summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
authorNick Mathewson <nickm@torproject.org>2016-08-30 11:04:44 -0400
committerNick Mathewson <nickm@torproject.org>2016-11-03 08:39:30 -0400
commite64bac6eb4a89ae63a2d5c1cb41cac903f1e8e66 (patch)
treed7e5af3ddb660e5d3cd5baf56563826ed63be9ad /src
parentb4a5c779014b35d60f4a2ddcec31e7075ad52995 (diff)
downloadtor-e64bac6eb4a89ae63a2d5c1cb41cac903f1e8e66.tar.gz
tor-e64bac6eb4a89ae63a2d5c1cb41cac903f1e8e66.zip
Increase TLS RSA link key length to 2048 bits
Oddly, nothing broke. Closes ticket 13752.
Diffstat (limited to 'src')
-rw-r--r--src/common/tortls.c8
-rw-r--r--src/test/test_link_handshake.c3
2 files changed, 7 insertions, 4 deletions
diff --git a/src/common/tortls.c b/src/common/tortls.c
index fd8698128b..33bd334a12 100644
--- a/src/common/tortls.c
+++ b/src/common/tortls.c
@@ -775,8 +775,8 @@ tor_tls_context_decref(tor_tls_context_t *ctx)
/** Set *<b>link_cert_out</b> and *<b>id_cert_out</b> to the link certificate
* and ID certificate that we're currently using for our V3 in-protocol
* handshake's certificate chain. If <b>server</b> is true, provide the certs
- * that we use in server mode; otherwise, provide the certs that we use in
- * client mode. */
+ * that we use in server mode (auth, ID); otherwise, provide the certs that we
+ * use in client mode. (link, ID) */
int
tor_tls_get_my_certs(int server,
const tor_x509_cert_t **link_cert_out,
@@ -1026,6 +1026,8 @@ tor_tls_context_init_one(tor_tls_context_t **ppcontext,
/** The group we should use for ecdhe when none was selected. */
#define NID_tor_default_ecdhe_group NID_X9_62_prime256v1
+#define RSA_LINK_KEY_BITS 2048
+
/** Create a new TLS context for use with Tor TLS handshakes.
* <b>identity</b> should be set to the identity key used to sign the
* certificate.
@@ -1051,7 +1053,7 @@ tor_tls_context_new(crypto_pk_t *identity, unsigned int key_lifetime,
/* Generate short-term RSA key for use with TLS. */
if (!(rsa = crypto_pk_new()))
goto error;
- if (crypto_pk_generate_key(rsa)<0)
+ if (crypto_pk_generate_key_with_bits(rsa, RSA_LINK_KEY_BITS)<0)
goto error;
if (!is_client) {
/* Generate short-term RSA key for use in the in-protocol ("v3")
diff --git a/src/test/test_link_handshake.c b/src/test/test_link_handshake.c
index 9a3b57d3a0..05c84000b1 100644
--- a/src/test/test_link_handshake.c
+++ b/src/test/test_link_handshake.c
@@ -258,7 +258,8 @@ recv_certs_setup(const struct testcase_t *test)
const tor_x509_cert_t *a,*b;
const uint8_t *enca, *encb;
size_t lena, lenb;
- tor_tls_get_my_certs(1, &a, &b);
+ tor_tls_get_my_certs(0, &a, &b); /* Use '0' here to make sure we get
+ * auth cert */
tor_x509_cert_get_der(a, &enca, &lena);
tor_x509_cert_get_der(b, &encb, &lenb);
certs_cell_cert_setlen_body(ccc1, lena);