lib-ssl-iostream: Fix missing altName handling in openssl_cert_match_name
authorAki Tuomi <aki.tuomi@dovecot.fi>
Tue, 27 Mar 2018 07:29:49 +0000 (10:29 +0300)
committerVille Savolainen <ville.savolainen@dovecot.fi>
Mon, 28 May 2018 06:33:04 +0000 (09:33 +0300)
If the name is not found in any of the certificate's DNS subjectAltNames, report that as a verification error (with a reason string) instead of tripping the assertion.

Fixes Panic: file iostream-openssl-common.c: line 177 (openssl_cert_match_name): assertion failed: (*reason_r != NULL)

src/lib-ssl-iostream/iostream-openssl-common.c

index d23159b753d18062c9f8fbac0f6848beb256157c..d79c986ed87ea3e1ef5ab2dfaf64e57e72147170 100644 (file)
@@ -174,8 +174,15 @@ bool openssl_cert_match_name(SSL *ssl, const char *verify_name,
        /* verify against CommonName only when there wasn't any DNS
           SubjectAltNames */
        if (dns_names) {
-               i_assert(*reason_r != NULL);
-               ret = i < count;
+               i_assert(*reason_r != NULL || i == count);
+               if (i == count) {
+                       *reason_r = t_strdup_printf(
+                               "No match to %u SubjectAltNames",
+                               count);
+                       ret = FALSE;
+               } else {
+                       ret = TRUE;
+               }
        } else {
                const char *cname = get_cname(cert);