Fix certificate validation for IPv6 literals in sconnect demo

Instead of naïvely trying to truncate at the first colon, use
BIO_get_conn_hostname(). That handles IPv6 literals correctly, even
stripping the [] from around them.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/9201)

diff --git a/demos/bio/sconnect.c b/demos/bio/sconnect.c
index 7e46bf0ad8e65571c599ead66d1ac3ea4c12a899..19f8ee78dea4331f935d064b73f5250c738d2967 100644 (file)
--- a/demos/bio/sconnect.c
+++ b/demos/bio/sconnect.c
@@ -29,7 +29,7 @@ int main(int argc, char *argv[])
 {
     const char *hostport = HOSTPORT;
     const char *CAfile = CAFILE;
-    char *hostname;
+    const char *hostname;
     char *cp;
     BIO *out = NULL;
     char buf[1024 * 10], *p;
@@ -43,10 +43,6 @@ int main(int argc, char *argv[])
     if (argc > 2)
         CAfile = argv[2];
 
-    hostname = OPENSSL_strdup(hostport);
-    if ((cp = strchr(hostname, ':')) != NULL)
-        *cp = 0;
-
 #ifdef WATT32
     dbug_init();
     sock_init();
@@ -62,9 +58,6 @@ int main(int argc, char *argv[])
     ssl = SSL_new(ssl_ctx);
     SSL_set_connect_state(ssl);
 
-    /* Enable peername verification */
-    if (SSL_set1_host(ssl, hostname) <= 0)
-        goto err;
 
     /* Use it inside an SSL BIO */
     ssl_bio = BIO_new(BIO_f_ssl());
@@ -73,6 +66,12 @@ int main(int argc, char *argv[])
     /* Lets use a connect BIO under the SSL BIO */
     out = BIO_new(BIO_s_connect());
     BIO_set_conn_hostname(out, hostport);
+
+    /* The BIO has parsed the host:port and even IPv6 literals in [] */
+    hostname = BIO_get_conn_hostname(out);
+    if (!hostname || SSL_set1_host(ssl, hostname) <= 0)
+        goto err;
+
     BIO_set_nbio(out, 1);
     out = BIO_push(ssl_bio, out);