[or-cvs] fix our tls handshake chain cert bug

Roger Dingledine arma at seul.org
Wed Jul 21 22:11:13 UTC 2004


Update of /home/or/cvsroot/src/common
In directory moria.mit.edu:/home2/arma/work/onion/cvs/src/common

Modified Files:
	tortls.c 
Log Message:
fix our tls handshake chain cert bug


Index: tortls.c
===================================================================
RCS file: /home/or/cvsroot/src/common/tortls.c,v
retrieving revision 1.61
retrieving revision 1.62
diff -u -d -r1.61 -r1.62
--- tortls.c	21 Jul 2004 17:59:24 -0000	1.61
+++ tortls.c	21 Jul 2004 22:11:11 -0000	1.62
@@ -277,8 +277,8 @@
  * should be NULL.  Return -1 if failure, else 0.
  *
  * You can call this function multiple times.  Each time you call it,
- * it generates new certificates; all new connections will be begin
- * with the new SSL context.
+ * it generates new certificates; all new connections will use
+ * the new SSL context.
  */
 int
 tor_tls_context_new(crypto_pk_env_t *identity,
@@ -652,6 +652,7 @@
   STACK_OF(X509) *chain = NULL;
   EVP_PKEY *id_pkey = NULL;
   RSA *rsa;
+  int num_in_chain;
   time_t now, t;
   int r = -1, i;
 
@@ -661,12 +662,18 @@
     goto done;
   if (!(chain = SSL_get_peer_cert_chain(tls->ssl)))
     goto done;
-  if (sk_X509_num(chain) != 2) {
+  num_in_chain = sk_X509_num(chain);
+  log_fn(LOG_DEBUG,"Number of certs in chain: %d", num_in_chain);
+  /* 1 means we're receiving (server-side), and it's just the id_cert.
+   * 2 means we're connecting (client-side), and it's both the link
+   * cert and the id_cert.
+   */
+  if (num_in_chain < 1) {
     log_fn(LOG_WARN,"Unexpected number of certificates in chain (%d)",
-           sk_X509_num(chain));
+           num_in_chain);
     goto done;
   }
-  for (i=0; i<2; ++i) {
+  for (i=0; i<num_in_chain; ++i) {
     id_cert = sk_X509_value(chain, i);
     if (X509_cmp(id_cert, cert) != 0)
       break;



More information about the tor-commits mailing list