author | Lukas Venhoda <lvenhoda@redhat.com> | 2015-10-22 14:22:19 +0200 |
---|---|---|
committer | Fabiano FidĂȘncio <fidencio@redhat.com> | 2015-10-23 11:07:45 +0200 |
commit | fb6904f528fc0d43a70646f9ba1fe5a5aaeb47a6 (patch) | |
tree | a63cf2d402db9faf088959794a9492ceae90697a /common | |
parent | f7ec855af3deff18aeb43ddbf2467c565f4bf346 (diff) | |
ssl-verify: Only check addr length when using IP addr
Only check the address length when connecting through an IP address.
It is not used when connecting through a DNS hostname.
Diffstat (limited to 'common')
-rw-r--r-- | common/ssl_verify.c | 15 |
1 files changed, 8 insertions, 7 deletions
diff --git a/common/ssl_verify.c b/common/ssl_verify.c
index a830800..fe04409 100644
--- a/common/ssl_verify.c
+++ b/common/ssl_verify.c
@@ -161,8 +161,6 @@ static int verify_hostname(X509* cert, const char *hostname)
 {
 GENERAL_NAMES* subject_alt_names;
 int found_dns_name = 0;
- struct in_addr addr;
- int addr_len = 0;
 int cn_match = 0;
 X509_NAME* subject;
@@ -173,11 +171,6 @@ static int verify_hostname(X509* cert, const char *hostname)
 return 0;
 }
- // only IpV4 supported
- if (inet_aton(hostname, &addr)) {
- addr_len = sizeof(struct in_addr);
- }
-
 /* try matching against:
 * 1) a DNS name as an alternative name (subjectAltName) extension
 * in the certificate
@@ -209,8 +202,16 @@ static int verify_hostname(X509* cert, const char *hostname)
 return 1;
 }
 } else if (name->type == GEN_IPADD) {
+ struct in_addr addr;
+ int addr_len = 0;
 int alt_ip_len = ASN1_STRING_length(name->d.iPAddress);
 found_dns_name = 1;
+
+ // only IpV4 supported
+ if (inet_aton(hostname, &addr)) {
+ addr_len = sizeof(struct in_addr);
+ }
+
 if ((addr_len == alt_ip_len)&&
 !memcmp(ASN1_STRING_data(name->d.iPAddress), &addr, addr_len)) {
 spice_debug("alt name IP match=%s", |
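Review bot: In the GEN_IPADD branch of the third hunk, a hostname that is not an IPv4 literal leaves `addr_len` at 0 and `addr` unwritten, so an iPAddress entry whose `ASN1_STRING_length` is 0 would pass `addr_len == alt_ip_len` and the zero-length `memcmp`, and be reported as a match. The old code had the same gap, but since the parse now sits right next to the comparison this is the natural place to close it, e.g. `if ((addr_len != 0) && (addr_len == alt_ip_len) &&`. Separately, `inet_aton` accepts shorthand, octal and hex spellings of an address; `inet_pton(AF_INET, hostname, &addr) == 1` would restrict the match to dotted-quad input, though whether any caller relies on the lenient forms cannot be seen from this page. The body of this `if` and the rest of verify_hostname continue outside the hunk.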