From 6c2c019654e658a78ccf692f5b8553cef337ec27 Mon Sep 17 00:00:00 2001
From: Jay Satiro
Date: Mon, 14 Dec 2015 16:43:08 -0500
Subject: x509asn1: Fix host altname verification

- In Curl_verifyhost check all altnames in the certificate. Prior to this change only the first altname was checked. Only the GSKit SSL backend was affected by this bug.
Bug: http://curl.haxx.se/mail/lib-2015-12/0062.html
Reported-by: John Kohl
---
 lib/x509asn1.c | 12 ++++--------
 1 file changed, 4 insertions(+), 8 deletions(-)
diff --git a/lib/x509asn1.c b/lib/x509asn1.c
index a3dfd646b..728562692 100644
--- a/lib/x509asn1.c
+++ b/lib/x509asn1.c
@@ -1061,7 +1061,6 @@ CURLcode Curl_verifyhost(struct connectdata * conn,
 curl_asn1Element elem;
 curl_asn1Element ext;
 curl_asn1Element name;
- int i;
 const char * p;
 const char * q;
 char * dnsname;
@@ -1110,16 +1109,13 @@ CURLcode Curl_verifyhost(struct connectdata * conn,
 q = Curl_getASN1Element(&name, q, elem.end);
 switch (name.tag) {
 case 2: /* DNS name. */
- i = 0;
 len = utf8asn1str(&dnsname, CURL_ASN1_IA5_STRING, name.beg, name.end);
- if(len > 0)
- if(strlen(dnsname) == (size_t) len)
- i = Curl_cert_hostcheck((const char *) dnsname, conn->host.name);
+ if(len > 0 && (size_t)len == strlen(dnsname))
+ matched = Curl_cert_hostcheck(dnsname, conn->host.name);
+ else
+ matched = 0;
 free(dnsname);
- if(!i)
- return CURLE_PEER_FAILED_VERIFICATION;
- matched = i;
 break;
 case 7: /* IP address. */
--
cgit v1.2.3
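Review bot: The `(size_t)len == strlen(dnsname)` test in the `case 2` branch is what keeps a DNS altname with an embedded NUL byte from ever matching, and nothing in the new code says so. A comment above the `if`, such as `/* a decoded length that differs from strlen() means an embedded NUL: never match such a name */`, would keep a later cleanup from dropping the check. Because `matched` is now overwritten for every DNS altname instead of returning on the first miss, the result is only correct if the enclosing loop stops as soon as `matched` becomes positive. That loop condition lies outside this hunk, so it is worth confirming there and noting in a comment next to the assignment. `free(dnsname)` also still runs when `len <= 0`, which presumably relies on utf8asn1str() leaving `dnsname` NULL or valid on failure.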