From 1b5dff3391940ddcb0783c7b2418ae8fa275447b Mon Sep 17 00:00:00 2001
From: Guillaume Roguez <guillaume.roguez@savoirfairelinux.com>
Date: Tue, 23 Jan 2018 13:37:11 -0500
Subject: [PATCH] TcpSocketEndpoint: fix peer certificate comparaison
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Comparing only the public Id is not secure enough to ensure
certificate equality.
Use a byte comparison to verify the peer certificate
during TLS certificate checks.

Change-Id: Ic90877ba3722e69d833f3adf841b3ebde8e44d9f
Reviewed-by: Nicolas Jäger <nicolas.jager@savoirfairelinux.com>
---
 src/peer_connection.cpp | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/peer_connection.cpp b/src/peer_connection.cpp
index bd62da9a0e..6fa556a925 100644
--- a/src/peer_connection.cpp
+++ b/src/peer_connection.cpp
@@ -324,7 +324,7 @@ TlsSocketEndpoint::Impl::verifyCertificate(gnutls_session_t session)
     for (unsigned i=0; i<cert_list_size; i++)
         crt_data.emplace_back(cert_list[i].data, cert_list[i].data + cert_list[i].size);
     auto crt = dht::crypto::Certificate {crt_data};
-    if (crt.getId() != peerCertificate.getId()) {
+    if (crt.getPacked() != peerCertificate.getPacked()) {
         RING_ERR() << "[TLS-SOCKET] Unexpected peer certificate";
         return GNUTLS_E_CERTIFICATE_ERROR;
     }
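Review bot: The byte comparison on the new line would benefit from a comment stating why the full DER encoding is compared rather than the id, since a reader seeing `getPacked()` next to a `getId()`-based convention elsewhere may revert it; something like `// Compare the full DER encoding, not just the id: equal ids do not guarantee the same certificate.` above the `if`. It is also worth confirming that `getPacked()` covers the same scope on both sides: `crt` is built from the whole `cert_list` chain while `peerCertificate`'s origin is outside this hunk, so if one side packs a chain and the other a single leaf certificate, a legitimate peer would be rejected with `GNUTLS_E_CERTIFICATE_ERROR`. The error log on mismatch could also record the received certificate's id to make such rejections diagnosable. verifyCertificate starts and ends outside the hunk.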
-- 
GitLab