commit 599aeef9bc9e707ec7146da79b2018bf2f2924b3 Author: Roger Dingledine arma@torproject.org Date: Sat Mar 9 16:42:35 2013 -0500
parameterize SSLKeyLifetime
no actual changes in behavior yet --- src/or/config.c | 1 + src/or/or.h | 5 +++-- src/or/router.c | 7 +++++-- 3 files changed, 9 insertions(+), 4 deletions(-)
diff --git a/src/or/config.c b/src/or/config.c index dad5719..b7613bd 100644 --- a/src/or/config.c +++ b/src/or/config.c @@ -380,6 +380,7 @@ static config_var_t option_vars_[] = { V(SocksPolicy, LINELIST, NULL), VPORT(SocksPort, LINELIST, NULL), V(SocksTimeout, INTERVAL, "2 minutes"), + V(SSLKeyLifetime, INTERVAL, "365 days"), OBSOLETE("StatusFetchPeriod"), V(StrictNodes, BOOL, "0"), OBSOLETE("SysLog"), diff --git a/src/or/or.h b/src/or/or.h index c2cd8a6..a71468c 100644 --- a/src/or/or.h +++ b/src/or/or.h @@ -177,8 +177,6 @@ #define MIN_ONION_KEY_LIFETIME (7*24*60*60) /** How often do we rotate TLS contexts? */ #define MAX_SSL_KEY_LIFETIME_INTERNAL (2*60*60) -/** What expiry time shall we place on our SSL certs? */ -#define MAX_SSL_KEY_LIFETIME_ADVERTISED (365*24*60*60)
/** How old do we allow a router to get before removing it * from the router list? In seconds. */ @@ -4010,6 +4008,9 @@ typedef struct { */ int DisableV2DirectoryInfo_;
+ /** What expiry time shall we place on our SSL certs? */ + int SSLKeyLifetime; + } or_options_t;
/** Persistent state for an onion router, as saved to disk. */ diff --git a/src/or/router.c b/src/or/router.c index 95aa70a..c9c35f6 100644 --- a/src/or/router.c +++ b/src/or/router.c @@ -650,6 +650,7 @@ router_initialize_tls_context(void) { unsigned int flags = 0; const or_options_t *options = get_options(); + int lifetime = options->SSLKeyLifetime; if (public_server_mode(options)) flags |= TOR_TLS_CTX_IS_PUBLIC_SERVER; if (options->TLSECGroup) { @@ -659,11 +660,13 @@ router_initialize_tls_context(void) flags |= TOR_TLS_CTX_USE_ECDHE_P224; }
+ /* It's ok to pass lifetime in as an unsigned int, since + * config_parse_interval() checked it. */ return tor_tls_context_init(flags, get_tlsclient_identity_key(), - server_mode(get_options()) ? + server_mode(options) ? get_server_identity_key() : NULL, - MAX_SSL_KEY_LIFETIME_ADVERTISED); + (unsigned int)lifetime); }
/** Initialize all OR private keys, and the TLS context, as necessary.
tor-commits@lists.torproject.org