[or-cvs] Misc small code cleanups; remove exit_server_mode(); change...

Nick Mathewson nickm at seul.org
Wed Jul 21 00:44:06 UTC 2004


Update of /home/or/cvsroot/src/common
In directory moria.mit.edu:/tmp/cvs-serv17343/src/common

Modified Files:
	tortls.c tortls.h 
Log Message:
Misc small code cleanups; remove exit_server_mode(); change tor_tls_verify behavior

Index: tortls.c
===================================================================
RCS file: /home/or/cvsroot/src/common/tortls.c,v
retrieving revision 1.58
retrieving revision 1.59
diff -u -d -r1.58 -r1.59
--- tortls.c	19 Jul 2004 19:49:03 -0000	1.58
+++ tortls.c	21 Jul 2004 00:44:03 -0000	1.59
@@ -602,19 +602,39 @@
 }
 
 /** If the provided tls connection is authenticated and has a
- * certificate that is currently valid and is correctly signed by
- * <b>identity_key</b>, return 0.  Else, return -1.
+ * certificate that is currently valid and signed, then set
+ * *<b>identity_key</b> to the identity certificate's key and return
+ * 0.  Else, return -1.
  */
 int
-tor_tls_verify(tor_tls *tls, crypto_pk_env_t *identity_key)
+tor_tls_verify(tor_tls *tls, crypto_pk_env_t **identity_key)
 {
-  X509 *cert = NULL;
+  X509 *cert = NULL, *id_cert = NULL;
+  STACK_OF(X509) *chain = NULL;
   EVP_PKEY *id_pkey = NULL;
+  RSA *rsa;
   time_t now, t;
-  int r = -1;
+  int r = -1, i;
+
+  *identity_key = NULL;
 
   if (!(cert = SSL_get_peer_certificate(tls->ssl)))
-    return -1;
+    goto done;
+  if (!(chain = SSL_get_peer_cert_chain(tls->ssl)))
+    goto done;
+  if (sk_X509_num(chain) != 2) {
+    log_fn(LOG_WARN,"Unexpected number of certificates in chain");
+    goto done;
+  }
+  for (i=0; i<2; ++i) {
+    id_cert = sk_X509_value(chain, i);
+    if (X509_cmp(id_cert, cert) != 0)
+      break;
+  }
+  if (!id_cert) {
+    log_fn(LOG_WARN,"No distinct identity certificate found");
+    goto done;
+  }
 
   now = time(NULL);
   t = now + CERT_ALLOW_SKEW;
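Review bot: The `if (!id_cert)` check after the search loop cannot catch the case it is named for: when both chain entries compare equal to `cert`, the loop finishes with `id_cert` pointing at the second entry (non-NULL), so "No distinct identity certificate found" is only reachable if `sk_X509_value()` itself returns NULL, and the code proceeds to verify `cert` against what is effectively its own key. Tightening the post-loop test to `if (!id_cert || X509_cmp(id_cert, cert) == 0) {` restores the intended guard with the same log message. Separately, the new doc comment drops the "signed by identity_key" wording but does not say what replaces it; I would add to it that the identity certificate is taken from the peer-supplied chain and is not itself validated here, so the caller must compare the returned `*identity_key` against the identity it expects. The rest of tor_tls_verify, including the `done:` cleanup of `cert`, is outside this hunk.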
@@ -628,14 +648,18 @@
     goto done;
   }
 
-  /* Get the public key. */
-  if (!(id_pkey = _crypto_pk_env_get_evp_pkey(identity_key,0)) ||
+  if (!(id_pkey = X509_get_pubkey(id_cert)) ||
       X509_verify(cert, id_pkey) <= 0) {
     log_fn(LOG_WARN,"X509_verify on cert and pkey returned <= 0");
     tls_log_errors(LOG_WARN,"verifying certificate");
     goto done;
   }
 
+  rsa = EVP_PKEY_get1_RSA(id_pkey);
+  if (!rsa)
+    goto done;
+  *identity_key = _crypto_new_pk_env_rsa(rsa);
+
   r = 0;
 
  done:
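Review bot: The result of `_crypto_new_pk_env_rsa(rsa)` is assigned to `*identity_key` without a check, so on an allocation failure the function still sets `r = 0` and returns success with a NULL identity key, and the reference obtained from `EVP_PKEY_get1_RSA()` is leaked. Assuming the constructor takes ownership of `rsa` on success, the assignment should be `if (!(*identity_key = _crypto_new_pk_env_rsa(rsa))) { RSA_free(rsa); goto done; }` so a failed call reports -1 like every other failure path in the function. `id_pkey` now comes from `X509_get_pubkey()`, which returns a reference the caller owns; the `done:` label and its cleanup are outside this hunk, so I could not confirm that `EVP_PKEY_free(id_pkey)` is still performed there — worth checking.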

Index: tortls.h
===================================================================
RCS file: /home/or/cvsroot/src/common/tortls.h,v
retrieving revision 1.16
retrieving revision 1.17
diff -u -d -r1.16 -r1.17
--- tortls.h	10 May 2004 07:54:13 -0000	1.16
+++ tortls.h	21 Jul 2004 00:44:03 -0000	1.17
@@ -28,7 +28,7 @@
 void tor_tls_free(tor_tls *tls);
 int tor_tls_peer_has_cert(tor_tls *tls);
 int tor_tls_get_peer_cert_nickname(tor_tls *tls, char *buf, int buflen);
-int tor_tls_verify(tor_tls *tls, crypto_pk_env_t *identity);
+int tor_tls_verify(tor_tls *tls, crypto_pk_env_t **identity);
 int tor_tls_read(tor_tls *tls, char *cp, int len);
 int tor_tls_write(tor_tls *tls, char *cp, int n);
 int tor_tls_handshake(tor_tls *tls);


