tls-peer: Simplify identity check for server certificate
authorTobias Brunner <tobias@strongswan.org>
Fri, 4 Feb 2022 10:16:14 +0000 (11:16 +0100)
committerTobias Brunner <tobias@strongswan.org>
Tue, 15 Feb 2022 15:54:39 +0000 (16:54 +0100)
has_subject() already matches the identity against the subject DN and
all the SANs (it actually already did when this check was added with
c81147998619 ("Strictly check if the server certificate matches the TLS
server identity")).

src/libtls/tls_peer.c

index 58a36dbd2d55d3cab09a3d039eef5593344b4232..69d4917a8fce4e8f98806b4eea5634f573cab208 100644 (file)
@@ -21,7 +21,6 @@
 #include "tls_peer.h"
 
 #include <utils/debug.h>
-#include <credentials/certificates/x509.h>
 
 #include <time.h>
 
@@ -509,42 +508,6 @@ static status_t process_encrypted_extensions(private_tls_peer_t *this,
        return NEED_MORE;
 }
 
-/**
- * Check if a server certificate is acceptable for the given server identity
- */
-static bool check_certificate(private_tls_peer_t *this, certificate_t *cert)
-{
-       identification_t *id;
-
-       if (cert->has_subject(cert, this->server))
-       {
-               return TRUE;
-       }
-       id = cert->get_subject(cert);
-       if (id->matches(id, this->server))
-       {
-               return TRUE;
-       }
-       if (cert->get_type(cert) == CERT_X509)
-       {
-               x509_t *x509 = (x509_t*)cert;
-               enumerator_t *enumerator;
-
-               enumerator = x509->create_subjectAltName_enumerator(x509);
-               while (enumerator->enumerate(enumerator, &id))
-               {
-                       if (id->matches(id, this->server))
-                       {
-                               enumerator->destroy(enumerator);
-                               return TRUE;
-                       }
-               }
-               enumerator->destroy(enumerator);
-       }
-       DBG1(DBG_TLS, "server certificate does not match to '%Y'", this->server);
-       return FALSE;
-}
-
 /**
  * Process a Certificate message
  */
@@ -591,8 +554,10 @@ static status_t process_certificate(private_tls_peer_t *this,
                {
                        if (first)
                        {
-                               if (!check_certificate(this, cert))
+                               if (!cert->has_subject(cert, this->server))
                                {
+                                       DBG1(DBG_TLS, "server certificate does not match to '%Y'",
+                                                this->server);
                                        cert->destroy(cert);
                                        certs->destroy(certs);
                                        this->alert->add(this->alert, TLS_FATAL, TLS_ACCESS_DENIED);
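Review bot: The new `has_subject()` call on the `if (first)` branch now carries the whole identity check on its own, but nothing at the call site says that this single call is meant to cover the subject DN and every subjectAltName — the reasoning only lives in the commit message, and a later reader comparing this with the removed helper may assume the SAN walk was dropped by mistake and re-add it. A short comment above the condition would pin that down, e.g. `/* has_subject() matches the server identity against the subject DN and all SANs, so no X.509-specific SAN enumeration is needed here */`. It would also help to note in that comment that only the first certificate of the chain (the end-entity one) is checked against the server identity, which the `first` flag implies but does not state. process_certificate() starts and ends outside this hunk.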