mirror of
https://gitlab.torproject.org/tpo/core/tor.git
synced 2024-11-24 12:23:32 +01:00
Use random bytes as our certificate serial numbers.
Instead of using time(NULL) in our certificate serial numbers, use eight random bytes as suggested in proposal 179.
This commit is contained in:
parent
58d1aa4402
commit
b42ff6545a
@ -585,7 +585,11 @@ tor_tls_create_certificate(crypto_pk_env_t *rsa,
|
||||
const char *cname_sign,
|
||||
unsigned int cert_lifetime)
|
||||
{
|
||||
#define SERIAL_NUMBER_SIZE 8
|
||||
|
||||
time_t start_time, end_time;
|
||||
BIGNUM *serial_number = NULL;
|
||||
unsigned char serial_tmp[SERIAL_NUMBER_SIZE];
|
||||
EVP_PKEY *sign_pkey = NULL, *pkey=NULL;
|
||||
X509 *x509 = NULL;
|
||||
X509_NAME *name = NULL, *name_issuer=NULL;
|
||||
@ -606,8 +610,15 @@ tor_tls_create_certificate(crypto_pk_env_t *rsa,
|
||||
goto error;
|
||||
if (!(X509_set_version(x509, 2)))
|
||||
goto error;
|
||||
if (!(ASN1_INTEGER_set(X509_get_serialNumber(x509), (long)start_time)))
|
||||
|
||||
{ /* our serial number is 8 random bytes. */
|
||||
if (crypto_rand((char *)serial_tmp, sizeof(serial_tmp)) < 0)
|
||||
goto error;
|
||||
if (!(serial_number = BN_bin2bn(serial_tmp, sizeof(serial_tmp), NULL)))
|
||||
goto error;
|
||||
if (!(BN_to_ASN1_INTEGER(serial_number, X509_get_serialNumber(x509))))
|
||||
goto error;
|
||||
}
|
||||
|
||||
if (!(name = tor_x509_name_new(cname)))
|
||||
goto error;
|
||||
@ -640,11 +651,15 @@ tor_tls_create_certificate(crypto_pk_env_t *rsa,
|
||||
EVP_PKEY_free(sign_pkey);
|
||||
if (pkey)
|
||||
EVP_PKEY_free(pkey);
|
||||
if (serial_number)
|
||||
BN_free(serial_number);
|
||||
if (name)
|
||||
X509_NAME_free(name);
|
||||
if (name_issuer)
|
||||
X509_NAME_free(name_issuer);
|
||||
return x509;
|
||||
|
||||
#undef SERIAL_NUMBER_SIZE
|
||||
}
|
||||
|
||||
/** List of ciphers that servers should select from.*/
|
||||
|
Loading…
Reference in New Issue
Block a user