From f44e3a4d0df9397278735d1520f7681715b83b59 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Mon, 3 Mar 2014 11:46:36 +0100
Subject: [PATCH] Curl_cert_hostcheck: reject IP address wildcard matches

There are server certificates used with IP address in the CN field, but
we MUST not allow wild cart certs for hostnames given as IP addresses
only. Therefore we must make Curl_cert_hostcheck() fail such attempts.

Bug: http://curl.haxx.se/docs/adv_20140326B.html
Reported-by: Richard Moore
---
 lib/hostcheck.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/lib/hostcheck.c b/lib/hostcheck.c
index 24ddd89..d144f31 100644
--- a/lib/hostcheck.c
+++ b/lib/hostcheck.c
@@ -28,6 +28,7 @@
 
 #include "hostcheck.h"
 #include "rawstr.h"
+#include "inet_pton.h"
 
 /*
  * Match a hostname against a wildcard pattern.
@@ -43,11 +44,23 @@ static int hostmatch(const char *hostname, const char *pattern)
   const char *pattern_label_end, *pattern_wildcard, *hostname_label_end;
   int wildcard_enabled;
   size_t prefixlen, suffixlen;
+  struct in_addr ignored;
+#ifdef ENABLE_IPV6
+  struct sockaddr_in6 si6;
+#endif
   pattern_wildcard = strchr(pattern, '*');
   if(pattern_wildcard == NULL)
     return Curl_raw_equal(pattern, hostname) ?
       CURL_HOST_MATCH : CURL_HOST_NOMATCH;
 
+  /* detect IP address as hostname and fail the match if so */
+  if(Curl_inet_pton(AF_INET, hostname, &ignored) > 0)
+    return CURL_HOST_NOMATCH;
+#ifdef ENABLE_IPV6
+  else if(Curl_inet_pton(AF_INET6, hostname, &si6.sin6_addr) > 0)
+    return CURL_HOST_NOMATCH;
+#endif
+
   /* We require at least 2 dots in pattern to avoid too wide wildcard
      match. */
   wildcard_enabled = 1;
-- 
1.9.0