Fix certificate validation for IPv6 literals in sconnect demo

Instead of naïvely trying to truncate at the first colon, use BIO_get_conn_hostname(). That handles IPv6 literals correctly, even stripping the [] from around them. Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/9201)
2024-11-27 05:21:51 +08:00 · 2019-06-20 21:39:38 +01:00 · 2019-06-20 21:39:38 +01:00 · 396e720965
commit 396e720965
parent c832840e89
1 changed files with 7 additions and 8 deletions
--- a/demos/bio/sconnect.c
+++ b/demos/bio/sconnect.c
@ -29,7 +29,7 @@ int main(int argc, char *argv[])
 {
    const char *hostport = HOSTPORT;
    const char *CAfile = CAFILE;
-    char *hostname;
+    const char *hostname;
    char *cp;
    BIO *out = NULL;
    char buf[1024 * 10], *p;
@ -43,10 +43,6 @@ int main(int argc, char *argv[])
    if (argc > 2)
        CAfile = argv[2];

-    hostname = OPENSSL_strdup(hostport);
-    if ((cp = strchr(hostname, ':')) != NULL)
-        *cp = 0;
-
 #ifdef WATT32
    dbug_init();
    sock_init();
@ -62,9 +58,6 @@ int main(int argc, char *argv[])
    ssl = SSL_new(ssl_ctx);
    SSL_set_connect_state(ssl);

-    /* Enable peername verification */
-    if (SSL_set1_host(ssl, hostname) <= 0)
-        goto err;

    /* Use it inside an SSL BIO */
    ssl_bio = BIO_new(BIO_f_ssl());
@ -73,6 +66,12 @@ int main(int argc, char *argv[])
    /* Lets use a connect BIO under the SSL BIO */
    out = BIO_new(BIO_s_connect());
    BIO_set_conn_hostname(out, hostport);
+
+    /* The BIO has parsed the host:port and even IPv6 literals in [] */
+    hostname = BIO_get_conn_hostname(out);
+    if (!hostname || SSL_set1_host(ssl, hostname) <= 0)
+        goto err;
+
    BIO_set_nbio(out, 1);
    out = BIO_push(ssl_bio, out);