diff options
| author | Nick Mathewson <nickm@torproject.org> | 2015-09-10 10:37:13 -0400 |
|---|---|---|
| committer | Nick Mathewson <nickm@torproject.org> | 2015-09-10 10:37:13 -0400 |
| commit | 41891cbf93c32282ed6136d29375b5863efcf727 (patch) | |
| tree | 2fa0359d3d9e7ce8d5adc66badbb0a86e295b884 /src | |
| parent | 901732a1bc62b1d8455e13bc989d1f0196432943 (diff) | |
| parent | 037e8763a7cb6358b4622ebef30bda6e11bb2ce5 (diff) | |
| download | tor-41891cbf93c32282ed6136d29375b5863efcf727.tar.gz tor-41891cbf93c32282ed6136d29375b5863efcf727.zip | |
Merge remote-tracking branch 'public/ed25519_hup_v2'
Diffstat (limited to 'src')
| -rw-r--r-- | src/or/main.c | 8 | ||||
| -rw-r--r-- | src/or/routerkeys.c | 16 |
2 files changed, 18 insertions, 6 deletions
diff --git a/src/or/main.c b/src/or/main.c index 5dca9bce1d..693d13cd13 100644 --- a/src/or/main.c +++ b/src/or/main.c @@ -2019,6 +2019,14 @@ do_hup(void) * force a retry there. */ if (server_mode(options)) { + /* Maybe we've been given a new ed25519 key or certificate? + */ + time_t now = approx_time(); + if (load_ed_keys(options, now) < 0 || + generate_ed_link_cert(options, now)) { + log_warn(LD_OR, "Problem reloading Ed25519 keys; still using old keys."); + } + /* Update cpuworker and dnsworker processes, so they get up-to-date * configuration options. */ cpuworkers_rotate_keyinfo(); diff --git a/src/or/routerkeys.c b/src/or/routerkeys.c index 50659fcb69..1120578c28 100644 --- a/src/or/routerkeys.c +++ b/src/or/routerkeys.c @@ -638,11 +638,13 @@ load_ed_keys(const or_options_t *options, time_t now) goto err; \ } while (0) #define SET_KEY(key, newval) do { \ - ed25519_keypair_free(key); \ + if ((key) != (newval)) \ + ed25519_keypair_free(key); \ key = (newval); \ } while (0) #define SET_CERT(cert, newval) do { \ - tor_cert_free(cert); \ + if ((cert) != (newval)) \ + tor_cert_free(cert); \ cert = (newval); \ } while (0) #define EXPIRES_SOON(cert, interval) \ @@ -651,10 +653,7 @@ load_ed_keys(const or_options_t *options, time_t now) /* XXXX support encrypted identity keys fully */ /* First try to get the signing key to see how it is. */ - if (master_signing_key) { - check_signing_cert = signing_key_cert; - use_signing = master_signing_key; - } else { + { char *fname = options_get_datadir_fname2(options, "keys", "ed25519_signing"); sign = ed_key_init_from_file( @@ -668,6 +667,11 @@ load_ed_keys(const or_options_t *options, time_t now) use_signing = sign; } + if (!use_signing && master_signing_key) { + check_signing_cert = signing_key_cert; + use_signing = master_signing_key; + } + const int need_new_signing_key = NULL == use_signing || EXPIRES_SOON(check_signing_cert, 0) || |