[Spice-devel] [common PATCH 1/3 v4] ssl-verify: Only check addr length when using IP addr

Christophe Fergeau cfergeau at redhat.com
Thu Oct 22 05:46:52 PDT 2015


On Thu, Oct 22, 2015 at 02:22:19PM +0200, Lukas Venhoda wrote:
> Only check for address lenght, when connecting trough IP address.

Fwiw, 'length', not 'lenght', 'through' rather than 'trough'

> It is not used, when connecting trough DNS hostname.
> ---
> Changes since v3:
>  - Nothing
> 
> Changes since v2:
>  - Also moved variable declarations
> 
> Changes since v1:
>  - New patch
> ---
>  common/ssl_verify.c | 15 ++++++++-------
>  1 file changed, 8 insertions(+), 7 deletions(-)
> 
> diff --git a/common/ssl_verify.c b/common/ssl_verify.c
> index a830800..fe04409 100644
> --- a/common/ssl_verify.c
> +++ b/common/ssl_verify.c
> @@ -161,8 +161,6 @@ static int verify_hostname(X509* cert, const char *hostname)
>  {
>      GENERAL_NAMES* subject_alt_names;
>      int found_dns_name = 0;
> -    struct in_addr addr;
> -    int addr_len = 0;
>      int cn_match = 0;
>      X509_NAME* subject;
> 
> @@ -173,11 +171,6 @@ static int verify_hostname(X509* cert, const char *hostname)
>          return 0;
>      }
> 
> -    // only IpV4 supported
> -    if (inet_aton(hostname, &addr)) {
> -        addr_len = sizeof(struct in_addr);
> -    }
> -
>      /* try matching against:
>       *  1) a DNS name as an alternative name (subjectAltName) extension
>       *     in the certificate
> @@ -209,8 +202,16 @@ static int verify_hostname(X509* cert, const char *hostname)
>                      return 1;
>                  }
>              } else if (name->type == GEN_IPADD) {
> +                struct in_addr addr;
> +                int addr_len = 0;
>                  int alt_ip_len = ASN1_STRING_length(name->d.iPAddress);
>                  found_dns_name = 1;
> +
> +                // only IpV4 supported
> +                if (inet_aton(hostname, &addr)) {
> +                    addr_len = sizeof(struct in_addr);
> +                }
> +
>                  if ((addr_len == alt_ip_len)&&
>                      !memcmp(ASN1_STRING_data(name->d.iPAddress), &addr, addr_len)) {
>                      spice_debug("alt name IP match=%s",
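Review bot: In the GEN_IPADD branch, addr_len stays 0 and addr stays uninitialized whenever inet_aton() rejects hostname, yet the `addr_len == alt_ip_len` comparison still runs. memcmp() with a length of 0 returns 0, so a zero-length iPAddress entry would be treated as a match for a DNS hostname. Guard the comparison with the inet_aton() result (or `addr_len != 0`) so the branch is skipped when hostname is not an IP address. The parse is also repeated each time a GEN_IPADD name is examined although hostname does not change, so it could be done once and the result reused. Separately, inet_aton() accepts shorthand forms such as a single number, while inet_pton(AF_INET, ...) accepts only dotted-quad notation, which is a closer fit for certificate matching.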
> --
> 2.4.3
> 