when verifying an IP, also verify it as a hostname
authorNikos Mavrogiannopoulos <nmav@redhat.com>
Fri, 27 Jun 2014 15:34:49 +0000 (17:34 +0200)
committerNikos Mavrogiannopoulos <nmav@redhat.com>
Fri, 27 Jun 2014 15:34:51 +0000 (17:34 +0200)
There are several misconfigured servers that place their IP
address in a DNS name entry instead. Pointed out by David Woodhouse.

lib/x509/rfc2818_hostname.c

index ee21458c083662a8757508e06a778328e345281e..f4e1d04c22f2112f7440c23cf8f912de9ec83667 100644 (file)
@@ -131,11 +131,20 @@ gnutls_x509_crt_check_hostname2(gnutls_x509_crt_t cert,
                                gnutls_assert();
                                goto hostname_fallback;
                        }
-                       return check_ip(cert, &ipv6, 16, flags);
+                       ret = check_ip(cert, &ipv6, 16, flags);
+#else
+                       ret = 0;
 #endif
                } else {
-                       return check_ip(cert, &ipv4, 4, flags);
+                       ret = check_ip(cert, &ipv4, 4, flags);
                }
+
+               if (ret != 0)
+                       return ret;
+
+               /* There are several misconfigured servers, that place their IP
+                * in the DNS field of subjectAlternativeName. Don't break these
+                * configurations and verify the IP as it would have been a DNS name. */
        }
 
  hostname_fallback:
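Review bot: Falling through to hostname_fallback when check_ip() returns 0 (L27–L33) widens acceptance for IP literals beyond what RFC 2818/RFC 6125 allow: a certificate that does carry iPAddress SAN entries, none of which match the requested address, can now still be accepted through a dNSName or CN comparison, and, if the hostname matcher applies wildcard rules to the literal, a dNSName such as `*.168.1.1` could match `192.168.1.1`; whether the existing matcher already refuses wildcards for IP literals is not visible in this hunk. I would restrict the workaround to the misconfiguration it is meant for, i.e. only fall through when the certificate has no iPAddress entry at all and only accept an exact dNSName match, and say so in the comment at L30–L32, e.g. `/* Only reached when no iPAddress SAN matched; wildcards must not be honoured for IP literals. */`. Because this deliberately relaxes verification, the public documentation of gnutls_x509_crt_check_hostname2() should mention that an IP literal may be matched against DNS names. The enclosing function starts before this hunk and the hostname_fallback code continues past it, so the fallback's actual matching rules could not be checked here.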