ssl-verify-host: fix verifying ip addresses containing zero's (#732)

* ssl-verify-host: fix verifying ip addresses containing zero's If the subject alternate name contained an ip address with an zero (like 10.42.0.1) it could not successfully verify. It is because in c++ strings are null-terminated and therefore strlen(name) would return a wrong result. As I can not see why we can not trust the length returned by openssl, lets drop this check. * ssl-verify-host: add test case lets try to validate against 127.0.0.1 Co-authored-by: Daniel Ottiger <daniel.ottiger@ch.schindler.com>
2025-06-12 07:41:53 +03:00 · 2020-11-03 02:27:34 +01:00
parent eb1d2e04bc
commit 6e1879dfae
4 changed files with 37 additions and 9 deletions
--- a/httplib.h
+++ b/httplib.h
@ -6225,17 +6225,15 @@ SSLClient::verify_host_with_subject_alt_name(X509 *server_cert) const {
        auto name = (const char *)ASN1_STRING_get0_data(val->d.ia5);
        auto name_len = (size_t)ASN1_STRING_length(val->d.ia5);

-        if (strlen(name) == name_len) {
-          switch (type) {
-          case GEN_DNS: dsn_matched = check_host_name(name, name_len); break;
+        switch (type) {
+        case GEN_DNS: dsn_matched = check_host_name(name, name_len); break;

-          case GEN_IPADD:
-            if (!memcmp(&addr6, name, addr_len) ||
-                !memcmp(&addr, name, addr_len)) {
-              ip_mached = true;
-            }
-            break;
+        case GEN_IPADD:
+          if (!memcmp(&addr6, name, addr_len) ||
+              !memcmp(&addr, name, addr_len)) {
+            ip_mached = true;
          }
+          break;
        }
      }
    }