[Spice-devel] [common PATCH 3/4 v2] ssl-verify: Changed IPv4 hostname to IPv6
Christophe Fergeau
cfergeau at redhat.com
Fri Oct 9 09:03:07 PDT 2015
On Thu, Oct 08, 2015 at 04:32:57PM +0200, Lukas Venhoda wrote:
> Replaced the old inet_aton function with the modern getaddrinfo.
>
> inet_aton only supported IPv4 addresses, and wasn't available on windows
> machines. getaddrinfo supports both IPv4 and IPv6 natively.
> ---
> Changes since v1:
> - Changed inet_pton() to getaddrinfo()
> - Removed inet_aton() compatibility function
> - Changed 2 variables into a union
> - Cleaned up memcmp condition
> ---
> common/ssl_verify.c | 43 +++++++++++++++++++++++++------------------
> common/ssl_verify.h | 1 +
> 2 files changed, 26 insertions(+), 18 deletions(-)
>
> diff --git a/common/ssl_verify.c b/common/ssl_verify.c
> index 72a3dd8..0b7d958 100644
> --- a/common/ssl_verify.c
> +++ b/common/ssl_verify.c
> @@ -28,23 +28,12 @@
> #include <sys/socket.h>
> #include <netinet/in.h>
> #include <arpa/inet.h>
> +#include <netdb.h>
> +#include <netinet/in.h>
> #endif
> #include <ctype.h>
> #include <string.h>
>
> -#ifdef WIN32
> -static int inet_aton(const char* ip, struct in_addr* in_addr)
> -{
> - unsigned long addr = inet_addr(ip);
> -
> - if (addr == INADDR_NONE) {
> - return 0;
> - }
> - in_addr->S_un.S_addr = addr;
> - return 1;
> -}
> -#endif
> -
> static int verify_pubkey(X509* cert, const char *key, size_t key_size)
> {
> EVP_PKEY* cert_pubkey = NULL;
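Review bot: `<netinet/in.h>` is now included twice in this hunk, once in the existing context and again in the added lines right after `<netdb.h>`; the second include is redundant and should be dropped so that only `+#include <netdb.h>` remains. The header is guarded upstream, so this is harmless at compile time, but it reads as a leftover from an earlier revision of the patch.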
> @@ -161,11 +150,18 @@ static int verify_hostname(X509* cert, const char *hostname)
> {
> GENERAL_NAMES* subject_alt_names;
> int found_dns_name = 0;
> - struct in_addr addr;
> + struct addrinfo hints;
> + struct addrinfo *addr = NULL;
> int addr_len = 0;
> int cn_match = 0;
> X509_NAME* subject;
>
> + union {
> + struct in_addr ipv4;
> + struct in6_addr ipv6;
> + unsigned char data[16];
> + } ip_addr;
> +
> spice_return_val_if_fail(hostname != NULL, 0);
>
> if (!cert) {
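Review bot: The union's raw byte view is sized with a magic number, `unsigned char data[16];`, while the code that fills it uses `sizeof(struct in_addr)` and `sizeof(struct in6_addr)`; writing it as `unsigned char data[sizeof(struct in6_addr)];` ties the buffer to the largest member it aliases and makes the intent obvious to the reader. A short comment on the union, such as `/* numeric form of hostname, compared byte-wise against iPAddress SANs */`, would also help, since the union is declared far from the code that uses it. The body of verify_hostname continues outside this hunk.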
> @@ -207,13 +203,24 @@ static int verify_hostname(X509* cert, const char *hostname)
> int alt_ip_len = ASN1_STRING_length(name->d.iPAddress);
> found_dns_name = 1;
>
> - // only IpV4 supported
> - if (inet_aton(hostname, &addr)) {
> - addr_len = sizeof(struct in_addr);
> + memset(&hints, 0, sizeof(hints));
> + hints.ai_socktype = SOCK_STREAM;
> + hints.ai_flags = AI_NUMERICHOST;
> +
> + if (getaddrinfo(hostname, NULL, &hints, &addr) == 0) {
> + if (addr->ai_family == AF_INET) {
> + addr_len = sizeof(struct in_addr);
> + ip_addr.ipv4 = ((struct sockaddr_in *)addr->ai_addr)->sin_addr;
> + } else if (addr->ai_family == AF_INET6) {
> + addr_len = sizeof(struct in6_addr);
> + ip_addr.ipv6 = ((struct sockaddr_in6 *)addr->ai_addr)->sin6_addr;
> + }
> +
> + freeaddrinfo(addr);
You are supposed to be iterating over the results returned by
getaddrinfo, so I would add a helper function doing the iteration and
seeing if there's a match with name->d.iPAddress. Or you could try your
luck with g_resolver_lookup_by_name()
Christophe
> }
>
> if ((addr_len == alt_ip_len)&&
> - !memcmp(ASN1_STRING_data(name->d.iPAddress), &addr, addr_len)) {
> + (memcmp(ASN1_STRING_data(name->d.iPAddress), &ip_addr.data, addr_len) == 0)) {
> spice_debug("alt name IP match=%s",
> inet_ntoa(*((struct in_addr*)ASN1_STRING_data(name->d.iPAddress))));
> GENERAL_NAMES_free(subject_alt_names);
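Review bot: The match log on the `spice_debug("alt name IP match=%s"` line still casts the SAN bytes to `struct in_addr` and prints them with inet_ntoa, so an IPv6 match, which this hunk newly makes possible, is logged as a bogus IPv4 address built from the first four bytes. Keep the family from `addr->ai_family` in a local before `freeaddrinfo(addr)`, then log with `char buf[INET6_ADDRSTRLEN];` and `inet_ntop(family, ip_addr.data, buf, sizeof buf);` (or simply log `hostname`). Two smaller points: getaddrinfo is run once per iPAddress SAN although `hostname` never changes inside the loop, so the lookup and the `hints` setup could be hoisted above the loop; and when getaddrinfo succeeds with a family other than AF_INET/AF_INET6, `addr_len` stays 0, which appears to let a zero-length iPAddress entry satisfy `addr_len == alt_ip_len` and the zero-length memcmp, so guarding with `addr_len > 0 &&` in that condition seems prudent. The enclosing loop and function continue outside this hunk.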
> diff --git a/common/ssl_verify.h b/common/ssl_verify.h
> index e32ca54..a7fcfee 100644
> --- a/common/ssl_verify.h
> +++ b/common/ssl_verify.h
> @@ -20,6 +20,7 @@
> #define SSL_VERIFY_H
>
> #if defined(WIN32)
> +#include <ws2tcpip.h>
> #include <windows.h>
> #include <wincrypt.h>
> #ifdef X509_NAME
> --
> 2.4.3
>