author | Tobias Brunner <tobias@strongswan.org> | 2015-02-20 11:29:02 +0100 |
---|---|---|
committer | Tobias Brunner <tobias@strongswan.org> | 2015-03-09 15:40:06 +0100 |
commit | 18597950fa305666e9040099b7bcd67dcc95da7f (patch) | |
tree | 822eb357693613db310505df9f7c7960c4a5f66b /src/libtls/tls_peer.c | |
parent | e5009fbb66d6856d4cae248f5a77b6651d967b58 (diff) | |
download | strongswan-18597950fa305666e9040099b7bcd67dcc95da7f.tar.bz2 strongswan-18597950fa305666e9040099b7bcd67dcc95da7f.tar.xz |
tls-peer: Make sure to use the right trusted public key for peer
In case a CA certificate uses the same subject DN as the server the
previous code could end up trying to verify the server's signature with
the CA certificate's public key. By comparing the certificate with the
one sent by the peer we make sure to use the right one.
Fixes #849.
Diffstat (limited to 'src/libtls/tls_peer.c')
-rw-r--r-- | src/libtls/tls_peer.c | 12 |
1 files changed, 8 insertions, 4 deletions
diff --git a/src/libtls/tls_peer.c b/src/libtls/tls_peer.c
index 08e36de36..99bc92ac0 100644
--- a/src/libtls/tls_peer.c
+++ b/src/libtls/tls_peer.c
@@ -312,7 +312,7 @@ static status_t process_certificate(private_tls_peer_t *this,
 static public_key_t *find_public_key(private_tls_peer_t *this)
 {
 	public_key_t *public = NULL, *current;
-	certificate_t *cert;
+	certificate_t *cert, *found;
 	enumerator_t *enumerator;
 	auth_cfg_t *auth;
 
@@ -323,9 +323,13 @@ static public_key_t *find_public_key(private_tls_peer_t *this)
 					KEY_ANY, cert->get_subject(cert), this->server_auth);
 		while (enumerator->enumerate(enumerator, ¤t, &auth))
 		{
-			public = current->get_ref(current);
-			this->server_auth->merge(this->server_auth, auth, FALSE);
-			break;
+			found = auth->get(auth, AUTH_RULE_SUBJECT_CERT);
+			if (found && cert->equals(cert, found))
+			{
+				public = current->get_ref(current);
+				this->server_auth->merge(this->server_auth, auth, FALSE);
+				break;
+			}
 		}
 		enumerator->destroy(enumerator);
 	}
|
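Review bot: The new `if (found && cert->equals(cert, found))` test in the second hunk carries the whole security rationale of this change but nothing in the code says why a subject-DN match is no longer enough; a one-line comment above it would keep the next maintainer from "simplifying" it back, e.g. `/* a CA may share the server's subject DN, so only accept the key whose trusted cert is the one the peer actually sent */`. Entries whose auth config carries no AUTH_RULE_SUBJECT_CERT are now skipped silently, and when no entry matches `public` stays NULL; that is presumably the intended fail-closed behaviour, but a DBG-level message on the no-match path would make a misconfigured trust store diagnosable instead of surfacing as a bare signature failure. find_public_key continues past the end of the hunk, so how the NULL result is reported to the caller is not visible here.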