[or-cvs] r12046: Encode address in certificates. Also, make it possible to cr (in tor/trunk: . doc doc/spec src/or src/tools)
nickm at seul.org
nickm at seul.org
Fri Oct 19 16:28:11 UTC 2007
Author: nickm
Date: 2007-10-19 12:28:10 -0400 (Fri, 19 Oct 2007)
New Revision: 12046
Modified:
tor/trunk/
tor/trunk/ChangeLog
tor/trunk/doc/TODO
tor/trunk/doc/spec/dir-spec.txt
tor/trunk/src/or/or.h
tor/trunk/src/or/routerparse.c
tor/trunk/src/tools/tor-gencert.c
Log:
r15956 at catbus: nickm | 2007-10-19 11:18:14 -0400
Encode address in certificates. Also, make it possible to create certs reusing an old key.
Property changes on: tor/trunk
___________________________________________________________________
svk:merge ticket from /tor/trunk [r15956] on 8246c3cf-6607-4228-993b-4d95d33730f1
Modified: tor/trunk/ChangeLog
===================================================================
--- tor/trunk/ChangeLog 2007-10-19 08:54:47 UTC (rev 12045)
+++ tor/trunk/ChangeLog 2007-10-19 16:28:10 UTC (rev 12046)
@@ -17,6 +17,11 @@
clear all the flags for routers that fall out of the networkstatus
consensus. Fixes bug 529.
+ o Minor features (v3 directory protocol):
+ - Allow tor-gencert to generate a new certificate without replacing the
+ signing key.
+ - Allow certificates to include an address.
+
o Minor features (router descriptor cache):
- If we find a cached-routers file that's been sitting around for more
than 28 days unmodified, then most likely it's a leftover from when we
Modified: tor/trunk/doc/TODO
===================================================================
--- tor/trunk/doc/TODO 2007-10-19 08:54:47 UTC (rev 12045)
+++ tor/trunk/doc/TODO 2007-10-19 16:28:10 UTC (rev 12046)
@@ -56,7 +56,7 @@
- Make new download types comply with should_delay_dir_fetches()
- When DownloadExtraInfo is turned on for the first time, don't flip
out and download the ancient history of the universe.
- - List IP addresses in certificates?
+ o List IP addresses in certificates?
- Make the address in votes be an actual IP address.
- Proposals:
Modified: tor/trunk/doc/spec/dir-spec.txt
===================================================================
--- tor/trunk/doc/spec/dir-spec.txt 2007-10-19 08:54:47 UTC (rev 12045)
+++ tor/trunk/doc/spec/dir-spec.txt 2007-10-19 16:28:10 UTC (rev 12046)
@@ -655,7 +655,7 @@
the protocol described in this document. Implementations MUST
reject formats they don't understand.
- "address" IP NL
+ "dir-address" IP NL
[Once or more]
An IP:Port for this authority's directory port.
Modified: tor/trunk/src/or/or.h
===================================================================
--- tor/trunk/src/or/or.h 2007-10-19 08:54:47 UTC (rev 12045)
+++ tor/trunk/src/or/or.h 2007-10-19 16:28:10 UTC (rev 12046)
@@ -1475,6 +1475,8 @@
crypto_pk_env_t *signing_key;
char signing_key_digest[DIGEST_LEN];
time_t expires;
+ uint32_t addr;
+ uint16_t dir_port;
} authority_cert_t;
/** Bitfield enum type listing types of directory authority/directory
Modified: tor/trunk/src/or/routerparse.c
===================================================================
--- tor/trunk/src/or/routerparse.c 2007-10-19 08:54:47 UTC (rev 12045)
+++ tor/trunk/src/or/routerparse.c 2007-10-19 16:28:10 UTC (rev 12046)
@@ -63,6 +63,7 @@
K_DIR_KEY_PUBLISHED,
K_DIR_KEY_EXPIRES,
K_DIR_KEY_CERTIFICATION,
+ K_DIR_ADDRESS,
K_VOTE_STATUS,
K_VALID_AFTER,
@@ -280,8 +281,6 @@
END_OF_TABLE
};
-/** List of tokens allowable in the footer of v1/v2 directory/networkstatus
- * footers. */
#define CERTIFICATE_MEMBERS \
T1("dir-key-certificate-version", K_DIR_KEY_CERTIFICATE_VERSION, \
GE(1), NO_OBJ ), \
@@ -290,7 +289,8 @@
T1("dir-key-expires", K_DIR_KEY_EXPIRES, CONCAT_ARGS, NO_OBJ), \
T1("dir-signing-key", K_DIR_SIGNING_KEY, NO_ARGS, NEED_KEY ),\
T1("dir-key-certification", K_DIR_KEY_CERTIFICATION, \
- NO_ARGS, NEED_OBJ),
+ NO_ARGS, NEED_OBJ), \
+ T01("dir-address", K_DIR_ADDRESS, GE(1), NO_OBJ),
static token_rule_t dir_key_certificate_table[] = {
CERTIFICATE_MEMBERS
@@ -346,6 +346,8 @@
END_OF_TABLE
};
+/** List of tokens allowable in the footer of v1/v2 directory/networkstatus
+ * footers. */
static token_rule_t networkstatus_vote_footer_token_table[] = {
T( "directory-signature", K_DIRECTORY_SIGNATURE, GE(2), NEED_OBJ ),
END_OF_TABLE
@@ -1438,6 +1440,16 @@
goto err;
}
+ tok = find_first_by_keyword(tokens, K_DIR_ADDRESS);
+ if (tok) {
+ tor_assert(tok->n_args);
+ if (parse_addr_port(LOG_WARN, tok->args[0], NULL, &cert->addr,
+ &cert->dir_port)<0) {
+ log_warn(LD_DIR, "Couldn't parse dir-address in certificate");
+ goto err;
+ }
+ }
+
tok = find_first_by_keyword(tokens, K_DIR_KEY_PUBLISHED);
tor_assert(tok);
if (parse_iso_time(tok->args[0], &cert->cache_info.published_on) < 0) {
Modified: tor/trunk/src/tools/tor-gencert.c
===================================================================
--- tor/trunk/src/tools/tor-gencert.c 2007-10-19 08:54:47 UTC (rev 12045)
+++ tor/trunk/src/tools/tor-gencert.c 2007-10-19 16:28:10 UTC (rev 12046)
@@ -39,9 +39,11 @@
char *identity_key_file = NULL;
char *signing_key_file = NULL;
char *certificate_file = NULL;
+int reuse_signing_key = 0;
int verbose = 0;
int make_new_id = 0;
int months_lifetime = DEFAULT_LIFETIME;
+char *address = NULL;
EVP_PKEY *identity_key = NULL;
EVP_PKEY *signing_key = NULL;
@@ -53,7 +55,8 @@
fprintf(stderr, "Syntax:\n"
"tor-gencert [-h|--help] [-v] [--create-identity-key] "
"[-i identity_key_file]\n"
- " [-s signing_key_file] [-c certificate_file]\n");
+ " [-s signing_key_file] [-c certificate_file] "
+ "[--reuse-signing-key]\n");
}
/* XXXX copied from crypto.c */
@@ -109,8 +112,25 @@
fprintf(stderr, "Lifetime (in months) was out of range.");
return 1;
}
+ } else if (!strcmp(argv[i], "-r") || !strcmp(argv[i], "--reuse")) {
+ reuse_signing_key = 1;
} else if (!strcmp(argv[i], "-v")) {
verbose = 1;
+ } else if (!strcmp(argv[i], "-a")) {
+ uint32_t addr;
+ uint16_t port;
+ char b[INET_NTOA_BUF_LEN];
+ struct in_addr in;
+ if (i+1>=argc) {
+ fprintf(stderr, "No argument to -a\n");
+ return 1;
+ }
+ if (parse_addr_port(LOG_ERR, argv[++i], NULL, &addr, &port)<0)
+ return 1;
+ in.s_addr = htonl(addr);
+ tor_inet_ntoa(&in, b, sizeof(b));
+ address = tor_malloc(INET_NTOA_BUF_LEN+32);
+ tor_snprintf(address, INET_NTOA_BUF_LEN+32, "%s:%d", b, (int)port);
} else if (!strcmp(argv[i], "--create-identity-key")) {
make_new_id = 1;
} else {
@@ -215,6 +235,24 @@
/** DOCDOC */
static int
+load_signing_key(void)
+{
+ FILE *f;
+ if (!(f = fopen(signing_key_file, "r"))) {
+ log_err(LD_GENERAL, "Couldn't open %s for reading: %s",
+ signing_key_file, strerror(errno));
+ return 1;
+ }
+ if (!(signing_key = PEM_read_PrivateKey(f, NULL, NULL, NULL))) {
+ log_err(LD_GENERAL, "Couldn't read siging key from %s", signing_key_file);
+ return 1;
+ }
+ fclose(f);
+ return 0;
+}
+
+/** DOCDOC */
+static int
generate_signing_key(void)
{
open_file_t *open_file;
@@ -315,13 +353,15 @@
format_iso_time(expires, mktime(&tm));
tor_snprintf(buf, sizeof(buf),
- "dir-key-certificate-version 3\n"
- "fingerprint %s\n"
+ "dir-key-certificate-version 3"
+ "%s%s"
+ "\nfingerprint %s\n"
"dir-key-published %s\n"
"dir-key-expires %s\n"
"dir-identity-key\n%s"
"dir-signing-key\n%s"
"dir-key-certification\n",
+ address?"\ndir-address ":"", address?address:"",
fingerprint, published, expires, ident, signing);
signed_len = strlen(buf);
SHA1((const unsigned char*)buf,signed_len,(unsigned char*)digest);
@@ -368,8 +408,13 @@
goto done;
if (load_identity_key())
goto done;
- if (generate_signing_key())
- goto done;
+ if (reuse_signing_key) {
+ if (load_signing_key())
+ goto done;
+ } else {
+ if (generate_signing_key())
+ goto done;
+ }
if (generate_certificate())
goto done;
@@ -379,6 +424,7 @@
EVP_PKEY_free(identity_key);
if (signing_key)
EVP_PKEY_free(signing_key);
+ tor_free(address);
crypto_global_cleanup();
return r;
More information about the tor-commits
mailing list