nihilist/tor
1
0
Fork 0
mirror of https://gitlab.torproject.org/tpo/core/tor.git synced 2024-09-21 05:26:20 +02:00
Code Issues Packages Projects Releases Wiki Activity

Reload Ed25519 keys on sighup.

Browse Source 
Closes ticket 16790.
This commit is contained in:
Nick Mathewson 2015-08-18 11:36:19 -04:00
parent 428bb2d1c8
commit 037e8763a7
3 changed files with 22 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
changes/ed25519_hup Normal file
View File

@ -0,0 +1,4 @@
o Minor features (relay, Ed25519):
- On receiving a HUP signal, check to see whether the Ed25519
signing key has changed, and reload it if so. Closes ticket
16790.

8
src/or/main.c
View File

@ -2019,6 +2019,14 @@ do_hup(void)
* force a retry there. */ * force a retry there. */
if (server_mode(options)) { if (server_mode(options)) {
/* Maybe we've been given a new ed25519 key or certificate?
*/
time_t now = approx_time();
if (load_ed_keys(options, now) < 0 ||
generate_ed_link_cert(options, now)) {
log_warn(LD_OR, "Problem reloading Ed25519 keys; still using old keys.");
}
/* Update cpuworker and dnsworker processes, so they get up-to-date /* Update cpuworker and dnsworker processes, so they get up-to-date
* configuration options. */ * configuration options. */
cpuworkers_rotate_keyinfo(); cpuworkers_rotate_keyinfo();

16
src/or/routerkeys.c
View File

@ -635,11 +635,13 @@ load_ed_keys(const or_options_t *options, time_t now)
goto err; \ goto err; \
} while (0) } while (0)
#define SET_KEY(key, newval) do { \ #define SET_KEY(key, newval) do { \
ed25519_keypair_free(key); \ if ((key) != (newval)) \
ed25519_keypair_free(key); \
key = (newval); \ key = (newval); \
} while (0) } while (0)
#define SET_CERT(cert, newval) do { \ #define SET_CERT(cert, newval) do { \
tor_cert_free(cert); \ if ((cert) != (newval)) \
tor_cert_free(cert); \
cert = (newval); \ cert = (newval); \
} while (0) } while (0)
#define EXPIRES_SOON(cert, interval) \ #define EXPIRES_SOON(cert, interval) \
@ -648,10 +650,7 @@ load_ed_keys(const or_options_t *options, time_t now)
/* XXXX support encrypted identity keys fully */ /* XXXX support encrypted identity keys fully */
/* First try to get the signing key to see how it is. */ /* First try to get the signing key to see how it is. */
if (master_signing_key) { {
check_signing_cert = signing_key_cert;
use_signing = master_signing_key;
} else {
char *fname = char *fname =
options_get_datadir_fname2(options, "keys", "ed25519_signing"); options_get_datadir_fname2(options, "keys", "ed25519_signing");
sign = ed_key_init_from_file( sign = ed_key_init_from_file(
@ -665,6 +664,11 @@ load_ed_keys(const or_options_t *options, time_t now)
use_signing = sign; use_signing = sign;
} }
if (!use_signing && master_signing_key) {
check_signing_cert = signing_key_cert;
use_signing = master_signing_key;
}
const int need_new_signing_key = const int need_new_signing_key =
NULL == use_signing || NULL == use_signing ||
EXPIRES_SOON(check_signing_cert, 0) || EXPIRES_SOON(check_signing_cert, 0) ||