From: Tobias Brunner <tobias@strongswan.org>
Date: Fri, 20 Feb 2015 10:29:02 +0000 (+0100)
Subject: tls-peer: Make sure to use the right trusted public key for peer
X-Git-Tag: 5.3.0dr1~24
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=18597950fa305666e9040099b7bcd67dcc95da7f;p=thirdparty%2Fstrongswan.git

tls-peer: Make sure to use the right trusted public key for peer

In case a CA certificate uses the same subject DN as the server the
previous code could end up trying to verify the server's signature with
the CA certificate's public key.  By comparing the certificate with the
one sent by the peer we make sure to use the right one.

Fixes #849.
---

diff --git a/src/libtls/tls_peer.c b/src/libtls/tls_peer.c
index 08e36de369..99bc92ac01 100644
--- a/src/libtls/tls_peer.c
+++ b/src/libtls/tls_peer.c
@@ -312,7 +312,7 @@ static status_t process_certificate(private_tls_peer_t *this,
 static public_key_t *find_public_key(private_tls_peer_t *this)
 {
 	public_key_t *public = NULL, *current;
-	certificate_t *cert;
+	certificate_t *cert, *found;
 	enumerator_t *enumerator;
 	auth_cfg_t *auth;
 
@@ -323,9 +323,13 @@ static public_key_t *find_public_key(private_tls_peer_t *this)
 						KEY_ANY, cert->get_subject(cert), this->server_auth);
 		while (enumerator->enumerate(enumerator, &current, &auth))
 		{
-			public = current->get_ref(current);
-			this->server_auth->merge(this->server_auth, auth, FALSE);
-			break;
+			found = auth->get(auth, AUTH_RULE_SUBJECT_CERT);
+			if (found && cert->equals(cert, found))
+			{
+				public = current->get_ref(current);
+				this->server_auth->merge(this->server_auth, auth, FALSE);
+				break;
+			}
 		}
 		enumerator->destroy(enumerator);
 	}