author | joe <joe@61a7d7f5-40b7-0310-9c16-bb0ea8cb1845> | 2010-09-28 11:55:07 +0000 |
---|---|---|
committer | joe <joe@61a7d7f5-40b7-0310-9c16-bb0ea8cb1845> | 2010-09-28 11:55:07 +0000 |
commit | a1e4022572152528ccde55137d531e13185fd4f7 (patch) | |
tree | 9e9c71652ef81a5cd22ec8b6ab48bf0a7f2b337d /src/ne_session.c | |
parent | ecb2399b1643f03ab843be363f2480068064ee7a (diff) | |
download | neon-a1e4022572152528ccde55137d531e13185fd4f7.tar.gz |
* src/ne_session.c (ne__ssl_match_hostname): Deny a wildcard match
against anything which parses as an IP address.
* test/ssl.c (fail_wildcard_ip): Add test case.
* test/makekeys.sh: Generate test wildcard IP cert.
git-svn-id: http://svn.webdav.org/repos/projects/neon/trunk@1811 61a7d7f5-40b7-0310-9c16-bb0ea8cb1845
Diffstat (limited to 'src/ne_session.c')
-rw-r--r-- | src/ne_session.c | 19 |
1 files changed, 19 insertions, 0 deletions
diff --git a/src/ne_session.c b/src/ne_session.c
index 41f50fd..1502140 100644
--- a/src/ne_session.c
+++ b/src/ne_session.c
@@ -583,6 +583,25 @@ int ne__ssl_match_hostname(const char *cn, size_t cnlen, const char *hostname)
 if (strncmp(cn, "*.", 2) == 0 && cnlen > 2 &&
 (dot = strchr(hostname, '.')) != NULL) {
+ ne_inet_addr *ia;
+
+ /* Prevent wildcard CN matches against anything which can be
+ * parsed as an IP address (i.e. a CN of "*.1.1.1" should not
+ * be match 8.1.1.1). draft-saintandre-tls-server-id-check
+ * will require some more significant changes to cert ID
+ * verification which will probably obviate this check, but
+ * this is a desirable policy tightening in the mean time. */
+ ia = ne_iaddr_parse(hostname, ne_iaddr_ipv4);
+ if (ia == NULL)
+ ia = ne_iaddr_parse(hostname, ne_iaddr_ipv6);
+
+ if (ia) {
+ NE_DEBUG(NE_DBG_SSL, "ssl: Denying wildcard match for numeric "
+ "IP address.\n");
+ ne_iaddr_free(ia);
+ return 0;
+ }
+
 hostname = dot + 1;
 cn += 2;
 cnlen -= 2;
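Review bot: The strictness of the new IP-literal check depends entirely on what ne_iaddr_parse accepts, which the hunk does not state: if it is backed by inet_pton the denial covers only canonical dotted-quad and IPv6 forms, whereas an inet_addr-style fallback would also reject abbreviated or octal forms — either way the check only tightens the policy, but it is worth a sentence in the comment so the behaviour is not assumed to be uniform across platforms (please confirm against ne_iaddr_parse). The block comment also has a wording slip, `* be match 8.1.1.1).` should read `* match 8.1.1.1).`, and the draft it cites, draft-saintandre-tls-server-id-check, was later published as RFC 6125, so a pointer like `/* see RFC 6125 (was draft-saintandre-tls-server-id-check) */` would age better. Note that the check is keyed on the hostname, not the CN, so it runs once per wildcard CN/SAN tried against the same hostname, allocating and freeing an ne_inet_addr each time; harmless, but a reader may expect it to be hoisted. ne__ssl_match_hostname begins and ends outside the hunk, so its return contract (0 for no match) is taken on trust here.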