ConnectionManager: check that request owner matches TLS certificate
Change-Id: I27cf22e66a4c86742b022136d036ca77c25dc724
diff --git a/src/connectionmanager.cpp b/src/connectionmanager.cpp
index 1ca85e7..baab5af 100644
--- a/src/connectionmanager.cpp
+++ b/src/connectionmanager.cpp
@@ -1124,10 +1124,17 @@
config_->ioContext,
identity(),
dhParams(),
- [ph, w = weak()](const dht::crypto::Certificate& cert) {
+ [ph, deviceId, w=weak(), l=config_->logger](const dht::crypto::Certificate& cert) {
auto shared = w.lock();
if (!shared)
return false;
+ if (cert.getPublicKey().getId() != ph
+ || deviceId != cert.getPublicKey().getLongId()) {
+ if (l) l->warn("[device {}] TLS certificate with ID {} doesn't match the DHT request.",
+ deviceId,
+ cert.getPublicKey().getLongId());
+ return false;
+ }
auto crt = shared->certStore().getCertificate(cert.getLongId().toString());
if (!crt)
return false;