| author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2017-03-17 14:43:36 +0100 |
|---|---|---|
| committer | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2017-03-23 11:38:37 +0100 |
| commit | 452704e91fe2f56d8acb6da057cba21580c2e327 (patch) | |
| tree | c3f7326db198f62b06ab8c8ae63c4dc80c3d3b69 /lib/x509/hostname-verify.c | |
| parent | 110dc6bdd2375c27444b2978df29994dae675136 (diff) | |
| download | gnutls-452704e91fe2f56d8acb6da057cba21580c2e327.tar.gz | |
Introduced verification flag GNUTLS_VERIFY_DO_NOT_ALLOW_IP_MATCHES
This flag, when provided to the gnutls_x509_crt_check_hostname2() function
(and its callers), will prevent IP matching of the subject alternative
name. This can be utilized by applications which directly check for
IP addresses using gnutls_x509_crt_check_ip().
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Diffstat (limited to 'lib/x509/hostname-verify.c')
-rw-r--r-- | lib/x509/hostname-verify.c | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/lib/x509/hostname-verify.c b/lib/x509/hostname-verify.c index 7268917128..b3bffda7cf 100644 --- a/lib/x509/hostname-verify.c +++ b/lib/x509/hostname-verify.c @@ -134,6 +134,10 @@ gnutls_x509_crt_check_ip(gnutls_x509_crt_t cert, * wildcards are considered. Otherwise they are only considered if the * domain name consists of three components or more, and the wildcard * starts at the leftmost position. + + * When the flag %GNUTLS_VERIFY_DO_NOT_ALLOW_IP_MATCHES is specified, + * the input will be treated as a DNS name, and matching of textual IP addresses + * against the IPAddress part of the alternative name will not be allowed. * * Returns: non-zero for a successful match, and zero on failure. **/ @@ -152,7 +156,8 @@ gnutls_x509_crt_check_hostname2(gnutls_x509_crt_t cert, gnutls_datum_t out; /* check whether @hostname is an ip address */ - if ((p=strchr(hostname, ':')) != NULL || inet_aton(hostname, &ipv4) != 0) { + if (!(flags & GNUTLS_VERIFY_DO_NOT_ALLOW_IP_MATCHES) && + ((p=strchr(hostname, ':')) != NULL || inet_aton(hostname, &ipv4) != 0)) { if (p != NULL) { struct in6_addr ipv6; |
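Review bot: In the documentation hunk (@@ -134,6 +134,10 @@), the first added line is a bare `+` with no ` *` continuation, which breaks the ` * ` prefix convention used on every other line of this doc comment; please make it `+ *` so the paragraph separator matches the surrounding gtk-doc style. It would also help readers to state explicitly what happens to a textual IP address when the flag is set, i.e. that it is compared as a DNS name against dNSName entries (and the CN fallback, where applicable) rather than being rejected outright, since "treated as a DNS name" can be read either way.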
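Review bot: In the code hunk (@@ -152,7 +156,8 @@), the new `!(flags & GNUTLS_VERIFY_DO_NOT_ALLOW_IP_MATCHES) &&` short-circuits the assignment `p=strchr(hostname, ':')`, so `p` stays uninitialized whenever the flag is set; that is harmless for the `if (p != NULL)` shown here because the block is skipped, but please confirm `p` is not read anywhere after this block, or initialize it to NULL at declaration to keep the function robust against later edits. The flag itself is only referenced in this file (the diffstat is limited to hostname-verify.c), so the definition in the public verify-flags enum and a test exercising an IPv4 literal, an IPv6 literal and a plain DNS name with and without the flag should land in the same series.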