commit 7b60f0129a12543cf08a2cef5c13b8bfa6691459 Author: Nick Mathewson nickm@torproject.org Date: Fri Mar 31 10:57:48 2017 -0400
Remove tor-checkkey as obsolete
CVE-2008-0166 is long gone, and we no longer need a helper tool to dump out public key moduli so folks can detect it.
Closes ticket 21842. --- changes/ticket21842 | 6 ++++ src/common/crypto.c | 2 +- src/tools/include.am | 11 ------ src/tools/tor-checkkey.c | 89 ------------------------------------------------ 4 files changed, 7 insertions(+), 101 deletions(-)
diff --git a/changes/ticket21842 b/changes/ticket21842 new file mode 100644 index 0000000..4b039c6 --- /dev/null +++ b/changes/ticket21842 @@ -0,0 +1,6 @@ + o Removed features: + - We've removed the tor-checkkey tool from src/tools. Long ago, we + used it to help people detect RSA keys that were generated by + versions of Debian affected by CVE-2008-0166. But those keys + have been out of circulation for ages, and this tool is no + longer required. Closes ticket 21842. diff --git a/src/common/crypto.c b/src/common/crypto.c index a5eb7b5..6519719 100644 --- a/src/common/crypto.c +++ b/src/common/crypto.c @@ -467,7 +467,7 @@ crypto_new_pk_from_rsa_(RSA *rsa) return env; }
-/** Helper, used by tor-checkkey.c and tor-gencert.c. Return the RSA from a +/** Helper, used by tor-gencert.c. Return the RSA from a * crypto_pk_t. */ RSA * crypto_pk_get_rsa_(crypto_pk_t *env) diff --git a/src/tools/include.am b/src/tools/include.am index d0185b5..5eadb03 100644 --- a/src/tools/include.am +++ b/src/tools/include.am @@ -1,5 +1,4 @@ bin_PROGRAMS+= src/tools/tor-resolve src/tools/tor-gencert -noinst_PROGRAMS+= src/tools/tor-checkkey
if COVERAGE_ENABLED noinst_PROGRAMS+= src/tools/tor-cov-resolve src/tools/tor-cov-gencert @@ -43,14 +42,4 @@ src_tools_tor_cov_gencert_LDADD = src/common/libor-testing.a \ @TOR_LIB_WS32@ @TOR_LIB_GDI@ @CURVE25519_LIBS@ endif
-src_tools_tor_checkkey_SOURCES = src/tools/tor-checkkey.c -src_tools_tor_checkkey_LDFLAGS = @TOR_LDFLAGS_zlib@ @TOR_LDFLAGS_openssl@ -src_tools_tor_checkkey_LDADD = src/common/libor.a \ - src/common/libor-ctime.a \ - src/common/libor-crypto.a \ - $(LIBKECCAK_TINY) \ - $(LIBDONNA) \ - @TOR_LIB_MATH@ @TOR_ZLIB_LIBS@ @TOR_OPENSSL_LIBS@ \ - @TOR_LIB_WS32@ @TOR_LIB_GDI@ @CURVE25519_LIBS@ - EXTRA_DIST += src/tools/tor-fw-helper/README diff --git a/src/tools/tor-checkkey.c b/src/tools/tor-checkkey.c deleted file mode 100644 index f2f709d..0000000 --- a/src/tools/tor-checkkey.c +++ /dev/null @@ -1,89 +0,0 @@ -/* Copyright (c) 2008-2017, The Tor Project, Inc. */ -/* See LICENSE for licensing information */ - -#include "orconfig.h" - -#include <stdio.h> -#include <stdlib.h> -#include "crypto.h" -#include "torlog.h" -#include "util.h" -#include "compat.h" -#include "compat_openssl.h" -#include <openssl/bn.h> -#include <openssl/rsa.h> - -int -main(int c, char **v) -{ - crypto_pk_t *env; - char *str; - RSA *rsa; - int wantdigest=0; - int fname_idx; - char *fname=NULL; - init_logging(1); - - if (c < 2) { - fprintf(stderr, "Hi. I'm tor-checkkey. Tell me a filename that " - "has a PEM-encoded RSA public key (like in a cert) and I'll " - "dump the modulus. Use the --digest option too and I'll " - "dump the digest.\n"); - return 1; - } - - if (crypto_global_init(0, NULL, NULL)) { - fprintf(stderr, "Couldn't initialize crypto library.\n"); - return 1; - } - - if (!strcmp(v[1], "--digest")) { - wantdigest = 1; - fname_idx = 2; - if (c<3) { - fprintf(stderr, "too few arguments"); - return 1; - } - } else { - wantdigest = 0; - fname_idx = 1; - } - - fname = expand_filename(v[fname_idx]); - str = read_file_to_str(fname, 0, NULL); - tor_free(fname); - if (!str) { - fprintf(stderr, "Couldn't read %s\n", v[fname_idx]); - return 1; - } - - env = crypto_pk_new(); - if (crypto_pk_read_public_key_from_string(env, str, strlen(str))<0) { - fprintf(stderr, "Couldn't parse key.\n"); - return 1; - } - tor_free(str); - - if (wantdigest) { - char digest[HEX_DIGEST_LEN+1]; - if (crypto_pk_get_fingerprint(env, digest, 0)<0) - return 1; - printf("%s\n",digest); - } else { - rsa = crypto_pk_get_rsa_(env); - - const BIGNUM *rsa_n; -#ifdef OPENSSL_1_1_API - const BIGNUM *rsa_e, *rsa_d; - RSA_get0_key(rsa, &rsa_n, &rsa_e, &rsa_d); -#else - rsa_n = rsa->n; -#endif - str = BN_bn2hex(rsa_n); - - printf("%s\n", str); - } - - return 0; -} -