Tonight, I spent a few hours implementing RFC5952: https://github.com/colmmacc/s2n/commit/4e7d2424b059b1350353fbb95c251d5ff024535e … ... because it turns out that there's no portable way to be sure that IPv6 strings will be in a canonical format. How is that not fixed in 2019? Crazy! Exact-match is needed in many applications.
Why do you need inet_ntop to verify an IPv6 SAN? The address is stored as 16 octets so verification should just be a memcmp.
-
-
We have an existing verify_host callback fn that a s2n caller can set. It takes a string as an argument, so we have to turn the 16 octets into a string for that function. I want to make sure that the format is always canonicalized and the callback will work the same everywhere.
-
Why not new callbacks verify_ip and verify_ipv6 that take in_addr and in6_addr arguments? It seems generally better for security to keep things as strongly-typed as possible instead of coercing everything to a string.
- 4 more replies
New conversation -
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.