#include "tls_peer.h"
#include <debug.h>
+#include <credentials/certificates/x509.h>
#include <time.h>
return NEED_MORE;
}
+/**
+ * Check if a server certificate is acceptable for the given server identity
+ */
+static bool check_certificate(private_tls_peer_t *this, certificate_t *cert)
+{
+ identification_t *id;
+
+ if (cert->has_subject(cert, this->server))
+ {
+ return TRUE;
+ }
+ id = cert->get_subject(cert);
+ if (id->matches(id, this->server))
+ {
+ return TRUE;
+ }
+ if (cert->get_type(cert) == CERT_X509)
+ {
+ x509_t *x509 = (x509_t*)cert;
+ enumerator_t *enumerator;
+
+ enumerator = x509->create_subjectAltName_enumerator(x509);
+ while (enumerator->enumerate(enumerator, &id))
+ {
+ if (id->matches(id, this->server))
+ {
+ enumerator->destroy(enumerator);
+ return TRUE;
+ }
+ }
+ enumerator->destroy(enumerator);
+ }
+ DBG1(DBG_TLS, "server certificate does not match to '%Y'", this->server);
+ return FALSE;
+}
+
/**
* Process a Certificate message
*/
{
if (first)
{
+ if (!check_certificate(this, cert))
+ {
+ cert->destroy(cert);
+ certs->destroy(certs);
+ this->alert->add(this->alert, TLS_FATAL, TLS_ACCESS_DENIED);
+ return NEED_MORE;
+ }
this->server_auth->add(this->server_auth,
AUTH_HELPER_SUBJECT_CERT, cert);
DBG1(DBG_TLS, "received TLS server certificate '%Y'",
projects / people / ms / strongswan.git / commitdiff
