From 846f1b44eea4bb34d080d055badb40a4a13d369e Mon Sep 17 00:00:00 2001
From: Peter Hartmann <peter.hartmann@nokia.com>
Date: Tue, 10 Aug 2010 13:59:57 +0200
Subject: QSslSocket: fix security vulnerability with wildcard IP addresses

This fixes Westpoint Security issue with Advisory ID#: wp-10-0001.
Before, we would allow wildcards in IP addresses like *.2.3.4 ; now,
IP addresses must match excatly.

Patch-by: Richard J. Moore <rich@kde.org>
Task-number: QT-3704
---
 src/network/ssl/qsslsocket_openssl.cpp   | 5 +++++
 tests/auto/qsslsocket/tst_qsslsocket.cpp | 2 ++
 2 files changed, 7 insertions(+)

diff --git a/src/network/ssl/qsslsocket_openssl.cpp b/src/network/ssl/qsslsocket_openssl.cpp
index b4d030c..bb6910a 100644
--- a/src/network/ssl/qsslsocket_openssl.cpp
+++ b/src/network/ssl/qsslsocket_openssl.cpp
@@ -1288,6 +1288,11 @@ bool QSslSocketBackendPrivate::isMatchingHostname(const QString &cn, const QStri
     if (hostname.midRef(hostname.indexOf(QLatin1Char('.'))) != cn.midRef(firstCnDot))
         return false;
 
+    // Check if the hostname is an IP address, if so then wildcards are not allowed
+    QHostAddress addr(hostname);
+    if (!addr.isNull())
+        return false;
+
     // Ok, I guess this was a wildcard CN and the hostname matches.
     return true;
 }
diff --git a/tests/auto/qsslsocket/tst_qsslsocket.cpp b/tests/auto/qsslsocket/tst_qsslsocket.cpp
index 0c12974..6c1dd8f 100644
--- a/tests/auto/qsslsocket/tst_qsslsocket.cpp
+++ b/tests/auto/qsslsocket/tst_qsslsocket.cpp
@@ -1072,6 +1072,7 @@ void tst_QSslSocket::wildcardCertificateNames()
     QCOMPARE( QSslSocketBackendPrivate::isMatchingHostname(QString("*.example.com"), QString("www.example.com")), true );
     QCOMPARE( QSslSocketBackendPrivate::isMatchingHostname(QString("xxx*.example.com"), QString("xxxwww.example.com")), true );
     QCOMPARE( QSslSocketBackendPrivate::isMatchingHostname(QString("f*.example.com"), QString("foo.example.com")), true );
+    QCOMPARE( QSslSocketBackendPrivate::isMatchingHostname(QString("192.168.0.0"), QString("192.168.0.0")), true );
 
     // Failing CN matches
     QCOMPARE( QSslSocketBackendPrivate::isMatchingHostname(QString("xxx.example.com"), QString("www.example.com")), false );
@@ -1085,6 +1086,7 @@ void tst_QSslSocket::wildcardCertificateNames()
     QCOMPARE( QSslSocketBackendPrivate::isMatchingHostname(QString("*.example."), QString("www.example")), false );
     QCOMPARE( QSslSocketBackendPrivate::isMatchingHostname(QString(""), QString("www")), false );
     QCOMPARE( QSslSocketBackendPrivate::isMatchingHostname(QString("*"), QString("www")), false );
+    QCOMPARE( QSslSocketBackendPrivate::isMatchingHostname(QString("*.168.0.0"), QString("192.168.0.0")), false );
 }
 
 void tst_QSslSocket::wildcard()
-- 
cgit v0.12