From: Aki Tuomi
Date: Tue, 27 Mar 2018 07:29:49 +0000 (+0300)
Subject: lib-ssl-iostream: Fix missing altName handling in openssl_cert_match_name
X-Git-Tag: 2.3.2.rc1~90
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=9422fd782809a3344b8d51cadb106851153c44f8;p=thirdparty%2Fdovecot%2Fcore.git

lib-ssl-iostream: Fix missing altName handling in openssl_cert_match_name
If name is not found in subjectAltNames, report it as error.
Fixes Panic: file iostream-openssl-common.c: line 177 (openssl_cert_match_name): assertion failed: (*reason_r != NULL)
---
diff --git a/src/lib-ssl-iostream/iostream-openssl-common.c b/src/lib-ssl-iostream/iostream-openssl-common.c
index d23159b753..d79c986ed8 100644
--- a/src/lib-ssl-iostream/iostream-openssl-common.c
+++ b/src/lib-ssl-iostream/iostream-openssl-common.c
@@ -174,8 +174,15 @@ bool openssl_cert_match_name(SSL *ssl, const char *verify_name,
 /* verify against CommonName only when there wasn't any DNS SubjectAltNames */
 if (dns_names) {
- i_assert(*reason_r != NULL);
- ret = i < count;
+ i_assert(*reason_r != NULL || i == count);
+ if (i == count) {
+ *reason_r = t_strdup_printf(
+ "No match to %u SubjectAltNames",
+ count);
+ ret = FALSE;
+ } else {
+ ret = TRUE;
+ }
 } else {
 const char *cname = get_cname(cert);