authorjoe <joe@61a7d7f5-40b7-0310-9c16-bb0ea8cb1845>2010-09-28 11:55:07 +0000
committerjoe <joe@61a7d7f5-40b7-0310-9c16-bb0ea8cb1845>2010-09-28 11:55:07 +0000
commita1e4022572152528ccde55137d531e13185fd4f7 (patch)
tree9e9c71652ef81a5cd22ec8b6ab48bf0a7f2b337d /src/ne_session.c
parentecb2399b1643f03ab843be363f2480068064ee7a (diff)
* src/ne_session.c (ne__ssl_match_hostname): Deny a wildcard match
against anything which parses as an IP address. * test/ssl.c (fail_wildcard_ip): Add test case. * test/makekeys.sh: Generate test wildcard IP cert. git-svn-id: http://svn.webdav.org/repos/projects/neon/trunk@1811 61a7d7f5-40b7-0310-9c16-bb0ea8cb1845
Diffstat (limited to 'src/ne_session.c')
-rw-r--r--src/ne_session.c19
1 files changed, 19 insertions, 0 deletions
diff --git a/src/ne_session.c b/src/ne_session.c
index 41f50fd..1502140 100644
--- a/src/ne_session.c
+++ b/src/ne_session.c
@@ -583,6 +583,25 @@ int ne__ssl_match_hostname(const char *cn, size_t cnlen, const char *hostname)
if (strncmp(cn, "*.", 2) == 0 && cnlen > 2
&& (dot = strchr(hostname, '.')) != NULL) {
+ ne_inet_addr *ia;
+
+ /* Prevent wildcard CN matches against anything which can be
+ * parsed as an IP address (i.e. a CN of "*.1.1.1" should not
+ * be match 8.1.1.1). draft-saintandre-tls-server-id-check
+ * will require some more significant changes to cert ID
+ * verification which will probably obviate this check, but
+ * this is a desirable policy tightening in the mean time. */
+ ia = ne_iaddr_parse(hostname, ne_iaddr_ipv4);
+ if (ia == NULL)
+ ia = ne_iaddr_parse(hostname, ne_iaddr_ipv6);
+
+ if (ia) {
+ NE_DEBUG(NE_DBG_SSL, "ssl: Denying wildcard match for numeric "
+ "IP address.\n");
+ ne_iaddr_free(ia);
+ return 0;
+ }
+
hostname = dot + 1;
cn += 2;
cnlen -= 2;