mirror/curl
2
0
Fork 0
mirror of https://github.com/curl/curl.git synced 2024-11-27 05:50:21 +08:00
Code Issues Packages Projects Releases Wiki Activity

x509asn1: Fix host altname verification

Browse Source 
- In Curl_verifyhost check all altnames in the certificate.

Prior to this change only the first altname was checked. Only the GSKit
SSL backend was affected by this bug.

Bug: http://curl.haxx.se/mail/lib-2015-12/0062.html
Reported-by: John Kohl
This commit is contained in:
Jay Satiro 2015-12-14 16:43:08 -05:00
parent b4a39491ca
commit 6c2c019654
1 changed files with 4 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
lib/x509asn1.c
View File

@ -1061,7 +1061,6 @@ CURLcode Curl_verifyhost(struct connectdata * conn,
curl_asn1Element elem;
curl_asn1Element ext;
curl_asn1Element name;
int i;
const char * p;
const char * q;
char * dnsname;
@ -1110,16 +1109,13 @@ CURLcode Curl_verifyhost(struct connectdata * conn,
q = Curl_getASN1Element(&name, q, elem.end);
switch (name.tag) {
case 2: /* DNS name. */
i = 0;
len = utf8asn1str(&dnsname, CURL_ASN1_IA5_STRING,
name.beg, name.end);
if(len > 0)
if(strlen(dnsname) == (size_t) len)
i = Curl_cert_hostcheck((const char *) dnsname, conn->host.name);
if(len > 0 && (size_t)len == strlen(dnsname))
matched = Curl_cert_hostcheck(dnsname, conn->host.name);
else
matched = 0;
free(dnsname);
if(!i)
return CURLE_PEER_FAILED_VERIFICATION;
matched = i;
break;
case 7: /* IP address. */