diff options
| author | Sebastian Hahn <sebastian@torproject.org> | 2011-10-27 00:15:25 +0200 |
|---|---|---|
| committer | Sebastian Hahn <sebastian@torproject.org> | 2011-10-27 00:38:45 +0200 |
| commit | 2dec6597af4014eb731d8caac55a8a87964ce371 (patch) | |
| tree | bb2b9020ab2d67f46a619026530c57ec607c07bb /src/common | |
| parent | 2c4e89b86703f188f45f9edfc0fd3e4bbeac3511 (diff) | |
| parent | 4684ced1b3fced0543fa65bf01f75c5d81eaf464 (diff) | |
| download | tor-2dec6597af4014eb731d8caac55a8a87964ce371.tar.gz tor-2dec6597af4014eb731d8caac55a8a87964ce371.zip | |
Merge branch 'maint-0.2.2_secfix' into master_secfix
Conflicts:
src/common/tortls.c
src/or/connection_or.c
src/or/dirserv.c
src/or/or.h
Diffstat (limited to 'src/common')
| -rw-r--r-- | src/common/tortls.c | 119 |
1 files changed, 67 insertions, 52 deletions
diff --git a/src/common/tortls.c b/src/common/tortls.c index a8b60850b4..7aaa4e0894 100644 --- a/src/common/tortls.c +++ b/src/common/tortls.c @@ -207,9 +207,11 @@ static X509* tor_tls_create_certificate(crypto_pk_env_t *rsa, static int tor_tls_context_init_one(tor_tls_context_t **ppcontext, crypto_pk_env_t *identity, - unsigned int key_lifetime); + unsigned int key_lifetime, + int is_client); static tor_tls_context_t *tor_tls_context_new(crypto_pk_env_t *identity, - unsigned int key_lifetime); + unsigned int key_lifetime, + int is_client); static int check_cert_lifetime_internal(const X509 *cert, int tolerance); /** Global TLS contexts. We keep them here because nobody else needs @@ -1017,7 +1019,7 @@ tor_tls_context_init(int is_public_server, rv1 = tor_tls_context_init_one(&server_tls_context, server_identity, - key_lifetime); + key_lifetime, 0); if (rv1 >= 0) { new_ctx = server_tls_context; @@ -1033,7 +1035,8 @@ tor_tls_context_init(int is_public_server, if (server_identity != NULL) { rv1 = tor_tls_context_init_one(&server_tls_context, server_identity, - key_lifetime); + key_lifetime, + 0); } else { tor_tls_context_t *old_ctx = server_tls_context; server_tls_context = NULL; @@ -1045,7 +1048,8 @@ tor_tls_context_init(int is_public_server, rv2 = tor_tls_context_init_one(&client_tls_context, client_identity, - key_lifetime); + key_lifetime, + 1); } return MIN(rv1, rv2); @@ -1060,10 +1064,12 @@ tor_tls_context_init(int is_public_server, static int tor_tls_context_init_one(tor_tls_context_t **ppcontext, crypto_pk_env_t *identity, - unsigned int key_lifetime) + unsigned int key_lifetime, + int is_client) { tor_tls_context_t *new_ctx = tor_tls_context_new(identity, - key_lifetime); + key_lifetime, + is_client); tor_tls_context_t *old_ctx = *ppcontext; if (new_ctx != NULL) { @@ -1085,7 +1091,8 @@ tor_tls_context_init_one(tor_tls_context_t **ppcontext, * certificate. */ static tor_tls_context_t * -tor_tls_context_new(crypto_pk_env_t *identity, unsigned int key_lifetime) +tor_tls_context_new(crypto_pk_env_t *identity, unsigned int key_lifetime, + int is_client) { crypto_pk_env_t *rsa = NULL, *rsa_auth = NULL; EVP_PKEY *pkey = NULL; @@ -1106,35 +1113,39 @@ tor_tls_context_new(crypto_pk_env_t *identity, unsigned int key_lifetime) goto error; if (crypto_pk_generate_key(rsa)<0) goto error; - /* Generate short-term RSA key for use in the in-protocol ("v3") - * authentication handshake. */ - if (!(rsa_auth = crypto_new_pk_env())) - goto error; - if (crypto_pk_generate_key(rsa_auth)<0) - goto error; - /* Create a link certificate signed by identity key. */ - cert = tor_tls_create_certificate(rsa, identity, nickname, nn2, - key_lifetime); - /* Create self-signed certificate for identity key. */ - idcert = tor_tls_create_certificate(identity, identity, nn2, nn2, - IDENTITY_CERT_LIFETIME); - /* Create an authentication certificate signed by identity key. */ - authcert = tor_tls_create_certificate(rsa_auth, identity, nickname, nn2, - key_lifetime); - if (!cert || !idcert || !authcert) { - log(LOG_WARN, LD_CRYPTO, "Error creating certificate"); - goto error; + if (!is_client) { + /* Generate short-term RSA key for use in the in-protocol ("v3") + * authentication handshake. */ + if (!(rsa_auth = crypto_new_pk_env())) + goto error; + if (crypto_pk_generate_key(rsa_auth)<0) + goto error; + /* Create a link certificate signed by identity key. */ + cert = tor_tls_create_certificate(rsa, identity, nickname, nn2, + key_lifetime); + /* Create self-signed certificate for identity key. */ + idcert = tor_tls_create_certificate(identity, identity, nn2, nn2, + IDENTITY_CERT_LIFETIME); + /* Create an authentication certificate signed by identity key. */ + authcert = tor_tls_create_certificate(rsa_auth, identity, nickname, nn2, + key_lifetime); + if (!cert || !idcert || !authcert) { + log(LOG_WARN, LD_CRYPTO, "Error creating certificate"); + goto error; + } } result = tor_malloc_zero(sizeof(tor_tls_context_t)); result->refcnt = 1; - result->my_link_cert = tor_cert_new(X509_dup(cert)); - result->my_id_cert = tor_cert_new(X509_dup(idcert)); - result->my_auth_cert = tor_cert_new(X509_dup(authcert)); - if (!result->my_link_cert || !result->my_id_cert || !result->my_auth_cert) - goto error; - result->link_key = crypto_pk_dup_key(rsa); - result->auth_key = crypto_pk_dup_key(rsa_auth); + if (!is_client) { + result->my_link_cert = tor_cert_new(X509_dup(cert)); + result->my_id_cert = tor_cert_new(X509_dup(idcert)); + result->my_auth_cert = tor_cert_new(X509_dup(authcert)); + if (!result->my_link_cert || !result->my_id_cert || !result->my_auth_cert) + goto error; + result->link_key = crypto_pk_dup_key(rsa); + result->auth_key = crypto_pk_dup_key(rsa_auth); + } #ifdef EVERYONE_HAS_AES /* Tell OpenSSL to only use TLS1 */ @@ -1166,27 +1177,31 @@ tor_tls_context_new(crypto_pk_env_t *identity, unsigned int key_lifetime) #ifdef SSL_MODE_RELEASE_BUFFERS SSL_CTX_set_mode(result->ctx, SSL_MODE_RELEASE_BUFFERS); #endif - if (cert && !SSL_CTX_use_certificate(result->ctx,cert)) - goto error; - X509_free(cert); /* We just added a reference to cert. */ - cert=NULL; - if (idcert) { - X509_STORE *s = SSL_CTX_get_cert_store(result->ctx); - tor_assert(s); - X509_STORE_add_cert(s, idcert); - X509_free(idcert); /* The context now owns the reference to idcert */ - idcert = NULL; + if (! is_client) { + if (cert && !SSL_CTX_use_certificate(result->ctx,cert)) + goto error; + X509_free(cert); /* We just added a reference to cert. */ + cert=NULL; + if (idcert) { + X509_STORE *s = SSL_CTX_get_cert_store(result->ctx); + tor_assert(s); + X509_STORE_add_cert(s, idcert); + X509_free(idcert); /* The context now owns the reference to idcert */ + idcert = NULL; + } } SSL_CTX_set_session_cache_mode(result->ctx, SSL_SESS_CACHE_OFF); - tor_assert(rsa); - if (!(pkey = _crypto_pk_env_get_evp_pkey(rsa,1))) - goto error; - if (!SSL_CTX_use_PrivateKey(result->ctx, pkey)) - goto error; - EVP_PKEY_free(pkey); - pkey = NULL; - if (!SSL_CTX_check_private_key(result->ctx)) - goto error; + if (!is_client) { + tor_assert(rsa); + if (!(pkey = _crypto_pk_env_get_evp_pkey(rsa,1))) + goto error; + if (!SSL_CTX_use_PrivateKey(result->ctx, pkey)) + goto error; + EVP_PKEY_free(pkey); + pkey = NULL; + if (!SSL_CTX_check_private_key(result->ctx)) + goto error; + } { crypto_dh_env_t *dh = crypto_dh_new(DH_TYPE_TLS); tor_assert(dh); |