diff options
Diffstat (limited to 'src/common')
| -rw-r--r-- | src/common/sandbox.c | 4 | ||||
| -rw-r--r-- | src/common/tortls.c | 30 | ||||
| -rw-r--r-- | src/common/tortls.h | 2 |
3 files changed, 35 insertions, 1 deletions
diff --git a/src/common/sandbox.c b/src/common/sandbox.c index ebc843e130..da96ad8248 100644 --- a/src/common/sandbox.c +++ b/src/common/sandbox.c @@ -136,6 +136,9 @@ static int filter_nopar_gen[] = { #ifdef HAVE_PIPE SCMP_SYS(pipe), #endif +#ifdef __NR_fchmod + SCMP_SYS(fchmod), +#endif SCMP_SYS(fcntl), SCMP_SYS(fstat), #ifdef __NR_fstat64 @@ -155,6 +158,7 @@ static int filter_nopar_gen[] = { #ifdef __NR_getgid32 SCMP_SYS(getgid32), #endif + SCMP_SYS(getpid), #ifdef __NR_getrlimit SCMP_SYS(getrlimit), #endif diff --git a/src/common/tortls.c b/src/common/tortls.c index 62ed5be344..d61cc2e58a 100644 --- a/src/common/tortls.c +++ b/src/common/tortls.c @@ -677,6 +677,15 @@ MOCK_IMPL(STATIC tor_x509_cert_t *, return cert; } +/** Return a new copy of <b>cert</b>. */ +tor_x509_cert_t * +tor_x509_cert_dup(const tor_x509_cert_t *cert) +{ + tor_assert(cert); + X509 *x509 = cert->cert; + return tor_x509_cert_new(X509_dup(x509)); +} + /** Read a DER-encoded X509 cert, of length exactly <b>certificate_len</b>, * from a <b>certificate</b>. Return a newly allocated tor_x509_cert_t on * success and NULL on failure. */ @@ -2009,7 +2018,8 @@ tor_tls_peer_has_cert(tor_tls_t *tls) return 1; } -/** Return the peer certificate, or NULL if there isn't one. */ +/** Return a newly allocated copy of the peer certificate, or NULL if there + * isn't one. */ MOCK_IMPL(tor_x509_cert_t *, tor_tls_get_peer_cert,(tor_tls_t *tls)) { @@ -2021,6 +2031,24 @@ tor_tls_get_peer_cert,(tor_tls_t *tls)) return tor_x509_cert_new(cert); } +/** Return a newly allocated copy of the cerficate we used on the connection, + * or NULL if somehow we didn't use one. */ +MOCK_IMPL(tor_x509_cert_t *, +tor_tls_get_own_cert,(tor_tls_t *tls)) +{ + X509 *cert = SSL_get_certificate(tls->ssl); + tls_log_errors(tls, LOG_WARN, LD_HANDSHAKE, + "getting own-connection certificate"); + if (!cert) + return NULL; + /* Fun inconsistency: SSL_get_peer_certificate increments the reference + * count, but SSL_get_certificate does not. */ + X509 *duplicate = X509_dup(cert); + if (BUG(duplicate == NULL)) + return NULL; + return tor_x509_cert_new(duplicate); +} + /** Warn that a certificate lifetime extends through a certain range. */ static void log_cert_lifetime(int severity, const X509 *cert, const char *problem) diff --git a/src/common/tortls.h b/src/common/tortls.h index 7c035a2cd5..f018c45c82 100644 --- a/src/common/tortls.h +++ b/src/common/tortls.h @@ -197,7 +197,9 @@ void tor_tls_set_renegotiate_callback(tor_tls_t *tls, int tor_tls_is_server(tor_tls_t *tls); void tor_tls_free(tor_tls_t *tls); int tor_tls_peer_has_cert(tor_tls_t *tls); +tor_x509_cert_t *tor_x509_cert_dup(const tor_x509_cert_t *cert); MOCK_DECL(tor_x509_cert_t *,tor_tls_get_peer_cert,(tor_tls_t *tls)); +MOCK_DECL(tor_x509_cert_t *,tor_tls_get_own_cert,(tor_tls_t *tls)); int tor_tls_verify(int severity, tor_tls_t *tls, crypto_pk_t **identity); int tor_tls_check_lifetime(int severity, tor_tls_t *tls, int past_tolerance, |