| author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2017-04-29 13:30:50 +0200 |
|---|---|---|
| committer | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2017-04-30 13:08:48 +0200 |
| commit | 45003f88e5d4dcd4a5027e32d3693594a3b2b992 (patch) | |
| tree | 926ffc3287335bfd486ef07811631bc01b2ad094 /lib | |
| parent | 645570c035504c0b3bf73e4352d6922e9dccb694 (diff) | |
| download | gnutls-45003f88e5d4dcd4a5027e32d3693594a3b2b992.tar.gz | |
gnutls_x509_crt_check_hostname2: no match dns fields against IPs
Previously we were checking textual IP address matching against
the DNS fields. This match was non-standard and was intended to
work around a few broken servers. However, that also led to not
evaluating any IP constraints for that IP. No longer follow that
broken behavior.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
Diffstat (limited to 'lib')
-rw-r--r-- lib/x509/hostname-verify.c | 20
1 files changed, 11 insertions, 9 deletions
diff --git a/lib/x509/hostname-verify.c b/lib/x509/hostname-verify.c index 6aaafdebc9..438d166d57 100644 --- a/lib/x509/hostname-verify.c +++ b/lib/x509/hostname-verify.c @@ -133,9 +133,9 @@ gnutls_x509_crt_check_ip(gnutls_x509_crt_t cert, * IPv4 addresses are accepted by this function in the dotted-decimal * format (e.g, ddd.ddd.ddd.ddd), and IPv6 addresses in the hexadecimal * x:x:x:x:x:x:x:x format. For them the IPAddress subject alternative - * name extension is consulted, as well as the DNSNames in case of a non-match. - * The latter fallback exists due to misconfiguration of many servers - * which place an IPAddress inside the DNSName extension. + * name extension is consulted. Previous versions to 3.6.0 of GnuTLS + * in case of a non-match would consult (in a non-standard extension) + * the DNSname and CN fields. This is no longer the case. * * When the flag %GNUTLS_VERIFY_DO_NOT_ALLOW_WILDCARDS is specified no * wildcards are considered. Otherwise they are only considered if the @@ -146,7 +146,12 @@ gnutls_x509_crt_check_ip(gnutls_x509_crt_t cert, * the input will be treated as a DNS name, and matching of textual IP addresses * against the IPAddress part of the alternative name will not be allowed. * + * The function gnutls_x509_crt_check_ip() is available for matching + * IP addresses. + * * Returns: non-zero for a successful match, and zero on failure. + * + * Since: 3.3.0 **/ unsigned gnutls_x509_crt_check_hostname2(gnutls_x509_crt_t cert, 
@@ -180,12 +185,9 @@ gnutls_x509_crt_check_hostname2(gnutls_x509_crt_t cert, ret = check_ip(cert, &ipv4, 4); } - if (ret != 0) - return ret; - - /* There are several misconfigured servers, that place their IP - * in the DNS field of subjectAlternativeName. Don't break these - * configurations and verify the IP as it would have been a DNS name. */ + /* Prior to 3.6.0 we were accepting misconfigured servers, that place their IP + * in the DNS field of subjectAlternativeName. That is no longer the case. */ + return ret; } hostname_fallback: |
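Review bot: in the first hunk (@@ -133), "Previous versions to 3.6.0 of GnuTLS" reads awkwardly; suggest "GnuTLS versions prior to 3.6.0 would, on a non-match, also consult the DNSName and CN fields (a non-standard extension). This is no longer the case." The spelling "DNSname" should also match the "DNSNames" / "DNSName" form used elsewhere in this comment block. Since the behavioural consequence is that a textual IP absent from the iPAddress SAN now fails, saying so explicitly would help callers who relied on the old fallback.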
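Review bot: in the second hunk (@@ -146), the new cross-reference "The function gnutls_x509_crt_check_ip() is available for matching IP addresses." would be more useful if it said when to prefer it over this function, e.g. "Callers holding an IP literal should use gnutls_x509_crt_check_ip(), which matches only against the IPAddress subject alternative names." The added "Since: 3.3.0" tag is consistent with the rest of the doc block.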
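Review bot: in the third hunk (@@ -180), replacing the conditional early return with an unconditional `return ret;` means an IP literal that matches no IPAddress SAN now returns 0 instead of falling through to DNS/CN matching, which is what closes the gap the commit message describes (name constraints on the IP were never evaluated on that fallback path). Two follow-ups: the replacement comment describes history rather than what the code does now; consider "Only the IPAddress subjectAltName is consulted for IP literals; the pre-3.6.0 fallback to the DNS field is gone." (and "servers, that place" is a restrictive clause, so the comma should go). Also, the `hostname_fallback:` label now sits after an unconditional return, so confirm it is still reached via a goto from the non-IP path, otherwise it becomes an unused label.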