summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--src/lib/tls/x509.c79
-rw-r--r--src/lib/tls/x509.h2
-rw-r--r--src/lib/tls/x509_internal.h7
-rw-r--r--src/lib/tls/x509_nss.c35
-rw-r--r--src/lib/tls/x509_openssl.c82
-rw-r--r--src/test/test_link_handshake.c8
6 files changed, 127 insertions, 86 deletions
diff --git a/src/lib/tls/x509.c b/src/lib/tls/x509.c
index fc6139aceb..d2270f9108 100644
--- a/src/lib/tls/x509.c
+++ b/src/lib/tls/x509.c
@@ -14,6 +14,7 @@
#include "lib/tls/x509_internal.h"
#include "lib/log/util_bug.h"
#include "lib/crypt_ops/crypto_rand.h"
+#include "lib/crypt_ops/crypto_util.h"
/** Choose the start and end times for a certificate */
void
@@ -51,19 +52,6 @@ tor_tls_pick_certificate_lifetime(time_t now,
*end_time_out = end_time;
}
-/** Set *<b>encoded_out</b> and *<b>size_out</b> to <b>cert</b>'s encoded DER
- * representation and length, respectively. */
-void
-tor_x509_cert_get_der(const tor_x509_cert_t *cert,
- const uint8_t **encoded_out, size_t *size_out)
-{
- tor_assert(cert);
- tor_assert(encoded_out);
- tor_assert(size_out);
- *encoded_out = cert->encoded;
- *size_out = cert->encoded_len;
-}
-
/** Return the underlying implementation for <b>cert</b> */
const tor_x509_cert_impl_t *
tor_x509_cert_get_impl(const tor_x509_cert_t *cert)
@@ -90,3 +78,68 @@ tor_x509_cert_get_cert_digests(const tor_x509_cert_t *cert)
return &cert->cert_digests;
}
+/** Free all storage held in <b>cert</b> */
+void
+tor_x509_cert_free_(tor_x509_cert_t *cert)
+{
+ if (! cert)
+ return;
+ if (cert->cert)
+ tor_x509_cert_impl_free_(cert->cert);
+#ifdef ENABLE_OPENSSL
+ tor_free(cert->encoded);
+#endif
+ memwipe(cert, 0x03, sizeof(*cert));
+ /* LCOV_EXCL_BR_START since cert will never be NULL here */
+ tor_free(cert);
+ /* LCOV_EXCL_BR_STOP */
+}
+
+/**
+ * Allocate a new tor_x509_cert_t to hold the certificate "x509_cert".
+ *
+ * Steals a reference to x509_cert.
+ */
+MOCK_IMPL(tor_x509_cert_t *,
+tor_x509_cert_new,(tor_x509_cert_impl_t *x509_cert))
+{
+ tor_x509_cert_t *cert;
+
+ if (!x509_cert)
+ return NULL;
+
+ cert = tor_malloc_zero(sizeof(tor_x509_cert_t));
+ cert->cert = x509_cert;
+
+ if (tor_x509_cert_set_cached_der_encoding(cert) < 0)
+ goto err;
+
+ {
+ const uint8_t *encoded=NULL;
+ size_t encoded_len=0;
+ tor_x509_cert_get_der(cert, &encoded, &encoded_len);
+ tor_assert(encoded);
+ crypto_common_digests(&cert->cert_digests, (char *)encoded, encoded_len);
+ }
+
+ {
+ crypto_pk_t *pk = tor_tls_cert_get_key(cert);
+ if (pk) {
+ if (crypto_pk_get_common_digests(pk, &cert->pkey_digests) < 0) {
+ crypto_pk_free(pk);
+ goto err;
+ }
+ }
+ cert->pkey_digests_set = 1;
+ crypto_pk_free(pk);
+ }
+
+ return cert;
+ err:
+ /* LCOV_EXCL_START for the same reason as the exclusion above */
+ tor_free(cert);
+ log_err(LD_CRYPTO, "Couldn't wrap encoded X509 certificate.");
+ tor_x509_cert_impl_free_(x509_cert);
+ return NULL;
+ /* LCOV_EXCL_STOP */
+}
diff --git a/src/lib/tls/x509.h b/src/lib/tls/x509.h
index ccaa92184e..8316df75a3 100644
--- a/src/lib/tls/x509.h
+++ b/src/lib/tls/x509.h
@@ -27,8 +27,10 @@ typedef struct x509_st tor_x509_cert_impl_t;
/** Structure that we use for a single certificate. */
struct tor_x509_cert_t {
tor_x509_cert_impl_t *cert;
+#ifdef ENABLE_OPENSSL
uint8_t *encoded;
size_t encoded_len;
+#endif
unsigned pkey_digests_set : 1;
common_digests_t cert_digests;
common_digests_t pkey_digests;
diff --git a/src/lib/tls/x509_internal.h b/src/lib/tls/x509_internal.h
index 2cca393d21..86f5a0de59 100644
--- a/src/lib/tls/x509_internal.h
+++ b/src/lib/tls/x509_internal.h
@@ -25,4 +25,11 @@ MOCK_DECL(tor_x509_cert_t *, tor_x509_cert_new,
const tor_x509_cert_impl_t *tor_x509_cert_get_impl(
const tor_x509_cert_t *cert);
+void tor_x509_cert_impl_free_(tor_x509_cert_impl_t *cert);
+#ifdef ENABLE_OPENSSL
+int tor_x509_cert_set_cached_der_encoding(tor_x509_cert_t *cert);
+#else
+#define tor_x509_cert_set_cached_der_encoding(cert) (0)
+#endif
+
#endif
diff --git a/src/lib/tls/x509_nss.c b/src/lib/tls/x509_nss.c
index e0087eae6c..ac9e6658d8 100644
--- a/src/lib/tls/x509_nss.c
+++ b/src/lib/tls/x509_nss.c
@@ -17,6 +17,9 @@
#include "lib/crypt_ops/crypto_util.h"
#include "lib/log/util_bug.h"
+#include <pk11pub.h>
+#include <cert.h>
+
MOCK_IMPL(tor_x509_cert_impl_t *,
tor_tls_create_certificate,(crypto_pk_t *rsa,
crypto_pk_t *rsa_sign,
@@ -33,12 +36,27 @@ tor_tls_create_certificate,(crypto_pk_t *rsa,
return NULL;
}
-MOCK_IMPL(tor_x509_cert_t *,
-tor_x509_cert_new,(tor_x509_cert_impl_t *x509_cert))
+/** Set *<b>encoded_out</b> and *<b>size_out</b> to <b>cert</b>'s encoded DER
+ * representation and length, respectively. */
+void
+tor_x509_cert_get_der(const tor_x509_cert_t *cert,
+ const uint8_t **encoded_out, size_t *size_out)
{
- tor_assert(x509_cert);
- // XXXX
- return NULL;
+ tor_assert(cert);
+ tor_assert(cert->cert);
+ tor_assert(encoded_out);
+ tor_assert(size_out);
+
+ const SECItem *item = &cert->cert->derCert;
+ *encoded_out = item->data;
+ *size_out = (size_t)item->len;
+}
+
+void
+tor_x509_cert_impl_free_(tor_x509_cert_impl_t *cert)
+{
+ if (cert)
+ CERT_DestroyCertificate(cert);
}
tor_x509_cert_t *
@@ -49,13 +67,6 @@ tor_x509_cert_dup(const tor_x509_cert_t *cert)
return NULL;
}
-void
-tor_x509_cert_free_(tor_x509_cert_t *cert)
-{
- (void)cert;
- // XXXX
-}
-
tor_x509_cert_t *
tor_x509_cert_decode(const uint8_t *certificate,
size_t certificate_len)
diff --git a/src/lib/tls/x509_openssl.c b/src/lib/tls/x509_openssl.c
index 43d33d781f..43bd6b4d48 100644
--- a/src/lib/tls/x509_openssl.c
+++ b/src/lib/tls/x509_openssl.c
@@ -182,75 +182,41 @@ tor_tls_create_certificate,(crypto_pk_t *rsa,
#undef SERIAL_NUMBER_SIZE
}
-/** Free all storage held in <b>cert</b> */
-void
-tor_x509_cert_free_(tor_x509_cert_t *cert)
-{
- if (! cert)
- return;
- if (cert->cert)
- X509_free(cert->cert);
- tor_free(cert->encoded);
- memwipe(cert, 0x03, sizeof(*cert));
- /* LCOV_EXCL_BR_START since cert will never be NULL here */
- tor_free(cert);
- /* LCOV_EXCL_BR_STOP */
-}
-
-/**
- * Allocate a new tor_x509_cert_t to hold the certificate "x509_cert".
- *
- * Steals a reference to x509_cert.
- */
-MOCK_IMPL(tor_x509_cert_t *,
-tor_x509_cert_new,(X509 *x509_cert))
+/** Set the 'encoded' and 'encoded_len' fields of "cert" from cert->cert. */
+int
+tor_x509_cert_set_cached_der_encoding(tor_x509_cert_t *cert)
{
- tor_x509_cert_t *cert;
- EVP_PKEY *pkey;
- RSA *rsa;
- int length;
unsigned char *buf = NULL;
+ int length = i2d_X509(cert->cert, &buf);
- if (!x509_cert)
- return NULL;
-
- length = i2d_X509(x509_cert, &buf);
- cert = tor_malloc_zero(sizeof(tor_x509_cert_t));
if (length <= 0 || buf == NULL) {
- goto err;
+ return -1;
}
cert->encoded_len = (size_t) length;
cert->encoded = tor_malloc(length);
memcpy(cert->encoded, buf, length);
OPENSSL_free(buf);
+ return 0;
+}
- cert->cert = x509_cert;
-
- crypto_common_digests(&cert->cert_digests,
- (char*)cert->encoded, cert->encoded_len);
-
- if ((pkey = X509_get_pubkey(x509_cert)) &&
- (rsa = EVP_PKEY_get1_RSA(pkey))) {
- crypto_pk_t *pk = crypto_new_pk_from_openssl_rsa_(rsa);
- if (crypto_pk_get_common_digests(pk, &cert->pkey_digests) < 0) {
- crypto_pk_free(pk);
- EVP_PKEY_free(pkey);
- goto err;
- }
-
- cert->pkey_digests_set = 1;
- crypto_pk_free(pk);
- EVP_PKEY_free(pkey);
- }
+void
+tor_x509_cert_impl_free_(tor_x509_cert_impl_t *cert)
+{
+ if (cert)
+ X509_free(cert);
+}
- return cert;
- err:
- /* LCOV_EXCL_START for the same reason as the exclusion above */
- tor_free(cert);
- log_err(LD_CRYPTO, "Couldn't wrap encoded X509 certificate.");
- X509_free(x509_cert);
- return NULL;
- /* LCOV_EXCL_STOP */
+/** Set *<b>encoded_out</b> and *<b>size_out</b> to <b>cert</b>'s encoded DER
+ * representation and length, respectively. */
+void
+tor_x509_cert_get_der(const tor_x509_cert_t *cert,
+ const uint8_t **encoded_out, size_t *size_out)
+{
+ tor_assert(cert);
+ tor_assert(encoded_out);
+ tor_assert(size_out);
+ *encoded_out = cert->encoded;
+ *size_out = cert->encoded_len;
}
/** Return a new copy of <b>cert</b>. */
diff --git a/src/test/test_link_handshake.c b/src/test/test_link_handshake.c
index e4722b4dfc..6772765993 100644
--- a/src/test/test_link_handshake.c
+++ b/src/test/test_link_handshake.c
@@ -811,9 +811,11 @@ CERTS_FAIL(expired_rsa_id, /* both */
tor_x509_cert_t *newc;
time_t new_end = time(NULL) - 86400 * 10;
newc = tor_x509_cert_replace_expiration(idc, new_end, d->key2);
- certs_cell_cert_setlen_body(cert, newc->encoded_len);
- memcpy(certs_cell_cert_getarray_body(cert),
- newc->encoded, newc->encoded_len);
+ const uint8_t *encoded;
+ size_t encoded_len;
+ tor_x509_cert_get_der(newc, &encoded, &encoded_len);
+ certs_cell_cert_setlen_body(cert, encoded_len);
+ memcpy(certs_cell_cert_getarray_body(cert), encoded, encoded_len);
REENCODE();
tor_x509_cert_free(newc);
})