From e217322f39ae18f0a9976d8c23bb1661f9966d5f Mon Sep 17 00:00:00 2001
From: Jarrod Johnson
Date: Mon, 24 Mar 2014 15:38:07 -0400
Subject: [PATCH] Fix assertion failure on certs without subjectAltName

While the patch had been done to correctly indicate presence, it still hit assertions.
---
 src/net/tls.c | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

diff --git a/src/net/tls.c b/src/net/tls.c
index c7964728..32f3b9ea 100644
--- a/src/net/tls.c
+++ b/src/net/tls.c
@@ -2445,14 +2445,15 @@ static int tls_validator_name( struct tls_session *tls, struct x509_certificate
 if ( ( cert->subject.name == NULL ) && ( !cert->extensions.subject_alt_name.present ) ) {
 return -1;
 }
- struct x509_san_link* link;
- list_for_each_entry ( link, &cert->extensions.subject_alt_name.names, list ) {
- /* If the name matches, return 0, otherwise, continue */
- if ( dns_wildcard_matcher ( tls->name, link->name ) == 0) {
- return 0;
+ if ( cert->extensions.subject_alt_name.present ) {
+ struct x509_san_link* link;
+ list_for_each_entry ( link, &cert->extensions.subject_alt_name.names, list ) {
+ /* If the name matches, return 0, otherwise, continue */
+ if ( dns_wildcard_matcher ( tls->name, link->name ) == 0) {
+ return 0;
+ }
 }
- }
- if ( !cert->extensions.subject_alt_name.present ) {
+ } else {
 return dns_wildcard_matcher ( tls->name, cert->subject.name );
 }
 return -1;
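Review bot: The new `if ( cert->extensions.subject_alt_name.present ) … else` leaves two security-relevant decisions undocumented: a certificate that carries a subjectAltName is never matched against `cert->subject.name`, and a SAN list with no matching entry falls through to the final `return -1`. That is the fail-closed behaviour wanted for hostname verification, so I would pin it with a comment above the branch, e.g. `/* SAN present: match only against SAN entries, never fall back to the subject name */`, so a later change does not reintroduce the fallback. The guard also assumes `present` is set only once the `names` list head has been initialised, which is not visible in this hunk and is worth stating where the flag is set. Whether `link->name` can hold non-DNS SAN types or embedded NUL bytes cannot be judged from here; the body of `tls_validator_name` starts and ends outside the hunk.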