1 files changed, 6 insertions, 2 deletions

diff --git a/src/or/router.c b/src/or/router.c
index 135c115d1d..2c165a7aa8 100644
--- a/src/or/router.c
+++ b/src/or/router.c
@@ -332,6 +332,7 @@ init_keys(void)
   or_options_t *options = get_options();
   or_state_t *state = get_or_state();
   authority_type_t type;
+  time_t now = time(NULL);
 
   if (!key_lock)
     key_lock = tor_mutex_new();
@@ -389,14 +390,17 @@ init_keys(void)
   prkey = init_key_from_file(keydir, 1, LOG_ERR);
   if (!prkey) return -1;
   set_onion_key(prkey);
-  if (state->LastRotatedOnionKey > 100) { /* allow for some parsing slop. */
+  if (state->LastRotatedOnionKey > 100 && state->LastRotatedOnionKey < now) {
+    /* We allow for some parsing slop, but we don't want to risk accepting
+     * values in the distant future.  If we did, we might never rotate the
+     * onion key. */
     onionkey_set_at = state->LastRotatedOnionKey;
   } else {
     /* We have no LastRotatedOnionKey set; either we just created the key
      * or it's a holdover from 0.1.2.4-alpha-dev or earlier.  In either case,
      * start the clock ticking now so that we will eventually rotate it even
      * if we don't stay up for a full MIN_ONION_KEY_LIFETIME. */
-    state->LastRotatedOnionKey = onionkey_set_at = time(NULL);
+    state->LastRotatedOnionKey = onionkey_set_at = now;
     or_state_mark_dirty(state, options->AvoidDiskWrites ? time(NULL)+3600 : 0);
   }