authornelson%bolyard.com <devnull@localhost>2010-08-22 20:59:01 +0000
committernelson%bolyard.com <devnull@localhost>2010-08-22 20:59:01 +0000
commit61be6e25e5337e6bcdd1bc279a2c5a2f8f1cc362 (patch)
tree5e820849b3d1151e280908f385e7a2bddc410473 /security/nss/lib/certdb
parent08610b146afa0fe18b2856355c08680ad391f3ba (diff)
Bug 578697: Wildcards and IP addresses don't mix.
Diffstat (limited to 'security/nss/lib/certdb')
-rw-r--r--security/nss/lib/certdb/certdb.c21
1 files changed, 20 insertions, 1 deletions
diff --git a/security/nss/lib/certdb/certdb.c b/security/nss/lib/certdb/certdb.c
index 1b65b69d8..9fe4c36ef 100644
--- a/security/nss/lib/certdb/certdb.c
+++ b/security/nss/lib/certdb/certdb.c
@@ -1415,6 +1415,15 @@ sec_lower_string(char *s)
return;
}
+static PRBool
+cert_IsIPAddr(const char *hn)
+{
+ PRBool isIPaddr = PR_FALSE;
+ PRNetAddr netAddr;
+ isIPaddr = (PR_SUCCESS == PR_StringToNetAddr(hn, &netAddr));
+ return isIPaddr;
+}
+
/*
** Add a domain name to the list of names that the user has explicitly
** allowed (despite cert name mismatches) for use with a server cert.
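Review bot: cert_IsIPAddr has no comment saying what it accepts, which matters because its result decides whether wildcard matching is skipped for a host name. I would add above it `/* Returns PR_TRUE when hn parses as a literal IP address via PR_StringToNetAddr; such names must not be matched against wildcard patterns. */`. As a point of style, the `PR_FALSE` initialiser is overwritten by the next statement, so the body can be reduced to `return PR_SUCCESS == PR_StringToNetAddr(hn, &netAddr);`. The helper relies on its caller to pass a usable `hn`; any such check in the caller is outside this hunk.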
@@ -1880,7 +1889,17 @@ CERT_VerifyCertName(CERTCertificate *cert, const char *hn)
cn = CERT_GetCommonName(&cert->subject);
if ( cn ) {
- rv = cert_TestHostName(cn, hn);
+ PRBool isIPaddr = cert_IsIPAddr(hn);
+ if (isIPaddr) {
+ if (PORT_Strcasecmp(hn, cn) == 0) {
+ rv = SECSuccess;
+ } else {
+ PORT_SetError(SSL_ERROR_BAD_CERT_DOMAIN);
+ rv = SECFailure;
+ }
+ } else {
+ rv = cert_TestHostName(cn, hn);
+ }
PORT_Free(cn);
} else
PORT_SetError(SSL_ERROR_BAD_CERT_DOMAIN);
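Review bot: The IP branch compares `hn` and `cn` as text with `PORT_Strcasecmp`, so a certificate whose common name spells the same address differently (for example a compressed versus an expanded IPv6 form) is rejected. That fails closed, which is the safe direction, but it deserves a comment at the `if (isIPaddr)` line, such as `/* IP literals match only by exact text; no wildcard or pattern matching. */`. The check covers only this common-name fallback. Whether the subjectAltName handling elsewhere in CERT_VerifyCertName, outside the hunk, also keeps wildcard entries away from IP host names cannot be seen here and is worth confirming. The local `isIPaddr` is used once and could be folded into `if (cert_IsIPAddr(hn))`.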