[tor-commits] [tor/master] Move "change cert expiration and re-sign" fn into tortls.c

nickm at torproject.org nickm at torproject.org
Fri Apr 7 13:59:42 UTC 2017


commit 28f9b68e8763b2e5c4e7b0ed9170f41ead15feb1
Author: Nick Mathewson <nickm at torproject.org>
Date:   Fri Mar 31 10:04:10 2017 -0400

    Move "change cert expiration and re-sign" fn into tortls.c
    
    This lets test_link_handshake stop including openssl headers.
---
 src/common/tortls.c            | 18 ++++++++++++++++++
 src/common/tortls.h            |  5 +++++
 src/test/test_link_handshake.c | 23 ++++++-----------------
 3 files changed, 29 insertions(+), 17 deletions(-)

diff --git a/src/common/tortls.c b/src/common/tortls.c
index aa19140..fadf52f 100644
--- a/src/common/tortls.c
+++ b/src/common/tortls.c
@@ -2264,6 +2264,24 @@ check_cert_lifetime_internal(int severity, const X509 *cert,
   return 0;
 }
 
+#ifdef TOR_UNIT_TESTS
+/* Testing only: return a new x509 cert with the same contents as <b>inp</b>,
+   but with the expiration time <b>new_expiration_time</b>, signed with
+   <b>signing_key</b>. */
+STATIC tor_x509_cert_t *
+tor_x509_cert_replace_expiration(const tor_x509_cert_t *inp,
+                                 time_t new_expiration_time,
+                                 crypto_pk_t *signing_key)
+{
+  X509 *newc = X509_dup(inp->cert);
+  X509_time_adj(X509_get_notAfter(newc), 0, &new_expiration_time);
+  EVP_PKEY *pk = crypto_pk_get_evp_pkey_(signing_key, 1);
+  tor_assert(X509_sign(newc, pk, EVP_sha256()));
+  EVP_PKEY_free(pk);
+  return tor_x509_cert_new(newc);
+}
+#endif
+
 /** Return the number of bytes available for reading from <b>tls</b>.
  */
 int
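Review bot: In tor_x509_cert_replace_expiration the results of X509_dup() and crypto_pk_get_evp_pkey_() are dereferenced without a NULL check, so an allocation or key-conversion failure would crash inside X509_time_adj()/X509_sign() instead of being reported by the assertion that already guards the signing step. Adding `tor_assert(newc);` right after the X509_dup() call and `tor_assert(pk);` before X509_sign() keeps the failure explicit and consistent with how the function already treats X509_sign(). The return value of X509_time_adj() is likewise ignored; wrapping it in tor_assert too would make the helper fail at the step that actually went wrong. The header comment could also state that the returned certificate is owned by the caller and released with tor_x509_cert_free(), which is how the test_link_handshake hunk in this commit uses it.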
diff --git a/src/common/tortls.h b/src/common/tortls.h
index a848039..fd0186c 100644
--- a/src/common/tortls.h
+++ b/src/common/tortls.h
@@ -187,6 +187,11 @@ extern tor_tls_context_t *client_tls_context;
 extern uint16_t v2_cipher_list[];
 extern uint64_t total_bytes_written_over_tls;
 extern uint64_t total_bytes_written_by_tls;
+
+STATIC tor_x509_cert_t *tor_x509_cert_replace_expiration(
+                                               const tor_x509_cert_t *inp,
+                                               time_t new_expiration_time,
+                                               crypto_pk_t *signing_key);
 #endif
 
 #endif /* endif TORTLS_PRIVATE */
diff --git a/src/test/test_link_handshake.c b/src/test/test_link_handshake.c
index 3f2f2b6..217088e 100644
--- a/src/test/test_link_handshake.c
+++ b/src/test/test_link_handshake.c
@@ -10,12 +10,6 @@
 
 #include "compat.h"
 
-/* Some versions of OpenSSL declare SSL_get_selected_srtp_profile twice in
- * srtp.h. Suppress the GCC warning so we can build with -Wredundant-decl. */
-DISABLE_GCC_WARNING(redundant-decls)
-#include <openssl/x509.h>
-ENABLE_GCC_WARNING(redundant-decls)
-
 #include "or.h"
 #include "config.h"
 #include "connection.h"
@@ -784,19 +778,14 @@ CERTS_FAIL(expired_rsa_id, /* both */
     certs_cell_cert_t *cert = certs_cell_get_certs(d->ccell, 1);
     const tor_x509_cert_t *idc;
     tor_tls_get_my_certs(1, NULL, &idc);
-    X509 *newc = X509_dup(idc->cert);
+    tor_x509_cert_t *newc;
     time_t new_end = time(NULL) - 86400 * 10;
-    X509_time_adj(X509_get_notAfter(newc), 0, &new_end);
-    EVP_PKEY *pk = crypto_pk_get_evp_pkey_(d->key2, 1);
-    tt_assert(X509_sign(newc, pk, EVP_sha1()));
-    int len = i2d_X509(newc, NULL);
-    certs_cell_cert_setlen_body(cert, len);
-    uint8_t *body = certs_cell_cert_getarray_body(cert);
-    int len2 = i2d_X509(newc, &body);
-    tt_int_op(len, ==, len2);
+    newc = tor_x509_cert_replace_expiration(idc, new_end, d->key2);
+    certs_cell_cert_setlen_body(cert, newc->encoded_len);
+    memcpy(certs_cell_cert_getarray_body(cert),
+           newc->encoded, newc->encoded_len);
     REENCODE();
-    X509_free(newc);
-    EVP_PKEY_free(pk);
+    tor_x509_cert_free(newc);
   })
 CERTS_FAIL(expired_ed_id, /* ed25519 */
   {
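Review bot: newc is dereferenced (`newc->encoded_len`, `newc->encoded`) immediately after the tor_x509_cert_replace_expiration() call with no check, whereas the removed code verified the signing step with tt_assert; if tor_x509_cert_new() can return NULL on an encoding failure, the test would crash rather than report a failure. Adding `tt_assert(newc);` after the assignment keeps that path inside the test framework, and the declaration and assignment can be folded into `tor_x509_cert_t *newc = tor_x509_cert_replace_expiration(idc, new_end, d->key2);`. The CERTS_FAIL(expired_rsa_id, ...) block begins outside the hunk.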
