[Spice-devel] [common PATCH 3/4 v2] ssl-verify: Changed IPv4 hostname to IPv6
Lukas Venhoda
lvenhoda at redhat.com
Thu Oct 8 07:32:57 PDT 2015
Replaced the old inet_aton() call with getaddrinfo(). inet_aton() only handled IPv4 literals and is not available on Windows, so a compatibility wrapper was needed there; getaddrinfo() parses both IPv4 and IPv6 literals natively on every platform.
---
Changes since v1:
- Changed inet_pton() to getaddrinfo()
- Removed inet_aton() compatibility function
- Changed 2 variables into a union
- Cleaned up memcmp condition
---
common/ssl_verify.c | 43 +++++++++++++++++++++++++------------------
common/ssl_verify.h | 1 +
2 files changed, 26 insertions(+), 18 deletions(-)
diff --git a/common/ssl_verify.c b/common/ssl_verify.c
index 72a3dd8..0b7d958 100644
--- a/common/ssl_verify.c
+++ b/common/ssl_verify.c
@@ -28,23 +28,12 @@
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
+#include <netdb.h>
+#include <netinet/in.h>
#endif
#include <ctype.h>
#include <string.h>
-#ifdef WIN32
-static int inet_aton(const char* ip, struct in_addr* in_addr)
-{
- unsigned long addr = inet_addr(ip);
-
- if (addr == INADDR_NONE) {
- return 0;
- }
- in_addr->S_un.S_addr = addr;
- return 1;
-}
-#endif
-
static int verify_pubkey(X509* cert, const char *key, size_t key_size)
{
EVP_PKEY* cert_pubkey = NULL;
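Review bot: The added `#include <netinet/in.h>` on the new side duplicates the one already present three lines above it in the same `#ifndef WIN32` group; only `#include <netdb.h>` is actually new here. Drop the duplicate so the include list stays one-per-header, e.g. keep just `#include <netdb.h>` after `<arpa/inet.h>`. The surrounding `#if`/`#else` that this group belongs to starts before the hunk, so I cannot see which branch it sits in.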
@@ -161,11 +150,18 @@ static int verify_hostname(X509* cert, const char *hostname)
{
GENERAL_NAMES* subject_alt_names;
int found_dns_name = 0;
- struct in_addr addr;
+ struct addrinfo hints;
+ struct addrinfo *addr = NULL;
int addr_len = 0;
int cn_match = 0;
X509_NAME* subject;
+ union {
+ struct in_addr ipv4;
+ struct in6_addr ipv6;
+ unsigned char data[16];
+ } ip_addr;
+
spice_return_val_if_fail(hostname != NULL, 0);
if (!cert) {
@@ -207,13 +203,24 @@ static int verify_hostname(X509* cert, const char *hostname)
int alt_ip_len = ASN1_STRING_length(name->d.iPAddress);
found_dns_name = 1;
- // only IpV4 supported
- if (inet_aton(hostname, &addr)) {
- addr_len = sizeof(struct in_addr);
+ memset(&hints, 0, sizeof(hints));
+ hints.ai_socktype = SOCK_STREAM;
+ hints.ai_flags = AI_NUMERICHOST;
+
+ if (getaddrinfo(hostname, NULL, &hints, &addr) == 0) {
+ if (addr->ai_family == AF_INET) {
+ addr_len = sizeof(struct in_addr);
+ ip_addr.ipv4 = ((struct sockaddr_in *)addr->ai_addr)->sin_addr;
+ } else if (addr->ai_family == AF_INET6) {
+ addr_len = sizeof(struct in6_addr);
+ ip_addr.ipv6 = ((struct sockaddr_in6 *)addr->ai_addr)->sin6_addr;
+ }
+
+ freeaddrinfo(addr);
}
if ((addr_len == alt_ip_len)&&
- !memcmp(ASN1_STRING_data(name->d.iPAddress), &addr, addr_len)) {
+ (memcmp(ASN1_STRING_data(name->d.iPAddress), &ip_addr.data, addr_len) == 0)) {
spice_debug("alt name IP match=%s",
inet_ntoa(*((struct in_addr*)ASN1_STRING_data(name->d.iPAddress))));
GENERAL_NAMES_free(subject_alt_names);
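Review bot: The match condition still accepts a zero-length comparison: when `hostname` is not a numeric literal (or getaddrinfo() returns a family other than AF_INET/AF_INET6) `addr_len` stays 0, and an iPAddress SAN entry whose `ASN1_STRING_length` is also 0 then satisfies `addr_len == alt_ip_len` and `memcmp(..., 0) == 0`, so the certificate is reported as matching. Whether OpenSSL lets an empty iPAddress through its parser I cannot confirm from here, but the check should not rely on it; guard the length explicitly, `if ((addr_len > 0) && (addr_len == alt_ip_len) && (memcmp(ASN1_STRING_data(name->d.iPAddress), ip_addr.data, addr_len) == 0)) {`. The debug message below it also still formats the SAN with `inet_ntoa()`, which prints only the first four bytes of a 16-byte IPv6 entry; since the patch adds IPv6, consider `inet_ntop(AF_INET6, ...)` into a local buffer when `alt_ip_len == sizeof(struct in6_addr)`. Lastly, getaddrinfo() is re-run for every iPAddress SAN in the loop although `hostname` does not change; hoisting the parse above the loop (the loop header lies outside this hunk, as does the rest of verify_hostname) would avoid that.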
diff --git a/common/ssl_verify.h b/common/ssl_verify.h
index e32ca54..a7fcfee 100644
--- a/common/ssl_verify.h
+++ b/common/ssl_verify.h
@@ -20,6 +20,7 @@
#define SSL_VERIFY_H
#if defined(WIN32)
+#include <ws2tcpip.h>
#include <windows.h>
#include <wincrypt.h>
#ifdef X509_NAME
--
2.4.3