From 1b5dff3391940ddcb0783c7b2418ae8fa275447b Mon Sep 17 00:00:00 2001 From: Guillaume Roguez <guillaume.roguez@savoirfairelinux.com> Date: Tue, 23 Jan 2018 13:37:11 -0500 Subject: [PATCH] TcpSocketEndpoint: fix peer certificate comparaison MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Compare only public Id is not secure enough to ensure certificate comparaison. Use a byte-comparaison to verify the peer certificate during TLS certificate checkings. Change-Id: Ic90877ba3722e69d833f3adf841b3ebde8e44d9f Reviewed-by: Nicolas Jäger <nicolas.jager@savoirfairelinux.com> --- src/peer_connection.cpp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/peer_connection.cpp b/src/peer_connection.cpp index bd62da9a0e..6fa556a925 100644 --- a/src/peer_connection.cpp +++ b/src/peer_connection.cpp @@ -324,7 +324,7 @@ TlsSocketEndpoint::Impl::verifyCertificate(gnutls_session_t session) for (unsigned i=0; i<cert_list_size; i++) crt_data.emplace_back(cert_list[i].data, cert_list[i].data + cert_list[i].size); auto crt = dht::crypto::Certificate {crt_data}; - if (crt.getId() != peerCertificate.getId()) { + if (crt.getPacked() != peerCertificate.getPacked()) { RING_ERR() << "[TLS-SOCKET] Unexpected peer certificate"; return GNUTLS_E_CERTIFICATE_ERROR; } -- GitLab