Diffstat (limited to 'lib/x509/hostname-verify.c')
-rw-r--r-- | lib/x509/hostname-verify.c | 62 |
1 files changed, 37 insertions, 25 deletions
diff --git a/lib/x509/hostname-verify.c b/lib/x509/hostname-verify.c
index 6ef8ba0303..c3c6a3e70a 100644
--- a/lib/x509/hostname-verify.c
+++ b/lib/x509/hostname-verify.c
@@ -44,14 +44,12 @@
 * Returns: non-zero for a successful match, and zero on failure.
 **/
 unsigned
-gnutls_x509_crt_check_hostname(gnutls_x509_crt_t cert,
- const char *hostname)
+gnutls_x509_crt_check_hostname(gnutls_x509_crt_t cert, const char *hostname)
 {
 return gnutls_x509_crt_check_hostname2(cert, hostname, 0);
 }
-static int
-check_ip(gnutls_x509_crt_t cert, const void *ip, unsigned ip_size)
+static int check_ip(gnutls_x509_crt_t cert, const void *ip, unsigned ip_size)
 {
 char temp[16];
 size_t temp_size;
@@ -70,11 +68,11 @@ check_ip(gnutls_x509_crt_t cert, const void *ip, unsigned ip_size)
 temp_size = sizeof(temp);
 ret = gnutls_x509_crt_get_subject_alt_name(cert, i, temp,
- &temp_size,
- NULL);
+ &temp_size, NULL);
 if (ret == GNUTLS_SAN_IPADDRESS) {
- if (temp_size == ip_size && memcmp(temp, ip, ip_size) == 0)
+ if (temp_size == ip_size
+ && memcmp(temp, ip, ip_size) == 0)
 return 1;
 } else if (ret == GNUTLS_E_SHORT_MEMORY_BUFFER) {
 ret = 0;
@@ -165,7 +163,8 @@ gnutls_x509_crt_check_hostname2(gnutls_x509_crt_t cert,
 /* check whether @hostname is an ip address */
 if (!(flags & GNUTLS_VERIFY_DO_NOT_ALLOW_IP_MATCHES) &&
- ((p=strchr(hostname, ':')) != NULL || inet_pton(AF_INET, hostname, &ipv4) != 0)) {
+ ((p = strchr(hostname, ':')) != NULL
+ || inet_pton(AF_INET, hostname, &ipv4) != 0)) {
 if (p != NULL) {
 struct in6_addr ipv6;
@@ -187,12 +186,14 @@ gnutls_x509_crt_check_hostname2(gnutls_x509_crt_t cert,
 hostname_fallback:
 /* convert the provided hostname to ACE-Labels domain. */
- ret = gnutls_idna_map (hostname, strlen(hostname), &out, 0);
+ ret = gnutls_idna_map(hostname, strlen(hostname), &out, 0);
 if (ret < 0) {
- _gnutls_debug_log("unable to convert hostname %s to IDNA format\n", hostname);
- a_hostname = (char*)hostname;
+ _gnutls_debug_log
+ ("unable to convert hostname %s to IDNA format\n",
+ hostname);
+ a_hostname = (char *)hostname;
 } else {
- a_hostname = (char*)out.data;
+ a_hostname = (char *)out.data;
 }
 /* try matching against:
@@ -214,23 +215,28 @@ gnutls_x509_crt_check_hostname2(gnutls_x509_crt_t cert,
 dnsnamesize = sizeof(dnsname);
 ret = gnutls_x509_crt_get_subject_alt_name(cert, i, dnsname,
- &dnsnamesize,
- NULL);
+ &dnsnamesize, NULL);
 if (ret == GNUTLS_SAN_DNSNAME) {
 found_dnsname = 1;
 if (_gnutls_has_embedded_null(dnsname, dnsnamesize)) {
- _gnutls_debug_log("certificate has %s with embedded null in name\n", dnsname);
+ _gnutls_debug_log
+ ("certificate has %s with embedded null in name\n",
+ dnsname);
 continue;
 }
 if (!_gnutls_str_is_print(dnsname, dnsnamesize)) {
- _gnutls_debug_log("invalid (non-ASCII) name in certificate %.*s\n", (int)dnsnamesize, dnsname);
+ _gnutls_debug_log
+ ("invalid (non-ASCII) name in certificate %.*s\n",
+ (int)dnsnamesize, dnsname);
 continue;
 }
- ret = _gnutls_hostname_compare(dnsname, dnsnamesize, a_hostname, flags);
+ ret =
+ _gnutls_hostname_compare(dnsname, dnsnamesize,
+ a_hostname, flags);
 if (ret != 0) {
 ret = 1;
 goto cleanup;
@@ -241,7 +247,9 @@ gnutls_x509_crt_check_hostname2(gnutls_x509_crt_t cert,
 }
 }
- if (!have_other_addresses && !found_dnsname && _gnutls_check_key_purpose(cert, GNUTLS_KP_TLS_WWW_SERVER, 0) != 0) {
+ if (!have_other_addresses && !found_dnsname
+ && _gnutls_check_key_purpose(cert, GNUTLS_KP_TLS_WWW_SERVER,
+ 0) != 0) {
 /* did not get the necessary extension, use CN instead, if the
 * certificate would have been acceptable for a TLS WWW server purpose.
 * That is because only for that purpose the CN is a valid field to
@@ -252,8 +260,7 @@ gnutls_x509_crt_check_hostname2(gnutls_x509_crt_t cert,
 * a single CN must be present */
 dnsnamesize = sizeof(dnsname);
 ret = gnutls_x509_crt_get_dn_by_oid
- (cert, OID_X520_COMMON_NAME, 1, 0, dnsname,
- &dnsnamesize);
+ (cert, OID_X520_COMMON_NAME, 1, 0, dnsname, &dnsnamesize);
 if (ret != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
 ret = 0;
 goto cleanup;
@@ -261,26 +268,31 @@ gnutls_x509_crt_check_hostname2(gnutls_x509_crt_t cert,
 dnsnamesize = sizeof(dnsname);
 ret = gnutls_x509_crt_get_dn_by_oid
- (cert, OID_X520_COMMON_NAME, 0, 0, dnsname,
- &dnsnamesize);
+ (cert, OID_X520_COMMON_NAME, 0, 0, dnsname, &dnsnamesize);
 if (ret < 0) {
 ret = 0;
 goto cleanup;
 }
 if (_gnutls_has_embedded_null(dnsname, dnsnamesize)) {
- _gnutls_debug_log("certificate has CN %s with embedded null in name\n", dnsname);
+ _gnutls_debug_log
+ ("certificate has CN %s with embedded null in name\n",
+ dnsname);
 ret = 0;
 goto cleanup;
 }
 if (!_gnutls_str_is_print(dnsname, dnsnamesize)) {
- _gnutls_debug_log("invalid (non-ASCII) name in certificate CN %.*s\n", (int)dnsnamesize, dnsname);
+ _gnutls_debug_log
+ ("invalid (non-ASCII) name in certificate CN %.*s\n",
+ (int)dnsnamesize, dnsname);
 ret = 0;
 goto cleanup;
 }
- ret = _gnutls_hostname_compare(dnsname, dnsnamesize, a_hostname, flags);
+ ret =
+ _gnutls_hostname_compare(dnsname, dnsnamesize, a_hostname,
+ flags);
 if (ret != 0) {
 ret = 1;
 goto cleanup;