mirror of
https://gitlab.torproject.org/tpo/core/tor.git
synced 2024-11-20 10:12:15 +01:00
Do not allocate our ed-link crosscert till after tls ctx
We need this to prevent some annoying chutney crash-at-starts
This commit is contained in:
Nick Mathewson
parent
3bee74c6d1
commit
8f15423b76
@ -866,8 +866,7 @@ init_keys(void)
|
|||||||
}
|
}
|
||||||
|
|
||||||
/* 1d. Load all ed25519 keys */
|
/* 1d. Load all ed25519 keys */
|
||||||
if (load_ed_keys(options,now) < 0 ||
|
if (load_ed_keys(options,now) < 0)
|
||||||
generate_ed_link_cert(options,now))
|
|
||||||
return -1;
|
return -1;
|
||||||
|
|
||||||
/* 2. Read onion key. Make it if none is found. */
|
/* 2. Read onion key. Make it if none is found. */
|
||||||
@ -935,6 +934,13 @@ init_keys(void)
|
|||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/* 3b. Get an ed25519 link certificate. Note that we need to do this
|
||||||
|
* after we set up the TLS context */
|
||||||
|
if (generate_ed_link_cert(options, now) < 0) {
|
||||||
|
log_err(LD_GENERAL,"Couldn't make link cert");
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
|
||||||
/* 4. Build our router descriptor. */
|
/* 4. Build our router descriptor. */
|
||||||
/* Must be called after keys are initialized. */
|
/* Must be called after keys are initialized. */
|
||||||
mydesc = router_get_my_descriptor();
|
mydesc = router_get_my_descriptor();
|
||||||
|
|||||||
@ -418,9 +418,6 @@ load_ed_keys(const or_options_t *options, time_t now)
|
|||||||
SET_CERT(auth_key_cert, auth_cert);
|
SET_CERT(auth_key_cert, auth_cert);
|
||||||
}
|
}
|
||||||
|
|
||||||
if (generate_ed_link_cert(options, now) < 0)
|
|
||||||
FAIL("Couldn't make link cert");
|
|
||||||
|
|
||||||
return 0;
|
return 0;
|
||||||
err:
|
err:
|
||||||
ed25519_keypair_free(id);
|
ed25519_keypair_free(id);
|
||||||
@ -438,8 +435,10 @@ generate_ed_link_cert(const or_options_t *options, time_t now)
|
|||||||
const tor_x509_cert_t *link = NULL, *id = NULL;
|
const tor_x509_cert_t *link = NULL, *id = NULL;
|
||||||
tor_cert_t *link_cert = NULL;
|
tor_cert_t *link_cert = NULL;
|
||||||
|
|
||||||
if (tor_tls_get_my_certs(1, &link, &id) < 0 || link == NULL)
|
if (tor_tls_get_my_certs(1, &link, &id) < 0 || link == NULL) {
|
||||||
|
log_warn(LD_OR, "Can't get my x509 link cert.");
|
||||||
return -1;
|
return -1;
|
||||||
|
}
|
||||||
|
|
||||||
const digests_t *digests = tor_x509_cert_get_cert_digests(link);
|
const digests_t *digests = tor_x509_cert_get_cert_digests(link);
|
||||||
|
|
||||||
|
|||||||
@ -446,6 +446,7 @@ test_routerkeys_ed_keys_init_all(void *arg)
|
|||||||
options->DataDirectory = dir;
|
options->DataDirectory = dir;
|
||||||
|
|
||||||
tt_int_op(0, ==, load_ed_keys(options, now));
|
tt_int_op(0, ==, load_ed_keys(options, now));
|
||||||
|
tt_int_op(0, ==, generate_ed_link_cert(options, now));
|
||||||
tt_assert(get_master_identity_key());
|
tt_assert(get_master_identity_key());
|
||||||
tt_assert(get_master_identity_key());
|
tt_assert(get_master_identity_key());
|
||||||
tt_assert(get_master_signing_keypair());
|
tt_assert(get_master_signing_keypair());
|
||||||
@ -460,6 +461,7 @@ test_routerkeys_ed_keys_init_all(void *arg)
|
|||||||
|
|
||||||
/* Call load_ed_keys again, but nothing has changed. */
|
/* Call load_ed_keys again, but nothing has changed. */
|
||||||
tt_int_op(0, ==, load_ed_keys(options, now));
|
tt_int_op(0, ==, load_ed_keys(options, now));
|
||||||
|
tt_int_op(0, ==, generate_ed_link_cert(options, now));
|
||||||
tt_mem_op(&id, ==, get_master_identity_key(), sizeof(id));
|
tt_mem_op(&id, ==, get_master_identity_key(), sizeof(id));
|
||||||
tt_mem_op(&sign, ==, get_master_signing_keypair(), sizeof(sign));
|
tt_mem_op(&sign, ==, get_master_signing_keypair(), sizeof(sign));
|
||||||
tt_mem_op(&auth, ==, get_current_auth_keypair(), sizeof(auth));
|
tt_mem_op(&auth, ==, get_current_auth_keypair(), sizeof(auth));
|
||||||
@ -468,6 +470,7 @@ test_routerkeys_ed_keys_init_all(void *arg)
|
|||||||
/* Force a reload: we make new link/auth keys. */
|
/* Force a reload: we make new link/auth keys. */
|
||||||
routerkeys_free_all();
|
routerkeys_free_all();
|
||||||
tt_int_op(0, ==, load_ed_keys(options, now));
|
tt_int_op(0, ==, load_ed_keys(options, now));
|
||||||
|
tt_int_op(0, ==, generate_ed_link_cert(options, now));
|
||||||
tt_mem_op(&id, ==, get_master_identity_key(), sizeof(id));
|
tt_mem_op(&id, ==, get_master_identity_key(), sizeof(id));
|
||||||
tt_mem_op(&sign, ==, get_master_signing_keypair(), sizeof(sign));
|
tt_mem_op(&sign, ==, get_master_signing_keypair(), sizeof(sign));
|
||||||
tt_assert(tor_cert_eq(link_cert, get_current_link_cert_cert()));
|
tt_assert(tor_cert_eq(link_cert, get_current_link_cert_cert()));
|
||||||
@ -481,6 +484,7 @@ test_routerkeys_ed_keys_init_all(void *arg)
|
|||||||
|
|
||||||
/* Force a link/auth-key regeneration by advancing time. */
|
/* Force a link/auth-key regeneration by advancing time. */
|
||||||
tt_int_op(0, ==, load_ed_keys(options, now+3*86400));
|
tt_int_op(0, ==, load_ed_keys(options, now+3*86400));
|
||||||
|
tt_int_op(0, ==, generate_ed_link_cert(options, now+3*86400));
|
||||||
tt_mem_op(&id, ==, get_master_identity_key(), sizeof(id));
|
tt_mem_op(&id, ==, get_master_identity_key(), sizeof(id));
|
||||||
tt_mem_op(&sign, ==, get_master_signing_keypair(), sizeof(sign));
|
tt_mem_op(&sign, ==, get_master_signing_keypair(), sizeof(sign));
|
||||||
tt_assert(! tor_cert_eq(link_cert, get_current_link_cert_cert()));
|
tt_assert(! tor_cert_eq(link_cert, get_current_link_cert_cert()));
|
||||||
@ -494,6 +498,7 @@ test_routerkeys_ed_keys_init_all(void *arg)
|
|||||||
|
|
||||||
/* Force a signing-key regeneration by advancing time. */
|
/* Force a signing-key regeneration by advancing time. */
|
||||||
tt_int_op(0, ==, load_ed_keys(options, now+100*86400));
|
tt_int_op(0, ==, load_ed_keys(options, now+100*86400));
|
||||||
|
tt_int_op(0, ==, generate_ed_link_cert(options, now+100*86400));
|
||||||
tt_mem_op(&id, ==, get_master_identity_key(), sizeof(id));
|
tt_mem_op(&id, ==, get_master_identity_key(), sizeof(id));
|
||||||
tt_mem_op(&sign, !=, get_master_signing_keypair(), sizeof(sign));
|
tt_mem_op(&sign, !=, get_master_signing_keypair(), sizeof(sign));
|
||||||
tt_assert(! tor_cert_eq(link_cert, get_current_link_cert_cert()));
|
tt_assert(! tor_cert_eq(link_cert, get_current_link_cert_cert()));
|
||||||
@ -511,6 +516,7 @@ test_routerkeys_ed_keys_init_all(void *arg)
|
|||||||
unlink(get_fname("test_ed_keys_init_all/keys/"
|
unlink(get_fname("test_ed_keys_init_all/keys/"
|
||||||
"ed25519_master_id_secret_key"));
|
"ed25519_master_id_secret_key"));
|
||||||
tt_int_op(0, ==, load_ed_keys(options, now));
|
tt_int_op(0, ==, load_ed_keys(options, now));
|
||||||
|
tt_int_op(0, ==, generate_ed_link_cert(options, now));
|
||||||
tt_mem_op(&id, ==, get_master_identity_key(), sizeof(id));
|
tt_mem_op(&id, ==, get_master_identity_key(), sizeof(id));
|
||||||
tt_mem_op(&sign, ==, get_master_signing_keypair(), sizeof(sign));
|
tt_mem_op(&sign, ==, get_master_signing_keypair(), sizeof(sign));
|
||||||
tt_assert(! tor_cert_eq(link_cert, get_current_link_cert_cert()));
|
tt_assert(! tor_cert_eq(link_cert, get_current_link_cert_cert()));
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user