x509asn1: Fix host altname verification
- In Curl_verifyhost check all altnames in the certificate. Prior to this change only the first altname was checked. Only the GSKit SSL backend was affected by this bug. Bug: http://curl.haxx.se/mail/lib-2015-12/0062.html Reported-by: John Kohl
		| @@ -1061,7 +1061,6 @@ CURLcode Curl_verifyhost(struct connectdata * conn, | |||||||
|   curl_asn1Element elem; |   curl_asn1Element elem; | ||||||
|   curl_asn1Element ext; |   curl_asn1Element ext; | ||||||
|   curl_asn1Element name; |   curl_asn1Element name; | ||||||
|   int i; |  | ||||||
|   const char * p; |   const char * p; | ||||||
|   const char * q; |   const char * q; | ||||||
|   char * dnsname; |   char * dnsname; | ||||||
| @@ -1110,16 +1109,13 @@ CURLcode Curl_verifyhost(struct connectdata * conn, | |||||||
|         q = Curl_getASN1Element(&name, q, elem.end); |         q = Curl_getASN1Element(&name, q, elem.end); | ||||||
|         switch (name.tag) { |         switch (name.tag) { | ||||||
|         case 2: /* DNS name. */ |         case 2: /* DNS name. */ | ||||||
|           i = 0; |  | ||||||
|           len = utf8asn1str(&dnsname, CURL_ASN1_IA5_STRING, |           len = utf8asn1str(&dnsname, CURL_ASN1_IA5_STRING, | ||||||
|                             name.beg, name.end); |                             name.beg, name.end); | ||||||
|           if(len > 0) |           if(len > 0 && (size_t)len == strlen(dnsname)) | ||||||
|             if(strlen(dnsname) == (size_t) len) |             matched = Curl_cert_hostcheck(dnsname, conn->host.name); | ||||||
|               i = Curl_cert_hostcheck((const char *) dnsname, conn->host.name); |           else | ||||||
|  |             matched = 0; | ||||||
|           free(dnsname); |           free(dnsname); | ||||||
|           if(!i) |  | ||||||
|             return CURLE_PEER_FAILED_VERIFICATION; |  | ||||||
|           matched = i; |  | ||||||
|           break; |           break; | ||||||
|  |  | ||||||
|         case 7: /* IP address. */ |         case 7: /* IP address. */ | ||||||
|   | |||||||
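Review bot: In the `case 2` branch both new assignments to `matched` overwrite whatever an earlier altname produced, so the fix is only correct if the enclosing loop stops as soon as `matched` is 1; the loop header lies outside this hunk and should be checked. The length test `(size_t)len == strlen(dnsname)` is the guard that rejects a DNS altname containing an embedded NUL byte, and it now sits inside a combined condition with no explanation. I would add a comment above the `if`, for example `/* Reject names with an embedded NUL: decoded length must equal strlen(). */`. A second comment on the `else` could state that `matched = 0` records an altname that was present but did not match, presumably so that no fallback to the subject CN happens after the loop; verify that against the code following it.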
	 Jay Satiro
					Jay Satiro