[or-cvs] r13679: Add --passphrase-fd to tor-gencert. (in tor/trunk: . doc src/tools)
Author: nickm
Date: 2008-02-22 14:07:52 -0500 (Fri, 22 Feb 2008)
New Revision: 13679
Modified:
tor/trunk/
tor/trunk/ChangeLog
tor/trunk/doc/tor-gencert.1
tor/trunk/src/tools/tor-gencert.c
Log:
r14396@tombo: nickm | 2008-02-22 14:07:37 -0500
Add --passphrase-fd to tor-gencert.
Property changes on: tor/trunk
___________________________________________________________________
svk:merge ticket from /tor/trunk [r14396] on 49666b30-7950-49c5-bedf-9dc8f3168102
Modified: tor/trunk/ChangeLog
===================================================================
--- tor/trunk/ChangeLog 2008-02-22 19:03:09 UTC (rev 13678)
+++ tor/trunk/ChangeLog 2008-02-22 19:07:52 UTC (rev 13679)
@@ -58,6 +58,10 @@
- When built with --enable-gcc-warnings, check for whether Apple's
warning "-Wshorten-64-to-32" is enabled.
+ o Minor features (misc):
+ - Add a --passphrase-fd argument to tor-gencert command for
+ scriptability.
+
o Minor bugfixes:
- Log the correct memory chunk sizes for empty RAM chunks in mempool.c.
- Directory mirrors no longer include a guess at the client's IP
Modified: tor/trunk/doc/tor-gencert.1
===================================================================
--- tor/trunk/doc/tor-gencert.1 2008-02-22 19:03:09 UTC (rev 13678)
+++ tor/trunk/doc/tor-gencert.1 2008-02-22 19:07:52 UTC (rev 13679)
@@ -63,6 +63,11 @@
Number of months that the certificate should be valid. Default: 12.
.LP
.TP
+\fB--passphrase-fd \fR\fIFILEDES\fP
+Filedescriptor to read the file descriptor from. Ends at the first
+NUL or newline. Default: read from the terminal.
+.LP
+.TP
\fB-a \fR\fIaddress\fR:\fIport\fP
If provided, advertise the address:port combination as this authority's
preferred directory port in its certificate. If the address is a hostname,
Modified: tor/trunk/src/tools/tor-gencert.c
===================================================================
--- tor/trunk/src/tools/tor-gencert.c 2008-02-22 19:03:09 UTC (rev 13678)
+++ tor/trunk/src/tools/tor-gencert.c 2008-02-22 19:07:52 UTC (rev 13679)
@@ -44,8 +44,12 @@
int verbose = 0;
int make_new_id = 0;
int months_lifetime = DEFAULT_LIFETIME;
+int passphrase_fd = -1;
char *address = NULL;
+char *passphrase = NULL;
+size_t passphrase_len = 0;
+
EVP_PKEY *identity_key = NULL;
EVP_PKEY *signing_key = NULL;
@@ -57,7 +61,8 @@
"tor-gencert [-h|--help] [-v] [-r|--reuse] [--create-identity-key]\n"
" [-i identity_key_file] [-s signing_key_file] "
"[-c certificate_file]\n"
- " [-m lifetime_in_months] [-a address:port]\n");
+ " [-m lifetime_in_months] [-a address:port] "
+ "[--passphrase-fd <fd>]\n");
}
@@ -83,6 +88,34 @@
}
}
+/** Read the passphrase from the passphrase fd. */
+static int
+load_passphrase(void)
+{
+ char *cp;
+ char buf[1024]; /* "Ought to be enough for anybody." */
+ int n = read_all(passphrase_fd, buf, sizeof(buf), 0);
+ if (n < 0) {
+ log_err(LD_GENERAL, "Couldn't read from passphrase fd: %s",
+ strerror(errno));
+ return -1;
+ }
+ cp = memchr(buf, '\n', n);
+ passphrase_len = cp-buf;
+ passphrase = tor_strndup(buf, passphrase_len);
+ memset(buf, 0, sizeof(buf));
+ return 0;
+}
+
+static void
+clear_passphrase(void)
+{
+ if (passphrase) {
+ memset(passphrase, 0, passphrase_len);
+ tor_free(passphrase);
+ }
+}
+
/** Read the command line options from <b>argc</b> and <b>argv</b>,
* setting global option vars as needed.
*/
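Review bot: In `load_passphrase`, `memchr(buf, '\n', n)` returns NULL whenever the data on the fd has no newline (a script that writes the passphrase and closes the pipe, an empty read, or input that fills all 1024 bytes), and `cp-buf` then produces a garbage `passphrase_len` that is handed to `tor_strndup`. The man page text added in this commit also says the passphrase ends at the first NUL or newline, but only the newline is searched for. The length should default to `n` and be cut at whichever terminator comes first, as in the excerpt below; whether a read that fills the whole buffer should be rejected as truncated is worth deciding too. Separately, the `memset` of `buf` just before `return` and the one in `clear_passphrase` just before `tor_free` are dead stores an optimizer may drop, so a wipe the compiler cannot elide would be safer, and `clear_passphrase` lacks a doc comment such as `/** Zero and free the stored passphrase, if any. */`.

```c
  /* … unchanged: read_all() call and n < 0 error path … */
  passphrase_len = (size_t)n;
  cp = memchr(buf, '\n', passphrase_len);
  if (cp)
    passphrase_len = cp - buf;
  cp = memchr(buf, '\0', passphrase_len);
  if (cp)
    passphrase_len = cp - buf;
  passphrase = tor_strndup(buf, passphrase_len);
  /* … unchanged: wipe buf, return 0 … */
```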
@@ -143,6 +176,12 @@
tor_snprintf(address, INET_NTOA_BUF_LEN+32, "%s:%d", b, (int)port);
} else if (!strcmp(argv[i], "--create-identity-key")) {
make_new_id = 1;
+ } else if (!strcmp(argv[i], "--passphrase-fd")) {
+ if (i+1>=argc) {
+ fprintf(stderr, "No argument to -m\n");
+ return 1;
+ }
+ passphrase_fd = atoi(argv[++i]);
} else {
fprintf(stderr, "Unrecognized option %s\n", argv[i]);
return 1;
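Review bot: The missing-argument message in the `--passphrase-fd` branch still says `No argument to -m`, apparently copied from the lifetime option; it should read `fprintf(stderr, "No argument to --passphrase-fd\n");`. `atoi` also turns a non-numeric argument into 0 without any error, so a typo makes the tool read the passphrase from stdin, and a negative value silently falls back to the terminal prompt because of the `passphrase_fd >= 0` test added later in this commit. Parsing with `strtol` and rejecting an unparsed tail or a negative result would make the failure visible. The enclosing option-parsing function starts and ends outside this hunk.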
@@ -170,6 +209,10 @@
log_info(LD_GENERAL, "No signing key file given; defaulting to %s",
certificate_file);
}
+ if (passphrase_fd >= 0) {
+ if (load_passphrase()<0)
+ return 1;
+ }
return 0;
}
@@ -209,9 +252,11 @@
&open_file)))
return 1;
+ /* Write the key to the file. If passphrase is not set, takes it from
+ * the terminal. */
if (!PEM_write_PKCS8PrivateKey_nid(f, identity_key,
NID_pbe_WithSHA1And3_Key_TripleDES_CBC,
- NULL, 0, /* no password here. */
+ passphrase, (int)passphrase_len,
NULL, NULL)) {
log_err(LD_GENERAL, "Couldn't write identity key to %s",
identity_key_file);
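Review bot: A blank first line on the passphrase fd gives a non-NULL `passphrase` with `passphrase_len` 0, and that pair is passed straight to `PEM_write_PKCS8PrivateKey_nid` here; as far as I can tell OpenSSL then skips the prompt and encrypts the identity key under the empty passphrase. Since the fd exists for scripted use, an empty or misdirected pipe would produce a key that is effectively unprotected, with no warning. Consider rejecting a zero-length passphrase in `load_passphrase`, e.g. `if (!passphrase_len) { log_err(LD_GENERAL, "Empty passphrase"); return -1; }` placed before the `tor_strndup` call. The enclosing function starts and ends outside this hunk.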
@@ -235,7 +280,8 @@
return 1;
}
- identity_key = PEM_read_PrivateKey(f, NULL, NULL, NULL);
+ /* Read the key. If passphrase is not set, takes it from the terminal. */
+ identity_key = PEM_read_PrivateKey(f, NULL, NULL, passphrase);
if (!identity_key) {
log_err(LD_GENERAL, "Couldn't read identity key from %s",
identity_key_file);
@@ -444,6 +490,7 @@
r = 0;
done:
+ clear_passphrase();
if (identity_key)
EVP_PKEY_free(identity_key);
if (signing_key)