
Commit 5c5bf71

authored
Merge pull request #185 from cunnie/IPv6_SAN_verification
Correctly verify IPv6 iPAddress SANs against abbreviated or zero-padded IPv6 hostnames
2 parents f707996 + 9322a10 commit 5c5bf71


3 files changed

+12
-6
lines changed


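--- a/lib/openssl/ssl.rb
+++ b/lib/openssl/ssl.rb
@@ -12,6 +12,7 @@
 
 require "openssl/buffering"
 require "io/nonblock"
+require "ipaddr"
 
 module OpenSSL
 module SSL
@@ -272,11 +273,11 @@ def verify_certificate_identity(cert, hostname)
 return true if verify_hostname(hostname, san.value)
 when 7 # iPAddress in GeneralName (RFC5280)
 should_verify_common_name = false
-# follows GENERAL_NAME_print() in x509v3/v3_alt.c
-if san.value.size == 4
-return true if san.value.unpack('C*').join('.') == hostname
-elsif san.value.size == 16
-return true if san.value.unpack('n*').map { |e| sprintf("%X", e) }.join(':') == hostname
+if san.value.size == 4 || san.value.size == 16
+begin
+return true if san.value == IPAddr.new(hostname).hton
+rescue IPAddr::InvalidAddressError
+end
 end
 end
 }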
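Review bot: `IPAddr.new(hostname)` in the new iPAddress branch also accepts CIDR notation and masks the host bits, so a hostname string such as `192.168.7.5/24` would compare equal to a SAN holding 192.168.7.0; the `rescue` only covers `IPAddr::InvalidAddressError`, so this input is not rejected. Narrowing the guard to a single address literal avoids that, e.g. `if (san.value.size == 4 || san.value.size == 16) && !hostname.include?("/")` (depending on the ipaddr version, a `%zone` suffix may likewise be accepted and silently dropped, which is worth checking). The empty `rescue` body is deliberate but unexplained; a one-line comment such as `# hostname is not an IP literal, so no iPAddress SAN can match it; fall through` would help, as would restoring a comment saying why the binary comparison replaced the string formatting (it canonicalises abbreviated and zero-padded IPv6 forms, which the old `sprintf("%X")` join did not). verify_certificate_identity starts and ends outside this hunk.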

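--- a/openssl.gemspec
+++ b/openssl.gemspec
@@ -17,6 +17,7 @@ Gem::Specification.new do |spec|
 
 spec.required_ruby_version = ">= 2.3.0"
 
+spec.add_runtime_dependency "ipaddr"
 spec.add_development_dependency "rake"
 spec.add_development_dependency "rake-compiler"
 spec.add_development_dependency "test-unit", "~> 3.0"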

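--- a/test/test_ssl.rb
+++ b/test/test_ssl.rb
@@ -516,8 +516,12 @@ def test_verify_certificate_identity
 assert_equal(true, OpenSSL::SSL.verify_certificate_identity(cert, "www.example.com\0.evil.com"))
 assert_equal(false, OpenSSL::SSL.verify_certificate_identity(cert, '192.168.7.255'))
 assert_equal(true, OpenSSL::SSL.verify_certificate_identity(cert, '192.168.7.1'))
-assert_equal(false, OpenSSL::SSL.verify_certificate_identity(cert, '13::17'))
+assert_equal(true, OpenSSL::SSL.verify_certificate_identity(cert, '13::17'))
+assert_equal(false, OpenSSL::SSL.verify_certificate_identity(cert, '13::18'))
 assert_equal(true, OpenSSL::SSL.verify_certificate_identity(cert, '13:0:0:0:0:0:0:17'))
+assert_equal(false, OpenSSL::SSL.verify_certificate_identity(cert, '44:0:0:0:0:0:0:17'))
+assert_equal(true, OpenSSL::SSL.verify_certificate_identity(cert, '0013:0000:0000:0000:0000:0000:0000:0017'))
+assert_equal(false, OpenSSL::SSL.verify_certificate_identity(cert, '1313:0000:0000:0000:0000:0000:0000:0017'))
 end
 end
 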
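Review bot: The new assertions only pass IP-literal hostnames, so the `rescue IPAddr::InvalidAddressError` fall-through added in lib/openssl/ssl.rb is never exercised by this test. A hostname that is not an address but still reaches the iPAddress SAN, e.g. `assert_equal(false, OpenSSL::SSL.verify_certificate_identity(cert, 'not-an-ip'))`, would pin that the method returns false rather than raising, assuming the fixture cert has no dNSName or CN matching that string. A negative case for prefix notation such as `assert_equal(false, OpenSSL::SSL.verify_certificate_identity(cert, '192.168.7.1/24'))` would also document whether CIDR input is meant to be rejected, since `IPAddr.new` accepts it. test_verify_certificate_identity starts outside this hunk.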