| field | value |
|---|---|
| author | Nikos Mavrogiannopoulos <nmav@redhat.com>, 2017-04-29 13:30:50 +0200 |
| committer | Nikos Mavrogiannopoulos <nmav@redhat.com>, 2017-04-30 13:10:00 +0200 |
| commit | 90c0d46db6a43c6d45ccfb5d60f4c1f130d8d72a |
| tree | 0fa70f08c9a88303738f3e356e3c7ea4777c86e5 |
| parent | aee2ee66fe48788e699f4cd1f2006a2cea3f8813 |
| download | gnutls-90c0d46db6a43c6d45ccfb5d60f4c1f130d8d72a.tar.gz |
gnutls_x509_crt_check_hostname2: no match dns fields against IPs
Previously we were checking textual IP address matching against
the DNS fields. This match was non-standard and was intended to
work around a few broken servers. However, that also led to not
evaluating any IP constraints for that IP. No longer follow that
broken behavior.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
| file | lines |
|---|---|
| lib/x509/hostname-verify.c | 20 |

1 file changed, 11 insertions, 9 deletions
diff --git a/lib/x509/hostname-verify.c b/lib/x509/hostname-verify.c index c3d74f8567..9dd2b6b07d 100644 --- a/lib/x509/hostname-verify.c +++ b/lib/x509/hostname-verify.c @@ -105,16 +105,21 @@ static int has_embedded_null(const char *str, unsigned size) * IPv4 addresses are accepted by this function in the dotted-decimal * format (e.g, ddd.ddd.ddd.ddd), and IPv6 addresses in the hexadecimal * x:x:x:x:x:x:x:x format. For them the IPAddress subject alternative - * name extension is consulted, as well as the DNSNames in case of a non-match. - * The latter fallback exists due to misconfiguration of many servers - * which place an IPAddress inside the DNSName extension. + * name extension is consulted. Previous versions to 3.6.0 of GnuTLS + * in case of a non-match would consult (in a non-standard extension) + * the DNSname and CN fields. This is no longer the case. * * When the flag %GNUTLS_VERIFY_DO_NOT_ALLOW_WILDCARDS is specified no * wildcards are considered. Otherwise they are only considered if the * domain name consists of three components or more, and the wildcard * starts at the leftmost position. * + * The function gnutls_x509_crt_check_ip() is available for matching + * IP addresses. + * * Returns: non-zero for a successful match, and zero on failure. + * + * Since: 3.3.0 **/ unsigned gnutls_x509_crt_check_hostname2(gnutls_x509_crt_t cert, @@ -146,12 +151,9 @@ gnutls_x509_crt_check_hostname2(gnutls_x509_crt_t cert, ret = check_ip(cert, &ipv4, 4, flags); } - if (ret != 0) - return ret; - - /* There are several misconfigured servers, that place their IP - * in the DNS field of subjectAlternativeName. Don't break these - * configurations and verify the IP as it would have been a DNS name. */ + /* Prior to 3.6.0 we were accepting misconfigured servers, that place their IP + * in the DNS field of subjectAlternativeName. That is no longer the case. */ + return ret; } hostname_fallback: |
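Review bot: in the rewritten documentation paragraph of gnutls_x509_crt_check_hostname2(), "Previous versions to 3.6.0 of GnuTLS in case of a non-match would consult (in a non-standard extension) the DNSname and CN fields. This is no longer the case." is hard to parse; suggest "GnuTLS versions before 3.6.0 would, on a non-match, fall back to a non-standard comparison of the IP string against the dNSName and CN fields; 3.6.0 and later do not." Since callers who relied on that fallback will now get a zero return for an IP literal placed in a dNSName, the sentence pointing at gnutls_x509_crt_check_ip() should say plainly that it is the only supported way to match IP addresses, rather than merely that it "is available". The added "Since: 3.3.0" tag is a welcome fix to the header.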
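Review bot: with `if (ret != 0) return ret;` replaced by an unconditional `return ret;`, the hunk shows `ret` assigned only inside the IPv4 branch (`ret = check_ip(cert, &ipv4, 4, flags);`); please confirm that the path where the input parses as neither IPv4 nor IPv6 reaches the `hostname_fallback:` label via a goto and cannot arrive at this return with `ret` unset. The replacement comment ("Prior to 3.6.0 we were accepting misconfigured servers ...") documents removed behaviour and will go stale; state the current rule instead, e.g. "An IP literal is matched against iPAddress entries only; no fallback to dNSName." Finally, the diffstat shows only lib/x509/hostname-verify.c touched: a deliberate compatibility break like this wants a test with a certificate carrying an IP literal in a dNSName (now expected to fail through check_hostname2 and to be accepted only through gnutls_x509_crt_check_ip() when an iPAddress entry exists) and a NEWS entry for 3.6.0.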
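As an added illustration of the behaviour change the commit message describes (example code written for this page, not GnuTLS code; it uses a constructed list of subjectAltName entries in place of a real certificate), the following C program implements the matcher twice: the pre-3.6.0 rule, where an IP literal that matches no iPAddress entry falls back to a textual comparison against dNSName entries, and the 3.6.0 rule, where an IP literal is decided by iPAddress entries alone. DNS names follow the wildcard rule stated in the function's documentation (wildcard only in the leftmost position, only for names of three or more labels). The function names, the `san_entry` structure and the sample names and addresses are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>
#include <sys/socket.h>
#include <arpa/inet.h>

/* Constructed stand-in for a certificate's subjectAltName entries; this is
 * example code for this page, not a GnuTLS data structure. */
enum san_type { SAN_DNS, SAN_IP };

struct san_entry {
    enum san_type type;
    const char *dns;          /* SAN_DNS: the dNSName string */
    unsigned char ip[16];     /* SAN_IP: address bytes, network byte order */
    unsigned ip_len;          /* SAN_IP: 4 for IPv4, 16 for IPv6 */
};

/* Parse a dotted-decimal IPv4 or hexadecimal IPv6 literal. Returns the
 * address length (4 or 16), or 0 when the string is not an IP literal. */
static unsigned parse_ip_literal(const char *s, unsigned char out[16])
{
    if (inet_pton(AF_INET, s, out) == 1)
        return 4;
    if (inet_pton(AF_INET6, s, out) == 1)
        return 16;
    return 0;
}

static unsigned count_labels(const char *name)
{
    unsigned n = 1;
    for (; *name; name++)
        if (*name == '.')
            n++;
    return n;
}

/* Match one dNSName against the requested name. A leading "*." is honoured
 * only when the certificate name has three or more labels, and it covers
 * exactly one leftmost label, as the function documentation describes. */
static int dns_name_matches(const char *pattern, const char *name)
{
    if (strcasecmp(pattern, name) == 0)
        return 1;
    if (pattern[0] == '*' && pattern[1] == '.' && count_labels(pattern) >= 3) {
        const char *dot = strchr(name, '.');
        if (dot != NULL && dot != name && strcasecmp(pattern + 1, dot) == 0)
            return 1;
    }
    return 0;
}

static int check_ip(const struct san_entry *sans, unsigned n,
                    const unsigned char *ip, unsigned ip_len)
{
    for (unsigned i = 0; i < n; i++)
        if (sans[i].type == SAN_IP && sans[i].ip_len == ip_len &&
            memcmp(sans[i].ip, ip, ip_len) == 0)
            return 1;
    return 0;
}

static int check_dns(const struct san_entry *sans, unsigned n, const char *name)
{
    for (unsigned i = 0; i < n; i++)
        if (sans[i].type == SAN_DNS && dns_name_matches(sans[i].dns, name))
            return 1;
    return 0;
}

/* Pre-3.6.0 rule as the commit message describes it: an IP literal with no
 * iPAddress match falls through to textual matching against dNSName entries. */
unsigned check_hostname_pre_360(const struct san_entry *sans, unsigned n,
                                const char *hostname)
{
    unsigned char ip[16];
    unsigned len = parse_ip_literal(hostname, ip);
    if (len != 0 && check_ip(sans, n, ip, len))
        return 1;
    return check_dns(sans, n, hostname);   /* the fallback the patch removes */
}

/* 3.6.0 rule: an IP literal is decided by iPAddress entries only. */
unsigned check_hostname_360(const struct san_entry *sans, unsigned n,
                            const char *hostname)
{
    unsigned char ip[16];
    unsigned len = parse_ip_literal(hostname, ip);
    if (len != 0)
        return check_ip(sans, n, ip, len);
    return check_dns(sans, n, hostname);
}

/* Constructed sample: one IP placed in a dNSName (the misconfiguration the
 * old fallback tolerated), one wildcard name, one proper iPAddress entry. */
static const struct san_entry sample_sans[] = {
    { SAN_DNS, "192.0.2.10",    {0}, 0 },
    { SAN_DNS, "*.example.com", {0}, 0 },
    { SAN_IP,  NULL, {192, 0, 2, 20}, 4 },
};
#define SAMPLE_SANS_LEN (sizeof sample_sans / sizeof sample_sans[0])

int main(void)
{
    const char *hosts[] = { "192.0.2.10", "192.0.2.20", "www.example.com", "example.com" };
    for (unsigned i = 0; i < sizeof hosts / sizeof hosts[0]; i++)
        printf("%-16s pre-3.6.0=%u  3.6.0=%u\n", hosts[i],
               check_hostname_pre_360(sample_sans, SAMPLE_SANS_LEN, hosts[i]),
               check_hostname_360(sample_sans, SAMPLE_SANS_LEN, hosts[i]));
    return 0;
}
```

The only input on which the two rules disagree is the IP literal that appears solely as a dNSName: the old rule accepts it by string comparison, the new rule rejects it because no iPAddress entry matches. Everything else (a genuine iPAddress entry, a wildcard DNS match, a name that the wildcard does not cover) is decided identically by both.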