diff options
author | Jay Satiro <raysatiro@yahoo.com> | 2015-12-14 16:43:08 -0500 |
---|---|---|
committer | Jay Satiro <raysatiro@yahoo.com> | 2015-12-15 14:07:28 -0500 |
commit | 6c2c019654e658a78ccf692f5b8553cef337ec27 (patch) | |
tree | a239d68c602dc02690ead058ddc9e79a64fde45c | |
parent | b4a39491cacde68c9ed5499db7fcc873976e1879 (diff) |
x509asn1: Fix host altname verification
- In Curl_verifyhost check all altnames in the certificate.
Prior to this change only the first altname was checked. Only the GSKit
SSL backend was affected by this bug.
Bug: http://curl.haxx.se/mail/lib-2015-12/0062.html
Reported-by: John Kohl
-rw-r--r-- | lib/x509asn1.c | 12 |
1 files changed, 4 insertions, 8 deletions
diff --git a/lib/x509asn1.c b/lib/x509asn1.c index a3dfd646b..728562692 100644 --- a/lib/x509asn1.c +++ b/lib/x509asn1.c @@ -1061,7 +1061,6 @@ CURLcode Curl_verifyhost(struct connectdata * conn, curl_asn1Element elem; curl_asn1Element ext; curl_asn1Element name; - int i; const char * p; const char * q; char * dnsname; @@ -1110,16 +1109,13 @@ CURLcode Curl_verifyhost(struct connectdata * conn, q = Curl_getASN1Element(&name, q, elem.end); switch (name.tag) { case 2: /* DNS name. */ - i = 0; len = utf8asn1str(&dnsname, CURL_ASN1_IA5_STRING, name.beg, name.end); - if(len > 0) - if(strlen(dnsname) == (size_t) len) - i = Curl_cert_hostcheck((const char *) dnsname, conn->host.name); + if(len > 0 && (size_t)len == strlen(dnsname)) + matched = Curl_cert_hostcheck(dnsname, conn->host.name); + else + matched = 0; free(dnsname); - if(!i) - return CURLE_PEER_FAILED_VERIFICATION; - matched = i; break; case 7: /* IP address. */ |