dovecot-2.2: lib-ssl-iostream: Support wildcard certificates when verifying hostname.

dovecot at dovecot.org dovecot at dovecot.org
Mon Feb 25 15:51:05 EET 2013


details:   http://hg.dovecot.org/dovecot-2.2/rev/ca262f790338
changeset: 15930:ca262f790338
user:      Timo Sirainen <tss at iki.fi>
date:      Mon Feb 25 15:50:50 2013 +0200
description:
lib-ssl-iostream: Support wildcard certificates when verifying hostname.

diffstat:

 src/lib-ssl-iostream/iostream-openssl-common.c |  20 ++++++++++++++++++--
 1 files changed, 18 insertions(+), 2 deletions(-)

diffs (45 lines):

diff -r 1841a4b95783 -r ca262f790338 src/lib-ssl-iostream/iostream-openssl-common.c
--- a/src/lib-ssl-iostream/iostream-openssl-common.c	Mon Feb 25 14:00:10 2013 +0200
+++ b/src/lib-ssl-iostream/iostream-openssl-common.c	Mon Feb 25 15:50:50 2013 +0200
@@ -97,6 +97,20 @@
 	return asn1_string_to_c(str);
 }
 
+static bool openssl_hostname_equals(const char *ssl_name, const char *host)
+{
+	const char *p;
+
+	if (strcmp(ssl_name, host) == 0)
+		return TRUE;
+
+	/* check for *.example.com wildcard */
+	if (ssl_name[0] != '*' || ssl_name[1] != '.')
+		return FALSE;
+	p = strchr(host, '.');
+	return p != NULL && strcmp(ssl_name+2, p+1) == 0;
+}
+
 int openssl_cert_match_name(SSL *ssl, const char *verify_name)
 {
 	X509 *cert;
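Review bot: The new openssl_hostname_equals() compares with strcmp on both the exact-match path and the wildcard path, so a certificate name that differs from verify_name only in letter case (`Mail.Example.COM` vs `mail.example.com`) is rejected even though DNS names and RFC 6125 matching are case-insensitive; strcasecmp is the usual fix. Second, the wildcard check only requires the name to start with `*.`, so a certificate for `*.com` (or `*.` followed by any single label) would match every host under that suffix; RFC 6125 §6.4.3 expects at least two labels after the wildcard, and an empty leftmost host label (`.example.com`) should not match either. I would also spell out in the comment that only a leftmost whole-label wildcard is supported, which is what the `ssl_name[1] != '.'` test enforces. strcasecmp needs `<strings.h>`; whether this file already includes it is not visible in the hunk.

```c
static bool openssl_hostname_equals(const char *ssl_name, const char *host)
{
	const char *p;

	/* DNS names are case-insensitive (RFC 6125 section 6.4.1) */
	if (strcasecmp(ssl_name, host) == 0)
		return TRUE;

	/* only a leftmost whole-label wildcard ("*.example.com") is supported,
	   and it must be followed by at least two labels so that "*.com"
	   can't match every host under a TLD (RFC 6125 section 6.4.3) */
	if (ssl_name[0] != '*' || ssl_name[1] != '.' ||
	    strchr(ssl_name + 2, '.') == NULL)
		return FALSE;
	p = strchr(host, '.');
	/* p != host rejects an empty leftmost label in the hostname */
	return p != NULL && p != host && strcasecmp(ssl_name + 2, p + 1) == 0;
}
```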
@@ -118,7 +132,7 @@
 		if (gn->type == GEN_DNS) {
 			dns_names = TRUE;
 			dnsname = get_general_dns_name(gn);
-			if (strcmp(dnsname, verify_name) == 0)
+			if (openssl_hostname_equals(dnsname, verify_name))
 				break;
 		}
 	}
@@ -128,8 +142,10 @@
 	   SubjectAltNames */
 	if (dns_names)
 		ret = i < count ? 0 : -1;
+	else if (openssl_hostname_equals(get_cname(cert), verify_name))
+		ret = 0;
 	else
-		ret = strcmp(get_cname(cert), verify_name) == 0 ? 0 : -1;
+		ret = -1;
 	X509_free(cert);
 	return ret;
 }
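Review bot: The CN fallback on the new `else if` line passes get_cname(cert) straight into openssl_hostname_equals(), which calls strcmp on it; if get_cname() can return NULL for a certificate with no commonName (its definition is outside this hunk, so I can't confirm either way), that is a NULL dereference on a peer-supplied certificate, which the old strcmp line had as well but this commit is the natural place to close it. A local `const char *cn = get_cname(cert);` followed by `else if (cn != NULL && openssl_hostname_equals(cn, verify_name))` would make the fallback safe regardless. It would also help to note in the comment above that the CN is only consulted when the certificate carries no dNSName SANs, which is what the `dns_names` test implements.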

