Ana Sayfa Keşfet Yardım
Giriş Yap
sengler
/
tor-parallel-relay-conn
1
0
Çatalla 0
Dosyalar Sorunlar 0 Değişiklik İstekleri 0 Wiki
Kaynağa Gözat

Increase TLS RSA link key length to 2048 bits

Oddly, nothing broke.

Closes ticket 13752.
Nick Mathewson 8 yıl önce
ebeveyn
b4a5c77901
işleme
e64bac6eb4
3 değiştirilmiş dosya ile 11 ekleme ve 4 silme
Birleşik Görünüm Farklılık Durumunu Göster
  1. 4 0
      changes/feature13752
  2. 5 3
      src/common/tortls.c
  3. 2 1
      src/test/test_link_handshake.c

+ 4 - 0
changes/feature13752
Dosyayı Görüntüle 

@@ -0,0 +1,4 @@
 
+  o Minor features (fingerprinting resistence, authentication):
 
+    - Extend the length of RSA keys used for TLS link authentication to
 
+      2048 bits. (These weren't used for forward secrecy; for forward
 
+      secrecy, we used P256.) Closes ticket 13752.

+ 5 - 3
src/common/tortls.c
Dosyayı Görüntüle 

@@ -775,8 +775,8 @@ tor_tls_context_decref(tor_tls_context_t *ctx)
 
 /** Set *<b>link_cert_out</b> and *<b>id_cert_out</b> to the link certificate
 
 /** Set *<b>link_cert_out</b> and *<b>id_cert_out</b> to the link certificate
 
  * and ID certificate that we're currently using for our V3 in-protocol
 
  * and ID certificate that we're currently using for our V3 in-protocol
 
  * handshake's certificate chain.  If <b>server</b> is true, provide the certs
 
  * handshake's certificate chain.  If <b>server</b> is true, provide the certs
 
- * that we use in server mode; otherwise, provide the certs that we use in
 
+ * that we use in server mode (auth, ID); otherwise, provide the certs that we
 
- * client mode. */
 
+ * use in client mode. (link, ID) */
 
 int
 
 int
 
 tor_tls_get_my_certs(int server,
 
 tor_tls_get_my_certs(int server,
 
                      const tor_x509_cert_t **link_cert_out,
 
                      const tor_x509_cert_t **link_cert_out,
 
@@ -1026,6 +1026,8 @@ tor_tls_context_init_one(tor_tls_context_t **ppcontext,
 
 /** The group we should use for ecdhe when none was selected. */
 
 /** The group we should use for ecdhe when none was selected. */
 
 #define  NID_tor_default_ecdhe_group NID_X9_62_prime256v1
 
 #define  NID_tor_default_ecdhe_group NID_X9_62_prime256v1
 
 
 
+#define RSA_LINK_KEY_BITS 2048
 
+
 
 /** Create a new TLS context for use with Tor TLS handshakes.
 
 /** Create a new TLS context for use with Tor TLS handshakes.
 
  * <b>identity</b> should be set to the identity key used to sign the
 
  * <b>identity</b> should be set to the identity key used to sign the
 
  * certificate.
 
  * certificate.
 
@@ -1051,7 +1053,7 @@ tor_tls_context_new(crypto_pk_t *identity, unsigned int key_lifetime,
 
   /* Generate short-term RSA key for use with TLS. */
 
   /* Generate short-term RSA key for use with TLS. */
 
   if (!(rsa = crypto_pk_new()))
 
   if (!(rsa = crypto_pk_new()))
 
     goto error;
 
     goto error;
 
-  if (crypto_pk_generate_key(rsa)<0)
 
+  if (crypto_pk_generate_key_with_bits(rsa, RSA_LINK_KEY_BITS)<0)
 
     goto error;
 
     goto error;
 
   if (!is_client) {
 
   if (!is_client) {
 
     /* Generate short-term RSA key for use in the in-protocol ("v3")
 
     /* Generate short-term RSA key for use in the in-protocol ("v3")

+ 2 - 1
src/test/test_link_handshake.c
Dosyayı Görüntüle 

@@ -258,7 +258,8 @@ recv_certs_setup(const struct testcase_t *test)
 
   const tor_x509_cert_t *a,*b;
 
   const tor_x509_cert_t *a,*b;
 
   const uint8_t *enca, *encb;
 
   const uint8_t *enca, *encb;
 
   size_t lena, lenb;
 
   size_t lena, lenb;
 
-  tor_tls_get_my_certs(1, &a, &b);
 
+  tor_tls_get_my_certs(0, &a, &b); /* Use '0' here to make sure we get
 
+                                    * auth cert */
 
   tor_x509_cert_get_der(a, &enca, &lena);
 
   tor_x509_cert_get_der(a, &enca, &lena);
 
   tor_x509_cert_get_der(b, &encb, &lenb);
 
   tor_x509_cert_get_der(b, &encb, &lenb);
 
   certs_cell_cert_setlen_body(ccc1, lena);
 
   certs_cell_cert_setlen_body(ccc1, lena);