imap-send: support subjectAltName as well

diff --git a/imap-send.c b/imap-send.c
index 0b9c464ad9e9fa35b29f95ca48889e446777f837..171c887076b115f8f53707c2c5845c8f6d3e69bd 100644 (file)
--- a/imap-send.c
+++ b/imap-send.c
@@ -30,6 +30,7 @@ typedef void *SSL;
 #else
 #include <openssl/evp.h>
 #include <openssl/hmac.h>
+#include <openssl/x509v3.h>
 #endif
 
 struct store_conf {
@@ -292,6 +293,24 @@ static int verify_hostname(X509 *cert, const char *hostname)
        int len;
        X509_NAME *subj;
        char cname[1000];
+       int i, found;
+       STACK_OF(GENERAL_NAME) *subj_alt_names;
+
+       /* try the DNS subjectAltNames */
+       found = 0;
+       if ((subj_alt_names = X509_get_ext_d2i(cert, NID_subject_alt_name, NULL, NULL))) {
+               int num_subj_alt_names = sk_GENERAL_NAME_num(subj_alt_names);
+               for (i = 0; !found && i < num_subj_alt_names; i++) {
+                       GENERAL_NAME *subj_alt_name = sk_GENERAL_NAME_value(subj_alt_names, i);
+                       if (subj_alt_name->type == GEN_DNS &&
+                           strlen((const char *)subj_alt_name->d.ia5->data) == (size_t)subj_alt_name->d.ia5->length &&
+                           host_matches(hostname, (const char *)(subj_alt_name->d.ia5->data)))
+                               found = 1;
+               }
+               sk_GENERAL_NAME_pop_free(subj_alt_names, GENERAL_NAME_free);
+       }
+       if (found)
+               return 0;
 
        /* try the common name */
        if (!(subj = X509_get_subject_name(cert)))