From 459d432c3e7f2aaeb3b7f54f98c5af825c1142d3 Mon Sep 17 00:00:00 2001 From: Nikos Mavrogiannopoulos Date: Thu, 16 Mar 2017 10:07:37 +0100 Subject: Added gnutls_x509_crt_check_ip() This function allows to directly verify IP addresses on a certificate. That is a first step towards making gnutls_x509_crt_check_hostname2() not verify IP addresses. Based on discussion and suggestion by Suphannee Sivakorn. See https://lists.gnupg.org/pipermail/gnutls-devel/2017-March/008368.html Relates #185 Signed-off-by: Nikos Mavrogiannopoulos --- lib/includes/gnutls/x509.h | 5 +++++ lib/libgnutls.map | 1 + lib/x509/hostname-verify.c | 27 ++++++++++++++++++++++++--- 3 files changed, 30 insertions(+), 3 deletions(-) diff --git a/lib/includes/gnutls/x509.h b/lib/includes/gnutls/x509.h index e865d28f4f..9463e6cdf1 100644 --- a/lib/includes/gnutls/x509.h +++ b/lib/includes/gnutls/x509.h @@ -213,6 +213,11 @@ unsigned gnutls_x509_crt_check_email(gnutls_x509_crt_t cert, const char *email, unsigned int flags); +unsigned +gnutls_x509_crt_check_ip(gnutls_x509_crt_t cert, + const unsigned char *ip, unsigned int ip_size, + unsigned int flags); + int gnutls_x509_crt_get_signature_algorithm(gnutls_x509_crt_t cert); int gnutls_x509_crt_get_signature(gnutls_x509_crt_t cert, char *sig, size_t * sizeof_sig); diff --git a/lib/libgnutls.map b/lib/libgnutls.map index ba4ef45a0e..adf4902774 100644 --- a/lib/libgnutls.map +++ b/lib/libgnutls.map @@ -1135,6 +1135,7 @@ GNUTLS_3_4 gnutls_idna_map; gnutls_idna_reverse_map; gnutls_x509_crt_set_flags; + gnutls_x509_crt_check_ip; local: *; }; diff --git a/lib/x509/hostname-verify.c b/lib/x509/hostname-verify.c index c3d74f8567..7268917128 100644 --- a/lib/x509/hostname-verify.c +++ b/lib/x509/hostname-verify.c 
@@ -49,7 +49,7 @@ gnutls_x509_crt_check_hostname(gnutls_x509_crt_t cert,
 }
 
 static int
-check_ip(gnutls_x509_crt_t cert, const void *ip, unsigned ip_size, unsigned flags)
+check_ip(gnutls_x509_crt_t cert, const void *ip, unsigned ip_size)
 {
 char temp[16];
 size_t temp_size;
@@ -91,6 +91,27 @@ static int has_embedded_null(const char *str, unsigned size)
 return 0;
 }
 
+/**
+ * gnutls_x509_crt_check_ip:
+ * @cert: should contain an gnutls_x509_crt_t type
+ * @ip: A pointer to the raw IP address
+ * @ip_size: the number of bytes in ip (4 or 16)
+ * @flags: should be zero
+ *
+ * This function will check if the IP allowed IP addresses in
+ * the certificate's subject alternative name match the provided
+ * IP address.
+ *
+ * Returns: non-zero for a successful match, and zero on failure.
+ **/
+unsigned
+gnutls_x509_crt_check_ip(gnutls_x509_crt_t cert,
+ const unsigned char *ip, unsigned int ip_size,
+ unsigned int flags)
+{
+ return check_ip(cert, ip, ip_size);
+}
+
 /**
  * gnutls_x509_crt_check_hostname2:
  * @cert: should contain an gnutls_x509_crt_t type
@@ -141,9 +162,9 @@ gnutls_x509_crt_check_hostname2(gnutls_x509_crt_t cert,
 gnutls_assert();
 goto hostname_fallback;
 }
-ret = check_ip(cert, &ipv6, 16, flags);
+ret = check_ip(cert, &ipv6, 16);
 } else {
-ret = check_ip(cert, &ipv4, 4, flags);
+ret = check_ip(cert, &ipv4, 4);
 }
 
 if (ret != 0)
-- cgit v1.2.1
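Review bot: gnutls_x509_crt_check_ip() in the second hunk accepts `flags` but never reads it, so a non-zero value is silently treated as zero even though the doc comment says it "should be zero"; either reject it up front (`if (flags != 0) return 0;`) or state in the @flags line that the argument is reserved and currently ignored, so callers do not assume a future flag is honoured by this build. The same hunk forwards `ip_size` unchanged to the static check_ip(), whose body lies outside these hunks; if check_ip() does not itself reject lengths other than 4 and 16, add `if (ip_size != 4 && ip_size != 16) return 0;` before the call so a caller-supplied length can never drive a comparison against the 16-byte `temp` buffer declared in the first hunk. Two wording fixes for the new doc comment: `@cert: should contain a gnutls_x509_crt_t type` and `This function will check if any of the IP addresses allowed in the certificate's subject alternative name match the provided IP address.`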