tls-server: Share trusted public key search between client and server
parent
6b23543abd
commit
4635f348fa
|
@ -159,6 +159,7 @@ struct private_tls_peer_t {
|
|||
|
||||
/* Implemented in tls_server.c */
|
||||
bool tls_write_key_share(bio_writer_t **key_share, diffie_hellman_t *dh);
|
||||
public_key_t *tls_find_public_key(auth_cfg_t *peer_auth);
|
||||
|
||||
/**
|
||||
* Verify the DH group/key type requested by the server is valid.
|
||||
|
@ -598,37 +599,6 @@ static status_t process_certificate(private_tls_peer_t *this,
|
|||
return NEED_MORE;
|
||||
}
|
||||
|
||||
/**
|
||||
* Find a trusted public key to encrypt/verify key exchange data
|
||||
*/
|
||||
static public_key_t *find_public_key(private_tls_peer_t *this)
|
||||
{
|
||||
public_key_t *public = NULL, *current;
|
||||
certificate_t *cert, *found;
|
||||
enumerator_t *enumerator;
|
||||
auth_cfg_t *auth;
|
||||
|
||||
cert = this->server_auth->get(this->server_auth, AUTH_HELPER_SUBJECT_CERT);
|
||||
if (cert)
|
||||
{
|
||||
enumerator = lib->credmgr->create_public_enumerator(lib->credmgr,
|
||||
KEY_ANY, cert->get_subject(cert),
|
||||
this->server_auth, TRUE);
|
||||
while (enumerator->enumerate(enumerator, ¤t, &auth))
|
||||
{
|
||||
found = auth->get(auth, AUTH_RULE_SUBJECT_CERT);
|
||||
if (found && cert->equals(cert, found))
|
||||
{
|
||||
public = current->get_ref(current);
|
||||
this->server_auth->merge(this->server_auth, auth, FALSE);
|
||||
break;
|
||||
}
|
||||
}
|
||||
enumerator->destroy(enumerator);
|
||||
}
|
||||
return public;
|
||||
}
|
||||
|
||||
/**
|
||||
* Process CertificateVerify message
|
||||
*/
|
||||
|
@ -638,10 +608,11 @@ static status_t process_cert_verify(private_tls_peer_t *this,
|
|||
public_key_t *public;
|
||||
chunk_t msg;
|
||||
|
||||
public = find_public_key(this);
|
||||
public = tls_find_public_key(this->server_auth);
|
||||
if (!public)
|
||||
{
|
||||
DBG1(DBG_TLS, "no TLS public key found for server '%Y'", this->server);
|
||||
DBG1(DBG_TLS, "no trusted certificate found for '%Y' to verify TLS server",
|
||||
this->server);
|
||||
this->alert->add(this->alert, TLS_FATAL, TLS_CERTIFICATE_UNKNOWN);
|
||||
return NEED_MORE;
|
||||
}
|
||||
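Review bot: The failure message for a NULL return from tls_find_public_key is now worded differently in process_cert_verify ("no trusted certificate found for '%Y' to verify TLS server") than in the three other call sites changed by this commit, process_modp_key_exchange, process_ec_key_exchange and send_key_exchange_encrypt, which keep "no TLS public key found for server '%Y'". All four branches react to the same condition, so an operator reading logs gets two phrasings for one failure; either apply the new wording in the other three hunks as well or keep the old one here, e.g. `DBG1(DBG_TLS, "no trusted certificate found for '%Y' to verify TLS server", this->server);`. The enclosing functions of these hunks all start outside the hunk.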
|
@ -686,7 +657,7 @@ static status_t process_modp_key_exchange(private_tls_peer_t *this,
|
|||
this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
|
||||
return NEED_MORE;
|
||||
}
|
||||
public = find_public_key(this);
|
||||
public = tls_find_public_key(this->server_auth);
|
||||
if (!public)
|
||||
{
|
||||
DBG1(DBG_TLS, "no TLS public key found for server '%Y'", this->server);
|
||||
|
@ -793,7 +764,7 @@ static status_t process_ec_key_exchange(private_tls_peer_t *this,
|
|||
return NEED_MORE;
|
||||
}
|
||||
|
||||
public = find_public_key(this);
|
||||
public = tls_find_public_key(this->server_auth);
|
||||
if (!public)
|
||||
{
|
||||
DBG1(DBG_TLS, "no TLS public key found for server '%Y'", this->server);
|
||||
|
@ -1510,7 +1481,7 @@ static status_t send_key_exchange_encrypt(private_tls_peer_t *this,
|
|||
return NEED_MORE;
|
||||
}
|
||||
|
||||
public = find_public_key(this);
|
||||
public = tls_find_public_key(this->server_auth);
|
||||
if (!public)
|
||||
{
|
||||
DBG1(DBG_TLS, "no TLS public key found for server '%Y'", this->server);
|
||||
|
|
|
@ -169,6 +169,37 @@ struct private_tls_server_t {
|
|||
bool curves_received;
|
||||
};
|
||||
|
||||
/**
|
||||
* Find a trusted public key to encrypt/verify key exchange data
|
||||
*/
|
||||
public_key_t *tls_find_public_key(auth_cfg_t *peer_auth)
|
||||
{
|
||||
public_key_t *public = NULL, *current;
|
||||
certificate_t *cert, *found;
|
||||
enumerator_t *enumerator;
|
||||
auth_cfg_t *auth;
|
||||
|
||||
cert = peer_auth->get(peer_auth, AUTH_HELPER_SUBJECT_CERT);
|
||||
if (cert)
|
||||
{
|
||||
enumerator = lib->credmgr->create_public_enumerator(lib->credmgr,
|
||||
KEY_ANY, cert->get_subject(cert),
|
||||
peer_auth, TRUE);
|
||||
while (enumerator->enumerate(enumerator, ¤t, &auth))
|
||||
{
|
||||
found = auth->get(auth, AUTH_RULE_SUBJECT_CERT);
|
||||
if (found && cert->equals(cert, found))
|
||||
{
|
||||
public = current->get_ref(current);
|
||||
peer_auth->merge(peer_auth, auth, FALSE);
|
||||
break;
|
||||
}
|
||||
}
|
||||
enumerator->destroy(enumerator);
|
||||
}
|
||||
return public;
|
||||
}
|
||||
|
||||
/**
|
||||
* Create an array of an intersection of server and peer supported key types
|
||||
*/
|
||||
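Review bot: tls_find_public_key is given external linkage and is called from tls_peer.c, but the only prototype is the hand-written one added in tls_peer.c (`/* Implemented in tls_server.c */`), and this definition in tls_server.c is not compiled against any declaration, so a later change to either signature is not diagnosed by the compiler. A declaration in a header both files include, with the Doxygen comment moved there, would let the compiler check definition against prototype. That comment should also state the contract the code establishes: the returned key carries a reference taken with `get_ref` that the caller must release, NULL is returned when no trusted key matching the peer's AUTH_HELPER_SUBJECT_CERT is found, and the matching auth config is merged into `peer_auth` as a side effect via `peer_auth->merge(peer_auth, auth, FALSE)`. The trailing `TRUE` to create_public_enumerator presumably restricts the search to trusted keys, which is the property the callers rely on and worth naming in the comment.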
|
|