From 94076d9e3b74ad1f6aee8a96f51eb4af5f5bdb64 Mon Sep 17 00:00:00 2001 From: George Kadianakis Date: Thu, 24 Nov 2011 22:59:01 +0100 Subject: [PATCH] Move crypto_get_stored_dynamic_prime() to crypto.c --- src/common/crypto.c | 70 ++++++++++++++++++++++++++++++++++++++------- src/common/crypto.h | 5 ++-- src/or/config.c | 14 +++++---- src/or/router.c | 58 ++++--------------------------------- src/or/router.h | 2 -- 5 files changed, 75 insertions(+), 74 deletions(-) diff --git a/src/common/crypto.c b/src/common/crypto.c index a3c292324b..c6285e5ce9 100644 --- a/src/common/crypto.c +++ b/src/common/crypto.c @@ -1851,7 +1851,7 @@ crypto_generate_dynamic_prime(void) /** Store our dynamic prime to fname for future use. */ int -router_store_dynamic_prime(const char *fname) +crypto_store_dynamic_prime(const char *fname) { FILE *fp = NULL; int retval = -1; @@ -1889,13 +1889,61 @@ router_store_dynamic_prime(const char *fname) return retval; } +/** Return the dynamic prime stored in fname. If there is no + dynamic prime stored in fname, return NULL. */ +static BIGNUM * +crypto_get_stored_dynamic_prime(const char *fname) +{ + int retval; + char *contents = NULL; + BIGNUM *dynamic_prime = BN_new(); + + tor_assert(fname); + + if (!dynamic_prime) + goto err; + + contents = read_file_to_str(fname, RFTS_IGNORE_MISSING, NULL); + if (!contents) + goto err; + + retval = BN_hex2bn(&dynamic_prime, contents); + if (!retval) { + log_notice(LD_GENERAL, "Could not understand the dynamic prime " + "format in '%s'", fname); + goto err; + } + + { /* log the dynamic prime: */ + char *s = BN_bn2hex(dynamic_prime); + tor_assert(s); + log_info(LD_OR, "Found stored dynamic prime: [%s]", s); + OPENSSL_free(s); + } + + goto done; + + err: + if (dynamic_prime) { + BN_free(dynamic_prime); + dynamic_prime = NULL; + } + + done: + tor_free(contents); + + return dynamic_prime; +} + + /** Set the global TLS Diffie-Hellman modulus. - * If use_dynamic_primes is not set, use the prime - * modulus of mod_ssl. - * If use_dynamic_primes is set, use stored_dynamic_prime - * if it exists, otherwise generate and use a new prime modulus. */ + * If dynamic_prime_fname is set, try to read a dynamic prime + * off it and use it as the DH modulus. If that's not possible, + * generate a new dynamic prime. + * If dynamic_prime_fname is NULL, use the Apache mod_ssl DH + * modulus. */ void -crypto_set_tls_dh_prime(int use_dynamic_primes, BIGNUM *stored_dynamic_prime) +crypto_set_tls_dh_prime(const char *dynamic_prime_fname) { BIGNUM *tls_prime = NULL; int r; @@ -1906,11 +1954,11 @@ crypto_set_tls_dh_prime(int use_dynamic_primes, BIGNUM *stored_dynamic_prime) dh_param_p_tls = NULL; } - if (use_dynamic_primes) { /* use dynamic primes: */ - if (stored_dynamic_prime) { - log_info(LD_OR, "Using stored dynamic prime."); - tls_prime = stored_dynamic_prime; - } else { + if (dynamic_prime_fname) { /* use dynamic primes: */ + log_info(LD_OR, "Using stored dynamic prime."); + tls_prime = crypto_get_stored_dynamic_prime(dynamic_prime_fname); + + if (!tls_prime) { log_info(LD_OR, "Generating fresh dynamic prime."); tls_prime = crypto_generate_dynamic_prime(); } diff --git a/src/common/crypto.h b/src/common/crypto.h index 8c99dd7a37..20298b3c49 100644 --- a/src/common/crypto.h +++ b/src/common/crypto.h @@ -95,9 +95,8 @@ int crypto_global_cleanup(void); crypto_pk_env_t *crypto_new_pk_env(void); void crypto_free_pk_env(crypto_pk_env_t *env); -void crypto_set_tls_dh_prime(int use_dynamic_primes, - BIGNUM *stored_dynamic_prime); -int router_store_dynamic_prime(const char *fname); +void crypto_set_tls_dh_prime(const char *dynamic_prime_fname); +int crypto_store_dynamic_prime(const char *fname); /* convenience function: wraps crypto_create_crypto_env, set_key, and init. */ crypto_cipher_env_t *crypto_create_init_cipher(const char *key, diff --git a/src/or/config.c b/src/or/config.c index 78e91bbe11..e1e71b0593 100644 --- a/src/or/config.c +++ b/src/or/config.c @@ -1365,17 +1365,19 @@ options_act(const or_options_t *old_options) /* If needed, generate a new TLS DH prime according to the current torrc. */ if (!old_options) { if (options->DynamicPrimes) { - crypto_set_tls_dh_prime(1, router_get_stored_dynamic_prime()); + char *fname = get_datadir_fname2("keys", "dynamic_prime"); + crypto_set_tls_dh_prime(fname); + tor_free(fname); } else { - crypto_set_tls_dh_prime(0, NULL); + crypto_set_tls_dh_prime(NULL); } } else { if (options->DynamicPrimes && !old_options->DynamicPrimes) { - crypto_set_tls_dh_prime(1, router_get_stored_dynamic_prime()); + char *fname = get_datadir_fname2("keys", "dynamic_prime"); + crypto_set_tls_dh_prime(fname); + tor_free(fname); } else if (!options->DynamicPrimes && old_options->DynamicPrimes) { - crypto_set_tls_dh_prime(0, NULL); - } else { - tor_assert(crypto_get_tls_dh_prime()); + crypto_set_tls_dh_prime(NULL); } } diff --git a/src/or/router.c b/src/or/router.c index dd5b9fff52..c554d5b961 100644 --- a/src/or/router.c +++ b/src/or/router.c @@ -484,52 +484,6 @@ v3_authority_check_key_expiry(void) last_warned = now; } - -/** Return the dynamic prime stored in the disk. If there is no - dynamic prime stored in the disk, return NULL. */ -BIGNUM * -router_get_stored_dynamic_prime(void) -{ - int retval; - char *contents = NULL; - char *fname = get_datadir_fname2("keys", "dynamic_prime"); - BIGNUM *dynamic_prime = BN_new(); - if (!dynamic_prime) - goto err; - - contents = read_file_to_str(fname, RFTS_IGNORE_MISSING, NULL); - if (!contents) - goto err; - - retval = BN_hex2bn(&dynamic_prime, contents); - if (!retval) { - log_notice(LD_GENERAL, "Could not understand the dynamic prime " - "format in '%s'", fname); - goto err; - } - - { /* log the dynamic prime: */ - char *s = BN_bn2hex(dynamic_prime); - tor_assert(s); - log_info(LD_OR, "Found stored dynamic prime: [%s]", s); - OPENSSL_free(s); - } - - goto done; - - err: - if (dynamic_prime) { - BN_free(dynamic_prime); - dynamic_prime = NULL; - } - - done: - tor_free(fname); - tor_free(contents); - - return dynamic_prime; -} - /** Initialize all OR private keys, and the TLS context, as necessary. * On OPs, this only initializes the tls context. Return 0 on success, * or -1 if Tor should die. @@ -682,12 +636,12 @@ init_keys(void) /** 3b. If we use a dynamic prime, store it to disk. */ if (get_options()->DynamicPrimes) { - const char *fname = get_datadir_fname2("keys", "dynamic_prime"); - if (crypto_store_dynamic_prime(fname)) { - log_notice(LD_GENERAL, "Failed while storing dynamic prime. " - "Make sure your data directory is sane."); - } - tor_free(fname); + char *fname = get_datadir_fname2("keys", "dynamic_prime"); + if (crypto_store_dynamic_prime(fname)) { + log_notice(LD_GENERAL, "Failed while storing dynamic prime. " + "Make sure your data directory is sane."); + } + tor_free(fname); } /* 4. Build our router descriptor. */ diff --git a/src/or/router.h b/src/or/router.h index a998335aa3..b9e9f2a713 100644 --- a/src/or/router.h +++ b/src/or/router.h @@ -29,8 +29,6 @@ void rotate_onion_key(void); crypto_pk_env_t *init_key_from_file(const char *fname, int generate, int severity); -BIGNUM *router_get_stored_dynamic_prime(void); - void v3_authority_check_key_expiry(void); int init_keys(void);