aboutsummaryrefslogtreecommitdiff
path: root/src/or
diff options
context:
space:
mode:
authorNick Mathewson <nickm@torproject.org>2015-09-01 10:41:02 -0400
committerNick Mathewson <nickm@torproject.org>2015-09-22 09:24:35 -0400
commitd8f031aec2ee84c753ef282577c7f4fcf0123d2f (patch)
tree7a9298926d759902a4c43ed044350b633eb8a994 /src/or
parentd891e2a9c517e2b097456b7143f955ac66b112ea (diff)
downloadtor-d8f031aec2ee84c753ef282577c7f4fcf0123d2f.tar.gz
tor-d8f031aec2ee84c753ef282577c7f4fcf0123d2f.zip
Add a new --newpass option to add or remove secret key passphrases.
Diffstat (limited to 'src/or')
-rw-r--r--src/or/config.c10
-rw-r--r--src/or/or.h1
-rw-r--r--src/or/routerkeys.c23
3 files changed, 29 insertions, 5 deletions
diff --git a/src/or/config.c b/src/or/config.c
index 6e782de0e0..b4a490c70f 100644
--- a/src/or/config.c
+++ b/src/or/config.c
@@ -1918,6 +1918,7 @@ static const struct {
{ "--dump-config", ARGUMENT_OPTIONAL },
{ "--list-fingerprint", TAKES_NO_ARGUMENT },
{ "--keygen", TAKES_NO_ARGUMENT },
+ { "--newpass", TAKES_NO_ARGUMENT },
{ "--no-passphrase", TAKES_NO_ARGUMENT },
{ "--passphrase-fd", ARGUMENT_NECESSARY },
{ "--verify-config", TAKES_NO_ARGUMENT },
@@ -4512,6 +4513,15 @@ options_init_from_torrc(int argc, char **argv)
}
}
+ if (config_line_find(cmdline_only_options, "--newpass")) {
+ if (command == CMD_KEYGEN) {
+ get_options_mutable()->change_key_passphrase = 1;
+ } else {
+ log_err(LD_CONFIG, "--newpass specified without --keygen!");
+ exit(1);
+ }
+ }
+
{
const config_line_t *fd_line = config_line_find(cmdline_only_options,
"--passphrase-fd");
diff --git a/src/or/or.h b/src/or/or.h
index 8c40f1ab67..0637325b24 100644
--- a/src/or/or.h
+++ b/src/or/or.h
@@ -4302,6 +4302,7 @@ typedef struct {
} keygen_force_passphrase;
int use_keygen_passphrase_fd;
int keygen_passphrase_fd;
+ int change_key_passphrase;
} or_options_t;
/** Persistent state for an onion router, as saved to disk. */
diff --git a/src/or/routerkeys.c b/src/or/routerkeys.c
index 50659fcb69..be5c2c33a1 100644
--- a/src/or/routerkeys.c
+++ b/src/or/routerkeys.c
@@ -200,8 +200,17 @@ write_secret_key(const ed25519_secret_key_t *key, int encrypted,
{
if (encrypted) {
int r = write_encrypted_secret_key(key, encrypted_fname);
- if (r != 0)
- return r; /* Either succeeded or failed unrecoverably */
+ if (r == 1) {
+ /* Success! */
+
+ /* Try to unlink the unencrypted key, if any existed before */
+ if (strcmp(fname, encrypted_fname))
+ unlink(fname);
+ return r;
+ } else if (r != 0) {
+ /* Unrecoverable failure! */
+ return r;
+ }
fprintf(stderr, "Not encrypting the secret key.\n");
}
@@ -432,7 +441,7 @@ ed_key_init_from_file(const char *fname, uint32_t flags,
goto err;
}
- /* if it's absent, make a new keypair and save it. */
+ /* if it's absent, make a new keypair... */
if (!have_secret && !found_public) {
tor_free(keypair);
keypair = ed_key_new(signing_key, flags, now, lifetime,
@@ -441,8 +450,12 @@ ed_key_init_from_file(const char *fname, uint32_t flags,
tor_log(severity, LD_OR, "Couldn't create keypair");
goto err;
}
-
created_pk = created_sk = created_cert = 1;
+ }
+
+ /* Write it to disk if we're supposed to do with a new passphrase, or if
+ * we just created it. */
+ if (created_sk || (have_secret && get_options()->change_key_passphrase)) {
if (write_secret_key(&keypair->seckey,
encrypt_key,
secret_fname, tag, encrypted_secret_fname) < 0
@@ -671,7 +684,7 @@ load_ed_keys(const or_options_t *options, time_t now)
const int need_new_signing_key =
NULL == use_signing ||
EXPIRES_SOON(check_signing_cert, 0) ||
- options->command == CMD_KEYGEN;
+ (options->command == CMD_KEYGEN && ! options->change_key_passphrase);
const int want_new_signing_key =
need_new_signing_key ||
EXPIRES_SOON(check_signing_cert, options->TestingSigningKeySlop);