[tor-bugs] #16790 [Tor]: Tor should reload keys from disk when receiving a SIGHUP

Tor Bug Tracker & Wiki blackhole at torproject.org
Wed Sep 2 00:08:48 UTC 2015 

#16790: Tor should reload keys from disk when receiving a SIGHUP
-------------------------+-------------------------------------------------
     Reporter:  s7r      |      Owner:  nickm
         Type:  defect   |     Status:  needs_revision
     Priority:  normal   |  Milestone:  Tor: 0.2.7.x-final
    Component:  Tor      |    Version:  Tor: 0.2.7.2-alpha
   Resolution:           |   Keywords:  ed25519, identity, keys,
Actual Points:           |  TorCoreTeam201509, PostFreeze027
       Points:           |  Parent ID:
-------------------------+-------------------------------------------------

Comment (by s7r):

 A proper behavior would be for Tor to do at every SIGHUP the same thing it
 does when starting, related to ed25519 router identity.

 That is why it is a little bit tricky to implement - we want to keep the
 'reload'/SIGHUP function which is sent very often (log rotation) without
 turning it into a 'restart' where uptime counter is reset, etc.

 I don't think it should try to reload the medium term signing key, don't
 think it can tell if this one is expired. Isn't the cert the one which
 states for how long the medium term signing key is valid?

 Here is a crazy idea.
 Remove the code in `ed25519_hup` / `ed25519_hup_v2` which tries to reload
 keys from disk when receiving a SIGHUP and do something like:

 When Tor runs as a relay, do a sha256sum of ed25519_signing_cert and
 ed25519_signing_secret_key and then another sha256sum of the 2 sums
 (cert|key - this order), so we have one value (one line). Add it to
 'state' file under some name.

 Whenever we receive a SIGHUP, calculate again the sha256sum of
 ed25519_signing_cert and ed25519_signing_secret_key and then another
 sha256sum of the 2 sums (cert|key - this order), and check the result
 against what we have in our state file. If different, turn the 'reload'
 into a 'restart', where we cover all the cases related to ed25519 identity
 keys.

 This means uptime counter reset, etc. but if the user changes the medium
 term signing key and certificate this is expected and wanted action anyway
 and even if it's not desired, can we call routerkeys function on the fly
 without losing uptime? If we can, let's call it on the fly. I want it to
 cover all the cases from fresh start at every SIGHUP because an operator
 can make same mistakes here, it's no different.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/16790#comment:12>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tor-bugs mailing list