diff options
author | Nick Mathewson <nickm@torproject.org> | 2003-09-10 00:47:39 +0000 |
---|---|---|
committer | Nick Mathewson <nickm@torproject.org> | 2003-09-10 00:47:39 +0000 |
commit | e22b2718955ef0409c63a82a506193d1a63b090d (patch) | |
tree | ba09777974dd5173ad3e97bf01b01fe035b2c838 /src/common/tortls.c | |
parent | 9955b265ab77c712861f33411e521c9761184226 (diff) | |
download | tor-e22b2718955ef0409c63a82a506193d1a63b090d.tar.gz tor-e22b2718955ef0409c63a82a506193d1a63b090d.zip |
Add certificate verification functions
svn:r438
Diffstat (limited to 'src/common/tortls.c')
-rw-r--r-- | src/common/tortls.c | 69 |
1 files changed, 65 insertions, 4 deletions
diff --git a/src/common/tortls.c b/src/common/tortls.c index 5eeadbb391..14424986c5 100644 --- a/src/common/tortls.c +++ b/src/common/tortls.c @@ -38,6 +38,11 @@ static tor_tls_context *global_tls_context=NULL; #define _TOR_TLS_SYSCALL -6 #define _TOR_TLS_ZERORETURN -5 + +/* These functions are declared in crypto.c but not exported. */ +RSA *_crypto_pk_env_get_rsa(crypto_pk_env_t *env); +crypto_pk_env_t *_crypto_new_pk_env_rsa(RSA *rsa); + static int tor_tls_get_error(tor_tls *tls, int r, int extra) { @@ -83,8 +88,8 @@ tor_tls_write_certificate(char *certfile, crypto_pk_env_t *rsa, char *nickname) start_time = time(NULL); - assert(rsa && rsa->type == CRYPTO_PK_RSA); - if (!(_rsa = RSAPrivateKey_dup((RSA*)rsa->key))) + assert(rsa); + if (!(_rsa = RSAPrivateKey_dup(_crypto_pk_env_get_rsa(rsa)))) /* XXX we have a crypto_pk_dup_key(), it's a shame we can't use it here */ return -1; if (!(pkey = EVP_PKEY_new())) @@ -144,7 +149,6 @@ tor_tls_context_new(char *certfile, crypto_pk_env_t *rsa, int isServer) EVP_PKEY *pkey = NULL; tor_tls_context *result; - assert(!rsa || rsa->type == CRYPTO_PK_RSA); assert((certfile && rsa) || (!certfile && !rsa)); result = tor_malloc(sizeof(tor_tls_context)); @@ -159,7 +163,7 @@ tor_tls_context_new(char *certfile, crypto_pk_env_t *rsa, int isServer) return -1; SSL_CTX_set_session_cache_mode(result->ctx, SSL_SESS_CACHE_OFF); if (rsa) { - if (!(_rsa = RSAPrivateKey_dup((RSA*)rsa->key))) + if (!(_rsa = RSAPrivateKey_dup(_crypto_pk_env_get_rsa(rsa)))) return -1; if (!(pkey = EVP_PKEY_new())) return -1; @@ -329,3 +333,60 @@ tor_tls_shutdown(tor_tls *tls) } } +/* Return true iff this TLS connection is authenticated. + */ +int +tor_tls_peer_has_cert(tor_tls *tls) +{ + X509 *cert; + if (!(cert = SSL_get_peer_certificate(tls->ssl))) + return 0; + X509_free(cert); + return 1; +} + +/* If the provided tls connection is authenticated and has a + * certificate that is currently valid and is correctly self-signed, + * return its public key. Otherwise return NULL. + */ +crypto_pk_env_t * +tor_tls_verify(tor_tls *tls) +{ + X509 *cert = NULL; + EVP_PKEY *pkey = NULL; + RSA *rsa = NULL; + time_t now; + crypto_pk_env_t *r = NULL; + if (!(cert = SSL_get_peer_certificate(tls->ssl))) + return 0; + + now = time(NULL); + if (X509_cmp_time(X509_get_notBefore(cert), &now) > 0) + goto done; + if (X509_cmp_time(X509_get_notAfter(cert), &now) < 0) + goto done; + + /* Get the public key. */ + if (!(pkey = X509_get_pubkey(cert))) + goto done; + if (X509_verify(cert, pkey) <= 0) + goto done; + + rsa = EVP_PKEY_get1_RSA(pkey); + EVP_PKEY_free(pkey); + pkey = NULL; + if (!rsa) + goto done; + + r = _crypto_new_pk_env_rsa(rsa); + rsa = NULL; + + done: + if (cert) + X509_free(cert); + if (pkey) + EVP_PKEY_free(pkey); + if (rsa) + RSA_free(rsa); + return r; +} |