[tor-commits] [tor/master] parameterize SSLKeyLifetime

arma at torproject.org arma at torproject.org
Mon Mar 11 03:42:21 UTC 2013


commit 599aeef9bc9e707ec7146da79b2018bf2f2924b3
Author: Roger Dingledine <arma at torproject.org>
Date:   Sat Mar 9 16:42:35 2013 -0500

    parameterize SSLKeyLifetime
    
    no actual changes in behavior yet
---
 src/or/config.c |    1 +
 src/or/or.h     |    5 +++--
 src/or/router.c |    7 +++++--
 3 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/src/or/config.c b/src/or/config.c
index dad5719..b7613bd 100644
--- a/src/or/config.c
+++ b/src/or/config.c
@@ -380,6 +380,7 @@ static config_var_t option_vars_[] = {
   V(SocksPolicy,                 LINELIST, NULL),
   VPORT(SocksPort,                   LINELIST, NULL),
   V(SocksTimeout,                INTERVAL, "2 minutes"),
+  V(SSLKeyLifetime,              INTERVAL, "365 days"),
   OBSOLETE("StatusFetchPeriod"),
   V(StrictNodes,                 BOOL,     "0"),
   OBSOLETE("SysLog"),
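Review bot: The new SSLKeyLifetime option gets a default here but no range check anywhere in this diff — options_validate() is not in the diffstat — so a torrc setting of `SSLKeyLifetime 0`, or one shorter than MAX_SSL_KEY_LIFETIME_INTERNAL (the 2-hour context rotation interval kept in or.h), would be accepted and, once router.c passes it through, would advertise certificates that expire before the context that uses them is rotated. Even though the commit changes no behavior yet, I would add the bound together with the option so it is not forgotten when it is wired up, along the lines of `if (options->SSLKeyLifetime < MAX_SSL_KEY_LIFETIME_INTERNAL) REJECT("SSLKeyLifetime is too short");` in options_validate(), using whatever rejection idiom that function already follows. The option is also not added to the manual page in this commit; if it is meant to stay undocumented for now, a short comment on the V() line saying so (and why) would help the next reader.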
diff --git a/src/or/or.h b/src/or/or.h
index c2cd8a6..a71468c 100644
--- a/src/or/or.h
+++ b/src/or/or.h
@@ -177,8 +177,6 @@
 #define MIN_ONION_KEY_LIFETIME (7*24*60*60)
 /** How often do we rotate TLS contexts? */
 #define MAX_SSL_KEY_LIFETIME_INTERNAL (2*60*60)
-/** What expiry time shall we place on our SSL certs? */
-#define MAX_SSL_KEY_LIFETIME_ADVERTISED (365*24*60*60)
 
 /** How old do we allow a router to get before removing it
  * from the router list? In seconds. */
@@ -4010,6 +4008,9 @@ typedef struct {
    */
   int DisableV2DirectoryInfo_;
 
+  /** What expiry time shall we place on our SSL certs? */
+  int SSLKeyLifetime;
+
 } or_options_t;
 
 /** Persistent state for an onion router, as saved to disk. */
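Review bot: The comment on the new SSLKeyLifetime field was carried over from the deleted define and still does not say what unit the value is in or what constrains it, which matters now that it is user-settable rather than a compile-time constant. I would write it as `/** Lifetime, in seconds, of the certificates we generate for our TLS link (the SSLKeyLifetime torrc option). Presumably must exceed MAX_SSL_KEY_LIFETIME_INTERNAL so a context is rotated before its certificate expires -- confirm where this is validated. */`. The field is an `int` while router.c casts it to `unsigned int` before use; the comment could also state that the config parser is relied upon to keep it non-negative, if that is indeed the guarantee.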
diff --git a/src/or/router.c b/src/or/router.c
index 95aa70a..c9c35f6 100644
--- a/src/or/router.c
+++ b/src/or/router.c
@@ -650,6 +650,7 @@ router_initialize_tls_context(void)
 {
   unsigned int flags = 0;
   const or_options_t *options = get_options();
+  int lifetime = options->SSLKeyLifetime;
   if (public_server_mode(options))
     flags |= TOR_TLS_CTX_IS_PUBLIC_SERVER;
   if (options->TLSECGroup) {
@@ -659,11 +660,13 @@ router_initialize_tls_context(void)
       flags |= TOR_TLS_CTX_USE_ECDHE_P224;
   }
 
+  /* It's ok to pass lifetime in as an unsigned int, since
+   * config_parse_interval() checked it. */
   return tor_tls_context_init(flags,
                               get_tlsclient_identity_key(),
-                              server_mode(get_options()) ?
+                              server_mode(options) ?
                               get_server_identity_key() : NULL,
-                              MAX_SSL_KEY_LIFETIME_ADVERTISED);
+                              (unsigned int)lifetime);
 }
 
 /** Initialize all OR private keys, and the TLS context, as necessary.
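Review bot: The added comment says the cast to `unsigned int` is fine because config_parse_interval() checked the value, but what that parser checks is not visible here, and even if it rejects negative values (which makes the cast safe from wrapping) it says nothing about a minimum: a lifetime of 0 reaches tor_tls_context_init() unchanged and would yield certificates that are already expired when issued. I would either rely on a config-time bound against MAX_SSL_KEY_LIFETIME_INTERNAL and say so, or add a local guard such as `tor_assert(lifetime > 0);` before the call, and reword the comment to name the property actually relied on: `/* config_parse_interval() only yields non-negative values (confirm), so the cast to unsigned cannot wrap; the lower bound is enforced in options_validate(). */`. router_initialize_tls_context() begins before this hunk, so its earlier statements are not under review here.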




