diff options
| author | Theo Buehler <tb@cvs.openbsd.org> | 2023-06-01 07:32:26 +0000 |
|---|---|---|
| committer | Theo Buehler <tb@cvs.openbsd.org> | 2023-06-01 07:32:26 +0000 |
| commit | 048f10b3f4ffeb5d376dce6bdac2a76ac2bd6616 (patch) | |
| tree | 74cc351e8d0b017c20dc1c6281e26cefd1eab6c5 /lib/libtls/tls_verify.c | |
| parent | d0b267bd8fed2f7392beb4d3ae149ffca6bcce0d (diff) | |
Rework tls_check_subject_altname() error handling
Default to having rv = -1 and explicitly goto done to set rv = 0.
This matches other code better.
ok jsing
Diffstat (limited to 'lib/libtls/tls_verify.c')
| -rw-r--r-- | lib/libtls/tls_verify.c | 25 |
1 files changed, 13 insertions, 12 deletions
diff --git a/lib/libtls/tls_verify.c b/lib/libtls/tls_verify.c index c3127fa4fe0..c588f027c56 100644 --- a/lib/libtls/tls_verify.c +++ b/lib/libtls/tls_verify.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls_verify.c,v 1.27 2023/06/01 07:29:15 tb Exp $ */ +/* $OpenBSD: tls_verify.c,v 1.28 2023/06/01 07:32:25 tb Exp $ */ /* * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org> * @@ -93,7 +93,7 @@ tls_check_subject_altname(struct tls *ctx, X509 *cert, const char *name, int addrlen, type; int count, i; int critical = 0; - int rv = 0; + int rv = -1; *alt_match = 0; *alt_exists = 0; @@ -103,9 +103,9 @@ tls_check_subject_altname(struct tls *ctx, X509 *cert, const char *name, if (altname_stack == NULL) { if (critical != -1) { tls_set_errorx(ctx, "error decoding subjectAltName"); - return -1; + goto err; } - return 0; + goto done; } if (inet_pton(AF_INET, name, &addrbuf) == 1) { @@ -146,8 +146,7 @@ tls_check_subject_altname(struct tls *ctx, X509 *cert, const char *name, "NUL byte in subjectAltName, " "probably a malicious certificate", name); - rv = -1; - break; + goto err; } /* @@ -160,13 +159,12 @@ tls_check_subject_altname(struct tls *ctx, X509 *cert, const char *name, "error verifying name '%s': " "a dNSName of \" \" must not be " "used", name); - rv = -1; - break; + goto err; } if (tls_match_name(data, name) == 0) { *alt_match = 1; - break; + goto done; } } else { #ifdef DEBUG @@ -187,8 +185,7 @@ tls_check_subject_altname(struct tls *ctx, X509 *cert, const char *name, tls_set_errorx(ctx, "Unexpected negative length for an " "IP address: %d", datalen); - rv = -1; - break; + goto err; } /* @@ -198,11 +195,15 @@ tls_check_subject_altname(struct tls *ctx, X509 *cert, const char *name, if (datalen == addrlen && memcmp(data, &addrbuf, addrlen) == 0) { *alt_match = 1; - break; + goto done; } } } + done: + rv = 0; + + err: sk_GENERAL_NAME_pop_free(altname_stack, GENERAL_NAME_free); return rv; } |