dovecot-2.2: lib-ssl-iostream: Support wildcard certificates whe...
dovecot at dovecot.org
dovecot at dovecot.org
Mon Feb 25 15:51:05 EET 2013
details: http://hg.dovecot.org/dovecot-2.2/rev/ca262f790338
changeset: 15930:ca262f790338
user: Timo Sirainen <tss at iki.fi>
date: Mon Feb 25 15:50:50 2013 +0200
description:
lib-ssl-iostream: Support wildcard certificates when verifying hostname.
diffstat:
src/lib-ssl-iostream/iostream-openssl-common.c | 20 ++++++++++++++++++--
1 files changed, 18 insertions(+), 2 deletions(-)
diffs (45 lines):
diff -r 1841a4b95783 -r ca262f790338 src/lib-ssl-iostream/iostream-openssl-common.c
--- a/src/lib-ssl-iostream/iostream-openssl-common.c Mon Feb 25 14:00:10 2013 +0200
+++ b/src/lib-ssl-iostream/iostream-openssl-common.c Mon Feb 25 15:50:50 2013 +0200
@@ -97,6 +97,20 @@
return asn1_string_to_c(str);
}
+static bool openssl_hostname_equals(const char *ssl_name, const char *host)
+{
+ const char *p;
+
+ if (strcmp(ssl_name, host) == 0)
+ return TRUE;
+
+ /* check for *.example.com wildcard */
+ if (ssl_name[0] != '*' || ssl_name[1] != '.')
+ return FALSE;
+ p = strchr(host, '.');
+ return p != NULL && strcmp(ssl_name+2, p+1) == 0;
+}
+
int openssl_cert_match_name(SSL *ssl, const char *verify_name)
{
X509 *cert;
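Review bot: openssl_hostname_equals accepts a wildcard with only one label after `*.`, so a presented name of `*.com` or `*.co.uk` matches every host directly under that suffix (for host `example.com`, `p+1` is `com`, which equals `ssl_name+2`). RFC 6125 §7.2 warns about exactly this and later OpenSSL X509_check_host rejects such patterns; requiring at least two labels after the wildcard closes it: `if (ssl_name[0] != '*' || ssl_name[1] != '.' || strchr(ssl_name + 2, '.') == NULL) return FALSE;`. The match is also case-sensitive (strcmp) while DNS names are not, which was already true before this change; if that is intentional it deserves a comment such as `/* NOTE: comparison is case-sensitive; DNS names are case-insensitive */`. The same matcher feeds the SubjectAltName loop and the CN fallback in the two hunks below, so the fix covers them as well. openssl_cert_match_name begins at the end of this hunk and its body continues outside it.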
@@ -118,7 +132,7 @@
if (gn->type == GEN_DNS) {
dns_names = TRUE;
dnsname = get_general_dns_name(gn);
- if (strcmp(dnsname, verify_name) == 0)
+ if (openssl_hostname_equals(dnsname, verify_name))
break;
}
}
@@ -128,8 +142,10 @@
SubjectAltNames */
if (dns_names)
ret = i < count ? 0 : -1;
+ else if (openssl_hostname_equals(get_cname(cert), verify_name))
+ ret = 0;
else
- ret = strcmp(get_cname(cert), verify_name) == 0 ? 0 : -1;
+ ret = -1;
X509_free(cert);
return ret;
}