authorjca <jca@openbsd.org>2014-10-06 11:55:48 +0000
committerjca <jca@openbsd.org>2014-10-06 11:55:48 +0000
commitdb9dedfd45c8d50b7c22cb36cefc6623910b463b (patch)
treeaaeb9a628376fa952bf228f22b69dc3f91590a71
parentIf we have to match against a wildcard in a cert, verify that it contains (diff)
When verifying whether an IP address is in the commonName of a
certificate, do not perform wildcard matching. Suggested by Richard Moore (rich@kde); ok tedu@
-rw-r--r--lib/libressl/ressl_verify.c16
1 files changed, 15 insertions, 1 deletions
diff --git a/lib/libressl/ressl_verify.c b/lib/libressl/ressl_verify.c
index 9511ad2ff23..5e9f370e1cc 100644
--- a/lib/libressl/ressl_verify.c
+++ b/lib/libressl/ressl_verify.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ressl_verify.c,v 1.4 2014/10/06 11:53:18 jca Exp $ */
+/* $OpenBSD: ressl_verify.c,v 1.5 2014/10/06 11:55:48 jca Exp $ */
/*
* Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org>
*
@@ -166,6 +166,7 @@ ressl_check_common_name(X509 *cert, const char *host)
char *common_name = NULL;
int common_name_len;
int rv = -1;
+ union { struct in_addr ip4; struct in6_addr ip6; } addrbuf;
name = X509_get_subject_name(cert);
if (name == NULL)
@@ -191,6 +192,19 @@ ressl_check_common_name(X509 *cert, const char *host)
goto out;
}
+ if (inet_pton(AF_INET, host, &addrbuf) == 1 ||
+ inet_pton(AF_INET6, host, &addrbuf) == 1) {
+ /*
+ * We don't want to attempt wildcard matching against IP
+ * addresses, so perform a simple comparison here.
+ */
+ if (strcmp(common_name, host) == 0)
+ rv = 0;
+ else
+ rv = -1;
+ goto out;
+ }
+
if (ressl_match_hostname(common_name, host) == 0)
rv = 0;
out:
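Review bot: The strcmp() in the new IP branch compares the textual spelling of the address, so a certificate whose CN holds the same IPv6 address in a different form ("::1" vs "0:0:0:0:0:0:0:1", or upper-case hex) is rejected even though the binary addresses are equal; that is fail-closed and therefore safe, but if it is not intended, parsing the CN with inet_pton() in the family the host resolved to and comparing the binary forms avoids the false rejection while still excluding any wildcard handling. The `else rv = -1;` on the new lines is redundant, since rv is initialised to -1 at the top of the function. Either way, the branch deserves a one-line comment stating that textual (or binary) equality is the only accepted match for IP literals, e.g. `/* IP literals in the CN must match exactly; RFC 6125 discourages relying on CN for addresses at all, prefer the iPAddress SAN. */`. Note that ressl_check_common_name() starts before and ends after this hunk, so the NUL-termination/length check on common_name that this comparison relies on is not visible here and should be confirmed.
```c
	/* … unchanged: common_name extraction and length check … */
	int af = AF_UNSPEC;

	if (inet_pton(AF_INET, host, &addrbuf) == 1)
		af = AF_INET;
	else if (inet_pton(AF_INET6, host, &addrbuf) == 1)
		af = AF_INET6;

	if (af != AF_UNSPEC) {
		/*
		 * The host is an IP literal: no wildcard matching. The CN
		 * must parse as an address of the same family and match
		 * byte-for-byte; rv stays -1 otherwise.
		 */
		union { struct in_addr ip4; struct in6_addr ip6; } cnbuf;
		size_t len = (af == AF_INET) ? sizeof(cnbuf.ip4) :
		    sizeof(cnbuf.ip6);

		if (inet_pton(af, common_name, &cnbuf) == 1 &&
		    memcmp(&addrbuf, &cnbuf, len) == 0)
			rv = 0;
		goto out;
	}
	/* … unchanged: ressl_match_hostname() fallback … */
```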