mirror of
https://gitlab.torproject.org/tpo/core/tor.git
synced 2024-11-27 22:03:31 +01:00
Reload Ed25519 keys on sighup.
Closes ticket 16790.
This commit is contained in:
parent
428bb2d1c8
commit
037e8763a7
4
changes/ed25519_hup
Normal file
4
changes/ed25519_hup
Normal file
@ -0,0 +1,4 @@
|
|||||||
|
o Minor features (relay, Ed25519):
|
||||||
|
- On receiving a HUP signal, check to see whether the Ed25519
|
||||||
|
signing key has changed, and reload it if so. Closes ticket
|
||||||
|
16790.
|
@ -2019,6 +2019,14 @@ do_hup(void)
|
|||||||
* force a retry there. */
|
* force a retry there. */
|
||||||
|
|
||||||
if (server_mode(options)) {
|
if (server_mode(options)) {
|
||||||
|
/* Maybe we've been given a new ed25519 key or certificate?
|
||||||
|
*/
|
||||||
|
time_t now = approx_time();
|
||||||
|
if (load_ed_keys(options, now) < 0 ||
|
||||||
|
generate_ed_link_cert(options, now)) {
|
||||||
|
log_warn(LD_OR, "Problem reloading Ed25519 keys; still using old keys.");
|
||||||
|
}
|
||||||
|
|
||||||
/* Update cpuworker and dnsworker processes, so they get up-to-date
|
/* Update cpuworker and dnsworker processes, so they get up-to-date
|
||||||
* configuration options. */
|
* configuration options. */
|
||||||
cpuworkers_rotate_keyinfo();
|
cpuworkers_rotate_keyinfo();
|
||||||
|
@ -635,10 +635,12 @@ load_ed_keys(const or_options_t *options, time_t now)
|
|||||||
goto err; \
|
goto err; \
|
||||||
} while (0)
|
} while (0)
|
||||||
#define SET_KEY(key, newval) do { \
|
#define SET_KEY(key, newval) do { \
|
||||||
|
if ((key) != (newval)) \
|
||||||
ed25519_keypair_free(key); \
|
ed25519_keypair_free(key); \
|
||||||
key = (newval); \
|
key = (newval); \
|
||||||
} while (0)
|
} while (0)
|
||||||
#define SET_CERT(cert, newval) do { \
|
#define SET_CERT(cert, newval) do { \
|
||||||
|
if ((cert) != (newval)) \
|
||||||
tor_cert_free(cert); \
|
tor_cert_free(cert); \
|
||||||
cert = (newval); \
|
cert = (newval); \
|
||||||
} while (0)
|
} while (0)
|
||||||
@ -648,10 +650,7 @@ load_ed_keys(const or_options_t *options, time_t now)
|
|||||||
/* XXXX support encrypted identity keys fully */
|
/* XXXX support encrypted identity keys fully */
|
||||||
|
|
||||||
/* First try to get the signing key to see how it is. */
|
/* First try to get the signing key to see how it is. */
|
||||||
if (master_signing_key) {
|
{
|
||||||
check_signing_cert = signing_key_cert;
|
|
||||||
use_signing = master_signing_key;
|
|
||||||
} else {
|
|
||||||
char *fname =
|
char *fname =
|
||||||
options_get_datadir_fname2(options, "keys", "ed25519_signing");
|
options_get_datadir_fname2(options, "keys", "ed25519_signing");
|
||||||
sign = ed_key_init_from_file(
|
sign = ed_key_init_from_file(
|
||||||
@ -665,6 +664,11 @@ load_ed_keys(const or_options_t *options, time_t now)
|
|||||||
use_signing = sign;
|
use_signing = sign;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (!use_signing && master_signing_key) {
|
||||||
|
check_signing_cert = signing_key_cert;
|
||||||
|
use_signing = master_signing_key;
|
||||||
|
}
|
||||||
|
|
||||||
const int need_new_signing_key =
|
const int need_new_signing_key =
|
||||||
NULL == use_signing ||
|
NULL == use_signing ||
|
||||||
EXPIRES_SOON(check_signing_cert, 0) ||
|
EXPIRES_SOON(check_signing_cert, 0) ||
|
||||||
|
Loading…
Reference in New Issue
Block a user