summaryrefslogtreecommitdiff
path: root/src/or
diff options
context:
space:
mode:
authorNick Mathewson <nickm@torproject.org>2015-05-21 13:43:34 -0400
committerNick Mathewson <nickm@torproject.org>2016-11-03 08:37:21 -0400
commite23389841c7797615b09ee6457e841b4ed13ea75 (patch)
tree5303cc276c4888567b883f3fec70209a2b5de2fa /src/or
parent4ef42e7c529a95b69d3e830e115e5d0453d38dfb (diff)
downloadtor-e23389841c7797615b09ee6457e841b4ed13ea75.tar.gz
tor-e23389841c7797615b09ee6457e841b4ed13ea75.zip
Migrate certificates into a sub-structure of or_handshake_state
This will help us do cert-checking in the background in the future, perhaps.
Diffstat (limited to 'src/or')
-rw-r--r--src/or/channeltls.c16
-rw-r--r--src/or/connection_or.c10
-rw-r--r--src/or/or.h19
-rw-r--r--src/or/torcert.c20
-rw-r--r--src/or/torcert.h3
5 files changed, 46 insertions, 22 deletions
diff --git a/src/or/channeltls.c b/src/or/channeltls.c
index 9e92aadfb1..fbe784c77c 100644
--- a/src/or/channeltls.c
+++ b/src/or/channeltls.c
@@ -1947,7 +1947,7 @@ channel_tls_process_certs_cell(var_cell_t *cell, channel_tls_t *chan)
"Got some good certificates from %s:%d: Authenticated it.",
safe_str(chan->conn->base_.address), chan->conn->base_.port);
- chan->conn->handshake_state->id_cert = id_cert;
+ chan->conn->handshake_state->certs->id_cert = id_cert;
x509_certs[OR_CERT_TYPE_ID_1024] = NULL;
if (!public_server_mode(get_options())) {
@@ -1973,8 +1973,8 @@ channel_tls_process_certs_cell(var_cell_t *cell, channel_tls_t *chan)
chan->conn->base_.port);
/* XXXX check more stuff? */
- chan->conn->handshake_state->id_cert = id_cert;
- chan->conn->handshake_state->auth_cert = auth_cert;
+ chan->conn->handshake_state->certs->id_cert = id_cert;
+ chan->conn->handshake_state->certs->auth_cert = auth_cert;
x509_certs[OR_CERT_TYPE_ID_1024] = x509_certs[OR_CERT_TYPE_AUTH_1024]
= NULL;
}
@@ -2147,9 +2147,9 @@ channel_tls_process_authenticate_cell(var_cell_t *cell, channel_tls_t *chan)
}
if (!(chan->conn->handshake_state->received_certs_cell))
ERR("We never got a certs cell");
- if (chan->conn->handshake_state->auth_cert == NULL)
+ if (chan->conn->handshake_state->certs->auth_cert == NULL)
ERR("We never got an authentication certificate");
- if (chan->conn->handshake_state->id_cert == NULL)
+ if (chan->conn->handshake_state->certs->id_cert == NULL)
ERR("We never got an identity certificate");
if (cell->payload_len < 4)
ERR("Cell was way too short");
@@ -2195,7 +2195,7 @@ channel_tls_process_authenticate_cell(var_cell_t *cell, channel_tls_t *chan)
{
crypto_pk_t *pk = tor_tls_cert_get_key(
- chan->conn->handshake_state->auth_cert);
+ chan->conn->handshake_state->certs->auth_cert);
char d[DIGEST256_LEN];
char *signed_data;
size_t keysize;
@@ -2234,9 +2234,9 @@ channel_tls_process_authenticate_cell(var_cell_t *cell, channel_tls_t *chan)
chan->conn->handshake_state->digest_received_data = 0;
{
crypto_pk_t *identity_rcvd =
- tor_tls_cert_get_key(chan->conn->handshake_state->id_cert);
+ tor_tls_cert_get_key(chan->conn->handshake_state->certs->id_cert);
const common_digests_t *id_digests =
- tor_x509_cert_get_id_digests(chan->conn->handshake_state->id_cert);
+ tor_x509_cert_get_id_digests(chan->conn->handshake_state->certs->id_cert);
/* This must exist; we checked key type when reading the cert. */
tor_assert(id_digests);
diff --git a/src/or/connection_or.c b/src/or/connection_or.c
index ed91595504..5a9c597772 100644
--- a/src/or/connection_or.c
+++ b/src/or/connection_or.c
@@ -1764,6 +1764,7 @@ connection_init_or_handshake_state(or_connection_t *conn, int started_here)
s->started_here = started_here ? 1 : 0;
s->digest_sent_data = 1;
s->digest_received_data = 1;
+ s->certs = or_handshake_certs_new();
return 0;
}
@@ -1775,8 +1776,7 @@ or_handshake_state_free(or_handshake_state_t *state)
return;
crypto_digest_free(state->digest_sent);
crypto_digest_free(state->digest_received);
- tor_x509_cert_free(state->auth_cert);
- tor_x509_cert_free(state->id_cert);
+ or_handshake_certs_free(state->certs);
memwipe(state, 0xBE, sizeof(or_handshake_state_t));
tor_free(state);
}
@@ -2356,7 +2356,7 @@ connection_or_compute_authenticate_cell_body(or_connection_t *conn,
goto err;
my_digests = tor_x509_cert_get_id_digests(id_cert);
their_digests =
- tor_x509_cert_get_id_digests(conn->handshake_state->id_cert);
+ tor_x509_cert_get_id_digests(conn->handshake_state->certs->id_cert);
tor_assert(my_digests);
tor_assert(their_digests);
my_id = (uint8_t*)my_digests->d[DIGEST_SHA256];
@@ -2374,10 +2374,10 @@ connection_or_compute_authenticate_cell_body(or_connection_t *conn,
if (is_ed) {
const ed25519_public_key_t *my_ed_id, *their_ed_id;
- if (!conn->handshake_state->ed_id_sign_cert)
+ if (!conn->handshake_state->certs->ed_id_sign_cert)
goto err;
my_ed_id = get_master_identity_key();
- their_ed_id = &conn->handshake_state->ed_id_sign_cert->signing_key;
+ their_ed_id = &conn->handshake_state->certs->ed_id_sign_cert->signing_key;
const uint8_t *cid_ed = (server ? their_ed_id : my_ed_id)->pubkey;
const uint8_t *sid_ed = (server ? my_ed_id : their_ed_id)->pubkey;
diff --git a/src/or/or.h b/src/or/or.h
index 9e9b1bf3a6..cdde448bc9 100644
--- a/src/or/or.h
+++ b/src/or/or.h
@@ -1386,6 +1386,15 @@ typedef struct listener_connection_t {
* signs. */
#define V3_AUTH_BODY_LEN (V3_AUTH_FIXED_PART_LEN + 8 + 16)
+typedef struct or_handshake_certs_t {
+ /** The cert for the key that's supposed to sign the AUTHENTICATE cell */
+ tor_x509_cert_t *auth_cert;
+ /** A self-signed identity certificate */
+ tor_x509_cert_t *id_cert;
+ /** DOCDOC */
+ struct tor_cert_st *ed_id_sign_cert;
+} or_handshake_certs_t;
+
/** Stores flags and information related to the portion of a v2/v3 Tor OR
* connection handshake that happens after the TLS handshake is finished.
*/
@@ -1438,16 +1447,8 @@ typedef struct or_handshake_state_t {
/** Certificates that a connection initiator sent us in a CERTS cell; we're
* holding on to them until we get an AUTHENTICATE cell.
- *
- * @{
*/
- /** The cert for the key that's supposed to sign the AUTHENTICATE cell */
- tor_x509_cert_t *auth_cert;
- /** A self-signed identity certificate */
- tor_x509_cert_t *id_cert;
- /** DOCDOC */
- struct tor_cert_st *ed_id_sign_cert;
- /**@}*/
+ or_handshake_certs_t *certs;
} or_handshake_state_t;
/** Length of Extended ORPort connection identifier. */
diff --git a/src/or/torcert.c b/src/or/torcert.c
index a6a33c675a..e8bee54d52 100644
--- a/src/or/torcert.c
+++ b/src/or/torcert.c
@@ -8,6 +8,7 @@
* protocol.
*/
+#include "or.h"
#include "crypto.h"
#include "torcert.h"
#include "ed25519_cert.h"
@@ -295,3 +296,22 @@ tor_make_rsa_ed25519_crosscert(const ed25519_public_key_t *ed_key,
return sz;
}
+or_handshake_certs_t *
+or_handshake_certs_new(void)
+{
+ return tor_malloc_zero(sizeof(or_handshake_certs_t));
+}
+
+/** DODCDOC */
+void
+or_handshake_certs_free(or_handshake_certs_t *certs)
+{
+ if (!certs)
+ return;
+
+ tor_x509_cert_free(certs->auth_cert);
+ tor_x509_cert_free(certs->id_cert);
+
+ memwipe(certs, 0xBD, sizeof(*certs));
+ tor_free(certs);
+}
diff --git a/src/or/torcert.h b/src/or/torcert.h
index 9c819c0abb..3f81fcdd81 100644
--- a/src/or/torcert.h
+++ b/src/or/torcert.h
@@ -72,5 +72,8 @@ ssize_t tor_make_rsa_ed25519_crosscert(const ed25519_public_key_t *ed_key,
time_t expires,
uint8_t **cert);
+or_handshake_certs_t *or_handshake_certs_new(void);
+void or_handshake_certs_free(or_handshake_certs_t *certs);
+
#endif