VAR("ServerTransportPlugin", LINELIST, ServerTransportPlugin, NULL),
V(ServerTransportListenAddr, LINELIST, NULL),
V(ServerTransportOptions, LINELIST, NULL),
+ V(SigningKeyLifetime, INTERVAL, "30 days"),
V(Socks4Proxy, STRING, NULL),
V(Socks5Proxy, STRING, NULL),
V(Socks5ProxyUsername, STRING, NULL),
V(TestingTorNetwork, BOOL, "0"),
V(TestingMinExitFlagThreshold, MEMUNIT, "0"),
V(TestingMinFastFlagThreshold, MEMUNIT, "0"),
+
+ V(TestingLinkKeyLifetime, INTERVAL, "2 days"),
+ V(TestingAuthKeyLifetime, INTERVAL, "2 days"),
+ V(TestingLinkKeySlop, INTERVAL, "3 hours"),
+ V(TestingAuthKeySlop, INTERVAL, "3 hours"),
+ V(TestingSigningKeySlop, INTERVAL, "1 day"),
+
V(OptimisticData, AUTOBOOL, "auto"),
V(PortForwarding, BOOL, "0"),
V(PortForwardingHelper, FILENAME, "tor-fw-helper"),
CHECK_DEFAULT(TestingDescriptorMaxDownloadTries);
CHECK_DEFAULT(TestingMicrodescMaxDownloadTries);
CHECK_DEFAULT(TestingCertMaxDownloadTries);
+ CHECK_DEFAULT(TestingAuthKeyLifetime);
+ CHECK_DEFAULT(TestingLinkKeyLifetime);
+ CHECK_DEFAULT(TestingSigningKeySlop);
+ CHECK_DEFAULT(TestingAuthKeySlop);
+ CHECK_DEFAULT(TestingLinkKeySlop);
#undef CHECK_DEFAULT
+ if (options->SigningKeyLifetime < options->TestingSigningKeySlop*2)
+ REJECT("SigningKeyLifetime is too short.");
+ if (options->TestingLinkKeyLifetime < options->TestingAuthKeySlop*2)
+ REJECT("LinkKeyLifetime is too short.");
+ if (options->TestingAuthKeyLifetime < options->TestingLinkKeySlop*2)
+ REJECT("AuthKeyLifetime is too short.");
+
if (options->TestingV3AuthInitialVotingInterval
< MIN_VOTE_INTERVAL_TESTING_INITIAL) {
REJECT("TestingV3AuthInitialVotingInterval is insanely low.");
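Review bot: The two new checks on `TestingLinkKeyLifetime` and `TestingAuthKeyLifetime` are cross-wired: the link lifetime is compared with `TestingAuthKeySlop*2` and the auth lifetime with `TestingLinkKeySlop*2`, while the rotation code in this commit pairs each certificate with its own slop. The defaults for both slops are equal, so the mistake is invisible until a testing network sets them differently; then a lifetime shorter than twice its own slop can pass validation, or a valid one can be rejected. Suggest `if (options->TestingLinkKeyLifetime < options->TestingLinkKeySlop*2)` and `if (options->TestingAuthKeyLifetime < options->TestingAuthKeySlop*2)`. The messages should also name the real option, e.g. `REJECT("TestingLinkKeyLifetime is too short.");`. The enclosing validation function starts and ends outside this hunk.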
long stats_n_seconds_working = 0;
/** When do we next launch DNS wildcarding checks? */
static time_t time_to_check_for_correct_dns = 0;
+/** When do we next make sure our Ed25519 keys aren't about to expire? */
+static time_t time_to_check_ed_keys = 0;
/** How often will we honor SIGNEWNYM requests? */
#define MAX_SIGNEWNYM_RATE 10
router_upload_dir_desc_to_dirservers(0);
}
+ if (is_server && time_to_check_ed_keys < now) {
+ if (should_make_new_ed_keys(options, now)) {
+ if (load_ed_keys(options, now) < 0) {
+ log_err(LD_OR, "Unable to update Ed25519 keys! Exiting.");
+ tor_cleanup();
+ exit(0);
+ }
+ }
+ time_to_check_ed_keys = now + 30;
+ }
+
if (!should_delay_dir_fetches(options, NULL) &&
time_to_try_getting_descriptors < now) {
update_all_descriptor_downloads(now);
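Review bot: The failure path in the new `time_to_check_ed_keys` block calls `exit(0)` right after `log_err(LD_OR, "Unable to update Ed25519 keys! Exiting.")`, so a relay that could not refresh its keys terminates with a success status. A service supervisor or monitor that keys off the exit code will record a clean shutdown instead of a key-management failure; `exit(1);` would match the error just logged. The enclosing function starts and ends outside this hunk.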
* XXXX Eventually, the default will be 0. */
int ExitRelay;
+
+ /** For how long (seconds) do we declare our singning keys to be valid? */
+ int SigningKeyLifetime;
+ /** For how long (seconds) do we declare our link keys to be valid? */
+ int TestingLinkKeyLifetime;
+ /** For how long (seconds) do we declare our auth keys to be valid? */
+ int TestingAuthKeyLifetime;
+
+ /** How long before signing keys expire will we try to make a new one? */
+ int TestingSigningKeySlop;
+ /** How long before link keys expire will we try to make a new one? */
+ int TestingLinkKeySlop;
+ /** How long before auth keys expire will we try to make a new one? */
+ int TestingAuthKeySlop;
+
} or_options_t;
/** Persistent state for an onion router, as saved to disk. */
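Review bot: The comment on `SigningKeyLifetime` misspells "signing" as "singning", and the three `*Slop` comments give no unit although the lifetime comments say "(seconds)". Suggest `/** For how long (seconds) do we declare our signing keys to be valid? */` and, for the slop fields, `/** How long (seconds) before signing keys expire will we try to make a new one? */`, with the same wording for link and auth.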
/* XXXX support encrypted identity keys fully */
- /* XXXX use options. */
- (void) options;
-
/* First try to get the signing key to see how it is. */
if (master_signing_key) {
check_signing_cert = signing_key_cert;
EXPIRES_SOON(check_signing_cert, 0);
const int want_new_signing_key =
need_new_signing_key ||
- EXPIRES_SOON(check_signing_cert, 86400/*???*/);
+ EXPIRES_SOON(check_signing_cert, options->TestingSigningKeySlop);
{
uint32_t flags =
options_get_datadir_fname2(options, "keys", "ed25519_signing"),
flags, LOG_WARN,
sign_signing_key_with_id, now,
- 30*86400/*XXX option*/,
+ options->SigningKeyLifetime,
CERT_TYPE_ID_SIGNING, &sign_cert);
if (!sign)
FAIL("Missing signing key");
* it, if we loaded it in the first place. */
memwipe(id->seckey.seckey, 0, sizeof(id->seckey));
- if (!current_link_key || EXPIRES_SOON(link_key_cert, 7200/*???*/)) {
+ if (!current_link_key ||
+ EXPIRES_SOON(link_key_cert, options->TestingLinkKeySlop)) {
link = ed_key_new(use_signing, INIT_ED_KEY_NEEDCERT,
- now, 2*86400/*XXX option??*/,
+ now,
+ options->TestingLinkKeyLifetime,
CERT_TYPE_SIGNING_LINK, &link_cert);
if (!link)
FAIL("Can't create link key");
}
- if (!current_auth_key || EXPIRES_SOON(auth_key_cert, 7200)/*???*/) {
+ if (!current_auth_key ||
+ EXPIRES_SOON(auth_key_cert, options->TestingAuthKeySlop)) {
auth = ed_key_new(use_signing, INIT_ED_KEY_NEEDCERT,
- now, 2*86400/*XXX option??*/,
+ now,
+ options->TestingAuthKeyLifetime,
CERT_TYPE_SIGNING_AUTH, &auth_cert);
if (!auth)
#undef FAIL
#undef SET_KEY
#undef SET_CERT
-#undef EXPIRES_SOON
}
+int
+should_make_new_ed_keys(const or_options_t *options, const time_t now)
+{
+ return (!master_identity_key ||
+ !master_signing_key ||
+ !current_link_key ||
+ !current_auth_key ||
+ EXPIRES_SOON(signing_key_cert, options->TestingSigningKeySlop) ||
+ EXPIRES_SOON(link_key_cert, options->TestingLinkKeySlop) ||
+ EXPIRES_SOON(auth_key_cert, options->TestingAuthKeySlop));
+}
+
+#undef EXPIRES_SOON
+
const ed25519_public_key_t *
get_master_identity_key(void)
{
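Review bot: `should_make_new_ed_keys()` is added without a doc comment, although it is exported through the header and called from the main loop. Its `now` parameter is never named in the body, so it is presumably consumed inside `EXPIRES_SOON`, whose definition is outside this hunk; that hidden dependency is worth stating for the next reader. Suggest `/** Return true if any Ed25519 key is missing, or if the signing, link or auth certificate expires within its configured slop of <b>now</b>. */` above the definition.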
const uint8_t *rsa_id_digest);
int load_ed_keys(const or_options_t *options, time_t now);
+int should_make_new_ed_keys(const or_options_t *options, const time_t now);
+
void routerkeys_free_all(void);
#endif
ed25519_keypair_t sign, link, auth;
// tor_cert_t *cert_is, *cert_sl, *cert_auth;
+ options->SigningKeyLifetime = 30*86400;
+ options->TestingAuthKeyLifetime = 2*86400;
+ options->TestingLinkKeyLifetime = 2*86400;
+ options->TestingSigningKeySlop = 2*86400;
+ options->TestingAuthKeySlop = 2*3600;
+ options->TestingLinkKeySlop = 2*3600;
+
#ifdef _WIN32
mkdir(dir);
mkdir(get_fname("test_ed_keys_init_all/keys"));