From: Amos Jeffries Date: Wed, 3 Feb 2010 12:36:21 +0000 (+1300) Subject: Author: James Brotchie X-Git-Tag: SQUID_3_2_0_1~434 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8cd03ece9bbe834cfa2919f8fb1c9cf91affba6c;p=thirdparty%2Fsquid.git Author: James Brotchie Port of X509 certificate alias-domain handling from 2.7. --- diff --git a/configure.in b/configure.in index ac41b98937..83b6ebfce3 100644 --- a/configure.in +++ b/configure.in @@ -2537,6 +2537,7 @@ AC_CHECK_HEADERS( \ openssl/err.h \ openssl/md5.h \ openssl/ssl.h \ + openssl/x509v3.h \ netinet/tcp.h \ openssl/engine.h \ ostream \ diff --git a/src/ssl_support.cc b/src/ssl_support.cc index fa76d97e7f..d7300683bf 100644 --- a/src/ssl_support.cc +++ b/src/ssl_support.cc @@ -157,6 +157,31 @@ ssl_verify_cb(int ok, X509_STORE_CTX * ctx) int i; int found = 0; char cn[1024]; + + STACK_OF(GENERAL_NAME) * altnames; + altnames = (STACK*)X509_get_ext_d2i(peer_cert, NID_subject_alt_name, NULL, NULL); + if (altnames) { + int numalts = sk_GENERAL_NAME_num(altnames); + debugs(83, 3, "Verifying server domain " << server << " to certificate subjectAltName"); + for (i = 0; i < numalts; i++) { + const GENERAL_NAME *check = sk_GENERAL_NAME_value(altnames, i); + if (check->type != GEN_DNS) { + continue; + } + ASN1_STRING *data = check->d.dNSName; + if (data->length > (int)sizeof(cn) - 1) { + continue; + } + memcpy(cn, data->data, data->length); + cn[data->length] = '\0'; + debugs(83, 4, "Verifying server domain " << server << " to certificate name " << cn); + if (matchDomainName(server, cn[0] == '*' ? cn + 1 : cn) == 0) { + found = 1; + break; + } + } + } + X509_NAME *name = X509_get_subject_name(peer_cert); debugs(83, 3, "Verifying server domain " << server << " to certificate dn " << buffer); diff --git a/src/ssl_support.h b/src/ssl_support.h index 000fcda1e0..58b43217ca 100644 --- a/src/ssl_support.h +++ b/src/ssl_support.h 
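Review bot: The dNSName bytes copied into `cn` are later handled as a C string, so a subjectAltName entry containing an embedded NUL byte is compared only up to that byte and can be accepted for `server` even though the certificate names a different host. Skip such entries before the `memcpy`, for example `if (data->length <= 0 || memchr(data->data, '\0', data->length) != NULL) continue;`. The stack returned by `X509_get_ext_d2i` is also never released inside the `if (altnames)` block, which leaks on every verified certificate; `sk_GENERAL_NAME_pop_free(altnames, GENERAL_NAME_free);` after the loop would release it. The wildcard branch passes `cn + 1` to `matchDomainName`, which is not visible here, so it is worth confirming that a leading `*` cannot match more than one label or a bare suffix such as `*.com`. ssl_verify_cb's body continues outside the hunk, so whether the commonName loop should still run when a subjectAltName is present cannot be judged from here.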
@@ -39,6 +39,9 @@
 #if HAVE_OPENSSL_SSL_H
 #include
 #endif
+#if HAVE_OPENSSL_X509V3_H
+#include
+#endif
 #if HAVE_OPENSSL_ERR_H
 #include
 #endif