From 767ce4b7803e04003e3ac12767863bfaba6221d1 Mon Sep 17 00:00:00 2001
From: Matthias Andree
Date: Sat, 29 Oct 2005 14:02:22 +0000
Subject: Add support for SubjectAltName (RFC-2595 or 2818). Patch by Roland Stigge, Debian Bug#201113.

svn path=/trunk/; revision=4368
---
 NEWS | 2 ++
 socket.c | 34 ++++++++++++++++++++++++++++++++--
 2 files changed, 34 insertions(+), 2 deletions(-)

diff --git a/NEWS b/NEWS
index e0c94f81..a794a196 100644
--- a/NEWS
+++ b/NEWS
@@ -238,6 +238,8 @@ fetchmail 6.3.0 (not yet released officially):
   by Sunil Shetye. (MA)
 * fetchmailconf -h documents the fetchmailconf -h option. Matthias Andree
 * fetchmailconf -V now prints the fetchmailconf version. Matthias Andree
+* Add support for SubjectAltName (RFC-2595 or 2818), to avoid bogus certificate
+  mismatch errors. Patch by Roland Stigge, Debian Bug#201113. (MA)
 
 # INTERNAL CHANGES
 * Switched to automake. Matthias Andree.
diff --git a/socket.c b/socket.c
index 2383e965..6fade9dd 100644
--- a/socket.c
+++ b/socket.c
@@ -342,7 +342,7 @@ va_dcl {
 #include 
 #include 
 #include 
-#include 
+#include 
 #include 
 
 static SSL_CTX *_ctx = NULL;
@@ -648,14 +648,44 @@ static int SSL_verify_callback( int ok_return, X509_STORE_CTX *ctx, int strict )
 			char *p1 = buf;
 			char *p2 = _ssl_server_cname;
 			int n;
+			int matched = 0;
+			STACK_OF(GENERAL_NAME) *gens;
 
+			/* RFC 2595 section 2.4: find a matching name
+			 * first find a match among alternative names */
+			gens = X509_get_ext_d2i(x509_cert, NID_subject_alt_name, NULL, NULL);
+			if (gens) {
+				int i, r;
+				for (i = 0, r = sk_GENERAL_NAME_num(gens); i < r; ++i) {
+					const GENERAL_NAME *gn = sk_GENERAL_NAME_value(gens, i);
+					if (gn->type == GEN_DNS) {
+						char *p1 = gn->d.ia5->data;
+						char *p2 = _ssl_server_cname;
+						if (outlevel == O_VERBOSE)
+							report(stderr, "Subject Alternative Name: %s\n", p1);
+						if (*p1 == '*') {
+							++p1;
+							n = strlen(p2) - strlen(p1);
+							if (n >= 0)
+								p2 += n;
+						}
+						if (0 == strcasecmp(p1, p2)) {
+							matched = 1;
+						}
+					}
+				}
+				sk_GENERAL_NAME_free(gens);
+			}
 			if (*p1 == '*') {
 				++p1;
 				n = strlen(p2) - strlen(p1);
 				if (n >= 0)
 					p2 += n;
 			}
-			if (0 != strcasecmp(p1, p2)) {
+			if (0 == strcasecmp(p1, p2)) {
+				matched = 1;
+			}
+			if (!matched) {
 				report(stderr,
 					GT_("Server CommonName mismatch: %s != %s\n"),
 					buf, _ssl_server_cname );
-- 
cgit v1.2.3
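Review bot: The new GEN_DNS branch treats `gn->d.ia5->data` as a NUL-terminated C string (`strlen`, `strcasecmp`, `%s` in the report call) but never consults `gn->d.ia5->length`, so a dNSName whose ASN.1 length disagrees with its C-string length is displayed and compared only on the prefix before the first NUL; right after the `gn->type == GEN_DNS` test add `if (gn->d.ia5->length < 0 || (size_t)gn->d.ia5->length != strlen((const char *)gn->d.ia5->data)) continue;` so such entries are skipped instead of accepted (the cast also fixes the `unsigned char *` to `char *` assignment the compiler will warn about). The wildcard handling copied into this block from the CommonName path below matches any suffix, so a name of `*` or `*.com` satisfies every host and `*.example.com` also accepts `a.b.example.com`; RFC 2818 restricts the wildcard to the leftmost label, so additionally require `p1[1] == '.'` and that the `n` bytes skipped in `p2` contain no `'.'` (`memchr(p2, '.', n) == NULL`) before advancing `p2`, and apply the same rule to the pre-existing CN comparison. The inner `char *p1` and `char *p2` shadow the outer variables of the same name and the loop reuses the outer `n`, which -Wshadow flags and which obscures that the CN comparison afterwards still runs on the outer pointers; distinct names, or a small `static` helper called from both the SAN loop and the CN check, would remove the duplication. SSL_verify_callback begins before this hunk and its body continues after it.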