From 973502d2905ab4119b1c559295cff62504ada97b Mon Sep 17 00:00:00 2001
From: Nick Mathewson
Date: Tue, 11 Sep 2007 20:17:22 +0000
Subject: r15046@catbus: nickm | 2007-09-11 13:38:36 -0400 Check V3 authority certificates for expiry, and warn the authority op as they get old.
svn:r11427
---
 src/or/main.c | 18 +++++++++++++-----
 1 file changed, 13 insertions(+), 5 deletions(-)
(limited to 'src/or/main.c')
diff --git a/src/or/main.c b/src/or/main.c
index e6e45ecb9..aec50fbea 100644
--- a/src/or/main.c
+++ b/src/or/main.c
@@ -807,7 +807,9 @@ run_connection_housekeeping(int i, time_t now)
 static void
 run_scheduled_events(time_t now)
 {
- static time_t last_rotated_certificate = 0;
+ static time_t last_rotated_x509_certificate = 0;
+ static time_t time_to_check_v3_certificate = 0;
+#define CHECK_V3_CERTIFICATE_INTERVAL (5*60)
 static time_t time_to_check_listeners = 0;
 static time_t time_to_check_descriptor = 0;
 static time_t time_to_check_ipaddress = 0;
@@ -873,16 +875,16 @@ run_scheduled_events(time_t now)
 }
 
 /** 1b. Every MAX_SSL_KEY_LIFETIME seconds, we change our TLS context. */
- if (!last_rotated_certificate)
- last_rotated_certificate = now;
- if (last_rotated_certificate+MAX_SSL_KEY_LIFETIME < now) {
+ if (!last_rotated_x509_certificate)
+ last_rotated_x509_certificate = now;
+ if (last_rotated_x509_certificate+MAX_SSL_KEY_LIFETIME < now) {
 log_info(LD_GENERAL,"Rotating tls context.");
 if (tor_tls_context_new(get_identity_key(), options->Nickname,
 MAX_SSL_KEY_LIFETIME) < 0) {
 log_warn(LD_BUG, "Error reinitializing TLS context");
 /* XXX is it a bug here, that we just keep going? */
 }
- last_rotated_certificate = now;
+ last_rotated_x509_certificate = now;
 /* XXXX We should rotate TLS connections as well; this code doesn't change
 * them at all. */
 }
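Review bot: `CHECK_V3_CERTIFICATE_INTERVAL` is `#define`d in the middle of run_scheduled_events' static locals with no comment, and a macro is not block-scoped, so it reads as a function-local constant while actually staying visible to the rest of main.c. Either hoist it to file scope beside any interval constants main.c already keeps there, or at minimum document it in place: `/* How often (in seconds) to check our v3 authority certificate for expiry. */`. The new `time_to_check_v3_certificate` static starts at 0, which means the first expiry check runs on the first pass through this function; a one-line comment saying that is intentional would save the next reader a question. The body of run_scheduled_events continues past the end of this hunk.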
@@ -921,6 +923,12 @@ run_scheduled_events(time_t now)
 }
 }
 
+ /* 1e. DOCDOC */
+ if (time_to_check_v3_certificate < now) {
+ v3_authority_check_key_expiry();
+ time_to_check_v3_certificate = now + CHECK_V3_CERTIFICATE_INTERVAL;
+ }
+
 /** 2. Periodically, we consider getting a new directory, getting a
 * new running-routers list, and/or force-uploading our descriptor
 * (if we've passed our internal checks). */
-- 
cgit v1.2.3
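Review bot: The new block is introduced by the placeholder `/* 1e. DOCDOC */`, which should be filled in before this lands; following the numbered `/** 1b. ... */` style used earlier in the function and the commit message, something like `/** 1e. Every CHECK_V3_CERTIFICATE_INTERVAL seconds, check whether our v3 authority certificate has expired or is about to, and warn the operator. */` would do. v3_authority_check_key_expiry() is also called on every instance regardless of whether it is a v3 authority; if that function does not itself return early for non-authorities (its body is not visible here), the call wants a guard on the authority configuration so ordinary relays and clients do not run it every five minutes. The enclosing run_scheduled_events both starts and ends outside this hunk.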