Commit 1b5dff33 authored by Guillaume Roguez's avatar Guillaume Roguez Committed by Nicolas Jager
TcpSocketEndpoint: fix peer certificate comparison


Comparing only the public Id is not secure enough to ensure
certificate comparison.
Use a byte comparison to verify the peer certificate
during TLS certificate checks.

Change-Id: Ic90877ba3722e69d833f3adf841b3ebde8e44d9f
Reviewed-by: Nicolas Jäger <nicolas.jager@savoirfairelinux.com>
parent 16551fc6
...@@ -324,7 +324,7 @@ TlsSocketEndpoint::Impl::verifyCertificate(gnutls_session_t session) ...@@ -324,7 +324,7 @@ TlsSocketEndpoint::Impl::verifyCertificate(gnutls_session_t session)
for (unsigned i=0; i<cert_list_size; i++) for (unsigned i=0; i<cert_list_size; i++)
crt_data.emplace_back(cert_list[i].data, cert_list[i].data + cert_list[i].size); crt_data.emplace_back(cert_list[i].data, cert_list[i].data + cert_list[i].size);
auto crt = dht::crypto::Certificate {crt_data}; auto crt = dht::crypto::Certificate {crt_data};
if (crt.getId() != peerCertificate.getId()) { if (crt.getPacked() != peerCertificate.getPacked()) {
RING_ERR() << "[TLS-SOCKET] Unexpected peer certificate"; RING_ERR() << "[TLS-SOCKET] Unexpected peer certificate";
return GNUTLS_E_CERTIFICATE_ERROR; return GNUTLS_E_CERTIFICATE_ERROR;
} }
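Review bot: the new check `if (crt.getPacked() != peerCertificate.getPacked())` compares the packed bytes of a Certificate built from every entry of cert_list (the loop above pushes all cert_list_size entries into crt_data), so the comparison now depends on whether peerCertificate was packed from the same set of certificates; if peerCertificate was stored as a leaf only while the peer presents a chain (or the reverse), a legitimate peer would be rejected with "Unexpected peer certificate". Please confirm that both sides pack the same material, and say so in the commit message, which should also state what getId() covers and why a match on it alone was insufficient, since that is the security rationale for the change. Two smaller points: the commit title names TcpSocketEndpoint while the hunk is in TlsSocketEndpoint::Impl::verifyCertificate, and the error log could include the expected and received certificate Ids to make a rejected handshake diagnosable.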