[glib-networking] tlscertificate-gnutls: add support for X509v3 SAN IP addresses

[Dan Winship <danw src gnome org>]

commit b342cd555e11cae0b5e221ac48b6eae5c92f929a
Author: Aleix Conchillo Flaqué <aleix oblong com>
Date:   Mon Mar 17 18:51:57 2014 -0700

    tlscertificate-gnutls: add support for X509v3 SAN IP addresses
    
    If a network address is given and the IP can not resolve to a hostname
    we now check it with the X509v3 Subject Alternate Name IP
    fields (GNUTLS_SAN_IPADDRESS).
    
    https://bugzilla.gnome.org/show_bug.cgi?id=726596

 tls/gnutls/gtlscertificate-gnutls.c |   44 ++++++++++++++++++++++++++++++++--
 1 files changed, 41 insertions(+), 3 deletions(-)
---
diff --git a/tls/gnutls/gtlscertificate-gnutls.c b/tls/gnutls/gtlscertificate-gnutls.c
index a2b46a8..ba6b5d2 100644
--- a/tls/gnutls/gtlscertificate-gnutls.c
+++ b/tls/gnutls/gtlscertificate-gnutls.c
@@ -545,6 +545,7 @@ g_tls_certificate_gnutls_verify_identity (GTlsCertificateGnutls *gnutls,
                                          GSocketConnectable    *identity)
 {
   const char *hostname;
+  GInetAddress *addr;
 
   if (G_IS_NETWORK_ADDRESS (identity))
     hostname = g_network_address_get_hostname (G_NETWORK_ADDRESS (identity));
@@ -553,10 +554,47 @@ g_tls_certificate_gnutls_verify_identity (GTlsCertificateGnutls *gnutls,
   else
     hostname = NULL;
 
-  if (hostname)
+  if (!hostname)
+    return G_TLS_CERTIFICATE_BAD_IDENTITY;
+
+  if (gnutls_x509_crt_check_hostname (gnutls->priv->cert, hostname))
+    return 0;
+
+  if (!g_hostname_is_ip_address (hostname))
+    return G_TLS_CERTIFICATE_BAD_IDENTITY;
+
+  addr = g_inet_address_new_from_string (hostname);
+  if (addr)
     {
-      if (gnutls_x509_crt_check_hostname (gnutls->priv->cert, hostname))
-       return 0;
+      int i, ret = 0;
+      gsize addr_size;
+      const guint8 *addr_bytes;
+
+      addr_bytes = g_inet_address_to_bytes (addr);
+      addr_size = g_inet_address_get_native_size (addr);
+
+      /* Here we only add an additional check to support IP addresses. */
+      for (i = 0; ret >= 0; i++)
+        {
+          char san[500];
+          size_t san_size;
+
+          san_size = sizeof (san);
+          ret = gnutls_x509_crt_get_subject_alt_name (gnutls->priv->cert, i,
+                                                      san, &san_size, NULL);
+
+          if ((ret == GNUTLS_SAN_IPADDRESS) && (addr_size == san_size))
+            {
+              /* Let's check if found a matching IP. */
+              if (memcmp (addr_bytes, san, addr_size) == 0)
+                {
+                  g_object_unref (addr);
+                  return 0;
+                }
+            }
+        }
+
+      g_object_unref (addr);
     }
 
   /* FIXME: check sRVName and uniformResourceIdentifier