author | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2014-08-17 15:25:24 +0200 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2014-08-17 15:41:47 +0200 |
commit | 1c501715f412452d87a9547bda249afd2584e522 (patch) | |
tree | 82fe4c4a5c9018110b2ed970d2525f16b69b3110 | |
parent | 5cea03a6c6c9fbdc746dcc2d73d97edd5ebb1052 (diff) | |
download | gnutls-1c501715f412452d87a9547bda249afd2584e522.tar.gz |
when checking the hostname of a certificate with multiple CNs use the "most specific" CN
In our case we use the last CN present in the DN. Reported
by David Woodhouse.
-rw-r--r-- | lib/x509/rfc2818_hostname.c | 20 |
1 files changed, 13 insertions, 7 deletions
diff --git a/lib/x509/rfc2818_hostname.c b/lib/x509/rfc2818_hostname.c
index 52fd1db35b..7a50b38b49 100644
--- a/lib/x509/rfc2818_hostname.c
+++ b/lib/x509/rfc2818_hostname.c
@@ -81,15 +81,21 @@ gnutls_x509_crt_check_hostname (gnutls_x509_crt_t cert, const char *hostname)
 if (!found_dnsname)
 {
- /* not got the necessary extension, use CN instead
+ unsigned prev_size = 0;
+ /* not got the necessary extension; use the last CN instead
 */
- dnsnamesize = sizeof (dnsname);
- if (gnutls_x509_crt_get_dn_by_oid (cert, OID_X520_COMMON_NAME, 0,
- 0, dnsname, &dnsnamesize) < 0)
+ for (i=0;;i++)
 {
- /* got an error, can't find a name
- */
- return 0;
+ dnsnamesize = sizeof (dnsname);
+ ret = gnutls_x509_crt_get_dn_by_oid(cert, OID_X520_COMMON_NAME, i, 0, dnsname, &dnsnamesize);
+ if (ret < 0)
+ {
+ if (i == 0 || ret != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
+ return 0;
+ dnsnamesize = prev_size;
+ break;
+ }
+ prev_size = dnsnamesize;
 }
 if (_gnutls_hostname_compare (dnsname, dnsnamesize, hostname, 0))
|
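Review bot: The loop's exit path sets `dnsnamesize = prev_size` and then compares whatever `dnsname` currently holds, which is only correct if the failing `gnutls_x509_crt_get_dn_by_oid` call that reports `GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE` at index `i` leaves `dnsname` untouched; if that call can write into the buffer before reporting the error, the previously fetched CN is lost, so the contract the code relies on should be recorded, e.g. `/* relies on get_dn_by_oid leaving dnsname untouched when it reports NOT_AVAILABLE */`. `prev_size` is declared `unsigned` while `dnsnamesize` appears to be a wider size type declared outside the hunk, so `prev_size = dnsnamesize` and `dnsnamesize = prev_size` convert between types; declaring `prev_size` with the same type as `dnsnamesize` removes the implicit narrowing. The new comment could also carry the rationale given in the commit message, e.g. `/* no dNSName SAN: fall back to the CN, using the last CN in the DN as the most specific one */`. `i` and `ret` are declared outside the hunk, and gnutls_x509_crt_check_hostname begins and ends outside it.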