From: Nick Mathewson Date: Thu, 27 Mar 2025 19:11:53 +0000 (-0400) Subject: New 'FamilyId *' to say "use all the family IDs you find." X-Git-Tag: tor-0.4.9.2-alpha~4^2~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ba0cc2e418eaa6deddb11e281c19a687e89f8370;p=thirdparty%2Ftor.git New 'FamilyId *' to say "use all the family IDs you find." --- diff --git a/doc/man/tor.1.txt b/doc/man/tor.1.txt index eb1b105202..dc8e6875ce 100644 --- a/doc/man/tor.1.txt +++ b/doc/man/tor.1.txt @@ -2502,6 +2502,14 @@ is non-zero): (Note that if the seccomp2 Sandbox feature is enabled, it is not possible to change the key filenames while Tor is running.) +[[FamilyIdStar]] **FamilyId** ** * **:: + Configure this relay to be part of _every_ family + identified by any family ID key found in the family key directory. + Specifying family IDs in this way makes it unnecessary to adjust the + configuration file if the family key is rotated, + but it increases the likelihood of accidentally using a different + set of family keys than the ones you had expected. + [[FamilyKeyDirectory]] **FamilyKeyDirectory** __directory__: Configure a directory to use, in place of the key directory, when searching for family ID keys. diff --git a/src/app/config/or_options_st.h b/src/app/config/or_options_st.h index c36cb7331a..c9dd258811 100644 --- a/src/app/config/or_options_st.h +++ b/src/app/config/or_options_st.h @@ -501,6 +501,9 @@ struct or_options_t { * to certify this OR's membership. */ struct smartlist_t *FamilyIds; /**< FamilyIds, parsed and converted * to a list of ed25519_public_key_t */ + bool AllFamilyIdsExpected; /**< If true, we should accept all the + * FamilyIds in the FamilyKeyDirectory. */ + struct config_line_t *NodeFamilies; /**< List of config lines for * node families */ /** List of parsed NodeFamilies values. */ diff --git a/src/feature/relay/relay_config.c b/src/feature/relay/relay_config.c index bc5fab5f03..9733246566 100644 
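Review bot: The doc comment on `AllFamilyIdsExpected` in the or_options_st.h hunk does not say where the flag comes from. Judging by the relay_config.c hunk in this commit, it is derived from a `FamilyId *` line during validation rather than set by an option of its own, and a reader of the struct cannot tell that. I would spell it out, for example `/**< True iff a "FamilyId *" line was given; derived in options_validate_relay_mode(), not an option of its own. */`. It is also worth noting there that once the flag is set, the contents of the family key directory alone decide which family IDs are accepted. The body of `struct or_options_t` starts and ends outside this hunk.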
--- a/src/feature/relay/relay_config.c
+++ b/src/feature/relay/relay_config.c
@@ -1185,6 +1185,11 @@ options_validate_relay_mode(const or_options_t *old_options,
 options->FamilyIds = smartlist_new();
 config_line_t *line;
 for (line = options->FamilyId_lines; line; line = line->next) {
+ if (!strcmp(line->value, "*")) {
+ options->AllFamilyIdsExpected = true;
+ continue;
+ }
+
 ed25519_public_key_t pk;
 if (ed25519_public_from_base64(&pk, line->value) < 0) {
 tor_asprintf(msg, "Invalid FamilyId %s", line->value);
diff --git a/src/feature/relay/routerkeys.c b/src/feature/relay/routerkeys.c
index fc5a5376d4..9f956ee6b4 100644
--- a/src/feature/relay/routerkeys.c
+++ b/src/feature/relay/routerkeys.c
@@ -704,6 +704,9 @@ static bool
 family_key_id_is_expected(const or_options_t *options,
 const ed25519_public_key_t *id)
 {
+ if (options->AllFamilyIdsExpected)
+ return true;
+
 SMARTLIST_FOREACH(options->FamilyIds, const ed25519_public_key_t *, k, {
 if (ed25519_pubkey_eq(k, id))
 return true;
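Review bot: In the relay_config.c hunk, the new `*` branch in the `FamilyId_lines` loop switches the relay to wildcard acceptance without leaving any operator-visible trace. The loop also still parses explicit `FamilyId` lines given alongside it, and the routerkeys.c hunk shows `family_key_id_is_expected()` returning true before it ever consults that list, so those lines appear to stop restricting anything. I would log once when the wildcard is seen, e.g. `log_notice(LD_CONFIG, "FamilyId * is set: every family ID key found in the family key directory will be used.");`, and consider a warning when `*` is mixed with explicit IDs. The flag is only ever set to true in the visible lines; if this options object can be validated more than once, an explicit `options->AllFamilyIdsExpected = false;` next to `options->FamilyIds = smartlist_new();` would keep the two in step. The enclosing function starts and ends outside the hunk, so an existing reset or log may not be visible here.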
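Review bot: In the routerkeys.c hunk, the early `return true;` at the top of `family_key_id_is_expected()` means every key present in the family key directory is treated as expected. Write access to that directory then becomes the only control over which families the relay claims, and the code does not say so. I would state the trust boundary at the check, e.g. `/* "FamilyId *": accept every key found in the family key directory; that directory's permissions are the only gate. */`. If the caller that loads the keys does not already log the accepted IDs, recording them there would let an operator audit what the wildcard picked up; that caller is outside this hunk, so this is a suggestion to verify rather than a confirmed gap. The function body continues past the end of the hunk.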