From eccfd27f03491dd1f428d62aab939caefe10d7a4 Mon Sep 17 00:00:00 2001
From: Tobias Brunner
Date: Fri, 4 Feb 2022 11:16:14 +0100
Subject: [PATCH] tls-peer: Simplify identity check for server certificate

has_subject() already matches the identity against the subject DN and all the SANs (it actually already did when this check was added with c81147998619 ("Strictly check if the server certificate matches the TLS server identity")).
---
 src/libtls/tls_peer.c | 41 +++-------------------------------------
 1 file changed, 3 insertions(+), 38 deletions(-)

diff --git a/src/libtls/tls_peer.c b/src/libtls/tls_peer.c
index 58a36dbd2..69d4917a8 100644
--- a/src/libtls/tls_peer.c
+++ b/src/libtls/tls_peer.c
@@ -21,7 +21,6 @@
 #include "tls_peer.h"
 #include
-#include
 #include
@@ -509,42 +508,6 @@ static status_t process_encrypted_extensions(private_tls_peer_t *this,
 return NEED_MORE;
 }
-/**
- * Check if a server certificate is acceptable for the given server identity
- */
-static bool check_certificate(private_tls_peer_t *this, certificate_t *cert)
-{
- identification_t *id;
- if (cert->has_subject(cert, this->server))
- {
- return TRUE;
- }
- id = cert->get_subject(cert);
- if (id->matches(id, this->server))
- {
- return TRUE;
- }
- if (cert->get_type(cert) == CERT_X509)
- {
- x509_t *x509 = (x509_t*)cert;
- enumerator_t *enumerator;
- enumerator = x509->create_subjectAltName_enumerator(x509);
- while (enumerator->enumerate(enumerator, &id))
- {
- if (id->matches(id, this->server))
- {
- enumerator->destroy(enumerator);
- return TRUE;
- }
- }
- enumerator->destroy(enumerator);
- }
- DBG1(DBG_TLS, "server certificate does not match to '%Y'", this->server);
- return FALSE;
-}
 /**
 * Process a Certificate message
 */
@@ -591,8 +554,10 @@ static status_t process_certificate(private_tls_peer_t *this,
 {
 if (first)
 {
- if (!check_certificate(this, cert))
+ if (!cert->has_subject(cert, this->server))
 {
+ DBG1(DBG_TLS, "server certificate does not match to '%Y'",
+ this->server);
 cert->destroy(cert);
 certs->destroy(certs);
 this->alert->add(this->alert, TLS_FATAL, TLS_ACCESS_DENIED);
-- 
2.47.3
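Review bot: The inlined `cert->has_subject(cert, this->server)` condition now depends on has_subject() covering the subjectAltNames as well as the subject DN, something the removed check_certificate() helper spelled out in code and that only the commit message records now; a one-line comment above the new `if` would keep that visible at the call site, e.g. `/* has_subject() matches the subject DN and all SANs of the certificate */`. This is the check that decides whether the presented server certificate is accepted for the configured server identity, so a reader auditing it should not have to consult git history to learn what the call is expected to cover. If some certificate implementation's has_subject() were DN-only, the SAN walk the old helper performed would be silently lost, which is a further reason to state the assumed contract next to the check. The enclosing function process_certificate() starts and ends outside the hunk.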