mirror of
https://gitlab.torproject.org/tpo/core/tor.git
synced 2024-11-24 04:13:28 +01:00
Increase TLS RSA link key length to 2048 bits
Oddly, nothing broke. Closes ticket 13752.
This commit is contained in:
parent
b4a5c77901
commit
e64bac6eb4
4
changes/feature13752
Normal file
4
changes/feature13752
Normal file
@ -0,0 +1,4 @@
|
||||
o Minor features (fingerprinting resistence, authentication):
|
||||
- Extend the length of RSA keys used for TLS link authentication to
|
||||
2048 bits. (These weren't used for forward secrecy; for forward
|
||||
secrecy, we used P256.) Closes ticket 13752.
|
@ -775,8 +775,8 @@ tor_tls_context_decref(tor_tls_context_t *ctx)
|
||||
/** Set *<b>link_cert_out</b> and *<b>id_cert_out</b> to the link certificate
|
||||
* and ID certificate that we're currently using for our V3 in-protocol
|
||||
* handshake's certificate chain. If <b>server</b> is true, provide the certs
|
||||
* that we use in server mode; otherwise, provide the certs that we use in
|
||||
* client mode. */
|
||||
* that we use in server mode (auth, ID); otherwise, provide the certs that we
|
||||
* use in client mode. (link, ID) */
|
||||
int
|
||||
tor_tls_get_my_certs(int server,
|
||||
const tor_x509_cert_t **link_cert_out,
|
||||
@ -1026,6 +1026,8 @@ tor_tls_context_init_one(tor_tls_context_t **ppcontext,
|
||||
/** The group we should use for ecdhe when none was selected. */
|
||||
#define NID_tor_default_ecdhe_group NID_X9_62_prime256v1
|
||||
|
||||
#define RSA_LINK_KEY_BITS 2048
|
||||
|
||||
/** Create a new TLS context for use with Tor TLS handshakes.
|
||||
* <b>identity</b> should be set to the identity key used to sign the
|
||||
* certificate.
|
||||
@ -1051,7 +1053,7 @@ tor_tls_context_new(crypto_pk_t *identity, unsigned int key_lifetime,
|
||||
/* Generate short-term RSA key for use with TLS. */
|
||||
if (!(rsa = crypto_pk_new()))
|
||||
goto error;
|
||||
if (crypto_pk_generate_key(rsa)<0)
|
||||
if (crypto_pk_generate_key_with_bits(rsa, RSA_LINK_KEY_BITS)<0)
|
||||
goto error;
|
||||
if (!is_client) {
|
||||
/* Generate short-term RSA key for use in the in-protocol ("v3")
|
||||
|
@ -258,7 +258,8 @@ recv_certs_setup(const struct testcase_t *test)
|
||||
const tor_x509_cert_t *a,*b;
|
||||
const uint8_t *enca, *encb;
|
||||
size_t lena, lenb;
|
||||
tor_tls_get_my_certs(1, &a, &b);
|
||||
tor_tls_get_my_certs(0, &a, &b); /* Use '0' here to make sure we get
|
||||
* auth cert */
|
||||
tor_x509_cert_get_der(a, &enca, &lena);
|
||||
tor_x509_cert_get_der(b, &encb, &lenb);
|
||||
certs_cell_cert_setlen_body(ccc1, lena);
|
||||
|
Loading…
Reference in New Issue
Block a user