Refactor tor_tls_context_new:
* Make tor_tls_context_new internal to tortls.c, and return the new tor_tls_context_t from it. * Add a public tor_tls_context_init wrapper function to replace it. Conflicts: src/or/main.c src/or/router.c
This commit is contained in:
parent
07ab559a8e
commit
8781640111
@ -184,6 +184,8 @@ static X509* tor_tls_create_certificate(crypto_pk_env_t *rsa,
|
|||||||
const char *cname_sign,
|
const char *cname_sign,
|
||||||
unsigned int lifetime);
|
unsigned int lifetime);
|
||||||
static void tor_tls_unblock_renegotiation(tor_tls_t *tls);
|
static void tor_tls_unblock_renegotiation(tor_tls_t *tls);
|
||||||
|
static tor_tls_context_t *tor_tls_context_new(crypto_pk_env_t *identity,
|
||||||
|
unsigned int key_lifetime);
|
||||||
|
|
||||||
/** Global tls context. We keep it here because nobody else needs to
|
/** Global tls context. We keep it here because nobody else needs to
|
||||||
* touch it. */
|
* touch it. */
|
||||||
@ -591,13 +593,38 @@ tor_tls_context_incref(tor_tls_context_t *ctx)
|
|||||||
|
|
||||||
/** Create a new TLS context for use with Tor TLS handshakes.
|
/** Create a new TLS context for use with Tor TLS handshakes.
|
||||||
* <b>identity</b> should be set to the identity key used to sign the
|
* <b>identity</b> should be set to the identity key used to sign the
|
||||||
* certificate, and <b>nickname</b> set to the nickname to use.
|
* certificate.
|
||||||
*
|
*
|
||||||
* You can call this function multiple times. Each time you call it,
|
* You can call this function multiple times. Each time you call it,
|
||||||
* it generates new certificates; all new connections will use
|
* it generates new certificates; all new connections will use
|
||||||
* the new SSL context.
|
* the new SSL context.
|
||||||
*/
|
*/
|
||||||
int
|
int
|
||||||
|
tor_tls_context_init(crypto_pk_env_t *identity, unsigned int key_lifetime)
|
||||||
|
{
|
||||||
|
tor_tls_context_t *new_ctx = tor_tls_context_new(identity,
|
||||||
|
key_lifetime);
|
||||||
|
tor_tls_context_t *old_ctx = global_tls_context;
|
||||||
|
|
||||||
|
if (new_ctx != NULL) {
|
||||||
|
global_tls_context = new_ctx;
|
||||||
|
|
||||||
|
/* Free the old context if one existed. */
|
||||||
|
if (old_ctx != NULL) {
|
||||||
|
/* This is safe even if there are open connections: we reference-
|
||||||
|
* count tor_tls_context_t objects. */
|
||||||
|
tor_tls_context_decref(old_ctx);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return ((new_ctx != NULL) ? 0 : -1);
|
||||||
|
}
|
||||||
|
|
||||||
|
/** Create a new TLS context for use with Tor TLS handshakes.
|
||||||
|
* <b>identity</b> should be set to the identity key used to sign the
|
||||||
|
* certificate.
|
||||||
|
*/
|
||||||
|
static tor_tls_context_t *
|
||||||
tor_tls_context_new(crypto_pk_env_t *identity, unsigned int key_lifetime)
|
tor_tls_context_new(crypto_pk_env_t *identity, unsigned int key_lifetime)
|
||||||
{
|
{
|
||||||
crypto_pk_env_t *rsa = NULL;
|
crypto_pk_env_t *rsa = NULL;
|
||||||
@ -692,18 +719,12 @@ tor_tls_context_new(crypto_pk_env_t *identity, unsigned int key_lifetime)
|
|||||||
always_accept_verify_cb);
|
always_accept_verify_cb);
|
||||||
/* let us realloc bufs that we're writing from */
|
/* let us realloc bufs that we're writing from */
|
||||||
SSL_CTX_set_mode(result->ctx, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
|
SSL_CTX_set_mode(result->ctx, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
|
||||||
/* Free the old context if one exists. */
|
|
||||||
if (global_tls_context) {
|
|
||||||
/* This is safe even if there are open connections: OpenSSL does
|
|
||||||
* reference counting with SSL and SSL_CTX objects. */
|
|
||||||
tor_tls_context_decref(global_tls_context);
|
|
||||||
}
|
|
||||||
global_tls_context = result;
|
|
||||||
if (rsa)
|
if (rsa)
|
||||||
crypto_free_pk_env(rsa);
|
crypto_free_pk_env(rsa);
|
||||||
tor_free(nickname);
|
tor_free(nickname);
|
||||||
tor_free(nn2);
|
tor_free(nn2);
|
||||||
return 0;
|
return result;
|
||||||
|
|
||||||
error:
|
error:
|
||||||
tls_log_errors(NULL, LOG_WARN, "creating TLS context");
|
tls_log_errors(NULL, LOG_WARN, "creating TLS context");
|
||||||
@ -719,7 +740,7 @@ tor_tls_context_new(crypto_pk_env_t *identity, unsigned int key_lifetime)
|
|||||||
X509_free(cert);
|
X509_free(cert);
|
||||||
if (idcert)
|
if (idcert)
|
||||||
X509_free(idcert);
|
X509_free(idcert);
|
||||||
return -1;
|
return NULL;
|
||||||
}
|
}
|
||||||
|
|
||||||
#ifdef V2_HANDSHAKE_SERVER
|
#ifdef V2_HANDSHAKE_SERVER
|
||||||
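Review bot: The doc comment that now sits on tor_tls_context_init in the @ -591 hunk never says what the function returns or what happens on failure, although the body installs new_ctx and decrefs the old context only when tor_tls_context_new succeeded, and returns -1 otherwise. Add to that comment ` * Return 0 on success and -1 on failure; on failure the previously installed global context, if any, is left in place and untouched.` The new static tor_tls_context_new should likewise state ` * Return the new context, or NULL on failure; the caller owns the returned reference.` — the initial reference count is set outside this hunk, so confirm it is one before documenting it that way. The middle of tor_tls_context_new, including where result is allocated, lies between the @ -591 and @ -692 hunks.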
|
@ -50,7 +50,8 @@ typedef struct tor_tls_t tor_tls_t;
|
|||||||
const char *tor_tls_err_to_string(int err);
|
const char *tor_tls_err_to_string(int err);
|
||||||
|
|
||||||
void tor_tls_free_all(void);
|
void tor_tls_free_all(void);
|
||||||
int tor_tls_context_new(crypto_pk_env_t *rsa, unsigned int key_lifetime);
|
int tor_tls_context_init(crypto_pk_env_t *identity,
|
||||||
|
unsigned int key_lifetime);
|
||||||
tor_tls_t *tor_tls_new(int sock, int is_server);
|
tor_tls_t *tor_tls_new(int sock, int is_server);
|
||||||
void tor_tls_set_logged_address(tor_tls_t *tls, const char *address);
|
void tor_tls_set_logged_address(tor_tls_t *tls, const char *address);
|
||||||
void tor_tls_set_renegotiate_callback(tor_tls_t *tls,
|
void tor_tls_set_renegotiate_callback(tor_tls_t *tls,
|
||||||
|
@ -872,8 +872,7 @@ run_scheduled_events(time_t now)
|
|||||||
last_rotated_x509_certificate = now;
|
last_rotated_x509_certificate = now;
|
||||||
if (last_rotated_x509_certificate+MAX_SSL_KEY_LIFETIME_INTERNAL < now) {
|
if (last_rotated_x509_certificate+MAX_SSL_KEY_LIFETIME_INTERNAL < now) {
|
||||||
log_info(LD_GENERAL,"Rotating tls context.");
|
log_info(LD_GENERAL,"Rotating tls context.");
|
||||||
if (tor_tls_context_new(get_identity_key(),
|
if (tor_tls_context_init(get_identity_key(), MAX_SSL_KEY_LIFETIME_ADVERTISED) < 0) {
|
||||||
MAX_SSL_KEY_LIFETIME_ADVERTISED) < 0) {
|
|
||||||
log_warn(LD_BUG, "Error reinitializing TLS context");
|
log_warn(LD_BUG, "Error reinitializing TLS context");
|
||||||
/* XXX is it a bug here, that we just keep going? -RD */
|
/* XXX is it a bug here, that we just keep going? -RD */
|
||||||
}
|
}
|
||||||
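Review bot: The `/* XXX is it a bug here, that we just keep going? -RD */` left under the new tor_tls_context_init call in run_scheduled_events can now be answered from this commit: in the tortls.c hunk, tor_tls_context_init replaces global_tls_context only when tor_tls_context_new succeeded and returns -1 otherwise, so continuing here keeps the previous, still-installed context rather than running without one. Replace the XXX with `/* tor_tls_context_init() leaves the previous context in place on failure, so continuing is safe; the old certificate just stays in use. */`. Whether the rotation is retried on the next pass depends on how last_rotated_x509_certificate is updated after this block, which the hunk does not show. The call was also collapsed onto one line that runs past 80 columns, while the second router.c hunk keeps the wrapped two-line form; wrap it the same way. run_scheduled_events starts before and ends after this hunk.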
|
@ -458,8 +458,7 @@ init_keys(void)
|
|||||||
}
|
}
|
||||||
set_identity_key(prkey);
|
set_identity_key(prkey);
|
||||||
/* Create a TLS context; default the client nickname to "client". */
|
/* Create a TLS context; default the client nickname to "client". */
|
||||||
if (tor_tls_context_new(get_identity_key(),
|
if (tor_tls_context_init(get_identity_key(), MAX_SSL_KEY_LIFETIME_ADVERTISED) < 0) {
|
||||||
MAX_SSL_KEY_LIFETIME_ADVERTISED) < 0) {
|
|
||||||
log_err(LD_GENERAL,"Error creating TLS context for Tor client.");
|
log_err(LD_GENERAL,"Error creating TLS context for Tor client.");
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
@ -537,7 +536,7 @@ init_keys(void)
|
|||||||
tor_free(keydir);
|
tor_free(keydir);
|
||||||
|
|
||||||
/* 3. Initialize link key and TLS context. */
|
/* 3. Initialize link key and TLS context. */
|
||||||
if (tor_tls_context_new(get_identity_key(),
|
if (tor_tls_context_init(get_identity_key(),
|
||||||
MAX_SSL_KEY_LIFETIME_ADVERTISED) < 0) {
|
MAX_SSL_KEY_LIFETIME_ADVERTISED) < 0) {
|
||||||
log_err(LD_GENERAL,"Error initializing TLS context");
|
log_err(LD_GENERAL,"Error initializing TLS context");
|
||||||
return -1;
|
return -1;
|
||||||
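Review bot: The context comment above the new call in the @ -458 hunk, `/* Create a TLS context; default the client nickname to "client". */`, is stale: tor_tls_context_init takes only the identity key and a lifetime, and this commit also drops the nickname wording from the function's doc comment in tortls.c. Replace it with `/* Create a TLS context for this client. */`. In the same hunk the call is joined onto one line that runs past 80 columns, while the @ -537 hunk below keeps the two-line form; wrap both call sites the same way. init_keys starts before the first hunk and continues past the second.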
|