31
31
/** Previous private onionskin decryption key: used to decode CREATE cells
32
32
* generated by clients that have an older version of our descriptor. */
33
33
static crypto_pk_env_t *lastonionkey=NULL;
34
/** Private "identity key": used to sign directory info and TLS
34
/** Private server "identity key": used to sign directory info and TLS
35
35
* certificates. Never changes. */
36
static crypto_pk_env_t *identitykey=NULL;
37
/** Digest of identitykey. */
38
static char identitykey_digest[DIGEST_LEN];
36
static crypto_pk_env_t *server_identitykey=NULL;
37
/** Digest of server_identitykey. */
38
static char server_identitykey_digest[DIGEST_LEN];
39
/** Private client "identity key": used to sign bridges' and clients'
40
* outbound TLS certificates. Regenerated on startup and on IP address
42
static crypto_pk_env_t *client_identitykey=NULL;
39
43
/** Signing key used for v3 directory material; only set for authorities. */
40
44
static crypto_pk_env_t *authority_signing_key = NULL;
41
45
/** Key certificate to authenticate v3 directory material; only set for
106
110
return onionkey_set_at;
109
/** Set the current identity key to k.
112
set_identity_key(crypto_pk_env_t *k)
115
crypto_free_pk_env(identitykey);
117
crypto_pk_get_digest(identitykey, identitykey_digest);
120
/** Returns the current identity key; requires that the identity key has been
124
get_identity_key(void)
126
tor_assert(identitykey);
130
/** Return true iff the identity key has been set. */
132
identity_key_is_set(void)
134
return identitykey != NULL;
113
/** Set the current server identity key to <b>k</b>.
116
set_server_identity_key(crypto_pk_env_t *k)
118
if (server_identitykey)
119
crypto_free_pk_env(server_identitykey);
120
server_identitykey = k;
121
crypto_pk_get_digest(server_identitykey, server_identitykey_digest);
124
/** Make sure that we have set up our identity keys to match or not match as
125
* appropriate, and die with an assertion if we have not. */
127
assert_identity_keys_ok(void)
129
tor_assert(client_identitykey);
130
if (public_server_mode(get_options())) {
131
/* assert that we have set the client and server keys to be equal */
132
tor_assert(server_identitykey);
133
tor_assert(0==crypto_pk_cmp_keys(client_identitykey, server_identitykey));
135
/* assert that we have set the client and server keys to be unequal */
136
if (server_identitykey)
137
tor_assert(0!=crypto_pk_cmp_keys(client_identitykey, server_identitykey));
141
/** Returns the current server identity key; requires that the key has
142
* been set, and that we are running as a Tor server.
145
get_server_identity_key(void)
147
tor_assert(server_identitykey);
148
tor_assert(server_mode(get_options()));
149
assert_identity_keys_ok();
150
return server_identitykey;
153
/** Return true iff the server identity key has been set. */
155
server_identity_key_is_set(void)
157
return server_identitykey != NULL;
160
/** Set the current client identity key to <b>k</b>.
163
set_client_identity_key(crypto_pk_env_t *k)
165
if (client_identitykey)
166
crypto_free_pk_env(client_identitykey);
167
client_identitykey = k;
170
/** Returns the current client identity key for use on outgoing TLS
171
* connections; requires that the key has been set.
174
get_tlsclient_identity_key(void)
176
tor_assert(client_identitykey);
177
assert_identity_keys_ok();
178
return client_identitykey;
181
/** Return true iff the client identity key has been set. */
183
client_identity_key_is_set(void)
185
return client_identitykey != NULL;
137
188
/** Return the key certificate for this v3 (voting) authority, or NULL
456
507
crypto_free_pk_env(prkey);
459
set_identity_key(prkey);
460
/* Create a TLS context; default the client nickname to "client". */
461
if (tor_tls_context_new(get_identity_key(), MAX_SSL_KEY_LIFETIME) < 0) {
510
set_client_identity_key(prkey);
511
/* Create a TLS context. */
512
if (tor_tls_context_init(0,
513
get_tlsclient_identity_key(),
515
MAX_SSL_KEY_LIFETIME_ADVERTISED) < 0) {
462
516
log_err(LD_GENERAL,"Error creating TLS context for Tor client.");
496
/* 1. Read identity key. Make it if none is found. */
550
/* 1b. Read identity key. Make it if none is found. */
497
551
keydir = get_datadir_fname2("keys", "secret_id_key");
498
552
log_info(LD_GENERAL,"Reading/making identity key \"%s\"...",keydir);
499
553
prkey = init_key_from_file(keydir, 1, LOG_ERR);
500
554
tor_free(keydir);
501
555
if (!prkey) return -1;
502
set_identity_key(prkey);
556
set_server_identity_key(prkey);
558
/* 1c. If we are configured as a bridge, generate a client key;
559
* otherwise, set the server identity key as our client identity
561
if (public_server_mode(options)) {
562
set_client_identity_key(crypto_pk_dup_key(prkey)); /* set above */
564
if (!(prkey = crypto_new_pk_env()))
566
if (crypto_pk_generate_key(prkey)) {
567
crypto_free_pk_env(prkey);
570
set_client_identity_key(prkey);
504
573
/* 2. Read onion key. Make it if none is found. */
505
574
keydir = get_datadir_fname2("keys", "secret_onion_key");
536
605
tor_free(keydir);
538
607
/* 3. Initialize link key and TLS context. */
539
if (tor_tls_context_new(get_identity_key(), MAX_SSL_KEY_LIFETIME) < 0) {
608
if (tor_tls_context_init(public_server_mode(options),
609
get_tlsclient_identity_key(),
610
get_server_identity_key(),
611
MAX_SSL_KEY_LIFETIME_ADVERTISED) < 0) {
540
612
log_err(LD_GENERAL,"Error initializing TLS context");
543
615
/* 4. Build our router descriptor. */
544
616
/* Must be called after keys are initialized. */
545
617
mydesc = router_get_my_descriptor();
546
if (authdir_mode(options)) {
618
if (authdir_mode_handles_descs(options, ROUTER_PURPOSE_GENERAL)) {
547
619
const char *m = NULL;
548
620
routerinfo_t *ri;
549
621
/* We need to add our own fingerprint so it gets recognized. */
550
if (dirserv_add_own_fingerprint(options->Nickname, get_identity_key())) {
622
if (dirserv_add_own_fingerprint(options->Nickname,
623
get_server_identity_key())) {
551
624
log_err(LD_GENERAL,"Error adding own fingerprint to approved set");
568
641
/* 5. Dump fingerprint to 'fingerprint' */
569
642
keydir = get_datadir_fname("fingerprint");
570
643
log_info(LD_GENERAL,"Dumping fingerprint to \"%s\"...",keydir);
571
if (crypto_pk_get_fingerprint(get_identity_key(), fingerprint, 0)<0) {
644
if (crypto_pk_get_fingerprint(get_server_identity_key(),
645
fingerprint, 0) < 0) {
572
646
log_err(LD_GENERAL,"Error computing fingerprint");
573
647
tor_free(keydir);
608
682
/* 6b. [authdirserver only] add own key to approved directories. */
609
crypto_pk_get_digest(get_identity_key(), digest);
683
crypto_pk_get_digest(get_server_identity_key(), digest);
610
684
type = ((options->V1AuthoritativeDir ? V1_AUTHORITY : NO_AUTHORITY) |
611
685
(options->V2AuthoritativeDir ? V2_AUTHORITY : NO_AUTHORITY) |
612
686
(options->V3AuthoritativeDir ? V3_AUTHORITY : NO_AUTHORITY) |
636
710
if (v3_digest_set && (ds->type & V3_AUTHORITY) &&
637
memcmp(v3_digest, ds->v3_identity_digest, DIGEST_LEN)) {
711
tor_memneq(v3_digest, ds->v3_identity_digest, DIGEST_LEN)) {
638
712
log_warn(LD_DIR, "V3 identity key does not match identity declared in "
639
713
"DirServer line. Adjusting.");
640
714
memcpy(ds->v3_identity_digest, v3_digest, DIGEST_LEN);
794
868
router_orport_found_reachable(void)
796
if (!can_reach_or_port) {
797
routerinfo_t *me = router_get_my_routerinfo();
870
routerinfo_t *me = router_get_my_routerinfo();
871
if (!can_reach_or_port && me) {
798
872
log_notice(LD_OR,"Self-testing indicates your ORPort is reachable from "
799
873
"the outside. Excellent.%s",
800
874
get_options()->_PublishServerDescriptor != NO_AUTHORITY ?
801
875
" Publishing server descriptor." : "");
802
876
can_reach_or_port = 1;
803
877
mark_my_descriptor_dirty();
804
if (!me) { /* should never happen */
805
log_warn(LD_BUG, "ORPort found reachable, but I have no routerinfo "
806
"yet. Failing to inform controller of success.");
809
878
control_event_server_status(LOG_NOTICE,
810
879
"REACHABILITY_SUCCEEDED ORADDRESS=%s:%d",
811
880
me->address, me->or_port);
817
886
router_dirport_found_reachable(void)
819
if (!can_reach_dir_port) {
820
routerinfo_t *me = router_get_my_routerinfo();
888
routerinfo_t *me = router_get_my_routerinfo();
889
if (!can_reach_dir_port && me) {
821
890
log_notice(LD_DIRSERV,"Self-testing indicates your DirPort is reachable "
822
891
"from the outside. Excellent.");
823
892
can_reach_dir_port = 1;
824
if (!me || decide_to_advertise_dirport(get_options(), me->dir_port))
893
if (decide_to_advertise_dirport(get_options(), me->dir_port))
825
894
mark_my_descriptor_dirty();
826
if (!me) { /* should never happen */
827
log_warn(LD_BUG, "DirPort found reachable, but I have no routerinfo "
828
"yet. Failing to inform controller of success.");
831
895
control_event_server_status(LOG_NOTICE,
832
896
"REACHABILITY_SUCCEEDED DIRADDRESS=%s:%d",
833
897
me->address, me->dir_port);
962
1026
return (options->ORPort != 0 || options->ORListenAddress);
1029
/** Return true iff we are trying to be a non-bridge server.
1032
public_server_mode(or_options_t *options)
1034
if (!server_mode(options)) return 0;
1035
return (!options->BridgeRelay);
965
1038
/** Remember if we've advertised ourselves to the dirservers. */
966
1039
static int server_is_advertised=0;
1127
1200
/** Return true iff I'm a server and <b>digest</b> is equal to
1128
* my identity digest. */
1201
* my server identity key digest. */
1130
1203
router_digest_is_me(const char *digest)
1132
return identitykey && !memcmp(identitykey_digest, digest, DIGEST_LEN);
1205
return (server_identitykey &&
1206
tor_memeq(server_identitykey_digest, digest, DIGEST_LEN));
1135
1209
/** Return true iff I'm a server and <b>digest</b> is equal to
1266
1340
ri->cache_info.published_on = time(NULL);
1267
1341
ri->onion_pkey = crypto_pk_dup_key(get_onion_key()); /* must invoke from
1268
1342
* main thread */
1269
ri->identity_pkey = crypto_pk_dup_key(get_identity_key());
1343
ri->identity_pkey = crypto_pk_dup_key(get_server_identity_key());
1270
1344
if (crypto_pk_get_digest(ri->identity_pkey,
1271
1345
ri->cache_info.identity_digest)<0) {
1272
1346
routerinfo_free(ri);
1359
1433
ei->cache_info.signed_descriptor_body = tor_malloc(8192);
1360
1434
if (extrainfo_dump_to_string(ei->cache_info.signed_descriptor_body, 8192,
1361
ei, get_identity_key()) < 0) {
1435
ei, get_server_identity_key()) < 0) {
1362
1436
log_warn(LD_BUG, "Couldn't generate extra-info descriptor.");
1363
1437
routerinfo_free(ri);
1364
1438
extrainfo_free(ei);
1376
1450
ri->cache_info.signed_descriptor_body = tor_malloc(8192);
1377
1451
if (router_dump_router_to_string(ri->cache_info.signed_descriptor_body, 8192,
1378
ri, get_identity_key())<0) {
1452
ri, get_server_identity_key()) < 0) {
1379
1453
log_warn(LD_BUG, "Couldn't generate router descriptor.");
1380
1454
routerinfo_free(ri);
1381
1455
extrainfo_free(ei);