[tor/master] Extract tortls structures into a new header; clean up a little - tor-commits

5 Sep 2018

commit 598bc78bfa62e0879497c0ef03999d3700a5cd16
Author: Nick Mathewson nickm@torproject.org
Date:   Sat Aug 11 19:38:07 2018 -0400
Extract tortls structures into a new header; clean up a little
---
 src/lib/tls/tortls.c           |  5 ++--
 src/lib/tls/tortls.h           | 58 +-----------------------------------
 src/lib/tls/tortls_st.h        | 67 ++++++++++++++++++++++++++++++++++++++++++
 src/lib/tls/x509.c             | 11 ++++++-
 src/lib/tls/x509.h             | 24 ++++++++-------
 src/test/test_link_handshake.c |  1 +
 src/test/test_tortls.c         |  3 ++
 7 files changed, 99 insertions(+), 70 deletions(-)

diff --git a/src/lib/tls/tortls.c b/src/lib/tls/tortls.c
index 20e432081..cb507057e 100644
--- a/src/lib/tls/tortls.c
+++ b/src/lib/tls/tortls.c
@@ -28,6 +28,7 @@
 #include "lib/crypt_ops/crypto_rand.h"
 #include "lib/crypt_ops/crypto_dh.h"
 #include "lib/crypt_ops/crypto_util.h"
+#include "lib/crypt_ops/compat_openssl.h"
 #include "lib/tls/x509.h"
/* Some versions of OpenSSL declare SSL_get_selected_srtp_profile twice in
@@ -51,8 +52,8 @@ DISABLE_GCC_WARNING(redundant-decls)
ENABLE_GCC_WARNING(redundant-decls)
-#define TORTLS_PRIVATE
 #include "lib/tls/tortls.h"
+#include "lib/tls/tortls_st.h"
 #include "lib/log/log.h"
 #include "lib/log/util_bug.h"
 #include "lib/container/smartlist.h"
@@ -599,7 +600,7 @@ tor_tls_cert_matches_key,(const tor_tls_t *tls, const tor_x509_cert_t *cert))
   if (!peercert)
     return 0;
   link_key = X509_get_pubkey(peercert);
-  cert_key = X509_get_pubkey(cert->cert);
+  cert_key = X509_get_pubkey((X509 *)tor_x509_cert_get_impl(cert));
result = link_key && cert_key && EVP_PKEY_cmp(cert_key, link_key) == 1;
diff --git a/src/lib/tls/tortls.h b/src/lib/tls/tortls.h
index a1d90c16b..f46e73267 100644
--- a/src/lib/tls/tortls.h
+++ b/src/lib/tls/tortls.h
@@ -12,7 +12,6 @@
  **/
#include "lib/crypt_ops/crypto_rsa.h"
-#include "lib/crypt_ops/compat_openssl.h"
 #include "lib/testsupport/testsupport.h"
/* Opaque structure to hold a TLS connection. */
@@ -52,14 +51,6 @@ struct tor_x509_cert_t;
 #define TOR_TLS_IS_ERROR(rv) ((rv) < TOR_TLS_CLOSE)
#ifdef TORTLS_PRIVATE
-#define TOR_TLS_MAGIC 0x71571571
-
-typedef enum {
-    TOR_TLS_ST_HANDSHAKE, TOR_TLS_ST_OPEN, TOR_TLS_ST_GOTCLOSE,
-    TOR_TLS_ST_SENTCLOSE, TOR_TLS_ST_CLOSED, TOR_TLS_ST_RENEGOTIATE,
-    TOR_TLS_ST_BUFFEREVENT
-} tor_tls_state_t;
-#define tor_tls_state_bitfield_t ENUM_BF(tor_tls_state_t)
#ifdef ENABLE_OPENSSL
 struct ssl_st;
@@ -70,54 +61,7 @@ struct ssl_session_st;
 /** Holds a SSL_CTX object and related state used to configure TLS
  * connections.
  */
-typedef struct tor_tls_context_t {
-  int refcnt;
-  struct ssl_ctx_st *ctx;
-  struct tor_x509_cert_t *my_link_cert;
-  struct tor_x509_cert_t *my_id_cert;
-  struct tor_x509_cert_t *my_auth_cert;
-  crypto_pk_t *link_key;
-  crypto_pk_t *auth_key;
-} tor_tls_context_t;
-
-/** Holds a SSL object and its associated data.  Members are only
- * accessed from within tortls.c.
- */
-struct tor_tls_t {
-  uint32_t magic;
-  tor_tls_context_t *context; /** A link to the context object for this tls. */
-  struct ssl_st *ssl; /**< An OpenSSL SSL object. */
-  int socket; /**< The underlying file descriptor for this TLS connection. */
-  char *address; /**< An address to log when describing this connection. */
-  tor_tls_state_bitfield_t state : 3; /**< The current SSL state,
-                                       * depending on which operations
-                                       * have completed successfully. */
-  unsigned int isServer:1; /**< True iff this is a server-side connection */
-  unsigned int wasV2Handshake:1; /**< True iff the original handshake for
-                                  * this connection used the updated version
-                                  * of the connection protocol (client sends
-                                  * different cipher list, server sends only
-                                  * one certificate). */
-  /** True iff we should call negotiated_callback when we're done reading. */
-  unsigned int got_renegotiate:1;
-  /** Return value from tor_tls_classify_client_ciphers, or 0 if we haven't
-   * called that function yet. */
-  int8_t client_cipher_list_type;
-  /** Incremented every time we start the server side of a handshake. */
-  uint8_t server_handshake_count;
-  size_t wantwrite_n; /**< 0 normally, >0 if we returned wantwrite last
-                       * time. */
-  /** Last values retrieved from BIO_number_read()/write(); see
-   * tor_tls_get_n_raw_bytes() for usage.
-   */
-  unsigned long last_write_count;
-  unsigned long last_read_count;
-  /** If set, a callback to invoke whenever the client tries to renegotiate
-   * the handshake. */
-  void (*negotiated_callback)(tor_tls_t *tls, void *arg);
-  /** Argument to pass to negotiated_callback. */
-  void *callback_arg;
-};
+typedef struct tor_tls_context_t tor_tls_context_t;
STATIC int tor_errno_to_tls_error(int e);
 STATIC int tor_tls_get_error(tor_tls_t *tls, int r, int extra,
diff --git a/src/lib/tls/tortls_st.h b/src/lib/tls/tortls_st.h
new file mode 100644
index 000000000..897be497e
--- /dev/null
+++ b/src/lib/tls/tortls_st.h
@@ -0,0 +1,67 @@
+/* Copyright (c) 2003, Roger Dingledine
+ * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
+ * Copyright (c) 2007-2018, The Tor Project, Inc. */
+/* See LICENSE for licensing information */
+
+#ifndef TOR_TORTLS_ST_H
+#define TOR_TORTLS_ST_H
+
+#define TOR_TLS_MAGIC 0x71571571
+
+typedef enum {
+    TOR_TLS_ST_HANDSHAKE, TOR_TLS_ST_OPEN, TOR_TLS_ST_GOTCLOSE,
+    TOR_TLS_ST_SENTCLOSE, TOR_TLS_ST_CLOSED, TOR_TLS_ST_RENEGOTIATE,
+    TOR_TLS_ST_BUFFEREVENT
+} tor_tls_state_t;
+#define tor_tls_state_bitfield_t ENUM_BF(tor_tls_state_t)
+
+struct tor_tls_context_t {
+  int refcnt;
+  struct ssl_ctx_st *ctx;
+  struct tor_x509_cert_t *my_link_cert;
+  struct tor_x509_cert_t *my_id_cert;
+  struct tor_x509_cert_t *my_auth_cert;
+  crypto_pk_t *link_key;
+  crypto_pk_t *auth_key;
+};
+
+/** Holds a SSL object and its associated data.  Members are only
+ * accessed from within tortls.c.
+ */
+struct tor_tls_t {
+  uint32_t magic;
+  tor_tls_context_t *context; /** A link to the context object for this tls. */
+  struct ssl_st *ssl; /**< An OpenSSL SSL object. */
+  int socket; /**< The underlying file descriptor for this TLS connection. */
+  char *address; /**< An address to log when describing this connection. */
+  tor_tls_state_bitfield_t state : 3; /**< The current SSL state,
+                                       * depending on which operations
+                                       * have completed successfully. */
+  unsigned int isServer:1; /**< True iff this is a server-side connection */
+  unsigned int wasV2Handshake:1; /**< True iff the original handshake for
+                                  * this connection used the updated version
+                                  * of the connection protocol (client sends
+                                  * different cipher list, server sends only
+                                  * one certificate). */
+  /** True iff we should call negotiated_callback when we're done reading. */
+  unsigned int got_renegotiate:1;
+  /** Return value from tor_tls_classify_client_ciphers, or 0 if we haven't
+   * called that function yet. */
+  int8_t client_cipher_list_type;
+  /** Incremented every time we start the server side of a handshake. */
+  uint8_t server_handshake_count;
+  size_t wantwrite_n; /**< 0 normally, >0 if we returned wantwrite last
+                       * time. */
+  /** Last values retrieved from BIO_number_read()/write(); see
+   * tor_tls_get_n_raw_bytes() for usage.
+   */
+  unsigned long last_write_count;
+  unsigned long last_read_count;
+  /** If set, a callback to invoke whenever the client tries to renegotiate
+   * the handshake. */
+  void (*negotiated_callback)(tor_tls_t *tls, void *arg);
+  /** Argument to pass to negotiated_callback. */
+  void *callback_arg;
+};
+
+#endif
diff --git a/src/lib/tls/x509.c b/src/lib/tls/x509.c
index feded3473..27cba1be6 100644
--- a/src/lib/tls/x509.c
+++ b/src/lib/tls/x509.c
@@ -9,11 +9,12 @@
  * X.509 functions from OpenSSL.
  **/
+#define TOR_X509_PRIVATE
 #include "lib/tls/x509.h"
 #include "lib/tls/tortls.h"
-//#include "lib/crypt_ops/crypto_cipher.h"
 #include "lib/crypt_ops/crypto_rand.h"
 #include "lib/crypt_ops/crypto_util.h"
+#include "lib/crypt_ops/compat_openssl.h"
/* Some versions of OpenSSL declare SSL_get_selected_srtp_profile twice in
  * srtp.h. Suppress the GCC warning so we can build with -Wredundant-decl. */
@@ -332,6 +333,14 @@ tor_x509_cert_get_der(const tor_x509_cert_t *cert,
   *size_out = cert->encoded_len;
 }
+/** Return the underlying implementation for <b>cert</b> */
+const tor_x509_cert_impl_t *
+tor_x509_cert_get_impl(const tor_x509_cert_t *cert)
+{
+  tor_assert(cert);
+  return cert->cert;
+}
+
 /** Return a set of digests for the public key in <b>cert</b>, or NULL if this
  * cert's public key is not one we know how to take the digest of. */
 const common_digests_t *
diff --git a/src/lib/tls/x509.h b/src/lib/tls/x509.h
index 2f3f3a410..4dadba06d 100644
--- a/src/lib/tls/x509.h
+++ b/src/lib/tls/x509.h
@@ -12,36 +12,35 @@
  **/
#include "lib/crypt_ops/crypto_rsa.h"
-#include "lib/crypt_ops/compat_openssl.h"
 #include "lib/testsupport/testsupport.h"
/* Opaque structure to hold an X509 certificate. */
 typedef struct tor_x509_cert_t tor_x509_cert_t;
#ifdef ENABLE_OPENSSL
-struct x509_st;
+typedef struct x509_st tor_x509_cert_impl_t;
 #endif
+#ifdef TOR_X509_PRIVATE
 /** Structure that we use for a single certificate. */
 struct tor_x509_cert_t {
-#ifdef ENABLE_OPENSSL
-  struct x509_st *cert;
-#endif
+  tor_x509_cert_impl_t *cert;
   uint8_t *encoded;
   size_t encoded_len;
   unsigned pkey_digests_set : 1;
   common_digests_t cert_digests;
   common_digests_t pkey_digests;
 };
+#endif
-MOCK_DECL(struct x509_st *, tor_tls_create_certificate,
+MOCK_DECL(tor_x509_cert_impl_t *, tor_tls_create_certificate,
                                                    (crypto_pk_t *rsa,
                                                     crypto_pk_t *rsa_sign,
                                                     const char *cname,
                                                     const char *cname_sign,
                                                   unsigned int cert_lifetime));
 MOCK_DECL(tor_x509_cert_t *, tor_x509_cert_new,
-          (struct x509_st *x509_cert));
+          (tor_x509_cert_impl_t *x509_cert));
#ifdef TOR_UNIT_TESTS
 tor_x509_cert_t *tor_x509_cert_replace_expiration(
@@ -57,22 +56,27 @@ void tor_x509_cert_free_(tor_x509_cert_t *cert);
   FREE_AND_NULL(tor_x509_cert_t, tor_x509_cert_free_, (c))
 tor_x509_cert_t *tor_x509_cert_decode(const uint8_t *certificate,
                             size_t certificate_len);
+const tor_x509_cert_impl_t *tor_x509_cert_get_impl(
+                                           const tor_x509_cert_t *cert);
 void tor_x509_cert_get_der(const tor_x509_cert_t *cert,
                       const uint8_t **encoded_out, size_t *size_out);
+
 const common_digests_t *tor_x509_cert_get_id_digests(
                       const tor_x509_cert_t *cert);
 const common_digests_t *tor_x509_cert_get_cert_digests(
                       const tor_x509_cert_t *cert);
crypto_pk_t *tor_tls_cert_get_key(tor_x509_cert_t *cert);
+
 int tor_tls_cert_is_valid(int severity,
                           const tor_x509_cert_t *cert,
                           const tor_x509_cert_t *signing_cert,
                           time_t now,
                           int check_rsa_1024);
-int check_cert_lifetime_internal(int severity, const X509 *cert,
-                                   time_t now,
-                                   int past_tolerance, int future_tolerance);
+int check_cert_lifetime_internal(int severity,
+                                 const tor_x509_cert_impl_t *cert,
+                                 time_t now,
+                                 int past_tolerance, int future_tolerance);
#endif
diff --git a/src/test/test_link_handshake.c b/src/test/test_link_handshake.c
index c1ede5420..e4722b4df 100644
--- a/src/test/test_link_handshake.c
+++ b/src/test/test_link_handshake.c
@@ -24,6 +24,7 @@
 #include "core/or/or_handshake_state_st.h"
 #include "core/or/var_cell_st.h"
+#define TOR_X509_PRIVATE
 #include "lib/tls/tortls.h"
 #include "lib/tls/x509.h"
diff --git a/src/test/test_tortls.c b/src/test/test_tortls.c
index f5b11d4f2..ec197ba99 100644
--- a/src/test/test_tortls.c
+++ b/src/test/test_tortls.c
@@ -3,6 +3,7 @@
#define TORTLS_PRIVATE
 #define TORTLS_OPENSSL_PRIVATE
+#define TOR_X509_PRIVATE
 #define LOG_PRIVATE
 #include "orconfig.h"
@@ -33,7 +34,9 @@ ENABLE_GCC_WARNING(redundant-decls)
 #include "core/or/or.h"
 #include "lib/log/log.h"
 #include "app/config/config.h"
+#include "lib/crypt_ops/compat_openssl.h"
 #include "lib/tls/tortls.h"
+#include "lib/tls/tortls_st.h"
 #include "lib/tls/x509.h"
 #include "app/config/or_state_st.h"

    