diff options
author | Nick Mathewson <nickm@torproject.org> | 2016-08-30 11:04:44 -0400 |
---|---|---|
committer | Nick Mathewson <nickm@torproject.org> | 2016-11-03 08:39:30 -0400 |
commit | e64bac6eb4a89ae63a2d5c1cb41cac903f1e8e66 (patch) | |
tree | d7e5af3ddb660e5d3cd5baf56563826ed63be9ad | |
parent | b4a5c779014b35d60f4a2ddcec31e7075ad52995 (diff) | |
download | tor-e64bac6eb4a89ae63a2d5c1cb41cac903f1e8e66.tar.gz tor-e64bac6eb4a89ae63a2d5c1cb41cac903f1e8e66.zip |
Increase TLS RSA link key length to 2048 bits
Oddly, nothing broke.
Closes ticket 13752.
-rw-r--r-- | changes/feature13752 | 4 | ||||
-rw-r--r-- | src/common/tortls.c | 8 | ||||
-rw-r--r-- | src/test/test_link_handshake.c | 3 |
3 files changed, 11 insertions, 4 deletions
diff --git a/changes/feature13752 b/changes/feature13752 new file mode 100644 index 0000000000..f318cc29f5 --- /dev/null +++ b/changes/feature13752 @@ -0,0 +1,4 @@ + o Minor features (fingerprinting resistence, authentication): + - Extend the length of RSA keys used for TLS link authentication to + 2048 bits. (These weren't used for forward secrecy; for forward + secrecy, we used P256.) Closes ticket 13752. diff --git a/src/common/tortls.c b/src/common/tortls.c index fd8698128b..33bd334a12 100644 --- a/src/common/tortls.c +++ b/src/common/tortls.c @@ -775,8 +775,8 @@ tor_tls_context_decref(tor_tls_context_t *ctx) /** Set *<b>link_cert_out</b> and *<b>id_cert_out</b> to the link certificate * and ID certificate that we're currently using for our V3 in-protocol * handshake's certificate chain. If <b>server</b> is true, provide the certs - * that we use in server mode; otherwise, provide the certs that we use in - * client mode. */ + * that we use in server mode (auth, ID); otherwise, provide the certs that we + * use in client mode. (link, ID) */ int tor_tls_get_my_certs(int server, const tor_x509_cert_t **link_cert_out, @@ -1026,6 +1026,8 @@ tor_tls_context_init_one(tor_tls_context_t **ppcontext, /** The group we should use for ecdhe when none was selected. */ #define NID_tor_default_ecdhe_group NID_X9_62_prime256v1 +#define RSA_LINK_KEY_BITS 2048 + /** Create a new TLS context for use with Tor TLS handshakes. * <b>identity</b> should be set to the identity key used to sign the * certificate. @@ -1051,7 +1053,7 @@ tor_tls_context_new(crypto_pk_t *identity, unsigned int key_lifetime, /* Generate short-term RSA key for use with TLS. */ if (!(rsa = crypto_pk_new())) goto error; - if (crypto_pk_generate_key(rsa)<0) + if (crypto_pk_generate_key_with_bits(rsa, RSA_LINK_KEY_BITS)<0) goto error; if (!is_client) { /* Generate short-term RSA key for use in the in-protocol ("v3") diff --git a/src/test/test_link_handshake.c b/src/test/test_link_handshake.c index 9a3b57d3a0..05c84000b1 100644 --- a/src/test/test_link_handshake.c +++ b/src/test/test_link_handshake.c @@ -258,7 +258,8 @@ recv_certs_setup(const struct testcase_t *test) const tor_x509_cert_t *a,*b; const uint8_t *enca, *encb; size_t lena, lenb; - tor_tls_get_my_certs(1, &a, &b); + tor_tls_get_my_certs(0, &a, &b); /* Use '0' here to make sure we get + * auth cert */ tor_x509_cert_get_der(a, &enca, &lena); tor_x509_cert_get_der(b, &encb, &lenb); certs_cell_cert_setlen_body(ccc1, lena); |