From 0bfef523dfe4c4dc83ba2a444045c118ca5ac2b6 Mon Sep 17 00:00:00 2001 From: Roger Dingledine Date: Wed, 7 Jun 2006 06:10:54 +0000 Subject: [PATCH] simplify the tortls api: we only support being a "server", that is, even tor clients do the same sort of handshake. this has been true for years, so it's best to get rid of the stale code. svn:r6557 --- src/common/tortls.c | 46 ++++++++++++++++++++++----------------------- src/common/tortls.h | 2 +- src/or/main.c | 2 +- src/or/router.c | 4 ++-- 4 files changed, 26 insertions(+), 28 deletions(-) diff --git a/src/common/tortls.c b/src/common/tortls.c index c9f3e67a7c..8b94494539 100644 --- a/src/common/tortls.c +++ b/src/common/tortls.c @@ -301,11 +301,12 @@ tor_tls_create_certificate(crypto_pk_env_t *rsa, #define CIPHER_LIST SSL3_TXT_EDH_RSA_DES_192_CBC3_SHA #endif -/** Create a new TLS context. If we are going to be using it as a - * server, it must have isServer set to true, identity set to the - * identity key used to sign that certificate, and nickname set to - * the server's nickname. If we're only going to be a client, - * isServer should be false, identity should be NULL, and nickname +/** Create a new TLS context for use with Tor TLS handshakes. + * identity should be set to the identity key used to sign the + * certificate, and nickname set to the nickname to use. + * + * XXX to be removed next: + * If we're only going to be a client, identity should be NULL, and nickname * should be NULL. Return -1 if failure, else 0. * * You can call this function multiple times. Each time you call it, @@ -313,8 +314,7 @@ tor_tls_create_certificate(crypto_pk_env_t *rsa, * the new SSL context. */ int -tor_tls_context_new(crypto_pk_env_t *identity, - int isServer, const char *nickname, +tor_tls_context_new(crypto_pk_env_t *identity, const char *nickname, unsigned int key_lifetime) { crypto_pk_env_t *rsa = NULL; @@ -331,22 +331,20 @@ tor_tls_context_new(crypto_pk_env_t *identity, tor_tls_init(); - if (isServer) { - /* Generate short-term RSA key. */ - if (!(rsa = crypto_new_pk_env())) - goto error; - if (crypto_pk_generate_key(rsa)<0) - goto error; - /* Create certificate signed by identity key. */ - cert = tor_tls_create_certificate(rsa, identity, nickname, nn2, - key_lifetime); - /* Create self-signed certificate for identity key. */ - idcert = tor_tls_create_certificate(identity, identity, nn2, nn2, - IDENTITY_CERT_LIFETIME); - if (!cert || !idcert) { - log(LOG_WARN, LD_CRYPTO, "Error creating certificate"); - goto error; - } + /* Generate short-term RSA key. */ + if (!(rsa = crypto_new_pk_env())) + goto error; + if (crypto_pk_generate_key(rsa)<0) + goto error; + /* Create certificate signed by identity key. */ + cert = tor_tls_create_certificate(rsa, identity, nickname, nn2, + key_lifetime); + /* Create self-signed certificate for identity key. */ + idcert = tor_tls_create_certificate(identity, identity, nn2, nn2, + IDENTITY_CERT_LIFETIME); + if (!cert || !idcert) { + log(LOG_WARN, LD_CRYPTO, "Error creating certificate"); + goto error; } result = tor_malloc(sizeof(tor_tls_context_t)); @@ -376,7 +374,7 @@ tor_tls_context_new(crypto_pk_env_t *identity, idcert=NULL; /* The context now owns the reference to idcert */ } SSL_CTX_set_session_cache_mode(*ctx, SSL_SESS_CACHE_OFF); - if (isServer && !client_only) { + if (!client_only) { tor_assert(rsa); if (!(pkey = _crypto_pk_env_get_evp_pkey(rsa,1))) goto error; diff --git a/src/common/tortls.h b/src/common/tortls.h index 82a64cb97a..0416044d9e 100644 --- a/src/common/tortls.h +++ b/src/common/tortls.h @@ -26,7 +26,7 @@ typedef struct tor_tls_t tor_tls_t; #define TOR_TLS_DONE 0 void tor_tls_free_all(void); -int tor_tls_context_new(crypto_pk_env_t *rsa, int isServer, +int tor_tls_context_new(crypto_pk_env_t *rsa, const char *nickname, unsigned int key_lifetime); tor_tls_t *tor_tls_new(int sock, int is_server, int use_no_cert); int tor_tls_is_server(tor_tls_t *tls); diff --git a/src/or/main.c b/src/or/main.c index 2ff5d5e27f..03173ca044 100644 --- a/src/or/main.c +++ b/src/or/main.c @@ -757,7 +757,7 @@ run_scheduled_events(time_t now) last_rotated_certificate = now; if (last_rotated_certificate+MAX_SSL_KEY_LIFETIME < now) { log_info(LD_GENERAL,"Rotating tls context."); - if (tor_tls_context_new(get_identity_key(), 1, options->Nickname, + if (tor_tls_context_new(get_identity_key(), options->Nickname, MAX_SSL_KEY_LIFETIME) < 0) { log_warn(LD_BUG, "Error reinitializing TLS context"); /* XXX is it a bug here, that we just keep going? */ diff --git a/src/or/router.c b/src/or/router.c index d9186adc1e..ee4cba30cf 100644 --- a/src/or/router.c +++ b/src/or/router.c @@ -260,7 +260,7 @@ init_keys(void) return -1; set_identity_key(prkey); /* Create a TLS context; default the client nickname to "client". */ - if (tor_tls_context_new(get_identity_key(), 1, + if (tor_tls_context_new(get_identity_key(), options->Nickname ? options->Nickname : "client", MAX_SSL_KEY_LIFETIME) < 0) { log_err(LD_GENERAL,"Error creating TLS context for OP."); @@ -302,7 +302,7 @@ init_keys(void) } /* 3. Initialize link key and TLS context. */ - if (tor_tls_context_new(get_identity_key(), 1, options->Nickname, + if (tor_tls_context_new(get_identity_key(), options->Nickname, MAX_SSL_KEY_LIFETIME) < 0) { log_err(LD_GENERAL,"Error initializing TLS context"); return -1;