author | Lukas Venhoda <lvenhoda@redhat.com> | 2015-10-22 14:22:19 +0200 |
---|---|---|
committer | Fabiano FidĂȘncio <fidencio@redhat.com> | 2015-10-23 11:07:45 +0200 |
commit | fb6904f528fc0d43a70646f9ba1fe5a5aaeb47a6 (patch) | |
tree | a63cf2d402db9faf088959794a9492ceae90697a | |
parent | f7ec855af3deff18aeb43ddbf2467c565f4bf346 (diff) |
ssl-verify: Only check addr length when using IP addr
Only check the address length when connecting through an IP address.
It is not used when connecting through a DNS hostname.
-rw-r--r-- | common/ssl_verify.c | 15 |
1 files changed, 8 insertions, 7 deletions
diff --git a/common/ssl_verify.c b/common/ssl_verify.c
index a830800..fe04409 100644
--- a/common/ssl_verify.c
+++ b/common/ssl_verify.c
@@ -161,8 +161,6 @@ static int verify_hostname(X509* cert, const char *hostname)
 {
 GENERAL_NAMES* subject_alt_names;
 int found_dns_name = 0;
- struct in_addr addr;
- int addr_len = 0;
 int cn_match = 0;
 X509_NAME* subject;
 
@@ -173,11 +171,6 @@ static int verify_hostname(X509* cert, const char *hostname)
 return 0;
 }
 
- // only IpV4 supported
- if (inet_aton(hostname, &addr)) {
- addr_len = sizeof(struct in_addr);
- }
-
 /* try matching against:
 * 1) a DNS name as an alternative name (subjectAltName) extension
 * in the certificate
@@ -209,8 +202,16 @@ static int verify_hostname(X509* cert, const char *hostname)
 return 1;
 }
 } else if (name->type == GEN_IPADD) {
+ struct in_addr addr;
+ int addr_len = 0;
 int alt_ip_len = ASN1_STRING_length(name->d.iPAddress);
 found_dns_name = 1;
+
+ // only IpV4 supported
+ if (inet_aton(hostname, &addr)) {
+ addr_len = sizeof(struct in_addr);
+ }
+
 if ((addr_len == alt_ip_len)&&
 !memcmp(ASN1_STRING_data(name->d.iPAddress), &addr, addr_len)) {
 spice_debug("alt name IP match=%s", |
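Review bot: In the `GEN_IPADD` branch, `addr_len` stays 0 whenever `inet_aton(hostname, &addr)` fails, so for a DNS hostname the test `(addr_len == alt_ip_len) && !memcmp(..., addr_len)` holds for a subjectAltName iPAddress entry of length zero and the match branch is entered. Requiring a successfully parsed address closes that gap: `if (addr_len != 0 && (addr_len == alt_ip_len) &&`. The same condition existed before this commit, when the variables lived at function scope, and what the branch does after `spice_debug` lies outside the hunk, so confirm that it reports a match there. Separately, `inet_aton` accepts shorthand and non-decimal address forms and is now re-run for every IP entry; `inet_pton(AF_INET, hostname, &addr) == 1` is the stricter parse if only dotted-quad input should be treated as an IP address.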