On Wed, Oct 14, 2015 at 4:57 PM, Lukas Venhoda <lvenhoda@xxxxxxxxxx> wrote:
> Only check for address lenght, when connecting trough IP address.
> It is not used, when connecting trough DNS hostname.
> ---
> Changes since v2:
> - Also moved variable declarations
>
> Changes since v1:
> - New patch
> ---
> common/ssl_verify.c | 15 ++++++++-------
> 1 file changed, 8 insertions(+), 7 deletions(-)
>
> diff --git a/common/ssl_verify.c b/common/ssl_verify.c
> index a830800..fe04409 100644
> --- a/common/ssl_verify.c
> +++ b/common/ssl_verify.c
> @@ -161,8 +161,6 @@ static int verify_hostname(X509* cert, const char *hostname)
> {
> GENERAL_NAMES* subject_alt_names;
> int found_dns_name = 0;
> - struct in_addr addr;
> - int addr_len = 0;
> int cn_match = 0;
> X509_NAME* subject;
>
> @@ -173,11 +171,6 @@ static int verify_hostname(X509* cert, const char *hostname)
> return 0;
> }
>
> - // only IpV4 supported
> - if (inet_aton(hostname, &addr)) {
> - addr_len = sizeof(struct in_addr);
> - }
> -
> /* try matching against:
> * 1) a DNS name as an alternative name (subjectAltName) extension
> * in the certificate
> @@ -209,8 +202,16 @@ static int verify_hostname(X509* cert, const char *hostname)
> return 1;
> }
> } else if (name->type == GEN_IPADD) {
> + struct in_addr addr;
> + int addr_len = 0;
> int alt_ip_len = ASN1_STRING_length(name->d.iPAddress);
> found_dns_name = 1;
> +
> + // only IpV4 supported
> + if (inet_aton(hostname, &addr)) {
> + addr_len = sizeof(struct in_addr);
> + }
> +
> if ((addr_len == alt_ip_len)&&
> !memcmp(ASN1_STRING_data(name->d.iPAddress), &addr, addr_len)) {
> spice_debug("alt name IP match=%s",
> --
> 2.4.3
>
> _______________________________________________
> Spice-devel mailing list
> Spice-devel@xxxxxxxxxxxxxxxxxxxxx
> http://lists.freedesktop.org/mailman/listinfo/spice-devel
Looks good, ACK!
--
Fabiano Fidêncio
_______________________________________________
Spice-devel mailing list
Spice-devel@xxxxxxxxxxxxxxxxxxxxx
http://lists.freedesktop.org/mailman/listinfo/spice-devel