[tor-commits] [tor/master] Simply initialize TLS context if DynamicDHGroups change.

nickm at torproject.org nickm at torproject.org
Tue Nov 29 23:33:59 UTC 2011 

commit e3cee8bc2e8df6b39a4122829649e3f9ab920aa6
Author: George Kadianakis <desnacked at gmail.com>
Date:   Thu Nov 24 06:40:02 2011 +0100

    Simply initialize TLS context if DynamicDHGroups change.
    
    We used to do init_keys() if DynamicDHGroups changed after a HUP, so
    that the dynamic DH modulus was stored on the disk. Since we are now
    doing dynamic DH modulus storing in crypto.c, we can simply initialize
    the TLS context and be good with it.
    
    Introduce a new function router_initialize_tls_context() which
    initializes the TLS context and use it appropriately.
---
 src/or/config.c |   26 +++++++++++++++++++++++++-
 src/or/main.c   |    5 +----
 src/or/router.c |   21 +++++++++++++--------
 src/or/router.h |    1 +
 4 files changed, 40 insertions(+), 13 deletions(-)

diff --git a/src/or/config.c b/src/or/config.c
index a846ca9..f8c4ab3 100644
--- a/src/or/config.c
+++ b/src/or/config.c
@@ -1267,6 +1267,24 @@ get_effective_bwburst(const or_options_t *options)
   return (uint32_t)bw;
 }
 
+/** Return True if any changes from <b>old_options</b> to
+ * <b>new_options</b> needs us to refresh our TLS context. */
+static int
+options_transition_requires_fresh_tls_context(const or_options_t *old_options,
+                                              const or_options_t *new_options)
+{
+  tor_assert(new_options);
+
+  if (!old_options)
+    return 0;
+
+  if ((old_options->DynamicDHGroups != new_options->DynamicDHGroups)) {
+    return 1;
+  }
+
+  return 0;
+}
+
 /** Fetch the active option list, and take actions based on it. All of the
  * things we do should survive being done repeatedly.  If present,
  * <b>old_options</b> contains the previous value of the options.
@@ -1394,6 +1412,13 @@ options_act(const or_options_t *old_options)
       log_warn(LD_BUG,"Error initializing keys; exiting");
       return -1;
     }
+  } else if (old_options &&
+             options_transition_requires_fresh_tls_context(old_options,
+                                                           options)) {
+    if (router_initialize_tls_context() < 0) {
+      log_warn(LD_BUG,"Error initializing TLS context.");
+      return -1;
+    }
   }
 
   /* Write our PID to the PID file. If we do not have write permissions we
@@ -4075,7 +4100,6 @@ options_transition_affects_workers(const or_options_t *old_options,
 {
   if (!opt_streq(old_options->DataDirectory, new_options->DataDirectory) ||
       old_options->NumCPUs != new_options->NumCPUs ||
-      old_options->DynamicDHGroups != new_options->DynamicDHGroups ||
       old_options->ORPort != new_options->ORPort ||
       old_options->ServerDNSSearchDomains !=
                                        new_options->ServerDNSSearchDomains ||
diff --git a/src/or/main.c b/src/or/main.c
index 7008d38..95f9958 100644
--- a/src/or/main.c
+++ b/src/or/main.c
@@ -1161,10 +1161,7 @@ run_scheduled_events(time_t now)
     last_rotated_x509_certificate = now;
   if (last_rotated_x509_certificate+MAX_SSL_KEY_LIFETIME_INTERNAL < now) {
     log_info(LD_GENERAL,"Rotating tls context.");
-    if (tor_tls_context_init(public_server_mode(options),
-                             get_tlsclient_identity_key(),
-                             is_server ? get_server_identity_key() : NULL,
-                             MAX_SSL_KEY_LIFETIME_ADVERTISED) < 0) {
+    if (router_initialize_tls_context() < 0) {
       log_warn(LD_BUG, "Error reinitializing TLS context");
       /* XXX is it a bug here, that we just keep going? -RD */
     }
diff --git a/src/or/router.c b/src/or/router.c
index fdc83f5..67e98da 100644
--- a/src/or/router.c
+++ b/src/or/router.c
@@ -484,6 +484,17 @@ v3_authority_check_key_expiry(void)
   last_warned = now;
 }
 
+
+int
+router_initialize_tls_context(void)
+{
+  return tor_tls_context_init(public_server_mode(get_options()),
+                              get_tlsclient_identity_key(),
+                              server_mode(get_options()) ?
+                              get_server_identity_key() : NULL,
+                              MAX_SSL_KEY_LIFETIME_ADVERTISED);
+}
+
 /** Initialize all OR private keys, and the TLS context, as necessary.
  * On OPs, this only initializes the tls context. Return 0 on success,
  * or -1 if Tor should die.
@@ -530,10 +541,7 @@ init_keys(void)
     }
     set_client_identity_key(prkey);
     /* Create a TLS context. */
-    if (tor_tls_context_init(0,
-                             get_tlsclient_identity_key(),
-                             NULL,
-                             MAX_SSL_KEY_LIFETIME_ADVERTISED) < 0) {
+    if (router_initialize_tls_context() < 0) {
       log_err(LD_GENERAL,"Error creating TLS context for Tor client.");
       return -1;
     }
@@ -626,10 +634,7 @@ init_keys(void)
   tor_free(keydir);
 
   /* 3. Initialize link key and TLS context. */
-  if (tor_tls_context_init(public_server_mode(options),
-                           get_tlsclient_identity_key(),
-                           get_server_identity_key(),
-                           MAX_SSL_KEY_LIFETIME_ADVERTISED) < 0) {
+  if (router_initialize_tls_context() < 0) {
     log_err(LD_GENERAL,"Error initializing TLS context");
     return -1;
   }
diff --git a/src/or/router.h b/src/or/router.h
index f9d156c..68eadbf 100644
--- a/src/or/router.h
+++ b/src/or/router.h
@@ -30,6 +30,7 @@ crypto_pk_env_t *init_key_from_file(const char *fname, int generate,
                                     int severity);
 void v3_authority_check_key_expiry(void);
 
+int router_initialize_tls_context(void);
 int init_keys(void);
 
 int check_whether_orport_reachable(void);

More information about the tor-commits mailing list