From a1455078e94477107c3ac654336c4759957768e0 Mon Sep 17 00:00:00 2001
From: Simon Rozman
Date: Fri, 30 Sep 2016 14:24:49 +0200
Subject: [PATCH] Explicit server certificate check introduced

---
 lib/Events/res/EventsETW.man | Bin 103110 -> 103654 bytes
 lib/TLS/src/Method.cpp | 10 ++++++++++
 2 files changed, 10 insertions(+)

diff --git a/lib/Events/res/EventsETW.man b/lib/Events/res/EventsETW.man
index 9366d8da6c33d46d86d307b3da3cdbb3a14c15bc..2e586a0062936175ad85cb8cd3caf49946797ed6 100644
GIT binary patch
delta 143
zcmX@MlB-`X^7k#ErU}9`wc4erTZ1_)g zx(PF*6{E@ad}hXjz0-5j82P3fw%<7s+=A@kx_BF+9bvW0Esg$SO5S3

delta 73
zcmaF1lI_@1wuUW?GR%|h{z*)q#lmRCZp@$uf|CuoM7MunVO-Wb{arny!1Onh8TqDf Vn#9-w=c-N5n#?FS-E9iv0szSP8tDK4

diff --git a/lib/TLS/src/Method.cpp b/lib/TLS/src/Method.cpp
index 800457c..25ebfbc 100644
--- a/lib/TLS/src/Method.cpp
+++ b/lib/TLS/src/Method.cpp
@@ -1306,6 +1306,16 @@ void eap::method_tls::verify_server_trust() const
 throw sec_runtime_error(status, __FUNCTION__ " Error retrieving server certificate from Schannel.");
 #endif
+ for (list::const_iterator c = m_cfg.m_trusted_root_ca.cbegin(), c_end = m_cfg.m_trusted_root_ca.cend(); c != c_end; ++c) {
+ if (cert->cbCertEncoded == (*c)->cbCertEncoded &&
+ memcmp(cert->pbCertEncoded, (*c)->pbCertEncoded, cert->cbCertEncoded) == 0)
+ {
+ // Server certificate found directly on the trusted root CA list.
+ m_module.log_event(&EAPMETHOD_TLS_SERVER_CERT_TRUSTED_EX, event_data::blank);
+ return;
+ }
+ }
+
 // Check server name.
 if (!m_cfg.m_server_names.empty()) {
 bool
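Review bot: The early `return` in the added loop accepts the peer certificate on a byte-identical match with any entry of m_cfg.m_trusted_root_ca and thereby skips the server-name check that follows in the hunk, and presumably whatever chain or validity-period checks come later in verify_server_trust(), so an expired pinned certificate would still be accepted on this path. If that short-circuit is intended as exact pinning of the end-entity certificate, the comment should say so: `// Exact (pinned) match of the peer certificate: by design this bypasses the server-name and chain checks below.` If it is not intended, verify the certificate's validity period (e.g. with CertVerifyTimeValidity) before returning. The length comparison guarding the memcmp is correct as written. verify_server_trust() begins before and continues past this hunk.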