From: "Dr. David Alan Gilbert" <dgilbert@redhat.com>
To: "Daniel P. Berrangé" <berrange@redhat.com>
Cc: Laurent Vivier <lvivier@redhat.com>,
	Thomas Huth <thuth@redhat.com>,
	Juan Quintela <quintela@redhat.com>,
	qemu-devel@nongnu.org, Peter Xu <peterx@redhat.com>,
	Paolo Bonzini <pbonzini@redhat.com>
Subject: Re: [PATCH v3 1/9] tests: fix encoding of IP addresses in x509 certs
Date: Thu, 28 Apr 2022 10:46:45 +0100	[thread overview]
Message-ID: <YmpiheB319XMmv5p@work-vm> (raw)
In-Reply-To: <20220426160048.812266-2-berrange@redhat.com>

* Daniel P. Berrangé (berrange@redhat.com) wrote:
> We need to encode just the address bytes, not the whole struct sockaddr
> data. Add a test case to validate that we're matching on SAN IP
> addresses correctly.

Lets see:
> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
> ---
>  tests/unit/crypto-tls-x509-helpers.c | 16 +++++++++++++---
>  tests/unit/test-crypto-tlssession.c  | 11 +++++++++--
>  2 files changed, 22 insertions(+), 5 deletions(-)
> 
> diff --git a/tests/unit/crypto-tls-x509-helpers.c b/tests/unit/crypto-tls-x509-helpers.c
> index fc609b3fd4..e9937f60d8 100644
> --- a/tests/unit/crypto-tls-x509-helpers.c
> +++ b/tests/unit/crypto-tls-x509-helpers.c
> @@ -168,9 +168,19 @@ test_tls_get_ipaddr(const char *addrstr,
>      hints.ai_flags = AI_NUMERICHOST;
>      g_assert(getaddrinfo(addrstr, NULL, &hints, &res) == 0);

test_tls_get_ipaddr is passed a char** data ptr that's then passed to
gnutls_x509_crt_set_subject_alt_name with GNUTLS_SAN_IPADDRESS, none of
which I know about, but the manpage says:
  'GNUTLS_SAN_IPADDRESS as a binary IP address (4 or 16 bytes)'

so yes, it wants the IP not the full structure.

>  
> -    *datalen = res->ai_addrlen;
> -    *data = g_new(char, *datalen);
> -    memcpy(*data, res->ai_addr, *datalen);
> +    if (res->ai_family == AF_INET) {
> +        struct sockaddr_in *in = (struct sockaddr_in *)res->ai_addr;
> +        *datalen = sizeof(in->sin_addr);
> +        *data = g_new(char, *datalen);
> +        memcpy(*data, &in->sin_addr, *datalen);
> +    } else if (res->ai_family == AF_INET6) {
> +        struct sockaddr_in6 *in = (struct sockaddr_in6 *)res->ai_addr;
> +        *datalen = sizeof(in->sin6_addr);
> +        *data = g_new(char, *datalen);
> +        memcpy(*data, &in->sin6_addr, *datalen);
> +    } else {
> +        g_assert_not_reached();
> +    }
>      freeaddrinfo(res);

Yes, you could use g_memdup,


Reviewed-by: Dr. David Alan Gilbert <dgilbert@redhat.com>

>  }
>  
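Review bot: The two branches repeat the same g_new/memcpy pair; each branch only needs to set a source pointer and *datalen, leaving one copy after the if/else (g_memdup, as suggested above, collapses that into a single call). The lengths themselves are right: sizeof(in->sin_addr) is 4 and sizeof(in->sin6_addr) is 16, the two payload sizes GNUTLS_SAN_IPADDRESS accepts, and because hints.ai_flags = AI_NUMERICHOST only a literal IPv4 or IPv6 address can reach this point, so the g_assert_not_reached() fallback is safe rather than reachable on bad input.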
> diff --git a/tests/unit/test-crypto-tlssession.c b/tests/unit/test-crypto-tlssession.c
> index 5f0da9192c..a6935d8497 100644
> --- a/tests/unit/test-crypto-tlssession.c
> +++ b/tests/unit/test-crypto-tlssession.c
> @@ -512,12 +512,19 @@ int main(int argc, char **argv)
>                    false, true, "wiki.qemu.org", NULL);
>  
>      TEST_SESS_REG(altname4, cacertreq.filename,
> +                  servercertalt1req.filename, clientcertreq.filename,
> +                  false, false, "192.168.122.1", NULL);
> +    TEST_SESS_REG(altname5, cacertreq.filename,
> +                  servercertalt1req.filename, clientcertreq.filename,
> +                  false, false, "fec0::dead:beaf", NULL);
> +
> +    TEST_SESS_REG(altname6, cacertreq.filename,
>                    servercertalt2req.filename, clientcertreq.filename,
>                    false, true, "qemu.org", NULL);
> -    TEST_SESS_REG(altname5, cacertreq.filename,
> +    TEST_SESS_REG(altname7, cacertreq.filename,
>                    servercertalt2req.filename, clientcertreq.filename,
>                    false, false, "www.qemu.org", NULL);
> -    TEST_SESS_REG(altname6, cacertreq.filename,
> +    TEST_SESS_REG(altname8, cacertreq.filename,
>                    servercertalt2req.filename, clientcertreq.filename,
>                    false, false, "wiki.qemu.org", NULL);
>  
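Review bot: altname4 and altname5 only exercise the positive path, where the certificate's IP SAN equals the address the client asks for; a companion case with a non-matching literal (another address, expected to fail) would also show that IP SAN matching rejects other addresses rather than merely that it accepts the right one. Minor: inserting the new cases ahead of the existing altname4 forces the servercertalt2 cases to be renumbered to altname6, altname7 and altname8 in this hunk; appending the IP cases after them would leave those lines untouched and keep the diff to the two new registrations.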
> -- 
> 2.35.1
> 
-- 
Dr. David Alan Gilbert / dgilbert@redhat.com / Manchester, UK
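The constraint David quotes from the manpage, that GNUTLS_SAN_IPADDRESS wants the 4 or 16 raw address bytes rather than a struct sockaddr, is easy to check in isolation. The following is an added example, not code from the patch or from QEMU: it reimplements the corrected extraction next to the pre-fix whole-sockaddr one and adds the verifier-side comparison a TLS client performs, so the effect of the encoding bug on matching is visible. The function names (ip_san_bytes, ip_san_bytes_buggy, ip_san_matches and the small wrappers) are my own; the two literal addresses are the ones the patch adds to the test.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200112L   /* expose getaddrinfo() and AI_NUMERICHOST */
#endif
#include <netdb.h>
#include <netinet/in.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>

/* Scratch size: an IPv6 SAN is 16 bytes, but the buggy encoding copies a
 * whole struct sockaddr_in6 (28 bytes on Linux), so leave room for it. */
#define SAN_BUF 64

/* Resolve a literal address only: AI_NUMERICHOST means no DNS traffic and a
 * hostname is rejected. Returns NULL on failure. (Hypothetical helper.) */
static struct addrinfo *resolve_literal(const char *addrstr)
{
    struct addrinfo hints, *res = NULL;
    memset(&hints, 0, sizeof(hints));
    hints.ai_family = AF_UNSPEC;
    hints.ai_flags = AI_NUMERICHOST;
    return getaddrinfo(addrstr, NULL, &hints, &res) == 0 ? res : NULL;
}

/* Corrected encoding, mirroring the patch: copy only the address bytes,
 * 4 for IPv4 or 16 for IPv6. Returns the byte count, 0 on failure. */
size_t ip_san_bytes(const char *addrstr, unsigned char *out, size_t cap)
{
    struct addrinfo *res = resolve_literal(addrstr);
    const void *src = NULL;
    size_t len = 0;

    if (res == NULL) {
        return 0;
    }
    if (res->ai_family == AF_INET) {
        const struct sockaddr_in *in = (const struct sockaddr_in *)res->ai_addr;
        src = &in->sin_addr;
        len = sizeof(in->sin_addr);        /* 4 */
    } else if (res->ai_family == AF_INET6) {
        const struct sockaddr_in6 *in6 = (const struct sockaddr_in6 *)res->ai_addr;
        src = &in6->sin6_addr;
        len = sizeof(in6->sin6_addr);      /* 16 */
    }
    if (src != NULL && len <= cap) {
        memcpy(out, src, len);             /* copy before freeing res */
    } else {
        len = 0;
    }
    freeaddrinfo(res);
    return len;
}

/* Pre-fix behaviour, kept only to show its consequence: the whole struct
 * sockaddr (family, port, address, padding) ends up in the SAN. */
size_t ip_san_bytes_buggy(const char *addrstr, unsigned char *out, size_t cap)
{
    struct addrinfo *res = resolve_literal(addrstr);
    size_t len;

    if (res == NULL) {
        return 0;
    }
    len = res->ai_addrlen;                 /* sizeof(struct sockaddr_in[6]) */
    if (len <= cap) {
        memcpy(out, res->ai_addr, len);
    } else {
        len = 0;
    }
    freeaddrinfo(res);
    return len;
}

/* Verifier side: an IP-address SAN matches the address the client connected
 * to only if both the length and every byte are identical. */
bool ip_san_matches(const unsigned char *san, size_t sanlen, const char *connected)
{
    unsigned char want[SAN_BUF];
    size_t wantlen = ip_san_bytes(connected, want, sizeof(want));
    return wantlen != 0 && wantlen == sanlen && memcmp(san, want, sanlen) == 0;
}

/* Wrappers so each outcome can be inspected on its own. */
size_t san_len_for(const char *addr)
{
    unsigned char b[SAN_BUF];
    return ip_san_bytes(addr, b, sizeof(b));
}

size_t buggy_san_len_for(const char *addr)
{
    unsigned char b[SAN_BUF];
    return ip_san_bytes_buggy(addr, b, sizeof(b));
}

int san_byte(const char *addr, size_t idx)   /* byte idx of the encoding, or -1 */
{
    unsigned char b[SAN_BUF];
    size_t n = ip_san_bytes(addr, b, sizeof(b));
    return idx < n ? b[idx] : -1;
}

bool fixed_encoding_matches(const char *cert_addr, const char *connected)
{
    unsigned char b[SAN_BUF];
    size_t n = ip_san_bytes(cert_addr, b, sizeof(b));
    return ip_san_matches(b, n, connected);
}

bool buggy_encoding_matches(const char *cert_addr, const char *connected)
{
    unsigned char b[SAN_BUF];
    size_t n = ip_san_bytes_buggy(cert_addr, b, sizeof(b));
    return ip_san_matches(b, n, connected);
}

int main(void)
{
    const char *addrs[] = { "192.168.122.1", "fec0::dead:beaf" };
    for (size_t i = 0; i < 2; i++) {
        printf("%-16s fixed=%zu bytes buggy=%zu bytes match(fixed)=%d match(buggy)=%d\n",
               addrs[i], san_len_for(addrs[i]), buggy_san_len_for(addrs[i]),
               fixed_encoding_matches(addrs[i], addrs[i]),
               buggy_encoding_matches(addrs[i], addrs[i]));
    }
    return 0;
}
```

Two things the output makes concrete. The buggy IPv4 encoding is not merely "too long": on Linux it is exactly 16 bytes (sizeof(struct sockaddr_in)), the same length as an IPv6 SAN, so a certificate minted with the old helper carries a syntactically valid IPv6 address made of the family and port fields followed by the real address, which is why the positive test in the patch fails on the old code and passes on the new. And the length check in ip_san_matches is what keeps a 4-byte IPv4 SAN from being compared byte-prefix-wise against a 16-byte IPv6 target.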


