summaryrefslogtreecommitdiff
path: root/lib/hostcheck.c
diff options
context:
space:
mode:
authorDaniel Stenberg <daniel@haxx.se>2014-03-03 11:46:36 +0100
committerDaniel Stenberg <daniel@haxx.se>2014-03-25 23:01:37 +0100
commit5019c780958c3a8dbe64123aa90e6eaff1b84cfa (patch)
tree4b1fa4a1de98dcadefc7f1a79720497eb02703c5 /lib/hostcheck.c
parent517b06d657aceb11a234b05cc891170c367ab80d (diff)
downloadcurl-5019c780958c3a8dbe64123aa90e6eaff1b84cfa.tar.gz
Curl_cert_hostcheck: reject IP address wildcard matches
There are server certificates used with IP address in the CN field, but we MUST not allow wild cart certs for hostnames given as IP addresses only. Therefore we must make Curl_cert_hostcheck() fail such attempts. Bug: http://curl.haxx.se/docs/adv_20140326B.html Reported-by: Richard Moore
Diffstat (limited to 'lib/hostcheck.c')
-rw-r--r--lib/hostcheck.c13
1 files changed, 13 insertions, 0 deletions
diff --git a/lib/hostcheck.c b/lib/hostcheck.c
index 24ddd8960..d144f319a 100644
--- a/lib/hostcheck.c
+++ b/lib/hostcheck.c
@@ -28,6 +28,7 @@
#include "hostcheck.h"
#include "rawstr.h"
+#include "inet_pton.h"
/*
* Match a hostname against a wildcard pattern.
@@ -43,11 +44,23 @@ static int hostmatch(const char *hostname, const char *pattern)
const char *pattern_label_end, *pattern_wildcard, *hostname_label_end;
int wildcard_enabled;
size_t prefixlen, suffixlen;
+ struct in_addr ignored;
+#ifdef ENABLE_IPV6
+ struct sockaddr_in6 si6;
+#endif
pattern_wildcard = strchr(pattern, '*');
if(pattern_wildcard == NULL)
return Curl_raw_equal(pattern, hostname) ?
CURL_HOST_MATCH : CURL_HOST_NOMATCH;
+ /* detect IP address as hostname and fail the match if so */
+ if(Curl_inet_pton(AF_INET, hostname, &ignored) > 0)
+ return CURL_HOST_NOMATCH;
+#ifdef ENABLE_IPV6
+ else if(Curl_inet_pton(AF_INET6, hostname, &si6.sin6_addr) > 0)
+ return CURL_HOST_NOMATCH;
+#endif
+
/* We require at least 2 dots in pattern to avoid too wide wildcard
match. */
wildcard_enabled = 1;