diff options
author | Nick Mathewson <nickm@torproject.org> | 2011-11-27 09:18:55 -0500 |
---|---|---|
committer | Nick Mathewson <nickm@torproject.org> | 2011-11-27 09:18:55 -0500 |
commit | e665ec6409c253ebbbf7ae0ef2601fe7c8afba7b (patch) | |
tree | d0dbfdaca6e570f5f87bd045c025ec0b0ebe34a5 | |
parent | 617617e21a2d30a86cea9c8f7043333078f2e8f8 (diff) | |
parent | efba71b03c5a8361352a4fac22bd7261b643bb7b (diff) | |
download | tor-e665ec6409c253ebbbf7ae0ef2601fe7c8afba7b.tar.gz tor-e665ec6409c253ebbbf7ae0ef2601fe7c8afba7b.zip |
Merge remote-tracking branch 'asn/bug4584'
-rw-r--r-- | changes/bug4584 | 4 | ||||
-rw-r--r-- | src/common/tortls.c | 17 |
2 files changed, 20 insertions, 1 deletions
diff --git a/changes/bug4584 b/changes/bug4584 new file mode 100644 index 0000000000..38cf2d6da6 --- /dev/null +++ b/changes/bug4584 @@ -0,0 +1,4 @@ + o Privacy/anonymity features (bridge detection): + - Make bridge SSL certificates a bit more stealthy by using random + serial numbers, in the same fashion as OpenSSL when generating + self-signed certificates. Implements ticket 4584. diff --git a/src/common/tortls.c b/src/common/tortls.c index e052c85eb2..9ac5c34f26 100644 --- a/src/common/tortls.c +++ b/src/common/tortls.c @@ -585,7 +585,11 @@ tor_tls_create_certificate(crypto_pk_env_t *rsa, const char *cname_sign, unsigned int cert_lifetime) { +#define SERIAL_NUMBER_SIZE 8 + time_t start_time, end_time; + BIGNUM *serial_number = NULL; + unsigned char serial_tmp[SERIAL_NUMBER_SIZE]; EVP_PKEY *sign_pkey = NULL, *pkey=NULL; X509 *x509 = NULL; X509_NAME *name = NULL, *name_issuer=NULL; @@ -606,8 +610,15 @@ tor_tls_create_certificate(crypto_pk_env_t *rsa, goto error; if (!(X509_set_version(x509, 2))) goto error; - if (!(ASN1_INTEGER_set(X509_get_serialNumber(x509), (long)start_time))) + + { /* our serial number is 8 random bytes. */ + if (crypto_rand((char *)serial_tmp, sizeof(serial_tmp)) < 0) + goto error; + if (!(serial_number = BN_bin2bn(serial_tmp, sizeof(serial_tmp), NULL))) goto error; + if (!(BN_to_ASN1_INTEGER(serial_number, X509_get_serialNumber(x509)))) + goto error; + } if (!(name = tor_x509_name_new(cname))) goto error; @@ -640,11 +651,15 @@ tor_tls_create_certificate(crypto_pk_env_t *rsa, EVP_PKEY_free(sign_pkey); if (pkey) EVP_PKEY_free(pkey); + if (serial_number) + BN_free(serial_number); if (name) X509_NAME_free(name); if (name_issuer) X509_NAME_free(name_issuer); return x509; + +#undef SERIAL_NUMBER_SIZE } /** List of ciphers that servers should select from.*/ |