authorNikos Mavrogiannopoulos <nmav@gnutls.org>2014-08-17 15:25:24 +0200
committerNikos Mavrogiannopoulos <nmav@gnutls.org>2014-08-17 15:41:47 +0200
commit1c501715f412452d87a9547bda249afd2584e522 (patch)
tree82fe4c4a5c9018110b2ed970d2525f16b69b3110
parent5cea03a6c6c9fbdc746dcc2d73d97edd5ebb1052 (diff)
downloadgnutls-1c501715f412452d87a9547bda249afd2584e522.tar.gz
when checking the hostname of a certificate with multiple CNs use the "most specific" CN
In our case we use the last CN present in the DN. Reported by David Woodhouse.
-rw-r--r--lib/x509/rfc2818_hostname.c20
1 files changed, 13 insertions, 7 deletions
diff --git a/lib/x509/rfc2818_hostname.c b/lib/x509/rfc2818_hostname.c
index 52fd1db35b..7a50b38b49 100644
--- a/lib/x509/rfc2818_hostname.c
+++ b/lib/x509/rfc2818_hostname.c
@@ -81,15 +81,21 @@ gnutls_x509_crt_check_hostname (gnutls_x509_crt_t cert, const char *hostname)
if (!found_dnsname)
{
- /* not got the necessary extension, use CN instead
+ unsigned prev_size = 0;
+ /* not got the necessary extension; use the last CN instead
*/
- dnsnamesize = sizeof (dnsname);
- if (gnutls_x509_crt_get_dn_by_oid (cert, OID_X520_COMMON_NAME, 0,
- 0, dnsname, &dnsnamesize) < 0)
+ for (i=0;;i++)
{
- /* got an error, can't find a name
- */
- return 0;
+ dnsnamesize = sizeof (dnsname);
+ ret = gnutls_x509_crt_get_dn_by_oid(cert, OID_X520_COMMON_NAME, i, 0, dnsname, &dnsnamesize);
+ if (ret < 0)
+ {
+ if (i == 0 || ret != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
+ return 0;
+ dnsnamesize = prev_size;
+ break;
+ }
+ prev_size = dnsnamesize;
}
if (_gnutls_hostname_compare (dnsname, dnsnamesize, hostname, 0))