Bugfix: Regenerate more certificates when appropriate

Previously we could sometimes change our signing key, but not regenerate the certificates (signing->link and signing->auth) that were signed with it. Also, we would regularly replace our TLS x.509 link certificate (by rotating our TLS context) but not replace our signing->link ed25519 certificate. In both cases, the resulting inconsistency would make other relays reject our link handshakes. Fixes two cases of bug 22460; bugfix on 0.3.0.1-alpha.
author: Nick Mathewson <nickm@torproject.org> 2017-05-31 18:33:38 -0400
committer: Nick Mathewson <nickm@torproject.org> 2017-05-31 18:45:35 -0400
commit: a9be768959c189846178723d5fe44d3b59b0d983 (patch)
tree: 34a4e674f22dd522d339b6c064b075f7db75cd29 /src/or
parent: 5b33d95a3dfe943625d78983bb53be2901a51150 (diff)
download: tor-a9be768959c189846178723d5fe44d3b59b0d983.tar.gz
tor-a9be768959c189846178723d5fe44d3b59b0d983.zip
4 files changed, 47 insertions, 14 deletions
diff --git a/src/or/main.c b/src/or/main.c
index bc7b3db2b9..3139381f30 100644
--- a/src/or/main.c
+++ b/src/or/main.c
@@ -1506,8 +1506,9 @@ check_ed_keys_callback(time_t now, const or_options_t *options)
 {
   if (server_mode(options)) {
     if (should_make_new_ed_keys(options, now)) {
-      if (load_ed_keys(options, now) < 0 ||
-          generate_ed_link_cert(options, now)) {
+      int new_signing_key = load_ed_keys(options, now);
+      if (new_signing_key < 0 ||
+          generate_ed_link_cert(options, now, new_signing_key > 0)) {
         log_err(LD_OR, "Unable to update Ed25519 keys!  Exiting.");
         tor_cleanup();
         exit(0);
@@ -1559,6 +1560,11 @@ rotate_x509_certificate_callback(time_t now, const or_options_t *options)
     log_err(LD_BUG, "Error reinitializing TLS context");
     tor_assert_unreached();
   }
+  if (generate_ed_link_cert(options, now, 1)) {
+    log_err(LD_OR, "Unable to update Ed25519->TLS link certificate for "
+            "new TLS context.");
+    tor_assert_unreached();
+  }
 
   /* We also make sure to rotate the TLS connections themselves if they've
    * been up for too long -- but that's done via is_bad_for_new_circs in
@@ -2298,8 +2304,9 @@ do_hup(void)
     /* Maybe we've been given a new ed25519 key or certificate?
      */
     time_t now = approx_time();
-    if (load_ed_keys(options, now) < 0 ||
-         generate_ed_link_cert(options, now)) {
+    int new_signing_key = load_ed_keys(options, now);
+    if (new_signing_key < 0 ||
+        generate_ed_link_cert(options, now, new_signing_key > 0)) {
       log_warn(LD_OR, "Problem reloading Ed25519 keys; still using old keys.");
     }
 
@@ -3627,7 +3634,7 @@ tor_main(int argc, char *argv[])
     result = do_main_loop();
     break;
   case CMD_KEYGEN:
-    result = load_ed_keys(get_options(), time(NULL));
+    result = load_ed_keys(get_options(), time(NULL)) < 0;
     break;
   case CMD_LIST_FINGERPRINT:
     result = do_list_fingerprint();
diff --git a/src/or/router.c b/src/or/router.c
index e4fa72a283..f6b03cde27 100644
--- a/src/or/router.c
+++ b/src/or/router.c
@@ -906,7 +906,8 @@ init_keys(void)
   }
 
   /* 1d. Load all ed25519 keys */
-  if (load_ed_keys(options,now) < 0)
+  const int new_signing_key = load_ed_keys(options,now);
+  if (new_signing_key < 0)
     return -1;
 
   /* 2. Read onion key.  Make it if none is found. */
@@ -976,7 +977,7 @@ init_keys(void)
 
   /* 3b. Get an ed25519 link certificate.  Note that we need to do this
    * after we set up the TLS context */
-  if (generate_ed_link_cert(options, now) < 0) {
+  if (generate_ed_link_cert(options, now, new_signing_key > 0) < 0) {
     log_err(LD_GENERAL,"Couldn't make link cert");
     return -1;
   }
diff --git a/src/or/routerkeys.c b/src/or/routerkeys.c
index 6259e3f5a0..1f0f82a184 100644
--- a/src/or/routerkeys.c
+++ b/src/or/routerkeys.c
@@ -672,6 +672,9 @@ static size_t rsa_ed_crosscert_len = 0;
 /**
  * Running as a server: load, reload, or refresh our ed25519 keys and
  * certificates, creating and saving new ones as needed.
+ *
+ * Return -1 on failure; 0 on success if the signing key was not replaced;
+ * and 1 on success if the signing key was replaced.
  */
 int
 load_ed_keys(const or_options_t *options, time_t now)
@@ -684,6 +687,7 @@ load_ed_keys(const or_options_t *options, time_t now)
   const tor_cert_t *check_signing_cert = NULL;
   tor_cert_t *sign_cert = NULL;
   tor_cert_t *auth_cert = NULL;
+  int signing_key_changed = 0;
 
 #define FAIL(msg) do {                          \
     log_warn(LD_OR, (msg));                     \
@@ -719,7 +723,23 @@ load_ed_keys(const or_options_t *options, time_t now)
     use_signing = sign;
   }
 
+  if (use_signing) {
+    /* We loaded a signing key with its certificate.  */
+    if (! master_signing_key) {
+      /* We didn't know one before! */
+      signing_key_changed = 1;
+    } else if (! ed25519_pubkey_eq(&use_signing->pubkey,
+                                   &master_signing_key->pubkey) ||
+               ! tor_memeq(use_signing->seckey.seckey,
+                           master_signing_key->seckey.seckey,
+                           ED25519_SECKEY_LEN)) {
+      /* We loaded a different signing key than the one we knew before. */
+      signing_key_changed = 1;
+    }
+  }
+
   if (!use_signing && master_signing_key) {
+    /* We couldn't load a signing key, but we already had one loaded */
     check_signing_cert = signing_key_cert;
     use_signing = master_signing_key;
   }
@@ -879,6 +899,7 @@ load_ed_keys(const or_options_t *options, time_t now)
     if (!sign)
       FAIL("Missing signing key");
     use_signing = sign;
+    signing_key_changed = 1;
 
     tor_assert(sign_cert->signing_key_included);
     tor_assert(ed25519_pubkey_eq(&sign_cert->signing_key, &id->pubkey));
@@ -910,6 +931,7 @@ load_ed_keys(const or_options_t *options, time_t now)
   }
 
   if (!current_auth_key ||
+      signing_key_changed ||
       EXPIRES_SOON(auth_key_cert, options->TestingAuthKeySlop)) {
     auth = ed_key_new(use_signing, INIT_ED_KEY_NEEDCERT,
                       now,
@@ -937,7 +959,7 @@ load_ed_keys(const or_options_t *options, time_t now)
     SET_CERT(auth_key_cert, auth_cert);
   }
 
-  return 0;
+  return signing_key_changed;
  err:
   ed25519_keypair_free(id);
   ed25519_keypair_free(sign);
@@ -951,16 +973,18 @@ load_ed_keys(const or_options_t *options, time_t now)
  * Retrieve our currently-in-use Ed25519 link certificate and id certificate,
  * and, if they would expire soon (based on the time <b>now</b>, generate new
  * certificates (without embedding the public part of the signing key inside).
+ * If <b>force</b> is true, always generate a new certificate.
  *
- * The signed_key from the expiring certificate will be used to sign the new
- * key within newly generated X509 certificate.
+ * The signed_key from the current id->signing certificate will be used to
+ * sign the new key within newly generated X509 certificate.
  *
  * Returns -1 upon error.  Otherwise, returns 0 upon success (either when the
  * current certificate is still valid, or when a new certificate was
  * successfully generated).
  */
 int
-generate_ed_link_cert(const or_options_t *options, time_t now)
+generate_ed_link_cert(const or_options_t *options, time_t now,
+                      int force)
 {
   const tor_x509_cert_t *link_ = NULL, *id = NULL;
   tor_cert_t *link_cert = NULL;
@@ -972,7 +996,8 @@ generate_ed_link_cert(const or_options_t *options, time_t now)
 
   const common_digests_t *digests = tor_x509_cert_get_cert_digests(link_);
 
-  if (link_cert_cert &&
+  if (force == 0 &&
+      link_cert_cert &&
       ! EXPIRES_SOON(link_cert_cert, options->TestingLinkKeySlop) &&
       fast_memeq(digests->d[DIGEST_SHA256], link_cert_cert->signed_key.pubkey,
                  DIGEST256_LEN)) {
@@ -1073,7 +1098,7 @@ init_mock_ed_keys(const crypto_pk_t *rsa_identity_key)
   MAKECERT(auth_key_cert,
            master_signing_key, current_auth_key, CERT_TYPE_SIGNING_AUTH, 0);
 
-  if (generate_ed_link_cert(get_options(), time(NULL)) < 0) {
+  if (generate_ed_link_cert(get_options(), time(NULL), 0) < 0) {
     log_warn(LD_BUG, "Couldn't make link certificate");
     goto err;
   }
diff --git a/src/or/routerkeys.h b/src/or/routerkeys.h
index d2027f4bbe..845abb4c70 100644
--- a/src/or/routerkeys.h
+++ b/src/or/routerkeys.h
@@ -66,7 +66,7 @@ MOCK_DECL(int, check_tap_onion_key_crosscert,(const uint8_t *crosscert,
 int load_ed_keys(const or_options_t *options, time_t now);
 int should_make_new_ed_keys(const or_options_t *options, const time_t now);
 
-int generate_ed_link_cert(const or_options_t *options, time_t now);
+int generate_ed_link_cert(const or_options_t *options, time_t now, int force);
 
 int read_encrypted_secret_key(ed25519_secret_key_t *out,
                               const char *fname);
author	Nick Mathewson <nickm@torproject.org>	2017-05-31 18:33:38 -0400
committer	Nick Mathewson <nickm@torproject.org>	2017-05-31 18:45:35 -0400
commit	a9be768959c189846178723d5fe44d3b59b0d983 (patch)
tree	34a4e674f22dd522d339b6c064b075f7db75cd29 /src/or
parent	5b33d95a3dfe943625d78983bb53be2901a51150 (diff)
download	tor-a9be768959c189846178723d5fe44d3b59b0d983.tar.gz tor-a9be768959c189846178723d5fe44d3b59b0d983.zip