Description: Reject IP address wildcard matches There are server certificates used with IP address in the CN field, but we MUST not allow wildcard certs for hostnames given as IP addresses only. Therefore we must make Curl_cert_hostcheck() fail such attempts. Origin: upstream, http://curl.haxx.se/libcurl-reject-cert-ip-wildcards.patch Forwarded: not-needed Author: Daniel Stenberg Last-Update: 2014-03-23
diff --git a/lib/ssluse.c b/lib/ssluse.c
index a55ad3c..77317c6 100644
--- a/lib/ssluse.c
+++ b/lib/ssluse.c
@@ -50,6 +50,7 @@
 #include "select.h"
 #include "sslgen.h"
 #include "rawstr.h"
+#include "inet_pton.h"
 #define _MPRINTF_REPLACE /* use the internal *printf() functions */
 #include
@@ -1059,10 +1060,23 @@ static int hostmatch(const char *hostname, const char *pattern)
 const char *pattern_label_end, *pattern_wildcard, *hostname_label_end;
 int wildcard_enabled;
 size_t prefixlen, suffixlen;
+ struct in_addr ignored;
+#ifdef ENABLE_IPV6
+ struct sockaddr_in6 si6;
+#endif
 pattern_wildcard = strchr(pattern, '*');
 if(pattern_wildcard == NULL) {
 return Curl_raw_equal(pattern, hostname) ? HOST_MATCH : HOST_NOMATCH;
 }
+
+ /* detect IP address as hostname and fail the match if so */
+ if(Curl_inet_pton(AF_INET, hostname, &ignored) > 0)
+ return HOST_NOMATCH;
+#ifdef ENABLE_IPV6
+ else if(Curl_inet_pton(AF_INET6, hostname, &si6.sin6_addr) > 0)
+ return HOST_NOMATCH;
+#endif
+
 /* We require at least 2 dots in pattern to avoid too wide wildcard match. */
 wildcard_enabled = 1;
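Review bot: `si6` is declared as a full `struct sockaddr_in6` but only its `sin6_addr` member is ever passed to Curl_inet_pton(), while the IPv4 probe uses a bare `struct in_addr`; declaring `struct in6_addr ignored6;` and passing `&ignored6` keeps the two probes symmetric and drops an unneeded sockaddr from the stack. The placement after the no-wildcard early return is correct — a certificate whose CN or SAN is the literal address still matches exactly and only wildcard patterns are refused — and the comment should say so: `/* a wildcard pattern never matches an IP-literal hostname; an exact IP name was already accepted above */`. Curl_inet_pton() only recognises the canonical textual forms, so if hostmatch() can be handed an IPv6 literal still wrapped in brackets or carrying a zone id, that name would fall through to the wildcard logic below; worth confirming at the call site, which is outside this hunk, that host names are normalised before they get here. The body of hostmatch() continues past the end of the hunk.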