mirror of
https://gitlab.torproject.org/tpo/core/tor.git
synced 2024-11-24 04:13:28 +01:00
Write hashed bridge fingerprint to logs and to disk.
Implements #10884.
This commit is contained in:
parent
bf1678603f
commit
3ca5fe81e3
5
changes/bug10884
Normal file
5
changes/bug10884
Normal file
@ -0,0 +1,5 @@
|
||||
o Minor features:
|
||||
- Bridges write the SHA1 digest of their identity key fingerprint to
|
||||
notice-level logs and to hashed-fingerprint, so that bridge
|
||||
operators can look up their bridge in Globe and similar tools.
|
||||
|
@ -2305,6 +2305,10 @@ __DataDirectory__**/keys/***::
|
||||
__DataDirectory__**/fingerprint**::
|
||||
Only used by servers. Holds the fingerprint of the server's identity key.
|
||||
|
||||
__DataDirectory__**/hashed-fingerprint**::
|
||||
Only used by bridges. Holds the hashed fingerprint of the bridge's
|
||||
identity key. (That is, the hash of the hash of the identity key.)
|
||||
|
||||
__DataDirectory__**/approved-routers**::
|
||||
Only for naming authoritative directory servers (see
|
||||
**NamingAuthoritativeDirectory**). This file lists nickname to identity
|
||||
|
@ -1374,6 +1374,28 @@ crypto_pk_get_fingerprint(crypto_pk_t *pk, char *fp_out, int add_space)
|
||||
return 0;
|
||||
}
|
||||
|
||||
/** Given a private or public key <b>pk</b>, put a hashed fingerprint of
|
||||
* the public key into <b>fp_out</b> (must have at least FINGERPRINT_LEN+1
|
||||
* bytes of space). Return 0 on success, -1 on failure.
|
||||
*
|
||||
* Hashed fingerprints are computed as the SHA1 digest of the SHA1 digest
|
||||
* of the ASN.1 encoding of the public key, converted to hexadecimal, in
|
||||
* upper case.
|
||||
*/
|
||||
int
|
||||
crypto_pk_get_hashed_fingerprint(crypto_pk_t *pk, char *fp_out)
|
||||
{
|
||||
char digest[DIGEST_LEN], hashed_digest[DIGEST_LEN];
|
||||
if (crypto_pk_get_digest(pk, digest)) {
|
||||
return -1;
|
||||
}
|
||||
if (crypto_digest(hashed_digest, digest, DIGEST_LEN)) {
|
||||
return -1;
|
||||
}
|
||||
base16_encode(fp_out, FINGERPRINT_LEN + 1, hashed_digest, DIGEST_LEN);
|
||||
return 0;
|
||||
}
|
||||
|
||||
/* symmetric crypto */
|
||||
|
||||
/** Return a pointer to the key set for the cipher in <b>env</b>.
|
||||
|
@ -182,6 +182,7 @@ crypto_pk_t *crypto_pk_asn1_decode(const char *str, size_t len);
|
||||
int crypto_pk_get_digest(crypto_pk_t *pk, char *digest_out);
|
||||
int crypto_pk_get_all_digests(crypto_pk_t *pk, digests_t *digests_out);
|
||||
int crypto_pk_get_fingerprint(crypto_pk_t *pk, char *fp_out,int add_space);
|
||||
int crypto_pk_get_hashed_fingerprint(crypto_pk_t *pk, char *fp_out);
|
||||
|
||||
/* symmetric crypto */
|
||||
const char *crypto_cipher_get_key(crypto_cipher_t *env);
|
||||
|
@ -2764,6 +2764,8 @@ sandbox_init_filter(void)
|
||||
get_datadir_fname2("keys", "secret_id_key.tmp"), 1,
|
||||
get_datadir_fname("fingerprint"), 1,
|
||||
get_datadir_fname("fingerprint.tmp"), 1,
|
||||
get_datadir_fname("hashed-fingerprint"), 1,
|
||||
get_datadir_fname("hashed-fingerprint.tmp"), 1,
|
||||
get_datadir_fname("cached-consensus"), 1,
|
||||
get_datadir_fname("cached-consensus.tmp"), 1,
|
||||
"/etc/resolv.conf", 0,
|
||||
|
100
src/or/router.c
100
src/or/router.c
@ -684,6 +684,68 @@ router_initialize_tls_context(void)
|
||||
(unsigned int)lifetime);
|
||||
}
|
||||
|
||||
/** Compute fingerprint (or hashed fingerprint if hashed is 1) and write
|
||||
* it to 'fingerprint' (or 'hashed-fingerprint'). Return 0 on success, or
|
||||
* -1 if Tor should die,
|
||||
*/
|
||||
static int
|
||||
router_write_fingerprint(int hashed)
|
||||
{
|
||||
char *keydir, *cp;
|
||||
const char *fname = hashed ? "hashed-fingerprint" :
|
||||
"fingerprint";
|
||||
char fingerprint[FINGERPRINT_LEN+1];
|
||||
const or_options_t *options = get_options();
|
||||
/*nickname<space>fp\n\0 */
|
||||
char fingerprint_line[MAX_NICKNAME_LEN+FINGERPRINT_LEN+3];
|
||||
keydir = get_datadir_fname(fname);
|
||||
log_info(LD_GENERAL,"Dumping %sfingerprint to \"%s\"...",
|
||||
hashed ? "hashed " : "", keydir);
|
||||
if (!hashed) {
|
||||
if (crypto_pk_get_fingerprint(get_server_identity_key(),
|
||||
fingerprint, 0) < 0) {
|
||||
log_err(LD_GENERAL,"Error computing fingerprint");
|
||||
tor_free(keydir);
|
||||
return -1;
|
||||
}
|
||||
} else {
|
||||
if (crypto_pk_get_hashed_fingerprint(get_server_identity_key(),
|
||||
fingerprint) < 0) {
|
||||
log_err(LD_GENERAL,"Error computing hashed fingerprint");
|
||||
tor_free(keydir);
|
||||
return -1;
|
||||
}
|
||||
}
|
||||
tor_assert(strlen(options->Nickname) <= MAX_NICKNAME_LEN);
|
||||
if (tor_snprintf(fingerprint_line, sizeof(fingerprint_line),
|
||||
"%s %s\n",options->Nickname, fingerprint) < 0) {
|
||||
log_err(LD_GENERAL,"Error writing %sfingerprint line",
|
||||
hashed ? "hashed " : "");
|
||||
tor_free(keydir);
|
||||
return -1;
|
||||
}
|
||||
/* Check whether we need to write the (hashed-)fingerprint file. */
|
||||
cp = NULL;
|
||||
if (file_status(keydir) == FN_FILE)
|
||||
cp = read_file_to_str(keydir, 0, NULL);
|
||||
if (!cp || strcmp(cp, fingerprint_line)) {
|
||||
if (write_str_to_file(keydir, fingerprint_line, 0)) {
|
||||
log_err(LD_FS, "Error writing %sfingerprint line to file",
|
||||
hashed ? "hashed " : "");
|
||||
tor_free(keydir);
|
||||
tor_free(cp);
|
||||
return -1;
|
||||
}
|
||||
}
|
||||
tor_free(cp);
|
||||
tor_free(keydir);
|
||||
|
||||
log_notice(LD_GENERAL, "Your Tor %s identity key fingerprint is '%s %s'",
|
||||
hashed ? "bridge's hashed" : "server's", options->Nickname,
|
||||
fingerprint);
|
||||
return 0;
|
||||
}
|
||||
|
||||
/** Initialize all OR private keys, and the TLS context, as necessary.
|
||||
* On OPs, this only initializes the tls context. Return 0 on success,
|
||||
* or -1 if Tor should die.
|
||||
@ -692,14 +754,10 @@ int
|
||||
init_keys(void)
|
||||
{
|
||||
char *keydir;
|
||||
char fingerprint[FINGERPRINT_LEN+1];
|
||||
/*nickname<space>fp\n\0 */
|
||||
char fingerprint_line[MAX_NICKNAME_LEN+FINGERPRINT_LEN+3];
|
||||
const char *mydesc;
|
||||
crypto_pk_t *prkey;
|
||||
char digest[DIGEST_LEN];
|
||||
char v3_digest[DIGEST_LEN];
|
||||
char *cp;
|
||||
const or_options_t *options = get_options();
|
||||
dirinfo_type_t type;
|
||||
time_t now = time(NULL);
|
||||
@ -889,40 +947,16 @@ init_keys(void)
|
||||
}
|
||||
}
|
||||
|
||||
/* 5. Dump fingerprint to 'fingerprint' */
|
||||
keydir = get_datadir_fname("fingerprint");
|
||||
log_info(LD_GENERAL,"Dumping fingerprint to \"%s\"...",keydir);
|
||||
if (crypto_pk_get_fingerprint(get_server_identity_key(),
|
||||
fingerprint, 0) < 0) {
|
||||
log_err(LD_GENERAL,"Error computing fingerprint");
|
||||
tor_free(keydir);
|
||||
/* 5. Dump fingerprint and possibly hashed fingerprint to files. */
|
||||
if (router_write_fingerprint(0)) {
|
||||
log_err(LD_FS, "Error writing fingerprint to file");
|
||||
return -1;
|
||||
}
|
||||
tor_assert(strlen(options->Nickname) <= MAX_NICKNAME_LEN);
|
||||
if (tor_snprintf(fingerprint_line, sizeof(fingerprint_line),
|
||||
"%s %s\n",options->Nickname, fingerprint) < 0) {
|
||||
log_err(LD_GENERAL,"Error writing fingerprint line");
|
||||
tor_free(keydir);
|
||||
if (!public_server_mode(options) && router_write_fingerprint(1)) {
|
||||
log_err(LD_FS, "Error writing hashed fingerprint to file");
|
||||
return -1;
|
||||
}
|
||||
/* Check whether we need to write the fingerprint file. */
|
||||
cp = NULL;
|
||||
if (file_status(keydir) == FN_FILE)
|
||||
cp = read_file_to_str(keydir, 0, NULL);
|
||||
if (!cp || strcmp(cp, fingerprint_line)) {
|
||||
if (write_str_to_file(keydir, fingerprint_line, 0)) {
|
||||
log_err(LD_FS, "Error writing fingerprint line to file");
|
||||
tor_free(keydir);
|
||||
tor_free(cp);
|
||||
return -1;
|
||||
}
|
||||
}
|
||||
tor_free(cp);
|
||||
tor_free(keydir);
|
||||
|
||||
log_notice(LD_GENERAL,
|
||||
"Your Tor server's identity key fingerprint is '%s %s'",
|
||||
options->Nickname, fingerprint);
|
||||
if (!authdir_mode(options))
|
||||
return 0;
|
||||
/* 6. [authdirserver only] load approved-routers file */
|
||||
|
Loading…
Reference in New Issue
Block a user