Explicit server certificate check introduced

2016-09-30 14:24:49 +02:00 · 2016-09-30 14:24:49 +02:00 · a1455078e9
commit a1455078e9
parent a834fbcb7c
2 changed files with 10 additions and 0 deletions
--- a/lib/Events/res/EventsETW.man
+++ b/lib/Events/res/EventsETW.man
--- a/lib/TLS/src/Method.cpp
+++ b/lib/TLS/src/Method.cpp
@ -1306,6 +1306,16 @@ void eap::method_tls::verify_server_trust() const
        throw sec_runtime_error(status, __FUNCTION__ " Error retrieving server certificate from Schannel.");
 #endif

+    for (list<cert_context>::const_iterator c = m_cfg.m_trusted_root_ca.cbegin(), c_end = m_cfg.m_trusted_root_ca.cend(); c != c_end; ++c) {
+        if (cert->cbCertEncoded == (*c)->cbCertEncoded &&
+            memcmp(cert->pbCertEncoded, (*c)->pbCertEncoded, cert->cbCertEncoded) == 0)
+        {
+            // Server certificate found directly on the trusted root CA list.
+            m_module.log_event(&EAPMETHOD_TLS_SERVER_CERT_TRUSTED_EX, event_data::blank);
+            return;
+        }
+    }
+
    // Check server name.
    if (!m_cfg.m_server_names.empty()) {
        bool