
(-)smtp-tls.c.O (-59 / +28 lines)
Lines 492-498 Link Here
492
check_acceptable_security (smtp_session_t session, SSL *ssl)
492
check_acceptable_security (smtp_session_t session, SSL *ssl)
493
{
493
{
494
  X509 *cert;
494
  X509 *cert;
495
  char buf[256];
496
  int bits;
495
  int bits;
497
  long vfy_result;
496
  long vfy_result;
498
  int ok;
497
  int ok;
Lines 541-608 Link Here
541
    }
540
    }
542
  else
541
  else
543
    {
542
    {
544
      int i, j, extcount;
543
	    STACK	*gens;
545
544
	    GENERAL_NAME	*gen;
546
      extcount = X509_get_ext_count (cert);
545
	    X509_NAME *subj;
547
      for (i = 0; i < extcount; i++)
546
	    char data[256];
548
	{
547
	    int i;
549
	  const char *extstr;
548
	gens = X509_get_ext_d2i(cert, NID_subject_alt_name, NULL, NULL);
550
	  X509_EXTENSION *ext = X509_get_ext (cert, i);
549
	if (gens != NULL) {
551
550
		for (i = 0; i < sk_GENERAL_NAME_num(gens); i++) {
552
	  extstr = OBJ_nid2sn (OBJ_obj2nid (X509_EXTENSION_get_object (ext)));
551
			gen = sk_GENERAL_NAME_value(gens, i);
553
	  if (strcmp (extstr, "subjectAltName") == 0)
552
			if (gen->type == GEN_DNS) {
554
	    {
553
555
	      unsigned char *data;
554
				if (!strcasecmp((char *)gen->d.ia5->data, session->host))
556
	      STACK_OF(CONF_VALUE) *val;
555
					goto found;
557
	      CONF_VALUE *nval;
556
			}
558
	      X509V3_EXT_METHOD *meth;
559
	      void *ext_str = NULL;
560
	      int stack_len;
561
562
	      meth = X509V3_EXT_get (ext);
563
	      if (meth == NULL)
564
		break;
565
	      data = ext->value->data;
566
#if (OPENSSL_VERSION_NUMBER > 0x00907000L)
567
	      if (meth->it)
568
		ext_str = ASN1_item_d2i (NULL, &data, ext->value->length,
569
		                         ASN1_ITEM_ptr (meth->it));
570
	      else
571
#endif
572
	      ext_str = meth->d2i (NULL, &data, ext->value->length);
573
	      val = meth->i2v (meth, ext_str, NULL);
574
	      stack_len = sk_CONF_VALUE_num (val);
575
	      for (j = 0; j < stack_len; j++)
576
		{
577
		  nval = sk_CONF_VALUE_value (val, j);
578
		  if (strcmp (nval->name, "DNS") == 0
579
		      && match_domain (session->host, nval->value))
580
		    {
581
		      ok = 1;
582
		      break;
583
		    }
584
		}
557
		}
585
	    }
586
	  if (ok)
587
	    break;
588
	}
558
	}
589
      if (!ok)
559
	if ((subj = X509_get_subject_name(cert)) != NULL &&
590
	{
560
			X509_NAME_get_text_by_NID(subj, NID_commonName,
591
	  /* Matching by subjectAltName failed, try commonName */
561
				data, sizeof data) > 0) {
592
	  X509_NAME_get_text_by_NID (X509_get_subject_name (cert),
562
		data[sizeof data - 1] = 0;
593
				     NID_commonName, buf, sizeof buf);
563
		if (strcasecmp(data, session->host) == 0)
594
	  if (!match_domain (session->host, buf) != 0)
564
			goto found;
595
	    {
596
	      if (session->event_cb != NULL)
597
		(*session->event_cb) (session, SMTP_EV_WRONG_PEER_CERTIFICATE,
598
				      session->event_cb_arg, &ok, buf, ssl);
599
	    }
600
	  else
601
	    ok = 1;
602
	}
565
	}
603
      X509_free (cert);
566
	X509_free(cert);
567
	return 0;
604
    }
568
    }
605
  return ok;
569
570
  return 0;
571
found:
572
if (cert)
573
	X509_free(cert);
574
return 1;
606
}
575
}
607
576
608
void
577
void
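Review bot: The dNSName comparison at new line 554, `strcasecmp((char *)gen->d.ia5->data, session->host)`, treats the ASN.1 string as a C string and ignores its recorded length, so a certificate name with an embedded NUL byte would match on its prefix alone. The same applies to the commonName copied by `X509_NAME_get_text_by_NID` at new lines 559-563. Both need a length guard, e.g. `if (ASN1_STRING_length(gen->d.ia5) == (int)strlen(session->host) && !strcasecmp(...))`, and the return value of `X509_NAME_get_text_by_NID` should be kept and compared with `strlen(data)`. `gens` is also never released on any path; call `sk_GENERAL_NAME_pop_free(gens, GENERAL_NAME_free)` after the loop and before `goto found`. The new code also drops the `match_domain` comparison and the `SMTP_EV_WRONG_PEER_CERTIFICATE` callback, which looks like a behaviour change for callers; the function body between old lines 498 and 541 is outside the hunks shown.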
