From ea4524024ab61e28c28a2b130efd94fe91566da7 Mon Sep 17 00:00:00 2001
From: Jakob Borg
Date: Wed, 30 Jul 2014 07:59:22 +0200
Subject: [PATCH] Verify certificate name

---
 cmd/syncthing/main.go | 23 ++++++++++++++++++++++-
 config/config.go | 1 +
 2 files changed, 23 insertions(+), 1 deletion(-)

diff --git a/cmd/syncthing/main.go b/cmd/syncthing/main.go
index 9c0265277..4c1c89cd5 100644
--- a/cmd/syncthing/main.go
+++ b/cmd/syncthing/main.go
@@ -633,7 +633,8 @@ next:
 			conn.Close()
 			continue
 		}
-		remoteID := protocol.NewNodeID(certs[0].Raw)
+		remoteCert := certs[0]
+		remoteID := protocol.NewNodeID(remoteCert.Raw)
 
 		if remoteID == myID {
 			l.Infof("Connected to myself (%s) - should not happen", remoteID)
@@ -649,10 +650,30 @@ next:
 
 		for _, nodeCfg := range cfg.Nodes {
 			if nodeCfg.NodeID == remoteID {
+				// Verify the name on the certificate. By default we set it to
+				// "syncthing" when generating, but the user may have replaced
+				// the certificate and used another name.
+				certName := nodeCfg.CertName
+				if certName == "" {
+					certName = "syncthing"
+				}
+				err := remoteCert.VerifyHostname(certName)
+				if err != nil {
+					// Incorrect certificate name is something the user most
+					// likely wants to know about, since it's an advanced
+					// config. Warn instead of Info.
+					l.Warnf("Bad certificate from %s (%v): %v", remoteID, conn.RemoteAddr(), err)
+					conn.Close()
+					continue next
+				}
+
+				// If rate limiting is set, we wrap the write side of the
+				// connection in a limiter.
 				var wr io.Writer = conn
 				if rateBucket != nil {
 					wr = &limitedWriter{conn, rateBucket}
 				}
+
 				name := fmt.Sprintf("%s-%s", conn.LocalAddr(), conn.RemoteAddr())
 				protoConn := protocol.NewConnection(remoteID, conn, wr, m, name, nodeCfg.Compression)
 
diff --git a/config/config.go b/config/config.go
index d7ff4428b..4f4ea4bb4 100644
--- a/config/config.go
+++ b/config/config.go
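Review bot: The fallback `certName = "syncthing"` compares against a fixed string that any self-generated certificate can carry, so `remoteCert.VerifyHostname(certName)` is a configuration-consistency check rather than peer authentication — that remains the NodeID computed from `remoteCert.Raw` earlier in the function, and a comment making this explicit would stop a later reader treating the name check as the security boundary, e.g. `// Peer identity is remoteID (derived from the certificate); this only detects a replaced or mis-named certificate.` The literal "syncthing" is presumably the same default used where the certificate is generated; a shared constant would keep the two sides from drifting. Newer Go releases ignore the Common Name in VerifyHostname, so this check only holds up if the generated certificate also carries the name as a SAN — worth confirming against the generation code. The enclosing loop body starts and ends outside the hunk.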
@@ -97,6 +97,7 @@ type NodeConfiguration struct {
 	Name        string   `xml:"name,attr,omitempty"`
 	Addresses   []string `xml:"address,omitempty"`
 	Compression bool     `xml:"compression,attr"`
+	CertName    string   `xml:"certName,attr,omitempty"`
 }
 
 type OptionsConfiguration struct {
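Review bot: The new `CertName` field carries a non-obvious default — an empty value is treated as "syncthing" by the connection code in cmd/syncthing/main.go — but nothing on the struct says so, and a config reader cannot learn it from here. Suggest a doc comment on the field: `// CertName is the expected name on the node's TLS certificate; empty means the default "syncthing".` The struct declaration begins outside the hunk.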