path: root/src/common/tortls.c
authorNick Mathewson <nickm@torproject.org>2008-02-05 19:40:26 +0000
committerNick Mathewson <nickm@torproject.org>2008-02-05 19:40:26 +0000
commita51deb9a9c7bf33ba353e008724c150bddde144b (patch)
tree5797a9e4129ba027269bb48f4e3d4571f98fe473 /src/common/tortls.c
parent2866c53eec8cd592955f15cec1a317e04aaafc7f (diff)
r17903@catbus: nickm | 2008-02-05 14:40:03 -0500
Remove some dead code; fix some XXX020s; turn some XXX020s into XXXX_IP6s (i.e., "needs to be fixed when we add ipv6 support"). svn:r13382
Diffstat (limited to 'src/common/tortls.c')
-rw-r--r--src/common/tortls.c107
1 files changed, 1 insertions, 106 deletions
diff --git a/src/common/tortls.c b/src/common/tortls.c
index 171bb80e42..b2369c7c47 100644
--- a/src/common/tortls.c
+++ b/src/common/tortls.c
@@ -889,7 +889,7 @@ tor_tls_handshake(tor_tls_t *tls)
} else {
#ifdef V2_HANDSHAKE_CLIENT
/* If we got no ID cert, we're a v2 handshake. */
- X509 *cert = SSL_get_peer_certificate(tls->ssl);/*XXXX020 refcnt?*/
+ X509 *cert = SSL_get_peer_certificate(tls->ssl);
STACK_OF(X509) *chain = SSL_get_peer_cert_chain(tls->ssl);
int n_certs = sk_X509_num(chain);
if (n_certs > 1 || (n_certs == 1 && cert != sk_X509_value(chain, 0)))
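Review bot: The `XXXX020 refcnt?` question this hunk deletes from the `SSL_get_peer_certificate` line has a real answer that the hunk does not act on: unlike `SSL_get_peer_cert_chain`, `SSL_get_peer_certificate` returns a new reference that the caller owns, so `cert` leaks once per v2 handshake unless it is released after the comparison on the last line. The deleted helper further down this same commit shows the pattern the project already uses for this call (`X509 *cert_tmp = SSL_get_peer_certificate(tls->ssl); ... X509_free(cert_tmp);`), so the fix is one line after the `n_certs` check: `if (cert) X509_free(cert);` (or unconditionally, since `X509_free(NULL)` is a no-op in OpenSSL). If the free is done further down in tor_tls_handshake, a comment such as `/* SSL_get_peer_certificate() bumps the refcount; released below. */` in place of the removed XXXX would keep the ownership visible. tor_tls_handshake's body begins and ends outside this hunk, so I cannot confirm from here whether a later path already frees it.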
@@ -1198,111 +1198,6 @@ tor_tls_verify_v1(int severity, tor_tls_t *tls, crypto_pk_env_t **identity_key)
return r;
}
-#if 0
-/** DOCDOC
- *
- * Returns 1 on "verification is done", 0 on "still need LINK_AUTH."
- */
-int
-tor_tls_verify_certs_v2(int severity, tor_tls_t *tls,
- const char *cert_str, size_t cert_len,
- const char *id_cert_str, size_t id_cert_len,
- crypto_pk_env_t **cert_key_out,
- char *conn_cert_digest_out,
- crypto_pk_env_t **id_key_out,
- char *id_digest_out)
-{
- X509 *cert = NULL, *id_cert = NULL;
- EVP_PKEY *id_pkey = NULL, *cert_pkey = NULL;
- int free_id_cert = 0, peer_used_tls_cert = 0;
- int r = -1;
-
- tor_assert(cert_key_out);
- tor_assert(conn_cert_digest_out);
- tor_assert(id_key_out);
- tor_assert(id_digest_out);
-
- *cert_key_out = NULL;
-
- if (cert_str && cert_len) {
- /*XXXX020 warn on error. */
- const unsigned char *cp = (const unsigned char*) cert_str;
- cert = d2i_X509(NULL, &cp, cert_len);
- }
- if (id_cert_str && id_cert_len) {
- /*XXXX020 warn on error. */
- const unsigned char *cp = (const unsigned char*) id_cert_str;
- id_cert = d2i_X509(NULL, &cp, id_cert_len);
- if (id_cert)
- free_id_cert = 1;
- }
-
- if (cert) {
- int cmp = 0;
- X509 *cert_tmp = SSL_get_peer_certificate(tls->ssl);
- if (cert_tmp) {
- peer_used_tls_cert = 1;
- cmp = X509_cmp(cert, cert_tmp);
- X509_free(cert_tmp);
- }
- if (cmp != 0) {
- log_fn(severity, LD_PROTOCOL,
- "Certificate in CERT cell didn't match TLS cert.");
- goto done;
- }
- }
-
- if (!cert || !id_cert) {
- X509 *c=NULL, *id=NULL;
- try_to_extract_certs_from_tls(severity, tls, &c, &id);
- if (c) {
- if (!cert)
- cert = c;
- else
- X509_free(c);
- }
- if (id && !id_cert)
- id_cert = id;
- }
- if (!id_cert || !cert)
- goto done;
-
- if (!(id_pkey = X509_get_pubkey(id_cert)) ||
- X509_verify(cert, id_pkey) <= 0) {
- log_fn(severity,LD_PROTOCOL,"X509_verify on cert and pkey returned <= 0");
- tls_log_errors(severity,"verifying certificate");
- goto done;
- }
-
- if (!(*id_key_out = _crypto_new_pk_env_evp_pkey(id_pkey)))
- goto done;
- crypto_pk_get_digest(*id_key_out, id_digest_out);
- if (!(cert_pkey = X509_get_pubkey(cert)))
- goto done;
- if (!(*cert_key_out = _crypto_new_pk_env_evp_pkey(cert_pkey)))
- goto done;
-
- {
- unsigned int len = 0;
- X509_digest(cert, EVP_sha1(), (unsigned char*)conn_cert_digest_out, &len);
- tor_assert(len == DIGEST_LEN);
- }
-
- r = peer_used_tls_cert ? 1 : 0;
- done:
- if (cert)
- X509_free(cert);
- if (id_cert && free_id_cert)
- X509_free(id_cert);
- if (id_pkey)
- EVP_PKEY_free(id_pkey);
- if (cert_pkey)
- EVP_PKEY_free(cert_pkey);
-
- return r;
-}
-#endif
-
/** Check whether the certificate set on the connection <b>tls</b> is
* expired or not-yet-valid, give or take <b>tolerance</b>
* seconds. Return 0 for valid, -1 for failure.