Reload Ed25519 keys on sighup.
Closes ticket 16790.
This commit is contained in:
parent
428bb2d1c8
commit
037e8763a7
4
changes/ed25519_hup
Normal file
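--- a/changes/ed25519_hup
+++ b/changes/ed25519_hup
@@ -0,0 +1,4 @@
+o Minor features (relay, Ed25519):
+- On receiving a HUP signal, check to see whether the Ed25519
+signing key has changed, and reload it if so. Closes ticket
+16790.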
@ -2019,6 +2019,14 @@ do_hup(void)
|
||||
* force a retry there. */
|
||||
|
||||
if (server_mode(options)) {
|
||||
/* Maybe we've been given a new ed25519 key or certificate?
|
||||
*/
|
||||
time_t now = approx_time();
|
||||
if (load_ed_keys(options, now) < 0 ||
|
||||
generate_ed_link_cert(options, now)) {
|
||||
log_warn(LD_OR, "Problem reloading Ed25519 keys; still using old keys.");
|
||||
}
|
||||
|
||||
/* Update cpuworker and dnsworker processes, so they get up-to-date
|
||||
* configuration options. */
|
||||
cpuworkers_rotate_keyinfo();
|
||||
|
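Review bot: The warning in the new failure branch claims "still using old keys", but that only holds if load_ed_keys() leaves the in-memory keys untouched when it returns a negative value, which this hunk cannot show, and because the two calls are folded into one `||` the operator who sent the HUP cannot tell whether the key load or the link-certificate generation failed. I would split the check so the message names the failing step: `if (load_ed_keys(options, now) < 0) log_warn(LD_OR, "Problem reloading Ed25519 keys; still using old keys."); else if (generate_ed_link_cert(options, now)) log_warn(LD_OR, "Problem regenerating Ed25519 link certificate.");`. If load_ed_keys() can partially replace state before failing, the "still using old keys" wording should be softened to match. do_hup() starts before and continues after this hunk.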
@ -635,11 +635,13 @@ load_ed_keys(const or_options_t *options, time_t now)
|
||||
goto err; \
|
||||
} while (0)
|
||||
#define SET_KEY(key, newval) do { \
|
||||
ed25519_keypair_free(key); \
|
||||
if ((key) != (newval)) \
|
||||
ed25519_keypair_free(key); \
|
||||
key = (newval); \
|
||||
} while (0)
|
||||
#define SET_CERT(cert, newval) do { \
|
||||
tor_cert_free(cert); \
|
||||
if ((cert) != (newval)) \
|
||||
tor_cert_free(cert); \
|
||||
cert = (newval); \
|
||||
} while (0)
|
||||
#define EXPIRES_SOON(cert, interval) \
|
||||
@ -648,10 +650,7 @@ load_ed_keys(const or_options_t *options, time_t now)
|
||||
/* XXXX support encrypted identity keys fully */
|
||||
|
||||
/* First try to get the signing key to see how it is. */
|
||||
if (master_signing_key) {
|
||||
check_signing_cert = signing_key_cert;
|
||||
use_signing = master_signing_key;
|
||||
} else {
|
||||
{
|
||||
char *fname =
|
||||
options_get_datadir_fname2(options, "keys", "ed25519_signing");
|
||||
sign = ed_key_init_from_file(
|
||||
@ -665,6 +664,11 @@ load_ed_keys(const or_options_t *options, time_t now)
|
||||
use_signing = sign;
|
||||
}
|
||||
|
||||
if (!use_signing && master_signing_key) {
|
||||
check_signing_cert = signing_key_cert;
|
||||
use_signing = master_signing_key;
|
||||
}
|
||||
|
||||
const int need_new_signing_key =
|
||||
NULL == use_signing ||
|
||||
EXPIRES_SOON(check_signing_cert, 0) ||
|
||||
|
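Review bot: The new fallback `if (!use_signing && master_signing_key)` silently reuses the in-memory signing key whenever the on-disk key could not be loaded, and since master_signing_key is presumably NULL on first start, this branch is reached only on a reload such as the HUP path this commit adds, which is exactly when an operator who just rotated the key needs to know the rotation did not take effect. I would log in that branch, e.g. `log_notice(LD_OR, "Could not load Ed25519 signing key from disk; keeping the in-memory key.");` (log_info instead if a missing key file is a normal case here). Note also that the fallback pairs use_signing with the cached signing_key_cert, while the certificate for a key freshly loaded from file comes from code outside this hunk, so whether EXPIRES_SOON(check_signing_cert, 0) sees a certificate matching the newly loaded key cannot be confirmed from what is visible. load_ed_keys() starts before and continues after this hunk.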