author | Jeremie Courreges-Anglas <jca@cvs.openbsd.org> | 2014-10-06 11:55:49 +0000 |
---|---|---|
committer | Jeremie Courreges-Anglas <jca@cvs.openbsd.org> | 2014-10-06 11:55:49 +0000 |
commit | 2d4478144ca7605fb9d55da7c6c0c535499ed929 (patch) | |
tree | 140708f3588ada7b5493d4a9a49864dede247471 | |
parent | a8c351b55fc2d096bc6c1a56c85922f23af09aa2 (diff) |
When verifying whether an IP address is in the commonName of a
certificate, do not perform wildcard matching.
Suggested by Richard Moore (rich@kde)
ok tedu@
-rw-r--r-- | lib/libressl/ressl_verify.c | 16 |
1 files changed, 15 insertions, 1 deletions
diff --git a/lib/libressl/ressl_verify.c b/lib/libressl/ressl_verify.c
index 9511ad2ff23..5e9f370e1cc 100644
--- a/lib/libressl/ressl_verify.c
+++ b/lib/libressl/ressl_verify.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ressl_verify.c,v 1.4 2014/10/06 11:53:18 jca Exp $ */
+/* $OpenBSD: ressl_verify.c,v 1.5 2014/10/06 11:55:48 jca Exp $ */
 /*
  * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org>
  *
@@ -166,6 +166,7 @@ ressl_check_common_name(X509 *cert, const char *host)
 	char *common_name = NULL;
 	int common_name_len;
 	int rv = -1;
+	union { struct in_addr ip4; struct in6_addr ip6; } addrbuf;
 
 	name = X509_get_subject_name(cert);
 	if (name == NULL)
@@ -191,6 +192,19 @@ ressl_check_common_name(X509 *cert, const char *host)
 		goto out;
 	}
 
+	if (inet_pton(AF_INET, host, &addrbuf) == 1 ||
+	    inet_pton(AF_INET6, host, &addrbuf) == 1) {
+		/*
+		 * We don't want to attempt wildcard matching against IP
+		 * addresses, so perform a simple comparison here.
+		 */
+		if (strcmp(common_name, host) == 0)
+			rv = 0;
+		else
+			rv = -1;
+		goto out;
+	}
+
 	if (ressl_match_hostname(common_name, host) == 0)
 		rv = 0;
 out:
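Review bot: The new IP branch compares the CN against the host as text with `strcmp`, so a CN that spells the same address differently (most likely for IPv6, e.g. a CN of `0:0:0:0:0:0:0:1` against a host of `::1`) is rejected even though the addresses are equal; this fails closed rather than open, but it makes the result depend on how the issuer wrote the address rather than on what address it denotes. Parsing `common_name` with the same `inet_pton` family into a second union (say `cnbuf`, declared beside `addrbuf` in the previous hunk) and comparing the binary forms with `memcmp` keeps the no-wildcard guarantee while accepting equivalent spellings, and it also uses the parsed value the commit otherwise discards. The `else rv = -1;` is redundant, since `rv` is initialised to -1 at the top of the function in the previous hunk. ressl_check_common_name starts and ends outside this hunk, so whether `common_name` has already been checked for embedded NULs before it reaches the string comparison is not visible here.
```c
	if (inet_pton(AF_INET, host, &addrbuf.ip4) == 1) {
		/* IP addresses get an exact address comparison, never wildcards. */
		if (inet_pton(AF_INET, common_name, &cnbuf.ip4) == 1 &&
		    memcmp(&addrbuf.ip4, &cnbuf.ip4, sizeof(addrbuf.ip4)) == 0)
			rv = 0;
		goto out;
	}
	if (inet_pton(AF_INET6, host, &addrbuf.ip6) == 1) {
		if (inet_pton(AF_INET6, common_name, &cnbuf.ip6) == 1 &&
		    memcmp(&addrbuf.ip6, &cnbuf.ip6, sizeof(addrbuf.ip6)) == 0)
			rv = 0;
		goto out;
	}
	/* … unchanged: ressl_match_hostname() call and out: label … */
```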