diff options
| author | Nick Mathewson <nickm@torproject.org> | 2015-05-15 11:09:10 -0400 |
|---|---|---|
| committer | Nick Mathewson <nickm@torproject.org> | 2015-05-28 10:47:47 -0400 |
| commit | 8f15423b76557b8401aee28dafca810b512bd0e8 (patch) | |
| tree | 980f5f65c57c08cded0e7377e1203b9996641770 | |
| parent | 3bee74c6d115131f4850a07a5c12db21ae6f3193 (diff) | |
| download | tor-8f15423b76557b8401aee28dafca810b512bd0e8.tar.gz tor-8f15423b76557b8401aee28dafca810b512bd0e8.zip | |
Do not allocate our ed-link crosscert till after tls ctx
We need this to prevent some annoying chutney crash-at-starts
| -rw-r--r-- | src/or/router.c | 10 | ||||
| -rw-r--r-- | src/or/routerkeys.c | 7 | ||||
| -rw-r--r-- | src/test/test_routerkeys.c | 6 |
3 files changed, 17 insertions, 6 deletions
diff --git a/src/or/router.c b/src/or/router.c index 1e433ed469..00cd0578c6 100644 --- a/src/or/router.c +++ b/src/or/router.c @@ -866,8 +866,7 @@ init_keys(void) } /* 1d. Load all ed25519 keys */ - if (load_ed_keys(options,now) < 0 || - generate_ed_link_cert(options,now)) + if (load_ed_keys(options,now) < 0) return -1; /* 2. Read onion key. Make it if none is found. */ @@ -935,6 +934,13 @@ init_keys(void) return -1; } + /* 3b. Get an ed25519 link certificate. Note that we need to do this + * after we set up the TLS context */ + if (generate_ed_link_cert(options, now) < 0) { + log_err(LD_GENERAL,"Couldn't make link cert"); + return -1; + } + /* 4. Build our router descriptor. */ /* Must be called after keys are initialized. */ mydesc = router_get_my_descriptor(); diff --git a/src/or/routerkeys.c b/src/or/routerkeys.c index b90cc73fda..556ab45732 100644 --- a/src/or/routerkeys.c +++ b/src/or/routerkeys.c @@ -418,9 +418,6 @@ load_ed_keys(const or_options_t *options, time_t now) SET_CERT(auth_key_cert, auth_cert); } - if (generate_ed_link_cert(options, now) < 0) - FAIL("Couldn't make link cert"); - return 0; err: ed25519_keypair_free(id); @@ -438,8 +435,10 @@ generate_ed_link_cert(const or_options_t *options, time_t now) const tor_x509_cert_t *link = NULL, *id = NULL; tor_cert_t *link_cert = NULL; - if (tor_tls_get_my_certs(1, &link, &id) < 0 || link == NULL) + if (tor_tls_get_my_certs(1, &link, &id) < 0 || link == NULL) { + log_warn(LD_OR, "Can't get my x509 link cert."); return -1; + } const digests_t *digests = tor_x509_cert_get_cert_digests(link); diff --git a/src/test/test_routerkeys.c b/src/test/test_routerkeys.c index 06fc4ee217..26f9701f49 100644 --- a/src/test/test_routerkeys.c +++ b/src/test/test_routerkeys.c @@ -446,6 +446,7 @@ test_routerkeys_ed_keys_init_all(void *arg) options->DataDirectory = dir; tt_int_op(0, ==, load_ed_keys(options, now)); + tt_int_op(0, ==, generate_ed_link_cert(options, now)); tt_assert(get_master_identity_key()); tt_assert(get_master_identity_key()); tt_assert(get_master_signing_keypair()); @@ -460,6 +461,7 @@ test_routerkeys_ed_keys_init_all(void *arg) /* Call load_ed_keys again, but nothing has changed. */ tt_int_op(0, ==, load_ed_keys(options, now)); + tt_int_op(0, ==, generate_ed_link_cert(options, now)); tt_mem_op(&id, ==, get_master_identity_key(), sizeof(id)); tt_mem_op(&sign, ==, get_master_signing_keypair(), sizeof(sign)); tt_mem_op(&auth, ==, get_current_auth_keypair(), sizeof(auth)); @@ -468,6 +470,7 @@ test_routerkeys_ed_keys_init_all(void *arg) /* Force a reload: we make new link/auth keys. */ routerkeys_free_all(); tt_int_op(0, ==, load_ed_keys(options, now)); + tt_int_op(0, ==, generate_ed_link_cert(options, now)); tt_mem_op(&id, ==, get_master_identity_key(), sizeof(id)); tt_mem_op(&sign, ==, get_master_signing_keypair(), sizeof(sign)); tt_assert(tor_cert_eq(link_cert, get_current_link_cert_cert())); @@ -481,6 +484,7 @@ test_routerkeys_ed_keys_init_all(void *arg) /* Force a link/auth-key regeneration by advancing time. */ tt_int_op(0, ==, load_ed_keys(options, now+3*86400)); + tt_int_op(0, ==, generate_ed_link_cert(options, now+3*86400)); tt_mem_op(&id, ==, get_master_identity_key(), sizeof(id)); tt_mem_op(&sign, ==, get_master_signing_keypair(), sizeof(sign)); tt_assert(! tor_cert_eq(link_cert, get_current_link_cert_cert())); @@ -494,6 +498,7 @@ test_routerkeys_ed_keys_init_all(void *arg) /* Force a signing-key regeneration by advancing time. */ tt_int_op(0, ==, load_ed_keys(options, now+100*86400)); + tt_int_op(0, ==, generate_ed_link_cert(options, now+100*86400)); tt_mem_op(&id, ==, get_master_identity_key(), sizeof(id)); tt_mem_op(&sign, !=, get_master_signing_keypair(), sizeof(sign)); tt_assert(! tor_cert_eq(link_cert, get_current_link_cert_cert())); @@ -511,6 +516,7 @@ test_routerkeys_ed_keys_init_all(void *arg) unlink(get_fname("test_ed_keys_init_all/keys/" "ed25519_master_id_secret_key")); tt_int_op(0, ==, load_ed_keys(options, now)); + tt_int_op(0, ==, generate_ed_link_cert(options, now)); tt_mem_op(&id, ==, get_master_identity_key(), sizeof(id)); tt_mem_op(&sign, ==, get_master_signing_keypair(), sizeof(sign)); tt_assert(! tor_cert_eq(link_cert, get_current_link_cert_cert())); |