summaryrefslogtreecommitdiff
path: root/lib/libtls/tls_verify.c
diff options
context:
space:
mode:
authorTheo Buehler <tb@cvs.openbsd.org>2023-06-01 07:29:16 +0000
committerTheo Buehler <tb@cvs.openbsd.org>2023-06-01 07:29:16 +0000
commitd0b267bd8fed2f7392beb4d3ae149ffca6bcce0d (patch)
tree8c0ee8226c8d78007ec2b5fb7448c4f7e9fc9622 /lib/libtls/tls_verify.c
parentfe53b4510729330140061baddbb3a582d21b2215 (diff)
Check for X509_get_ext_d2i() failure
X509_get_ext_d2i() (or rather X509V3_get_d2i()) can return NULL for various reasons. If it fails because the extension wasn't found, it sets *crit = -1. In any other case, e.g., the cert is bad or we ran out of memory in X509V3_EXT_d2i(), crit is set to something else, so we should actually error. ok jsing
Diffstat (limited to 'lib/libtls/tls_verify.c')
-rw-r--r--lib/libtls/tls_verify.c14
1 files changed, 10 insertions, 4 deletions
diff --git a/lib/libtls/tls_verify.c b/lib/libtls/tls_verify.c
index a0c39b9dd4f..c3127fa4fe0 100644
--- a/lib/libtls/tls_verify.c
+++ b/lib/libtls/tls_verify.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_verify.c,v 1.26 2023/05/29 14:12:36 beck Exp $ */
+/* $OpenBSD: tls_verify.c,v 1.27 2023/06/01 07:29:15 tb Exp $ */
/*
* Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org>
*
@@ -92,15 +92,21 @@ tls_check_subject_altname(struct tls *ctx, X509 *cert, const char *name,
union tls_addr addrbuf;
int addrlen, type;
int count, i;
+ int critical = 0;
int rv = 0;
*alt_match = 0;
*alt_exists = 0;
- altname_stack = X509_get_ext_d2i(cert, NID_subject_alt_name,
- NULL, NULL);
- if (altname_stack == NULL)
+ altname_stack = X509_get_ext_d2i(cert, NID_subject_alt_name, &critical,
+ NULL);
+ if (altname_stack == NULL) {
+ if (critical != -1) {
+ tls_set_errorx(ctx, "error decoding subjectAltName");
+ return -1;
+ }
return 0;
+ }
if (inet_pton(AF_INET, name, &addrbuf) == 1) {
type = GEN_IPADD;