From 892a9e4c99f13e295f6146b41e72b92b91899a12 Mon Sep 17 00:00:00 2001
From: David Woodhouse
Date: Mon, 11 May 2020 19:28:03 +0100
Subject: Disallow setting more than one IP address with SSL_add1_host()

The X509_VERIFY_PARAM can only take a single IP address, although it can have multiple hostnames. When SSL_add1_host() is given an IP address, don't accept it if there is already one configured.

Reviewed-by: Viktor Dukhovni
Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/9201)
---
 ssl/ssl_lib.c | 23 +++++++++++++++++++++--
 1 file changed, 21 insertions(+), 2 deletions(-)

diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index a31d2dd2ff..3f621d5677 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -967,8 +967,27 @@ int SSL_add1_host(SSL *s, const char *hostname)
 {
     /* If a hostname is provided and parses as an IP address,
      * treat it as such. */
-    if (hostname && X509_VERIFY_PARAM_set1_ip_asc(s->param, hostname) == 1)
-        return 1;
+    if (hostname)
+    {
+        ASN1_OCTET_STRING *ip;
+        char *old_ip;
+
+        ip = a2i_IPADDRESS(hostname);
+        if (ip) {
+            /* We didn't want it; only to check if it *is* an IP address */
+            ASN1_OCTET_STRING_free(ip);
+
+            old_ip = X509_VERIFY_PARAM_get1_ip_asc(s->param);
+            if (old_ip)
+            {
+                free(old_ip);
+                /* There can be only one IP address */
+                return 0;
+            }
+
+            return X509_VERIFY_PARAM_set1_ip_asc(s->param, hostname);
+        }
+    }
 
     return X509_VERIFY_PARAM_add1_host(s->param, hostname, 0);
 }
-- 
cgit v1.2.3
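Review bot: The string returned by X509_VERIFY_PARAM_get1_ip_asc() is allocated through OpenSSL's own allocator, so releasing it with the C library's `free(old_ip);` in the new `if (old_ip)` branch pairs the wrong deallocator with it; when an application has installed custom allocation functions via CRYPTO_set_mem_functions() this is heap corruption rather than a style nit, and it should read `OPENSSL_free(old_ip);`. The same branch would also benefit from a comment saying why the old address is fetched only to be discarded, e.g. `/* get1_ip_asc() is the only public way to test whether an IP is already set */`. Separately, the new `if (hostname)` and `if (old_ip)` put the opening brace on its own line while the adjacent `if (ip) {` uses the K&R form the rest of ssl_lib.c follows; the two should be made consistent. The whole of SSL_add1_host() is visible in the hunk, so no part of the new control flow is hidden from review.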