Warn that a certificate lifetime extends through a certain range. */ static void -log_cert_lifetime(const X509 *cert, const char *problem) +log_cert_lifetime(int severity, const X509 *cert, const char *problem) { BIO *bio = NULL; BUF_MEM *buf; 
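Review bot: The doc comment above tor_tls_cert_is_valid (hunk at -945) says nothing about the new `severity` argument; I would add a sentence such as `Log certificate-lifetime problems at <b>severity</b>.` The same gap applies to log_cert_lifetime in the -1924 hunk, whose comment still reads "Warn that ..." although the level is now chosen by the caller, and to tor_tls_check_lifetime and check_cert_lifetime_internal in the later hunks. In the visible lines only the lifetime check receives `severity`, so the comment should say that rather than imply every failure is logged at that level. The bodies of these functions extend beyond the hunks shown.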
@@ -1934,9 +1936,10 @@ log_cert_lifetime(const X509 *cert, const char *problem) struct tm tm; if (problem) - log_warn(LD_GENERAL, - "Certificate %s: is your system clock set incorrectly?", - problem); + log(severity, LD_GENERAL, + "Certificate %s. Either their clock is set wrong, or your clock " + "is wrong.", + problem); if (!(bio = BIO_new(BIO_s_mem()))) { log_warn(LD_GENERAL, "Couldn't allocate BIO!"); goto end; @@ -1958,9 +1961,9 @@ log_cert_lifetime(const X509 *cert, const char *problem) strftime(mytime, 32, "%b %d %H:%M:%S %Y GMT", tor_gmtime_r(&now, &tm)); - log_warn(LD_GENERAL, - "(certificate lifetime runs from %s through %s. Your time is %s.)", - s1,s2,mytime); + log(severity, LD_GENERAL, + "(certificate lifetime runs from %s through %s. Your time is %s.)", + s1,s2,mytime); end: /* Not expected to get invoked */ @@ -2069,7 +2072,8 @@ tor_tls_verify(int severity, tor_tls_t *tls, crypto_pk_env_t **identity_key) * NOTE: you should call tor_tls_verify before tor_tls_check_lifetime. */ int -tor_tls_check_lifetime(tor_tls_t *tls, int past_tolerance, int future_tolerance) +tor_tls_check_lifetime(int severity, tor_tls_t *tls, + int past_tolerance, int future_tolerance) { X509 *cert; int r = -1; @@ -2077,7 +2081,8 @@ tor_tls_check_lifetime(tor_tls_t *tls, int past_tolerance, int future_tolerance) if (!(cert = SSL_get_peer_certificate(tls->ssl))) goto done; - if (check_cert_lifetime_internal(cert, past_tolerance, future_tolerance) < 0) + if (check_cert_lifetime_internal(severity, cert, + past_tolerance, future_tolerance) < 0) goto done; r = 0; @@ -2095,7 +2100,7 @@ tor_tls_check_lifetime(tor_tls_t *tls, int past_tolerance, int future_tolerance) * <b>future_tolerance</b> seconds. If it is live, return 0. If it is not * live, log a message and return -1. */ static int -check_cert_lifetime_internal(const X509 *cert, int past_tolerance, +check_cert_lifetime_internal(int severity, const X509 *cert, int past_tolerance, int future_tolerance) { time_t now, t; 
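Review bot: Both rewritten calls in log_cert_lifetime (this hunk and the one at -1958) keep `LD_GENERAL`, although the message now describes a certificate presented by a peer and is logged at a caller-chosen severity. A protocol domain would let operators filter these lines together with other handshake complaints, e.g. `log(severity, LD_PROTOCOL, ...)`, assuming that domain matches the project's convention for TLS-layer messages. The message also carries no peer identifier, so attributing a skewed certificate depends on whatever the caller logs next. Leaving the BIO allocation failure at log_warn looks right, since that is a local fault. The function begins in the previous hunk and continues past this one.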
@@ -2104,12 +2109,12 @@ check_cert_lifetime_internal(const X509 *cert, int past_tolerance, t = now + future_tolerance; if (X509_cmp_time(X509_get_notBefore(cert), &t) > 0) { - log_cert_lifetime(cert, "not yet valid"); + log_cert_lifetime(severity, cert, "not yet valid"); return -1; } t = now - past_tolerance; if (X509_cmp_time(X509_get_notAfter(cert), &t) < 0) { - log_cert_lifetime(cert, "already expired"); + log_cert_lifetime(severity, cert, "already expired"); return -1; } diff --git a/src/common/tortls.h b/src/common/tortls.h index 6791586f1d..673f18dfe8 100644 --- a/src/common/tortls.h +++ b/src/common/tortls.h @@ -68,7 +68,8 @@ void tor_tls_free(tor_tls_t *tls); int tor_tls_peer_has_cert(tor_tls_t *tls); tor_cert_t *tor_tls_get_peer_cert(tor_tls_t *tls); int tor_tls_verify(int severity, tor_tls_t *tls, crypto_pk_env_t **identity); -int tor_tls_check_lifetime(tor_tls_t *tls, int past_tolerance, +int tor_tls_check_lifetime(int severity, + tor_tls_t *tls, int past_tolerance, int future_tolerance); int tor_tls_read(tor_tls_t *tls, char *cp, size_t len); int tor_tls_write(tor_tls_t *tls, const char *cp, size_t n); @@ -124,7 +125,8 @@ int tor_tls_get_my_certs(int server, crypto_pk_env_t *tor_tls_get_my_client_auth_key(void); crypto_pk_env_t *tor_tls_cert_get_key(tor_cert_t *cert); int tor_tls_cert_matches_key(const tor_tls_t *tls, const tor_cert_t *cert); -int tor_tls_cert_is_valid(const tor_cert_t *cert, +int tor_tls_cert_is_valid(int severity, + const tor_cert_t *cert, const tor_cert_t *signing_cert, int check_rsa_1024); diff --git a/src/or/command.c b/src/or/command.c index 5d0ebaa68a..a963d4210b 100644 --- a/src/or/command.c +++ b/src/or/command.c 
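Review bot: Both comparisons in check_cert_lifetime_internal (hunk at -2104) treat a return of 0 from X509_cmp_time() as "live", but OpenSSL returns 0 when it cannot parse the time, so a certificate with a malformed notBefore or notAfter passes the lifetime check. A successful comparison never returns 0, so the tests can be tightened to `if (X509_cmp_time(X509_get_notBefore(cert), &t) >= 0)` and `if (X509_cmp_time(X509_get_notAfter(cert), &t) <= 0)`. The logged reason would then read "not yet valid" or "already expired" for an unparseable field, so a distinct message may be worth adding. The function starts in the previous hunk and its tail is outside this one.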
@@ -991,9 +991,9 @@ command_process_cert_cell(var_cell_t *cell, or_connection_t *conn) if (! tor_tls_cert_matches_key(conn->tls, link_cert)) { ERR("The link certificate didn't match the TLS public key"); } - if (! tor_tls_cert_is_valid(link_cert, id_cert, 0)) + if (! tor_tls_cert_is_valid(LOG_PROTOCOL_WARN, link_cert, id_cert, 0)) ERR("The link certificate was not valid"); - if (! tor_tls_cert_is_valid(id_cert, id_cert, 1)) + if (! tor_tls_cert_is_valid(LOG_PROTOCOL_WARN, id_cert, id_cert, 1)) ERR("The ID certificate was not valid"); conn->handshake_state->authenticated = 1; @@ -1026,9 +1026,9 @@ command_process_cert_cell(var_cell_t *cell, or_connection_t *conn) ERR("The certs we wanted were missing"); /* Remember these certificates so we can check an AUTHENTICATE cell */ - if (! tor_tls_cert_is_valid(auth_cert, id_cert, 1)) + if (! tor_tls_cert_is_valid(LOG_PROTOCOL_WARN, auth_cert, id_cert, 1)) ERR("The authentication certificate was not valid"); - if (! tor_tls_cert_is_valid(id_cert, id_cert, 1)) + if (! tor_tls_cert_is_valid(LOG_PROTOCOL_WARN, id_cert, id_cert, 1)) ERR("The ID certificate was not valid"); log_info(LD_OR, "Got some good certificates from %s:%d: " |
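Review bot: The four `tor_tls_cert_is_valid(LOG_PROTOCOL_WARN, ...)` calls in command_process_cert_cell (this hunk and the one at -1026) carry no comment saying why a lower severity is right here. A one-line comment before the first call, e.g. `/* These certs come from the peer: log lifetime problems as protocol warnings, not as local warnings. */`, would keep a later editor from restoring warn level and letting any remote party write warn-level lines into the log. Both hunks sit inside command_process_cert_cell, whose start and end are outside the visible lines.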