simplify the tortls api: we only support being a "server", that
is, even tor clients do the same sort of handshake. this has been true for years, so it's best to get rid of the stale code. svn:r6557
This commit is contained in:
parent
7512be0b65
commit
0bfef523df
@ -301,11 +301,12 @@ tor_tls_create_certificate(crypto_pk_env_t *rsa,
|
||||
#define CIPHER_LIST SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA
|
||||
#endif
|
||||
|
||||
/** Create a new TLS context. If we are going to be using it as a
|
||||
* server, it must have isServer set to true, <b>identity</b> set to the
|
||||
* identity key used to sign that certificate, and <b>nickname</b> set to
|
||||
* the server's nickname. If we're only going to be a client,
|
||||
* isServer should be false, identity should be NULL, and nickname
|
||||
/** Create a new TLS context for use with Tor TLS handshakes.
|
||||
* <b>identity</b> should be set to the identity key used to sign the
|
||||
* certificate, and <b>nickname</b> set to the nickname to use.
|
||||
*
|
||||
* XXX to be removed next:
|
||||
* If we're only going to be a client, identity should be NULL, and nickname
|
||||
* should be NULL. Return -1 if failure, else 0.
|
||||
*
|
||||
* You can call this function multiple times. Each time you call it,
|
||||
@ -313,8 +314,7 @@ tor_tls_create_certificate(crypto_pk_env_t *rsa,
|
||||
* the new SSL context.
|
||||
*/
|
||||
int
|
||||
tor_tls_context_new(crypto_pk_env_t *identity,
|
||||
int isServer, const char *nickname,
|
||||
tor_tls_context_new(crypto_pk_env_t *identity, const char *nickname,
|
||||
unsigned int key_lifetime)
|
||||
{
|
||||
crypto_pk_env_t *rsa = NULL;
|
||||
@ -331,22 +331,20 @@ tor_tls_context_new(crypto_pk_env_t *identity,
|
||||
|
||||
tor_tls_init();
|
||||
|
||||
if (isServer) {
|
||||
/* Generate short-term RSA key. */
|
||||
if (!(rsa = crypto_new_pk_env()))
|
||||
goto error;
|
||||
if (crypto_pk_generate_key(rsa)<0)
|
||||
goto error;
|
||||
/* Create certificate signed by identity key. */
|
||||
cert = tor_tls_create_certificate(rsa, identity, nickname, nn2,
|
||||
key_lifetime);
|
||||
/* Create self-signed certificate for identity key. */
|
||||
idcert = tor_tls_create_certificate(identity, identity, nn2, nn2,
|
||||
IDENTITY_CERT_LIFETIME);
|
||||
if (!cert || !idcert) {
|
||||
log(LOG_WARN, LD_CRYPTO, "Error creating certificate");
|
||||
goto error;
|
||||
}
|
||||
/* Generate short-term RSA key. */
|
||||
if (!(rsa = crypto_new_pk_env()))
|
||||
goto error;
|
||||
if (crypto_pk_generate_key(rsa)<0)
|
||||
goto error;
|
||||
/* Create certificate signed by identity key. */
|
||||
cert = tor_tls_create_certificate(rsa, identity, nickname, nn2,
|
||||
key_lifetime);
|
||||
/* Create self-signed certificate for identity key. */
|
||||
idcert = tor_tls_create_certificate(identity, identity, nn2, nn2,
|
||||
IDENTITY_CERT_LIFETIME);
|
||||
if (!cert || !idcert) {
|
||||
log(LOG_WARN, LD_CRYPTO, "Error creating certificate");
|
||||
goto error;
|
||||
}
|
||||
|
||||
result = tor_malloc(sizeof(tor_tls_context_t));
|
||||
@ -376,7 +374,7 @@ tor_tls_context_new(crypto_pk_env_t *identity,
|
||||
idcert=NULL; /* The context now owns the reference to idcert */
|
||||
}
|
||||
SSL_CTX_set_session_cache_mode(*ctx, SSL_SESS_CACHE_OFF);
|
||||
if (isServer && !client_only) {
|
||||
if (!client_only) {
|
||||
tor_assert(rsa);
|
||||
if (!(pkey = _crypto_pk_env_get_evp_pkey(rsa,1)))
|
||||
goto error;
|
||||
|
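Review bot: The retained doc paragraph under "XXX to be removed next" still says identity "should be NULL" for a client, but the new body no longer has a client branch: the certificate-generation block that used to sit under `if (isServer)` now runs unconditionally and passes `identity` to `tor_tls_create_certificate` twice (once as the signing key, once as both subject and signer), so a NULL identity would now reach the signing path on every call. Replace that paragraph with `* <b>identity</b> must not be NULL; every context now carries a link certificate signed by it.` and guard the new invariant right after `tor_tls_init();` with `tor_assert(identity);`, matching the existing `tor_assert(rsa);` later in the function. With `isServer` gone, the `if (!client_only)` block at the fourth hunk is the only remaining gate on loading the private key into the context; `client_only` is set outside these hunks, so a one-line comment there saying what it still distinguishes would help the next reader. tor_tls_context_new's body continues outside the hunks.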
@ -26,7 +26,7 @@ typedef struct tor_tls_t tor_tls_t;
|
||||
#define TOR_TLS_DONE 0
|
||||
|
||||
void tor_tls_free_all(void);
|
||||
int tor_tls_context_new(crypto_pk_env_t *rsa, int isServer,
|
||||
int tor_tls_context_new(crypto_pk_env_t *rsa,
|
||||
const char *nickname, unsigned int key_lifetime);
|
||||
tor_tls_t *tor_tls_new(int sock, int is_server, int use_no_cert);
|
||||
int tor_tls_is_server(tor_tls_t *tls);
|
||||
|
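Review bot: The new prototype names the first parameter `rsa`, while the definition in tortls.c names it `identity` and allocates its own short-term `rsa` key internally, so the header suggests the caller supplies the link key rather than the identity key; change it to `int tor_tls_context_new(crypto_pk_env_t *identity,` so the declaration matches the definition. The prototype also has no doc comment; a one-line `/** Build the global TLS context: identity signs a fresh link certificate valid for key_lifetime seconds; returns 0 or -1. */` would document the contract callers in main.c and router.c rely on. The neighbouring `tor_tls_new(int sock, int is_server, int use_no_cert)` still carries an `is_server` flag even though the commit message says only the server handshake is supported; presumably that is the "to be removed next" step, but it is worth noting in the commit so the two flags are not left half-removed.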
@ -757,7 +757,7 @@ run_scheduled_events(time_t now)
|
||||
last_rotated_certificate = now;
|
||||
if (last_rotated_certificate+MAX_SSL_KEY_LIFETIME < now) {
|
||||
log_info(LD_GENERAL,"Rotating tls context.");
|
||||
if (tor_tls_context_new(get_identity_key(), 1, options->Nickname,
|
||||
if (tor_tls_context_new(get_identity_key(), options->Nickname,
|
||||
MAX_SSL_KEY_LIFETIME) < 0) {
|
||||
log_warn(LD_BUG, "Error reinitializing TLS context");
|
||||
/* XXX is it a bug here, that we just keep going? */
|
||||
|
@ -260,7 +260,7 @@ init_keys(void)
|
||||
return -1;
|
||||
set_identity_key(prkey);
|
||||
/* Create a TLS context; default the client nickname to "client". */
|
||||
if (tor_tls_context_new(get_identity_key(), 1,
|
||||
if (tor_tls_context_new(get_identity_key(),
|
||||
options->Nickname ? options->Nickname : "client",
|
||||
MAX_SSL_KEY_LIFETIME) < 0) {
|
||||
log_err(LD_GENERAL,"Error creating TLS context for OP.");
|
||||
@ -302,7 +302,7 @@ init_keys(void)
|
||||
}
|
||||
|
||||
/* 3. Initialize link key and TLS context. */
|
||||
if (tor_tls_context_new(get_identity_key(), 1, options->Nickname,
|
||||
if (tor_tls_context_new(get_identity_key(), options->Nickname,
|
||||
MAX_SSL_KEY_LIFETIME) < 0) {
|
||||
log_err(LD_GENERAL,"Error initializing TLS context");
|
||||
return -1;
|
||||
|