[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
[or-cvs] Misc small code cleanups; remove exit_server_mode(); change...
- To: or-cvs@freehaven.net
- Subject: [or-cvs] Misc small code cleanups; remove exit_server_mode(); change...
- From: nickm@seul.org (Nick Mathewson)
- Date: Tue, 20 Jul 2004 20:44:06 -0400 (EDT)
- Delivered-to: archiver@seul.org
- Delivered-to: or-cvs-outgoing@seul.org
- Delivered-to: or-cvs@seul.org
- Delivery-date: Tue, 20 Jul 2004 20:44:19 -0400
- Reply-to: or-dev@freehaven.net
- Sender: owner-or-cvs@freehaven.net
Update of /home/or/cvsroot/src/common
In directory moria.mit.edu:/tmp/cvs-serv17343/src/common
Modified Files:
tortls.c tortls.h
Log Message:
Misc small code cleanups; remove exit_server_mode(); change tor_tls_verify behavior
Index: tortls.c
===================================================================
RCS file: /home/or/cvsroot/src/common/tortls.c,v
retrieving revision 1.58
retrieving revision 1.59
diff -u -d -r1.58 -r1.59
--- tortls.c 19 Jul 2004 19:49:03 -0000 1.58
+++ tortls.c 21 Jul 2004 00:44:03 -0000 1.59
@@ -602,19 +602,39 @@
}
/** If the provided tls connection is authenticated and has a
- * certificate that is currently valid and is correctly signed by
- * <b>identity_key</b>, return 0. Else, return -1.
+ * certificate that is currently valid and signed, then set
+ * *<b>identity_key</b> to the identity certificate's key and return
+ * 0. Else, return -1.
*/
int
-tor_tls_verify(tor_tls *tls, crypto_pk_env_t *identity_key)
+tor_tls_verify(tor_tls *tls, crypto_pk_env_t **identity_key)
{
- X509 *cert = NULL;
+ X509 *cert = NULL, *id_cert = NULL;
+ STACK_OF(X509) *chain = NULL;
EVP_PKEY *id_pkey = NULL;
+ RSA *rsa;
time_t now, t;
- int r = -1;
+ int r = -1, i;
+
+ *identity_key = NULL;
if (!(cert = SSL_get_peer_certificate(tls->ssl)))
- return -1;
+ goto done;
+ if (!(chain = SSL_get_peer_cert_chain(tls->ssl)))
+ goto done;
+ if (sk_X509_num(chain) != 2) {
+ log_fn(LOG_WARN,"Unexpected number of certificates in chain");
+ goto done;
+ }
+ for (i=0; i<2; ++i) {
+ id_cert = sk_X509_value(chain, i);
+ if (X509_cmp(id_cert, cert) != 0)
+ break;
+ }
+ if (!id_cert) {
+ log_fn(LOG_WARN,"No distinct identity certificate found");
+ goto done;
+ }
now = time(NULL);
t = now + CERT_ALLOW_SKEW;
@@ -628,14 +648,18 @@
goto done;
}
- /* Get the public key. */
- if (!(id_pkey = _crypto_pk_env_get_evp_pkey(identity_key,0)) ||
+ if (!(id_pkey = X509_get_pubkey(id_cert)) ||
X509_verify(cert, id_pkey) <= 0) {
log_fn(LOG_WARN,"X509_verify on cert and pkey returned <= 0");
tls_log_errors(LOG_WARN,"verifying certificate");
goto done;
}
+ rsa = EVP_PKEY_get1_RSA(id_pkey);
+ if (!rsa)
+ goto done;
+ *identity_key = _crypto_new_pk_env_rsa(rsa);
+
r = 0;
done:
Index: tortls.h
===================================================================
RCS file: /home/or/cvsroot/src/common/tortls.h,v
retrieving revision 1.16
retrieving revision 1.17
diff -u -d -r1.16 -r1.17
--- tortls.h 10 May 2004 07:54:13 -0000 1.16
+++ tortls.h 21 Jul 2004 00:44:03 -0000 1.17
@@ -28,7 +28,7 @@
void tor_tls_free(tor_tls *tls);
int tor_tls_peer_has_cert(tor_tls *tls);
int tor_tls_get_peer_cert_nickname(tor_tls *tls, char *buf, int buflen);
-int tor_tls_verify(tor_tls *tls, crypto_pk_env_t *identity);
+int tor_tls_verify(tor_tls *tls, crypto_pk_env_t **identity);
int tor_tls_read(tor_tls *tls, char *cp, int len);
int tor_tls_write(tor_tls *tls, char *cp, int n);
int tor_tls_handshake(tor_tls *tls);