diff options
| author | Nick Mathewson <nickm@torproject.org> | 2015-03-01 14:36:40 +0100 |
|---|---|---|
| committer | Nick Mathewson <nickm@torproject.org> | 2015-05-28 10:42:30 -0400 |
| commit | 57189acd6f6b56a419d63a7acb012a9b8abac319 (patch) | |
| tree | cae61ade268b8e599ca4299a73b403203f15a584 /src/or/routerkeys.c | |
| parent | 64450c5f775c6453568c5ac218669ff0525dc232 (diff) | |
| download | tor-57189acd6f6b56a419d63a7acb012a9b8abac319.tar.gz tor-57189acd6f6b56a419d63a7acb012a9b8abac319.zip | |
# This is a combination of 2 commits.
# The first commit's message is:
Regenerate ed25519 keys when they will expire soon.
Also, have testing-level options to set the lifetimes and
expiration-tolerances of all key types, plus a non-testing-level
option to set the lifetime of any auto-generated signing key.
# The 2nd commit message will be skipped:
# fixup! Regenerate ed25519 keys when they will expire soon.
Diffstat (limited to 'src/or/routerkeys.c')
| -rw-r--r-- | src/or/routerkeys.c | 34 |
1 files changed, 24 insertions, 10 deletions
diff --git a/src/or/routerkeys.c b/src/or/routerkeys.c index ab12b90445..2482f59421 100644 --- a/src/or/routerkeys.c +++ b/src/or/routerkeys.c @@ -306,9 +306,6 @@ load_ed_keys(const or_options_t *options, time_t now) /* XXXX support encrypted identity keys fully */ - /* XXXX use options. */ - (void) options; - /* First try to get the signing key to see how it is. */ if (master_signing_key) { check_signing_cert = signing_key_cert; @@ -329,7 +326,7 @@ load_ed_keys(const or_options_t *options, time_t now) EXPIRES_SOON(check_signing_cert, 0); const int want_new_signing_key = need_new_signing_key || - EXPIRES_SOON(check_signing_cert, 86400/*???*/); + EXPIRES_SOON(check_signing_cert, options->TestingSigningKeySlop); { uint32_t flags = @@ -365,7 +362,7 @@ load_ed_keys(const or_options_t *options, time_t now) options_get_datadir_fname2(options, "keys", "ed25519_signing"), flags, LOG_WARN, sign_signing_key_with_id, now, - 30*86400/*XXX option*/, + options->SigningKeyLifetime, CERT_TYPE_ID_SIGNING, &sign_cert); if (!sign) FAIL("Missing signing key"); @@ -383,18 +380,22 @@ load_ed_keys(const or_options_t *options, time_t now) * it, if we loaded it in the first place. */ memwipe(id->seckey.seckey, 0, sizeof(id->seckey)); - if (!current_link_key || EXPIRES_SOON(link_key_cert, 7200/*???*/)) { + if (!current_link_key || + EXPIRES_SOON(link_key_cert, options->TestingLinkKeySlop)) { link = ed_key_new(use_signing, INIT_ED_KEY_NEEDCERT, - now, 2*86400/*XXX option??*/, + now, + options->TestingLinkKeyLifetime, CERT_TYPE_SIGNING_LINK, &link_cert); if (!link) FAIL("Can't create link key"); } - if (!current_auth_key || EXPIRES_SOON(auth_key_cert, 7200)/*???*/) { + if (!current_auth_key || + EXPIRES_SOON(auth_key_cert, options->TestingAuthKeySlop)) { auth = ed_key_new(use_signing, INIT_ED_KEY_NEEDCERT, - now, 2*86400/*XXX option??*/, + now, + options->TestingAuthKeyLifetime, CERT_TYPE_SIGNING_AUTH, &auth_cert); if (!auth) @@ -434,9 +435,22 @@ load_ed_keys(const or_options_t *options, time_t now) #undef FAIL #undef SET_KEY #undef SET_CERT -#undef EXPIRES_SOON } +int +should_make_new_ed_keys(const or_options_t *options, const time_t now) +{ + return (!master_identity_key || + !master_signing_key || + !current_link_key || + !current_auth_key || + EXPIRES_SOON(signing_key_cert, options->TestingSigningKeySlop) || + EXPIRES_SOON(link_key_cert, options->TestingLinkKeySlop) || + EXPIRES_SOON(auth_key_cert, options->TestingAuthKeySlop)); +} + +#undef EXPIRES_SOON + const ed25519_public_key_t * get_master_identity_key(void) { |