[glib-networking] tlscertificate-gnutls: add support for X509v3 SAN IP addresses
- From: Dan Winship <danw src gnome org>
- To: commits-list gnome org
- Cc:
- Subject: [glib-networking] tlscertificate-gnutls: add support for X509v3 SAN IP addresses
- Date: Mon, 21 Jul 2014 16:29:27 +0000 (UTC)
commit b342cd555e11cae0b5e221ac48b6eae5c92f929a
Author: Aleix Conchillo FlaquƩ <aleix oblong com>
Date: Mon Mar 17 18:51:57 2014 -0700
tlscertificate-gnutls: add support for X509v3 SAN IP addresses
If a network address is given and the IP can not resolve to a hostname
we now check it with the X509v3 Subject Alternate Name IP
fields (GNUTLS_SAN_IPADDRESS).
https://bugzilla.gnome.org/show_bug.cgi?id=726596
tls/gnutls/gtlscertificate-gnutls.c | 44 ++++++++++++++++++++++++++++++++--
1 files changed, 41 insertions(+), 3 deletions(-)
---
diff --git a/tls/gnutls/gtlscertificate-gnutls.c b/tls/gnutls/gtlscertificate-gnutls.c
index a2b46a8..ba6b5d2 100644
--- a/tls/gnutls/gtlscertificate-gnutls.c
+++ b/tls/gnutls/gtlscertificate-gnutls.c
@@ -545,6 +545,7 @@ g_tls_certificate_gnutls_verify_identity (GTlsCertificateGnutls *gnutls,
GSocketConnectable *identity)
{
const char *hostname;
+ GInetAddress *addr;
if (G_IS_NETWORK_ADDRESS (identity))
hostname = g_network_address_get_hostname (G_NETWORK_ADDRESS (identity));
@@ -553,10 +554,47 @@ g_tls_certificate_gnutls_verify_identity (GTlsCertificateGnutls *gnutls,
else
hostname = NULL;
- if (hostname)
+ if (!hostname)
+ return G_TLS_CERTIFICATE_BAD_IDENTITY;
+
+ if (gnutls_x509_crt_check_hostname (gnutls->priv->cert, hostname))
+ return 0;
+
+ if (!g_hostname_is_ip_address (hostname))
+ return G_TLS_CERTIFICATE_BAD_IDENTITY;
+
+ addr = g_inet_address_new_from_string (hostname);
+ if (addr)
{
- if (gnutls_x509_crt_check_hostname (gnutls->priv->cert, hostname))
- return 0;
+ int i, ret = 0;
+ gsize addr_size;
+ const guint8 *addr_bytes;
+
+ addr_bytes = g_inet_address_to_bytes (addr);
+ addr_size = g_inet_address_get_native_size (addr);
+
+ /* Here we only add an additional check to support IP addresses. */
+ for (i = 0; ret >= 0; i++)
+ {
+ char san[500];
+ size_t san_size;
+
+ san_size = sizeof (san);
+ ret = gnutls_x509_crt_get_subject_alt_name (gnutls->priv->cert, i,
+ san, &san_size, NULL);
+
+ if ((ret == GNUTLS_SAN_IPADDRESS) && (addr_size == san_size))
+ {
+ /* Let's check if found a matching IP. */
+ if (memcmp (addr_bytes, san, addr_size) == 0)
+ {
+ g_object_unref (addr);
+ return 0;
+ }
+ }
+ }
+
+ g_object_unref (addr);
}
/* FIXME: check sRVName and uniformResourceIdentifier
[
Date Prev][
Date Next] [
Thread Prev][
Thread Next]
[
Thread Index]
[
Date Index]
[
Author Index]