Ticket #65297: patch-alpine-validate-cert.diff

imap/src/osdep/unix/ssl_unix.c

@@ -554 +554 @@
                                 /* Method 2, use cname */
   if(m == 0 || ret != NIL){
      cname = X509_get_subject_name(cert);
-     for(j = 0, ret = NIL; j < X509_NAME_entry_count(cname) && ret == NIL; j++){
+     for (j = 0, ret = NIL; j < X509_NAME_entry_count(cname); j++) {
         if((e = X509_NAME_get_entry(cname, j)) != NULL){
            X509_NAME_get_text_by_OBJ(cname, X509_NAME_ENTRY_get_object(e), buf, sizeof(buf));
            s = (char *) buf;
@@ -564 +564 @@
                                 /* host name matches pattern? */
            ret = ssl_compare_hostnames (host,s) ? NIL :
                  "Server name does not match certificate";
-           ext = NIL;
+           if (ret == NIL) break;
+        }
+     }
+     ext = NIL;
                                 /* if mismatch, see if in extensions */
-           if (ret && (ext = X509_get_ext_d2i (cert,NID_subject_alt_name,NIL,NIL)) &&
-                (n = sk_GENERAL_NAME_num (ext)))
+     if (ret && (ext = X509_get_ext_d2i (cert,NID_subject_alt_name,NIL,NIL)) &&
+         (n = sk_GENERAL_NAME_num (ext)))
                    /* older versions of OpenSSL use "ia5" instead of dNSName */
-              for (i = 0; ret && (i < n); i++)
-                  if ((name = sk_GENERAL_NAME_value (ext,i)) &&
-                     (name->type = GEN_DNS) && (s = name->d.ia5->data) &&
-                     ssl_compare_hostnames (host,s)) ret = NIL;
-          if(ext) GENERAL_NAMES_free(ext);
-        }
-     }
+       for (i = 0; ret && (i < n); i++)
+         if ((name = sk_GENERAL_NAME_value (ext,i)) &&
+             (name->type = GEN_DNS) && (s = name->d.ia5->data) &&
+             ssl_compare_hostnames (host,s)) ret = NIL;
+     if (ext) GENERAL_NAMES_free(ext);
   }
 
   if (ret == NIL