From 2c7e660c628c52a3487bcd4dc1701fa88c2d3cec Mon Sep 17 00:00:00 2001 From: Roger Dingledine Date: Wed, 7 May 2003 22:40:03 +0000 Subject: [PATCH] sign directories with the signing key svn:r274 --- src/or/command.c | 1 - src/or/config.c | 11 +++++++++-- src/or/connection_op.c | 2 +- src/or/connection_or.c | 6 +++--- src/or/main.c | 37 ++++++++++++++++++++++++++++++------- src/or/onion.c | 2 +- src/or/or.h | 7 +++++-- 7 files changed, 49 insertions(+), 17 deletions(-) diff --git a/src/or/command.c b/src/or/command.c index fc1396ca92..b619356a2b 100644 --- a/src/or/command.c +++ b/src/or/command.c @@ -52,7 +52,6 @@ void command_process_cell(cell_t *cell, connection_t *conn) { current_second = now.tv_sec; } - log(LOG_DEBUG,"command_process_cell(): Examining cell type %d.", cell->command); switch(cell->command) { case CELL_PADDING: /* do nothing */ diff --git a/src/or/config.c b/src/or/config.c index 54209db480..745b76d8c8 100644 --- a/src/or/config.c +++ b/src/or/config.c @@ -176,6 +176,7 @@ void config_assign(or_options_t *options, struct config_line *list) { /* string options */ config_compare(list, "LogLevel", CONFIG_TYPE_STRING, &options->LogLevel) || config_compare(list, "PrivateKeyFile", CONFIG_TYPE_STRING, &options->PrivateKeyFile) || + config_compare(list, "SigningPrivateKeyFile", CONFIG_TYPE_STRING, &options->SigningPrivateKeyFile) || config_compare(list, "RouterFile", CONFIG_TYPE_STRING, &options->RouterFile) || /* int options */ 
@@ -271,9 +272,10 @@ int getconfig(int argc, char **argv, or_options_t *options) { if (options->loglevel == LOG_DEBUG) { printf("LogLevel=%s\n", options->LogLevel); - printf("RouterFile=%s, PrivateKeyFile=%s\n", + printf("RouterFile=%s, PrivateKeyFile=%s, SigningPrivateKeyFile=%s\n", options->RouterFile ? options->RouterFile : "(undefined)", - options->PrivateKeyFile ? options->PrivateKeyFile : "(undefined)"); + options->PrivateKeyFile ? options->PrivateKeyFile : "(undefined)", + options->SigningPrivateKeyFile ? options->SigningPrivateKeyFile : "(undefined)"); printf("ORPort=%d, OPPort=%d, APPort=%d DirPort=%d\n", options->ORPort,options->OPPort, options->APPort,options->DirPort); @@ -328,6 +330,11 @@ int getconfig(int argc, char **argv, or_options_t *options) { result = -1; } + if(options->DirPort > 0 && options->SigningPrivateKeyFile == NULL) { + log(LOG_ERR,"SigningPrivateKeyFile option required for DirServer, but not found."); + result = -1; + } + if(options->OPPort < 0) { log(LOG_ERR,"OPPort option can't be negative."); result = -1; diff --git a/src/or/connection_op.c b/src/or/connection_op.c index 3f39e430d1..38f334d6dd 100644 --- a/src/or/connection_op.c +++ b/src/or/connection_op.c @@ -51,7 +51,7 @@ int op_handshake_process_keys(connection_t *conn) { log(LOG_DEBUG,"op_handshake_process_keys() : Received auth."); /* decrypt response */ - retval = crypto_pk_private_decrypt(getprivatekey(), auth_cipher, 128, auth_plain,RSA_PKCS1_PADDING); + retval = crypto_pk_private_decrypt(get_privatekey(), auth_cipher, 128, auth_plain,RSA_PKCS1_PADDING); if (retval == -1) { log(LOG_ERR,"Decrypting keys from new OP failed."); diff --git a/src/or/connection_or.c b/src/or/connection_or.c index 15ad3839d6..d2446014c8 100644 --- a/src/or/connection_or.c +++ b/src/or/connection_or.c 
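Review bot: The new check in getconfig() (src/or/config.c, hunk `@@ -328,6 +330,11 @@`) requires SigningPrivateKeyFile only when `DirPort > 0`, while the loader this commit adds to do_main_loop() in src/or/main.c is guarded by `if(options.DirPort)`, so the two conditions disagree for a negative DirPort. Unless a negative DirPort is rejected elsewhere in getconfig() (not visible in this hunk), such a value passes this check and do_main_loop() then hands a NULL filename to crypto_pk_read_private_key_from_filename(). Using the same test in both places, for example `if(options.DirPort > 0) {` in do_main_loop(), closes the gap. getconfig() starts and ends outside the hunk.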
@@ -464,7 +464,7 @@ int or_handshake_client_process_auth(connection_t *conn) { log(LOG_DEBUG,"or_handshake_client_process_auth() : Received auth."); /* decrypt response */ - retval = crypto_pk_private_decrypt(getprivatekey(), cipher, 128, buf, RSA_PKCS1_PADDING); + retval = crypto_pk_private_decrypt(get_privatekey(), cipher, 128, buf, RSA_PKCS1_PADDING); if (retval == -1) { log(LOG_ERR,"Public-key decryption failed during authentication to %s:%u.", @@ -572,7 +572,7 @@ int or_handshake_server_process_auth(connection_t *conn) { log(LOG_DEBUG,"or_handshake_server_process_auth() : Received auth."); /* decrypt response */ - retval = crypto_pk_private_decrypt(getprivatekey(), cipher, 128, buf, RSA_PKCS1_PADDING); + retval = crypto_pk_private_decrypt(get_privatekey(), cipher, 128, buf, RSA_PKCS1_PADDING); if (retval == -1) { log(LOG_ERR,"or_handshake_server_process_auth: Public-key decryption failed."); @@ -691,7 +691,7 @@ int or_handshake_server_process_nonce(connection_t *conn) { log(LOG_DEBUG,"or_handshake_server_process_nonce() : Received auth."); /* decrypt response */ - retval = crypto_pk_private_decrypt(getprivatekey(), cipher, 128, buf,RSA_PKCS1_PADDING); + retval = crypto_pk_private_decrypt(get_privatekey(), cipher, 128, buf,RSA_PKCS1_PADDING); if (retval == -1) { log(LOG_ERR,"Public-key decryption failed during authentication to %s:%u.", diff --git a/src/or/main.c b/src/or/main.c index 20c5faddc2..7d200b558f 100644 --- a/src/or/main.c +++ b/src/or/main.c 
@@ -19,21 +19,31 @@ static int please_dumpstats=0; /* whether we should dump stats during the loop * static int please_fetch_directory=0; /* whether we should fetch a new directory */ /* private key */ -static crypto_pk_env_t *privatekey; +static crypto_pk_env_t *privatekey=NULL; +static crypto_pk_env_t *signing_privatekey=NULL; routerinfo_t *my_routerinfo=NULL; /********* END VARIABLES ************/ -void setprivatekey(crypto_pk_env_t *k) { +void set_privatekey(crypto_pk_env_t *k) { privatekey = k; } -crypto_pk_env_t *getprivatekey(void) { +crypto_pk_env_t *get_privatekey(void) { assert(privatekey); return privatekey; } +void set_signing_privatekey(crypto_pk_env_t *k) { + signing_privatekey = k; +} + +crypto_pk_env_t *get_signing_privatekey(void) { + assert(signing_privatekey); + return signing_privatekey; +} + /**************************************************************************** * * This section contains accessors and other methods on the connection_array @@ -431,12 +441,25 @@ int do_main_loop(void) { log(LOG_ERR,"Error creating a crypto environment."); return -1; } - if (crypto_pk_read_private_key_from_filename(prkey, options.PrivateKeyFile)) - { + if (crypto_pk_read_private_key_from_filename(prkey, options.PrivateKeyFile)) { log(LOG_ERR,"Error loading private key."); return -1; } - setprivatekey(prkey); + set_privatekey(prkey); + } + + /* load the private key, if we're supposed to have one */ + if(options.DirPort) { + prkey = crypto_new_pk_env(CRYPTO_PK_RSA); + if (!prkey) { + log(LOG_ERR,"Error creating a crypto environment."); + return -1; + } + if (crypto_pk_read_private_key_from_filename(prkey, options.SigningPrivateKeyFile)) { + log(LOG_ERR,"Error loading private key."); + return -1; + } + set_signing_privatekey(prkey); } /* start up the necessary connections based on which ports are 
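Review bot: get_signing_privatekey() in src/or/main.c (hunk `@@ -19,21 +19,31 @@`) has `assert(signing_privatekey)` as its only guard, so a build with NDEBUG hands NULL to the signer, and a normal build aborts the whole process if a signing path runs on a node that never loaded the key. The accessors also carry no documentation of ownership: set_signing_privatekey() overwrites the stored pointer without releasing an earlier key, and nothing visible here frees the key material. I would add a comment above the pair such as `/* signing_privatekey is only loaded when DirPort is set; the setter keeps k for the life of the process */`, and consider logging an error and returning NULL instead of asserting, so that callers can fail the one operation rather than the process.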
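Review bot: The new DirPort block in do_main_loop() (src/or/main.c, hunk `@@ -431,12 +441,25 @@`) copies both the comment and the error text of the block above it, so a failed load reports `Error loading private key.` for either key and the operator cannot tell which file is at fault. I would change the message to `log(LOG_ERR,"Error loading signing private key.");` and the comment to `/* load the directory signing key, if we're a dirserver */`. Both error paths return without releasing prkey. Nothing here checks that SigningPrivateKeyFile differs from PrivateKeyFile, so both options can name the same file and the key separation this commit introduces is not enforced. do_main_loop() starts and ends outside the hunk.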
@@ -684,7 +707,7 @@ dump_signed_directory_to_string_impl(char *s, int maxlen, directory_t *dir, if (crypto_SHA_digest(s, i, digest)) return -1; - if (crypto_pk_private_sign(private_key, digest, 20, signature) < 0) + if (crypto_pk_private_sign(get_signing_privatekey(), digest, 20, signature) < 0) return -1; strncpy(cp, diff --git a/src/or/onion.c b/src/or/onion.c index db9acf5d02..942eed81fb 100644 --- a/src/or/onion.c +++ b/src/or/onion.c @@ -190,7 +190,7 @@ static int onionskin_process(circuit_t *circ) { log(LOG_DEBUG,"onionskin_process(): Entering."); - if(onion_skin_server_handshake(circ->onionskin, getprivatekey(), + if(onion_skin_server_handshake(circ->onionskin, get_privatekey(), cell.payload, keys, 32) < 0) { log(LOG_ERR,"onionskin_process(): onion_skin_server_handshake failed."); return -1; diff --git a/src/or/or.h b/src/or/or.h index 8268c381ca..911c29d8d0 100644 --- a/src/or/or.h +++ b/src/or/or.h @@ -406,6 +406,7 @@ struct onion_queue_t { typedef struct { char *LogLevel; char *RouterFile; + char *SigningPrivateKeyFile; char *PrivateKeyFile; double CoinWeight; int Daemon; @@ -711,8 +712,10 @@ int dns_master_start(void); /********************************* main.c ***************************/ -void setprivatekey(crypto_pk_env_t *k); -crypto_pk_env_t *getprivatekey(void); +void set_privatekey(crypto_pk_env_t *k); +crypto_pk_env_t *get_privatekey(void); +void set_signing_privatekey(crypto_pk_env_t *k); +crypto_pk_env_t *get_signing_privatekey(void); int connection_add(connection_t *conn); int connection_remove(connection_t *conn); void connection_set_poll_socket(connection_t *conn);
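Review bot: In dump_signed_directory_to_string_impl() (src/or/main.c, hunk `@@ -684,7 +707,7 @@`) the signing call no longer reads `private_key`, which the removed line used and which looks like a parameter of this function (the signature continues outside the hunk), so whatever key a caller passes in is now silently ignored. This ties the _impl function to global state and to the assert inside get_signing_privatekey(), which makes it harder to exercise with a test key. Either keep `crypto_pk_private_sign(private_key, digest, 20, signature)` here and have the caller pass `get_signing_privatekey()`, or remove the parameter so that the signature matches what the body does. The function body starts and ends outside the hunk.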