From 480b13c7e6d83543a82b2974a3af0c8864d7b6a7 Mon Sep 17 00:00:00 2001
From: Matthias Andree
Date: Fri, 27 Aug 2010 21:08:14 +0200
Subject: Disallow X.509 wildcard matches in domain literals.
---
 socket.c | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)
(limited to 'socket.c')
diff --git a/socket.c b/socket.c
index 59b0112e..d3cf90d7 100644
--- a/socket.c
+++ b/socket.c
@@ -600,7 +600,23 @@ SSL *SSLGetContext( int sock )
 * The only place where a wildcard is allowed is in the leftmost
 * position of p1. */
 static int name_match(const char *p1, const char *p2) {
- if (p1[0] == '*' && p1[1] == '.') {
+ const char *const dom = "0123456789.";
+ int wildcard_ok = 1;
+
+ /* blank patterns never match */
+ if (p1[0] == '\0')
+ return 0;
+
+ /* disallow wildcards in certificates for domain literals
+ * (10.9.8.7-like) */
+ if (strspn(p1+(*p1 == '*' ? 1 : 0), dom) == strlen(p1))
+ wildcard_ok = 0;
+
+ /* disallow wildcards for domain literals */
+ if (strspn(p2, dom) == strlen(p2))
+ wildcard_ok = 0;
+
+ if (wildcard_ok && p1[0] == '*' && p1[1] == '.') {
 size_t l1, l2;

 ++p1;
-- cgit v1.2.3
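Review bot: The pattern-side literal check can never fire for a wildcard pattern, because when `p1` starts with `*` the `strspn` runs over `p1+1` but its result is compared with `strlen(p1)`, which is always one character longer. Only the following `p2` check then clears `wildcard_ok`, so an all-numeric hostname is still covered, but the first test is dead for exactly the case its comment describes. Measure the same string on both sides, e.g. `const char *s = p1 + (*p1 == '*');` followed by `if (strspn(s, dom) == strlen(s)) wildcard_ok = 0;`. The `dom` set recognises only IPv4-style dotted literals; whether IPv6 literals can reach this function is not visible here and is worth confirming. The remainder of name_match lies outside the hunk.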