r15046@catbus: nickm | 2007-09-11 13:38:36 -0400

 Check V3 authority certificates for expiry, and warn the authority op as they get old.


svn:r11427

doc/TODO

@@ -69,7 +69,7 @@ Things we'd like to do in 0.2.0.x:
         o Don't count votes with a different valid-after when generating
           the same consensus.
         - Dump certificates with the wrong time.  Or just warn?
-        - Warn authority ops when their certs are nearly invalid.
+        o Warn authority ops when their certs are nearly invalid.
         - When checking a consensus, make sure that its times are plausible.
         o Add a function that will eventually tell us about our clock skew.
           For now, just require that authorities not be skewed.

src/or/main.c

@@ -807,7 +807,9 @@ run_connection_housekeeping(int i, time_t now)
 static void
 run_scheduled_events(time_t now)
 {
-  static time_t last_rotated_certificate = 0;
+  static time_t last_rotated_x509_certificate = 0;
+  static time_t time_to_check_v3_certificate = 0;
+#define CHECK_V3_CERTIFICATE_INTERVAL (5*60)
   static time_t time_to_check_listeners = 0;
   static time_t time_to_check_descriptor = 0;
   static time_t time_to_check_ipaddress = 0;
@@ -873,16 +875,16 @@ run_scheduled_events(time_t now)
   }
 
   /** 1b. Every MAX_SSL_KEY_LIFETIME seconds, we change our TLS context. */
-  if (!last_rotated_certificate)
-    last_rotated_certificate = now;
-  if (last_rotated_certificate+MAX_SSL_KEY_LIFETIME < now) {
+  if (!last_rotated_x509_certificate)
+    last_rotated_x509_certificate = now;
+  if (last_rotated_x509_certificate+MAX_SSL_KEY_LIFETIME < now) {
     log_info(LD_GENERAL,"Rotating tls context.");
     if (tor_tls_context_new(get_identity_key(), options->Nickname,
                             MAX_SSL_KEY_LIFETIME) < 0) {
       log_warn(LD_BUG, "Error reinitializing TLS context");
       /* XXX is it a bug here, that we just keep going? */
     }
-    last_rotated_certificate = now;
+    last_rotated_x509_certificate = now;
     /* XXXX We should rotate TLS connections as well; this code doesn't change
      *      them at all. */
   }
@@ -921,6 +923,12 @@ run_scheduled_events(time_t now)
     }
   }
 
+  /* 1e. DOCDOC */
+  if (time_to_check_v3_certificate < now) {
+    v3_authority_check_key_expiry();
+    time_to_check_v3_certificate = now + CHECK_V3_CERTIFICATE_INTERVAL;
+  }
+
   /** 2. Periodically, we consider getting a new directory, getting a
    * new running-routers list, and/or force-uploading our descriptor
    * (if we've passed our internal checks). */

src/or/or.h

@@ -3340,6 +3340,8 @@ void dup_onion_keys(crypto_pk_env_t **key, crypto_pk_env_t **last);
 void rotate_onion_key(void);
 crypto_pk_env_t *init_key_from_file(const char *fname, int generate,
                                     int severity);
+void v3_authority_check_key_expiry(void);
+
 int init_keys(void);
 
 int check_whether_orport_reachable(void);

src/or/router.c

@@ -259,7 +259,7 @@ init_key_from_file(const char *fname, int generate, int severity)
 
 /** Load the v3 (voting) authority signing key and certificate from
  * <b>keydir</b>, if they are present. */
-/* XXXX020 maybe move to dirserv.c */
+/* XXXX020 maybe move to dirserv.c or dirvote.c */
 static void
 init_v3_authority_keys(const char *keydir)
 {
@@ -299,6 +299,8 @@ init_v3_authority_keys(const char *keydir)
   parsed->cache_info.signed_descriptor_len = eos-cert;
   cert = NULL;
 
+  /* Free old values! XXXX020 */
+
   authority_key_certificate = parsed;
   authority_signing_key = signing_key;
   parsed = NULL;
@@ -313,6 +315,51 @@ init_v3_authority_keys(const char *keydir)
     authority_cert_free(parsed);
 }
 
+/* DOCDOC */
+void
+v3_authority_check_key_expiry(void)
+{
+  time_t now, expires;
+  static time_t last_warned = 0;
+  int badness, time_left, warn_interval;
+  if (!authdir_mode_v3(get_options()) || !authority_key_certificate)
+    return;
+
+  now = time(NULL);
+  expires = authority_key_certificate->expires;
+  time_left = expires - now;
+  if (time_left <= 0) {
+    badness = LOG_ERR;
+    warn_interval = 60*60;
+  } else if (time_left <= 24*60*60) {
+    badness = LOG_WARN;
+    warn_interval = 60*60;
+  } else if (time_left <= 24*60*60*7) {
+    badness = LOG_WARN;
+    warn_interval = 24*60*60;
+  } else if (time_left <= 24*60*60*30) {
+    badness = LOG_WARN;
+    warn_interval = 24*60*60*5;
+  } else {
+    return;
+  }
+
+  if (last_warned + warn_interval > now)
+    return;
+
+  if (time_left <= 0) {
+    log(badness, LD_DIR, "Your v3 authority certificate has expired."
+        " Generate a new one NOW.");
+  } else if (time_left <= 24*60*60) {
+    log(badness, LD_DIR, "Your v3 authority certificate expires in %d hours;"
+        " Generate a new one NOW.", time_left/(60*60));
+  } else {
+    log(badness, LD_DIR, "Your v3 authority certificate expires in %d days;"
+        " Generate a new one soon.", time_left/(24*60*60));
+  }
+  last_warned = now;
+}
+
 /** Initialize all OR private keys, and the TLS context, as necessary.
  * On OPs, this only initializes the tls context. Return 0 on success,
  * or -1 if Tor should die.