imap-send: support subjectAltName as well
Check not only the common name of the certificate subject, but also
check the subject alternative DNS names as well, when verifying that
the certificate matches that of the host we are trying to talk to.
Signed-off-by: Oswald Buddenhagen <ossi@kde.org>
Signed-off-by: Junio C Hamano <gitster@pobox.com>
diff --git a/imap-send.c b/imap-send.c
index 0b9c464..171c887 100644
--- a/imap-send.c
+++ b/imap-send.c
@@ -30,6 +30,7 @@
#else
#include <openssl/evp.h>
#include <openssl/hmac.h>
+#include <openssl/x509v3.h>
#endif
struct store_conf {
@@ -292,6 +293,24 @@
int len;
X509_NAME *subj;
char cname[1000];
+ int i, found;
+ STACK_OF(GENERAL_NAME) *subj_alt_names;
+
+ /* try the DNS subjectAltNames */
+ found = 0;
+ if ((subj_alt_names = X509_get_ext_d2i(cert, NID_subject_alt_name, NULL, NULL))) {
+ int num_subj_alt_names = sk_GENERAL_NAME_num(subj_alt_names);
+ for (i = 0; !found && i < num_subj_alt_names; i++) {
+ GENERAL_NAME *subj_alt_name = sk_GENERAL_NAME_value(subj_alt_names, i);
+ if (subj_alt_name->type == GEN_DNS &&
+ strlen((const char *)subj_alt_name->d.ia5->data) == (size_t)subj_alt_name->d.ia5->length &&
+ host_matches(hostname, (const char *)(subj_alt_name->d.ia5->data)))
+ found = 1;
+ }
+ sk_GENERAL_NAME_pop_free(subj_alt_names, GENERAL_NAME_free);
+ }
+ if (found)
+ return 0;
/* try the common name */
if (!(subj = X509_get_subject_name(cert)))
