author | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2014-08-12 22:38:58 +0200 |
committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2014-08-17 15:05:44 +0200 |
commit | ce7ba6cdb151976f7f57d1581008de70ac3d2141 (patch) | |
tree | 5a30d127237351a6150fc7796f93f04b4913b45a | |
parent | c681f27fbcef81a32d60e9dcadf1861ed0114ee4 (diff) | |
when checking the hostname of a certificate with multiple CNs use the "most specific" CN
In this implementation the "most specific" CN is taken to be the last CN
attribute present in the subject DN; a certificate with no CN at all is
still rejected. Reported by David Woodhouse.
https://bugzilla.mozilla.org/show_bug.cgi?id=307234#c2
-rw-r--r-- | lib/x509/rfc2818_hostname.c | 21 |
1 files changed, 13 insertions, 8 deletions
diff --git a/lib/x509/rfc2818_hostname.c b/lib/x509/rfc2818_hostname.c
index ea3e858a4a..be0414676c 100644
--- a/lib/x509/rfc2818_hostname.c
+++ b/lib/x509/rfc2818_hostname.c
@@ -90,7 +90,6 @@ int
 gnutls_x509_crt_check_hostname(gnutls_x509_crt_t cert,
 const char *hostname)
 {
- char dnsname[MAX_CN];
 size_t dnsnamesize;
 int found_dnsname = 0;
@@ -157,15 +156,21 @@ gnutls_x509_crt_check_hostname(gnutls_x509_crt_t cert,
 }
 if (!found_dnsname) {
+ unsigned prev_size = 0;
 /* not got the necessary extension, use CN instead */
- dnsnamesize = sizeof(dnsname);
- if (gnutls_x509_crt_get_dn_by_oid
- (cert, OID_X520_COMMON_NAME, 0, 0, dnsname,
- &dnsnamesize) < 0) {
- /* got an error, can't find a name
- */
- return 0;
+ for (i=0;;i++) {
+ dnsnamesize = sizeof(dnsname);
+ ret = gnutls_x509_crt_get_dn_by_oid
+ (cert, OID_X520_COMMON_NAME, i, 0, dnsname,
+ &dnsnamesize);
+ if (ret < 0) {
+ if (i == 0 || ret != GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
+ return 0;
+ dnsnamesize = prev_size;
+ break;
+ }
+ prev_size = dnsnamesize;
 }
 if (_gnutls_hostname_compare |