narenas
/
opengnsys_ipxe
mirror of https://github.com/ipxe/ipxe.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

[tls] Include root of trust within definition of TLS session 

Signed-off-by: Michael Brown <mcb30@ipxe.org>
pull/182/head
Michael Brown 2020-12-15 16:28:33 +00:00
parent 3475f9162b
commit 6a8664d9ec
2 changed files with 11 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
src/include/ipxe/tls.h
View File

@ -255,6 +255,9 @@ struct tls_session {
/** Server name */
const char *name;
/** Root of trust */
struct x509_root *root;
/** Session ID */
uint8_t id[32];
/** Length of session ID */
@ -326,7 +329,7 @@ struct tls_connection {
/** Verification data */
struct tls_verify_data verify;
/** Root of trust (or NULL to use default) */
/** Root of trust */
struct x509_root *root;
/** Server certificate chain */
struct x509_chain *chain;

10
src/net/tls.c
View File

@ -45,6 +45,7 @@ FILE_LICENCE ( GPL2_OR_LATER );
#include <ipxe/x509.h>
#include <ipxe/privkey.h>
#include <ipxe/certstore.h>
#include <ipxe/rootcert.h>
#include <ipxe/rbg.h>
#include <ipxe/validator.h>
#include <ipxe/job.h>
@ -349,7 +350,8 @@ static void free_tls_session ( struct refcnt *refcnt ) {
/* Remove from list of sessions */
list_del ( &session->list );
/* Free session ticket */
/* Free dynamically-allocated resources */
x509_root_put ( session->root );
free ( session->ticket );
/* Free session */
@ -3097,7 +3099,8 @@ static int tls_session ( struct tls_connection *tls, const char *name ) {
/* Find existing matching session, if any */
list_for_each_entry ( session, &tls_sessions, list ) {
if ( strcmp ( name, session->name ) == 0 ) {
if ( ( strcmp ( name, session->name ) == 0 ) &&
( tls->root == session->root ) ) {
ref_get ( &session->refcnt );
tls->session = session;
DBGC ( tls, "TLS %p joining session %s\n", tls, name );
@ -3116,6 +3119,7 @@ static int tls_session ( struct tls_connection *tls, const char *name ) {
name_copy = ( ( ( void * ) session ) + sizeof ( *session ) );
strcpy ( name_copy, name );
session->name = name_copy;
session->root = x509_root_get ( tls->root );
INIT_LIST_HEAD ( &session->conn );
list_add ( &session->list, &tls_sessions );
@ -3164,7 +3168,7 @@ int add_tls ( struct interface *xfer, const char *name,
intf_init ( &tls->validator, &tls_validator_desc, &tls->refcnt );
process_init_stopped ( &tls->process, &tls_process_desc,
&tls->refcnt );
tls->root = x509_root_get ( root );
tls->root = x509_root_get ( root ? root : &root_certificates );
tls->version = TLS_VERSION_TLS_1_2;
tls_clear_cipher ( tls, &tls->tx_cipherspec );
tls_clear_cipher ( tls, &tls->tx_cipherspec_pending );