From 9efbd441891299ea2cc8007c26475bba9300479f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Adrien=20B=C3=A9raud?= <adrien.beraud@savoirfairelinux.com>
Date: Sun, 27 Aug 2023 12:38:07 -0400
Subject: [PATCH] ConnectionManager: check that request owner matches TLS
 certificate

Change-Id: I27cf22e66a4c86742b022136d036ca77c25dc724
---
 src/connectionmanager.cpp | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/src/connectionmanager.cpp b/src/connectionmanager.cpp
index 1ca85e7..baab5af 100644
--- a/src/connectionmanager.cpp
+++ b/src/connectionmanager.cpp
@@ -1124,10 +1124,17 @@ ConnectionManager::Impl::onRequestOnNegoDone(const PeerConnectionRequest& req)
         config_->ioContext,
         identity(),
         dhParams(),
-        [ph, w = weak()](const dht::crypto::Certificate& cert) {
+        [ph, deviceId, w=weak(), l=config_->logger](const dht::crypto::Certificate& cert) {
             auto shared = w.lock();
             if (!shared)
                 return false;
+            if (cert.getPublicKey().getId() != ph
+             || deviceId != cert.getPublicKey().getLongId()) {
+                if (l) l->warn("[device {}] TLS certificate with ID {} doesn't match the DHT request.",
+                                        deviceId,
+                                        cert.getPublicKey().getLongId());
+                return false;
+            }
             auto crt = shared->certStore().getCertificate(cert.getLongId().toString());
             if (!crt)
                 return false;
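Review bot: The warning in the new rejection branch prints only the certificate's long ID, so a failure of the short-ID comparison against `ph` cannot be told apart in the logs from a `deviceId` mismatch. Since this check binds the TLS peer to the DHT request owner, the message should state which comparison failed, or print both the expected and the presented values. `cert.getPublicKey()` is evaluated three times; taking `const auto& pk = cert.getPublicKey();` once and using `pk.getId()` / `pk.getLongId()` for both the comparison and the log keeps them in step. A short comment above the `if`, such as `// The TLS certificate must belong to the owner of the DHT request.`, would record why the check exists. `ph` and `deviceId` are defined outside the hunk and the lambda body continues past its end, so confirm that both values come from the verified request owner and not from an unauthenticated field.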
-- 
GitLab