tls-server: Share trusted public key search between client and server

diff --git a/src/libtls/tls_peer.c b/src/libtls/tls_peer.c
index 4da8914f46537fb8011ce80a6e1206cd83923983..ec6b64a551a995f5afebb1fb075e2080fe62b943 100644 (file)
--- a/src/libtls/tls_peer.c
+++ b/src/libtls/tls_peer.c
@@ -159,6 +159,7 @@ struct private_tls_peer_t {
 
 /* Implemented in tls_server.c */
 bool tls_write_key_share(bio_writer_t **key_share, diffie_hellman_t *dh);
+public_key_t *tls_find_public_key(auth_cfg_t *peer_auth);
 
 /**
  * Verify the DH group/key type requested by the server is valid.
@@ -598,37 +599,6 @@ static status_t process_certificate(private_tls_peer_t *this,
        return NEED_MORE;
 }
 
-/**
- * Find a trusted public key to encrypt/verify key exchange data
- */
-static public_key_t *find_public_key(private_tls_peer_t *this)
-{
-       public_key_t *public = NULL, *current;
-       certificate_t *cert, *found;
-       enumerator_t *enumerator;
-       auth_cfg_t *auth;
-
-       cert = this->server_auth->get(this->server_auth, AUTH_HELPER_SUBJECT_CERT);
-       if (cert)
-       {
-               enumerator = lib->credmgr->create_public_enumerator(lib->credmgr,
-                                                                                       KEY_ANY, cert->get_subject(cert),
-                                                                                       this->server_auth, TRUE);
-               while (enumerator->enumerate(enumerator, &current, &auth))
-               {
-                       found = auth->get(auth, AUTH_RULE_SUBJECT_CERT);
-                       if (found && cert->equals(cert, found))
-                       {
-                               public = current->get_ref(current);
-                               this->server_auth->merge(this->server_auth, auth, FALSE);
-                               break;
-                       }
-               }
-               enumerator->destroy(enumerator);
-       }
-       return public;
-}
-
 /**
  *  Process CertificateVerify message
  */
@@ -638,10 +608,11 @@ static status_t process_cert_verify(private_tls_peer_t *this,
        public_key_t *public;
        chunk_t msg;
 
-       public = find_public_key(this);
+       public = tls_find_public_key(this->server_auth);
        if (!public)
        {
-               DBG1(DBG_TLS, "no TLS public key found for server '%Y'", this->server);
+               DBG1(DBG_TLS, "no trusted certificate found for '%Y' to verify TLS server",
+                        this->server);
                this->alert->add(this->alert, TLS_FATAL, TLS_CERTIFICATE_UNKNOWN);
                return NEED_MORE;
        }
@@ -686,7 +657,7 @@ static status_t process_modp_key_exchange(private_tls_peer_t *this,
                this->alert->add(this->alert, TLS_FATAL, TLS_INTERNAL_ERROR);
                return NEED_MORE;
        }
-       public = find_public_key(this);
+       public = tls_find_public_key(this->server_auth);
        if (!public)
        {
                DBG1(DBG_TLS, "no TLS public key found for server '%Y'", this->server);
@@ -793,7 +764,7 @@ static status_t process_ec_key_exchange(private_tls_peer_t *this,
                return NEED_MORE;
        }
 
-       public = find_public_key(this);
+       public = tls_find_public_key(this->server_auth);
        if (!public)
        {
                DBG1(DBG_TLS, "no TLS public key found for server '%Y'", this->server);
@@ -1510,7 +1481,7 @@ static status_t send_key_exchange_encrypt(private_tls_peer_t *this,
                return NEED_MORE;
        }
 
-       public = find_public_key(this);
+       public = tls_find_public_key(this->server_auth);
        if (!public)
        {
                DBG1(DBG_TLS, "no TLS public key found for server '%Y'", this->server);

diff --git a/src/libtls/tls_server.c b/src/libtls/tls_server.c
index f5e15615bbe01daabd332aabe6e01f6828ce6f4e..1a87d6834e65a41bc05220d4090a1ac02a2292f6 100644 (file)
--- a/src/libtls/tls_server.c
+++ b/src/libtls/tls_server.c
@@ -169,6 +169,37 @@ struct private_tls_server_t {
        bool curves_received;
 };
 
+/**
+ * Find a trusted public key to encrypt/verify key exchange data
+ */
+public_key_t *tls_find_public_key(auth_cfg_t *peer_auth)
+{
+       public_key_t *public = NULL, *current;
+       certificate_t *cert, *found;
+       enumerator_t *enumerator;
+       auth_cfg_t *auth;
+
+       cert = peer_auth->get(peer_auth, AUTH_HELPER_SUBJECT_CERT);
+       if (cert)
+       {
+               enumerator = lib->credmgr->create_public_enumerator(lib->credmgr,
+                                                                                       KEY_ANY, cert->get_subject(cert),
+                                                                                       peer_auth, TRUE);
+               while (enumerator->enumerate(enumerator, &current, &auth))
+               {
+                       found = auth->get(auth, AUTH_RULE_SUBJECT_CERT);
+                       if (found && cert->equals(cert, found))
+                       {
+                               public = current->get_ref(current);
+                               peer_auth->merge(peer_auth, auth, FALSE);
+                               break;
+                       }
+               }
+               enumerator->destroy(enumerator);
+       }
+       return public;
+}
+
 /**
  * Create an array of an intersection of server and peer supported key types
  */