2 files changed, 17 insertions, 0 deletions

diff --git a/changes/warn-when-time-goes-backwards b/changes/warn-when-time-goes-backwards
new file mode 100644
index 0000000000..d7e584d9ff
--- /dev/null
+++ b/changes/warn-when-time-goes-backwards
@@ -0,0 +1,5 @@
+  o Minor features (security, clock):
+    - Warn when the system clock is set back in time (when the
+      state file was last written in the future). Tor doesn't know
+      that consensuses have expired if the clock is in the past.
+      Patch by "teor". Implements ticket #17188.
diff --git a/src/or/statefile.c b/src/or/statefile.c
index dd1894beb7..a904c411f4 100644
--- a/src/or/statefile.c
+++ b/src/or/statefile.c
@@ -372,6 +372,18 @@ or_state_load(void)
     new_state = or_state_new();
   } else if (contents) {
     log_info(LD_GENERAL, "Loaded state from \"%s\"", fname);
+    /* Warn the user if their clock has been set backwards,
+     * they could be tricked into using old consensuses */
+    if (new_state->LastWritten > time(NULL)) {
+      char last_written_str[ISO_TIME_LEN+1];
+      char now_str[ISO_TIME_LEN+1];
+      format_iso_time(last_written_str, new_state->LastWritten),
+      format_iso_time(now_str, time(NULL));
+      log_warn(LD_GENERAL, "Your system clock has been set back in time. "
+               "Tor needs an accurate clock to know when the consensus "
+               "expires. Clock time is %s, state file time is %s.",
+               now_str, last_written_str);
+    }
   } else {
     log_info(LD_GENERAL, "Initialized state");
   }