From cea45a45078374c6ea43407908cf77cdb9c1a2ac Mon Sep 17 00:00:00 2001
From: Aki Tuomi
Date: Tue, 27 Mar 2018 10:29:49 +0300
Subject: [PATCH] lib-ssl-iostream: Fix missing altName handling in openssl_cert_match_name

If name is not found in subjectAltNames, report it as error.

Fixes Panic: file iostream-openssl-common.c: line 177 (openssl_cert_match_name): assertion failed: (*reason_r != NULL)
---
 src/lib-ssl-iostream/iostream-openssl-common.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/src/lib-ssl-iostream/iostream-openssl-common.c b/src/lib-ssl-iostream/iostream-openssl-common.c
index d23159b753..d79c986ed8 100644
--- a/src/lib-ssl-iostream/iostream-openssl-common.c
+++ b/src/lib-ssl-iostream/iostream-openssl-common.c
@@ -174,8 +174,15 @@ bool openssl_cert_match_name(SSL *ssl, const char *verify_name,
 /* verify against CommonName only when there wasn't any DNS SubjectAltNames */
 if (dns_names) {
- i_assert(*reason_r != NULL);
- ret = i < count;
+ i_assert(*reason_r != NULL || i == count);
+ if (i == count) {
+ *reason_r = t_strdup_printf(
+ "No match to %u SubjectAltNames",
+ count);
+ ret = FALSE;
+ } else {
+ ret = TRUE;
+ }
 } else {
 const char *cname = get_cname(cert);