From: Nick Mathewson Date: Mon, 28 Apr 2025 15:10:55 +0000 (-0400) Subject: Remove tor_tls_verify X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=762bf91ebf4e98b1cee593ad5548cdb184a32656;p=thirdparty%2Ftor.git Remove tor_tls_verify Despite its name, it was only used for the v1 handshake. --- diff --git a/src/lib/tls/tortls.c b/src/lib/tls/tortls.c index 9fe28cf96e..2a9bcc5f7b 100644 --- a/src/lib/tls/tortls.c +++ b/src/lib/tls/tortls.c @@ -393,48 +393,6 @@ tor_tls_free_(tor_tls_t *tls) tor_free(tls); } -/** If the provided tls connection is authenticated and has a - * certificate chain that is currently valid and signed, then set - * *identity_key to the identity certificate's key and return - * 0. Else, return -1 and log complaints with log-level severity. - */ -int -tor_tls_verify(int severity, tor_tls_t *tls, time_t now, - crypto_pk_t **identity) -{ - tor_x509_cert_impl_t *cert = NULL, *id_cert = NULL; - tor_x509_cert_t *peer_x509 = NULL, *id_x509 = NULL; - tor_assert(tls); - tor_assert(identity); - int rv = -1; - - try_to_extract_certs_from_tls(severity, tls, &cert, &id_cert); - if (!cert) - goto done; - if (!id_cert) { - log_fn(severity,LD_PROTOCOL,"No distinct identity certificate found"); - goto done; - } - peer_x509 = tor_x509_cert_new(cert); - id_x509 = tor_x509_cert_new(id_cert); - cert = id_cert = NULL; /* Prevent double-free */ - - if (! tor_tls_cert_is_valid(severity, peer_x509, id_x509, now, 0)) { - goto done; - } - - *identity = tor_tls_cert_get_key(id_x509); - rv = 0; - - done: - tor_x509_cert_impl_free(cert); - tor_x509_cert_impl_free(id_cert); - tor_x509_cert_free(peer_x509); - tor_x509_cert_free(id_x509); - - return rv; -} - static void subsys_tortls_shutdown(void) { diff --git a/src/lib/tls/tortls.h b/src/lib/tls/tortls.h index 9cf25ae28d..6c22633eac 100644 --- a/src/lib/tls/tortls.h +++ b/src/lib/tls/tortls.h @@ -96,8 +96,6 @@ void tor_tls_free_(tor_tls_t *tls); int tor_tls_peer_has_cert(tor_tls_t *tls); MOCK_DECL(struct tor_x509_cert_t *,tor_tls_get_peer_cert,(tor_tls_t *tls)); MOCK_DECL(struct tor_x509_cert_t *,tor_tls_get_own_cert,(tor_tls_t *tls)); -int tor_tls_verify(int severity, tor_tls_t *tls, time_t now, - crypto_pk_t **identity); MOCK_DECL(int, tor_tls_read, (tor_tls_t *tls, char *cp, size_t len)); int tor_tls_write(tor_tls_t *tls, const char *cp, size_t n); int tor_tls_handshake(tor_tls_t *tls); diff --git a/src/lib/tls/tortls_internal.h b/src/lib/tls/tortls_internal.h index ca7df45e2a..7718c42298 100644 --- a/src/lib/tls/tortls_internal.h +++ b/src/lib/tls/tortls_internal.h @@ -18,10 +18,6 @@ int tor_errno_to_tls_error(int e); int tor_tls_get_error(tor_tls_t *tls, int r, int extra, const char *doing, int severity, int domain); #endif -MOCK_DECL(void, try_to_extract_certs_from_tls, - (int severity, tor_tls_t *tls, - tor_x509_cert_impl_t **cert_out, - tor_x509_cert_impl_t **id_cert_out)); tor_tls_context_t *tor_tls_context_new(crypto_pk_t *identity, unsigned int key_lifetime, unsigned flags, int is_client); diff --git a/src/lib/tls/tortls_nss.c b/src/lib/tls/tortls_nss.c index 87c950dd26..40e74117e0 100644 --- a/src/lib/tls/tortls_nss.c +++ b/src/lib/tls/tortls_nss.c @@ -46,34 +46,6 @@ ENABLE_GCC_WARNING("-Wstrict-prototypes") static SECStatus always_accept_cert_cb(void *, PRFileDesc *, PRBool, PRBool); -MOCK_IMPL(void, -try_to_extract_certs_from_tls,(int severity, tor_tls_t *tls, - tor_x509_cert_impl_t **cert_out, - tor_x509_cert_impl_t **id_cert_out)) -{ - tor_assert(tls); - tor_assert(cert_out); - tor_assert(id_cert_out); - (void) severity; - - *cert_out = *id_cert_out = NULL; - - CERTCertificate *peer = SSL_PeerCertificate(tls->ssl); - if (!peer) - return; - *cert_out = peer; /* Now owns pointer. */ - - CERTCertList *chain = SSL_PeerCertificateChain(tls->ssl); - CERTCertListNode *c = CERT_LIST_HEAD(chain); - for (; !CERT_LIST_END(c, chain); c = CERT_LIST_NEXT(c)) { - if (CERT_CompareCerts(c->cert, peer) == PR_FALSE) { - *id_cert_out = CERT_DupCertificate(c->cert); - break; - } - } - CERT_DestroyCertList(chain); -} - static bool we_like_ssl_cipher(SSLCipherAlgorithm ca) { diff --git a/src/lib/tls/tortls_openssl.c b/src/lib/tls/tortls_openssl.c index 05a8bfc0a4..ea5929fd71 100644 --- a/src/lib/tls/tortls_openssl.c +++ b/src/lib/tls/tortls_openssl.c @@ -1017,44 +1017,6 @@ tor_tls_get_own_cert,(tor_tls_t *tls)) return tor_x509_cert_new(duplicate); } -/** Helper function: try to extract a link certificate and an identity - * certificate from tls, and store them in *cert_out and - * *id_cert_out respectively. Log all messages at level - * severity. - * - * Note that a reference is added both of the returned certificates. */ -MOCK_IMPL(void, -try_to_extract_certs_from_tls,(int severity, tor_tls_t *tls, - X509 **cert_out, X509 **id_cert_out)) -{ - X509 *cert = NULL, *id_cert = NULL; - STACK_OF(X509) *chain = NULL; - int num_in_chain, i; - *cert_out = *id_cert_out = NULL; - if (!(cert = SSL_get_peer_certificate(tls->ssl))) - return; - *cert_out = cert; - if (!(chain = SSL_get_peer_cert_chain(tls->ssl))) - return; - num_in_chain = sk_X509_num(chain); - /* 1 means we're receiving (server-side), and it's just the id_cert. - * 2 means we're connecting (client-side), and it's both the link - * cert and the id_cert. - */ - if (num_in_chain < 1) { - log_fn(severity,LD_PROTOCOL, - "Unexpected number of certificates in chain (%d)", - num_in_chain); - return; - } - for (i=0; itls. */ int diff --git a/src/test/test_tortls.c b/src/test/test_tortls.c index 9c27b3f95a..4589f92b02 100644 --- a/src/test/test_tortls.c +++ b/src/test/test_tortls.c @@ -154,24 +154,6 @@ read_cert_from(const char *str) return res; } -static tor_x509_cert_impl_t * - fixed_try_to_extract_certs_from_tls_cert_out_result = NULL; -static tor_x509_cert_impl_t * - fixed_try_to_extract_certs_from_tls_id_cert_out_result = NULL; - -static void -fixed_try_to_extract_certs_from_tls(int severity, tor_tls_t *tls, - tor_x509_cert_impl_t **cert_out, - tor_x509_cert_impl_t **id_cert_out) -{ - (void) severity; - (void) tls; - *cert_out = tor_x509_cert_impl_dup_( - fixed_try_to_extract_certs_from_tls_cert_out_result); - *id_cert_out = tor_x509_cert_impl_dup_( - fixed_try_to_extract_certs_from_tls_id_cert_out_result); -} - static void test_tortls_errno_to_tls_error(void *data) { @@ -453,58 +435,6 @@ test_tortls_is_server(void *arg) crypto_pk_free(pk2); } -static void -test_tortls_verify(void *ignored) -{ - (void)ignored; - int ret; - tor_tls_t *tls; - crypto_pk_t *k = NULL; - tor_x509_cert_impl_t *cert1 = NULL, *cert2 = NULL, *invalidCert = NULL, - *validCert = NULL, *caCert = NULL; - time_t now = cert_strings_valid_at; - - validCert = read_cert_from(validCertString); - caCert = read_cert_from(caCertString); - invalidCert = read_cert_from(notCompletelyValidCertString); - - tls = tor_malloc_zero(sizeof(tor_tls_t)); - - MOCK(try_to_extract_certs_from_tls, fixed_try_to_extract_certs_from_tls); - - fixed_try_to_extract_certs_from_tls_cert_out_result = cert1; - ret = tor_tls_verify(LOG_WARN, tls, now, &k); - tt_int_op(ret, OP_EQ, -1); - - fixed_try_to_extract_certs_from_tls_id_cert_out_result = cert2; - ret = tor_tls_verify(LOG_WARN, tls, now, &k); - tt_int_op(ret, OP_EQ, -1); - - fixed_try_to_extract_certs_from_tls_cert_out_result = invalidCert; - fixed_try_to_extract_certs_from_tls_id_cert_out_result = invalidCert; - - ret = tor_tls_verify(LOG_WARN, tls, now, &k); - tt_int_op(ret, OP_EQ, -1); - - fixed_try_to_extract_certs_from_tls_cert_out_result = validCert; - fixed_try_to_extract_certs_from_tls_id_cert_out_result = caCert; - - ret = tor_tls_verify(LOG_WARN, tls, now, &k); - tt_int_op(ret, OP_EQ, 0); - tt_assert(k); - - done: - UNMOCK(try_to_extract_certs_from_tls); - tor_x509_cert_impl_free(cert1); - tor_x509_cert_impl_free(cert2); - tor_x509_cert_impl_free(validCert); - tor_x509_cert_impl_free(invalidCert); - tor_x509_cert_impl_free(caCert); - - tor_free(tls); - crypto_pk_free(k); -} - static void test_tortls_cert_matches_key(void *ignored) { @@ -583,7 +513,6 @@ struct testcase_t tortls_tests[] = { LOCAL_TEST_CASE(address, TT_FORK), LOCAL_TEST_CASE(is_server, 0), LOCAL_TEST_CASE(bridge_init, TT_FORK), - LOCAL_TEST_CASE(verify, TT_FORK), LOCAL_TEST_CASE(cert_matches_key, 0), END_OF_TESTCASES }; diff --git a/src/test/test_tortls_openssl.c b/src/test/test_tortls_openssl.c index 285c331fb3..eebaf5451e 100644 --- a/src/test/test_tortls_openssl.c +++ b/src/test/test_tortls_openssl.c @@ -748,76 +748,6 @@ test_tortls_get_buffer_sizes(void *ignored) } #endif /* !defined(OPENSSL_OPAQUE) */ -#ifndef OPENSSL_OPAQUE -typedef struct cert_pkey_st_local -{ - X509 *x509; - EVP_PKEY *privatekey; - const EVP_MD *digest; -} CERT_PKEY_local; - -typedef struct sess_cert_st_local -{ - STACK_OF(X509) *cert_chain; - int peer_cert_type; - CERT_PKEY_local *peer_key; - CERT_PKEY_local peer_pkeys[8]; - int references; -} SESS_CERT_local; - -static void -test_tortls_try_to_extract_certs_from_tls(void *ignored) -{ - (void)ignored; - tor_tls_t *tls; - X509 *cert = NULL, *id_cert = NULL, *c1 = NULL, *c2 = NULL; - SESS_CERT_local *sess = NULL; - - c1 = read_cert_from(validCertString); - c2 = read_cert_from(caCertString); - - tls = tor_malloc_zero(sizeof(tor_tls_t)); - tls->ssl = tor_malloc_zero(sizeof(SSL)); - tls->ssl->session = tor_malloc_zero(sizeof(SSL_SESSION)); - sess = tor_malloc_zero(sizeof(SESS_CERT_local)); - tls->ssl->session->sess_cert = (void *)sess; - - try_to_extract_certs_from_tls(LOG_WARN, tls, &cert, &id_cert); - tt_assert(!cert); - tt_assert(!id_cert); - - tls->ssl->session->peer = c1; - try_to_extract_certs_from_tls(LOG_WARN, tls, &cert, &id_cert); - tt_assert(cert == c1); - tt_assert(!id_cert); - X509_free(cert); /* decrease refcnt */ - - sess->cert_chain = sk_X509_new_null(); - try_to_extract_certs_from_tls(LOG_WARN, tls, &cert, &id_cert); - tt_assert(cert == c1); - tt_assert(!id_cert); - X509_free(cert); /* decrease refcnt */ - - sk_X509_push(sess->cert_chain, c1); - sk_X509_push(sess->cert_chain, c2); - - try_to_extract_certs_from_tls(LOG_WARN, tls, &cert, &id_cert); - tt_assert(cert == c1); - tt_assert(id_cert); - X509_free(cert); /* decrease refcnt */ - X509_free(id_cert); /* decrease refcnt */ - - done: - sk_X509_free(sess->cert_chain); - tor_free(sess); - tor_free(tls->ssl->session); - tor_free(tls->ssl); - tor_free(tls); - X509_free(c1); - X509_free(c2); -} -#endif /* !defined(OPENSSL_OPAQUE) */ - #ifndef OPENSSL_OPAQUE static void test_tortls_get_peer_cert(void *ignored) @@ -2064,7 +1994,6 @@ struct testcase_t tortls_openssl_tests[] = { INTRUSIVE_TEST_CASE(classify_client_ciphers, 0), INTRUSIVE_TEST_CASE(get_pending_bytes, 0), INTRUSIVE_TEST_CASE(get_buffer_sizes, 0), - INTRUSIVE_TEST_CASE(try_to_extract_certs_from_tls, 0), INTRUSIVE_TEST_CASE(get_peer_cert, 0), INTRUSIVE_TEST_CASE(peer_has_cert, 0), INTRUSIVE_TEST_CASE(finish_handshake, 0),