aboutsummaryrefslogtreecommitdiff
path: root/src/common
diff options
context:
space:
mode:
authorNick Mathewson <nickm@torproject.org>2008-02-08 21:13:12 +0000
committerNick Mathewson <nickm@torproject.org>2008-02-08 21:13:12 +0000
commitde827f89df460e5920239a14addd1dd264b76bb5 (patch)
tree9e3dd40f12b8c6847c433fcfb53080bd5b00ac26 /src/common
parent809227a121136d4c48ea09ad96aef5ecb9eb15eb (diff)
downloadtor-de827f89df460e5920239a14addd1dd264b76bb5.tar.gz
tor-de827f89df460e5920239a14addd1dd264b76bb5.zip
r14062@tombo: nickm | 2008-02-08 15:17:07 -0500
Change DNs in x509 certificates to be harder to fingerprint. Raise common code. Refactor random hostname generation into crypto.c svn:r13429
Diffstat (limited to 'src/common')
-rw-r--r--src/common/crypto.c31
-rw-r--r--src/common/crypto.h3
-rw-r--r--src/common/tortls.c57
-rw-r--r--src/common/tortls.h3
4 files changed, 64 insertions, 30 deletions
diff --git a/src/common/crypto.c b/src/common/crypto.c
index 6f640b2843..01e32524c6 100644
--- a/src/common/crypto.c
+++ b/src/common/crypto.c
@@ -1768,6 +1768,37 @@ crypto_rand_uint64(uint64_t max)
}
}
+/** Generate and return a new random hostname starting with prefix, ending
+ * with suffix, and containing between min_rand_len and max_rand_len random
+ * base32 characters between. */
+char *
+crypto_random_hostname(int min_rand_len, int max_rand_len, const char *prefix,
+ const char *suffix)
+{
+ char *result, *rand_bytes;
+ int randlen, resultlen, rand_bytes_len, prefixlen;
+
+ tor_assert(max_rand_len >= min_rand_len);
+ randlen = min_rand_len + crypto_rand_int(max_rand_len - min_rand_len + 1);
+ prefixlen = strlen(prefix);
+ resultlen = prefixlen + strlen(suffix) + randlen + 16;
+
+ rand_bytes_len = ((randlen*5)+7)/8;
+ if (rand_bytes_len % 5)
+ rand_bytes_len += 5 - (rand_bytes_len%5);
+ rand_bytes = tor_malloc(rand_bytes_len);
+ crypto_rand(rand_bytes, rand_bytes_len);
+
+ result = tor_malloc(resultlen);
+ memcpy(result, prefix, prefixlen);
+ base32_encode(result+prefixlen, resultlen-prefixlen,
+ rand_bytes, rand_bytes_len);
+ tor_free(rand_bytes);
+ strlcpy(result+prefixlen+randlen, suffix, resultlen-(prefixlen+randlen));
+
+ return result;
+}
+
/** Return a randomly chosen element of sl; or NULL if sl is empty.
*/
void *
diff --git a/src/common/crypto.h b/src/common/crypto.h
index e02e3df323..aa5cf920c4 100644
--- a/src/common/crypto.h
+++ b/src/common/crypto.h
@@ -171,6 +171,9 @@ int crypto_rand(char *to, size_t n);
int crypto_rand_int(unsigned int max);
uint64_t crypto_rand_uint64(uint64_t max);
+char *crypto_random_hostname(int min_rand_len, int max_rand_len,
+ const char *prefix, const char *suffix);
+
struct smartlist_t;
void *smartlist_choose(const struct smartlist_t *sl);
void smartlist_shuffle(struct smartlist_t *sl);
diff --git a/src/common/tortls.c b/src/common/tortls.c
index 78c8bcaa27..eab3cac072 100644
--- a/src/common/tortls.c
+++ b/src/common/tortls.c
@@ -322,6 +322,24 @@ always_accept_verify_cb(int preverify_ok,
return 1;
}
+/** Return a newly allocated X509 name with commonName <b>cname</b> */
+static X509_NAME *
+tor_x509_name_new(const char *cname)
+{
+ int nid;
+ X509_NAME *name;
+ if (!(name = X509_NAME_new()))
+ return NULL;
+ if ((nid = OBJ_txt2nid("commonName")) == NID_undef) goto error;
+ if (!(X509_NAME_add_entry_by_NID(name, nid, MBSTRING_ASC,
+ (unsigned char*)cname, -1, -1, 0)))
+ goto error;
+ return name;
+ error:
+ X509_NAME_free(name);
+ return NULL;
+}
+
/** Generate and sign an X509 certificate with the public key <b>rsa</b>,
* signed by the private key <b>rsa_sign</b>. The commonName of the
* certificate will be <b>cname</b>; the commonName of the issuer will be
@@ -340,7 +358,6 @@ tor_tls_create_certificate(crypto_pk_env_t *rsa,
EVP_PKEY *sign_pkey = NULL, *pkey=NULL;
X509 *x509 = NULL;
X509_NAME *name = NULL, *name_issuer=NULL;
- int nid;
tor_tls_init();
@@ -361,30 +378,11 @@ tor_tls_create_certificate(crypto_pk_env_t *rsa,
if (!(ASN1_INTEGER_set(X509_get_serialNumber(x509), (long)start_time)))
goto error;
- if (!(name = X509_NAME_new()))
- goto error;
- if ((nid = OBJ_txt2nid("organizationName")) == NID_undef)
- goto error;
- if (!(X509_NAME_add_entry_by_NID(name, nid, MBSTRING_ASC,
- (unsigned char*)"t o r", -1, -1, 0)))
- goto error;
- if ((nid = OBJ_txt2nid("commonName")) == NID_undef) goto error;
- if (!(X509_NAME_add_entry_by_NID(name, nid, MBSTRING_ASC,
- (unsigned char*)cname, -1, -1, 0)))
+ if (!(name = tor_x509_name_new(cname)))
goto error;
if (!(X509_set_subject_name(x509, name)))
goto error;
-
- if (!(name_issuer = X509_NAME_new()))
- goto error;
- if ((nid = OBJ_txt2nid("organizationName")) == NID_undef)
- goto error;
- if (!(X509_NAME_add_entry_by_NID(name_issuer, nid, MBSTRING_ASC,
- (unsigned char*)"t o r", -1, -1, 0)))
- goto error;
- if ((nid = OBJ_txt2nid("commonName")) == NID_undef) goto error;
- if (!(X509_NAME_add_entry_by_NID(name_issuer, nid, MBSTRING_ASC,
- (unsigned char*)cname_sign, -1, -1, 0)))
+ if (!(name_issuer = tor_x509_name_new(cname_sign)))
goto error;
if (!(X509_set_issuer_name(x509, name_issuer)))
goto error;
@@ -509,20 +507,19 @@ tor_tls_context_incref(tor_tls_context_t *ctx)
* the new SSL context.
*/
int
-tor_tls_context_new(crypto_pk_env_t *identity, const char *nickname,
- unsigned int key_lifetime)
+tor_tls_context_new(crypto_pk_env_t *identity, unsigned int key_lifetime)
{
crypto_pk_env_t *rsa = NULL;
crypto_dh_env_t *dh = NULL;
EVP_PKEY *pkey = NULL;
tor_tls_context_t *result = NULL;
X509 *cert = NULL, *idcert = NULL;
- char nn2[128];
- if (!nickname)
- nickname = "null";
- tor_snprintf(nn2, sizeof(nn2), "%s <signing>", nickname);
+ char *nickname = NULL, *nn2 = NULL;
tor_tls_init();
+ nickname = crypto_random_hostname(8, 20, "www.", ".net");
+ nn2 = crypto_random_hostname(8, 20, "www.", ".net");
+ log_notice(LD_NET, "<%s> <%s>", nickname, nn2);
/* Generate short-term RSA key. */
if (!(rsa = crypto_new_pk_env()))
@@ -594,10 +591,14 @@ tor_tls_context_new(crypto_pk_env_t *identity, const char *nickname,
global_tls_context = result;
if (rsa)
crypto_free_pk_env(rsa);
+ tor_free(nickname);
+ tor_free(nn2);
return 0;
error:
tls_log_errors(LOG_WARN, "creating TLS context");
+ tor_free(nickname);
+ tor_free(nn2);
if (pkey)
EVP_PKEY_free(pkey);
if (rsa)
diff --git a/src/common/tortls.h b/src/common/tortls.h
index f18f7137d5..a41f4dfb27 100644
--- a/src/common/tortls.h
+++ b/src/common/tortls.h
@@ -47,8 +47,7 @@ typedef struct tor_tls_t tor_tls_t;
const char *tor_tls_err_to_string(int err);
void tor_tls_free_all(void);
-int tor_tls_context_new(crypto_pk_env_t *rsa,
- const char *nickname, unsigned int key_lifetime);
+int tor_tls_context_new(crypto_pk_env_t *rsa, unsigned int key_lifetime);
tor_tls_t *tor_tls_new(int sock, int is_server);
void tor_tls_set_renegotiate_callback(tor_tls_t *tls,
void (*cb)(tor_tls_t *, void *arg),