tls-peer: Make sure to use the right trusted public key for peer

In case a CA certificate uses the same subject DN as the server the
previous code could end up trying to verify the server's signature with
the CA certificate's public key.  By comparing the certificate with the
one sent by the peer we make sure to use the right one.

Fixes #849.

diff --git a/src/libtls/tls_peer.c b/src/libtls/tls_peer.c
index 08e36de3698f95c4732413f84e8bfb2e9ee451ed..99bc92ac016024bdfc7a00c83c6d410a235ee0ed 100644 (file)
--- a/src/libtls/tls_peer.c
+++ b/src/libtls/tls_peer.c
@@ -312,7 +312,7 @@ static status_t process_certificate(private_tls_peer_t *this,
 static public_key_t *find_public_key(private_tls_peer_t *this)
 {
        public_key_t *public = NULL, *current;
-       certificate_t *cert;
+       certificate_t *cert, *found;
        enumerator_t *enumerator;
        auth_cfg_t *auth;
 
@@ -323,9 +323,13 @@ static public_key_t *find_public_key(private_tls_peer_t *this)
                                                KEY_ANY, cert->get_subject(cert), this->server_auth);
                while (enumerator->enumerate(enumerator, &current, &auth))
                {
-                       public = current->get_ref(current);
-                       this->server_auth->merge(this->server_auth, auth, FALSE);
-                       break;
+                       found = auth->get(auth, AUTH_RULE_SUBJECT_CERT);
+                       if (found && cert->equals(cert, found))
+                       {
+                               public = current->get_ref(current);
+                               this->server_auth->merge(this->server_auth, auth, FALSE);
+                               break;
+                       }
                }
                enumerator->destroy(enumerator);
        }