[Spice-devel] [spice-common PATCH] ssl_verify.c: Add IPv6 support

2015-09-07 Thread Lukas Venhoda
Add inet_pton and inet_ntop, which support IPv6 addresses.
inet_aton left for compatibility.
---
 common/ssl_verify.c | 32 +++-
 1 file changed, 23 insertions(+), 9 deletions(-)

diff --git a/common/ssl_verify.c b/common/ssl_verify.c
index a830800..d247d95 100644
--- a/common/ssl_verify.c
+++ b/common/ssl_verify.c
@@ -161,10 +161,12 @@ static int verify_hostname(X509* cert, const char 
*hostname)
 {
 GENERAL_NAMES* subject_alt_names;
 int found_dns_name = 0;
-struct in_addr addr;
+struct in_addr ipv4;
+struct in6_addr ipv6;
 int addr_len = 0;
 int cn_match = 0;
 X509_NAME* subject;
+int using_ipv6 = 0;

 spice_return_val_if_fail(hostname != NULL, 0);

@@ -173,9 +175,11 @@ static int verify_hostname(X509* cert, const char 
*hostname)
 return 0;
 }

-// only IpV4 supported
-if (inet_aton(hostname, )) {
+if (inet_aton(hostname, )) {
 addr_len = sizeof(struct in_addr);
+} else if (inet_pton(AF_INET6, hostname, )) {
+addr_len = sizeof(struct in6_addr);
+using_ipv6 = 1;
 }

 /* try matching against:
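Review bot: The new `else if (inet_pton(AF_INET6, hostname, …))` treats any non-zero return as a successful parse, but inet_pton returns -1 when the address family is unsupported, so on such a system `using_ipv6` would be set with `ipv6` never filled in. Compare against 1 instead, e.g. `} else if (inet_pton(AF_INET6, hostname, &ipv6) == 1) {`; the destination argument is missing from the text shown here, so `&ipv6` is inferred from the declarations in the first hunk. Separately, the retained inet_aton accepts shorthand and non-decimal forms, so strings that are not canonical dotted quads are still classified as IP literals for certificate matching. `inet_pton(AF_INET, hostname, &ipv4) == 1` would be stricter, if the compatibility mentioned in the commit message is not actually required. verify_hostname starts and ends outside this hunk.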
@@ -211,12 +215,22 @@ static int verify_hostname(X509* cert, const char 
*hostname)
 } else if (name->type == GEN_IPADD) {
 int alt_ip_len = ASN1_STRING_length(name->d.iPAddress);
 found_dns_name = 1;
-if ((addr_len == alt_ip_len)&&
-!memcmp(ASN1_STRING_data(name->d.iPAddress), , 
addr_len)) {
-spice_debug("alt name IP match=%s",
-inet_ntoa(*((struct 
in_addr*)ASN1_STRING_data(name->d.dNSName;
-GENERAL_NAMES_free(subject_alt_names);
-return 1;
+if (addr_len == alt_ip_len) {
+if (using_ipv6 &&
+!memcmp(ASN1_STRING_data(name->d.iPAddress), , 
addr_len)) {
+char buf[INET6_ADDRSTRLEN];
+inet_ntop(AF_INET6,
+  ((struct 
in6_addr*)ASN1_STRING_data(name->d.dNSName)),
+  buf, INET6_ADDRSTRLEN);
+spice_debug("alt name IP match=%s", buf);
+GENERAL_NAMES_free(subject_alt_names);
+return 1;
+} else if (!memcmp(ASN1_STRING_data(name->d.iPAddress), 
, addr_len)) {
+spice_debug("alt name IP match=%s",
+inet_ntoa(*((struct 
in_addr*)ASN1_STRING_data(name->d.dNSName;
+GENERAL_NAMES_free(subject_alt_names);
+return 1;
+}
 }
 }
 }
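Review bot: When `using_ipv6` is set and the first memcmp does not match, control falls into the `else if (!memcmp(...))` branch with `addr_len` still equal to `sizeof(struct in6_addr)`. If that branch compares against `ipv4` (the argument is missing from the text shown here, so this is inferred), it reads 16 bytes from a 4-byte `struct in_addr` that inet_aton never filled in, which is an out-of-bounds stack read inside certificate verification. Guard the second branch, e.g. `} else if (!using_ipv6 && !memcmp(ASN1_STRING_data(name->d.iPAddress), &ipv4, addr_len)) {`. The return value of inet_ntop is also unchecked, so `buf` is logged uninitialised if the conversion fails, and both log calls read the address through `name->d.dNSName` rather than `name->d.iPAddress`. The enclosing loop and function start outside this hunk.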
--
2.4.3



Re: [Spice-devel] [spice-common PATCH] ssl_verify.c: Add IPv6 support

2015-09-07 Thread Daniel P. Berrange
On Mon, Sep 07, 2015 at 06:55:47PM +0200, Lukas Venhoda wrote:
> Add inet_pton and inet_ntop which supports IPv6 address.
> inet_aton left for compatibility.

You really should not use any of the inet_* functions,
even the ones which technically support IPv6.

Instead use getaddrinfo()/getnameinfo(), passing AI_NUMERIC
if you need to skip DNS forward/backward lookups and stick
to numeric addresses.

See this page for detailed information

  http://www.akkadia.org/drepper/userapi-ipv6.html


Regards,
Daniel
-- 
|: http://berrange.com  -o-http://www.flickr.com/photos/dberrange/ :|
|: http://libvirt.org  -o- http://virt-manager.org :|
|: http://autobuild.org   -o- http://search.cpan.org/~danberr/ :|
|: http://entangle-photo.org   -o-   http://live.gnome.org/gtk-vnc :|