[Spice-devel] [common PATCH 4/4 v2] ssl-verify: Changed debug msg from IPv4 to IPv6
Christophe Fergeau
cfergeau at redhat.com
Fri Oct 9 09:05:51 PDT 2015
On Thu, Oct 08, 2015 at 04:32:58PM +0200, Lukas Venhoda wrote:
> Spice debug message printed only IPv4 addresses using inet_ntoa.
> Changed to inet_pton for IPv6 support.
>
> Can't use getnameinfo, because IP address in certificate is already in
> struct in(6)_addr format used by inet_ntop function.
>
> Added inet_ntop for Windows XP compatibility.
> ---
> Changes since v1:
> - Added inet_ntop() compatibility function
> - For Windows XP
> - Added ip_address_to_string() function
> - Cleaned up alt match debug message
> ---
> common/ssl_verify.c | 50 ++++++++++++++++++++++++++++++++++++++++++++++++--
> 1 file changed, 48 insertions(+), 2 deletions(-)
>
> diff --git a/common/ssl_verify.c b/common/ssl_verify.c
> index 0b7d958..ca3bd23 100644
> --- a/common/ssl_verify.c
> +++ b/common/ssl_verify.c
> @@ -34,6 +34,49 @@
> #include <ctype.h>
> #include <string.h>
>
> +#ifdef WIN32
> +/* Code snippet from http://memset.wordpress.com/2010/10/09/inet_ntop-for-win32/ */
> +static const char * inet_ntop(int af, const void * src, char * dst, socklen_t size)
> +{
> + struct sockaddr_in addr_in;
> +
> + memset(&addr_in, 0, sizeof(struct sockaddr_in));
> + memcpy(&(addr_in.sin_addr), src, sizeof(addr_in.sin_addr));
> +
> + addr_in.sin_family = af;
> + if (WSAAddressToString((struct sockaddr *) &addr_in, sizeof(struct sockaddr_in), 0, dst, &size) != 0) {
> + spice_warning("WSAAddressToString() : %d", WSAGetLastError());
> + return NULL;
> + }
> + return dst;
> +}
> +#endif
Is this code released under a LGPLv2-compatible licence? If not, we
cannot reuse it like that.
> +
> +static int ip_address_to_string(const void * ip_addr, char * string, int ipv6)
> +{
> + int ipversion;
> + int af;
> + socklen_t addr_len;
> +
> + memset(string, 0, INET6_ADDRSTRLEN);
> +
> + if (ipv6) {
> + af = AF_INET6;
> + addr_len = INET6_ADDRSTRLEN;
> + ipversion = 6;
> + } else {
> + af = AF_INET;
> + addr_len = INET_ADDRSTRLEN;
> + ipversion = 4;
> + }
> +
> + if (inet_ntop(af, ip_addr, string, addr_len) == NULL) {
> + return 0;
> + }
> +
> + return ipversion;
> +}
Hmm, might be simpler to use GResolver in the previous commit, and
g_inet_address_to_string () here.
Christophe
> +
> static int verify_pubkey(X509* cert, const char *key, size_t key_size)
> {
> EVP_PKEY* cert_pubkey = NULL;
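Review bot: the WIN32 inet_ntop() shim cannot format IPv6 addresses. It always builds a struct sockaddr_in and copies only sizeof(addr_in.sin_addr) bytes from src before setting sin_family = af, so a call with AF_INET6 hands WSAAddressToString() a truncated address in the wrong structure. Since ip_address_to_string() calls it with AF_INET6, the Windows path needs a struct sockaddr_in6 branch (copy into sin6_addr, pass sizeof(struct sockaddr_in6)) or it should reject af != AF_INET explicitly. The &size argument is a socklen_t * where WSAAddressToString() takes the buffer length as an LPDWORD; a local DWORD would avoid the pointer type mismatch. In ip_address_to_string(), memset(string, 0, INET6_ADDRSTRLEN) relies on every caller passing a buffer of at least that size; taking the buffer length as a parameter would make that requirement explicit.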
> @@ -221,8 +264,11 @@ static int verify_hostname(X509* cert, const char *hostname)
>
> if ((addr_len == alt_ip_len)&&
> (memcmp(ASN1_STRING_data(name->d.iPAddress), &ip_addr.data, addr_len) == 0)) {
> - spice_debug("alt name IP match=%s",
> - inet_ntoa(*((struct in_addr*)ASN1_STRING_data(name->d.iPAddress))));
> + char buf[INET6_ADDRSTRLEN];
> + int ipversion = ip_address_to_string((void *)ASN1_STRING_data(name->d.iPAddress),
> + buf, addr_len == sizeof(struct in6_addr));
> + spice_debug("alt name IPv%d match=%s", ipversion, buf);
> +
> GENERAL_NAMES_free(subject_alt_names);
> return 1;
> }
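Review bot: the return value of ip_address_to_string() goes straight into the spice_debug() call without a check. On failure the helper returns 0, so the message would read "alt name IPv0 match=" with an empty buf. Test for 0 and log the conversion failure separately, leaving the match result (return 1) unaffected. The (void *) cast on ASN1_STRING_data() is not needed, since the helper takes const void *.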
> --
> 2.4.3