From fc04f4a8b95cfe353e7ed51f1b9279729b1b7401 Mon Sep 17 00:00:00 2001 From: Brian Cunnie Date: Mon, 29 Jan 2018 20:08:49 -0800 Subject: Correctly verify abbreviated IPv6 SANs [ This is a backport to the 2.1 branch. ] IPv6 SAN-verification accommodates ["zero-compression"](https://tools.ietf.org/html/rfc5952#section-2.2). It also accommodates non-compressed addresses. Previously the verification of IPv6 addresses would fail unless the address syntax matched a specific format (no zero-compression, no leading zeroes). As an example, the IPv6 loopback address, if represented as `::1`, would not verify. Nor would it verify if represented as `0000:0000:0000:0000:0000:0000:0000:0001`; however, both representations are valid, RFC-compliant representations. The library would only accept a very specific representation (i.e. `0:0:0:0:0:0:0:1`). This commit addresses that shortcoming, and ensures that any valid IPv6 representation will correctly verify. (cherry picked from commit 9322a104d16b02c7a79f9ab589859c9d63fabf52) --- lib/openssl/ssl.rb | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) (limited to 'lib') diff --git a/lib/openssl/ssl.rb b/lib/openssl/ssl.rb index 6a6f2b94..355eb2eb 100644 --- a/lib/openssl/ssl.rb +++ b/lib/openssl/ssl.rb @@ -12,6 +12,7 @@ require "openssl/buffering" require "io/nonblock" +require "ipaddr" module OpenSSL module SSL 
@@ -272,11 +273,11 @@ YoaOffgTf5qxiwkjnlVZQc3whgnEt9FpVMvQ9eknyeGB5KHfayAc3+hUAvI3/Cr3
             return true if verify_hostname(hostname, san.value)
           when 7 # iPAddress in GeneralName (RFC5280)
             should_verify_common_name = false
-            # follows GENERAL_NAME_print() in x509v3/v3_alt.c
-            if san.value.size == 4
-              return true if san.value.unpack('C*').join('.') == hostname
-            elsif san.value.size == 16
-              return true if san.value.unpack('n*').map { |e| sprintf("%X", e) }.join(':') == hostname
+            if san.value.size == 4 || san.value.size == 16
+              begin
+                return true if san.value == IPAddr.new(hostname).hton
+              rescue IPAddr::InvalidAddressError
+              end
             end
           end
         }
-- 
cgit v1.2.3
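Review bot: `IPAddr.new(hostname)` on the added comparison line accepts a prefix length after a slash and masks the address (`IPAddr.new("10.1.2.3/8").hton` is the network address, not the host), so a `hostname` such as `"10.1.2.3/8"` is silently compared against a masked value instead of being rejected like other non-address strings; tightening the new guard to `if !hostname.include?("/") && (san.value.size == 4 || san.value.size == 16)` keeps the match to exact IP literals. The enclosing `verify_certificate_identity` and its SAN loop start and end outside the hunk; since `hostname` is the same for every entry, parsing it once before the loop would also avoid re-parsing it per iPAddress SAN. The empty `rescue IPAddr::InvalidAddressError` body is correct here but reads as a swallowed error, so a one-line comment such as `# hostname is not an IP literal, so an iPAddress SAN cannot match it; keep checking the other SANs` would make the intent explicit.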