mirrors/tor
1
0
Fork 0
mirror of https://gitlab.torproject.org/tpo/core/tor.git synced 2025-02-25 07:07:52 +01:00
Code Issues Projects Releases Wiki Activity

Regenerate RSA->ed25519 identity crosscertificate as needed

Browse source
This commit is contained in:
Nick Mathewson 2017-06-01 10:04:52 -04:00
parent 5b33d95a3d
commit 41ed9e978b
2 changed files with 20 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
changes/bug22466_regenerate Normal file
View file

@ -0,0 +1,8 @@
o Minor bugfixes (link handshake):
- Lower the lifetime of the RSA->Ed25519 cross-certificate to
six months, and regenerate it when it is within one month of expiring.
Previously, we had generated this certificate at startup with
a ten-year lifetime, but that could lead to weird behavior when
Tor was started with a grossly inaccurate clock. Mitigates
bug 22466; mitigation on 0.3.0.1-alpha.

15
src/or/routerkeys.c
View file

@ -668,6 +668,7 @@ static tor_cert_t *auth_key_cert = NULL;
static uint8_t *rsa_ed_crosscert = NULL; static uint8_t *rsa_ed_crosscert = NULL;
static size_t rsa_ed_crosscert_len = 0; static size_t rsa_ed_crosscert_len = 0;
static time_t rsa_ed_crosscert_expiration = 0;
/** /**
* Running as a server: load, reload, or refresh our ed25519 keys and * Running as a server: load, reload, or refresh our ed25519 keys and
@ -699,8 +700,10 @@ load_ed_keys(const or_options_t *options, time_t now)
tor_cert_free(cert); \ tor_cert_free(cert); \
cert = (newval); \ cert = (newval); \
} while (0) } while (0)
#define HAPPENS_SOON(when, interval) \
((when) < now + (interval))
#define EXPIRES_SOON(cert, interval) \ #define EXPIRES_SOON(cert, interval) \
(!(cert) || (cert)->valid_until < now + (interval)) (!(cert) || HAPPENS_SOON((cert)->valid_until, (interval)))
/* XXXX support encrypted identity keys fully */ /* XXXX support encrypted identity keys fully */
@ -899,14 +902,19 @@ load_ed_keys(const or_options_t *options, time_t now)
if (options->command == CMD_KEYGEN) if (options->command == CMD_KEYGEN)
goto end; goto end;
if (!rsa_ed_crosscert && server_mode(options)) { if (server_mode(options) &&
(!rsa_ed_crosscert ||
HAPPENS_SOON(rsa_ed_crosscert_expiration, 30*86400))) {
uint8_t *crosscert; uint8_t *crosscert;
time_t expiration = now+6*30*86400; /* 6 months in the future. */
ssize_t crosscert_len = tor_make_rsa_ed25519_crosscert(&id->pubkey, ssize_t crosscert_len = tor_make_rsa_ed25519_crosscert(&id->pubkey,
get_server_identity_key(), get_server_identity_key(),
now+10*365*86400,/*XXXX*/ expiration,
&crosscert); &crosscert);
tor_free(rsa_ed_crosscert);
rsa_ed_crosscert_len = crosscert_len; rsa_ed_crosscert_len = crosscert_len;
rsa_ed_crosscert = crosscert; rsa_ed_crosscert = crosscert;
rsa_ed_crosscert_expiration = expiration;
} }
if (!current_auth_key || if (!current_auth_key ||
@ -1038,6 +1046,7 @@ should_make_new_ed_keys(const or_options_t *options, const time_t now)
} }
#undef EXPIRES_SOON #undef EXPIRES_SOON
#undef HAPPENS_SOON
#ifdef TOR_UNIT_TESTS #ifdef TOR_UNIT_TESTS
/* Helper for unit tests: populate the ed25519 keys without saving or /* Helper for unit tests: populate the ed25519 keys without saving or