diff options
| author | Nick Mathewson <nickm@torproject.org> | 2007-11-06 18:00:07 +0000 |
|---|---|---|
| committer | Nick Mathewson <nickm@torproject.org> | 2007-11-06 18:00:07 +0000 |
| commit | e047f7f8652d9c67ed96d4ff6f02fa7e23333c54 (patch) | |
| tree | 1108bb0903409319cd8d49057b6f9c31d7bb7a95 /src/or/command.c | |
| parent | af60d79f5deee3e6b264049dfa8512f381a8cbc6 (diff) | |
| download | tor-e047f7f8652d9c67ed96d4ff6f02fa7e23333c54.tar.gz tor-e047f7f8652d9c67ed96d4ff6f02fa7e23333c54.zip | |
r16455@catbus: nickm | 2007-11-06 12:48:00 -0500
Parse CERT cells and act correctly when we get them.
svn:r12396
Diffstat (limited to 'src/or/command.c')
| -rw-r--r-- | src/or/command.c | 45 |
1 files changed, 31 insertions, 14 deletions
diff --git a/src/or/command.c b/src/or/command.c index 834d47e871..8e8aa4abdc 100644 --- a/src/or/command.c +++ b/src/or/command.c @@ -608,9 +608,10 @@ static void command_process_cert_cell(var_cell_t *cell, or_connection_t *conn) { int n_certs = 0; - uint16_t conn_cert_len, id_cert_len; + uint16_t conn_cert_len = 0, id_cert_len = 0; const char *conn_cert = NULL, *id_cert = NULL; const char *cp, *end; + int authenticated = 0; /*XXXX020 log messages*/ if (conn->_base.state != OR_CONN_STATE_OR_HANDSHAKING) @@ -633,9 +634,11 @@ command_process_cert_cell(var_cell_t *cell, or_connection_t *conn) if (end-cp < len) goto err; if (n_certs == 0) { - conn_cert = cp; - conn_cert_len = len; + id_cert = cp; + id_cert_len = len; } else if (n_certs == 1) { + conn_cert = id_cert; + conn_cert_len = id_cert_len; id_cert = cp; id_cert_len = len; } else { @@ -646,20 +649,34 @@ command_process_cert_cell(var_cell_t *cell, or_connection_t *conn) } /* Now we have 0, 1, or 2 certs. */ - - - /* Verify that identity cert has signed peer cert in SSL, or - * peer cert in the cell. */ - /* Verify that identity cert is self-signed. */ - /* Learn ID digest. */ - /* Learn cert digests. */ - /* Remember peer cert public key. */ - /* set received_certs. */ + if (n_certs == 0) { + /* The other side is unauthenticated. */ + } else { + int r; + r = tor_tls_verify_certs_v2(LOG_PROTOCOL_WARN, conn->tls, + conn_cert, conn_cert_len, + id_cert, id_cert_len, + &conn->handshake_state->signing_key, + (conn->handshake_state->started_here ? + conn->handshake_state->server_cert_digest : + conn->handshake_state->client_cert_digest), + conn->handshake_state->cert_id_digest); + if (r < 0) + goto err; + if (r == 1) + authenticated = 1; + } conn->handshake_state->received_certs = 1; + if (authenticated) { + /* XXXX020 make the connection open. */ + } + if (! conn->handshake_state->signing_key) + goto err; + return; err: - ; + /*XXXX020 close the connection */; } #define LINK_AUTH_STRING "Tor initiator certificate verification" @@ -732,7 +749,7 @@ command_process_link_auth_cell(cell_t *cell, or_connection_t *conn) /* Okay, we're authenticated. */ s->authenticated = 1; - /* XXXX020 act on being authenticated: */ + /* XXXX020 act on being authenticated: Open the connection. */ return; err: |