authorNikos Mavrogiannopoulos <nmav@gnutls.org>2014-08-12 22:38:58 +0200
committerNikos Mavrogiannopoulos <nmav@gnutls.org>2014-08-17 15:05:44 +0200
commitce7ba6cdb151976f7f57d1581008de70ac3d2141 (patch)
tree5a30d127237351a6150fc7796f93f04b4913b45a
parentc681f27fbcef81a32d60e9dcadf1861ed0114ee4 (diff)
downloadgnutls-ce7ba6cdb151976f7f57d1581008de70ac3d2141.tar.gz
when checking the hostname of a certificate with multiple CNs use the "most specific" CN
In our case we use the last CN present in the DN. Reported by David Woodhouse. https://bugzilla.mozilla.org/show_bug.cgi?id=307234#c2
-rw-r--r--lib/x509/rfc2818_hostname.c21
1 files changed, 13 insertions, 8 deletions
diff --git a/lib/x509/rfc2818_hostname.c b/lib/x509/rfc2818_hostname.c
index ea3e858a4a..be0414676c 100644
--- a/lib/x509/rfc2818_hostname.c
+++ b/lib/x509/rfc2818_hostname.c
@@ -90,7 +90,6 @@ int
gnutls_x509_crt_check_hostname(gnutls_x509_crt_t cert,
const char *hostname)
{
-
char dnsname[MAX_CN];
size_t dnsnamesize;
int found_dnsname = 0;
@@ -157,15 +156,21 @@ gnutls_x509_crt_check_hostname(gnutls_x509_crt_t cert,
}
if (!found_dnsname) {
+ unsigned prev_size = 0;
/* not got the necessary extension, use CN instead
*/
- dnsnamesize = sizeof(dnsname);
- if (gnutls_x509_crt_get_dn_by_oid
- (cert, OID_X520_COMMON_NAME, 0, 0, dnsname,
- &dnsnamesize) < 0) {
- /* got an error, can't find a name
- */
- return 0;
+ for (i=0;;i++) {
+ dnsnamesize = sizeof(dnsname);
+ ret = gnutls_x509_crt_get_dn_by_oid
+ (cert, OID_X520_COMMON_NAME, i, 0, dnsname,
+ &dnsnamesize);
+ if (ret < 0) {
+ if (i == 0 || ret != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
+ return 0;
+ dnsnamesize = prev_size;
+ break;
+ }
+ prev_size = dnsnamesize;
}
if (_gnutls_hostname_compare