| author | Theo Buehler <tb@cvs.openbsd.org> | 2024-11-12 22:50:07 +0000 |
|---|---|---|
| committer | Theo Buehler <tb@cvs.openbsd.org> | 2024-11-12 22:50:07 +0000 |
| commit | 2a8dd47062ba54a160f8f3b87f306ab0138e1b45 (patch) | |
| tree | 3a5dd835bb927c4e8a0ea662ea6a968330c607c5 /lib | |
| parent | c7762499cbdf2208441f0bbdba2119d0e228cc1c (diff) | |
The subject of a certificate is not optional
A certificate must have a subject, so X509_get_subject_name() cannot
return NULL on a correctly parsed certificate, even if the subject is
empty (which is allowed). So if X509_get_subject_name() returns NULL,
error instead of silently ignoring it in tls_check_common_name().
This is currently no issue. Where it matters, the match against the
common name will fail later, so we fail closed anyway.
ok jsing
Diffstat (limited to 'lib')
-rw-r--r-- | lib/libtls/tls_verify.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/lib/libtls/tls_verify.c b/lib/libtls/tls_verify.c index 78f6c249cc0..6b2a4fb82ab 100644 --- a/lib/libtls/tls_verify.c +++ b/lib/libtls/tls_verify.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls_verify.c,v 1.30 2024/03/26 06:24:52 joshua Exp $ */ +/* $OpenBSD: tls_verify.c,v 1.31 2024/11/12 22:50:06 tb Exp $ */ /* * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org> * @@ -226,7 +226,7 @@ tls_check_common_name(struct tls *ctx, X509 *cert, const char *name, subject_name = X509_get_subject_name(cert); if (subject_name == NULL) - goto done; + goto err; lastpos = X509_NAME_get_index_by_NID(subject_name, NID_commonName, lastpos); |
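Review bot: the `err` label that the second hunk now jumps to is outside the visible context, so the hunk alone does not show how `err` differs from `done`; since the commit message says a NULL subject_name must now be reported as a failure rather than silently ignored, confirm that `err` sets the failure return value and that no other code in tls_check_common_name() still relies on reaching `done` for this case. The new path also records no reason for the failure: if the other error paths in this function set an error string, adding one here (e.g. "subject name missing") would make this never-expected condition diagnosable instead of surfacing as a bare verification failure.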