* Daniel P. Berrangé (berra...@redhat.com) wrote:
> We need to encode just the address bytes, not the whole struct sockaddr
> data. Add a test case to validate that we're matching on SAN IP
> addresses correctly.
Lets see:
> Signed-off-by: Daniel P. Berrangé <berra...@redhat.com>
> ---
> tests/unit/crypto-tls-x509-helpers.c | 16 +++++++++++++---
> tests/unit/test-crypto-tlssession.c | 11 +++++++++--
> 2 files changed, 22 insertions(+), 5 deletions(-)
>
> diff --git a/tests/unit/crypto-tls-x509-helpers.c
> b/tests/unit/crypto-tls-x509-helpers.c
> index fc609b3fd4..e9937f60d8 100644
> --- a/tests/unit/crypto-tls-x509-helpers.c
> +++ b/tests/unit/crypto-tls-x509-helpers.c
> @@ -168,9 +168,19 @@ test_tls_get_ipaddr(const char *addrstr,
> hints.ai_flags = AI_NUMERICHOST;
> g_assert(getaddrinfo(addrstr, NULL, &hints, &res) == 0);
test_tls_get_ipaddr is passed a char** data ptr that's then passed to
gnutls_x509_crt_set_subject_alt_name with GNUTLS_SAN_IPADDRESS, none of
which I know about, bu tthe manpage says:
'GNUTLS_SAN_IPADDRESS as a binary IP address (4 or 16 bytes)'
so yes, it wants the IP not the full structure.
>
> - *datalen = res->ai_addrlen;
> - *data = g_new(char, *datalen);
> - memcpy(*data, res->ai_addr, *datalen);
> + if (res->ai_family == AF_INET) {
> + struct sockaddr_in *in = (struct sockaddr_in *)res->ai_addr;
> + *datalen = sizeof(in->sin_addr);
> + *data = g_new(char, *datalen);
> + memcpy(*data, &in->sin_addr, *datalen);
> + } else if (res->ai_family == AF_INET6) {
> + struct sockaddr_in6 *in = (struct sockaddr_in6 *)res->ai_addr;
> + *datalen = sizeof(in->sin6_addr);
> + *data = g_new(char, *datalen);
> + memcpy(*data, &in->sin6_addr, *datalen);
> + } else {
> + g_assert_not_reached();
> + }
> freeaddrinfo(res);
Yes, you could use g_memdup,
Reviewed-by: Dr. David Alan Gilbert <dgilb...@redhat.com>
> }
>
> diff --git a/tests/unit/test-crypto-tlssession.c
> b/tests/unit/test-crypto-tlssession.c
> index 5f0da9192c..a6935d8497 100644
> --- a/tests/unit/test-crypto-tlssession.c
> +++ b/tests/unit/test-crypto-tlssession.c
> @@ -512,12 +512,19 @@ int main(int argc, char **argv)
> false, true, "wiki.qemu.org", NULL);
>
> TEST_SESS_REG(altname4, cacertreq.filename,
> + servercertalt1req.filename, clientcertreq.filename,
> + false, false, "192.168.122.1", NULL);
> + TEST_SESS_REG(altname5, cacertreq.filename,
> + servercertalt1req.filename, clientcertreq.filename,
> + false, false, "fec0::dead:beaf", NULL);
> +
> + TEST_SESS_REG(altname6, cacertreq.filename,
> servercertalt2req.filename, clientcertreq.filename,
> false, true, "qemu.org", NULL);
> - TEST_SESS_REG(altname5, cacertreq.filename,
> + TEST_SESS_REG(altname7, cacertreq.filename,
> servercertalt2req.filename, clientcertreq.filename,
> false, false, "www.qemu.org", NULL);
> - TEST_SESS_REG(altname6, cacertreq.filename,
> + TEST_SESS_REG(altname8, cacertreq.filename,
> servercertalt2req.filename, clientcertreq.filename,
> false, false, "wiki.qemu.org", NULL);
>
> --
> 2.35.1
>
--
Dr. David Alan Gilbert / dgilb...@redhat.com / Manchester, UK
