From 334de84cbe47944b52b004f0a7e3c4125c8b732b Mon Sep 17 00:00:00 2001 From: Nick Mathewson Date: Wed, 21 Jul 2004 00:44:04 +0000 Subject: Misc small code cleanups; remove exit_server_mode(); change tor_tls_verify behavior svn:r2073 --- src/common/tortls.c | 40 ++++++++++++++++++++++++++++++++-------- src/common/tortls.h | 2 +- 2 files changed, 33 insertions(+), 9 deletions(-) (limited to 'src/common') diff --git a/src/common/tortls.c b/src/common/tortls.c index f2b8ae039..c3ba4ae83 100644 --- a/src/common/tortls.c +++ b/src/common/tortls.c @@ -602,19 +602,39 @@ tor_tls_get_peer_cert_nickname(tor_tls *tls, char *buf, int buflen) } /** If the provided tls connection is authenticated and has a - * certificate that is currently valid and is correctly signed by - * identity_key, return 0. Else, return -1. + * certificate that is currently valid and signed, then set + * *identity_key to the identity certificate's key and return + * 0. Else, return -1. */ int -tor_tls_verify(tor_tls *tls, crypto_pk_env_t *identity_key) +tor_tls_verify(tor_tls *tls, crypto_pk_env_t **identity_key) { - X509 *cert = NULL; + X509 *cert = NULL, *id_cert = NULL; + STACK_OF(X509) *chain = NULL; EVP_PKEY *id_pkey = NULL; + RSA *rsa; time_t now, t; - int r = -1; + int r = -1, i; + + *identity_key = NULL; if (!(cert = SSL_get_peer_certificate(tls->ssl))) - return -1; + goto done; + if (!(chain = SSL_get_peer_cert_chain(tls->ssl))) + goto done; + if (sk_X509_num(chain) != 2) { + log_fn(LOG_WARN,"Unexpected number of certificates in chain"); + goto done; + } + for (i=0; i<2; ++i) { + id_cert = sk_X509_value(chain, i); + if (X509_cmp(id_cert, cert) != 0) + break; + } + if (!id_cert) { + log_fn(LOG_WARN,"No distinct identity certificate found"); + goto done; + } now = time(NULL); t = now + CERT_ALLOW_SKEW; @@ -628,14 +648,18 @@ tor_tls_verify(tor_tls *tls, crypto_pk_env_t *identity_key) goto done; } - /* Get the public key. */ - if (!(id_pkey = _crypto_pk_env_get_evp_pkey(identity_key,0)) || + if (!(id_pkey = X509_get_pubkey(id_cert)) || X509_verify(cert, id_pkey) <= 0) { log_fn(LOG_WARN,"X509_verify on cert and pkey returned <= 0"); tls_log_errors(LOG_WARN,"verifying certificate"); goto done; } + rsa = EVP_PKEY_get1_RSA(id_pkey); + if (!rsa) + goto done; + *identity_key = _crypto_new_pk_env_rsa(rsa); + r = 0; done: diff --git a/src/common/tortls.h b/src/common/tortls.h index f9ffb0edc..02dbeb7a7 100644 --- a/src/common/tortls.h +++ b/src/common/tortls.h @@ -28,7 +28,7 @@ tor_tls *tor_tls_new(int sock, int isServer); void tor_tls_free(tor_tls *tls); int tor_tls_peer_has_cert(tor_tls *tls); int tor_tls_get_peer_cert_nickname(tor_tls *tls, char *buf, int buflen); -int tor_tls_verify(tor_tls *tls, crypto_pk_env_t *identity); +int tor_tls_verify(tor_tls *tls, crypto_pk_env_t **identity); int tor_tls_read(tor_tls *tls, char *cp, int len); int tor_tls_write(tor_tls *tls, char *cp, int n); int tor_tls_handshake(tor_tls *tls); -- cgit v1.2.3