From: Tobias Brunner Date: Fri, 4 Feb 2022 10:16:14 +0000 (+0100) Subject: tls-peer: Simplify identity check for server certificate X-Git-Tag: 5.9.6rc1~19 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=eccfd27f03491dd1f428d62aab939caefe10d7a4;p=thirdparty%2Fstrongswan.git tls-peer: Simplify identity check for server certificate has_subject() already matches the identity against the subject DN and all the SANs (it actually already did when this check was added with c81147998619 ("Strictly check if the server certificate matches the TLS server identity")).
---
diff --git a/src/libtls/tls_peer.c b/src/libtls/tls_peer.c
index 58a36dbd2d..69d4917a8f 100644
--- a/src/libtls/tls_peer.c
+++ b/src/libtls/tls_peer.c
@@ -21,7 +21,6 @@
 #include "tls_peer.h"
 #include
-#include
 #include
@@ -509,42 +508,6 @@ static status_t process_encrypted_extensions(private_tls_peer_t *this,
 return NEED_MORE;
 }
-/**
- * Check if a server certificate is acceptable for the given server identity
- */
-static bool check_certificate(private_tls_peer_t *this, certificate_t *cert)
-{
- identification_t *id;
- if (cert->has_subject(cert, this->server))
- {
- return TRUE;
- }
- id = cert->get_subject(cert);
- if (id->matches(id, this->server))
- {
- return TRUE;
- }
- if (cert->get_type(cert) == CERT_X509)
- {
- x509_t *x509 = (x509_t*)cert;
- enumerator_t *enumerator;
- enumerator = x509->create_subjectAltName_enumerator(x509);
- while (enumerator->enumerate(enumerator, &id))
- {
- if (id->matches(id, this->server))
- {
- enumerator->destroy(enumerator);
- return TRUE;
- }
- }
- enumerator->destroy(enumerator);
- }
- DBG1(DBG_TLS, "server certificate does not match to '%Y'", this->server);
- return FALSE;
-}
-
 /**
 * Process a Certificate message
 */
@@ -591,8 +554,10 @@ static status_t process_certificate(private_tls_peer_t *this,
 {
 if (first)
 {
- if (!check_certificate(this, cert))
+ if (!cert->has_subject(cert, this->server))
 {
+ DBG1(DBG_TLS, "server certificate does not match to '%Y'",
+ this->server);
 cert->destroy(cert);
 certs->destroy(certs);
 this->alert->add(this->alert, TLS_FATAL, TLS_ACCESS_DENIED);
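Review bot: The added DBG1 reports only the expected identity `this->server`, not what the rejected certificate actually carried, so a mismatch in the log cannot be tied to the certificate that triggered the TLS_ACCESS_DENIED alert; logging the subject as well, `DBG1(DBG_TLS, "server certificate '%Y' does not match to '%Y'", cert->get_subject(cert), this->server);`, keeps the same log level and makes a misconfigured or impostor server diagnosable from the log alone. The `!` on `has_subject()` now relies on the no-match value of its `id_match_t` result being zero, which the removed bool-returning `check_certificate()` wrapper used to hide; a short comment such as `/* has_subject() returns id_match_t; ID_MATCH_NONE is 0, any other match is accepted */` would make the acceptance criterion explicit. If `this->server` can ever be an ID_ANY identity, the matches-based comparison inside `has_subject()` would presumably accept any certificate — the removed code had the same property, so this is not a regression, but it is worth confirming where the server identity is constructed. process_certificate() starts and ends outside this hunk.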