author | Michael Brown <mcb30@ipxe.org> | 2020-12-15 16:28:33 +0000 |
---|---|---|
committer | Michael Brown <mcb30@ipxe.org> | 2020-12-15 16:28:33 +0000 |
commit | 6a8664d9ec8010a717855ca92173c63c3c166c4e (patch) | |
tree | 6ddd0f709bdbd174fdf561207075099c0d04741b | |
parent | 3475f9162b84ce21327244ebce20ae29db6d7ac8 (diff) | |
download | ipxe-6a8664d9ec8010a717855ca92173c63c3c166c4e.tar.gz |
[tls] Include root of trust within definition of TLS session
Signed-off-by: Michael Brown <mcb30@ipxe.org>
-rw-r--r-- | src/include/ipxe/tls.h | 5 | ||||
-rw-r--r-- | src/net/tls.c | 10 |
2 files changed, 11 insertions, 4 deletions
diff --git a/src/include/ipxe/tls.h b/src/include/ipxe/tls.h
index 1e1093fde..8345c9a26 100644
--- a/src/include/ipxe/tls.h
+++ b/src/include/ipxe/tls.h
@@ -255,6 +255,9 @@ struct tls_session {
 /** Server name */
 const char *name;
+ /** Root of trust */
+ struct x509_root *root;
+
 /** Session ID */
 uint8_t id[32];
 /** Length of session ID */
@@ -326,7 +329,7 @@ struct tls_connection {
 /** Verification data */
 struct tls_verify_data verify;
- /** Root of trust (or NULL to use default) */
+ /** Root of trust */
 struct x509_root *root;
 /** Server certificate chain */
 struct x509_chain *chain;
diff --git a/src/net/tls.c b/src/net/tls.c
index f5459a2af..046378392 100644
--- a/src/net/tls.c
+++ b/src/net/tls.c
@@ -45,6 +45,7 @@ FILE_LICENCE ( GPL2_OR_LATER );
 #include <ipxe/x509.h>
 #include <ipxe/privkey.h>
 #include <ipxe/certstore.h>
+#include <ipxe/rootcert.h>
 #include <ipxe/rbg.h>
 #include <ipxe/validator.h>
 #include <ipxe/job.h>
@@ -349,7 +350,8 @@ static void free_tls_session ( struct refcnt *refcnt ) {
 /* Remove from list of sessions */
 list_del ( &session->list );
- /* Free session ticket */
+ /* Free dynamically-allocated resources */
+ x509_root_put ( session->root );
 free ( session->ticket );
 /* Free session */
@@ -3097,7 +3099,8 @@ static int tls_session ( struct tls_connection *tls, const char *name ) {
 /* Find existing matching session, if any */
 list_for_each_entry ( session, &tls_sessions, list ) {
- if ( strcmp ( name, session->name ) == 0 ) {
+ if ( ( strcmp ( name, session->name ) == 0 ) &&
+ ( tls->root == session->root ) ) {
 ref_get ( &session->refcnt );
 tls->session = session;
 DBGC ( tls, "TLS %p joining session %s\n", tls, name );
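Review bot: The new match condition in tls_session(), `( tls->root == session->root )`, compares roots by pointer identity, so connections using distinct x509_root objects that hold the same certificates will never share a session, while the default root and any caller-supplied root shared between connections will. That is the conservative choice, since a resumed session skips the full handshake in which the server certificate is validated under the connection's root and so must only be reused under the same root, but nothing in the hunk records the reasoning. A comment on the condition such as `/* Key sessions on the root of trust as well as the name: a resumed session inherits the validation done under its original root, so never reuse one across roots (compared by identity, not content) */` would make the intent clear to the next reader. Including the root in the debug line, `DBGC ( tls, "TLS %p joining session %s (root %p)\n", tls, name, session->root );`, would also make a refused resumption due to a differing root visible in the log.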
@@ -3116,6 +3119,7 @@ static int tls_session ( struct tls_connection *tls, const char *name ) { name_copy = ( ( ( void * ) session ) + sizeof ( *session ) ); strcpy ( name_copy, name ); session->name = name_copy; + session->root = x509_root_get ( tls->root ); INIT_LIST_HEAD ( &session->conn ); list_add ( &session->list, &tls_sessions ); @@ -3164,7 +3168,7 @@ int add_tls ( struct interface *xfer, const char *name, intf_init ( &tls->validator, &tls_validator_desc, &tls->refcnt ); process_init_stopped ( &tls->process, &tls_process_desc, &tls->refcnt ); - tls->root = x509_root_get ( root ); + tls->root = x509_root_get ( root ? root : &root_certificates ); tls->version = TLS_VERSION_TLS_1_2; tls_clear_cipher ( tls, &tls->tx_cipherspec ); tls_clear_cipher ( tls, &tls->tx_cipherspec_pending ); |
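Review bot: After `tls->root = x509_root_get ( root ? root : &root_certificates );` the connection's root is never NULL, yet the `root` parameter of add_tls() still accepts NULL to mean the default, and the field comment that used to say so ("or NULL to use default") is removed in the tls.h hunk; if add_tls()'s own doc comment does not already state it, add `@v root Root of trust (or NULL to use the built-in root_certificates)` there so the caller-facing contract stays documented. add_tls() starts and ends outside the hunk. Any remaining NULL handling of `tls->root` later in the file (for example where validation is started) is presumably dead now and could be dropped, but that needs checking against the rest of tls.c. The `session->root = x509_root_get ( tls->root )` added in the -3116 hunk is balanced by the `x509_root_put ( session->root )` added to free_tls_session(), so the reference accounting looks consistent.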