libtls: Enforce client/server identity when looking for public key #4

Closed
10 changes: 5 additions & 5 deletions src/libtls/tls_peer.c
Expand Up @@ -165,7 +165,7 @@ struct private_tls_peer_t {

/* Implemented in tls_server.c */
bool tls_write_key_share(bio_writer_t **key_share, diffie_hellman_t *dh);
public_key_t *tls_find_public_key(auth_cfg_t *peer_auth);
public_key_t *tls_find_public_key(auth_cfg_t *peer_auth, identification_t *id);

/**
* Verify the DH group/key type requested by the server is valid.
Expand Down Expand Up @@ -641,7 +641,7 @@ static status_t process_cert_verify(private_tls_peer_t *this,
public_key_t *public;
chunk_t msg;

public = tls_find_public_key(this->server_auth);
public = tls_find_public_key(this->server_auth, this->server);
if (!public)
{
DBG1(DBG_TLS, "no trusted certificate found for '%Y' to verify TLS server",
Expand Down Expand Up @@ -690,7 +690,7 @@ static status_t process_modp_key_exchange(private_tls_peer_t *this,
this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
return NEED_MORE;
}
public = tls_find_public_key(this->server_auth);
public = tls_find_public_key(this->server_auth, this->server);
if (!public)
{
DBG1(DBG_TLS, "no TLS public key found for server '%Y'", this->server);
Expand Down Expand Up @@ -797,7 +797,7 @@ static status_t process_ec_key_exchange(private_tls_peer_t *this,
return NEED_MORE;
}

public = tls_find_public_key(this->server_auth);
public = tls_find_public_key(this->server_auth, this->server);
if (!public)
{
DBG1(DBG_TLS, "no TLS public key found for server '%Y'", this->server);
Expand Down Expand Up @@ -1621,7 +1621,7 @@ static status_t send_key_exchange_encrypt(private_tls_peer_t *this,
return NEED_MORE;
}

public = tls_find_public_key(this->server_auth);
public = tls_find_public_key(this->server_auth, this->server);
if (!public)
{
DBG1(DBG_TLS, "no TLS public key found for server '%Y'", this->server);
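Review bot: The new prototype `public_key_t *tls_find_public_key(auth_cfg_t *peer_auth, identification_t *id);` in the first hunk is a hand-maintained copy of the definition in tls_server.c rather than a declaration in a shared header, so a signature change like this one is only caught at link time if one side is missed; declaring it once in a header included by both files would let the compiler check the four call sites in this file against the definition. Each call site now passes `this->server` as the identity the trusted-key lookup is pinned to, which is what makes the fix effective; if any handshake path can reach these calls without a server identity configured, the lookup would fall back to whatever `create_public_enumerator` does with a NULL id, which is worth confirming against the constructor. The functions containing the call sites begin and end outside the hunks.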
7 changes: 3 additions & 4 deletions src/libtls/tls_server.c
Expand Up @@ -173,7 +173,7 @@ struct private_tls_server_t {
/**
* Find a trusted public key to encrypt/verify key exchange data
*/
public_key_t *tls_find_public_key(auth_cfg_t *peer_auth)
public_key_t *tls_find_public_key(auth_cfg_t *peer_auth, identification_t *id)
{
public_key_t *public = NULL, *current;
certificate_t *cert, *found;
Expand All @@ -184,8 +184,7 @@ public_key_t *tls_find_public_key(auth_cfg_t *peer_auth)
if (cert)
{
enumerator = lib->credmgr->create_public_enumerator(lib->credmgr,
KEY_ANY, cert->get_subject(cert),
peer_auth, TRUE);
KEY_ANY, id, peer_auth, TRUE);
while (enumerator->enumerate(enumerator, &current, &auth))
{
found = auth->get(auth, AUTH_RULE_SUBJECT_CERT);
Expand Down Expand Up @@ -923,7 +922,7 @@ static status_t process_cert_verify(private_tls_server_t *this,
public_key_t *public;
chunk_t msg;

public = tls_find_public_key(this->peer_auth);
public = tls_find_public_key(this->peer_auth, this->peer);
if (!public)
{
DBG1(DBG_TLS, "no trusted certificate found for '%Y' to verify TLS peer",
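Review bot: The header comment above the changed definition still reads only `Find a trusted public key to encrypt/verify key exchange data` and does not describe the new `id` parameter, which now decides which identity the trusted-key lookup is bound to instead of the found certificate's own subject; a caller reading the comment alone cannot tell that passing the wrong identity silently yields no key. Suggest extending it with `@param peer_auth auth config carrying the peer's certificate`, `@param id identity the peer is expected to have; a key is returned only if it is trusted for this identity`, and `@return public key, NULL if none trusted`. At the process_cert_verify call site the identity passed is `this->peer`; if that can be NULL when no specific client identity was required, confirm how `create_public_enumerator` treats a NULL id, since that is the case where the old subject-derived lookup and the new one differ most. The body of tls_find_public_key continues outside the hunk.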