TcpSocketEndpoint: fix peer certificate comparaison

Compare only public Id is not secure enough to ensure certificate comparaison. Use a byte-comparaison to verify the peer certificate during TLS certificate checkings. Change-Id: Ic90877ba3722e69d833f3adf841b3ebde8e44d9f Reviewed-by: Nicolas Jäger <nicolas.jager@savoirfairelinux.com>

TcpSocketEndpoint: fix peer certificate comparaison
1b5dff33 · Guillaume Roguez · Nicolas Jager · 16551fc6 · 1b5dff33
Commit 1b5dff33 authored 7 years ago by Guillaume Roguez Committed by Nicolas Jager 7 years ago
--- a/src/peer_connection.cpp
+++ b/src/peer_connection.cpp
@@ -324,7 +324,7 @@ TlsSocketEndpoint::Impl::verifyCertificate(gnutls_session_t session)
    for (unsigned i=0; i<cert_list_size; i++)
        crt_data.emplace_back(cert_list[i].data, cert_list[i].data + cert_list[i].size);
    auto crt = dht::crypto::Certificate {crt_data};
-    if (crt.getId() != peerCertificate.getId()) {
+    if (crt.getPacked() != peerCertificate.getPacked()) {
        RING_ERR() << "[TLS-SOCKET] Unexpected peer certificate";
        return GNUTLS_E_CERTIFICATE_ERROR;
    }