X-Git-Url: https://git.openssl.org/gitweb/?a=blobdiff_plain;f=crypto%2Fx509%2Fx509_vfy.c;h=acacb257c99553e8fbdaeb7ca42cdfd5ddbe63f6;hb=aace6dbcb34ba40e9b5ef2da11d3d3e724599ca9;hp=3799036a6eb6dfc84015553ba260213346582332;hpb=3fc0b1edad0c75d7beb51fa77f63ffe817295e2c;p=openssl.git
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index 3799036a6e..acacb257c9 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -495,7 +495,6 @@ static int check_issued(X509_STORE_CTX *ctx, X509 *x, X509 *issuer)
 ctx->current_cert = x;
 ctx->current_issuer = issuer;
 return ctx->verify_cb(0, ctx);
- return 0;
 }
 /* Alternative lookup method: look from a STACK stored in other_ctx */
@@ -719,12 +718,28 @@ static int check_id_error(X509_STORE_CTX *ctx, int errcode)
 return ctx->verify_cb(0, ctx);
 }
+static int check_hosts(X509 *x, X509_VERIFY_PARAM_ID *id)
+ {
+ int i;
+ int n = sk_OPENSSL_STRING_num(id->hosts);
+ char *name;
+
+ for (i = 0; i < n; ++i)
+ {
+ name = sk_OPENSSL_STRING_value(id->hosts, i);
+ if (X509_check_host(x, name, 0, id->hostflags,
+ &id->peername) > 0)
+ return 1;
+ }
+ return n == 0;
+ }
+
 static int check_id(X509_STORE_CTX *ctx)
 {
 X509_VERIFY_PARAM *vpm = ctx->param;
 X509_VERIFY_PARAM_ID *id = vpm->id;
 X509 *x = ctx->cert;
- if (id->host && X509_check_host(x, id->host, 0, id->hostflags) <= 0)
+ if (id->hosts && check_hosts(x, id) <= 0)
 {
 if (!check_id_error(ctx, X509_V_ERR_HOSTNAME_MISMATCH))
 return 0;
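Review bot: In check_hosts, `&id->peername` is handed to X509_check_host on every iteration, but nothing in the function clears a value left there by an earlier verification that used the same parameters. If X509_check_host stores a newly allocated copy of the matched name (its body is not part of this diff), reusing the X509_VERIFY_PARAM would leak the previous string, and after a failed check a caller could still read the peer name from the last successful one. Resetting it before the loop, e.g. `if (id->peername) { OPENSSL_free(id->peername); id->peername = NULL; }`, would avoid both, assuming the string is OPENSSL-allocated. The `return n == 0;` fall-through also means an allocated but empty host list accepts any certificate, so a comment such as `/* empty list: no hostname constraint configured */` would mark that fail-open case as deliberate. check_id continues past the end of the hunk.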