authorTheo Buehler <tb@cvs.openbsd.org>2023-06-01 07:32:26 +0000
committerTheo Buehler <tb@cvs.openbsd.org>2023-06-01 07:32:26 +0000
commit048f10b3f4ffeb5d376dce6bdac2a76ac2bd6616 (patch)
tree74cc351e8d0b017c20dc1c6281e26cefd1eab6c5 /lib
parentd0b267bd8fed2f7392beb4d3ae149ffca6bcce0d (diff)
Rework tls_check_subject_altname() error handling
Default to having rv = -1 and explicitly goto done to set rv = 0. This matches other code better. ok jsing
Diffstat (limited to 'lib')
-rw-r--r--lib/libtls/tls_verify.c25
1 files changed, 13 insertions, 12 deletions
diff --git a/lib/libtls/tls_verify.c b/lib/libtls/tls_verify.c
index c3127fa4fe0..c588f027c56 100644
--- a/lib/libtls/tls_verify.c
+++ b/lib/libtls/tls_verify.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_verify.c,v 1.27 2023/06/01 07:29:15 tb Exp $ */
+/* $OpenBSD: tls_verify.c,v 1.28 2023/06/01 07:32:25 tb Exp $ */
/*
* Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org>
*
@@ -93,7 +93,7 @@ tls_check_subject_altname(struct tls *ctx, X509 *cert, const char *name,
int addrlen, type;
int count, i;
int critical = 0;
- int rv = 0;
+ int rv = -1;
*alt_match = 0;
*alt_exists = 0;
@@ -103,9 +103,9 @@ tls_check_subject_altname(struct tls *ctx, X509 *cert, const char *name,
if (altname_stack == NULL) {
if (critical != -1) {
tls_set_errorx(ctx, "error decoding subjectAltName");
- return -1;
+ goto err;
}
- return 0;
+ goto done;
}
if (inet_pton(AF_INET, name, &addrbuf) == 1) {
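Review bot: Both new jumps in this hunk (`goto err;` and `goto done;`) now leave tls_check_subject_altname() through the shared cleanup, so `sk_GENERAL_NAME_pop_free(altname_stack, GENERAL_NAME_free)` is reached with altname_stack still NULL, where the old code returned before touching it. That is only safe because, as far as I recall, LibreSSL's sk_pop_free returns early on a NULL stack, and the function does not state that dependency anywhere. A one-line comment at the `goto done;` line, `/* no subjectAltName extension; cleanup tolerates a NULL stack */`, would make the assumption visible to the next person who touches the cleanup path. The body of tls_check_subject_altname continues outside this hunk.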
@@ -146,8 +146,7 @@ tls_check_subject_altname(struct tls *ctx, X509 *cert, const char *name,
"NUL byte in subjectAltName, "
"probably a malicious certificate",
name);
- rv = -1;
- break;
+ goto err;
}
/*
@@ -160,13 +159,12 @@ tls_check_subject_altname(struct tls *ctx, X509 *cert, const char *name,
"error verifying name '%s': "
"a dNSName of \" \" must not be "
"used", name);
- rv = -1;
- break;
+ goto err;
}
if (tls_match_name(data, name) == 0) {
*alt_match = 1;
- break;
+ goto done;
}
} else {
#ifdef DEBUG
@@ -187,8 +185,7 @@ tls_check_subject_altname(struct tls *ctx, X509 *cert, const char *name,
tls_set_errorx(ctx,
"Unexpected negative length for an "
"IP address: %d", datalen);
- rv = -1;
- break;
+ goto err;
}
/*
@@ -198,11 +195,15 @@ tls_check_subject_altname(struct tls *ctx, X509 *cert, const char *name,
if (datalen == addrlen &&
memcmp(data, &addrbuf, addrlen) == 0) {
*alt_match = 1;
- break;
+ goto done;
}
}
}
+ done:
+ rv = 0;
+
+ err:
sk_GENERAL_NAME_pop_free(altname_stack, GENERAL_NAME_free);
return rv;
}
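Review bot: The `err:` label relies on every `goto err` in the function having already recorded a message with tls_set_errorx(), and the fall-through from `done:` into `err:` is easy to misread as an error path on first reading; a comment on each label would document the contract, e.g. `/* done: success, fall through to common cleanup */` above `done:` and `/* err: error already set via tls_set_errorx(); rv stays -1 */` above `err:`. The four `goto err` sites visible in the earlier hunks all call tls_set_errorx() first, so the invariant holds as committed. The head of tls_check_subject_altname is outside this hunk.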