[or-cvs] {flagday} Rotate TLS contexts as needed; set expiry times sanely.
Nick Mathewson
nickm at seul.org
Sun Apr 18 23:27:05 UTC 2004
Update of /home/or/cvsroot/src/common
In directory moria.mit.edu:/tmp/cvs-serv31729/src/common
Modified Files:
Tag: tor-0_0_6incompat
tortls.c tortls.h
Log Message:
{flagday} Rotate TLS contexts as needed; set expiry times sanely.
Index: tortls.c
===================================================================
RCS file: /home/or/cvsroot/src/common/tortls.c,v
retrieving revision 1.42.2.3
retrieving revision 1.42.2.4
diff -u -d -r1.42.2.3 -r1.42.2.4
--- tortls.c 17 Apr 2004 18:48:02 -0000 1.42.2.3
+++ tortls.c 18 Apr 2004 23:27:02 -0000 1.42.2.4
@@ -23,8 +23,8 @@
#include <openssl/asn1.h>
#include <openssl/bio.h>
-/* How long do certificates live? (sec) */
-#define CERT_LIFETIME (365*24*60*60)
+/* How long do identity certificates live? (sec) */
+#define IDENTITY_CERT_LIFETIME (365*24*60*60)
/* How much clock skew do we tolerate when checking certificates? (sec) */
#define CERT_ALLOW_SKEW (90*60)
@@ -46,7 +46,8 @@
static X509* tor_tls_create_certificate(crypto_pk_env_t *rsa,
crypto_pk_env_t *rsa_sign,
const char *cname,
- const char *cname_sign);
+ const char *cname_sign,
+ unsigned int lifetime);
/* global tls context, keep it here because nobody else needs to touch it */
static tor_tls_context *global_tls_context = NULL;
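Review bot: The new parameter is named `lifetime` in this prototype but `cert_lifetime` in the definition of tor_tls_create_certificate later in the same file, so the declaration and the body describe the same value under two names. I would make the prototype match the definition, `unsigned int cert_lifetime);`, and since the unit is only implied by how IDENTITY_CERT_LIFETIME is built, a short comment on the prototype such as `/* cert_lifetime is in seconds */` would save the next reader a lookup.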
@@ -139,7 +140,8 @@
tor_tls_create_certificate(crypto_pk_env_t *rsa,
crypto_pk_env_t *rsa_sign,
const char *cname,
- const char *cname_sign)
+ const char *cname_sign,
+ unsigned int cert_lifetime)
{
time_t start_time, end_time;
EVP_PKEY *sign_pkey = NULL, *pkey=NULL;
@@ -187,7 +189,7 @@
if (!X509_time_adj(X509_get_notBefore(x509),0,&start_time))
goto error;
- end_time = start_time + CERT_LIFETIME;
+ end_time = start_time + cert_lifetime;
if (!X509_time_adj(X509_get_notAfter(x509),0,&end_time))
goto error;
if (!X509_set_pubkey(x509, pkey))
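Review bot: `end_time = start_time + cert_lifetime;` now adds a caller-supplied `unsigned int` to a `time_t` with no range check, where the old code added a compile-time constant. A zero lifetime produces a certificate whose notAfter equals its notBefore, i.e. expired at creation, and on targets where time_t is a 32-bit signed type the unsigned promotion and the 2038 boundary can wrap the sum so that notAfter lands before notBefore. I would reject the degenerate case before the addition, `if (cert_lifetime == 0) goto error;`, and perform the arithmetic in the stored type, `end_time = start_time + (time_t)cert_lifetime;`, so at least the computation matches the type it is assigned to. tor_tls_create_certificate begins and ends outside this hunk.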
@@ -236,7 +238,8 @@
*/
int
tor_tls_context_new(crypto_pk_env_t *identity,
- int isServer, const char *nickname)
+ int isServer, const char *nickname,
+ unsigned int key_lifetime)
{
crypto_pk_env_t *rsa = NULL;
crypto_dh_env_t *dh = NULL;
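Review bot: The doc comment whose closing `*/` opens this hunk does not appear to be touched by the commit, so tor_tls_context_new gains a `key_lifetime` parameter that the function's own documentation never mentions, including its unit and which certificate it applies to. I would add a line to that comment such as `key_lifetime: validity period, in seconds, of the per-context link certificate; the identity certificate keeps IDENTITY_CERT_LIFETIME.` The body of tor_tls_context_new continues outside this hunk.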
@@ -253,8 +256,10 @@
goto error;
if (crypto_pk_generate_key(rsa)<0)
goto error;
- cert = tor_tls_create_certificate(rsa, identity, nickname, nn2);
- idcert = tor_tls_create_certificate(identity, identity, nn2, nn2);
+ cert = tor_tls_create_certificate(rsa, identity, nickname, nn2,
+ key_lifetime);
+ idcert = tor_tls_create_certificate(identity, identity, nn2, nn2,
+ IDENTITY_CERT_LIFETIME);
if (!cert || !idcert) {
log(LOG_WARN, "Error creating certificate");
goto error;
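Review bot: `key_lifetime` is passed straight through to the link certificate while the identity certificate that signs it is fixed at IDENTITY_CERT_LIFETIME, and nothing in this function rejects a lifetime of zero or one longer than the signer's. A zero value yields a link cert that is already expired, and a link cert that outlives its issuing identity cert may presumably be refused by a peer that checks the chain's validity window, though the verification path is not in this diff. Since the caller now controls this value, a cheap bounds check before the `cert = ...` line, `if (key_lifetime == 0 || key_lifetime > IDENTITY_CERT_LIFETIME) { log(LOG_WARN, "Bad key lifetime"); goto error; }`, reuses the `goto error` cleanup path the function already has.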
Index: tortls.h
===================================================================
RCS file: /home/or/cvsroot/src/common/tortls.h,v
retrieving revision 1.11.2.1
retrieving revision 1.11.2.2
diff -u -d -r1.11.2.1 -r1.11.2.2
--- tortls.h 17 Apr 2004 01:37:27 -0000 1.11.2.1
+++ tortls.h 18 Apr 2004 23:27:02 -0000 1.11.2.2
@@ -17,7 +17,8 @@
#define TOR_TLS_DONE 0
/* X509* tor_tls_write_certificate(char *certfile, crypto_pk_env_t *rsa, char *nickname); */
-int tor_tls_context_new(crypto_pk_env_t *rsa, int isServer, const char *nickname);
+int tor_tls_context_new(crypto_pk_env_t *rsa, int isServer,
+ const char *nickname, unsigned int key_lifetime);
tor_tls *tor_tls_new(int sock, int isServer);
void tor_tls_free(tor_tls *tls);
int tor_tls_peer_has_cert(tor_tls *tls);
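Review bot: The public declaration of tor_tls_context_new now takes `unsigned int key_lifetime` with no comment, so a caller reading only tortls.h cannot tell whether the value is seconds, hours, or days, nor that it governs only the link certificate and not the identity certificate. Since this header is the contract for the rest of the codebase, I would add above the declaration `/* key_lifetime: validity period in seconds of the link certificate created for this context */`, consistent with how IDENTITY_CERT_LIFETIME is expressed in tortls.c.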