author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2017-03-16 10:07:37 +0100 |
committer | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2017-03-23 11:37:48 +0100 |
commit | 459d432c3e7f2aaeb3b7f54f98c5af825c1142d3 (patch) | |
tree | 39fb722e114df3f259ba8d61b4bf2876fac3e301 | |
parent | 45dd985db7c0dd8bb50e3c172c1cecaf3c5cceba (diff) | |
download | gnutls-459d432c3e7f2aaeb3b7f54f98c5af825c1142d3.tar.gz |
Added gnutls_x509_crt_check_ip()
This function allows directly verifying IP addresses on a certificate.
That is a first step towards making gnutls_x509_crt_check_hostname2()
not verify IP addresses.
Based on discussion and suggestion by Suphannee Sivakorn. See
https://lists.gnupg.org/pipermail/gnutls-devel/2017-March/008368.html
Relates #185
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
-rw-r--r-- | lib/includes/gnutls/x509.h | 5 | ||||
-rw-r--r-- | lib/libgnutls.map | 1 | ||||
-rw-r--r-- | lib/x509/hostname-verify.c | 27 |
3 files changed, 30 insertions, 3 deletions
diff --git a/lib/includes/gnutls/x509.h b/lib/includes/gnutls/x509.h
index e865d28f4f..9463e6cdf1 100644
--- a/lib/includes/gnutls/x509.h
+++ b/lib/includes/gnutls/x509.h
@@ -213,6 +213,11 @@ unsigned gnutls_x509_crt_check_email(gnutls_x509_crt_t cert,
 				     const char *email,
 				     unsigned int flags);
 
+unsigned
+gnutls_x509_crt_check_ip(gnutls_x509_crt_t cert,
+			 const unsigned char *ip, unsigned int ip_size,
+			 unsigned int flags);
+
 int gnutls_x509_crt_get_signature_algorithm(gnutls_x509_crt_t cert);
 int gnutls_x509_crt_get_signature(gnutls_x509_crt_t cert,
 				  char *sig, size_t * sizeof_sig);
diff --git a/lib/libgnutls.map b/lib/libgnutls.map
index ba4ef45a0e..adf4902774 100644
--- a/lib/libgnutls.map
+++ b/lib/libgnutls.map
@@ -1135,6 +1135,7 @@ GNUTLS_3_4
 	gnutls_idna_map;
 	gnutls_idna_reverse_map;
 	gnutls_x509_crt_set_flags;
+	gnutls_x509_crt_check_ip;
 	local:
 		*;
 };
diff --git a/lib/x509/hostname-verify.c b/lib/x509/hostname-verify.c
index c3d74f8567..7268917128 100644
--- a/lib/x509/hostname-verify.c
+++ b/lib/x509/hostname-verify.c
@@ -49,7 +49,7 @@ gnutls_x509_crt_check_hostname(gnutls_x509_crt_t cert,
 }
 
 static int
-check_ip(gnutls_x509_crt_t cert, const void *ip, unsigned ip_size, unsigned flags)
+check_ip(gnutls_x509_crt_t cert, const void *ip, unsigned ip_size)
 {
 	char temp[16];
 	size_t temp_size;
@@ -92,6 +92,27 @@ static int has_embedded_null(const char *str, unsigned size)
 }
 
 /**
+ * gnutls_x509_crt_check_ip:
+ * @cert: should contain an gnutls_x509_crt_t type
+ * @ip: A pointer to the raw IP address
+ * @ip_size: the number of bytes in ip (4 or 16)
+ * @flags: should be zero
+ *
+ * This function will check if the IP allowed IP addresses in
+ * the certificate's subject alternative name match the provided
+ * IP address.
+ *
+ * Returns: non-zero for a successful match, and zero on failure.
+ **/
+unsigned
+gnutls_x509_crt_check_ip(gnutls_x509_crt_t cert,
+			 const unsigned char *ip, unsigned int ip_size,
+			 unsigned int flags)
+{
+	return check_ip(cert, ip, ip_size);
+}
+
+/**
  * gnutls_x509_crt_check_hostname2:
  * @cert: should contain an gnutls_x509_crt_t type
  * @hostname: A null terminated string that contains a DNS name
@@ -141,9 +162,9 @@ gnutls_x509_crt_check_hostname2(gnutls_x509_crt_t cert,
 			gnutls_assert();
 			goto hostname_fallback;
 		}
-		ret = check_ip(cert, &ipv6, 16, flags);
+		ret = check_ip(cert, &ipv6, 16);
 	} else {
-		ret = check_ip(cert, &ipv4, 4, flags);
+		ret = check_ip(cert, &ipv4, 4);
 	}
 
 	if (ret != 0)
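Review bot: gnutls_x509_crt_check_ip hands `ip_size` unchecked to check_ip, which before this commit was reached only from gnutls_x509_crt_check_hostname2 with the literal lengths 4 and 16; now that any caller can pass any length, and check_ip's body lies outside this hunk, the wrapper should reject other sizes itself unless that helper is known to do so — `if (ip_size != 4 && ip_size != 16) return 0;` before the call. The `flags` argument is documented as "should be zero" but is never read, so a caller passing a non-zero value is silently accepted as if it had meaning; at minimum the doc line should read `@flags: must be zero (reserved for future use)` so no caller relies on a flag taking effect. The description sentence `This function will check if the IP allowed IP addresses in` reads garbled and could be `This function will check if the IP addresses permitted in the certificate's subject alternative name match the provided IP address.`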