[or-cvs] stop checking for clock skew, even for servers.
Roger Dingledine
arma at seul.org
Mon Jan 3 17:10:34 UTC 2005
Update of /home2/or/cvsroot/tor/src/or
In directory moria.mit.edu:/home2/arma/work/onion/cvs/tor/src/or
Modified Files:
connection_or.c
Log Message:
stop checking for clock skew, even for servers.
this means we are vulnerable to an attack where somebody recovers
and uses a really old certificate. however, if they do that, they
probably can get our identity key just as easily.
Index: connection_or.c
===================================================================
RCS file: /home2/or/cvsroot/tor/src/or/connection_or.c,v
retrieving revision 1.150
retrieving revision 1.151
diff -u -d -r1.150 -r1.151
--- connection_or.c 13 Dec 2004 00:44:38 -0000 1.150
+++ connection_or.c 3 Jan 2005 17:10:32 -0000 1.151
@@ -391,6 +391,7 @@
log_fn(LOG_WARN, "Identity key not as expected for router claiming to be '%s' (%s:%d) ", nickname, conn->address, conn->port);
return -1;
}
+#if 0
if (router_get_by_digest(digest_rcvd)) {
/* This is a known router; don't cut it slack with its clock skew. */
if (tor_tls_check_lifetime(conn->tls, TIGHT_CERT_ALLOW_SKEW)<0) {
@@ -399,6 +400,7 @@
return -1;
}
}
+#endif
if (connection_or_nonopen_was_started_here(conn)) {
/* I initiated this connection. */
More information about the tor-commits
mailing list