summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorNick Mathewson <nickm@torproject.org>2011-11-27 09:18:55 -0500
committerNick Mathewson <nickm@torproject.org>2011-11-27 09:18:55 -0500
commite665ec6409c253ebbbf7ae0ef2601fe7c8afba7b (patch)
treed0dbfdaca6e570f5f87bd045c025ec0b0ebe34a5
parent617617e21a2d30a86cea9c8f7043333078f2e8f8 (diff)
parentefba71b03c5a8361352a4fac22bd7261b643bb7b (diff)
downloadtor-e665ec6409c253ebbbf7ae0ef2601fe7c8afba7b.tar.gz
tor-e665ec6409c253ebbbf7ae0ef2601fe7c8afba7b.zip
Merge remote-tracking branch 'asn/bug4584'
-rw-r--r--changes/bug45844
-rw-r--r--src/common/tortls.c17
2 files changed, 20 insertions, 1 deletions
diff --git a/changes/bug4584 b/changes/bug4584
new file mode 100644
index 0000000000..38cf2d6da6
--- /dev/null
+++ b/changes/bug4584
@@ -0,0 +1,4 @@
+ o Privacy/anonymity features (bridge detection):
+ - Make bridge SSL certificates a bit more stealthy by using random
+ serial numbers, in the same fashion as OpenSSL when generating
+ self-signed certificates. Implements ticket 4584.
diff --git a/src/common/tortls.c b/src/common/tortls.c
index e052c85eb2..9ac5c34f26 100644
--- a/src/common/tortls.c
+++ b/src/common/tortls.c
@@ -585,7 +585,11 @@ tor_tls_create_certificate(crypto_pk_env_t *rsa,
const char *cname_sign,
unsigned int cert_lifetime)
{
+#define SERIAL_NUMBER_SIZE 8
+
time_t start_time, end_time;
+ BIGNUM *serial_number = NULL;
+ unsigned char serial_tmp[SERIAL_NUMBER_SIZE];
EVP_PKEY *sign_pkey = NULL, *pkey=NULL;
X509 *x509 = NULL;
X509_NAME *name = NULL, *name_issuer=NULL;
@@ -606,8 +610,15 @@ tor_tls_create_certificate(crypto_pk_env_t *rsa,
goto error;
if (!(X509_set_version(x509, 2)))
goto error;
- if (!(ASN1_INTEGER_set(X509_get_serialNumber(x509), (long)start_time)))
+
+ { /* our serial number is 8 random bytes. */
+ if (crypto_rand((char *)serial_tmp, sizeof(serial_tmp)) < 0)
+ goto error;
+ if (!(serial_number = BN_bin2bn(serial_tmp, sizeof(serial_tmp), NULL)))
goto error;
+ if (!(BN_to_ASN1_INTEGER(serial_number, X509_get_serialNumber(x509))))
+ goto error;
+ }
if (!(name = tor_x509_name_new(cname)))
goto error;
@@ -640,11 +651,15 @@ tor_tls_create_certificate(crypto_pk_env_t *rsa,
EVP_PKEY_free(sign_pkey);
if (pkey)
EVP_PKEY_free(pkey);
+ if (serial_number)
+ BN_free(serial_number);
if (name)
X509_NAME_free(name);
if (name_issuer)
X509_NAME_free(name_issuer);
return x509;
+
+#undef SERIAL_NUMBER_SIZE
}
/** List of ciphers that servers should select from.*/