Support optional server certificate name checking. Bug 1479

[exim.git] / src / src / tlscert-gnu.c

diff --git a/src/src/tlscert-gnu.c b/src/src/tlscert-gnu.c
index 085e0568922602a2c5f5e6360e5a7cd3b63ca262..73763730257f989e3a03c926f8c7ddbf7b21738f 100644 (file)
--- a/src/src/tlscert-gnu.c
+++ b/src/src/tlscert-gnu.c
@@ -84,11 +84,18 @@ return NULL;
 
 
 static uschar *
-time_copy(time_t t)
+time_copy(time_t t, uschar * mod)
 {
-uschar * cp = store_get(32);
-struct tm * tp = gmtime(&t);
-size_t len = strftime(CS cp, 32, "%b %e %T %Y %Z", tp);
+uschar * cp;
+struct tm * tp;
+size_t len;
+
+if (mod && Ustrcmp(mod, "int") == 0)
+  return string_sprintf("%u", (unsigned)t);
+
+cp = store_get(32);
+tp = gmtime(&t);
+len = strftime(CS cp, 32, "%b %e %T %Y %Z", tp);
 return len > 0 ? cp : NULL;
 }
 
@@ -116,14 +123,16 @@ uschar *
 tls_cert_not_after(void * cert, uschar * mod)
 {
 return time_copy(
-  gnutls_x509_crt_get_expiration_time((gnutls_x509_crt_t)cert));
+  gnutls_x509_crt_get_expiration_time((gnutls_x509_crt_t)cert),
+  mod);
 }
 
 uschar *
 tls_cert_not_before(void * cert, uschar * mod)
 {
 return time_copy(
-  gnutls_x509_crt_get_activation_time((gnutls_x509_crt_t)cert));
+  gnutls_x509_crt_get_activation_time((gnutls_x509_crt_t)cert),
+  mod);
 }
 
 uschar *
@@ -259,7 +268,7 @@ for(index = 0;; index++)
   {
   siz = 0;
   switch(ret = gnutls_x509_crt_get_subject_alt_name(
-    (gnutls_x509_crt_t)cert, index, NULL, &siz, NULL))
+      (gnutls_x509_crt_t)cert, index, NULL, &siz, NULL))
     {
     case GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE:
       return list;     /* no more elements; normal exit */
@@ -277,7 +286,8 @@ for(index = 0;; index++)
     return g_err("gs1", __FUNCTION__, ret);
   ele[siz] = '\0';
 
-  if (match != -1 && match != ret)
+  if (  match != -1 && match != ret    /* wrong type of SAN */
+     || Ustrlen(ele) != siz)           /* contains a NUL */
     continue;
   switch (ret)
     {