diff options
| author | Michael Brown | 2014-03-25 16:01:32 +0100 |
|---|---|---|
| committer | Michael Brown | 2014-03-25 17:30:43 +0100 |
| commit | 01fa7efa38060c010103d444b47a2cd3ff684f82 (patch) | |
| tree | aa9eaf98352260b208691559165696b71fb05812 /src/net/tls.c | |
| parent | [ocsp] Handle OCSP responses that don't provide certificates (diff) | |
| download | ipxe-01fa7efa38060c010103d444b47a2cd3ff684f82.tar.gz ipxe-01fa7efa38060c010103d444b47a2cd3ff684f82.tar.xz ipxe-01fa7efa38060c010103d444b47a2cd3ff684f82.zip | |
[crypto] Remove dynamically-allocated storage for certificate name
iPXE currently allocates a copy the certificate's common name as a
string. This string is used by the TLS and CMS code to check
certificate names against an expected name, and also appears in
debugging messages.
Provide a function x509_check_name() to centralise certificate name
checking (in preparation for adding subjectAlternativeName support),
and a function x509_name() to provide a name to be used in debugging
messages, and remove the dynamically allocated string.
Signed-off-by: Michael Brown <mcb30@ipxe.org>
Diffstat (limited to 'src/net/tls.c')
| -rw-r--r-- | src/net/tls.c | 14 |
1 files changed, 4 insertions, 10 deletions
diff --git a/src/net/tls.c b/src/net/tls.c index 5e18f726..742a7c0b 100644 --- a/src/net/tls.c +++ b/src/net/tls.c @@ -49,10 +49,6 @@ FILE_LICENCE ( GPL2_OR_LATER ); #include <ipxe/tls.h> /* Disambiguate the various error causes */ -#define EACCES_WRONG_NAME __einfo_error ( EINFO_EACCES_WRONG_NAME ) -#define EINFO_EACCES_WRONG_NAME \ - __einfo_uniqify ( EINFO_EACCES, 0x02, \ - "Incorrect server name" ) #define EINVAL_CHANGE_CIPHER __einfo_error ( EINFO_EINVAL_CHANGE_CIPHER ) #define EINFO_EINVAL_CHANGE_CIPHER \ __einfo_uniqify ( EINFO_EINVAL, 0x01, \ @@ -1479,7 +1475,7 @@ static int tls_parse_chain ( struct tls_session *tls, } cert = x509_last ( tls->chain ); DBGC ( tls, "TLS %p found certificate %s\n", - tls, cert->subject.name ); + tls, x509_name ( cert ) ); /* Move to next certificate in list */ data = next; @@ -2454,11 +2450,9 @@ static void tls_validator_done ( struct tls_session *tls, int rc ) { assert ( cert != NULL ); /* Verify server name */ - if ( ( cert->subject.name == NULL ) || - ( strcmp ( cert->subject.name, tls->name ) != 0 ) ) { - DBGC ( tls, "TLS %p server name incorrect (expected %s, got " - "%s)\n", tls, tls->name, cert->subject.name ); - rc = -EACCES_WRONG_NAME; + if ( ( rc = x509_check_name ( cert, tls->name ) ) != 0 ) { + DBGC ( tls, "TLS %p server certificate does not match %s: %s\n", + tls, tls->name, strerror ( rc ) ); goto err; } |