diff options
author | Nick Mathewson <nickm@torproject.org> | 2020-09-17 08:42:25 -0400 |
---|---|---|
committer | Nick Mathewson <nickm@torproject.org> | 2020-09-17 08:42:25 -0400 |
commit | 5d1d7afcd319e1dcdc046b2227a13e0cb2d80534 (patch) | |
tree | 7d866b87c8d8dfbb7a3fa3fec14302f3f902a58b /src/feature | |
parent | 22643272d24fdcd106887b792f2e36dc604029c0 (diff) | |
download | tor-5d1d7afcd319e1dcdc046b2227a13e0cb2d80534.tar.gz tor-5d1d7afcd319e1dcdc046b2227a13e0cb2d80534.zip |
Use the correct SIGNED_KEY_TYPE value for signing->link certs
Our code was using [01] as for the key type of signed->link certs,
which was incorrect. The value should be [03], to indicate that the
value as the SHA256 of an x.509 cert.
Fortunately, nothing cares about this value, so there shouldn't be
compatibility issues.
Fixes bug 40124; bugfix on 0.2.7.2-alpha.
Diffstat (limited to 'src/feature')
-rw-r--r-- | src/feature/nodelist/torcert.c | 10 | ||||
-rw-r--r-- | src/feature/nodelist/torcert.h | 10 | ||||
-rw-r--r-- | src/feature/relay/routerkeys.c | 8 |
3 files changed, 17 insertions, 11 deletions
diff --git a/src/feature/nodelist/torcert.c b/src/feature/nodelist/torcert.c index 603b8bf086..dc36626122 100644 --- a/src/feature/nodelist/torcert.c +++ b/src/feature/nodelist/torcert.c @@ -37,11 +37,11 @@ #include "core/or/or_handshake_certs_st.h" -/** Helper for tor_cert_create_*(): signs any 32 bytes, not just an ed25519 - * key. +/** As tor_cert_create(), but accept an arbitrary signed_key_type as the + * subject key -- not just an ed25519 key. */ -static tor_cert_t * -tor_cert_sign_impl(const ed25519_keypair_t *signing_key, +tor_cert_t * +tor_cert_create_raw(const ed25519_keypair_t *signing_key, uint8_t cert_type, uint8_t signed_key_type, const uint8_t signed_key_info[32], @@ -134,7 +134,7 @@ tor_cert_create_ed25519(const ed25519_keypair_t *signing_key, time_t now, time_t lifetime, uint32_t flags) { - return tor_cert_sign_impl(signing_key, cert_type, + return tor_cert_create_raw(signing_key, cert_type, SIGNED_KEY_TYPE_ED25519, signed_key->pubkey, now, lifetime, flags); } diff --git a/src/feature/nodelist/torcert.h b/src/feature/nodelist/torcert.h index d3b3b6a57b..3314ee2550 100644 --- a/src/feature/nodelist/torcert.h +++ b/src/feature/nodelist/torcert.h @@ -11,7 +11,9 @@ #include "lib/crypt_ops/crypto_ed25519.h" -#define SIGNED_KEY_TYPE_ED25519 0x01 +#define SIGNED_KEY_TYPE_ED25519 0x01 +#define SIGNED_KEY_TYPE_SHA256_OF_RSA 0x02 +#define SIGNED_KEY_TYPE_SHA256_OF_X509 0x03 #define CERT_TYPE_ID_SIGNING 0x04 #define CERT_TYPE_SIGNING_LINK 0x05 @@ -61,6 +63,12 @@ tor_cert_t *tor_cert_create_ed25519(const ed25519_keypair_t *signing_key, const ed25519_public_key_t *signed_key, time_t now, time_t lifetime, uint32_t flags); +tor_cert_t * tor_cert_create_raw(const ed25519_keypair_t *signing_key, + uint8_t cert_type, + uint8_t signed_key_type, + const uint8_t signed_key_info[32], + time_t now, time_t lifetime, + uint32_t flags); tor_cert_t *tor_cert_parse(const uint8_t *cert, size_t certlen); diff --git a/src/feature/relay/routerkeys.c b/src/feature/relay/routerkeys.c index c7adf5b977..116f0b4e3d 100644 --- a/src/feature/relay/routerkeys.c +++ b/src/feature/relay/routerkeys.c @@ -387,12 +387,10 @@ generate_ed_link_cert(const or_options_t *options, time_t now, return 0; } - ed25519_public_key_t dummy_key; - memcpy(dummy_key.pubkey, digests->d[DIGEST_SHA256], DIGEST256_LEN); - - link_cert = tor_cert_create_ed25519(get_master_signing_keypair(), + link_cert = tor_cert_create_raw(get_master_signing_keypair(), CERT_TYPE_SIGNING_LINK, - &dummy_key, + SIGNED_KEY_TYPE_SHA256_OF_X509, + (const uint8_t*)digests->d[DIGEST_SHA256], now, options->TestingLinkCertLifetime, 0); |