[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
[tor-commits] [tor/master] Reload Ed25519 keys on sighup.
commit 037e8763a7cb6358b4622ebef30bda6e11bb2ce5
Author: Nick Mathewson <nickm@xxxxxxxxxxxxxx>
Date: Tue Aug 18 11:36:19 2015 -0400
Reload Ed25519 keys on sighup.
Closes ticket 16790.
---
changes/ed25519_hup | 4 ++++
src/or/main.c | 8 ++++++++
src/or/routerkeys.c | 16 ++++++++++------
3 files changed, 22 insertions(+), 6 deletions(-)
diff --git a/changes/ed25519_hup b/changes/ed25519_hup
new file mode 100644
index 0000000..d2de90d
--- /dev/null
+++ b/changes/ed25519_hup
@@ -0,0 +1,4 @@
+ o Minor features (relay, Ed25519):
+ - On receiving a HUP signal, check to see whether the Ed25519
+ signing key has changed, and reload it if so. Closes ticket
+ 16790.
diff --git a/src/or/main.c b/src/or/main.c
index 0b0207b..6971810 100644
--- a/src/or/main.c
+++ b/src/or/main.c
@@ -2019,6 +2019,14 @@ do_hup(void)
* force a retry there. */
if (server_mode(options)) {
+ /* Maybe we've been given a new ed25519 key or certificate?
+ */
+ time_t now = approx_time();
+ if (load_ed_keys(options, now) < 0 ||
+ generate_ed_link_cert(options, now)) {
+ log_warn(LD_OR, "Problem reloading Ed25519 keys; still using old keys.");
+ }
+
/* Update cpuworker and dnsworker processes, so they get up-to-date
* configuration options. */
cpuworkers_rotate_keyinfo();
diff --git a/src/or/routerkeys.c b/src/or/routerkeys.c
index 80b26e6..ad91547 100644
--- a/src/or/routerkeys.c
+++ b/src/or/routerkeys.c
@@ -635,11 +635,13 @@ load_ed_keys(const or_options_t *options, time_t now)
goto err; \
} while (0)
#define SET_KEY(key, newval) do { \
- ed25519_keypair_free(key); \
+ if ((key) != (newval)) \
+ ed25519_keypair_free(key); \
key = (newval); \
} while (0)
#define SET_CERT(cert, newval) do { \
- tor_cert_free(cert); \
+ if ((cert) != (newval)) \
+ tor_cert_free(cert); \
cert = (newval); \
} while (0)
#define EXPIRES_SOON(cert, interval) \
@@ -648,10 +650,7 @@ load_ed_keys(const or_options_t *options, time_t now)
/* XXXX support encrypted identity keys fully */
/* First try to get the signing key to see how it is. */
- if (master_signing_key) {
- check_signing_cert = signing_key_cert;
- use_signing = master_signing_key;
- } else {
+ {
char *fname =
options_get_datadir_fname2(options, "keys", "ed25519_signing");
sign = ed_key_init_from_file(
@@ -665,6 +664,11 @@ load_ed_keys(const or_options_t *options, time_t now)
use_signing = sign;
}
+ if (!use_signing && master_signing_key) {
+ check_signing_cert = signing_key_cert;
+ use_signing = master_signing_key;
+ }
+
const int need_new_signing_key =
NULL == use_signing ||
EXPIRES_SOON(check_signing_cert, 0) ||
_______________________________________________
tor-commits mailing list
tor-commits@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-commits