author | Nick Mathewson <nickm@torproject.org> | 2004-07-21 00:44:04 +0000 |
---|---|---|
committer | Nick Mathewson <nickm@torproject.org> | 2004-07-21 00:44:04 +0000 |
commit | 334de84cbe47944b52b004f0a7e3c4125c8b732b (patch) | |
tree | d7c23fcdec965e096178abf945214914d4c6e4c7 /src/common | |
parent | 99926813b1a8b29f712f0e9ea3c8c3bfa0aba56b (diff) | |
download | tor-334de84cbe47944b52b004f0a7e3c4125c8b732b.tar.gz tor-334de84cbe47944b52b004f0a7e3c4125c8b732b.zip |
Misc small code cleanups; remove exit_server_mode(); change tor_tls_verify behavior
svn:r2073
Diffstat (limited to 'src/common')
-rw-r--r-- | src/common/tortls.c | 40 | ||||
-rw-r--r-- | src/common/tortls.h | 2 |
2 files changed, 33 insertions, 9 deletions
diff --git a/src/common/tortls.c b/src/common/tortls.c
index f2b8ae0394..c3ba4ae83c 100644
--- a/src/common/tortls.c
+++ b/src/common/tortls.c
@@ -602,19 +602,39 @@ tor_tls_get_peer_cert_nickname(tor_tls *tls, char *buf, int buflen)
 }
 /** If the provided tls connection is authenticated and has a
- * certificate that is currently valid and is correctly signed by
- * <b>identity_key</b>, return 0. Else, return -1.
+ * certificate that is currently valid and signed, then set
+ * *<b>identity_key</b> to the identity certificate's key and return
+ * 0. Else, return -1.
  */
 int
-tor_tls_verify(tor_tls *tls, crypto_pk_env_t *identity_key)
+tor_tls_verify(tor_tls *tls, crypto_pk_env_t **identity_key)
 {
-  X509 *cert = NULL;
+  X509 *cert = NULL, *id_cert = NULL;
+  STACK_OF(X509) *chain = NULL;
   EVP_PKEY *id_pkey = NULL;
+  RSA *rsa;
   time_t now, t;
-  int r = -1;
+  int r = -1, i;
+
+  *identity_key = NULL;
   if (!(cert = SSL_get_peer_certificate(tls->ssl)))
-    return -1;
+    goto done;
+  if (!(chain = SSL_get_peer_cert_chain(tls->ssl)))
+    goto done;
+  if (sk_X509_num(chain) != 2) {
+    log_fn(LOG_WARN,"Unexpected number of certificates in chain");
+    goto done;
+  }
+  for (i=0; i<2; ++i) {
+    id_cert = sk_X509_value(chain, i);
+    if (X509_cmp(id_cert, cert) != 0)
+      break;
+  }
+  if (!id_cert) {
+    log_fn(LOG_WARN,"No distinct identity certificate found");
+    goto done;
+  }
   now = time(NULL);
   t = now + CERT_ALLOW_SKEW;
@@ -628,14 +648,18 @@ tor_tls_verify(tor_tls *tls, crypto_pk_env_t *identity_key)
     goto done;
   }
-  /* Get the public key. */
-  if (!(id_pkey = _crypto_pk_env_get_evp_pkey(identity_key,0)) ||
+  if (!(id_pkey = X509_get_pubkey(id_cert)) ||
       X509_verify(cert, id_pkey) <= 0) {
     log_fn(LOG_WARN,"X509_verify on cert and pkey returned <= 0");
     tls_log_errors(LOG_WARN,"verifying certificate");
     goto done;
   }
+  rsa = EVP_PKEY_get1_RSA(id_pkey);
+  if (!rsa)
+    goto done;
+  *identity_key = _crypto_new_pk_env_rsa(rsa);
+
   r = 0;
  done:
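Review bot: The `if (!id_cert)` guard after the chain loop in the first hunk can never fire: once `sk_X509_num(chain) == 2` has been established, `sk_X509_value(chain, i)` yields a non-NULL entry for both indices, so when both chain entries compare equal to `cert` the loop simply leaves `id_cert` pointing at the second copy and the second hunk then verifies the link cert with its own public key instead of rejecting it. The intended rejection needs the comparison repeated after the loop, e.g. `if (!id_cert || X509_cmp(id_cert, cert) == 0) {`. The `sk_X509_num(chain) != 2` check also appears to assume the peer's leaf certificate is part of the stack; in OpenSSL the server side's SSL_get_peer_cert_chain() is documented as not including the peer's own certificate, so this may reject every inbound connection — worth confirming against the OpenSSL version in use. Note as well that the key handed back through `*identity_key` is whatever the peer placed in its chain and is not checked against any known identity here, so callers must compare it to the expected identity key themselves; the `done:` cleanup for `cert` and `id_pkey`, and the rest of tor_tls_verify's body, lie outside this hunk.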
diff --git a/src/common/tortls.h b/src/common/tortls.h
index f9ffb0edc0..02dbeb7a7d 100644
--- a/src/common/tortls.h
+++ b/src/common/tortls.h
@@ -28,7 +28,7 @@ tor_tls *tor_tls_new(int sock, int isServer);
 void tor_tls_free(tor_tls *tls);
 int tor_tls_peer_has_cert(tor_tls *tls);
 int tor_tls_get_peer_cert_nickname(tor_tls *tls, char *buf, int buflen);
-int tor_tls_verify(tor_tls *tls, crypto_pk_env_t *identity);
+int tor_tls_verify(tor_tls *tls, crypto_pk_env_t **identity);
 int tor_tls_read(tor_tls *tls, char *cp, int len);
 int tor_tls_write(tor_tls *tls, char *cp, int n);
 int tor_tls_handshake(tor_tls *tls);