tls-server: Share trusted public key search between client and server
This commit is contained in:
parent
6b23543abd
commit
4635f348fa
|
@ -159,6 +159,7 @@ struct private_tls_peer_t {
|
||||||
|
|
||||||
/* Implemented in tls_server.c */
|
/* Implemented in tls_server.c */
|
||||||
bool tls_write_key_share(bio_writer_t **key_share, diffie_hellman_t *dh);
|
bool tls_write_key_share(bio_writer_t **key_share, diffie_hellman_t *dh);
|
||||||
|
public_key_t *tls_find_public_key(auth_cfg_t *peer_auth);
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Verify the DH group/key type requested by the server is valid.
|
* Verify the DH group/key type requested by the server is valid.
|
||||||
|
@ -598,37 +599,6 @@ static status_t process_certificate(private_tls_peer_t *this,
|
||||||
return NEED_MORE;
|
return NEED_MORE;
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
|
||||||
* Find a trusted public key to encrypt/verify key exchange data
|
|
||||||
*/
|
|
||||||
static public_key_t *find_public_key(private_tls_peer_t *this)
|
|
||||||
{
|
|
||||||
public_key_t *public = NULL, *current;
|
|
||||||
certificate_t *cert, *found;
|
|
||||||
enumerator_t *enumerator;
|
|
||||||
auth_cfg_t *auth;
|
|
||||||
|
|
||||||
cert = this->server_auth->get(this->server_auth, AUTH_HELPER_SUBJECT_CERT);
|
|
||||||
if (cert)
|
|
||||||
{
|
|
||||||
enumerator = lib->credmgr->create_public_enumerator(lib->credmgr,
|
|
||||||
KEY_ANY, cert->get_subject(cert),
|
|
||||||
this->server_auth, TRUE);
|
|
||||||
while (enumerator->enumerate(enumerator, ¤t, &auth))
|
|
||||||
{
|
|
||||||
found = auth->get(auth, AUTH_RULE_SUBJECT_CERT);
|
|
||||||
if (found && cert->equals(cert, found))
|
|
||||||
{
|
|
||||||
public = current->get_ref(current);
|
|
||||||
this->server_auth->merge(this->server_auth, auth, FALSE);
|
|
||||||
break;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
enumerator->destroy(enumerator);
|
|
||||||
}
|
|
||||||
return public;
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Process CertificateVerify message
|
* Process CertificateVerify message
|
||||||
*/
|
*/
|
||||||
|
@ -638,10 +608,11 @@ static status_t process_cert_verify(private_tls_peer_t *this,
|
||||||
public_key_t *public;
|
public_key_t *public;
|
||||||
chunk_t msg;
|
chunk_t msg;
|
||||||
|
|
||||||
public = find_public_key(this);
|
public = tls_find_public_key(this->server_auth);
|
||||||
if (!public)
|
if (!public)
|
||||||
{
|
{
|
||||||
DBG1(DBG_TLS, "no TLS public key found for server '%Y'", this->server);
|
DBG1(DBG_TLS, "no trusted certificate found for '%Y' to verify TLS server",
|
||||||
|
this->server);
|
||||||
this->alert->add(this->alert, TLS_FATAL, TLS_CERTIFICATE_UNKNOWN);
|
this->alert->add(this->alert, TLS_FATAL, TLS_CERTIFICATE_UNKNOWN);
|
||||||
return NEED_MORE;
|
return NEED_MORE;
|
||||||
}
|
}
|
||||||
|
@ -686,7 +657,7 @@ static status_t process_modp_key_exchange(private_tls_peer_t *this,
|
||||||
this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
|
this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
|
||||||
return NEED_MORE;
|
return NEED_MORE;
|
||||||
}
|
}
|
||||||
public = find_public_key(this);
|
public = tls_find_public_key(this->server_auth);
|
||||||
if (!public)
|
if (!public)
|
||||||
{
|
{
|
||||||
DBG1(DBG_TLS, "no TLS public key found for server '%Y'", this->server);
|
DBG1(DBG_TLS, "no TLS public key found for server '%Y'", this->server);
|
||||||
|
@ -793,7 +764,7 @@ static status_t process_ec_key_exchange(private_tls_peer_t *this,
|
||||||
return NEED_MORE;
|
return NEED_MORE;
|
||||||
}
|
}
|
||||||
|
|
||||||
public = find_public_key(this);
|
public = tls_find_public_key(this->server_auth);
|
||||||
if (!public)
|
if (!public)
|
||||||
{
|
{
|
||||||
DBG1(DBG_TLS, "no TLS public key found for server '%Y'", this->server);
|
DBG1(DBG_TLS, "no TLS public key found for server '%Y'", this->server);
|
||||||
|
@ -1510,7 +1481,7 @@ static status_t send_key_exchange_encrypt(private_tls_peer_t *this,
|
||||||
return NEED_MORE;
|
return NEED_MORE;
|
||||||
}
|
}
|
||||||
|
|
||||||
public = find_public_key(this);
|
public = tls_find_public_key(this->server_auth);
|
||||||
if (!public)
|
if (!public)
|
||||||
{
|
{
|
||||||
DBG1(DBG_TLS, "no TLS public key found for server '%Y'", this->server);
|
DBG1(DBG_TLS, "no TLS public key found for server '%Y'", this->server);
|
||||||
|
|
|
@ -169,6 +169,37 @@ struct private_tls_server_t {
|
||||||
bool curves_received;
|
bool curves_received;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Find a trusted public key to encrypt/verify key exchange data
|
||||||
|
*/
|
||||||
|
public_key_t *tls_find_public_key(auth_cfg_t *peer_auth)
|
||||||
|
{
|
||||||
|
public_key_t *public = NULL, *current;
|
||||||
|
certificate_t *cert, *found;
|
||||||
|
enumerator_t *enumerator;
|
||||||
|
auth_cfg_t *auth;
|
||||||
|
|
||||||
|
cert = peer_auth->get(peer_auth, AUTH_HELPER_SUBJECT_CERT);
|
||||||
|
if (cert)
|
||||||
|
{
|
||||||
|
enumerator = lib->credmgr->create_public_enumerator(lib->credmgr,
|
||||||
|
KEY_ANY, cert->get_subject(cert),
|
||||||
|
peer_auth, TRUE);
|
||||||
|
while (enumerator->enumerate(enumerator, ¤t, &auth))
|
||||||
|
{
|
||||||
|
found = auth->get(auth, AUTH_RULE_SUBJECT_CERT);
|
||||||
|
if (found && cert->equals(cert, found))
|
||||||
|
{
|
||||||
|
public = current->get_ref(current);
|
||||||
|
peer_auth->merge(peer_auth, auth, FALSE);
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
enumerator->destroy(enumerator);
|
||||||
|
}
|
||||||
|
return public;
|
||||||
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Create an array of an intersection of server and peer supported key types
|
* Create an array of an intersection of server and peer supported key types
|
||||||
*/
|
*/
|
||||||
|
|
Loading…
Reference in New Issue