[Spice-devel] [common PATCH 1/4 v2] ssl-verify: Only check addr length when using IP addr

Christophe Fergeau cfergeau at redhat.com
Fri Oct 9 08:52:57 PDT 2015


Hey,

On Thu, Oct 08, 2015 at 04:32:55PM +0200, Lukas Venhoda wrote:
> Only check for address length when connecting through IP address.
> It is not used when connecting through DNS hostname.
> ---
> Changes since v1:
>  - New patch
>     - Wasn't moved in v1
> ---
>  common/ssl_verify.c | 11 ++++++-----
>  1 file changed, 6 insertions(+), 5 deletions(-)
> 
> diff --git a/common/ssl_verify.c b/common/ssl_verify.c
> index a830800..24c6e2c 100644
> --- a/common/ssl_verify.c
> +++ b/common/ssl_verify.c
> @@ -173,11 +173,6 @@ static int verify_hostname(X509* cert, const char *hostname)
>          return 0;
>      }
> 
> -    // only IpV4 supported
> -    if (inet_aton(hostname, &addr)) {
> -        addr_len = sizeof(struct in_addr);
> -    }
> -
>      /* try matching against:
>       *  1) a DNS name as an alternative name (subjectAltName) extension
>       *     in the certificate
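
Review bot: With the inet_aton() block removed from the top of verify_hostname(), addr_len is no longer assigned anywhere before the subjectAltName matching starts, and its declaration is not visible in this hunk. Please confirm it is initialised to 0 where it is declared and that no code path outside the GEN_IPADD branch still reads addr or addr_len. Otherwise a hostname that is not an IPv4 literal would reach a later comparison with a stale or indeterminate length.
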
> @@ -211,6 +206,12 @@ static int verify_hostname(X509* cert, const char *hostname)
>              } else if (name->type == GEN_IPADD) {
>                  int alt_ip_len = ASN1_STRING_length(name->d.iPAddress);
>                  found_dns_name = 1;
> +
> +                // only IpV4 supported
> +                if (inet_aton(hostname, &addr)) {
> +                    addr_len = sizeof(struct in_addr);
> +                }
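
Review bot: In the GEN_IPADD branch, inet_aton(hostname, &addr) now runs once per IP entry in the certificate, and when it returns 0 addr_len keeps whatever value it had before. The parse result does not depend on the entry, so it can be computed once into block-local variables with addr_len set to 0 on failure, which makes the "not an IP address" case explicit when it is later compared with alt_ip_len. Also note that inet_aton() accepts more than dotted-quad notation (shortened forms such as "127.1", and hex or octal components), so if the intent of "only IpV4 supported" is a strict literal match, inet_pton(AF_INET, ...) is the tighter check.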

I'd even move the declaration of the 'addr' and 'addr_len' variables to
that block, this way the compiler will tell us if they are used
elsewhere or not (and this makes the code easier to read/follow imo).
ACK otherwise, better to have this ipv4 specific check as localized as
possible.

Christophe