author | Nick Mathewson <nickm@torproject.org> | 2015-05-21 13:43:34 -0400 |
---|---|---|
committer | Nick Mathewson <nickm@torproject.org> | 2016-11-03 08:37:21 -0400 |
commit | e23389841c7797615b09ee6457e841b4ed13ea75 (patch) | |
tree | 5303cc276c4888567b883f3fec70209a2b5de2fa | |
parent | 4ef42e7c529a95b69d3e830e115e5d0453d38dfb (diff) | |
Migrate certificates into a sub-structure of or_handshake_state
This will help us do cert-checking in the background in the future,
perhaps.
-rw-r--r-- | src/or/channeltls.c | 16 | ||||
-rw-r--r-- | src/or/connection_or.c | 10 | ||||
-rw-r--r-- | src/or/or.h | 19 | ||||
-rw-r--r-- | src/or/torcert.c | 20 | ||||
-rw-r--r-- | src/or/torcert.h | 3 | ||||
-rw-r--r-- | src/test/test_link_handshake.c | 32 |
6 files changed, 62 insertions, 38 deletions
diff --git a/src/or/channeltls.c b/src/or/channeltls.c
index 9e92aadfb1..fbe784c77c 100644
--- a/src/or/channeltls.c
+++ b/src/or/channeltls.c
@@ -1947,7 +1947,7 @@ channel_tls_process_certs_cell(var_cell_t *cell, channel_tls_t *chan)
 "Got some good certificates from %s:%d: Authenticated it.", safe_str(chan->conn->base_.address), chan->conn->base_.port);
- chan->conn->handshake_state->id_cert = id_cert;
+ chan->conn->handshake_state->certs->id_cert = id_cert;
 x509_certs[OR_CERT_TYPE_ID_1024] = NULL;
 if (!public_server_mode(get_options())) {
@@ -1973,8 +1973,8 @@ channel_tls_process_certs_cell(var_cell_t *cell, channel_tls_t *chan)
 chan->conn->base_.port);
 /* XXXX check more stuff? */
- chan->conn->handshake_state->id_cert = id_cert;
- chan->conn->handshake_state->auth_cert = auth_cert;
+ chan->conn->handshake_state->certs->id_cert = id_cert;
+ chan->conn->handshake_state->certs->auth_cert = auth_cert;
 x509_certs[OR_CERT_TYPE_ID_1024] = x509_certs[OR_CERT_TYPE_AUTH_1024] = NULL;
 }
@@ -2147,9 +2147,9 @@ channel_tls_process_authenticate_cell(var_cell_t *cell, channel_tls_t *chan)
 }
 if (!(chan->conn->handshake_state->received_certs_cell)) ERR("We never got a certs cell");
- if (chan->conn->handshake_state->auth_cert == NULL)
+ if (chan->conn->handshake_state->certs->auth_cert == NULL)
 ERR("We never got an authentication certificate");
- if (chan->conn->handshake_state->id_cert == NULL)
+ if (chan->conn->handshake_state->certs->id_cert == NULL)
 ERR("We never got an identity certificate");
 if (cell->payload_len < 4) ERR("Cell was way too short");
@@ -2195,7 +2195,7 @@ channel_tls_process_authenticate_cell(var_cell_t *cell, channel_tls_t *chan)
 {
 crypto_pk_t *pk = tor_tls_cert_get_key(
- chan->conn->handshake_state->auth_cert);
+ chan->conn->handshake_state->certs->auth_cert);
 char d[DIGEST256_LEN];
 char *signed_data;
 size_t keysize;
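Review bot: `chan->conn->handshake_state->certs` is dereferenced with no NULL check in both `channel_tls_process_certs_cell` hunks (-1947, -1973), and the same holds for the AUTHENTICATE checks at -2147, -2195 and -2234 and for `connection_or_compute_authenticate_cell_body`. The only allocation visible in this commit is `s->certs = or_handshake_certs_new();` in `connection_init_or_handshake_state`, so any `or_handshake_state_t` built another way (a zeroed struct in a test, for instance) would turn these reads into a NULL dereference on a path driven by cells from the peer. I would state the invariant on the field in or.h, e.g. `/** Never NULL between connection_init_or_handshake_state() and or_handshake_state_free(), which owns and frees it. */`. The function bodies start and end outside these hunks.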
@@ -2234,9 +2234,9 @@ channel_tls_process_authenticate_cell(var_cell_t *cell, channel_tls_t *chan)
 chan->conn->handshake_state->digest_received_data = 0;
 {
 crypto_pk_t *identity_rcvd =
- tor_tls_cert_get_key(chan->conn->handshake_state->id_cert);
+ tor_tls_cert_get_key(chan->conn->handshake_state->certs->id_cert);
 const common_digests_t *id_digests =
- tor_x509_cert_get_id_digests(chan->conn->handshake_state->id_cert);
+ tor_x509_cert_get_id_digests(chan->conn->handshake_state->certs->id_cert);
 /* This must exist; we checked key type when reading the cert. */
 tor_assert(id_digests);
diff --git a/src/or/connection_or.c b/src/or/connection_or.c
index ed91595504..5a9c597772 100644
--- a/src/or/connection_or.c
+++ b/src/or/connection_or.c
@@ -1764,6 +1764,7 @@ connection_init_or_handshake_state(or_connection_t *conn, int started_here)
 s->started_here = started_here ? 1 : 0;
 s->digest_sent_data = 1;
 s->digest_received_data = 1;
+ s->certs = or_handshake_certs_new();
 return 0;
 }
@@ -1775,8 +1776,7 @@ or_handshake_state_free(or_handshake_state_t *state)
 return;
 crypto_digest_free(state->digest_sent);
 crypto_digest_free(state->digest_received);
- tor_x509_cert_free(state->auth_cert);
- tor_x509_cert_free(state->id_cert);
+ or_handshake_certs_free(state->certs);
 memwipe(state, 0xBE, sizeof(or_handshake_state_t));
 tor_free(state);
 }
@@ -2356,7 +2356,7 @@ connection_or_compute_authenticate_cell_body(or_connection_t *conn,
 goto err;
 my_digests = tor_x509_cert_get_id_digests(id_cert);
 their_digests =
- tor_x509_cert_get_id_digests(conn->handshake_state->id_cert);
+ tor_x509_cert_get_id_digests(conn->handshake_state->certs->id_cert);
 tor_assert(my_digests);
 tor_assert(their_digests);
 my_id = (uint8_t*)my_digests->d[DIGEST_SHA256];
@@ -2374,10 +2374,10 @@ connection_or_compute_authenticate_cell_body(or_connection_t *conn,
 if (is_ed) {
 const ed25519_public_key_t *my_ed_id, *their_ed_id;
- if (!conn->handshake_state->ed_id_sign_cert)
+ if (!conn->handshake_state->certs->ed_id_sign_cert)
 goto err;
 my_ed_id = get_master_identity_key();
- their_ed_id = &conn->handshake_state->ed_id_sign_cert->signing_key;
+ their_ed_id = &conn->handshake_state->certs->ed_id_sign_cert->signing_key;
 const uint8_t *cid_ed = (server ? their_ed_id : my_ed_id)->pubkey;
 const uint8_t *sid_ed = (server ? my_ed_id : their_ed_id)->pubkey;
diff --git a/src/or/or.h b/src/or/or.h
index 9e9b1bf3a6..cdde448bc9 100644
--- a/src/or/or.h
+++ b/src/or/or.h
@@ -1386,6 +1386,15 @@ typedef struct listener_connection_t {
 * signs. */
 #define V3_AUTH_BODY_LEN (V3_AUTH_FIXED_PART_LEN + 8 + 16)
+typedef struct or_handshake_certs_t {
+ /** The cert for the key that's supposed to sign the AUTHENTICATE cell */
+ tor_x509_cert_t *auth_cert;
+ /** A self-signed identity certificate */
+ tor_x509_cert_t *id_cert;
+ /** DOCDOC */
+ struct tor_cert_st *ed_id_sign_cert;
+} or_handshake_certs_t;
+
 /** Stores flags and information related to the portion of a v2/v3 Tor OR * connection handshake that happens after the TLS handshake is finished. */
@@ -1438,16 +1447,8 @@ typedef struct or_handshake_state_t {
 /** Certificates that a connection initiator sent us in a CERTS cell; we're * holding on to them until we get an AUTHENTICATE cell.
- *
- * @{
 */
- /** The cert for the key that's supposed to sign the AUTHENTICATE cell */
- tor_x509_cert_t *auth_cert;
- /** A self-signed identity certificate */
- tor_x509_cert_t *id_cert;
- /** DOCDOC */
- struct tor_cert_st *ed_id_sign_cert;
- /**@}*/
+ or_handshake_certs_t *certs;
 } or_handshake_state_t;
 /** Length of Extended ORPort connection identifier. */
diff --git a/src/or/torcert.c b/src/or/torcert.c
index a6a33c675a..e8bee54d52 100644
--- a/src/or/torcert.c
+++ b/src/or/torcert.c
@@ -8,6 +8,7 @@
 * protocol. */
+#include "or.h"
 #include "crypto.h"
 #include "torcert.h"
 #include "ed25519_cert.h"
@@ -295,3 +296,22 @@ tor_make_rsa_ed25519_crosscert(const ed25519_public_key_t *ed_key,
 return sz;
 }
+or_handshake_certs_t *
+or_handshake_certs_new(void)
+{
+ return tor_malloc_zero(sizeof(or_handshake_certs_t));
+}
+
+/** DODCDOC */
+void
+or_handshake_certs_free(or_handshake_certs_t *certs)
+{
+ if (!certs)
+ return;
+
+ tor_x509_cert_free(certs->auth_cert);
+ tor_x509_cert_free(certs->id_cert);
+
+ memwipe(certs, 0xBD, sizeof(*certs));
+ tor_free(certs);
+}
diff --git a/src/or/torcert.h b/src/or/torcert.h
index 9c819c0abb..3f81fcdd81 100644
--- a/src/or/torcert.h
+++ b/src/or/torcert.h
@@ -72,5 +72,8 @@ ssize_t tor_make_rsa_ed25519_crosscert(const ed25519_public_key_t *ed_key,
 time_t expires, uint8_t **cert);
+or_handshake_certs_t *or_handshake_certs_new(void);
+void or_handshake_certs_free(or_handshake_certs_t *certs);
+
 #endif
diff --git a/src/test/test_link_handshake.c b/src/test/test_link_handshake.c
index 6c0567098f..3314880785 100644
--- a/src/test/test_link_handshake.c
+++ b/src/test/test_link_handshake.c
@@ -147,8 +147,8 @@ test_link_handshake_certs_ok(void *arg)
 channel_tls_process_certs_cell(cell2, chan1);
 tt_assert(c1->handshake_state->received_certs_cell);
- tt_assert(c1->handshake_state->auth_cert == NULL);
- tt_assert(c1->handshake_state->id_cert);
+ tt_assert(c1->handshake_state->certs->auth_cert == NULL);
+ tt_assert(c1->handshake_state->certs->id_cert);
 tt_assert(! tor_mem_is_zero( (char*)c1->handshake_state->authenticated_peer_id, 20));
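Review bot: `or_handshake_certs_free()` in the torcert.c hunk at -295 releases `auth_cert` and `id_cert` but not `ed_id_sign_cert`, and the `memwipe()` that follows overwrites the only copy of that pointer. This matches what `or_handshake_state_free()` did before, and nothing in this commit shows who assigns the field, so it may be borrowed; if the structure is meant to own it, add `tor_cert_free(certs->ed_id_sign_cert);` before the wipe. Either way the ownership belongs in the doc comment, which is still the placeholder `/** DODCDOC */`, while `or_handshake_certs_new()` has none; `/** Release <b>certs</b> and the certificates it holds. */` and `/** Allocate a new, empty or_handshake_certs_t. */` would do.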
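Review bot: The two prototypes added to torcert.h use `or_handshake_certs_t`, which this commit defines in or.h, yet the header gains no include or forward declaration, so it now compiles only where or.h has been included first (torcert.c gains `#include "or.h"` in this same commit, presumably for that reason). If the header is meant to stand alone, declare the tag ahead of the prototypes: `struct or_handshake_certs_t;`, then `struct or_handshake_certs_t *or_handshake_certs_new(void);` and `void or_handshake_certs_free(struct or_handshake_certs_t *certs);`.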
@@ -165,8 +165,8 @@ test_link_handshake_certs_ok(void *arg)
 channel_tls_process_certs_cell(cell1, chan2);
 tt_assert(c2->handshake_state->received_certs_cell);
- tt_assert(c2->handshake_state->auth_cert);
- tt_assert(c2->handshake_state->id_cert);
+ tt_assert(c2->handshake_state->certs->auth_cert);
+ tt_assert(c2->handshake_state->certs->id_cert);
 tt_assert(tor_mem_is_zero( (char*)c2->handshake_state->authenticated_peer_id, 20));
@@ -303,8 +303,8 @@ test_link_handshake_recv_certs_ok(void *arg)
 tt_int_op(0, ==, mock_close_called);
 tt_int_op(d->c->handshake_state->authenticated, ==, 1);
 tt_int_op(d->c->handshake_state->received_certs_cell, ==, 1);
- tt_assert(d->c->handshake_state->id_cert != NULL);
- tt_assert(d->c->handshake_state->auth_cert == NULL);
+ tt_assert(d->c->handshake_state->certs->id_cert != NULL);
+ tt_assert(d->c->handshake_state->certs->auth_cert == NULL);
 done: ;
@@ -324,8 +324,8 @@ test_link_handshake_recv_certs_ok_server(void *arg)
 tt_int_op(0, ==, mock_close_called);
 tt_int_op(d->c->handshake_state->authenticated, ==, 0);
 tt_int_op(d->c->handshake_state->received_certs_cell, ==, 1);
- tt_assert(d->c->handshake_state->id_cert != NULL);
- tt_assert(d->c->handshake_state->auth_cert != NULL);
+ tt_assert(d->c->handshake_state->certs->id_cert != NULL);
+ tt_assert(d->c->handshake_state->certs->auth_cert != NULL);
 done: ;
@@ -767,15 +767,15 @@ authenticate_data_setup(const struct testcase_t *test)
 const uint8_t *der;
 size_t sz;
 tor_x509_cert_get_der(id_cert, &der, &sz);
- d->c1->handshake_state->id_cert = tor_x509_cert_decode(der, sz);
- d->c2->handshake_state->id_cert = tor_x509_cert_decode(der, sz);
+ d->c1->handshake_state->certs->id_cert = tor_x509_cert_decode(der, sz);
+ d->c2->handshake_state->certs->id_cert = tor_x509_cert_decode(der, sz);
 tor_x509_cert_get_der(link_cert, &der, &sz);
 mock_peer_cert = tor_x509_cert_decode(der, sz);
 tt_assert(mock_peer_cert);
 tt_assert(! tor_tls_get_my_certs(0, &auth_cert, &id_cert));
 tor_x509_cert_get_der(auth_cert, &der, &sz);
- d->c2->handshake_state->auth_cert = tor_x509_cert_decode(der, sz);
+ d->c2->handshake_state->certs->auth_cert = tor_x509_cert_decode(der, sz);
 /* Make an authenticate cell ... */
 tt_int_op(0, ==, connection_or_send_authenticate_cell(d->c1,
@@ -825,7 +825,7 @@ test_link_handshake_auth_cell(void *arg)
 uint8_t sig[128];
 uint8_t digest[32];
- auth_pubkey = tor_tls_cert_get_key(d->c2->handshake_state->auth_cert);
+ auth_pubkey = tor_tls_cert_get_key(d->c2->handshake_state->certs->auth_cert);
 int n = crypto_pk_public_checksig( auth_pubkey, (char*)sig, sizeof(sig), (char*)auth1_getarray_sig(auth1),
@@ -898,13 +898,13 @@ AUTHENTICATE_FAIL(nocerts,
 AUTHENTICATE_FAIL(noidcert, require_failure_message = "We never got an identity " "certificate";
- tor_x509_cert_free(d->c2->handshake_state->id_cert);
- d->c2->handshake_state->id_cert = NULL)
+ tor_x509_cert_free(d->c2->handshake_state->certs->id_cert);
+ d->c2->handshake_state->certs->id_cert = NULL)
 AUTHENTICATE_FAIL(noauthcert, require_failure_message = "We never got an authentication " "certificate";
- tor_x509_cert_free(d->c2->handshake_state->auth_cert);
- d->c2->handshake_state->auth_cert = NULL)
+ tor_x509_cert_free(d->c2->handshake_state->certs->auth_cert);
+ d->c2->handshake_state->certs->auth_cert = NULL)
 AUTHENTICATE_FAIL(tooshort, require_failure_message = "Cell was way too short";
 d->cell->payload_len = 3) |