Commit 6c2c0196 authored by Jay Satiro's avatar Jay Satiro

x509asn1: Fix host altname verification

- In Curl_verifyhost check all altnames in the certificate.

Prior to this change only the first altname was checked. Only the GSKit
SSL backend was affected by this bug.

Bug: http://curl.haxx.se/mail/lib-2015-12/0062.html
Reported-by: John Kohl
parent b4a39491
+4 −8
@@ -1061,7 +1061,6 @@ CURLcode Curl_verifyhost(struct connectdata * conn,
  curl_asn1Element elem;
  curl_asn1Element ext;
  curl_asn1Element name;
  int i;
  const char * p;
  const char * q;
  char * dnsname;
@@ -1110,16 +1109,13 @@ CURLcode Curl_verifyhost(struct connectdata * conn,
        q = Curl_getASN1Element(&name, q, elem.end);
        switch (name.tag) {
        case 2: /* DNS name. */
          i = 0;
          len = utf8asn1str(&dnsname, CURL_ASN1_IA5_STRING,
                            name.beg, name.end);
          if(len > 0)
            if(strlen(dnsname) == (size_t) len)
              i = Curl_cert_hostcheck((const char *) dnsname, conn->host.name);
          if(len > 0 && (size_t)len == strlen(dnsname))
            matched = Curl_cert_hostcheck(dnsname, conn->host.name);
          else
            matched = 0;
          free(dnsname);
          if(!i)
            return CURLE_PEER_FAILED_VERIFICATION;
          matched = i;
          break;

        case 7: /* IP address. */
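Review bot: In the `case 2` branch `matched` is now assigned unconditionally for each DNS altname, and the `else` path resets it to 0, so checking every altname only works if the enclosing loop stops at the first match. If the loop keeps iterating, a later non-matching or malformed name would overwrite an earlier match and a valid certificate would be rejected. The loop header lies outside this hunk, so please confirm that its condition tests `matched`. The length comparison also deserves a comment, since it is what rejects a name containing an embedded NUL byte: `/* ASN.1 length must equal the C string length, else the name holds an embedded NUL */`.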