[tor-commits] [tor/master] More functions to manipulate certs received in cells
nickm at torproject.org
nickm at torproject.org
Tue Oct 11 03:22:15 UTC 2011
commit f4c1fa2a04c310c4e0274129bb2fff2aacb59248
Author: Nick Mathewson <nickm at torproject.org>
Date: Wed Sep 14 13:04:48 2011 -0400
More functions to manipulate certs received in cells
---
src/common/tortls.c | 118 +++++++++++++++++++++++++++++++++++++++++++++------
src/common/tortls.h | 3 +
2 files changed, 108 insertions(+), 13 deletions(-)
diff --git a/src/common/tortls.c b/src/common/tortls.c
index 2b12eea..0ba47ba 100644
--- a/src/common/tortls.c
+++ b/src/common/tortls.c
@@ -207,6 +207,7 @@ static int tor_tls_context_init_one(tor_tls_context_t **ppcontext,
unsigned int key_lifetime);
static tor_tls_context_t *tor_tls_context_new(crypto_pk_env_t *identity,
unsigned int key_lifetime);
+static int check_cert_lifetime_internal(const X509 *cert, int tolerance);
/** Global TLS contexts. We keep them here because nobody else needs
* to touch them. */
@@ -823,6 +824,84 @@ tor_tls_get_my_certs(int server,
return 0;
}
+/** Return true iff <b>a</b> and <b>b</b> represent the same public key. */
+static int
+pkey_eq(EVP_PKEY *a, EVP_PKEY *b)
+{
+ /* We'd like to do this, but openssl 0.9.7 doesn't have it:
+ return EVP_PKEY_cmp(a,b) == 1;
+ */
+ unsigned char *a_enc=NULL, *b_enc=NULL, *a_ptr, *b_ptr;
+ int a_len1, b_len1, a_len2, b_len2, result;
+ a_len1 = i2d_PublicKey(a, NULL);
+ b_len1 = i2d_PublicKey(b, NULL);
+ if (a_len1 != b_len1)
+ return 0;
+ a_ptr = a_enc = tor_malloc(a_len1);
+ b_ptr = b_enc = tor_malloc(b_len1);
+ a_len2 = i2d_PublicKey(a, &a_ptr);
+ b_len2 = i2d_PublicKey(b, &b_ptr);
+ tor_assert(a_len2 == a_len1);
+ tor_assert(b_len2 == b_len1);
+ result = tor_memeq(a_enc, b_enc, a_len1);
+ tor_free(a_enc);
+ tor_free(b_enc);
+ return result;
+}
+
+/** Return true iff the other side of <b>tls</b> has authenticated to us, and
+ * the key certified in <b>cert</b> is the same as the key they used to do it.
+ */
+int
+tor_tls_cert_matches_key(const tor_tls_t *tls, const tor_cert_t *cert)
+{
+ X509 *peercert = SSL_get_peer_certificate(tls->ssl);
+ EVP_PKEY *link_key = NULL, *cert_key = NULL;
+ int result;
+
+ if (!peercert)
+ return 0;
+ link_key = X509_get_pubkey(peercert);
+ cert_key = X509_get_pubkey(cert->cert);
+
+ result = link_key && cert_key && pkey_eq(cert_key, link_key);
+
+ X509_free(peercert);
+ if (link_key)
+ EVP_PKEY_free(link_key);
+ if (cert_key)
+ EVP_PKEY_free(cert_key);
+
+ return result;
+}
+
+/** Check wither <b>cert</b> is well-formed, currently live, and correctly
+ * signed by the public key in <b>signing_cert</b>. Return 0 if the cert is
+ * good, and -1 if it's bad or we couldn't check it. */
+int
+tor_tls_cert_is_valid(const tor_cert_t *cert,
+ const tor_cert_t *signing_cert)
+{
+ EVP_PKEY *signing_key = X509_get_pubkey(signing_cert->cert);
+ int r;
+ if (!signing_key)
+ return 0;
+ r = X509_verify(cert->cert, signing_key);
+ EVP_PKEY_free(signing_key);
+ if (r <= 0)
+ return 0;
+
+ /* okay, the signature checked out right. Now let's check the check the
+ * lifetime. */
+ /*XXXX tolerance might be iffy here */
+ if (check_cert_lifetime_internal(cert->cert, 60*60) < 0)
+ return 0;
+
+ /* XXXX compare DNs or anything? */
+
+ return -1;
+}
+
/** Increase the reference count of <b>ctx</b>. */
static void
tor_tls_context_incref(tor_tls_context_t *ctx)
@@ -1709,7 +1788,7 @@ tor_tls_peer_has_cert(tor_tls_t *tls)
/** Warn that a certificate lifetime extends through a certain range. */
static void
-log_cert_lifetime(X509 *cert, const char *problem)
+log_cert_lifetime(const X509 *cert, const char *problem)
{
BIO *bio = NULL;
BUF_MEM *buf;
@@ -1856,25 +1935,14 @@ tor_tls_verify(int severity, tor_tls_t *tls, crypto_pk_env_t **identity_key)
int
tor_tls_check_lifetime(tor_tls_t *tls, int tolerance)
{
- time_t now, t;
X509 *cert;
int r = -1;
- now = time(NULL);
-
if (!(cert = SSL_get_peer_certificate(tls->ssl)))
goto done;
- t = now + tolerance;
- if (X509_cmp_time(X509_get_notBefore(cert), &t) > 0) {
- log_cert_lifetime(cert, "not yet valid");
+ if (check_cert_lifetime_internal(cert, tolerance) < 0)
goto done;
- }
- t = now - tolerance;
- if (X509_cmp_time(X509_get_notAfter(cert), &t) < 0) {
- log_cert_lifetime(cert, "already expired");
- goto done;
- }
r = 0;
done:
@@ -1886,6 +1954,30 @@ tor_tls_check_lifetime(tor_tls_t *tls, int tolerance)
return r;
}
+/** Helper: check whether <b>cert</b> is currently live, give or take
+ * <b>tolerance</b> seconds. If it is live, return 0. If it is not live,
+ * log a message and return -1. */
+static int
+check_cert_lifetime_internal(const X509 *cert, int tolerance)
+{
+ time_t now, t;
+
+ now = time(NULL);
+
+ t = now + tolerance;
+ if (X509_cmp_time(X509_get_notBefore(cert), &t) > 0) {
+ log_cert_lifetime(cert, "not yet valid");
+ return -1;
+ }
+ t = now - tolerance;
+ if (X509_cmp_time(X509_get_notAfter(cert), &t) < 0) {
+ log_cert_lifetime(cert, "already expired");
+ return -1;
+ }
+
+ return 0;
+}
+
/** Return the number of bytes available for reading from <b>tls</b>.
*/
int
diff --git a/src/common/tortls.h b/src/common/tortls.h
index a6aed29..36309af 100644
--- a/src/common/tortls.h
+++ b/src/common/tortls.h
@@ -115,6 +115,9 @@ void tor_cert_get_der(const tor_cert_t *cert,
int tor_tls_get_my_certs(int server,
const tor_cert_t **link_cert_out,
const tor_cert_t **id_cert_out);
+int tor_tls_cert_matches_key(const tor_tls_t *tls, const tor_cert_t *cert);
+int tor_tls_cert_is_valid(const tor_cert_t *cert,
+ const tor_cert_t *signing_cert);
#endif
More information about the tor-commits
mailing list