Move TLS cert verification callback from Credentials_Manager to TLS::Callbacks

It is the only function in C_M which is called on to process session-specific (and adversarially provided) inputs, rather than passively returning some credential which is typically not session specific.
author: Jack Lloyd <[email protected]> 2016-11-21 20:13:15 -0500
committer: Jack Lloyd <[email protected]> 2016-11-23 08:31:07 -0500
commit: 33e855853886193867b32da847b8b77f7bc102ee (patch)
tree: ed8d4d93f247832f7768b5fe1e92cde7109e4352 /src/lib/tls/tls_server.cpp
parent: 987fcef3f93fe06500b81da2706b358cff85d53a (diff)
1 files changed, 7 insertions, 1 deletions
diff --git a/src/lib/tls/tls_server.cpp b/src/lib/tls/tls_server.cpp
index 5e3b222f1..abe22df3c 100644
--- a/src/lib/tls/tls_server.cpp
+++ b/src/lib/tls/tls_server.cpp
@@ -523,7 +523,13 @@ void Server::process_certificate_verify_msg(Server_Handshake_State& pending_stat
 
     try
         {
-        m_creds.verify_certificate_chain ( "tls-server", "", client_certs );
+        const std::string sni_hostname = pending_state.client_hello()->sni_hostname();
+        auto trusted_CAs = m_creds.trusted_certificate_authorities("tls-server", sni_hostname);
+
+        callbacks().tls_verify_cert_chain(client_certs,
+                                          trusted_CAs,
+                                          Usage_Type::TLS_CLIENT_AUTH,
+                                          sni_hostname);
         }
     catch ( std::exception& e )
         {
author	Jack Lloyd <[email protected]>	2016-11-21 20:13:15 -0500
committer	Jack Lloyd <[email protected]>	2016-11-23 08:31:07 -0500
commit	33e855853886193867b32da847b8b77f7bc102ee (patch)
tree	ed8d4d93f247832f7768b5fe1e92cde7109e4352 /src/lib/tls/tls_server.cpp
parent	987fcef3f93fe06500b81da2706b358cff85d53a (diff)