Lines 492-498
|
492 |
check_acceptable_security (smtp_session_t session, SSL *ssl) |
492 |
check_acceptable_security (smtp_session_t session, SSL *ssl) |
493 |
{ |
493 |
{ |
494 |
X509 *cert; |
494 |
X509 *cert; |
495 |
char buf[256]; |
|
|
496 |
int bits; |
495 |
int bits; |
497 |
long vfy_result; |
496 |
long vfy_result; |
498 |
int ok; |
497 |
int ok; |
Lines 541-608
|
541 |
} |
540 |
} |
542 |
else |
541 |
else |
543 |
{ |
542 |
{ |
544 |
int i, j, extcount; |
543 |
STACK *gens; |
545 |
|
544 |
GENERAL_NAME *gen; |
546 |
extcount = X509_get_ext_count (cert); |
545 |
X509_NAME *subj; |
547 |
for (i = 0; i < extcount; i++) |
546 |
char data[256]; |
548 |
{ |
547 |
int i; |
549 |
const char *extstr; |
548 |
gens = X509_get_ext_d2i(cert, NID_subject_alt_name, NULL, NULL); |
550 |
X509_EXTENSION *ext = X509_get_ext (cert, i); |
549 |
if (gens != NULL) { |
551 |
|
550 |
for (i = 0; i < sk_GENERAL_NAME_num(gens); i++) { |
552 |
extstr = OBJ_nid2sn (OBJ_obj2nid (X509_EXTENSION_get_object (ext))); |
551 |
gen = sk_GENERAL_NAME_value(gens, i); |
553 |
if (strcmp (extstr, "subjectAltName") == 0) |
552 |
if (gen->type == GEN_DNS) { |
554 |
{ |
553 |
|
555 |
unsigned char *data; |
554 |
if (!strcasecmp((char *)gen->d.ia5->data, session->host)) |
556 |
STACK_OF(CONF_VALUE) *val; |
555 |
goto found; |
557 |
CONF_VALUE *nval; |
556 |
} |
558 |
X509V3_EXT_METHOD *meth; |
|
|
559 |
void *ext_str = NULL; |
560 |
int stack_len; |
561 |
|
562 |
meth = X509V3_EXT_get (ext); |
563 |
if (meth == NULL) |
564 |
break; |
565 |
data = ext->value->data; |
566 |
#if (OPENSSL_VERSION_NUMBER > 0x00907000L) |
567 |
if (meth->it) |
568 |
ext_str = ASN1_item_d2i (NULL, &data, ext->value->length, |
569 |
ASN1_ITEM_ptr (meth->it)); |
570 |
else |
571 |
#endif |
572 |
ext_str = meth->d2i (NULL, &data, ext->value->length); |
573 |
val = meth->i2v (meth, ext_str, NULL); |
574 |
stack_len = sk_CONF_VALUE_num (val); |
575 |
for (j = 0; j < stack_len; j++) |
576 |
{ |
577 |
nval = sk_CONF_VALUE_value (val, j); |
578 |
if (strcmp (nval->name, "DNS") == 0 |
579 |
&& match_domain (session->host, nval->value)) |
580 |
{ |
581 |
ok = 1; |
582 |
break; |
583 |
} |
584 |
} |
557 |
} |
585 |
} |
|
|
586 |
if (ok) |
587 |
break; |
588 |
} |
558 |
} |
589 |
if (!ok) |
559 |
if ((subj = X509_get_subject_name(cert)) != NULL && |
590 |
{ |
560 |
X509_NAME_get_text_by_NID(subj, NID_commonName, |
591 |
/* Matching by subjectAltName failed, try commonName */ |
561 |
data, sizeof data) > 0) { |
592 |
X509_NAME_get_text_by_NID (X509_get_subject_name (cert), |
562 |
data[sizeof data - 1] = 0; |
593 |
NID_commonName, buf, sizeof buf); |
563 |
if (strcasecmp(data, session->host) == 0) |
594 |
if (!match_domain (session->host, buf) != 0) |
564 |
goto found; |
595 |
{ |
|
|
596 |
if (session->event_cb != NULL) |
597 |
(*session->event_cb) (session, SMTP_EV_WRONG_PEER_CERTIFICATE, |
598 |
session->event_cb_arg, &ok, buf, ssl); |
599 |
} |
600 |
else |
601 |
ok = 1; |
602 |
} |
565 |
} |
603 |
X509_free (cert); |
566 |
X509_free(cert); |
|
|
567 |
return 0; |
604 |
} |
568 |
} |
605 |
return ok; |
569 |
|
|
|
570 |
return 0; |
571 |
found: |
572 |
if (cert) |
573 |
X509_free(cert); |
574 |
return 1; |
606 |
} |
575 |
} |
607 |
|
576 |
|
608 |
void |
577 |
void |
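Review bot: The subjectAltName loop on the new side (new lines 550-556) treats `gen->d.ia5->data` as a NUL-terminated string, but an IA5String is length-delimited, so a DNS name carrying an embedded NUL compares equal to `session->host` up to that NUL and the check passes for a name the certificate does not actually bind; compare `gen->d.ia5->length` against `strlen()` before the `strcasecmp`, and apply the same length-versus-`strlen` check to the commonName returned by `X509_NAME_get_text_by_NID`. The stack returned by `X509_get_ext_d2i` is also never released, on neither the fall-through nor the `goto found` path, so every verified connection leaks it; free it with `sk_GENERAL_NAME_pop_free(gens, GENERAL_NAME_free)` once the loop is done, which means the loop should record a match in a flag rather than jumping out of it. Separately, the rewrite drops the `SMTP_EV_WRONG_PEER_CERTIFICATE` event that the old code raised on a mismatch, so an application using `session->event_cb` is no longer told about, and can no longer override, a name mismatch; if that is intended it deserves a comment at the `return 0` on new line 567. check_acceptable_security begins before this hunk (its body between the two hunks is not shown).
```c
      gens = X509_get_ext_d2i(cert, NID_subject_alt_name, NULL, NULL);
      if (gens != NULL) {
        int matched = 0;
        for (i = 0; i < sk_GENERAL_NAME_num(gens) && !matched; i++) {
          gen = sk_GENERAL_NAME_value(gens, i);
          /* reject names whose encoded length disagrees with strlen():
             an embedded NUL would otherwise truncate the comparison */
          if (gen->type == GEN_DNS
              && gen->d.ia5->length == (int) strlen((char *) gen->d.ia5->data)
              && strcasecmp((char *) gen->d.ia5->data, session->host) == 0)
            matched = 1;
        }
        sk_GENERAL_NAME_pop_free(gens, GENERAL_NAME_free);
        if (matched)
          goto found;
      }
      /* … unchanged: commonName fallback, X509_free, found: label … */
```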