[tor/master] Move "change cert expiration and re-sign" fn into tortls.c - tor-commits

7 Apr 2017

commit 28f9b68e8763b2e5c4e7b0ed9170f41ead15feb1
Author: Nick Mathewson nickm@torproject.org
Date:   Fri Mar 31 10:04:10 2017 -0400
Move "change cert expiration and re-sign" fn into tortls.c
This lets test_link_handshake stop including openssl headers.
---
 src/common/tortls.c            | 18 ++++++++++++++++++
 src/common/tortls.h            |  5 +++++
 src/test/test_link_handshake.c | 23 ++++++-----------------
 3 files changed, 29 insertions(+), 17 deletions(-)

diff --git a/src/common/tortls.c b/src/common/tortls.c
index aa19140..fadf52f 100644
--- a/src/common/tortls.c
+++ b/src/common/tortls.c
@@ -2264,6 +2264,24 @@ check_cert_lifetime_internal(int severity, const X509 *cert,
   return 0;
 }
+#ifdef TOR_UNIT_TESTS
+/* Testing only: return a new x509 cert with the same contents as <b>inp</b>,
+   but with the expiration time <b>new_expiration_time</b>, signed with
+   <b>signing_key</b>. */
+STATIC tor_x509_cert_t *
+tor_x509_cert_replace_expiration(const tor_x509_cert_t *inp,
+                                 time_t new_expiration_time,
+                                 crypto_pk_t *signing_key)
+{
+  X509 *newc = X509_dup(inp->cert);
+  X509_time_adj(X509_get_notAfter(newc), 0, &new_expiration_time);
+  EVP_PKEY *pk = crypto_pk_get_evp_pkey_(signing_key, 1);
+  tor_assert(X509_sign(newc, pk, EVP_sha256()));
+  EVP_PKEY_free(pk);
+  return tor_x509_cert_new(newc);
+}
+#endif
+
 /** Return the number of bytes available for reading from <b>tls</b>.
  */
 int
diff --git a/src/common/tortls.h b/src/common/tortls.h
index a848039..fd0186c 100644
--- a/src/common/tortls.h
+++ b/src/common/tortls.h
@@ -187,6 +187,11 @@ extern tor_tls_context_t *client_tls_context;
 extern uint16_t v2_cipher_list[];
 extern uint64_t total_bytes_written_over_tls;
 extern uint64_t total_bytes_written_by_tls;
+
+STATIC tor_x509_cert_t *tor_x509_cert_replace_expiration(
+                                               const tor_x509_cert_t *inp,
+                                               time_t new_expiration_time,
+                                               crypto_pk_t *signing_key);
 #endif
#endif /* endif TORTLS_PRIVATE */
diff --git a/src/test/test_link_handshake.c b/src/test/test_link_handshake.c
index 3f2f2b6..217088e 100644
--- a/src/test/test_link_handshake.c
+++ b/src/test/test_link_handshake.c
@@ -10,12 +10,6 @@
#include "compat.h"
-/* Some versions of OpenSSL declare SSL_get_selected_srtp_profile twice in
- * srtp.h. Suppress the GCC warning so we can build with -Wredundant-decl. */
-DISABLE_GCC_WARNING(redundant-decls)
-#include <openssl/x509.h>
-ENABLE_GCC_WARNING(redundant-decls)
-
 #include "or.h"
 #include "config.h"
 #include "connection.h"
@@ -784,19 +778,14 @@ CERTS_FAIL(expired_rsa_id, /* both */
     certs_cell_cert_t *cert = certs_cell_get_certs(d->ccell, 1);
     const tor_x509_cert_t *idc;
     tor_tls_get_my_certs(1, NULL, &idc);
-    X509 *newc = X509_dup(idc->cert);
+    tor_x509_cert_t *newc;
     time_t new_end = time(NULL) - 86400 * 10;
-    X509_time_adj(X509_get_notAfter(newc), 0, &new_end);
-    EVP_PKEY *pk = crypto_pk_get_evp_pkey_(d->key2, 1);
-    tt_assert(X509_sign(newc, pk, EVP_sha1()));
-    int len = i2d_X509(newc, NULL);
-    certs_cell_cert_setlen_body(cert, len);
-    uint8_t *body = certs_cell_cert_getarray_body(cert);
-    int len2 = i2d_X509(newc, &body);
-    tt_int_op(len, ==, len2);
+    newc = tor_x509_cert_replace_expiration(idc, new_end, d->key2);
+    certs_cell_cert_setlen_body(cert, newc->encoded_len);
+    memcpy(certs_cell_cert_getarray_body(cert),
+           newc->encoded, newc->encoded_len);
     REENCODE();
-    X509_free(newc);
-    EVP_PKEY_free(pk);
+    tor_x509_cert_free(newc);
   })
 CERTS_FAIL(expired_ed_id, /* ed25519 */
   {

    