mirror of
https://gitlab.torproject.org/tpo/core/tor.git
synced 2024-11-28 06:13:31 +01:00
Relays make sure their own descriptor has an ntor key
This commit is contained in:
parent
33da2abd05
commit
24e8bb2d83
@ -1,4 +1,8 @@
|
||||
o Major bug fixes (circuit building):
|
||||
- Authorites should not trust the version a relay claims (if any),
|
||||
instead, they should check specifically for an ntor key.
|
||||
- Tor authorities, relays, and clients no longer support
|
||||
circuit-building using TAP. (The hidden service protocol
|
||||
still uses TAP.)
|
||||
- Relays make sure their own descriptor has an ntor key.
|
||||
- Authorites no longer trust the version a relay claims (if any),
|
||||
instead, they check specifically for an ntor key.
|
||||
Fixes bug 19163; bugfix on 0.2.4.18-rc.
|
||||
|
@ -2753,6 +2753,10 @@ router_dump_router_to_string(routerinfo_t *router,
|
||||
(const char *)router->onion_curve25519_pkey->public_key,
|
||||
CURVE25519_PUBKEY_LEN, BASE64_ENCODE_MULTILINE);
|
||||
smartlist_add_asprintf(chunks, "ntor-onion-key %s", kbuf);
|
||||
} else {
|
||||
/* Authorities will start rejecting relays without ntor keys in 0.2.9 */
|
||||
log_err(LD_BUG, "A relay must have an ntor onion key");
|
||||
goto err;
|
||||
}
|
||||
|
||||
/* Write the exit policy to the end of 's'. */
|
||||
|
@ -116,6 +116,7 @@ test_dir_formats(void *arg)
|
||||
const addr_policy_t *p;
|
||||
time_t now = time(NULL);
|
||||
port_cfg_t orport, dirport;
|
||||
char cert_buf[256];
|
||||
|
||||
(void)arg;
|
||||
pk1 = pk_generate(0);
|
||||
@ -135,6 +136,11 @@ test_dir_formats(void *arg)
|
||||
tor_addr_parse(&r1->ipv6_addr, "1:2:3:4::");
|
||||
r1->ipv6_orport = 9999;
|
||||
r1->onion_pkey = crypto_pk_dup_key(pk1);
|
||||
/* Fake just enough of an ntor key to get by */
|
||||
curve25519_keypair_t r1_onion_keypair;
|
||||
curve25519_keypair_generate(&r1_onion_keypair, 0);
|
||||
r1->onion_curve25519_pkey = tor_memdup(&r1_onion_keypair.pubkey,
|
||||
sizeof(curve25519_public_key_t));
|
||||
r1->identity_pkey = crypto_pk_dup_key(pk2);
|
||||
r1->bandwidthrate = 1000;
|
||||
r1->bandwidthburst = 5000;
|
||||
@ -167,11 +173,6 @@ test_dir_formats(void *arg)
|
||||
&kp2.pubkey,
|
||||
now, 86400,
|
||||
CERT_FLAG_INCLUDE_SIGNING_KEY);
|
||||
char cert_buf[256];
|
||||
base64_encode(cert_buf, sizeof(cert_buf),
|
||||
(const char*)r2->cache_info.signing_key_cert->encoded,
|
||||
r2->cache_info.signing_key_cert->encoded_len,
|
||||
BASE64_ENCODE_MULTILINE);
|
||||
r2->platform = tor_strdup(platform);
|
||||
r2->cache_info.published_on = 5;
|
||||
r2->or_port = 9005;
|
||||
@ -247,6 +248,11 @@ test_dir_formats(void *arg)
|
||||
strlcat(buf2, "hidden-service-dir\n", sizeof(buf2));
|
||||
strlcat(buf2, "contact Magri White <magri@elsewhere.example.com>\n",
|
||||
sizeof(buf2));
|
||||
strlcat(buf2, "ntor-onion-key ", sizeof(buf2));
|
||||
base64_encode(cert_buf, sizeof(cert_buf),
|
||||
(const char*)r1_onion_keypair.pubkey.public_key, 32,
|
||||
BASE64_ENCODE_MULTILINE);
|
||||
strlcat(buf2, cert_buf, sizeof(buf2));
|
||||
strlcat(buf2, "reject *:*\n", sizeof(buf2));
|
||||
strlcat(buf2, "tunnelled-dir-server\nrouter-signature\n", sizeof(buf2));
|
||||
buf[strlen(buf2)] = '\0'; /* Don't compare the sig; it's never the same
|
||||
@ -276,6 +282,10 @@ test_dir_formats(void *arg)
|
||||
"router Fred 10.3.2.1 9005 0 0\n"
|
||||
"identity-ed25519\n"
|
||||
"-----BEGIN ED25519 CERT-----\n", sizeof(buf2));
|
||||
base64_encode(cert_buf, sizeof(cert_buf),
|
||||
(const char*)r2->cache_info.signing_key_cert->encoded,
|
||||
r2->cache_info.signing_key_cert->encoded_len,
|
||||
BASE64_ENCODE_MULTILINE);
|
||||
strlcat(buf2, cert_buf, sizeof(buf2));
|
||||
strlcat(buf2, "-----END ED25519 CERT-----\n", sizeof(buf2));
|
||||
strlcat(buf2, "master-key-ed25519 ", sizeof(buf2));
|
||||
|
Loading…
Reference in New Issue
Block a user