return _ssl_context[sock];
}
+/** A picky certificate name check:
+ * check if the pattern or string in s1 (from a certificate) matches the
+ * hostname (in s2), returns true if matched.
+ *
+ * The only place where a wildcard is allowed is in the leftmost
+ * position of p1. */
+static int name_match(const char *p1, const char *p2) {
+ if (p1[0] == '*') {
+ size_t l1, l2;
+
+ ++p1;
+ l1 = strlen(p1);
+ l2 = strlen(p2);
+ if (l2 > l1)
+ p2 += l2 - l1;
+ }
+
+ return (0 == strcasecmp(p1, p2));
+}
/* ok_return (preverify_ok) is 1 if this stage of certificate verification
passed, or 0 if it failed. This callback lets us display informative
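Review bot: The wildcard branch of name_match (the `if (p1[0] == '*')` block) anchors only on the suffix, so `*.example.com` also matches `a.b.example.com`, `*example.com` matches `evilexample.com`, and a bare `*` matches every hostname, even though the header comment restricts the wildcard to the leftmost position. Nothing checks that the `*` is followed by `.` or that the part of the hostname it stands for is exactly one non-empty label, which is what RFC 6125 section 6.4.3 expects from a single-label wildcard; the equal-length case additionally lets an empty label through (`.example.com` matches `*.example.com`). I would tighten the branch as below, and state in the header comment that the wildcard replaces exactly one label; whether to also refuse very short patterns such as `*.com` is a policy choice worth documenting there too.
```c
static int name_match(const char *p1, const char *p2) {
	if (p1[0] == '*') {
		size_t l1, l2;

		/* only "*.rest" is a wildcard, and it stands for exactly one
		 * non-empty label of the hostname */
		if (p1[1] != '.')
			return 0;
		++p1;
		l1 = strlen(p1);
		l2 = strlen(p2);
		if (l2 <= l1)
			return 0;
		if (memchr(p2, '.', l2 - l1) != NULL)
			return 0;
		p2 += l2 - l1;
	}
	/* … unchanged: case-insensitive comparison of the remainder … */
}
```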
if (_ssl_server_cname != NULL) {
char *p1 = buf;
char *p2 = _ssl_server_cname;
- int n;
int matched = 0;
STACK_OF(GENERAL_NAME) *gens;
-
+
/* RFC 2595 section 2.4: find a matching name
* first find a match among alternative names */
gens = (STACK_OF(GENERAL_NAME) *)X509_get_ext_d2i(x509_cert, NID_subject_alt_name, NULL, NULL);
sk_GENERAL_NAME_free(gens);
return 0;
}
- if (*p1 == '*') {
- ++p1;
- n = strlen(p2) - strlen(p1);
- if (n >= 0)
- p2 += n;
- }
- if (0 == strcasecmp(p1, p2)) {
- matched = 1;
+ if (name_match(p1, p2)) {
+ matched = 1;
}
}
}
sk_GENERAL_NAME_free(gens);
}
- if (*p1 == '*') {
- ++p1;
- n = strlen(p2) - strlen(p1);
- if (n >= 0)
- p2 += n;
- }
- if (0 == strcasecmp(p1, p2)) {
+ if (name_match(p1, p2)) {
matched = 1;
}
if (!matched) {