Tor 0.4.9.2-alpha-dev
All Data Structures Files Functions Variables Typedefs Enumerations Enumerator Macros Modules Pages
routerkeys.c
Go to the documentation of this file.
1/* Copyright (c) 2014-2021, The Tor Project, Inc. */
2/* See LICENSE for licensing information */
3
4/**
5 * \file routerkeys.c
6 *
7 * \brief Functions and structures to handle generating and maintaining the
8 * set of keypairs necessary to be an OR.
9 *
10 * The keys handled here now are the Ed25519 keys that Tor relays use to sign
11 * descriptors, authenticate themselves on links, and identify one another
12 * uniquely. Other keys are maintained in router.c and rendservice.c.
13 *
14 * (TODO: The keys in router.c should go here too.)
15 */
16
17#define ROUTERKEYS_PRIVATE
18
19#include "core/or/or.h"
20#include "app/config/config.h"
28
31#include "lib/tls/tortls.h"
32#include "lib/tls/x509.h"
33
34#define ENC_KEY_HEADER "Boxed Ed25519 key"
35#define ENC_KEY_TAG "master"
36
37#ifdef HAVE_UNISTD_H
38#include <unistd.h>
39#endif
40
41static ed25519_keypair_t *master_identity_key = NULL;
42static ed25519_keypair_t *master_signing_key = NULL;
43static ed25519_keypair_t *current_auth_key = NULL;
44static tor_cert_t *signing_key_cert = NULL;
45static tor_cert_t *link_cert_cert = NULL;
46static tor_cert_t *auth_key_cert = NULL;
47
48static uint8_t *rsa_ed_crosscert = NULL;
49static size_t rsa_ed_crosscert_len = 0;
50static time_t rsa_ed_crosscert_expiration = 0;
51
52// list of ed25519_keypair_t
53static smartlist_t *family_id_keys = NULL;
54
55/**
56 * Running as a server: load, reload, or refresh our ed25519 keys and
57 * certificates, creating and saving new ones as needed.
58 *
59 * Return -1 on failure; 0 on success if the signing key was not replaced;
60 * and 1 on success if the signing key was replaced.
61 */
62int
63load_ed_keys(const or_options_t *options, time_t now)
64{
65 ed25519_keypair_t *id = NULL;
66 ed25519_keypair_t *sign = NULL;
67 ed25519_keypair_t *auth = NULL;
68 const ed25519_keypair_t *sign_signing_key_with_id = NULL;
69 const ed25519_keypair_t *use_signing = NULL;
70 const tor_cert_t *check_signing_cert = NULL;
71 tor_cert_t *sign_cert = NULL;
72 tor_cert_t *auth_cert = NULL;
73 int signing_key_changed = 0;
74
75 // It is later than 1972, since otherwise there would be no C compilers.
76 // (Try to diagnose #22466.)
77 tor_assert_nonfatal(now >= 2 * 365 * 86400);
78
79#define FAIL(msg) do { \
80 log_warn(LD_OR, (msg)); \
81 goto err; \
82 } while (0)
83#define SET_KEY(key, newval) do { \
84 if ((key) != (newval)) \
85 ed25519_keypair_free(key); \
86 key = (newval); \
87 } while (0)
88#define SET_CERT(cert, newval) do { \
89 if ((cert) != (newval)) \
90 tor_cert_free(cert); \
91 cert = (newval); \
92 } while (0)
93#define HAPPENS_SOON(when, interval) \
94 ((when) < now + (interval))
95#define EXPIRES_SOON(cert, interval) \
96 (!(cert) || HAPPENS_SOON((cert)->valid_until, (interval)))
97
98 /* XXXX support encrypted identity keys fully */
99
100 /* First try to get the signing key to see how it is. */
101 {
102 char *fname =
103 options_get_keydir_fname(options, "ed25519_signing");
105 fname,
106 INIT_ED_KEY_NEEDCERT|
107 INIT_ED_KEY_INCLUDE_SIGNING_KEY_IN_CERT,
108 LOG_INFO,
109 NULL, 0, 0, CERT_TYPE_ID_SIGNING, &sign_cert, options);
110 tor_free(fname);
111 check_signing_cert = sign_cert;
112 use_signing = sign;
113 }
114
115 if (use_signing) {
116 /* We loaded a signing key with its certificate. */
117 if (! master_signing_key) {
118 /* We didn't know one before! */
119 signing_key_changed = 1;
120 } else if (! ed25519_pubkey_eq(&use_signing->pubkey,
121 &master_signing_key->pubkey) ||
122 ! tor_memeq(use_signing->seckey.seckey,
123 master_signing_key->seckey.seckey,
125 /* We loaded a different signing key than the one we knew before. */
126 signing_key_changed = 1;
127 }
128 }
129
130 if (!use_signing && master_signing_key) {
131 /* We couldn't load a signing key, but we already had one loaded */
132 check_signing_cert = signing_key_cert;
133 use_signing = master_signing_key;
134 }
135
136 const int offline_master =
137 options->OfflineMasterKey && options->command != CMD_KEYGEN;
138 const int need_new_signing_key =
139 NULL == use_signing ||
140 EXPIRES_SOON(check_signing_cert, 0) ||
141 (options->command == CMD_KEYGEN && ! options->change_key_passphrase);
142 const int want_new_signing_key =
143 need_new_signing_key ||
144 EXPIRES_SOON(check_signing_cert, options->TestingSigningKeySlop);
145
146 /* We can only create a master key if we haven't been told that the
147 * master key will always be offline. Also, if we have a signing key,
148 * then we shouldn't make a new master ID key. */
149 const int can_make_master_id_key = !offline_master &&
150 NULL == use_signing;
151
152 if (need_new_signing_key) {
153 log_notice(LD_OR, "It looks like I need to generate and sign a new "
154 "medium-term signing key, because %s. To do that, I "
155 "need to load%s the permanent master identity key. "
156 "If the master identity key was not moved or encrypted "
157 "with a passphrase, this will be done automatically and "
158 "no further action is required. Otherwise, provide the "
159 "necessary data using 'tor --keygen' to do it manually.",
160 (NULL == use_signing) ? "I don't have one" :
161 EXPIRES_SOON(check_signing_cert, 0) ? "the one I have is expired" :
162 "you asked me to make one with --keygen",
163 can_make_master_id_key ? " (or create)" : "");
164 } else if (want_new_signing_key && !offline_master) {
165 log_notice(LD_OR, "It looks like I should try to generate and sign a "
166 "new medium-term signing key, because the one I have is "
167 "going to expire soon. To do that, I'm going to have to "
168 "try to load the permanent master identity key. "
169 "If the master identity key was not moved or encrypted "
170 "with a passphrase, this will be done automatically and "
171 "no further action is required. Otherwise, provide the "
172 "necessary data using 'tor --keygen' to do it manually.");
173 } else if (want_new_signing_key) {
174 log_notice(LD_OR, "It looks like I should try to generate and sign a "
175 "new medium-term signing key, because the one I have is "
176 "going to expire soon. But OfflineMasterKey is set, so I "
177 "won't try to load a permanent master identity key. You "
178 "will need to use 'tor --keygen' to make a new signing "
179 "key and certificate.");
180 }
181
182 {
183 uint32_t flags =
184 (INIT_ED_KEY_SPLIT|
185 INIT_ED_KEY_EXTRA_STRONG|INIT_ED_KEY_NO_REPAIR);
186 if (can_make_master_id_key)
187 flags |= INIT_ED_KEY_CREATE;
188 if (! need_new_signing_key)
189 flags |= INIT_ED_KEY_MISSING_SECRET_OK;
190 if (! want_new_signing_key || offline_master)
191 flags |= INIT_ED_KEY_OMIT_SECRET;
192 if (offline_master)
193 flags |= INIT_ED_KEY_OFFLINE_SECRET;
194 if (options->command == CMD_KEYGEN)
195 flags |= INIT_ED_KEY_TRY_ENCRYPTED;
196
197 /* Check/Create the key directory */
198 if (create_keys_directory(options) < 0)
199 goto err;
200
201 char *fname;
202 if (options->master_key_fname) {
203 fname = tor_strdup(options->master_key_fname);
204 flags |= INIT_ED_KEY_EXPLICIT_FNAME;
205 } else {
206 fname = options_get_keydir_fname(options, "ed25519_master_id");
207 }
209 fname,
210 flags,
211 LOG_WARN, NULL, 0, 0, 0, NULL, options);
212 tor_free(fname);
213 if (!id) {
214 if (need_new_signing_key) {
215 if (offline_master)
216 FAIL("Can't load master identity key; OfflineMasterKey is set.");
217 else
218 FAIL("Missing identity key");
219 } else {
220 log_warn(LD_OR, "Master public key was absent; inferring from "
221 "public key in signing certificate and saving to disk.");
222 tor_assert(check_signing_cert);
223 id = tor_malloc_zero(sizeof(*id));
224 memcpy(&id->pubkey, &check_signing_cert->signing_key,
225 sizeof(ed25519_public_key_t));
226 fname = options_get_keydir_fname(options,
227 "ed25519_master_id_public_key");
228 if (ed25519_pubkey_write_to_file(&id->pubkey, fname, "type0") < 0) {
229 log_warn(LD_OR, "Error while attempting to write master public key "
230 "to disk");
231 tor_free(fname);
232 goto err;
233 }
234 tor_free(fname);
235 }
236 }
237 if (safe_mem_is_zero((char*)id->seckey.seckey, sizeof(id->seckey)))
238 sign_signing_key_with_id = NULL;
239 else
240 sign_signing_key_with_id = id;
241 }
242
243 if (master_identity_key &&
244 !ed25519_pubkey_eq(&id->pubkey, &master_identity_key->pubkey)) {
245 FAIL("Identity key on disk does not match key we loaded earlier!");
246 }
247
248 if (need_new_signing_key && NULL == sign_signing_key_with_id)
249 FAIL("Can't load master key make a new signing key.");
250
251 if (sign_cert) {
252 if (! sign_cert->signing_key_included)
253 FAIL("Loaded a signing cert with no key included!");
254 if (! ed25519_pubkey_eq(&sign_cert->signing_key, &id->pubkey))
255 FAIL("The signing cert we have was not signed with the master key "
256 "we loaded!");
257 if (tor_cert_checksig(sign_cert, &id->pubkey, 0) < 0) {
258 log_warn(LD_OR, "The signing cert we loaded was not signed "
259 "correctly: %s!",
261 goto err;
262 }
263 }
264
265 if (want_new_signing_key && sign_signing_key_with_id) {
266 uint32_t flags = (INIT_ED_KEY_CREATE|
267 INIT_ED_KEY_REPLACE|
268 INIT_ED_KEY_EXTRA_STRONG|
269 INIT_ED_KEY_NEEDCERT|
270 INIT_ED_KEY_INCLUDE_SIGNING_KEY_IN_CERT);
271 char *fname =
272 options_get_keydir_fname(options, "ed25519_signing");
273 ed25519_keypair_free(sign);
274 tor_cert_free(sign_cert);
275 sign = ed_key_init_from_file(fname,
276 flags, LOG_WARN,
277 sign_signing_key_with_id, now,
278 options->SigningKeyLifetime,
279 CERT_TYPE_ID_SIGNING, &sign_cert, options);
280 tor_free(fname);
281 if (!sign)
282 FAIL("Missing signing key");
283 use_signing = sign;
284 signing_key_changed = 1;
285
287 tor_assert(ed25519_pubkey_eq(&sign_cert->signing_key, &id->pubkey));
288 tor_assert(ed25519_pubkey_eq(&sign_cert->signed_key, &sign->pubkey));
289 } else if (want_new_signing_key) {
290 static ratelim_t missing_master = RATELIM_INIT(3600);
291 log_fn_ratelim(&missing_master, LOG_WARN, LD_OR,
292 "Signing key will expire soon, but I can't load the "
293 "master key to sign a new one!");
294 }
295
296 tor_assert(use_signing);
297
298 /* At this point we no longer need our secret identity key. So wipe
299 * it, if we loaded it in the first place. */
300 memwipe(id->seckey.seckey, 0, sizeof(id->seckey));
301
302 if (options->command == CMD_KEYGEN)
303 goto end;
304
305 if (server_mode(options) &&
306 (!rsa_ed_crosscert ||
307 HAPPENS_SOON(rsa_ed_crosscert_expiration, 30*86400))) {
308 uint8_t *crosscert;
309 time_t expiration = now+6*30*86400; /* 6 months in the future. */
310 ssize_t crosscert_len = tor_make_rsa_ed25519_crosscert(&id->pubkey,
311 get_server_identity_key(),
312 expiration,
313 &crosscert);
314 tor_free(rsa_ed_crosscert);
315 rsa_ed_crosscert_len = crosscert_len;
316 rsa_ed_crosscert = crosscert;
317 rsa_ed_crosscert_expiration = expiration;
318 }
319
320 if (!current_auth_key ||
321 signing_key_changed ||
322 EXPIRES_SOON(auth_key_cert, options->TestingAuthKeySlop)) {
323 auth = ed_key_new(use_signing, INIT_ED_KEY_NEEDCERT,
324 now,
325 options->TestingAuthKeyLifetime,
326 CERT_TYPE_SIGNING_AUTH, &auth_cert);
327
328 if (!auth)
329 FAIL("Can't create auth key");
330 }
331
332 /* We've generated or loaded everything. Put them in memory. */
333
334 end:
335 if (! master_identity_key) {
336 SET_KEY(master_identity_key, id);
337 } else {
338 tor_free(id);
339 }
340 if (sign) {
341 SET_KEY(master_signing_key, sign);
342 SET_CERT(signing_key_cert, sign_cert);
343 }
344 if (auth) {
345 SET_KEY(current_auth_key, auth);
346 SET_CERT(auth_key_cert, auth_cert);
347 }
348
349 return signing_key_changed;
350 err:
351 ed25519_keypair_free(id);
352 ed25519_keypair_free(sign);
353 ed25519_keypair_free(auth);
354 tor_cert_free(sign_cert);
355 tor_cert_free(auth_cert);
356 return -1;
357}
358
359/**
360 * Retrieve our currently-in-use Ed25519 link certificate and id certificate,
361 * and, if they would expire soon (based on the time <b>now</b>, generate new
362 * certificates (without embedding the public part of the signing key inside).
363 * If <b>force</b> is true, always generate a new certificate.
364 *
365 * The signed_key from the current id->signing certificate will be used to
366 * sign the new key within newly generated X509 certificate.
367 *
368 * Returns -1 upon error. Otherwise, returns 0 upon success (either when the
369 * current certificate is still valid, or when a new certificate was
370 * successfully generated, or no certificate was needed).
371 */
372int
373generate_ed_link_cert(const or_options_t *options, time_t now,
374 int force)
375{
376 const tor_x509_cert_t *link_ = NULL, *id = NULL;
377 tor_cert_t *link_cert = NULL;
378
379 if (tor_tls_get_my_certs(1, &link_, &id) < 0 || link_ == NULL) {
380 if (!server_mode(options)) {
381 /* No need to make an Ed25519->Link cert: we are a client */
382 return 0;
383 }
384 log_warn(LD_OR, "Can't get my x509 link cert.");
385 return -1;
386 }
387
388 const common_digests_t *digests = tor_x509_cert_get_cert_digests(link_);
389
390 if (force == 0 &&
391 link_cert_cert &&
392 ! EXPIRES_SOON(link_cert_cert, options->TestingLinkKeySlop) &&
393 fast_memeq(digests->d[DIGEST_SHA256], link_cert_cert->signed_key.pubkey,
394 DIGEST256_LEN)) {
395 return 0;
396 }
397
398 link_cert = tor_cert_create_raw(get_master_signing_keypair(),
399 CERT_TYPE_SIGNING_LINK,
400 SIGNED_KEY_TYPE_SHA256_OF_X509,
401 (const uint8_t*)digests->d[DIGEST_SHA256],
402 now,
403 options->TestingLinkCertLifetime, 0);
404
405 if (link_cert) {
406 SET_CERT(link_cert_cert, link_cert);
407 }
408 return 0;
409}
410
411#undef FAIL
412#undef SET_KEY
413#undef SET_CERT
414
415/**
416 * Return 1 if any of the following are true:
417 *
418 * - if one of our Ed25519 signing, auth, or link certificates would expire
419 * soon w.r.t. the time <b>now</b>,
420 * - if we do not currently have a link certificate, or
421 * - if our cached Ed25519 link certificate is not same as the one we're
422 * currently using.
423 *
424 * Otherwise, returns 0.
425 */
426int
427should_make_new_ed_keys(const or_options_t *options, const time_t now)
428{
429 if (!master_identity_key ||
430 !master_signing_key ||
431 !current_auth_key ||
432 !link_cert_cert ||
433 EXPIRES_SOON(signing_key_cert, options->TestingSigningKeySlop) ||
434 EXPIRES_SOON(auth_key_cert, options->TestingAuthKeySlop) ||
435 EXPIRES_SOON(link_cert_cert, options->TestingLinkKeySlop))
436 return 1;
437
438 const tor_x509_cert_t *link_ = NULL, *id = NULL;
439
440 if (tor_tls_get_my_certs(1, &link_, &id) < 0 || link_ == NULL)
441 return 1;
442
443 const common_digests_t *digests = tor_x509_cert_get_cert_digests(link_);
444
445 if (!fast_memeq(digests->d[DIGEST_SHA256],
446 link_cert_cert->signed_key.pubkey,
447 DIGEST256_LEN)) {
448 return 1;
449 }
450
451 return 0;
452}
453
454#undef EXPIRES_SOON
455#undef HAPPENS_SOON
456
457#ifdef TOR_UNIT_TESTS
458/* Helper for unit tests: populate the ed25519 keys without saving or
459 * loading */
460void
461init_mock_ed_keys(const crypto_pk_t *rsa_identity_key)
462{
463 routerkeys_free_all();
464
465#define MAKEKEY(k) \
466 k = tor_malloc_zero(sizeof(*k)); \
467 if (ed25519_keypair_generate(k, 0) < 0) { \
468 log_warn(LD_BUG, "Couldn't make a keypair"); \
469 goto err; \
470 }
471 MAKEKEY(master_identity_key);
472 MAKEKEY(master_signing_key);
473 MAKEKEY(current_auth_key);
474#define MAKECERT(cert, signing, signed_, type, flags) \
475 cert = tor_cert_create_ed25519(signing, \
476 type, \
477 &signed_->pubkey, \
478 time(NULL), 86400, \
479 flags); \
480 if (!cert) { \
481 log_warn(LD_BUG, "Couldn't make a %s certificate!", #cert); \
482 goto err; \
483 }
484
485 MAKECERT(signing_key_cert,
486 master_identity_key, master_signing_key, CERT_TYPE_ID_SIGNING,
487 CERT_FLAG_INCLUDE_SIGNING_KEY);
488 MAKECERT(auth_key_cert,
489 master_signing_key, current_auth_key, CERT_TYPE_SIGNING_AUTH, 0);
490
491 if (generate_ed_link_cert(get_options(), time(NULL), 0) < 0) {
492 log_warn(LD_BUG, "Couldn't make link certificate");
493 goto err;
494 }
495
496 rsa_ed_crosscert_len = tor_make_rsa_ed25519_crosscert(
497 &master_identity_key->pubkey,
498 rsa_identity_key,
499 time(NULL)+86400,
500 &rsa_ed_crosscert);
501
502 return;
503
504 err:
505 routerkeys_free_all();
507}
508#undef MAKEKEY
509#undef MAKECERT
510#endif /* defined(TOR_UNIT_TESTS) */
511
512/**
513 * Print the ISO8601-formated <b>expiration</b> for a certificate with
514 * some <b>description</b> to stdout.
515 *
516 * For example, for a signing certificate, this might print out:
517 * signing-cert-expiry: 2017-07-25 08:30:15 UTC
518 */
519static void
520print_cert_expiration(const char *expiration,
521 const char *description)
522{
523 fprintf(stderr, "%s-cert-expiry: %s\n", description, expiration);
524}
525
526/**
527 * Log when a certificate, <b>cert</b>, with some <b>description</b> and
528 * stored in a file named <b>fname</b>, is going to expire. Formats the expire
529 * time according to <b>time_format</b>.
530 */
531static void
533 const char *description,
534 const char *fname,
535 key_expiration_format_t time_format) {
536 if (BUG(!cert)) { /* If the specified key hasn't been loaded */
537 log_warn(LD_OR, "No %s key loaded; can't get certificate expiration.",
538 description);
539 } else {
540 char expiration[ISO_TIME_LEN+1];
541 switch (time_format) {
542 case KEY_EXPIRATION_FORMAT_ISO8601:
543 format_local_iso_time(expiration, cert->valid_until);
544 break;
545
546 case KEY_EXPIRATION_FORMAT_TIMESTAMP:
547 tor_snprintf(expiration, sizeof(expiration), "%"PRId64,
548 (int64_t) cert->valid_until);
549 break;
550
551 default:
552 log_err(LD_BUG, "Unknown time format value: %d.", time_format);
553 return;
554 }
555 log_notice(LD_OR, "The %s certificate stored in %s is valid until %s.",
556 description, fname, expiration);
557 print_cert_expiration(expiration, description);
558 }
559}
560
561/**
562 * Log when our master signing key certificate expires. Used when tor is given
563 * the --key-expiration command-line option.
564 *
565 * Returns 0 on success and 1 on failure.
566 */
567static int
569{
570 const tor_cert_t *signing_key;
571 char *fn = NULL;
572 int failed = 0;
573 time_t now = approx_time();
574
575 fn = options_get_keydir_fname(options, "ed25519_signing_cert");
576
577 /* Try to grab our cached copy of the key. */
578 signing_key = get_master_signing_key_cert();
579
581
582 /* Load our keys from disk, if necessary. */
583 if (!signing_key) {
584 failed = load_ed_keys(options, now) < 0;
585 signing_key = get_master_signing_key_cert();
586 }
587
588 /* If we do have a signing key, log the expiration time. */
589 if (signing_key) {
590 key_expiration_format_t time_format = options->key_expiration_format;
591 log_ed_cert_expiration(signing_key, "signing", fn, time_format);
592 } else {
593 log_warn(LD_OR, "Could not load signing key certificate from %s, so " \
594 "we couldn't learn anything about certificate expiration.", fn);
595 }
596
597 tor_free(fn);
598
599 return failed;
600}
601
602/**
603 * Log when a key certificate expires. Used when tor is given the
604 * --key-expiration command-line option.
605 *
606 * If an command argument is given, which should specify the type of
607 * key to get expiry information about (currently supported arguments
608 * are "sign"), get info about that type of certificate. Otherwise,
609 * print info about the supported arguments.
610 *
611 * Returns 0 on success and -1 on failure.
612 */
613int
615{
616 const or_options_t *options = get_options();
617 const char *arg = options->command_arg;
618
619 if (!strcmp(arg, "sign")) {
621 } else {
622 fprintf(stderr, "No valid argument to --key-expiration found!\n");
623 fprintf(stderr, "Currently recognised arguments are: 'sign'\n");
624
625 return -1;
626 }
627}
628
630get_master_identity_key(void)
631{
632 if (!master_identity_key)
633 return NULL;
634 return &master_identity_key->pubkey;
635}
636
637/** Return true iff <b>id</b> is our Ed25519 master identity key. */
638int
640{
641 return id && master_identity_key &&
642 ed25519_pubkey_eq(id, &master_identity_key->pubkey);
643}
644
645#ifdef TOR_UNIT_TESTS
646/* only exists for the unit tests, since otherwise the identity key
647 * should be used to sign nothing but the signing key. */
648const ed25519_keypair_t *
649get_master_identity_keypair(void)
650{
651 return master_identity_key;
652}
653#endif /* defined(TOR_UNIT_TESTS) */
654
656get_master_signing_keypair,(void))
657{
658 return master_signing_key;
659}
660
661MOCK_IMPL(const struct tor_cert_st *,
662get_master_signing_key_cert,(void))
663{
664 return signing_key_cert;
665}
666
667const ed25519_keypair_t *
668get_current_auth_keypair(void)
669{
670 return current_auth_key;
671}
672
673const tor_cert_t *
674get_current_link_cert_cert(void)
675{
676 return link_cert_cert;
677}
678
679const tor_cert_t *
680get_current_auth_key_cert(void)
681{
682 return auth_key_cert;
683}
684
685/**
686 * Suffix for the filenames in which we expect to find a family ID key.
687 */
688#define FAMILY_KEY_SUFFIX ".secret_family_key"
689
690/**
691 * Return true if `fname` is a possible filename of a family ID key.
692 *
693 * Family ID key filenames are FAMILY_KEY_FNAME, followed optionally
694 * by "." and a positive integer.
695 */
696STATIC bool
697is_family_key_fname(const char *fname)
698{
699 return 0 == strcmpend(fname, FAMILY_KEY_SUFFIX);
700}
701
702/** Return true if `id` is configured in `options`. */
703static bool
705 const ed25519_public_key_t *id)
706{
707 if (options->AllFamilyIdsExpected)
708 return true;
709
710 SMARTLIST_FOREACH(options->FamilyIds, const ed25519_public_key_t *, k, {
711 if (ed25519_pubkey_eq(k, id))
712 return true;
713 });
714 return false;
715}
716
717/** Return true if the key for `id` has been loaded. */
718static bool
720{
721 if (!family_id_keys)
722 return false;
723
724 SMARTLIST_FOREACH(family_id_keys, const ed25519_keypair_t *, kp, {
725 if (ed25519_pubkey_eq(&kp->pubkey, id))
726 return true;
727 });
728 return false;
729}
730
731/**
732 * Tag to use on family key files.
733 */
734#define FAMILY_KEY_FILE_TAG "fmly-id"
735
736/** Return a list of all the possible family-key files in `keydir`.
737 * Return NULL on error.
738 *
739 * (Unlike list_family_key_files, this function does not use a cached
740 * list when the seccomp2 sandbox is enabled.) */
741static smartlist_t *
742list_family_key_files_impl(const char *keydir)
743{
744 smartlist_t *files = tor_listdir(keydir);
745 smartlist_t *result = smartlist_new();
746
747 if (!files) {
748 log_warn(LD_OR, "Unable to list contents of directory %s", keydir);
749 goto err;
750 }
751
752 SMARTLIST_FOREACH_BEGIN(files, const char *, fn) {
753 if (!is_family_key_fname(fn))
754 continue;
755
756 smartlist_add_asprintf(result, "%s%s%s", keydir, PATH_SEPARATOR, fn);
757 } SMARTLIST_FOREACH_END(fn);
758
759 goto done;
760 err:
761 SMARTLIST_FOREACH(result, char *, cp, tor_free(cp));
762 smartlist_free(result); // sets result to NULL.
763 done:
764 if (files) {
765 SMARTLIST_FOREACH(files, char *, cp, tor_free(cp));
766 smartlist_free(files);
767 }
768
769 return result;
770}
771
772/**
773 * A list of files returned by list_family_key_files_impl.
774 * Used when the seccomp2 sandbox is enabled.
775 */
777
778/** Return a list of all the possible family-key files in `keydir`.
779 * Return NULL on error.
780 */
783 const char *keydir)
784{
785 if (options->Sandbox) {
789 return NULL;
790
791 smartlist_t *result = smartlist_new();
793 smartlist_add_strdup(result, fn));
794 return result;
795 }
796
797 return list_family_key_files_impl(keydir);
798}
799
800/**
801 * Look for all the family keys in `keydir`, load them into
802 * family_id_keys.
803 */
804STATIC int
806 const char *keydir)
807{
808 if (BUG(!options) || BUG(!keydir))
809 return -1;
810
811 smartlist_t *key_files = list_family_key_files(options, keydir);
812 smartlist_t *new_keys = NULL;
813 ed25519_keypair_t *kp_tmp = NULL;
814 char *tag_tmp = NULL;
815 int r = -1;
816
817 if (key_files == NULL) {
818 goto end; // already warned.
819 }
820
821 new_keys = smartlist_new();
822 SMARTLIST_FOREACH_BEGIN(key_files, const char *, fn) {
823 kp_tmp = tor_malloc_zero(sizeof(*kp_tmp));
824 // TODO: If we ever allow cert provisioning here,
825 // use ed_key_init_from_file() instead.
826 if (ed25519_seckey_read_from_file(&kp_tmp->seckey, &tag_tmp, fn) < 0) {
827 log_warn(LD_OR, "%s was not an ed25519 secret key.", fn);
828 goto end;
829 }
830 if (0 != strcmp(tag_tmp, FAMILY_KEY_FILE_TAG)) {
831 log_warn(LD_OR, "%s was not a family ID key.", fn);
832 goto end;
833 }
834 if (ed25519_public_key_generate(&kp_tmp->pubkey, &kp_tmp->seckey) < 0) {
835 log_warn(LD_OR, "Unable to generate public key for %s", fn);
836 goto end;
837 }
838
839 if (family_key_id_is_expected(options, &kp_tmp->pubkey)) {
840 smartlist_add(new_keys, kp_tmp);
841 kp_tmp = NULL; // prevent double-free
842 } else {
843 log_warn(LD_OR, "Found secret family key in %s "
844 "with unexpected FamilyID %s",
845 fn, ed25519_fmt(&kp_tmp->pubkey));
846 }
847
848 ed25519_keypair_free(kp_tmp);
849 tor_free(tag_tmp);
850 } SMARTLIST_FOREACH_END(fn);
851
852 set_family_id_keys(new_keys);
853 new_keys = NULL; // prevent double-free
854 r = 0;
855 end:
856 if (key_files) {
857 SMARTLIST_FOREACH(key_files, char *, cp, tor_free(cp));
858 smartlist_free(key_files);
859 }
860 if (new_keys) {
861 SMARTLIST_FOREACH(new_keys, ed25519_keypair_t *, kp,
862 ed25519_keypair_free(kp));
863 smartlist_free(new_keys);
864 }
865 tor_free(tag_tmp);
866 ed25519_keypair_free(kp_tmp);
867 return r;
868}
869
870/**
871 * Create a new family ID key, and store it in `fname`.
872 *
873 * If pk_out is provided, set it to the generated public key.
874 **/
875int
877{
878 int r = -1;
879 ed25519_keypair_t *kp = tor_malloc_zero(sizeof(ed25519_keypair_t));
880 if (ed25519_keypair_generate(kp, 1) < 0) {
881 log_warn(LD_BUG, "Can't generate ed25519 key!");
882 goto done;
883 }
884
885 if (ed25519_seckey_write_to_file(&kp->seckey,
886 fname, FAMILY_KEY_FILE_TAG)<0) {
887 log_warn(LD_BUG, "Can't write key to file.");
888 goto done;
889 }
890
891 if (pk_out) {
892 ed25519_pubkey_copy(pk_out, &kp->pubkey);
893 }
894
895 r = 0;
896
897 done:
898 ed25519_keypair_free(kp);
899 return r;
900}
901
902/**
903 * If configured to do so, load our family keys from the key directory.
904 * Otherwise, clear the family keys.
905 *
906 * Additionally, warn about inconsistencies between family options.
907 * If `ns` is provided, provide additional warnings.
908 *
909 * `options` is required; `ns` may be NULL.
910 */
911int
913 const networkstatus_t *ns)
914{
915 if (options->FamilyIds) {
916 if (load_family_id_keys_impl(options, options->FamilyKeyDirectory) < 0)
917 return -1;
918
919 bool any_missing = false;
921 const ed25519_public_key_t *, id) {
922 if (!family_key_is_present(id)) {
923 log_err(LD_OR, "No key was found for listed FamilyID %s",
924 ed25519_fmt(id));
925 any_missing = true;
926 }
927 } SMARTLIST_FOREACH_END(id);
928 if (any_missing)
929 return -1;
930
931 log_info(LD_OR, "Found %d family ID keys",
932 smartlist_len(get_current_family_id_keys()));
933 } else {
934 set_family_id_keys(NULL);
935 }
936 warn_about_family_id_config(options, ns);
937 return 0;
938}
939
940#define FAMILY_INFO_URL \
941 "https://community.torproject.org/relay/setup/post-install/family-ids/"
942
943/** Generate warnings as appropriate about our family ID configuration.
944 *
945 * `options` is required; `ns` may be NULL.
946 */
947void
949 const networkstatus_t *ns)
950{
951 static int have_warned_absent_myfamily = 0;
952 static int have_warned_absent_familykeys = 0;
953
954 if (options->FamilyIds) {
955 if (!have_warned_absent_myfamily &&
956 !options->MyFamily && ns && should_publish_family_list(ns)) {
957 log_warn(LD_OR,
958 "FamilyId was configured, but MyFamily was not. "
959 "FamilyId is good, but the Tor network still requires "
960 "MyFamily while clients are migrating to use family "
961 "keys instead.");
962 have_warned_absent_myfamily = 1;
963 }
964 } else {
965 if (!have_warned_absent_familykeys &&
966 options->MyFamily &&
968 log_notice(LD_OR,
969 "MyFamily was configured, but FamilyId was not. "
970 "It's a good time to start migrating your relays "
971 "to use family keys. "
972 "See "FAMILY_INFO_URL " for instructions.");
973 have_warned_absent_familykeys = 1;
974 }
975 }
976}
977
978/**
979 * Return a list of our current family id keypairs,
980 * as a list of `ed25519_keypair_t`.
981 *
982 * Never returns NULL.
983 *
984 * TODO PROP321: Right now this is only used in testing;
985 * when we add relay support we'll need a way to actually
986 * read these keys from disk.
987 **/
988const smartlist_t *
990{
991 if (family_id_keys == NULL)
992 family_id_keys = smartlist_new();
993 return family_id_keys;
994}
995
996/**
997 * Replace our list of family ID keys with `family_id_keys`,
998 * which must be a list of `ed25519_keypair_t`.
999 *
1000 * Takes ownership of its input.
1001 */
1002STATIC void
1004{
1005 if (family_id_keys) {
1006 SMARTLIST_FOREACH(family_id_keys, ed25519_keypair_t *, kp,
1007 ed25519_keypair_free(kp));
1008 smartlist_free(family_id_keys);
1009 }
1010 family_id_keys = keys;
1011}
1012
1013void
1014get_master_rsa_crosscert(const uint8_t **cert_out,
1015 size_t *size_out)
1016{
1017 *cert_out = rsa_ed_crosscert;
1018 *size_out = rsa_ed_crosscert_len;
1019}
1020
1021/** Construct cross-certification for the master identity key with
1022 * the ntor onion key. Store the sign of the corresponding ed25519 public key
1023 * in *<b>sign_out</b>. */
1024tor_cert_t *
1026 const ed25519_public_key_t *master_id_key, time_t now, time_t lifetime,
1027 int *sign_out)
1028{
1029 tor_cert_t *cert = NULL;
1030 ed25519_keypair_t ed_onion_key;
1031
1032 if (ed25519_keypair_from_curve25519_keypair(&ed_onion_key, sign_out,
1033 onion_key) < 0)
1034 goto end;
1035
1036 cert = tor_cert_create_ed25519(&ed_onion_key, CERT_TYPE_ONION_ID,
1037 master_id_key, now, lifetime, 0);
1038
1039 end:
1040 memwipe(&ed_onion_key, 0, sizeof(ed_onion_key));
1041 return cert;
1042}
1043
1044/** Construct and return an RSA signature for the TAP onion key to
1045 * cross-certify the RSA and Ed25519 identity keys. Set <b>len_out</b> to its
1046 * length. */
1047uint8_t *
1049 const ed25519_public_key_t *master_id_key,
1050 const crypto_pk_t *rsa_id_key,
1051 int *len_out)
1052{
1053 uint8_t signature[PK_BYTES];
1054 uint8_t signed_data[DIGEST_LEN + ED25519_PUBKEY_LEN];
1055
1056 *len_out = 0;
1057 if (crypto_pk_get_digest(rsa_id_key, (char*)signed_data) < 0) {
1058 log_info(LD_OR, "crypto_pk_get_digest failed in "
1059 "make_tap_onion_key_crosscert!");
1060 return NULL;
1061 }
1062 memcpy(signed_data + DIGEST_LEN, master_id_key->pubkey, ED25519_PUBKEY_LEN);
1063
1064 int r = crypto_pk_private_sign(onion_key,
1065 (char*)signature, sizeof(signature),
1066 (const char*)signed_data, sizeof(signed_data));
1067 if (r < 0) {
1068 /* It's probably missing the private key */
1069 log_info(LD_OR, "crypto_pk_private_sign failed in "
1070 "make_tap_onion_key_crosscert!");
1071 return NULL;
1072 }
1073
1074 *len_out = r;
1075
1076 return tor_memdup(signature, r);
1077}
1078
1079void
1080routerkeys_free_all(void)
1081{
1082 ed25519_keypair_free(master_identity_key);
1083 ed25519_keypair_free(master_signing_key);
1084 ed25519_keypair_free(current_auth_key);
1085 set_family_id_keys(NULL);
1086
1087 tor_cert_free(signing_key_cert);
1088 tor_cert_free(link_cert_cert);
1089 tor_cert_free(auth_key_cert);
1090 tor_free(rsa_ed_crosscert);
1091
1094 smartlist_free(cached_family_key_file_list);
1095 }
1096
1097 master_identity_key = master_signing_key = NULL;
1098 current_auth_key = NULL;
1099 signing_key_cert = link_cert_cert = auth_key_cert = NULL;
1100 rsa_ed_crosscert = NULL; // redundant
1101 rsa_ed_crosscert_len = 0;
1102}
time_t approx_time(void)
Definition: approx_time.c:32
int create_keys_directory(const or_options_t *options)
Definition: config.c:1410
const or_options_t * get_options(void)
Definition: config.c:947
Header file for config.c.
#define options_get_keydir_fname(options, sub1)
Definition: config.h:130
void ed25519_pubkey_copy(ed25519_public_key_t *dest, const ed25519_public_key_t *src)
int ed25519_public_key_generate(ed25519_public_key_t *pubkey_out, const ed25519_secret_key_t *seckey)
int ed25519_seckey_read_from_file(ed25519_secret_key_t *seckey_out, char **tag_out, const char *filename)
int ed25519_keypair_generate(ed25519_keypair_t *keypair_out, int extra_strong)
int ed25519_pubkey_write_to_file(const ed25519_public_key_t *pubkey, const char *filename, const char *tag)
int ed25519_seckey_write_to_file(const ed25519_secret_key_t *seckey, const char *filename, const char *tag)
int ed25519_keypair_from_curve25519_keypair(ed25519_keypair_t *out, int *signbit_out, const curve25519_keypair_t *inp)
int ed25519_pubkey_eq(const ed25519_public_key_t *key1, const ed25519_public_key_t *key2)
const char * ed25519_fmt(const ed25519_public_key_t *pkey)
Header for crypto_format.c.
int crypto_pk_get_digest(const crypto_pk_t *pk, char *digest_out)
Definition: crypto_rsa.c:356
#define PK_BYTES
Definition: crypto_rsa.h:24
int crypto_pk_private_sign(const crypto_pk_t *env, char *to, size_t tolen, const char *from, size_t fromlen)
void memwipe(void *mem, uint8_t byte, size_t sz)
Definition: crypto_util.c:55
Common functions for cryptographic routines.
int tor_memeq(const void *a, const void *b, size_t sz)
Definition: di_ops.c:107
int safe_mem_is_zero(const void *mem, size_t sz)
Definition: di_ops.c:224
#define fast_memeq(a, b, c)
Definition: di_ops.h:35
#define DIGEST_LEN
Definition: digest_sizes.h:20
#define DIGEST256_LEN
Definition: digest_sizes.h:23
smartlist_t * tor_listdir(const char *dirname)
Definition: dir.c:307
Header file for dirvote.c.
#define MIN_METHOD_FOR_FAMILY_IDS
Definition: dirvote.h:74
ed25519_keypair_t * ed_key_new(const ed25519_keypair_t *signing_key, uint32_t flags, time_t now, time_t lifetime, uint8_t cert_type, struct tor_cert_st **cert_out)
Definition: loadkey.c:719
ed25519_keypair_t * ed_key_init_from_file(const char *fname, uint32_t flags, int severity, const ed25519_keypair_t *signing_key, time_t now, time_t lifetime, uint8_t cert_type, struct tor_cert_st **cert_out, const or_options_t *options)
Definition: loadkey.c:379
Header file for loadkey.c.
#define log_fn_ratelim(ratelim, severity, domain, args,...)
Definition: log.h:288
#define LD_OR
Definition: log.h:92
#define LD_BUG
Definition: log.h:86
#define LOG_WARN
Definition: log.h:53
#define LOG_INFO
Definition: log.h:45
#define tor_free(p)
Definition: malloc.h:56
Networkstatus consensus/vote structure.
Master header file for Tor-specific functionality.
key_expiration_format_t
Definition: or_options_st.h:58
int tor_snprintf(char *str, size_t size, const char *format,...)
Definition: printf.c:27
bool should_publish_family_list(const networkstatus_t *ns)
Definition: router.c:2549
int server_identity_key_is_set(void)
Definition: router.c:436
Header file for router.c.
static bool family_key_id_is_expected(const or_options_t *options, const ed25519_public_key_t *id)
Definition: routerkeys.c:704
STATIC void set_family_id_keys(smartlist_t *keys)
Definition: routerkeys.c:1003
int load_ed_keys(const or_options_t *options, time_t now)
Definition: routerkeys.c:63
int should_make_new_ed_keys(const or_options_t *options, const time_t now)
Definition: routerkeys.c:427
int router_ed25519_id_is_me(const ed25519_public_key_t *id)
Definition: routerkeys.c:639
static smartlist_t * cached_family_key_file_list
Definition: routerkeys.c:776
STATIC int load_family_id_keys_impl(const or_options_t *options, const char *keydir)
Definition: routerkeys.c:805
static int log_master_signing_key_cert_expiration(const or_options_t *options)
Definition: routerkeys.c:568
STATIC bool is_family_key_fname(const char *fname)
Definition: routerkeys.c:697
void warn_about_family_id_config(const or_options_t *options, const networkstatus_t *ns)
Definition: routerkeys.c:948
uint8_t * make_tap_onion_key_crosscert(const crypto_pk_t *onion_key, const ed25519_public_key_t *master_id_key, const crypto_pk_t *rsa_id_key, int *len_out)
Definition: routerkeys.c:1048
smartlist_t * list_family_key_files(const or_options_t *options, const char *keydir)
Definition: routerkeys.c:782
static bool family_key_is_present(const ed25519_public_key_t *id)
Definition: routerkeys.c:719
static void log_ed_cert_expiration(const tor_cert_t *cert, const char *description, const char *fname, key_expiration_format_t time_format)
Definition: routerkeys.c:532
const smartlist_t * get_current_family_id_keys(void)
Definition: routerkeys.c:989
#define FAMILY_KEY_FILE_TAG
Definition: routerkeys.c:734
static void print_cert_expiration(const char *expiration, const char *description)
Definition: routerkeys.c:520
tor_cert_t * make_ntor_onion_key_crosscert(const curve25519_keypair_t *onion_key, const ed25519_public_key_t *master_id_key, time_t now, time_t lifetime, int *sign_out)
Definition: routerkeys.c:1025
static smartlist_t * list_family_key_files_impl(const char *keydir)
Definition: routerkeys.c:742
int create_family_id_key(const char *fname, ed25519_public_key_t *pk_out)
Definition: routerkeys.c:876
int log_cert_expiration(void)
Definition: routerkeys.c:614
int generate_ed_link_cert(const or_options_t *options, time_t now, int force)
Definition: routerkeys.c:373
#define FAMILY_KEY_SUFFIX
Definition: routerkeys.c:688
int load_family_id_keys(const or_options_t *options, const networkstatus_t *ns)
Definition: routerkeys.c:912
Header for routerkeys.c.
int server_mode(const or_options_t *options)
Definition: routermode.c:34
Header file for routermode.c.
void smartlist_add_asprintf(struct smartlist_t *sl, const char *pattern,...)
Definition: smartlist.c:36
void smartlist_add_strdup(struct smartlist_t *sl, const char *string)
smartlist_t * smartlist_new(void)
void smartlist_add(smartlist_t *sl, void *element)
#define SMARTLIST_FOREACH_BEGIN(sl, type, var)
#define SMARTLIST_FOREACH(sl, type, var, cmd)
char d[N_COMMON_DIGEST_ALGORITHMS][DIGEST256_LEN]
Definition: crypto_digest.h:89
uint8_t seckey[ED25519_SECKEY_LEN]
struct config_line_t * MyFamily
char * command_arg
Definition: or_options_st.h:69
char * FamilyKeyDirectory
Definition: or_options_st.h:94
int TestingAuthKeyLifetime
bool AllFamilyIdsExpected
int TestingLinkCertLifetime
int SigningKeyLifetime
int TestingSigningKeySlop
tor_cmdline_mode_t command
Definition: or_options_st.h:68
struct smartlist_t * FamilyIds
ed25519_public_key_t signing_key
Definition: torcert.h:36
time_t valid_until
Definition: torcert.h:38
ed25519_public_key_t signed_key
Definition: torcert.h:33
unsigned signing_key_included
Definition: torcert.h:48
#define STATIC
Definition: testsupport.h:32
#define MOCK_IMPL(rv, funcname, arglist)
Definition: testsupport.h:133
void format_local_iso_time(char *buf, time_t t)
Definition: time_fmt.c:316
@ CMD_KEYGEN
ssize_t tor_make_rsa_ed25519_crosscert(const ed25519_public_key_t *ed_key, const crypto_pk_t *rsa_key, time_t expires, uint8_t **cert)
Definition: torcert.c:331
int tor_cert_checksig(tor_cert_t *cert, const ed25519_public_key_t *pubkey, time_t now)
Definition: torcert.c:244
tor_cert_t * tor_cert_create_ed25519(const ed25519_keypair_t *signing_key, uint8_t cert_type, const ed25519_public_key_t *signed_key, time_t now, time_t lifetime, uint32_t flags)
Definition: torcert.c:131
const char * tor_cert_describe_signature_status(const tor_cert_t *cert)
Definition: torcert.c:279
tor_cert_t * tor_cert_create_raw(const ed25519_keypair_t *signing_key, uint8_t cert_type, uint8_t signed_key_type, const uint8_t signed_key_info[32], time_t now, time_t lifetime, uint32_t flags)
Definition: torcert.c:44
Header for torcert.c.
int tor_tls_get_my_certs(int server, const tor_x509_cert_t **link_cert_out, const tor_x509_cert_t **id_cert_out)
Definition: tortls.c:76
Headers for tortls.c.
#define tor_assert_nonfatal_unreached()
Definition: util_bug.h:177
#define tor_assert(expr)
Definition: util_bug.h:103
int strcmpend(const char *s1, const char *s2)
Definition: util_string.c:253
#define ED25519_SECKEY_LEN
Definition: x25519_sizes.h:29
#define ED25519_PUBKEY_LEN
Definition: x25519_sizes.h:27
Headers for tortls.c.
const common_digests_t * tor_x509_cert_get_cert_digests(const tor_x509_cert_t *cert)
Definition: x509.c:69