[Spice-devel] [spice-common PATCH] ssl_verify.c: Add IPv6 support

Lukas Venhoda lvenhoda at redhat.com
Mon Sep 7 09:55:47 PDT 2015


Add inet_pton and inet_ntop which supports IPv6 address.
inet_aton left for compatibility.
---
 common/ssl_verify.c | 32 +++++++++++++++++++++++---------
 1 file changed, 23 insertions(+), 9 deletions(-)

diff --git a/common/ssl_verify.c b/common/ssl_verify.c
index a830800..d247d95 100644
--- a/common/ssl_verify.c
+++ b/common/ssl_verify.c
@@ -161,10 +161,12 @@ static int verify_hostname(X509* cert, const char *hostname)
 {
     GENERAL_NAMES* subject_alt_names;
     int found_dns_name = 0;
-    struct in_addr addr;
+    struct in_addr ipv4;
+    struct in6_addr ipv6;
     int addr_len = 0;
     int cn_match = 0;
     X509_NAME* subject;
+    int using_ipv6 = 0;

     spice_return_val_if_fail(hostname != NULL, 0);

@@ -173,9 +175,11 @@ static int verify_hostname(X509* cert, const char *hostname)
         return 0;
     }

-    // only IpV4 supported
-    if (inet_aton(hostname, &addr)) {
+    if (inet_aton(hostname, &ipv4)) {
         addr_len = sizeof(struct in_addr);
+    } else if (inet_pton(AF_INET6, hostname, &ipv6)) {
+        addr_len = sizeof(struct in6_addr);
+        using_ipv6 = 1;
     }

     /* try matching against:
@@ -211,12 +215,22 @@ static int verify_hostname(X509* cert, const char *hostname)
             } else if (name->type == GEN_IPADD) {
                 int alt_ip_len = ASN1_STRING_length(name->d.iPAddress);
                 found_dns_name = 1;
-                if ((addr_len == alt_ip_len)&&
-                    !memcmp(ASN1_STRING_data(name->d.iPAddress), &addr, addr_len)) {
-                    spice_debug("alt name IP match=%s",
-                                inet_ntoa(*((struct in_addr*)ASN1_STRING_data(name->d.dNSName))));
-                    GENERAL_NAMES_free(subject_alt_names);
-                    return 1;
+                if (addr_len == alt_ip_len) {
+                    if (using_ipv6 &&
+                    !memcmp(ASN1_STRING_data(name->d.iPAddress), &ipv6, addr_len)) {
+                        char buf[INET6_ADDRSTRLEN];
+                        inet_ntop(AF_INET6,
+                                  ((struct in6_addr*)ASN1_STRING_data(name->d.dNSName)),
+                                  buf, INET6_ADDRSTRLEN);
+                        spice_debug("alt name IP match=%s", buf);
+                        GENERAL_NAMES_free(subject_alt_names);
+                        return 1;
+                    } else if (!memcmp(ASN1_STRING_data(name->d.iPAddress), &ipv4, addr_len)) {
+                        spice_debug("alt name IP match=%s",
+                                    inet_ntoa(*((struct in_addr*)ASN1_STRING_data(name->d.dNSName))));
+                        GENERAL_NAMES_free(subject_alt_names);
+                        return 1;
+                    }
                 }
             }
         }
--
2.4.3



More information about the Spice-devel mailing list