From 4635f348fa9d92b599e743cb95b6a8b7ea2677c4 Mon Sep 17 00:00:00 2001
From: Pascal Knecht
Date: Sun, 1 Nov 2020 17:01:14 +0100
Subject: [PATCH] tls-server: Share trusted public key search between client and server

---
 src/libtls/tls_peer.c | 43 +++++++------------------------------------
 src/libtls/tls_server.c | 31 +++++++++++++++++++++++++++++++
 2 files changed, 38 insertions(+), 36 deletions(-)

diff --git a/src/libtls/tls_peer.c b/src/libtls/tls_peer.c
index 4da8914..ec6b64a 100644
--- a/src/libtls/tls_peer.c
+++ b/src/libtls/tls_peer.c
@@ -159,6 +159,7 @@ struct private_tls_peer_t {
 
 /* Implemented in tls_server.c */
 bool tls_write_key_share(bio_writer_t **key_share, diffie_hellman_t *dh);
+public_key_t *tls_find_public_key(auth_cfg_t *peer_auth);
 
 /**
  * Verify the DH group/key type requested by the server is valid.
@@ -599,37 +600,6 @@ static status_t process_certificate(private_tls_peer_t *this,
 }
 
 /**
- * Find a trusted public key to encrypt/verify key exchange data
- */
-static public_key_t *find_public_key(private_tls_peer_t *this)
-{
-	public_key_t *public = NULL, *current;
-	certificate_t *cert, *found;
-	enumerator_t *enumerator;
-	auth_cfg_t *auth;
-
-	cert = this->server_auth->get(this->server_auth, AUTH_HELPER_SUBJECT_CERT);
-	if (cert)
-	{
-		enumerator = lib->credmgr->create_public_enumerator(lib->credmgr,
-										KEY_ANY, cert->get_subject(cert),
-										this->server_auth, TRUE);
-		while (enumerator->enumerate(enumerator, ¤t, &auth))
-		{
-			found = auth->get(auth, AUTH_RULE_SUBJECT_CERT);
-			if (found && cert->equals(cert, found))
-			{
-				public = current->get_ref(current);
-				this->server_auth->merge(this->server_auth, auth, FALSE);
-				break;
-			}
-		}
-		enumerator->destroy(enumerator);
-	}
-	return public;
-}
-
-/**
  * Process CertificateVerify message
  */
 static status_t process_cert_verify(private_tls_peer_t *this,
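Review bot: The new `tls_find_public_key()` prototype in the first hunk is declared only inside tls_peer.c, so the compiler never checks it against the definition in tls_server.c; if either signature drifts later, the mismatch compiles silently and only shows up at the call sites in process_cert_verify and the key-exchange handlers. This follows the existing in-file convention set by `tls_write_key_share`, but now that the lookup is shared trust-decision code between the two translation units, a shared header included by both files would let the declaration be checked against the definition. At minimum the declaration comment should carry the ownership rule visible in the implementation: `/* Implemented in tls_server.c; returns a key with a reference taken via get_ref(), or NULL */`. The second hunk is a pure removal of the old static copy and needs nothing further.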
@@ -638,10 +608,11 @@ static status_t process_cert_verify(private_tls_peer_t *this,
 	public_key_t *public;
 	chunk_t msg;
 
-	public = find_public_key(this);
+	public = tls_find_public_key(this->server_auth);
 	if (!public)
 	{
-		DBG1(DBG_TLS, "no TLS public key found for server '%Y'", this->server);
+		DBG1(DBG_TLS, "no trusted certificate found for '%Y' to verify TLS server",
+			 this->server);
 		this->alert->add(this->alert, TLS_FATAL, TLS_CERTIFICATE_UNKNOWN);
 		return NEED_MORE;
 	}
@@ -686,7 +657,7 @@ static status_t process_modp_key_exchange(private_tls_peer_t *this,
 		this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
 		return NEED_MORE;
 	}
-	public = find_public_key(this);
+	public = tls_find_public_key(this->server_auth);
 	if (!public)
 	{
 		DBG1(DBG_TLS, "no TLS public key found for server '%Y'", this->server);
@@ -793,7 +764,7 @@ static status_t process_ec_key_exchange(private_tls_peer_t *this,
 		return NEED_MORE;
 	}
 
-	public = find_public_key(this);
+	public = tls_find_public_key(this->server_auth);
 	if (!public)
 	{
 		DBG1(DBG_TLS, "no TLS public key found for server '%Y'", this->server);
@@ -1510,7 +1481,7 @@ static status_t send_key_exchange_encrypt(private_tls_peer_t *this,
 		return NEED_MORE;
 	}
 
-	public = find_public_key(this);
+	public = tls_find_public_key(this->server_auth);
 	if (!public)
 	{
 		DBG1(DBG_TLS, "no TLS public key found for server '%Y'", this->server);
diff --git a/src/libtls/tls_server.c b/src/libtls/tls_server.c
index f5e1561..1a87d68 100644
--- a/src/libtls/tls_server.c
+++ b/src/libtls/tls_server.c
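Review bot: The failure message is reworded only in process_cert_verify (`no trusted certificate found for '%Y' to verify TLS server`), while the three other callers switched to `tls_find_public_key()` in the same commit, in process_modp_key_exchange, process_ec_key_exchange and send_key_exchange_encrypt, keep the old `no TLS public key found for server '%Y'`. All four now fail through the same lookup for the same reason (no trusted key matching the peer's certificate), so the log wording should agree; an operator or detection rule keyed on one phrasing silently misses the other three paths. Either apply the new wording to the three remaining DBG1 calls or keep the old one here. All four enclosing functions start and end outside these hunks.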
@@ -170,6 +170,37 @@ struct private_tls_server_t {
 };
 
 /**
+ * Find a trusted public key to encrypt/verify key exchange data
+ */
+public_key_t *tls_find_public_key(auth_cfg_t *peer_auth)
+{
+	public_key_t *public = NULL, *current;
+	certificate_t *cert, *found;
+	enumerator_t *enumerator;
+	auth_cfg_t *auth;
+
+	cert = peer_auth->get(peer_auth, AUTH_HELPER_SUBJECT_CERT);
+	if (cert)
+	{
+		enumerator = lib->credmgr->create_public_enumerator(lib->credmgr,
+										KEY_ANY, cert->get_subject(cert),
+										peer_auth, TRUE);
+		while (enumerator->enumerate(enumerator, ¤t, &auth))
+		{
+			found = auth->get(auth, AUTH_RULE_SUBJECT_CERT);
+			if (found && cert->equals(cert, found))
+			{
+				public = current->get_ref(current);
+				peer_auth->merge(peer_auth, auth, FALSE);
+				break;
+			}
+		}
+		enumerator->destroy(enumerator);
+	}
+	return public;
+}
+
+/**
  * Create an array of an intersection of server and peer supported key types
  */
 static array_t *create_common_key_types(chunk_t hashsig,
--
2.7.4
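Review bot: The header comment on the now-exported `tls_find_public_key()` does not state its contract, which matters because this single lookup is now the trust decision for the peer certificate on both the client and the server side. The body shows three things a caller must know: the returned key carries a reference taken with `get_ref()`, `peer_auth` is mutated on success by `merge(peer_auth, auth, FALSE)`, and NULL is returned both when no AUTH_HELPER_SUBJECT_CERT is present and when the credential manager yields no trusted key whose AUTH_RULE_SUBJECT_CERT equals it. I would document it in Doxygen form: `@param peer_auth auth config of the peer holding AUTH_HELPER_SUBJECT_CERT; receives the matched auth rules on success`, `@return referenced trusted public key, NULL if the certificate is not trusted`. The trailing `TRUE` passed to create_public_enumerator() is presumably the online flag controlling revocation checking; since that choice is security-relevant and easy to misread as a generic boolean, a short comment naming it on that line would help.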