authorJay Satiro <raysatiro@yahoo.com>2015-12-14 16:43:08 -0500
committerJay Satiro <raysatiro@yahoo.com>2015-12-15 14:07:28 -0500
commit6c2c019654e658a78ccf692f5b8553cef337ec27 (patch)
treea239d68c602dc02690ead058ddc9e79a64fde45c /lib/x509asn1.c
parentb4a39491cacde68c9ed5499db7fcc873976e1879 (diff)
x509asn1: Fix host altname verification
- In Curl_verifyhost check all altnames in the certificate. Prior to this change only the first altname was checked. Only the GSKit SSL backend was affected by this bug. Bug: http://curl.haxx.se/mail/lib-2015-12/0062.html Reported-by: John Kohl
Diffstat (limited to 'lib/x509asn1.c')
-rw-r--r--lib/x509asn1.c12
1 files changed, 4 insertions, 8 deletions
diff --git a/lib/x509asn1.c b/lib/x509asn1.c
index a3dfd646b..728562692 100644
--- a/lib/x509asn1.c
+++ b/lib/x509asn1.c
@@ -1061,7 +1061,6 @@ CURLcode Curl_verifyhost(struct connectdata * conn,
curl_asn1Element elem;
curl_asn1Element ext;
curl_asn1Element name;
- int i;
const char * p;
const char * q;
char * dnsname;
@@ -1110,16 +1109,13 @@ CURLcode Curl_verifyhost(struct connectdata * conn,
q = Curl_getASN1Element(&name, q, elem.end);
switch (name.tag) {
case 2: /* DNS name. */
- i = 0;
len = utf8asn1str(&dnsname, CURL_ASN1_IA5_STRING,
name.beg, name.end);
- if(len > 0)
- if(strlen(dnsname) == (size_t) len)
- i = Curl_cert_hostcheck((const char *) dnsname, conn->host.name);
+ if(len > 0 && (size_t)len == strlen(dnsname))
+ matched = Curl_cert_hostcheck(dnsname, conn->host.name);
+ else
+ matched = 0;
free(dnsname);
- if(!i)
- return CURLE_PEER_FAILED_VERIFICATION;
- matched = i;
break;
case 7: /* IP address. */