October 2013 - tor-commits - lists.torproject.org

[tlsdate/master] Merge pull request #118 from elly/event-loop
by ioerror＠torproject.org 31 Oct '13

31 Oct '13

commit 97d90d0c26a6695217c81eb496c5e4476fa17cac Merge: 0bd0c2d aa04c01 Author: \033]2;Jacob Appelbaum\007 <jacob(a)appelbaum.net> Date: Sat Sep 14 14:36:10 2013 -0700 Merge pull request #118 from elly/event-loop Refactor event loop. CHANGELOG | 2 + Makefile.am | 2 +- run-tests | 4 +- src/event-unittest.c | 48 ++++++++ src/event.c | 295 ++++++++++++++++++++++++++++++++++++++++++++++ src/event.h | 21 ++++ src/include.am | 10 +- src/tlsdate.h | 4 + src/tlsdated-unittest.c | 80 +++++++++++++ src/tlsdated.c | 300 +++++++++++++++++++++++++---------------------- src/util.c | 187 +++++++++++++++++++++++++++++ src/util.h | 19 +++ tests/common.sh | 2 +- 13 files changed, 831 insertions(+), 143 deletions(-)

1 0

[tlsdate/master] Change check for RTC to be configure based.
by ioerror＠torproject.org 31 Oct '13

31 Oct '13

commit fddd223536b0f68ab5a09a35c454cca9d96d38c6 Author: Nick Mathewson <nickm(a)torproject.org> Date: Thu Oct 10 15:01:53 2013 -0400 Change check for RTC to be configure based. Previously I had disabled it with #ifdef __linux__, but that's not very good autoconf style. --- configure.ac | 7 +++++++ src/util.c | 10 +++++++--- 2 files changed, 14 insertions(+), 3 deletions(-) diff --git a/configure.ac b/configure.ac index 231547e..f1a424f 100644 --- a/configure.ac +++ b/configure.ac @@ -143,6 +143,13 @@ AC_CHECK_HEADERS([sys/wait.h], ,[AC_MSG_ERROR([Required headers missing; compila AC_CHECK_HEADERS([time.h], ,[AC_MSG_ERROR([Required headers missing; compilation will not succeed])]) AC_CHECK_HEADERS([unistd.h], ,[AC_MSG_ERROR([Required headers missing; compilation will not succeed])]) +AC_CHECK_HEADERS([linux/rtc.h]) +AC_CHECK_TYPES([struct rtc_time], [], [], [ +#ifdef HAVE_LINUX_RTC_H +#include <linux/rtc.h> +#endif +]) + AC_CHECK_FUNCS([strnlen]) AM_CONDITIONAL(HAVE_STRNLEN, [test "x${ac_cv_func_strnlen}" = xyes]) diff --git a/src/util.c b/src/util.c index 129de8d..4f1d0e0 100644 --- a/src/util.c +++ b/src/util.c @@ -11,7 +11,7 @@ #include <fcntl.h> #include <grp.h> #include <limits.h> -#ifdef __linux__ +#ifdef HAVE_LINUX_RTC_H #include <linux/rtc.h> #endif #include <pwd.h> @@ -29,6 +29,10 @@ #include "src/util.h" +#if defined(HAVE_STRUCT_RTC_TIME) && defined(RTC_SET_TIME) && defined(RTC_RD_TIME) +#define ENABLE_RTC +#endif + const char *kTempSuffix = DEFAULT_DAEMON_TMPSUFFIX; /** helper function to print message and die */ @@ -145,7 +149,7 @@ wait_with_timeout(int *status, int timeout_secs) return exited; } -#ifdef __linux__ +#ifdef ENABLE_RTC struct rtc_handle { int fd; @@ -308,7 +312,7 @@ int pgrp_kill(void) } static struct platform default_platform = { -#ifdef __linux__ +#ifdef ENABLE_RTC .rtc_open = rtc_open, .rtc_write = rtc_write, .rtc_read = rtc_read,

1 0

[tlsdate/master] Merge pull request #119 from redpig/showtime=raw
by ioerror＠torproject.org 31 Oct '13

31 Oct '13

commit cb812067f3fa70058779c6ba3f610924b34ff853 Merge: 97d90d0 d8fc0e8 Author: \033]2;Jacob Appelbaum\007 <jacob(a)appelbaum.net> Date: Sat Sep 14 14:43:20 2013 -0700 Merge pull request #119 from redpig/showtime=raw tlsdate: add optional --showtime support for "raw" man/tlsdate.1 | 5 +++-- src/tlsdate-helper.c | 7 +++++++ src/tlsdate.c | 10 +++++----- src/tlsdate.h | 1 + 4 files changed, 16 insertions(+), 7 deletions(-)

1 0

[tlsdate/master] Rudimentary support for HTTP Date headers
by ioerror＠torproject.org 31 Oct '13

31 Oct '13

commit 16ee83468552bee9205d6de6b3c4633b160986d6 Author: Nick Mathewson <nickm(a)torproject.org> Date: Wed Sep 18 14:26:05 2013 -0400 Rudimentary support for HTTP Date headers Since I'm going on a personal crusade to kill off gmt_unix_time, I should provide an alternative. That alternative can be the Date header from HTTP -- unlike gmt_unix_time, the Date header is required by the RFC to actually be an accurate clock-like clock, and nobody is trying to get rid of it. This code is pretty hack-ish and does some nonportable stuff, like using memmem() and timegm(). It's not super-tolerant of non-standards-compliant HTTP servers. I hope I didn't make any pointer mistakes. --- src/tlsdate-helper.c | 175 ++++++++++++++++++++++++++++++++++++++++++++++++-- src/tlsdate-helper.h | 2 +- src/tlsdate.c | 10 ++- src/util.c | 6 ++ 4 files changed, 183 insertions(+), 10 deletions(-) diff --git a/src/tlsdate-helper.c b/src/tlsdate-helper.c index 4058f5e..2a92195 100644 --- a/src/tlsdate-helper.c +++ b/src/tlsdate-helper.c @@ -193,6 +193,129 @@ make_ssl_bio(SSL_CTX *ctx) return ssl; } + +static int +write_all_to_bio(BIO *bio, const char *string) +{ + int n = (int) strlen(string); + int r; + + while (n) { + r = BIO_write(bio, string, n); + if (r > 0) { + if (r > n) + return -1; + n -= r; + string += r; + } else { + return 0; + } + } + + return 1; +} + +static int +handle_date_line(const char *dateline, uint32_t *result) +{ + int year,mon,day,hour,min,sec; + char month[4]; + struct tm tm; + int i; + time_t t; + + static const char *MONTHS[] = + { "Jan", "Feb", "Mar", "Apr", "May", "Jun", + "Jul", "Aug", "Sep", "Oct", "Nov", "Dec", NULL }; + + if (strncmp("\r\nDate: ", dateline, 8)) + return 0; + + dateline += 8; + verb("V: The alleged date is <%s>\n", dateline); + + while (*dateline == ' ') + ++dateline; + while (*dateline && *dateline != ' ') + ++dateline; + while (*dateline == ' ') + ++dateline; + /* We just skipped over the day of the week. Now we have:*/ + if (sscanf(dateline, "%d %3s %d %d:%d:%d", + &day, month, &year, &hour, &min, &sec) == 6 || + sscanf(dateline, "%d-%3s-%d %d:%d:%d", + &day, month, &year, &hour, &min, &sec) == 6 || + sscanf(dateline, "%3s %d %d:%d:%d %d", + month, &day, &hour, &min, &sec, &year) == 6) { + + if (year < 100) + year += 1900; + + verb("V: Parsed the date: %04d-%s-%02d %02d:%02d:%02d\n", + year, month, day, hour, min, sec); + } else { + verb("V: Couldn't parse date.\n"); + return -1; + } + + for (i = 0; ; ++i) { + if (!MONTHS[i]) + return -2; + if (!strcmp(month, MONTHS[i])) { + mon = i; + break; + } + } + + memset(&tm, 0, sizeof(tm)); + tm.tm_year = year - 1900; + tm.tm_mon = mon; + tm.tm_mday = day; + tm.tm_hour = hour; + tm.tm_min = min; + tm.tm_sec = sec; + + t = timegm(&tm); + if (t > 0xffffffff || t < 0) + return -1; + + *result = (uint32_t) t; + + return 1; +} + +#define MAX_HTTP_HEADERS_SIZE 8192 + +static int +read_http_date_from_bio(BIO *bio, uint32_t *result) +{ + int n; + char buf[MAX_HTTP_HEADERS_SIZE]; + int buf_len=0; + char *dateline, *endofline; + + while (buf_len < sizeof(buf)-1) { + n = BIO_read(bio, buf+buf_len, sizeof(buf)-buf_len-1); + if (n <= 0) + return 0; + buf_len += n; + buf[buf_len] = 0; + verb("V: read %d bytes.", n, buf); + + dateline = memmem(buf, buf_len, "\r\nDate: ", 8); + if (NULL == dateline) + continue; + + endofline = memmem(dateline+2, buf_len - (dateline-buf+2), "\r\n", 2); + if (NULL == endofline) + continue; + + *endofline = 0; + return handle_date_line(dateline, result); + } + return -2; +} + /** helper function for 'malloc' */ static void * xmalloc (size_t size) @@ -773,6 +896,13 @@ inspect_key (SSL *ssl, const char *hostname) } #endif +#define HTTP_REQUEST \ + "HEAD / HTTP/1.1\r\n" \ + "User-Agent: %s\r\n" \ + "Host: %s\r\n" \ + "\r\n" +#define HTTP_USER_AGENT "TLSDate/1.0" + #ifdef USE_POLARSSL void check_timestamp (uint32_t server_time) @@ -819,9 +949,12 @@ static int ssl_do_handshake_part(ssl_context *ssl) * 'time_map'. * * @param time_map where to store the current time + * @param time_is_an_illusion + * @param http whether to do an http request and take the date from that + * instead. */ static void -run_ssl (uint32_t *time_map, int time_is_an_illusion) +run_ssl (uint32_t *time_map, int time_is_an_illusion, int http) { entropy_context entropy; ctr_drbg_context ctr_drbg; @@ -958,14 +1091,18 @@ run_ssl (uint32_t *time_map, int time_is_an_illusion) * 'time_map'. * * @param time_map where to store the current time + * @param time_is_an_illusion + * @param http whether to do an http request and take the date from that + * instead. */ static void -run_ssl (uint32_t *time_map, int time_is_an_illusion) +run_ssl (uint32_t *time_map, int time_is_an_illusion, int http) { BIO *s_bio; SSL_CTX *ctx; SSL *ssl; struct stat statbuf; + uint32_t result_time; SSL_load_error_strings(); SSL_library_init(); @@ -1044,6 +1181,28 @@ run_ssl (uint32_t *time_map, int time_is_an_illusion) if (1 != BIO_do_handshake(s_bio)) die ("SSL handshake failed\n"); + if (http) { + char buf[1024]; + verb("V: Starting HTTP\n"); + if (snprintf(buf, sizeof(buf), + HTTP_REQUEST, HTTP_USER_AGENT, hostname_to_verify) >= 1024) + die("hostname too long"); + buf[1023]='\0'; /* Unneeded. */ + verb("V: Writing HTTP request\n"); + if (1 != write_all_to_bio(s_bio, buf)) + die ("write all to bio failed.\n"); + verb("V: Reading HTTP response\n"); + if (1 != read_http_date_from_bio(s_bio, &result_time)) + die ("read all from bio failed.\n"); + verb("V: Got HTTP response. T=%lu\n", (unsigned long)result_time); + + result_time = htonl(result_time); + } else { + // from /usr/include/openssl/ssl3.h + // ssl->s3->server_random is an unsigned char of 32 bits + memcpy(&result_time, ssl->s3->server_random, sizeof (uint32_t)); + } + // Verify the peer certificate against the CA certs on the local system if (ca_racket) { inspect_key (ssl, hostname_to_verify); @@ -1051,9 +1210,9 @@ run_ssl (uint32_t *time_map, int time_is_an_illusion) verb ("V: Certificate verification skipped!\n"); } check_key_length(ssl); - // from /usr/include/openssl/ssl3.h - // ssl->s3->server_random is an unsigned char of 32 bits - memcpy(time_map, ssl->s3->server_random, sizeof (uint32_t)); + + memcpy(time_map, &result_time, sizeof (uint32_t)); + SSL_free(ssl); SSL_CTX_free(ctx); } @@ -1074,8 +1233,9 @@ main(int argc, char **argv) int showtime_raw; int timewarp; int leap; + int http; - if (argc != 12) + if (argc != 13) return 1; host = argv[1]; hostname_to_verify = argv[1]; @@ -1090,6 +1250,7 @@ main(int argc, char **argv) timewarp = (0 == strcmp ("timewarp", argv[9])); leap = (0 == strcmp ("leapaway", argv[10])); proxy = (0 == strcmp ("none", argv[11]) ? NULL : argv[11]); + http = (0 == (strcmp("http", argv[12]))); /* Initalize warp_time with RECENT_COMPILE_DATE */ clock_init_time(&warp_time, RECENT_COMPILE_DATE, 0); @@ -1169,7 +1330,7 @@ main(int argc, char **argv) if (0 == ssl_child) { drop_privs_to (UNPRIV_USER, UNPRIV_GROUP); - run_ssl (time_map, leap); + run_ssl (time_map, leap, http); (void) munmap (time_map, sizeof (uint32_t)); _exit (0); } diff --git a/src/tlsdate-helper.h b/src/tlsdate-helper.h index 2456efc..6890a88 100644 --- a/src/tlsdate-helper.h +++ b/src/tlsdate-helper.h @@ -118,6 +118,6 @@ void inspect_key (SSL *ssl, const char *hostname); uint32_t dns_label_count (char *label, char *delim); uint32_t check_wildcard_match_rfc2595 (const char *orig_hostname, const char *orig_cert_wild_card); -static void run_ssl (uint32_t *time_map, int time_is_an_illusion); +static void run_ssl (uint32_t *time_map, int time_is_an_illusion, int http); #endif diff --git a/src/tlsdate.c b/src/tlsdate.c index 26e9432..82dd217 100644 --- a/src/tlsdate.c +++ b/src/tlsdate.c @@ -94,7 +94,8 @@ usage(void) " [-V|--showtime] [human|raw]\n" " [-t|--timewarp]\n" " [-l|--leap]\n" - " [-x|--proxy] [url]\n"); + " [-x|--proxy] [url]\n" + " [-w|--http]\n"); } @@ -112,6 +113,7 @@ main(int argc, char **argv) int timewarp; int leap; const char *proxy; + int http; host = DEFAULT_HOST; port = DEFAULT_PORT; @@ -124,6 +126,7 @@ main(int argc, char **argv) timewarp = 0; leap = 0; proxy = NULL; + http = 0; while (1) { int option_index = 0; @@ -143,10 +146,11 @@ main(int argc, char **argv) {"timewarp", 0, 0, 't'}, {"leap", 0, 0, 'l'}, {"proxy", 0, 0, 'x'}, + {"http", 0, 0, 'w'}, {0, 0, 0, 0} }; - c = getopt_long(argc, argv, "vV::shH:p:P:nC:tlx:", + c = getopt_long(argc, argv, "vV::shH:p:P:nC:tlx:w", long_options, &option_index); if (c == -1) break; @@ -164,6 +168,7 @@ main(int argc, char **argv) case 't': timewarp = 1; break; case 'l': leap = 1; break; case 'x': proxy = optarg; break; + case 'w': http = 1; break; case '?': break; default : fprintf(stderr, "Unknown option!\n"); usage(); exit(1); } @@ -194,6 +199,7 @@ main(int argc, char **argv) (timewarp ? "timewarp" : "no-fun"), (leap ? "leapaway" : "holdfast"), (proxy ? proxy : "none"), + (http ? "http" : "tls"), NULL); perror("Failed to run tlsdate-helper"); return 1; diff --git a/src/util.c b/src/util.c index fe5c370..129de8d 100644 --- a/src/util.c +++ b/src/util.c @@ -11,7 +11,9 @@ #include <fcntl.h> #include <grp.h> #include <limits.h> +#ifdef __linux__ #include <linux/rtc.h> +#endif #include <pwd.h> #include <signal.h> #include <stdarg.h> @@ -143,6 +145,7 @@ wait_with_timeout(int *status, int timeout_secs) return exited; } +#ifdef __linux__ struct rtc_handle { int fd; @@ -226,6 +229,7 @@ int rtc_close(void *handle) free(h); return 0; } +#endif int file_write(const char *path, void *buf, size_t sz) { @@ -304,10 +308,12 @@ int pgrp_kill(void) } static struct platform default_platform = { +#ifdef __linux__ .rtc_open = rtc_open, .rtc_write = rtc_write, .rtc_read = rtc_read, .rtc_close = rtc_close, +#endif .file_write = file_write, .file_read = file_read,

1 0

[tlsdate/master] Describe what an HTTP date is
by ioerror＠torproject.org 31 Oct '13

31 Oct '13

commit 0c085d991f65af84ed838007fbd5d6af51cb5e6f Author: Nick Mathewson <nickm(a)torproject.org> Date: Thu Oct 10 15:08:30 2013 -0400 Describe what an HTTP date is --- src/tlsdate-helper.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/src/tlsdate-helper.c b/src/tlsdate-helper.c index 2a92195..2e0e2fb 100644 --- a/src/tlsdate-helper.c +++ b/src/tlsdate-helper.c @@ -223,6 +223,15 @@ handle_date_line(const char *dateline, uint32_t *result) struct tm tm; int i; time_t t; + /* We recognize the three formats in RFC2616, section 3.3.1. Month + names are always in English. The formats are: + + Sun, 06 Nov 1994 08:49:37 GMT ; RFC 822, updated by RFC 1123 + Sunday, 06-Nov-94 08:49:37 GMT ; RFC 850, obsoleted by RFC 1036 + Sun Nov 6 08:49:37 1994 ; ANSI C's asctime() format + + Note that the first is preferred. + */ static const char *MONTHS[] = { "Jan", "Feb", "Mar", "Apr", "May", "Jun",

1 0

[tlsdate/master] Don't log raw dates, in case they contain junk.
by ioerror＠torproject.org 31 Oct '13

31 Oct '13

commit 2dafddce642c497477c27a3f7a005be2865755f2 Author: Nick Mathewson <nickm(a)torproject.org> Date: Thu Oct 10 15:08:33 2013 -0400 Don't log raw dates, in case they contain junk. --- src/tlsdate-helper.c | 15 ++++++++++++++- 1 file changed, 14 insertions(+), 1 deletion(-) diff --git a/src/tlsdate-helper.c b/src/tlsdate-helper.c index 2e0e2fb..a5017d5 100644 --- a/src/tlsdate-helper.c +++ b/src/tlsdate-helper.c @@ -215,6 +215,19 @@ write_all_to_bio(BIO *bio, const char *string) return 1; } +/* If the string is all nice clean ascii that it's safe to log, return + * it. Otherwise return a placeholder "This is junk" string. */ +static const char * +sanitize_string(const char *s) +{ + const unsigned char *cp; + for (cp = (const unsigned char *)s; *cp; cp++) { + if (*cp < 32 || *cp > 127) + return "string with invalid characters"; + } + return s; +} + static int handle_date_line(const char *dateline, uint32_t *result) { @@ -241,7 +254,7 @@ handle_date_line(const char *dateline, uint32_t *result) return 0; dateline += 8; - verb("V: The alleged date is <%s>\n", dateline); + verb("V: The alleged date is <%s>\n", sanitize_string(dateline)); while (*dateline == ' ') ++dateline;

1 0

[tlsdate/master] Document magic "1900" value
by ioerror＠torproject.org 31 Oct '13

31 Oct '13

commit 9d2f77df0b99ec03545418caa05903dd6aaf1adc Author: Nick Mathewson <nickm(a)torproject.org> Date: Thu Oct 10 15:11:17 2013 -0400 Document magic "1900" value --- src/tlsdate-helper.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/tlsdate-helper.c b/src/tlsdate-helper.c index a5017d5..a724402 100644 --- a/src/tlsdate-helper.c +++ b/src/tlsdate-helper.c @@ -270,6 +270,8 @@ handle_date_line(const char *dateline, uint32_t *result) sscanf(dateline, "%3s %d %d:%d:%d %d", month, &day, &hour, &min, &sec, &year) == 6) { + /* Two digit dates are defined to be relative to 1900; all other dates + * are supposed to be represented as four digits. */ if (year < 100) year += 1900;

1 0

[tlsdate/master] Make user-agent a configuration option
by ioerror＠torproject.org 31 Oct '13

31 Oct '13

commit 671152207209a890f35f774ef938cff24cdc3b98 Author: Nick Mathewson <nickm(a)torproject.org> Date: Thu Oct 10 15:28:09 2013 -0400 Make user-agent a configuration option --- configure.ac | 10 ++++++++++ src/tlsdate-helper.c | 3 +-- 2 files changed, 11 insertions(+), 2 deletions(-) diff --git a/configure.ac b/configure.ac index f1a424f..99b81de 100644 --- a/configure.ac +++ b/configure.ac @@ -39,6 +39,16 @@ dnl Place we install our config file TLSDATE_CONF_DIR="${sysconfdir}/$PACKAGE_NAME/" AC_SUBST([TLSDATE_CONF_DIR]) +dnl HTTPS User-agent +AC_ARG_WITH([https-user-agent], + [AS_HELP_STRING([--with-https-user-agent=AGENT], + [a User-Agent value to send when running in HTTPS mode])], + [], + [with_https_user_agent="TLSDate/1.0"]) +AC_DEFINE_UNQUOTED([HTTPS_USER_AGENT], + ["${with_https_user_agent}"], + [User-Agent value to send when running as an HTTPS client]) + dnl check for PolarSSL OPT_POLARSSL=yes diff --git a/src/tlsdate-helper.c b/src/tlsdate-helper.c index 4dce354..7813158 100644 --- a/src/tlsdate-helper.c +++ b/src/tlsdate-helper.c @@ -925,7 +925,6 @@ inspect_key (SSL *ssl, const char *hostname) "User-Agent: %s\r\n" \ "Host: %s\r\n" \ "\r\n" -#define HTTP_USER_AGENT "TLSDate/1.0" #ifdef USE_POLARSSL void @@ -1214,7 +1213,7 @@ run_ssl (uint32_t *time_map, int time_is_an_illusion, int http) char buf[1024]; verb("V: Starting HTTP\n"); if (snprintf(buf, sizeof(buf), - HTTP_REQUEST, HTTP_USER_AGENT, hostname_to_verify) >= 1024) + HTTP_REQUEST, HTTPS_USER_AGENT, hostname_to_verify) >= 1024) die("hostname too long"); buf[1023]='\0'; /* Unneeded. */ verb("V: Writing HTTP request\n");

1 0

[tlsdate/master] Update manpage with http option
by ioerror＠torproject.org 31 Oct '13

31 Oct '13

commit 0aa0bf8ee6102d032c8833db043c007cd5bc36c2 Author: Nick Mathewson <nickm(a)torproject.org> Date: Thu Oct 10 15:21:50 2013 -0400 Update manpage with http option --- man/tlsdate-helper.1 | 2 +- man/tlsdate.1 | 6 +++++- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/man/tlsdate-helper.1 b/man/tlsdate-helper.1 index 8260434..d81f694 100644 --- a/man/tlsdate-helper.1 +++ b/man/tlsdate-helper.1 @@ -6,7 +6,7 @@ tlsdate-helper \- secure parasitic rdate replacement .SH SYNOPSIS .B tlsdate-helper host port protocol ca_racket verbose certdir setclock \ -showtime timewarp leapaway proxy-type://proxyhost:proxyport +showtime timewarp leapaway proxy-type://proxyhost:proxyport httpmode .SH DESCRIPTION .B tlsdate-helper is a tool for setting the system clock by hand or by communication diff --git a/man/tlsdate.1 b/man/tlsdate.1 index e34c81d..82e3d7c 100644 --- a/man/tlsdate.1 +++ b/man/tlsdate.1 @@ -5,7 +5,7 @@ .SH NAME tlsdate \- secure parasitic rdate replacement .SH SYNOPSIS -.B tlsdate [\-hnvVstl] [\-H [hostname]] [\-p [port]] [\-P [sslv23|sslv3|tlsv1]] \ +.B tlsdate [\-hnvVstlw] [\-H [hostname]] [\-p [port]] [\-P [sslv23|sslv3|tlsv1]] \ [\-\-certdir [dirname]] [\-x [\-\-proxy] proxy\-type://proxyhost:proxyport] .SH DESCRIPTION .B tlsdate @@ -76,6 +76,10 @@ if there are any other issues, such as self-signed certificates or if the user pins to a CA that is not used by the remote server. This is useful if your RTC is broken on boot and you are unable to use DNSEC until you've at least had some kind of leap of cryptographically assured data. +.IP "\-w | \-\-http" +Run in web mode: look for the time in an HTTP "Date" header inside an +HTTPS connection, rather than in the TLS connection itself. The provided +hostname and port must support HTTPS. .SH BUGS It's likely! Let us know by contacting jacob(a)appelbaum.net

1 0

[tlsdate/master] In verbose mode, display TLS time as well as HTTPS time
by ioerror＠torproject.org 31 Oct '13

31 Oct '13

commit f70fba4051e1a1abcf12cebb2cc462ea5bd847cd Author: Nick Mathewson <nickm(a)torproject.org> Date: Thu Oct 10 15:16:23 2013 -0400 In verbose mode, display TLS time as well as HTTPS time --- src/tlsdate-helper.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/src/tlsdate-helper.c b/src/tlsdate-helper.c index a724402..4dce354 100644 --- a/src/tlsdate-helper.c +++ b/src/tlsdate-helper.c @@ -1205,6 +1205,11 @@ run_ssl (uint32_t *time_map, int time_is_an_illusion, int http) if (1 != BIO_do_handshake(s_bio)) die ("SSL handshake failed\n"); + // from /usr/include/openssl/ssl3.h + // ssl->s3->server_random is an unsigned char of 32 bits + memcpy(&result_time, ssl->s3->server_random, sizeof (uint32_t)); + verb("V: In TLS response, T=%lu\n", (unsigned long)ntohl(result_time)); + if (http) { char buf[1024]; verb("V: Starting HTTP\n"); @@ -1221,10 +1226,6 @@ run_ssl (uint32_t *time_map, int time_is_an_illusion, int http) verb("V: Got HTTP response. T=%lu\n", (unsigned long)result_time); result_time = htonl(result_time); - } else { - // from /usr/include/openssl/ssl3.h - // ssl->s3->server_random is an unsigned char of 32 bits - memcpy(&result_time, ssl->s3->server_random, sizeof (uint32_t)); } // Verify the peer certificate against the CA certs on the local system

1 0