commit 23ae5b655b9d94d62c6c9296cb8cc2b33ae345d7 Author: Alexander Færøy ahf@torproject.org Date: Fri Mar 10 12:18:52 2017 +0100
Make MIN_ONION_KEY_LIFETIME a consensus parameter defined value.
This patch turns `MIN_ONION_KEY_LIFETIME` into a new function `get_onion_key_lifetime()` which gets its value from a network consensus parameter named "onion-key-rotation-days". This allows us to tune the value at a later point in time with no code modifications.
We also bump the default onion key lifetime from 7 to 28 days as per proposal #274.
See: https://bugs.torproject.org/21641 --- src/or/main.c | 11 ++++++----- src/or/or.h | 11 +++++++++-- src/or/router.c | 29 +++++++++++++++++++++++++++-- src/or/router.h | 1 + src/test/test_dir.c | 2 +- 5 files changed, 44 insertions(+), 10 deletions(-)
diff --git a/src/or/main.c b/src/or/main.c
index 475587e..107a484 100644
--- a/src/or/main.c
+++ b/src/or/main.c
@@ -1472,15 +1472,16 @@ run_scheduled_events(time_t now)
 pt_configure_remaining_proxies();
 }

-/* Periodic callback: Every MIN_ONION_KEY_LIFETIME seconds, rotate the onion
- * keys, shut down and restart all cpuworkers, and update our descriptor if
- * necessary.
+/* Periodic callback: rotate the onion keys after the period defined by the
+ * "onion-key-rotation-days" consensus parameter, shut down and restart all
+ * cpuworkers, and update our descriptor if necessary.
 */
 static int
 rotate_onion_key_callback(time_t now, const or_options_t *options)
 {
 if (server_mode(options)) {
- time_t rotation_time = get_onion_key_set_at()+MIN_ONION_KEY_LIFETIME;
+ int onion_key_lifetime = get_onion_key_lifetime();
+ time_t rotation_time = get_onion_key_set_at()+onion_key_lifetime;
 if (rotation_time > now) {
 return safe_timer_diff(now, rotation_time);
 }
@@ -1493,7 +1494,7 @@ rotate_onion_key_callback(time_t now, const or_options_t *options)
 }
 if (advertised_server_mode() && !options->DisableNetwork)
 router_upload_dir_desc_to_dirservers(0);
- return MIN_ONION_KEY_LIFETIME;
+ return onion_key_lifetime;
 }
 return PERIODIC_EVENT_NO_UPDATE;
 }
diff --git a/src/or/or.h b/src/or/or.h
index 0e2dc24..2903f5e 100644
--- a/src/or/or.h
+++ b/src/or/or.h
@@ -147,8 +147,15 @@
 /** Maximum size of a single extrainfo document, as above. */
 #define MAX_EXTRAINFO_UPLOAD_SIZE 50000
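Review bot: Both return paths of `rotate_onion_key_callback()` — `safe_timer_diff(now, rotation_time)` in the first main.c hunk and `return onion_key_lifetime;` in the second (@@ -1493) — put the callback to sleep for up to a whole key lifetime, computed from the parameter as it was when the callback ran. Unless something outside these hunks reschedules the event when a new consensus arrives, a later consensus that lowers "onion-key-rotation-days" would go unnoticed for as long as the old value allowed, up to MAX_ONION_KEY_LIFETIME_DAYS. Since the commit exists to make rotation tunable, consider capping both returns at a short re-check interval, for example `return ONION_KEY_RECHECK_INTERVAL;` (placeholder name, about one hour), and letting the `rotation_time > now` test decide on each run whether rotation is due. The function body starts and ends outside both hunks.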
-/** How often do we rotate onion keys? */
-#define MIN_ONION_KEY_LIFETIME (7*24*60*60)
+/** Minimum lifetime for an onion key in days. */
+#define MIN_ONION_KEY_LIFETIME_DAYS (1)
+
+/** Maximum lifetime for an onion key in days. */
+#define MAX_ONION_KEY_LIFETIME_DAYS (90)
+
+/** Default lifetime for an onion key in days. */
+#define DEFAULT_ONION_KEY_LIFETIME_DAYS (28)
+
 /** How often do we rotate TLS contexts? */
 #define MAX_SSL_KEY_LIFETIME_INTERNAL (2*60*60)

diff --git a/src/or/router.c b/src/or/router.c
index e4fa72a..1fa0f10 100644
--- a/src/or/router.c
+++ b/src/or/router.c
@@ -683,6 +683,31 @@ v3_authority_check_key_expiry(void)
 last_warned = now;
 }

+/** Get the lifetime of an onion key in days. This value is defined by the
+ * network consesus parameter "onion-key-rotation-days". Always returns a value
+ * between <b>MIN_ONION_KEY_LIFETIME_DAYS</b> and
+ * <b>MAX_ONION_KEY_LIFETIME_DAYS</b>.
+ */
+static int
+get_onion_key_rotation_days_(void)
+{
+ return networkstatus_get_param(NULL,
+ "onion-key-rotation-days",
+ DEFAULT_ONION_KEY_LIFETIME_DAYS,
+ MIN_ONION_KEY_LIFETIME_DAYS,
+ MAX_ONION_KEY_LIFETIME_DAYS);
+}
+
+/** Get the current lifetime of an onion key in seconds. This value is defined
+ * by the network consesus parameter "onion-key-rotation-days", but the value
+ * is converted to seconds.
+ */
+int
+get_onion_key_lifetime(void)
+{
+ return get_onion_key_rotation_days_()*24*60*60;
+}
+
 /** Set up Tor's TLS contexts, based on our configuration and keys. Return 0
 * on success, and -1 on failure. */
 int
@@ -928,7 +953,7 @@ init_keys(void)
 /* We have no LastRotatedOnionKey set; either we just created the key
 * or it's a holdover from 0.1.2.4-alpha-dev or earlier. In either case,
 * start the clock ticking now so that we will eventually rotate it even
- * if we don't stay up for a full MIN_ONION_KEY_LIFETIME. */
+ * if we don't stay up for the full lifetime of an onion key. */
 state->LastRotatedOnionKey = onionkey_set_at = now;
 or_state_mark_dirty(state, options->AvoidDiskWrites ? time(NULL)+3600 : 0);
@@ -2760,7 +2785,7 @@ router_dump_router_to_string(routerinfo_t *router,
 make_ntor_onion_key_crosscert(ntor_keypair,
 &router->cache_info.signing_key_cert->signing_key,
 router->cache_info.published_on,
- MIN_ONION_KEY_LIFETIME, &sign);
+ get_onion_key_lifetime(), &sign);
 if (!cert) {
 log_warn(LD_BUG,"make_ntor_onion_key_crosscert failed!");
 goto err;
diff --git a/src/or/router.h b/src/or/router.h
index c30a030..9060bc2 100644
--- a/src/or/router.h
+++ b/src/or/router.h
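Review bot: Both new doc comments in the @@ -683 hunk misspell "consensus" as "consesus", which will hide them from anyone searching for the parameter's documentation. The comment on `get_onion_key_rotation_days_()` should also say what is returned when no usable consensus is available; presumably `networkstatus_get_param(NULL, ...)` falls back to `DEFAULT_ONION_KEY_LIFETIME_DAYS`, but that helper is not shown here, so confirm before writing it down. On `get_onion_key_lifetime()` I would add `/* At most MAX_ONION_KEY_LIFETIME_DAYS*24*60*60 = 7776000, which fits in an int. */`, because callers add the result to a `time_t` and pass it on as a certificate lifetime.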
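Review bot: The validity handed to `make_ntor_onion_key_crosscert()` in the @@ -2760 hunk is read from the consensus when the descriptor is built, independently of the value the rotation timer in main.c sampled, so the two can disagree after a parameter change. With the new default the cross-certificate appears to be valid for 28 days from `published_on` instead of 7, and up to 90 at the clamp, which lengthens the period a certificate for a given onion key stays acceptable. If that coupling is intended, record it at the call site with something like `/* Cross-cert validity deliberately tracks the consensus onion key lifetime. */`. The enclosing function starts and ends outside the hunk.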
@@ -31,6 +31,7 @@ void rotate_onion_key(void);
 crypto_pk_t *init_key_from_file(const char *fname, int generate, int severity, int log_greeting);
 void v3_authority_check_key_expiry(void);
+int get_onion_key_lifetime(void);

 di_digest256_map_t *construct_ntor_key_map(void);
 void ntor_key_map_free(di_digest256_map_t *map);
diff --git a/src/test/test_dir.c b/src/test/test_dir.c
index 3906206..91d6af9 100644
--- a/src/test/test_dir.c
+++ b/src/test/test_dir.c
@@ -329,7 +329,7 @@ test_dir_formats(void *arg)
 ntor_cc = make_ntor_onion_key_crosscert(&r2_onion_keypair,
 &kp1.pubkey,
 r2->cache_info.published_on,
- MIN_ONION_KEY_LIFETIME,
+ get_onion_key_lifetime(),
 &ntor_cc_sign);
 tt_assert(ntor_cc);
 base64_encode(cert_buf, sizeof(cert_buf),
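Review bot: Nothing visible in this commit tests `get_onion_key_lifetime()` itself; the test_dir.c hunk only swaps the argument, so the 28-day default and the clamp to 1..90 days are unverified here. A small unit test that mocks the consensus parameter lookup and checks a below-minimum, an above-maximum and an absent value would pin the bounds relays will rely on for key rotation. `test_dir_formats()` also now depends on whatever consensus state the test process holds when it makes the call; presumably none, so the default applies, which deserves a comment such as `/* No consensus in this test: default onion key lifetime is used. */`. The function extends beyond the hunk.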