From 6c2c019654e658a78ccf692f5b8553cef337ec27 Mon Sep 17 00:00:00 2001
From: Jay Satiro <raysatiro@yahoo.com>
Date: Mon, 14 Dec 2015 16:43:08 -0500
Subject: x509asn1: Fix host altname verification

- In Curl_verifyhost check all altnames in the certificate.

Prior to this change only the first altname was checked. Only the GSKit
SSL backend was affected by this bug.

Bug: http://curl.haxx.se/mail/lib-2015-12/0062.html
Reported-by: John Kohl
---
 lib/x509asn1.c | 12 ++++--------
 1 file changed, 4 insertions(+), 8 deletions(-)

diff --git a/lib/x509asn1.c b/lib/x509asn1.c
index a3dfd646b..728562692 100644
--- a/lib/x509asn1.c
+++ b/lib/x509asn1.c
@@ -1061,7 +1061,6 @@ CURLcode Curl_verifyhost(struct connectdata * conn,
   curl_asn1Element elem;
   curl_asn1Element ext;
   curl_asn1Element name;
-  int i;
   const char * p;
   const char * q;
   char * dnsname;
@@ -1110,16 +1109,13 @@ CURLcode Curl_verifyhost(struct connectdata * conn,
         q = Curl_getASN1Element(&name, q, elem.end);
         switch (name.tag) {
         case 2: /* DNS name. */
-          i = 0;
           len = utf8asn1str(&dnsname, CURL_ASN1_IA5_STRING,
                             name.beg, name.end);
-          if(len > 0)
-            if(strlen(dnsname) == (size_t) len)
-              i = Curl_cert_hostcheck((const char *) dnsname, conn->host.name);
+          if(len > 0 && (size_t)len == strlen(dnsname))
+            matched = Curl_cert_hostcheck(dnsname, conn->host.name);
+          else
+            matched = 0;
           free(dnsname);
-          if(!i)
-            return CURLE_PEER_FAILED_VERIFICATION;
-          matched = i;
           break;
 
         case 7: /* IP address. */
-- 
cgit v1.2.3