(Note that if the seccomp2 Sandbox feature is enabled,
it is not possible to change the key filenames while Tor is running.)
+[[FamilyIdStar]] **FamilyId** ** * **::
+ Configure this relay to be part of _every_ family
+ identified by any family ID key found in the family key directory.
+ Specifying family IDs in this way makes it unnecessary to adjust the
+ configuration file if the family key is rotated,
+ but it increases the likelihood of accidentally using a different
+ set of family keys than the ones you had expected.
+
[[FamilyKeyDirectory]] **FamilyKeyDirectory** __directory__:
Configure a directory to use, in place of the key directory,
when searching for family ID keys.
* to certify this OR's membership. */
struct smartlist_t *FamilyIds; /**< FamilyIds, parsed and converted
* to a list of ed25519_public_key_t */
+ bool AllFamilyIdsExpected; /**< If true, we should accept all the
+ * FamilyIds in the FamilyKeyDirectory. */
+
struct config_line_t *NodeFamilies; /**< List of config lines for
* node families */
/** List of parsed NodeFamilies values. */
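Review bot: The comment on `AllFamilyIdsExpected` does not say where the flag comes from or how it relates to the `FamilyIds` list declared just above it. It is not a configuration variable of its own; the parsing hunk sets it when a `FamilyId` line has the value `*`. I would word it as `/**< True if a "FamilyId *" line was given: every family ID key found in the FamilyKeyDirectory is treated as expected, whatever FamilyIds holds. */`. The struct itself starts and ends outside this hunk.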
options->FamilyIds = smartlist_new();
config_line_t *line;
for (line = options->FamilyId_lines; line; line = line->next) {
+ if (!strcmp(line->value, "*")) {
+ options->AllFamilyIdsExpected = true;
+ continue;
+ }
+
ed25519_public_key_t pk;
if (ed25519_public_from_base64(&pk, line->value) < 0) {
tor_asprintf(msg, "Invalid FamilyId %s", line->value);
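Review bot: `AllFamilyIdsExpected` is only ever set to true in this loop, and nothing visible here clears it, so the result relies on the options object arriving zero-initialized. That is probably the case, but an explicit `options->AllFamilyIdsExpected = false;` next to the `smartlist_new()` call would make the parse self-contained. Because the wildcard widens what the relay will accept to whatever is in the key directory, it would also help operators to see it in the log, for example `log_notice(LD_CONFIG, "FamilyId * set: accepting every family key in the family key directory.");` inside the `"*"` branch. The enclosing function begins and ends outside this hunk, so the zero-initialization assumption cannot be confirmed from here.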
family_key_id_is_expected(const or_options_t *options,
const ed25519_public_key_t *id)
{
+ if (options->AllFamilyIdsExpected)
+ return true;
+
SMARTLIST_FOREACH(options->FamilyIds, const ed25519_public_key_t *, k, {
if (ed25519_pubkey_eq(k, id))
return true;
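Review bot: The new early return at the top of `family_key_id_is_expected()` makes the check unconditional in wildcard mode, and the code does not say what that means for trust. With the flag set, the contents and permissions of the family key directory become the only filter on which keys this relay accepts. A comment above the `if` would record that, e.g. `/* "FamilyId *": every key found in the family key directory counts as expected, so that directory is the only filter. */`. The function's doc comment is outside the hunk; if it still describes a pure list lookup, it should be updated as well.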