Diffstat (limited to 'lib/x509/hostname-verify.c')
-rw-r--r--lib/x509/hostname-verify.c62
1 files changed, 37 insertions, 25 deletions
diff --git a/lib/x509/hostname-verify.c b/lib/x509/hostname-verify.c
index 6ef8ba0303..c3c6a3e70a 100644
--- a/lib/x509/hostname-verify.c
+++ b/lib/x509/hostname-verify.c
@@ -44,14 +44,12 @@
* Returns: non-zero for a successful match, and zero on failure.
**/
unsigned
-gnutls_x509_crt_check_hostname(gnutls_x509_crt_t cert,
- const char *hostname)
+gnutls_x509_crt_check_hostname(gnutls_x509_crt_t cert, const char *hostname)
{
return gnutls_x509_crt_check_hostname2(cert, hostname, 0);
}
-static int
-check_ip(gnutls_x509_crt_t cert, const void *ip, unsigned ip_size)
+static int check_ip(gnutls_x509_crt_t cert, const void *ip, unsigned ip_size)
{
char temp[16];
size_t temp_size;
@@ -70,11 +68,11 @@ check_ip(gnutls_x509_crt_t cert, const void *ip, unsigned ip_size)
temp_size = sizeof(temp);
ret = gnutls_x509_crt_get_subject_alt_name(cert, i,
temp,
- &temp_size,
- NULL);
+ &temp_size, NULL);
if (ret == GNUTLS_SAN_IPADDRESS) {
- if (temp_size == ip_size && memcmp(temp, ip, ip_size) == 0)
+ if (temp_size == ip_size
+ && memcmp(temp, ip, ip_size) == 0)
return 1;
} else if (ret == GNUTLS_E_SHORT_MEMORY_BUFFER) {
ret = 0;
@@ -165,7 +163,8 @@ gnutls_x509_crt_check_hostname2(gnutls_x509_crt_t cert,
/* check whether @hostname is an ip address */
if (!(flags & GNUTLS_VERIFY_DO_NOT_ALLOW_IP_MATCHES) &&
- ((p=strchr(hostname, ':')) != NULL || inet_pton(AF_INET, hostname, &ipv4) != 0)) {
+ ((p = strchr(hostname, ':')) != NULL
+ || inet_pton(AF_INET, hostname, &ipv4) != 0)) {
if (p != NULL) {
struct in6_addr ipv6;
@@ -187,12 +186,14 @@ gnutls_x509_crt_check_hostname2(gnutls_x509_crt_t cert,
hostname_fallback:
/* convert the provided hostname to ACE-Labels domain. */
- ret = gnutls_idna_map (hostname, strlen(hostname), &out, 0);
+ ret = gnutls_idna_map(hostname, strlen(hostname), &out, 0);
if (ret < 0) {
- _gnutls_debug_log("unable to convert hostname %s to IDNA format\n", hostname);
- a_hostname = (char*)hostname;
+ _gnutls_debug_log
+ ("unable to convert hostname %s to IDNA format\n",
+ hostname);
+ a_hostname = (char *)hostname;
} else {
- a_hostname = (char*)out.data;
+ a_hostname = (char *)out.data;
}
/* try matching against:
@@ -214,23 +215,28 @@ gnutls_x509_crt_check_hostname2(gnutls_x509_crt_t cert,
dnsnamesize = sizeof(dnsname);
ret = gnutls_x509_crt_get_subject_alt_name(cert, i,
dnsname,
- &dnsnamesize,
- NULL);
+ &dnsnamesize, NULL);
if (ret == GNUTLS_SAN_DNSNAME) {
found_dnsname = 1;
if (_gnutls_has_embedded_null(dnsname, dnsnamesize)) {
- _gnutls_debug_log("certificate has %s with embedded null in name\n", dnsname);
+ _gnutls_debug_log
+ ("certificate has %s with embedded null in name\n",
+ dnsname);
continue;
}
if (!_gnutls_str_is_print(dnsname, dnsnamesize)) {
- _gnutls_debug_log("invalid (non-ASCII) name in certificate %.*s\n", (int)dnsnamesize, dnsname);
+ _gnutls_debug_log
+ ("invalid (non-ASCII) name in certificate %.*s\n",
+ (int)dnsnamesize, dnsname);
continue;
}
- ret = _gnutls_hostname_compare(dnsname, dnsnamesize, a_hostname, flags);
+ ret =
+ _gnutls_hostname_compare(dnsname, dnsnamesize,
+ a_hostname, flags);
if (ret != 0) {
ret = 1;
goto cleanup;
@@ -241,7 +247,9 @@ gnutls_x509_crt_check_hostname2(gnutls_x509_crt_t cert,
}
}
- if (!have_other_addresses && !found_dnsname && _gnutls_check_key_purpose(cert, GNUTLS_KP_TLS_WWW_SERVER, 0) != 0) {
+ if (!have_other_addresses && !found_dnsname
+ && _gnutls_check_key_purpose(cert, GNUTLS_KP_TLS_WWW_SERVER,
+ 0) != 0) {
/* did not get the necessary extension, use CN instead, if the
* certificate would have been acceptable for a TLS WWW server purpose.
* That is because only for that purpose the CN is a valid field to
@@ -252,8 +260,7 @@ gnutls_x509_crt_check_hostname2(gnutls_x509_crt_t cert,
* a single CN must be present */
dnsnamesize = sizeof(dnsname);
ret = gnutls_x509_crt_get_dn_by_oid
- (cert, OID_X520_COMMON_NAME, 1, 0, dnsname,
- &dnsnamesize);
+ (cert, OID_X520_COMMON_NAME, 1, 0, dnsname, &dnsnamesize);
if (ret != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
ret = 0;
goto cleanup;
@@ -261,26 +268,31 @@ gnutls_x509_crt_check_hostname2(gnutls_x509_crt_t cert,
dnsnamesize = sizeof(dnsname);
ret = gnutls_x509_crt_get_dn_by_oid
- (cert, OID_X520_COMMON_NAME, 0, 0, dnsname,
- &dnsnamesize);
+ (cert, OID_X520_COMMON_NAME, 0, 0, dnsname, &dnsnamesize);
if (ret < 0) {
ret = 0;
goto cleanup;
}
if (_gnutls_has_embedded_null(dnsname, dnsnamesize)) {
- _gnutls_debug_log("certificate has CN %s with embedded null in name\n", dnsname);
+ _gnutls_debug_log
+ ("certificate has CN %s with embedded null in name\n",
+ dnsname);
ret = 0;
goto cleanup;
}
if (!_gnutls_str_is_print(dnsname, dnsnamesize)) {
- _gnutls_debug_log("invalid (non-ASCII) name in certificate CN %.*s\n", (int)dnsnamesize, dnsname);
+ _gnutls_debug_log
+ ("invalid (non-ASCII) name in certificate CN %.*s\n",
+ (int)dnsnamesize, dnsname);
ret = 0;
goto cleanup;
}
- ret = _gnutls_hostname_compare(dnsname, dnsnamesize, a_hostname, flags);
+ ret =
+ _gnutls_hostname_compare(dnsname, dnsnamesize, a_hostname,
+ flags);
if (ret != 0) {
ret = 1;
goto cleanup;