author | Theo Buehler <tb@cvs.openbsd.org> | 2023-06-01 07:29:16 +0000 |
---|---|---|
committer | Theo Buehler <tb@cvs.openbsd.org> | 2023-06-01 07:29:16 +0000 |
commit | d0b267bd8fed2f7392beb4d3ae149ffca6bcce0d (patch) | |
tree | 8c0ee8226c8d78007ec2b5fb7448c4f7e9fc9622 | |
parent | fe53b4510729330140061baddbb3a582d21b2215 (diff) |
Check for X509_get_ext_d2i() failure
X509_get_ext_d2i() (or rather X509V3_get_d2i()) can return NULL for
various reasons. If it fails because the extension wasn't found, it
sets *crit = -1. In any other case, e.g., the cert is bad or we ran
out of memory in X509V3_EXT_d2i(), crit is set to something else, so
we should actually error.
ok jsing
-rw-r--r-- | lib/libtls/tls_verify.c | 14 |
1 files changed, 10 insertions, 4 deletions
diff --git a/lib/libtls/tls_verify.c b/lib/libtls/tls_verify.c
index a0c39b9dd4f..c3127fa4fe0 100644
--- a/lib/libtls/tls_verify.c
+++ b/lib/libtls/tls_verify.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_verify.c,v 1.26 2023/05/29 14:12:36 beck Exp $ */
+/* $OpenBSD: tls_verify.c,v 1.27 2023/06/01 07:29:15 tb Exp $ */
 /*
  * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org>
  *
@@ -92,15 +92,21 @@ tls_check_subject_altname(struct tls *ctx, X509 *cert, const char *name,
  union tls_addr addrbuf;
  int addrlen, type;
  int count, i;
+ int critical = 0;
  int rv = 0;
 
  *alt_match = 0;
  *alt_exists = 0;
 
- altname_stack = X509_get_ext_d2i(cert, NID_subject_alt_name,
- NULL, NULL);
- if (altname_stack == NULL)
+ altname_stack = X509_get_ext_d2i(cert, NID_subject_alt_name, &critical,
+ NULL);
+ if (altname_stack == NULL) {
+ if (critical != -1) {
+ tls_set_errorx(ctx, "error decoding subjectAltName");
+ return -1;
+ }
  return 0;
+ }
 
  if (inet_pton(AF_INET, name, &addrbuf) == 1) {
  type = GEN_IPADD; |
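Review bot: The new `critical != -1` test in the second hunk relies on a contract of X509_get_ext_d2i() that the code itself never states (-1 only when the extension is absent; any other value when it was present but could not be decoded), so the next reader has to rediscover it from X509V3_get_d2i(). I would put a comment above the inner if: `/* critical == -1: no subjectAltName at all; anything else: present but undecodable, so fail closed. */`. The security-relevant part of the change is that a malformed extension no longer takes the same `return 0` path as a missing one, which presumably kept the caller from treating the certificate as if it had no SAN — worth saying in that comment as well. tls_check_subject_altname() begins before the hunk and continues after it, so whether its callers already treat -1 as fatal cannot be confirmed from this page.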