commit 28f9b68e8763b2e5c4e7b0ed9170f41ead15feb1 Author: Nick Mathewson <nickm@torproject.org> Date: Fri Mar 31 10:04:10 2017 -0400 Move "change cert expiration and re-sign" fn into tortls.c This lets test_link_handshake stop including openssl headers. --- src/common/tortls.c | 18 ++++++++++++++++++ src/common/tortls.h | 5 +++++ src/test/test_link_handshake.c | 23 ++++++----------------- 3 files changed, 29 insertions(+), 17 deletions(-) diff --git a/src/common/tortls.c b/src/common/tortls.c index aa19140..fadf52f 100644 --- a/src/common/tortls.c +++ b/src/common/tortls.c @@ -2264,6 +2264,24 @@ check_cert_lifetime_internal(int severity, const X509 *cert, return 0; } +#ifdef TOR_UNIT_TESTS +/* Testing only: return a new x509 cert with the same contents as <b>inp</b>, + but with the expiration time <b>new_expiration_time</b>, signed with + <b>signing_key</b>. */ +STATIC tor_x509_cert_t * +tor_x509_cert_replace_expiration(const tor_x509_cert_t *inp, + time_t new_expiration_time, + crypto_pk_t *signing_key) +{ + X509 *newc = X509_dup(inp->cert); + X509_time_adj(X509_get_notAfter(newc), 0, &new_expiration_time); + EVP_PKEY *pk = crypto_pk_get_evp_pkey_(signing_key, 1); + tor_assert(X509_sign(newc, pk, EVP_sha256())); + EVP_PKEY_free(pk); + return tor_x509_cert_new(newc); +} +#endif + /** Return the number of bytes available for reading from <b>tls</b>. */ int diff --git a/src/common/tortls.h b/src/common/tortls.h index a848039..fd0186c 100644 --- a/src/common/tortls.h +++ b/src/common/tortls.h @@ -187,6 +187,11 @@ extern tor_tls_context_t *client_tls_context; extern uint16_t v2_cipher_list[]; extern uint64_t total_bytes_written_over_tls; extern uint64_t total_bytes_written_by_tls; + +STATIC tor_x509_cert_t *tor_x509_cert_replace_expiration( + const tor_x509_cert_t *inp, + time_t new_expiration_time, + crypto_pk_t *signing_key); #endif #endif /* endif TORTLS_PRIVATE */ diff --git a/src/test/test_link_handshake.c b/src/test/test_link_handshake.c index 3f2f2b6..217088e 100644 --- a/src/test/test_link_handshake.c +++ b/src/test/test_link_handshake.c @@ -10,12 +10,6 @@ #include "compat.h" -/* Some versions of OpenSSL declare SSL_get_selected_srtp_profile twice in - * srtp.h. Suppress the GCC warning so we can build with -Wredundant-decl. */ -DISABLE_GCC_WARNING(redundant-decls) -#include <openssl/x509.h> -ENABLE_GCC_WARNING(redundant-decls) - #include "or.h" #include "config.h" #include "connection.h" @@ -784,19 +778,14 @@ CERTS_FAIL(expired_rsa_id, /* both */ certs_cell_cert_t *cert = certs_cell_get_certs(d->ccell, 1); const tor_x509_cert_t *idc; tor_tls_get_my_certs(1, NULL, &idc); - X509 *newc = X509_dup(idc->cert); + tor_x509_cert_t *newc; time_t new_end = time(NULL) - 86400 * 10; - X509_time_adj(X509_get_notAfter(newc), 0, &new_end); - EVP_PKEY *pk = crypto_pk_get_evp_pkey_(d->key2, 1); - tt_assert(X509_sign(newc, pk, EVP_sha1())); - int len = i2d_X509(newc, NULL); - certs_cell_cert_setlen_body(cert, len); - uint8_t *body = certs_cell_cert_getarray_body(cert); - int len2 = i2d_X509(newc, &body); - tt_int_op(len, ==, len2); + newc = tor_x509_cert_replace_expiration(idc, new_end, d->key2); + certs_cell_cert_setlen_body(cert, newc->encoded_len); + memcpy(certs_cell_cert_getarray_body(cert), + newc->encoded, newc->encoded_len); REENCODE(); - X509_free(newc); - EVP_PKEY_free(pk); + tor_x509_cert_free(newc); }) CERTS_FAIL(expired_ed_id, /* ed25519 */ {