x509asn1: Fix host altname verification

- In Curl_verifyhost check all altnames in the certificate.

Prior to this change only the first altname was checked. Only the GSKit
SSL backend was affected by this bug.

Bug: http://curl.haxx.se/mail/lib-2015-12/0062.html
Reported-by: John Kohl

diff --git a/lib/x509asn1.c b/lib/x509asn1.c
index a3dfd646b925907dcaeb962e00e18ad1a43f724b..728562692da7d3e51c32ffa487341f5146339fb0 100644 (file)
--- a/lib/x509asn1.c
+++ b/lib/x509asn1.c
@@ -1061,7 +1061,6 @@ CURLcode Curl_verifyhost(struct connectdata * conn,
   curl_asn1Element elem;
   curl_asn1Element ext;
   curl_asn1Element name;
-  int i;
   const char * p;
   const char * q;
   char * dnsname;
@@ -1110,16 +1109,13 @@ CURLcode Curl_verifyhost(struct connectdata * conn,
         q = Curl_getASN1Element(&name, q, elem.end);
         switch (name.tag) {
         case 2: /* DNS name. */
-          i = 0;
           len = utf8asn1str(&dnsname, CURL_ASN1_IA5_STRING,
                             name.beg, name.end);
-          if(len > 0)
-            if(strlen(dnsname) == (size_t) len)
-              i = Curl_cert_hostcheck((const char *) dnsname, conn->host.name);
+          if(len > 0 && (size_t)len == strlen(dnsname))
+            matched = Curl_cert_hostcheck(dnsname, conn->host.name);
+          else
+            matched = 0;
           free(dnsname);
-          if(!i)
-            return CURLE_PEER_FAILED_VERIFICATION;
-          matched = i;
           break;
 
         case 7: /* IP address. */