From: Fabian Keil
Date: Mon, 20 Jul 2020 13:10:16 +0000 (+0200)
Subject: Only use the Subject Alternative Name extension if it isn't an IP address
X-Git-Tag: v_3_0_29~260
X-Git-Url: http://www.privoxy.org/gitweb/?p=privoxy.git;a=commitdiff_plain;h=000d83a2f0bc54f7e4526fe0ddfcd0572e3ad8e2
Only use the Subject Alternative Name extension if it isn't an IP address
Sponsored by: Robert Klemme
---
diff --git a/ssl.c b/ssl.c
index 860a243f..e2389f08 100644
--- a/ssl.c
+++ b/ssl.c
@@ -28,6 +28,7 @@
 *
 *********************************************************************/
+#include
 #include
 #include
@@ -1519,6 +1520,53 @@ exit:
 }
+
+/*********************************************************************
+ *
+ * Function : host_is_ip_address
+ *
+ * Description : Checks whether or not a host is specified by
+ * IP address. Does not actually validate the
+ * address.
+ *
+ * Parameters :
+ * 1 : host = The host name to check
+ *
+ * Returns : 1 => Yes
+ * 0 => No
+ *
+ *********************************************************************/
+static int host_is_ip_address(const char *host)
+{
+ const char *p;
+
+ if (NULL != strstr(host, ":"))
+ {
+ /* Assume an IPv6 address. */
+ return 1;
+ }
+
+ for (p = host; *p; p++)
+ {
+ if (*p != '.')
+ {
+ if (!privoxy_isdigit(*p))
+ {
+ /* Not a dot or digit so it can't be an IPv4 address. */
+ return 0;
+ }
+ }
+ }
+
+ /*
+ * Host only consists of dots and digits so
+ * assume that is an IPv4 address.
+ */
+ return 1;
+
+}
+
+
 /*********************************************************************
 *
 * Function : generate_webpage_certificate
@@ -1894,7 +1942,8 @@ static int generate_webpage_certificate(struct client_state *csp)
 }
 #endif /* MBEDTLS_SHA1_C */
- if (set_subject_alternative_name(&cert, csp->http->host))
+ if (!host_is_ip_address(csp->http->host) &&
+ set_subject_alternative_name(&cert, csp->http->host))
 {
 /* Errors are already logged by set_subject_alternative_name() */
 ret = -1;
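Review bot: In host_is_ip_address() any string containing ':' is classified as an address, and an empty string also returns 1 because the loop body never runs, so in both cases the caller leaves the SAN out of the generated certificate. Whether csp->http->host can carry a port or be empty is not visible in this diff, so the precondition belongs in the header comment, e.g. `* host must be a bare host without a port; any ':' is treated as IPv6.`, and an early `if (*host == '\0') return 0;` would keep the empty case out of the IP branch. `strchr(host, ':')` states the single-character search more directly than `strstr(host, ":")`.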
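Review bot: For hosts given by IP address the generated certificate now carries no Subject Alternative Name at all, because the new condition in generate_webpage_certificate() short-circuits before set_subject_alternative_name() is called. TLS clients that match the server identity only against SAN entries and ignore the Common Name will then reject the certificate for those hosts; an IP identity is normally expressed as an iPAddress SAN entry rather than omitted. The body of set_subject_alternative_name() is outside this diff, so whether it could emit that entry type cannot be judged here, and the enclosing function also starts and ends outside the hunk. Until that is handled, record the limitation above the condition: `/* XXX: IP-address hosts get no SAN; an iPAddress entry is still needed for clients that ignore the CN. */`.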