diff options
| author | Nick Mathewson <nickm@torproject.org> | 2015-05-21 14:28:12 -0400 |
|---|---|---|
| committer | Nick Mathewson <nickm@torproject.org> | 2016-11-03 08:37:22 -0400 |
| commit | 348b90a915a5867bc0d8888e0fd12e8ec2319628 (patch) | |
| tree | 3c42aaa4ea9eef11eedfdcd62bf023628e2f9a85 /src/or/torcert.c | |
| parent | e94f1b4e0d4b31ed80e2eefb8700f2671817f561 (diff) | |
| download | tor-348b90a915a5867bc0d8888e0fd12e8ec2319628.tar.gz tor-348b90a915a5867bc0d8888e0fd12e8ec2319628.zip | |
Refactor RSA certificate checking into its own function.
Diffstat (limited to 'src/or/torcert.c')
| -rw-r--r-- | src/or/torcert.c | 47 |
1 files changed, 47 insertions, 0 deletions
diff --git a/src/or/torcert.c b/src/or/torcert.c index e8bee54d52..2f0cc5381f 100644 --- a/src/or/torcert.c +++ b/src/or/torcert.c @@ -9,6 +9,7 @@ */ #include "or.h" +#include "config.h" #include "crypto.h" #include "torcert.h" #include "ed25519_cert.h" @@ -315,3 +316,49 @@ or_handshake_certs_free(or_handshake_certs_t *certs) memwipe(certs, 0xBD, sizeof(*certs)); tor_free(certs); } + +#define ERR(s) \ + do { \ + log_fn(severity, LD_PROTOCOL, \ + "Received a bad CERTS cell: %s", \ + (s)); \ + return 0; \ + } while (0) + +int +or_handshake_certs_rsa_ok(int severity, + or_handshake_certs_t *certs, + tor_tls_t *tls) +{ + tor_x509_cert_t *link_cert = certs->link_cert; + tor_x509_cert_t *auth_cert = certs->auth_cert; + tor_x509_cert_t *id_cert = certs->id_cert; + + if (certs->started_here) { + if (! (id_cert && link_cert)) + ERR("The certs we wanted were missing"); + if (! tor_tls_cert_matches_key(tls, link_cert)) + ERR("The link certificate didn't match the TLS public key"); + if (! tor_tls_cert_is_valid(severity, link_cert, id_cert, 0)) + ERR("The link certificate was not valid"); + if (! tor_tls_cert_is_valid(severity, id_cert, id_cert, 1)) + ERR("The ID certificate was not valid"); + } else { + if (! (id_cert && auth_cert)) + ERR("The certs we wanted were missing"); + /* Remember these certificates so we can check an AUTHENTICATE cell */ + if (! tor_tls_cert_is_valid(LOG_PROTOCOL_WARN, auth_cert, id_cert, 1)) + ERR("The authentication certificate was not valid"); + if (! tor_tls_cert_is_valid(LOG_PROTOCOL_WARN, id_cert, id_cert, 1)) + ERR("The ID certificate was not valid"); + } + + return 1; +} + +int +or_handshake_certs_ed25519_ok(or_handshake_certs_t *certs) +{ + (void) certs; + return 0; +} |