[Spice-commits] 3 commits - common/ssl_verify.c m4/spice-deps.m4

Fabiano FidĂȘncio fidencio at kemper.freedesktop.org
Fri Oct 23 02:08:16 PDT 2015


 common/ssl_verify.c |   48 +++++++++++++++++++++++-------------------------
 m4/spice-deps.m4    |    2 +-
 2 files changed, 24 insertions(+), 26 deletions(-)

New commits:
commit 9749e7ed14ded2b455395bc6db84519a8ec0cc7b
Author: Lukas Venhoda <lvenhoda at redhat.com>
Date:   Thu Oct 22 14:22:21 2015 +0200

    ssl-verify: Changed IPv4 hostname to IPv6
    
    Change inet_aton function to glib functions.
    
    inet_aton only supported IPv4 addresses, and wasn't available on Windows
    machines. GInetAddress functions support IPv6 natively, and require less
    boilerplate code than IPv6 getaddrinfo().

diff --git a/common/ssl_verify.c b/common/ssl_verify.c
index fe04409..867c54f 100644
--- a/common/ssl_verify.c
+++ b/common/ssl_verify.c
@@ -31,19 +31,7 @@
 #endif
 #include <ctype.h>
 #include <string.h>
-
-#ifdef WIN32
-static int inet_aton(const char* ip, struct in_addr* in_addr)
-{
-    unsigned long addr = inet_addr(ip);
-
-    if (addr == INADDR_NONE) {
-        return 0;
-    }
-    in_addr->S_un.S_addr = addr;
-    return 1;
-}
-#endif
+#include <gio/gio.h>
 
 static int verify_pubkey(X509* cert, const char *key, size_t key_size)
 {
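Review bot: The new `#include <gio/gio.h>` pulls in GIO, but the build check touched in this same push (`PKG_CHECK_MODULES(GLIB2, glib-2.0 >= 2.22)` in m4/spice-deps.m4) only asks pkg-config for glib-2.0. GInetAddress lives in libgio, so GLIB2_LIBS as defined there would not carry the gio/gobject libraries, and the link presumably only works where a consumer adds them itself. Requesting the module explicitly, e.g. `PKG_CHECK_MODULES(GLIB2, glib-2.0 >= 2.22 gio-2.0 >= 2.22)`, would make the declared dependency match the code.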
@@ -202,20 +190,29 @@ static int verify_hostname(X509* cert, const char *hostname)
                     return 1;
                 }
             } else if (name->type == GEN_IPADD) {
-                struct in_addr addr;
-                int addr_len = 0;
-                int alt_ip_len = ASN1_STRING_length(name->d.iPAddress);
+                GInetAddress * alt_ip = NULL;
+                GInetAddress * ip = NULL;
+                gchar * alt_ip_string = NULL;
+                const guint8 * ip_binary = NULL;
+                int alt_ip_len = 0;
+                int ip_len = 0;
+
                 found_dns_name = 1;
 
-                // only IpV4 supported
-                if (inet_aton(hostname, &addr)) {
-                    addr_len = sizeof(struct in_addr);
-                }
+                ip = g_inet_address_new_from_string(hostname);
+                ip_len = g_inet_address_get_native_size(ip);
+                ip_binary = g_inet_address_to_bytes(ip);
+
+                alt_ip_len = ASN1_STRING_length(name->d.iPAddress);
+
+                if ((ip_len == alt_ip_len) &&
+                   (memcmp(ASN1_STRING_data(name->d.iPAddress), ip_binary, ip_len)) == 0) {
+                    alt_ip = g_inet_address_new_from_bytes(ASN1_STRING_data(name->d.iPAddress),
+                                                           g_inet_address_get_family(ip));
+                    alt_ip_string = g_inet_address_to_string(alt_ip);
+                    spice_debug("alt name IP match=%s", alt_ip_string);
 
-                if ((addr_len == alt_ip_len)&&
-                    !memcmp(ASN1_STRING_data(name->d.iPAddress), &addr, addr_len)) {
-                    spice_debug("alt name IP match=%s",
-                                inet_ntoa(*((struct in_addr*)ASN1_STRING_data(name->d.dNSName))));
+                    g_free(alt_ip_string);
                     GENERAL_NAMES_free(subject_alt_names);
                     return 1;
                 }
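Review bot: `g_inet_address_new_from_string(hostname)` returns NULL whenever hostname is not an IP literal, and the added lines pass that NULL straight to `g_inet_address_get_native_size()` and `g_inet_address_to_bytes()` for every iPAddress entry in the certificate. Those calls then yield 0 and NULL (with GLib critical warnings, as far as I know), so the match condition degenerates to `0 == alt_ip_len` with a zero-length memcmp, and a zero-length iPAddress entry would be accepted for a DNS hostname; the comparison should be skipped entirely when ip is NULL. The success path also returns without `g_object_unref()` on ip and alt_ip, and ip is not released on the non-matching path visible here. The older hunk from fb6904f further down has the same zero-length comparison through `addr_len = 0`. verify_hostname continues outside this hunk, so the fence shows only the rewritten branch.

```c
                ip = g_inet_address_new_from_string(hostname);
                if (ip != NULL) {
                    ip_len = g_inet_address_get_native_size(ip);
                    ip_binary = g_inet_address_to_bytes(ip);
                    alt_ip_len = ASN1_STRING_length(name->d.iPAddress);

                    if ((ip_len == alt_ip_len) &&
                        (memcmp(ASN1_STRING_data(name->d.iPAddress), ip_binary, ip_len)) == 0) {
                        /* … unchanged: build alt_ip, format and log alt_ip_string … */
                        g_free(alt_ip_string);
                        g_object_unref(alt_ip);
                        g_object_unref(ip);
                        GENERAL_NAMES_free(subject_alt_names);
                        return 1;
                    }
                    /* no match for this entry: drop the parsed address before moving on */
                    g_object_unref(ip);
                }
```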
commit 9b74e47ed34c297a51d7bbd108b822979895bb6c
Author: Lukas Venhoda <lvenhoda at redhat.com>
Date:   Thu Oct 22 14:22:20 2015 +0200

    m4: Require glib version >= 2.22
    
    This is required by the GInetAddress functions.

diff --git a/m4/spice-deps.m4 b/m4/spice-deps.m4
index f56073f..bcd6f98 100644
--- a/m4/spice-deps.m4
+++ b/m4/spice-deps.m4
@@ -140,7 +140,7 @@ AC_DEFUN([SPICE_CHECK_PIXMAN], [
 # use in the GLIB2_CFLAGS and GLIB2_LIBS variables.
 #------------------
 AC_DEFUN([SPICE_CHECK_GLIB2], [
-    PKG_CHECK_MODULES(GLIB2, glib-2.0)
+    PKG_CHECK_MODULES(GLIB2, glib-2.0 >= 2.22)
 ])
 
 # SPICE_CHECK_PYTHON_MODULES()
commit fb6904f528fc0d43a70646f9ba1fe5a5aaeb47a6
Author: Lukas Venhoda <lvenhoda at redhat.com>
Date:   Thu Oct 22 14:22:19 2015 +0200

    ssl-verify: Only check addr length when using IP addr
    
    Only check for address length, when connecting through IP address.
    It is not used, when connecting through DNS hostname.

diff --git a/common/ssl_verify.c b/common/ssl_verify.c
index a830800..fe04409 100644
--- a/common/ssl_verify.c
+++ b/common/ssl_verify.c
@@ -161,8 +161,6 @@ static int verify_hostname(X509* cert, const char *hostname)
 {
     GENERAL_NAMES* subject_alt_names;
     int found_dns_name = 0;
-    struct in_addr addr;
-    int addr_len = 0;
     int cn_match = 0;
     X509_NAME* subject;
 
@@ -173,11 +171,6 @@ static int verify_hostname(X509* cert, const char *hostname)
         return 0;
     }
 
-    // only IpV4 supported
-    if (inet_aton(hostname, &addr)) {
-        addr_len = sizeof(struct in_addr);
-    }
-
     /* try matching against:
      *  1) a DNS name as an alternative name (subjectAltName) extension
      *     in the certificate
@@ -209,8 +202,16 @@ static int verify_hostname(X509* cert, const char *hostname)
                     return 1;
                 }
             } else if (name->type == GEN_IPADD) {
+                struct in_addr addr;
+                int addr_len = 0;
                 int alt_ip_len = ASN1_STRING_length(name->d.iPAddress);
                 found_dns_name = 1;
+
+                // only IpV4 supported
+                if (inet_aton(hostname, &addr)) {
+                    addr_len = sizeof(struct in_addr);
+                }
+
                 if ((addr_len == alt_ip_len)&&
                     !memcmp(ASN1_STRING_data(name->d.iPAddress), &addr, addr_len)) {
                     spice_debug("alt name IP match=%s",

