router.c

/* Copyright (c) 2001 Matej Pfajfar.
 * Copyright (c) 2001-2004, Roger Dingledine.
 * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
 * Copyright (c) 2007-2016, The Tor Project, Inc. */
/* See LICENSE for licensing information */

#define ROUTER_PRIVATE

#include "or.h"
#include "circuitbuild.h"
#include "circuitlist.h"
#include "circuituse.h"
#include "config.h"
#include "connection.h"
#include "control.h"
#include "crypto_curve25519.h"
#include "directory.h"
#include "dirserv.h"
#include "dns.h"
#include "geoip.h"
#include "hibernate.h"
#include "main.h"
#include "networkstatus.h"
#include "nodelist.h"
#include "policies.h"
#include "protover.h"
#include "relay.h"
#include "rephist.h"
#include "router.h"
#include "routerkeys.h"
#include "routerlist.h"
#include "routerparse.h"
#include "statefile.h"
#include "torcert.h"
#include "transports.h"
#include "routerset.h"

/**
 * \file router.c
 * \brief Miscellaneous relay functionality, including RSA key maintenance,
 * generating and uploading server descriptors, picking an address to
 * advertise, and so on.
 *
 * This module handles the job of deciding whether we are a Tor relay, and if
 * so what kind. (Mostly through functions like server_mode() that inspect an
 * or_options_t, but in some cases based on our own capabilities, such as when
 * we are deciding whether to be a directory cache in
 * router_has_bandwidth_to_be_dirserver().)
 *
 * Also in this module are the functions to generate our own routerinfo_t and
 * extrainfo_t, and to encode those to signed strings for upload to the
 * directory authorities.
 *
 * This module also handles key maintenance for RSA and Curve25519-ntor keys,
 * and for our TLS context. (These functions should eventually move to
 * routerkeys.c along with the code that handles Ed25519 keys now.)
 **/

/************************************************************/

/*****
 * Key management: ORs only.
 *****/

/** Private keys for this OR.  There is also an SSL key managed by tortls.c.
 */
static tor_mutex_t *key_lock=NULL;
static time_t onionkey_set_at=0; /**< When was onionkey last changed? */
/** Current private onionskin decryption key: used to decode CREATE cells. */
static crypto_pk_t *onionkey=NULL;
/** Previous private onionskin decryption key: used to decode CREATE cells
 * generated by clients that have an older version of our descriptor. */
static crypto_pk_t *lastonionkey=NULL;
/** Current private ntor secret key: used to perform the ntor handshake. */
static curve25519_keypair_t curve25519_onion_key;
/** Previous private ntor secret key: used to perform the ntor handshake
 * with clients that have an older version of our descriptor. */
static curve25519_keypair_t last_curve25519_onion_key;
/** Private server "identity key": used to sign directory info and TLS
 * certificates. Never changes. */
static crypto_pk_t *server_identitykey=NULL;
/** Digest of server_identitykey. */
static char server_identitykey_digest[DIGEST_LEN];
/** Private client "identity key": used to sign bridges' and clients'
 * outbound TLS certificates. Regenerated on startup and on IP address
 * change. */
static crypto_pk_t *client_identitykey=NULL;
/** Signing key used for v3 directory material; only set for authorities. */
static crypto_pk_t *authority_signing_key = NULL;
/** Key certificate to authenticate v3 directory material; only set for
 * authorities. */
static authority_cert_t *authority_key_certificate = NULL;

/** For emergency V3 authority key migration: An extra signing key that we use
 * with our old (obsolete) identity key for a while. */
static crypto_pk_t *legacy_signing_key = NULL;
/** For emergency V3 authority key migration: An extra certificate to
 * authenticate legacy_signing_key with our obsolete identity key.*/
static authority_cert_t *legacy_key_certificate = NULL;

/* (Note that v3 authorities also have a separate "authority identity key",
 * but this key is never actually loaded by the Tor process.  Instead, it's
 * used by tor-gencert to sign new signing keys and make new key
 * certificates. */

/** Replace the current onion key with <b>k</b>.  Does not affect
 * lastonionkey; to update lastonionkey correctly, call rotate_onion_key().
 */
static void
set_onion_key(crypto_pk_t *k)
{
  if (onionkey && crypto_pk_eq_keys(onionkey, k)) {
    /* k is already our onion key; free it and return */
    crypto_pk_free(k);
    return;
  }
  tor_mutex_acquire(key_lock);
  crypto_pk_free(onionkey);
  onionkey = k;
  tor_mutex_release(key_lock);
  mark_my_descriptor_dirty("set onion key");
}

/** Return the current onion key.  Requires that the onion key has been
 * loaded or generated. */
crypto_pk_t *
get_onion_key(void)
{
  tor_assert(onionkey);
  return onionkey;
}

/** Store a full copy of the current onion key into *<b>key</b>, and a full
 * copy of the most recent onion key into *<b>last</b>.
 */
void
dup_onion_keys(crypto_pk_t **key, crypto_pk_t **last)
{
  tor_assert(key);
  tor_assert(last);
  tor_mutex_acquire(key_lock);
  tor_assert(onionkey);
  *key = crypto_pk_copy_full(onionkey);
  if (lastonionkey)
    *last = crypto_pk_copy_full(lastonionkey);
  else
    *last = NULL;
  tor_mutex_release(key_lock);
}

/** Return the current secret onion key for the ntor handshake. Must only
 * be called from the main thread. */
static const curve25519_keypair_t *
get_current_curve25519_keypair(void)
{
  return &curve25519_onion_key;
}
/** Return a map from KEYID (the key itself) to keypairs for use in the ntor
 * handshake. Must only be called from the main thread. */
di_digest256_map_t *
construct_ntor_key_map(void)
{
  di_digest256_map_t *m = NULL;

  dimap_add_entry(&m,
                  curve25519_onion_key.pubkey.public_key,
                  tor_memdup(&curve25519_onion_key,
                             sizeof(curve25519_keypair_t)));
  if (!tor_mem_is_zero((const char*)
                          last_curve25519_onion_key.pubkey.public_key,
                       CURVE25519_PUBKEY_LEN)) {
    dimap_add_entry(&m,
                    last_curve25519_onion_key.pubkey.public_key,
                    tor_memdup(&last_curve25519_onion_key,
                               sizeof(curve25519_keypair_t)));
  }

  return m;
}
/** Helper used to deallocate a di_digest256_map_t returned by
 * construct_ntor_key_map. */
static void
ntor_key_map_free_helper(void *arg)
{
  curve25519_keypair_t *k = arg;
  memwipe(k, 0, sizeof(*k));
  tor_free(k);
}
/** Release all storage from a keymap returned by construct_ntor_key_map. */
void
ntor_key_map_free(di_digest256_map_t *map)
{
  if (!map)
    return;
  dimap_free(map, ntor_key_map_free_helper);
}

/** Return the time when the onion key was last set.  This is either the time
 * when the process launched, or the time of the most recent key rotation since
 * the process launched.
 */
time_t
get_onion_key_set_at(void)
{
  return onionkey_set_at;
}

/** Set the current server identity key to <b>k</b>.
 */
void
set_server_identity_key(crypto_pk_t *k)
{
  crypto_pk_free(server_identitykey);
  server_identitykey = k;
  crypto_pk_get_digest(server_identitykey, server_identitykey_digest);
}

/** Make sure that we have set up our identity keys to match or not match as
 * appropriate, and die with an assertion if we have not. */
static void
assert_identity_keys_ok(void)
{
  if (1)
    return;
  tor_assert(client_identitykey);
  if (public_server_mode(get_options())) {
    /* assert that we have set the client and server keys to be equal */
    tor_assert(server_identitykey);
    tor_assert(crypto_pk_eq_keys(client_identitykey, server_identitykey));
  } else {
    /* assert that we have set the client and server keys to be unequal */
    if (server_identitykey)
      tor_assert(!crypto_pk_eq_keys(client_identitykey, server_identitykey));
  }
}

/** Returns the current server identity key; requires that the key has
 * been set, and that we are running as a Tor server.
 */
crypto_pk_t *
get_server_identity_key(void)
{
  tor_assert(server_identitykey);
  tor_assert(server_mode(get_options()));
  assert_identity_keys_ok();
  return server_identitykey;
}

/** Return true iff we are a server and the server identity key
 * has been set. */
int
server_identity_key_is_set(void)
{
  return server_mode(get_options()) && server_identitykey != NULL;
}

/** Set the current client identity key to <b>k</b>.
 */
void
set_client_identity_key(crypto_pk_t *k)
{
  crypto_pk_free(client_identitykey);
  client_identitykey = k;
}

/** Returns the current client identity key for use on outgoing TLS
 * connections; requires that the key has been set.
 */
crypto_pk_t *
get_tlsclient_identity_key(void)
{
  tor_assert(client_identitykey);
  assert_identity_keys_ok();
  return client_identitykey;
}

/** Return true iff the client identity key has been set. */
int
client_identity_key_is_set(void)
{
  return client_identitykey != NULL;
}

/** Return the key certificate for this v3 (voting) authority, or NULL
 * if we have no such certificate. */
MOCK_IMPL(authority_cert_t *,
get_my_v3_authority_cert, (void))
{
  return authority_key_certificate;
}

/** Return the v3 signing key for this v3 (voting) authority, or NULL
 * if we have no such key. */
crypto_pk_t *
get_my_v3_authority_signing_key(void)
{
  return authority_signing_key;
}

/** If we're an authority, and we're using a legacy authority identity key for
 * emergency migration purposes, return the certificate associated with that
 * key. */
authority_cert_t *
get_my_v3_legacy_cert(void)
{
  return legacy_key_certificate;
}

/** If we're an authority, and we're using a legacy authority identity key for
 * emergency migration purposes, return that key. */
crypto_pk_t *
get_my_v3_legacy_signing_key(void)
{
  return legacy_signing_key;
}

/** Replace the previous onion key with the current onion key, and generate
 * a new previous onion key.  Immediately after calling this function,
 * the OR should:
 *   - schedule all previous cpuworkers to shut down _after_ processing
 *     pending work.  (This will cause fresh cpuworkers to be generated.)
 *   - generate and upload a fresh routerinfo.
 */
void
rotate_onion_key(void)
{
  char *fname, *fname_prev;
  crypto_pk_t *prkey = NULL;
  or_state_t *state = get_or_state();
  curve25519_keypair_t new_curve25519_keypair;
  time_t now;
  fname = get_datadir_fname2("keys", "secret_onion_key");
  fname_prev = get_datadir_fname2("keys", "secret_onion_key.old");
  /* There isn't much point replacing an old key with an empty file */
  if (file_status(fname) == FN_FILE) {
    if (replace_file(fname, fname_prev))
      goto error;
  }
  if (!(prkey = crypto_pk_new())) {
    log_err(LD_GENERAL,"Error constructing rotated onion key");
    goto error;
  }
  if (crypto_pk_generate_key(prkey)) {
    log_err(LD_BUG,"Error generating onion key");
    goto error;
  }
  if (crypto_pk_write_private_key_to_filename(prkey, fname)) {
    log_err(LD_FS,"Couldn't write generated onion key to \"%s\".", fname);
    goto error;
  }
  tor_free(fname);
  tor_free(fname_prev);
  fname = get_datadir_fname2("keys", "secret_onion_key_ntor");
  fname_prev = get_datadir_fname2("keys", "secret_onion_key_ntor.old");
  if (curve25519_keypair_generate(&new_curve25519_keypair, 1) < 0)
    goto error;
  /* There isn't much point replacing an old key with an empty file */
  if (file_status(fname) == FN_FILE) {
    if (replace_file(fname, fname_prev))
      goto error;
  }
  if (curve25519_keypair_write_to_file(&new_curve25519_keypair, fname,
                                       "onion") < 0) {
    log_err(LD_FS,"Couldn't write curve25519 onion key to \"%s\".",fname);
    goto error;
  }
  log_info(LD_GENERAL, "Rotating onion key");
  tor_mutex_acquire(key_lock);
  crypto_pk_free(lastonionkey);
  lastonionkey = onionkey;
  onionkey = prkey;
  memcpy(&last_curve25519_onion_key, &curve25519_onion_key,
         sizeof(curve25519_keypair_t));
  memcpy(&curve25519_onion_key, &new_curve25519_keypair,
         sizeof(curve25519_keypair_t));
  now = time(NULL);
  state->LastRotatedOnionKey = onionkey_set_at = now;
  tor_mutex_release(key_lock);
  mark_my_descriptor_dirty("rotated onion key");
  or_state_mark_dirty(state, get_options()->AvoidDiskWrites ? now+3600 : 0);
  goto done;
 error:
  log_warn(LD_GENERAL, "Couldn't rotate onion key.");
  if (prkey)
    crypto_pk_free(prkey);
 done:
  memwipe(&new_curve25519_keypair, 0, sizeof(new_curve25519_keypair));
  tor_free(fname);
  tor_free(fname_prev);
}

/** Log greeting message that points to new relay lifecycle document the
 * first time this function has been called.
 */
static void
log_new_relay_greeting(void)
{
  static int already_logged = 0;

  if (already_logged)
    return;

  tor_log(LOG_NOTICE, LD_GENERAL, "You are running a new relay. "
         "Thanks for helping the Tor network! If you wish to know "
         "what will happen in the upcoming weeks regarding its usage, "
         "have a look at https://blog.torproject.org/blog/lifecycle-of"
         "-a-new-relay");

  already_logged = 1;
}

/** Try to read an RSA key from <b>fname</b>.  If <b>fname</b> doesn't exist
 * and <b>generate</b> is true, create a new RSA key and save it in
 * <b>fname</b>.  Return the read/created key, or NULL on error.  Log all
 * errors at level <b>severity</b>. If <b>log_greeting</b> is non-zero and a
 * new key was created, log_new_relay_greeting() is called.
 */
crypto_pk_t *
init_key_from_file(const char *fname, int generate, int severity,
                   int log_greeting)
{
  crypto_pk_t *prkey = NULL;

  if (!(prkey = crypto_pk_new())) {
    tor_log(severity, LD_GENERAL,"Error constructing key");
    goto error;
  }

  switch (file_status(fname)) {
    case FN_DIR:
    case FN_ERROR:
      tor_log(severity, LD_FS,"Can't read key from \"%s\"", fname);
      goto error;
    /* treat empty key files as if the file doesn't exist, and,
     * if generate is set, replace the empty file in
     * crypto_pk_write_private_key_to_filename() */
    case FN_NOENT:
    case FN_EMPTY:
      if (generate) {
        if (!have_lockfile()) {
          if (try_locking(get_options(), 0)<0) {
            /* Make sure that --list-fingerprint only creates new keys
             * if there is no possibility for a deadlock. */
            tor_log(severity, LD_FS, "Another Tor process has locked \"%s\". "
                    "Not writing any new keys.", fname);
            /*XXXX The 'other process' might make a key in a second or two;
             * maybe we should wait for it. */
            goto error;
          }
        }
        log_info(LD_GENERAL, "No key found in \"%s\"; generating fresh key.",
                 fname);
        if (crypto_pk_generate_key(prkey)) {
          tor_log(severity, LD_GENERAL,"Error generating onion key");
          goto error;
        }
        if (crypto_pk_check_key(prkey) <= 0) {
          tor_log(severity, LD_GENERAL,"Generated key seems invalid");
          goto error;
        }
        log_info(LD_GENERAL, "Generated key seems valid");
        if (log_greeting) {
            log_new_relay_greeting();
        }
        if (crypto_pk_write_private_key_to_filename(prkey, fname)) {
          tor_log(severity, LD_FS,
              "Couldn't write generated key to \"%s\".", fname);
          goto error;
        }
      } else {
        tor_log(severity, LD_GENERAL, "No key found in \"%s\"", fname);
        goto error;
      }
      return prkey;
    case FN_FILE:
      if (crypto_pk_read_private_key_from_filename(prkey, fname)) {
        tor_log(severity, LD_GENERAL,"Error loading private key.");
        goto error;
      }
      return prkey;
    default:
      tor_assert(0);
  }

 error:
  if (prkey)
    crypto_pk_free(prkey);
  return NULL;
}

/** Load a curve25519 keypair from the file <b>fname</b>, writing it into
 * <b>keys_out</b>.  If the file isn't found, or is empty, and <b>generate</b>
 * is true, create a new keypair and write it into the file.  If there are
 * errors, log them at level <b>severity</b>. Generate files using <b>tag</b>
 * in their ASCII wrapper. */
static int
init_curve25519_keypair_from_file(curve25519_keypair_t *keys_out,
                                  const char *fname,
                                  int generate,
                                  int severity,
                                  const char *tag)
{
  switch (file_status(fname)) {
    case FN_DIR:
    case FN_ERROR:
      tor_log(severity, LD_FS,"Can't read key from \"%s\"", fname);
      goto error;
    /* treat empty key files as if the file doesn't exist, and, if generate
     * is set, replace the empty file in curve25519_keypair_write_to_file() */
    case FN_NOENT:
    case FN_EMPTY:
      if (generate) {
        if (!have_lockfile()) {
          if (try_locking(get_options(), 0)<0) {
            /* Make sure that --list-fingerprint only creates new keys
             * if there is no possibility for a deadlock. */
            tor_log(severity, LD_FS, "Another Tor process has locked \"%s\". "
                    "Not writing any new keys.", fname);
            /*XXXX The 'other process' might make a key in a second or two;
             * maybe we should wait for it. */
            goto error;
          }
        }
        log_info(LD_GENERAL, "No key found in \"%s\"; generating fresh key.",
                 fname);
        if (curve25519_keypair_generate(keys_out, 1) < 0)
          goto error;
        if (curve25519_keypair_write_to_file(keys_out, fname, tag)<0) {
          tor_log(severity, LD_FS,
              "Couldn't write generated key to \"%s\".", fname);
          memwipe(keys_out, 0, sizeof(*keys_out));
          goto error;
        }
      } else {
        log_info(LD_GENERAL, "No key found in \"%s\"", fname);
      }
      return 0;
    case FN_FILE:
      {
        char *tag_in=NULL;
        if (curve25519_keypair_read_from_file(keys_out, &tag_in, fname) < 0) {
          tor_log(severity, LD_GENERAL,"Error loading private key.");
          tor_free(tag_in);
          goto error;
        }
        if (!tag_in || strcmp(tag_in, tag)) {
          tor_log(severity, LD_GENERAL,"Unexpected tag %s on private key.",
              escaped(tag_in));
          tor_free(tag_in);
          goto error;
        }
        tor_free(tag_in);
        return 0;
      }
    default:
      tor_assert(0);
  }

 error:
  return -1;
}

/** Try to load the vote-signing private key and certificate for being a v3
 * directory authority, and make sure they match.  If <b>legacy</b>, load a
 * legacy key/cert set for emergency key migration; otherwise load the regular
 * key/cert set.  On success, store them into *<b>key_out</b> and
 * *<b>cert_out</b> respectively, and return 0.  On failure, return -1. */
static int
load_authority_keyset(int legacy, crypto_pk_t **key_out,
                      authority_cert_t **cert_out)
{
  int r = -1;
  char *fname = NULL, *cert = NULL;
  const char *eos = NULL;
  crypto_pk_t *signing_key = NULL;
  authority_cert_t *parsed = NULL;

  fname = get_datadir_fname2("keys",
                 legacy ? "legacy_signing_key" : "authority_signing_key");
  signing_key = init_key_from_file(fname, 0, LOG_ERR, 0);
  if (!signing_key) {
    log_warn(LD_DIR, "No version 3 directory key found in %s", fname);
    goto done;
  }
  tor_free(fname);
  fname = get_datadir_fname2("keys",
               legacy ? "legacy_certificate" : "authority_certificate");
  cert = read_file_to_str(fname, 0, NULL);
  if (!cert) {
    log_warn(LD_DIR, "Signing key found, but no certificate found in %s",
               fname);
    goto done;
  }
  parsed = authority_cert_parse_from_string(cert, &eos);
  if (!parsed) {
    log_warn(LD_DIR, "Unable to parse certificate in %s", fname);
    goto done;
  }
  if (!crypto_pk_eq_keys(signing_key, parsed->signing_key)) {
    log_warn(LD_DIR, "Stored signing key does not match signing key in "
             "certificate");
    goto done;
  }

  crypto_pk_free(*key_out);
  authority_cert_free(*cert_out);

  *key_out = signing_key;
  *cert_out = parsed;
  r = 0;
  signing_key = NULL;
  parsed = NULL;

 done:
  tor_free(fname);
  tor_free(cert);
  crypto_pk_free(signing_key);
  authority_cert_free(parsed);
  return r;
}

/** Load the v3 (voting) authority signing key and certificate, if they are
 * present.  Return -1 if anything is missing, mismatched, or unloadable;
 * return 0 on success. */
static int
init_v3_authority_keys(void)
{
  if (load_authority_keyset(0, &authority_signing_key,
                            &authority_key_certificate)<0)
    return -1;

  if (get_options()->V3AuthUseLegacyKey &&
      load_authority_keyset(1, &legacy_signing_key,
                            &legacy_key_certificate)<0)
    return -1;

  return 0;
}

/** If we're a v3 authority, check whether we have a certificate that's
 * likely to expire soon.  Warn if we do, but not too often. */
void
v3_authority_check_key_expiry(void)
{
  time_t now, expires;
  static time_t last_warned = 0;
  int badness, time_left, warn_interval;
  if (!authdir_mode_v3(get_options()) || !authority_key_certificate)
    return;

  now = time(NULL);
  expires = authority_key_certificate->expires;
  time_left = (int)( expires - now );
  if (time_left <= 0) {
    badness = LOG_ERR;
    warn_interval = 60*60;
  } else if (time_left <= 24*60*60) {
    badness = LOG_WARN;
    warn_interval = 60*60;
  } else if (time_left <= 24*60*60*7) {
    badness = LOG_WARN;
    warn_interval = 24*60*60;
  } else if (time_left <= 24*60*60*30) {
    badness = LOG_WARN;
    warn_interval = 24*60*60*5;
  } else {
    return;
  }

  if (last_warned + warn_interval > now)
    return;

  if (time_left <= 0) {
    tor_log(badness, LD_DIR, "Your v3 authority certificate has expired."
            " Generate a new one NOW.");
  } else if (time_left <= 24*60*60) {
    tor_log(badness, LD_DIR, "Your v3 authority certificate expires in %d "
            "hours; Generate a new one NOW.", time_left/(60*60));
  } else {
    tor_log(badness, LD_DIR, "Your v3 authority certificate expires in %d "
            "days; Generate a new one soon.", time_left/(24*60*60));
  }
  last_warned = now;
}

/** Set up Tor's TLS contexts, based on our configuration and keys. Return 0
 * on success, and -1 on failure. */
int
router_initialize_tls_context(void)
{
  unsigned int flags = 0;
  const or_options_t *options = get_options();
  int lifetime = options->SSLKeyLifetime;
  if (public_server_mode(options))
    flags |= TOR_TLS_CTX_IS_PUBLIC_SERVER;
  if (options->TLSECGroup) {
    if (!strcasecmp(options->TLSECGroup, "P256"))
      flags |= TOR_TLS_CTX_USE_ECDHE_P256;
    else if (!strcasecmp(options->TLSECGroup, "P224"))
      flags |= TOR_TLS_CTX_USE_ECDHE_P224;
  }
  if (!lifetime) { /* we should guess a good ssl cert lifetime */

    /* choose between 5 and 365 days, and round to the day */
    unsigned int five_days = 5*24*3600;
    unsigned int one_year = 365*24*3600;
    lifetime = crypto_rand_int_range(five_days, one_year);
    lifetime -= lifetime % (24*3600);

    if (crypto_rand_int(2)) {
      /* Half the time we expire at midnight, and half the time we expire
       * one second before midnight. (Some CAs wobble their expiry times a
       * bit in practice, perhaps to reduce collision attacks; see ticket
       * 8443 for details about observed certs in the wild.) */
      lifetime--;
    }
  }

  /* It's ok to pass lifetime in as an unsigned int, since
   * config_parse_interval() checked it. */
  return tor_tls_context_init(flags,
                              get_tlsclient_identity_key(),
                              server_mode(options) ?
                              get_server_identity_key() : NULL,
                              (unsigned int)lifetime);
}

/** Compute fingerprint (or hashed fingerprint if hashed is 1) and write
 * it to 'fingerprint' (or 'hashed-fingerprint'). Return 0 on success, or
 * -1 if Tor should die,
 */
STATIC int
router_write_fingerprint(int hashed)
{
  char *keydir = NULL, *cp = NULL;
  const char *fname = hashed ? "hashed-fingerprint" :
                               "fingerprint";
  char fingerprint[FINGERPRINT_LEN+1];
  const or_options_t *options = get_options();
  char *fingerprint_line = NULL;
  int result = -1;

  keydir = get_datadir_fname(fname);
  log_info(LD_GENERAL,"Dumping %sfingerprint to \"%s\"...",
           hashed ? "hashed " : "", keydir);
  if (!hashed) {
    if (crypto_pk_get_fingerprint(get_server_identity_key(),
                                  fingerprint, 0) < 0) {
      log_err(LD_GENERAL,"Error computing fingerprint");
      goto done;
    }
  } else {
    if (crypto_pk_get_hashed_fingerprint(get_server_identity_key(),
                                         fingerprint) < 0) {
      log_err(LD_GENERAL,"Error computing hashed fingerprint");
      goto done;
    }
  }

  tor_asprintf(&fingerprint_line, "%s %s\n", options->Nickname, fingerprint);

  /* Check whether we need to write the (hashed-)fingerprint file. */

  cp = read_file_to_str(keydir, RFTS_IGNORE_MISSING, NULL);
  if (!cp || strcmp(cp, fingerprint_line)) {
    if (write_str_to_file(keydir, fingerprint_line, 0)) {
      log_err(LD_FS, "Error writing %sfingerprint line to file",
              hashed ? "hashed " : "");
      goto done;
    }
  }

  log_notice(LD_GENERAL, "Your Tor %s identity key fingerprint is '%s %s'",
             hashed ? "bridge's hashed" : "server's", options->Nickname,
             fingerprint);

  result = 0;
 done:
  tor_free(cp);
  tor_free(keydir);
  tor_free(fingerprint_line);
  return result;
}

static int
init_keys_common(void)
{
  if (!key_lock)
    key_lock = tor_mutex_new();

  /* There are a couple of paths that put us here before we've asked
   * openssl to initialize itself. */
  if (crypto_global_init(get_options()->HardwareAccel,
                         get_options()->AccelName,
                         get_options()->AccelDir)) {
    log_err(LD_BUG, "Unable to initialize OpenSSL. Exiting.");
    return -1;
  }

  return 0;
}

int
init_keys_client(void)
{
  crypto_pk_t *prkey;
  if (init_keys_common() < 0)
    return -1;

  if (!(prkey = crypto_pk_new()))
    return -1;
  if (crypto_pk_generate_key(prkey)) {
    crypto_pk_free(prkey);
    return -1;
  }
  set_client_identity_key(prkey);
  /* Create a TLS context. */
  if (router_initialize_tls_context() < 0) {
    log_err(LD_GENERAL,"Error creating TLS context for Tor client.");
    return -1;
  }
  return 0;
}

/** Initialize all OR private keys, and the TLS context, as necessary.
 * On OPs, this only initializes the tls context. Return 0 on success,
 * or -1 if Tor should die.
 */
int
init_keys(void)
{
  char *keydir;
  const char *mydesc;
  crypto_pk_t *prkey;
  char digest[DIGEST_LEN];
  char v3_digest[DIGEST_LEN];
  const or_options_t *options = get_options();
  dirinfo_type_t type;
  time_t now = time(NULL);
  dir_server_t *ds;
  int v3_digest_set = 0;
  authority_cert_t *cert = NULL;

  /* OP's don't need persistent keys; just make up an identity and
   * initialize the TLS context. */
  if (!server_mode(options)) {
    return init_keys_client();
  }
  if (init_keys_common() < 0)
    return -1;
  /* Make sure DataDirectory exists, and is private. */
  if (check_private_dir(options->DataDirectory, CPD_CREATE, options->User)) {
    return -1;
  }
  /* Check the key directory. */
  keydir = get_datadir_fname("keys");
  if (check_private_dir(keydir, CPD_CREATE, options->User)) {
    tor_free(keydir);
    return -1;
  }
  tor_free(keydir);

  /* 1a. Read v3 directory authority key/cert information. */
  memset(v3_digest, 0, sizeof(v3_digest));
  if (authdir_mode_v3(options)) {
    if (init_v3_authority_keys()<0) {
      log_err(LD_GENERAL, "We're configured as a V3 authority, but we "
              "were unable to load our v3 authority keys and certificate! "
              "Use tor-gencert to generate them. Dying.");
      return -1;
    }
    cert = get_my_v3_authority_cert();
    if (cert) {
      crypto_pk_get_digest(get_my_v3_authority_cert()->identity_key,
                           v3_digest);
      v3_digest_set = 1;
    }
  }

  /* 1b. Read identity key. Make it if none is found. */
  keydir = get_datadir_fname2("keys", "secret_id_key");
  log_info(LD_GENERAL,"Reading/making identity key \"%s\"...",keydir);
  prkey = init_key_from_file(keydir, 1, LOG_ERR, 1);
  tor_free(keydir);
  if (!prkey) return -1;
  set_server_identity_key(prkey);

  /* 1c. If we are configured as a bridge, generate a client key;
   * otherwise, set the server identity key as our client identity
   * key. */
  if (public_server_mode(options)) {
    set_client_identity_key(crypto_pk_dup_key(prkey)); /* set above */
  } else {
    if (!(prkey = crypto_pk_new()))
      return -1;
    if (crypto_pk_generate_key(prkey)) {
      crypto_pk_free(prkey);
      return -1;
    }
    set_client_identity_key(prkey);
  }

  /* 1d. Load all ed25519 keys */
  if (load_ed_keys(options,now) < 0)
    return -1;

  /* 2. Read onion key.  Make it if none is found. */
  keydir = get_datadir_fname2("keys", "secret_onion_key");
  log_info(LD_GENERAL,"Reading/making onion key \"%s\"...",keydir);
  prkey = init_key_from_file(keydir, 1, LOG_ERR, 1);
  tor_free(keydir);
  if (!prkey) return -1;
  set_onion_key(prkey);
  if (options->command == CMD_RUN_TOR) {
    /* only mess with the state file if we're actually running Tor */
    or_state_t *state = get_or_state();
    if (state->LastRotatedOnionKey > 100 && state->LastRotatedOnionKey < now) {
      /* We allow for some parsing slop, but we don't want to risk accepting
       * values in the distant future.  If we did, we might never rotate the
       * onion key. */
      onionkey_set_at = state->LastRotatedOnionKey;
    } else {
      /* We have no LastRotatedOnionKey set; either we just created the key
       * or it's a holdover from 0.1.2.4-alpha-dev or earlier.  In either case,
       * start the clock ticking now so that we will eventually rotate it even
       * if we don't stay up for a full MIN_ONION_KEY_LIFETIME. */
      state->LastRotatedOnionKey = onionkey_set_at = now;
      or_state_mark_dirty(state, options->AvoidDiskWrites ?
                                   time(NULL)+3600 : 0);
    }
  }

  keydir = get_datadir_fname2("keys", "secret_onion_key.old");
  if (!lastonionkey && file_status(keydir) == FN_FILE) {
    /* Load keys from non-empty files only.
     * Missing old keys won't be replaced with freshly generated keys. */
    prkey = init_key_from_file(keydir, 0, LOG_ERR, 0);
    if (prkey)
      lastonionkey = prkey;
  }
  tor_free(keydir);

  {
    /* 2b. Load curve25519 onion keys. */
    int r;
    keydir = get_datadir_fname2("keys", "secret_onion_key_ntor");
    r = init_curve25519_keypair_from_file(&curve25519_onion_key,
                                          keydir, 1, LOG_ERR, "onion");
    tor_free(keydir);
    if (r<0)
      return -1;

    keydir = get_datadir_fname2("keys", "secret_onion_key_ntor.old");
    if (tor_mem_is_zero((const char *)
                           last_curve25519_onion_key.pubkey.public_key,
                        CURVE25519_PUBKEY_LEN) &&
        file_status(keydir) == FN_FILE) {
      /* Load keys from non-empty files only.
       * Missing old keys won't be replaced with freshly generated keys. */
      init_curve25519_keypair_from_file(&last_curve25519_onion_key,
                                        keydir, 0, LOG_ERR, "onion");
    }
    tor_free(keydir);
  }

  /* 3. Initialize link key and TLS context. */
  if (router_initialize_tls_context() < 0) {
    log_err(LD_GENERAL,"Error initializing TLS context");
    return -1;
  }

  /* 3b. Get an ed25519 link certificate.  Note that we need to do this
   * after we set up the TLS context */
  if (generate_ed_link_cert(options, now) < 0) {
    log_err(LD_GENERAL,"Couldn't make link cert");
    return -1;
  }

  /* 4. Build our router descriptor. */
  /* Must be called after keys are initialized. */
  mydesc = router_get_my_descriptor();
  if (authdir_mode_handles_descs(options, ROUTER_PURPOSE_GENERAL)) {
    const char *m = NULL;
    routerinfo_t *ri;
    /* We need to add our own fingerprint so it gets recognized. */
    if (dirserv_add_own_fingerprint(get_server_identity_key())) {
      log_err(LD_GENERAL,"Error adding own fingerprint to set of relays");
      return -1;
    }
    if (mydesc) {
      was_router_added_t added;
      ri = router_parse_entry_from_string(mydesc, NULL, 1, 0, NULL, NULL);
      if (!ri) {
        log_err(LD_GENERAL,"Generated a routerinfo we couldn't parse.");
        return -1;
      }
      added = dirserv_add_descriptor(ri, &m, "self");
      if (!WRA_WAS_ADDED(added)) {
        if (!WRA_WAS_OUTDATED(added)) {
          log_err(LD_GENERAL, "Unable to add own descriptor to directory: %s",