From d0b267bd8fed2f7392beb4d3ae149ffca6bcce0d Mon Sep 17 00:00:00 2001 From: Theo Buehler Date: Thu, 1 Jun 2023 07:29:16 +0000 Subject: Check for X509_get_ext_d2i() failure X509_get_ext_d2i() (or rather X509V3_get_d2i()) can return NULL for various reasons. If it fails because the extension wasn't found, it sets *crit = -1. In any other case, e.g., the cert is bad or we ran out of memory in X509V3_EXT_d2i(), crit is set to something else, so we should actually error. ok jsing --- lib/libtls/tls_verify.c | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/lib/libtls/tls_verify.c b/lib/libtls/tls_verify.c index a0c39b9dd4f..c3127fa4fe0 100644 --- a/lib/libtls/tls_verify.c +++ b/lib/libtls/tls_verify.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls_verify.c,v 1.26 2023/05/29 14:12:36 beck Exp $ */ +/* $OpenBSD: tls_verify.c,v 1.27 2023/06/01 07:29:15 tb Exp $ */ /* * Copyright (c) 2014 Jeremie Courreges-Anglas * @@ -92,15 +92,21 @@ tls_check_subject_altname(struct tls *ctx, X509 *cert, const char *name, union tls_addr addrbuf; int addrlen, type; int count, i; + int critical = 0; int rv = 0; *alt_match = 0; *alt_exists = 0; - altname_stack = X509_get_ext_d2i(cert, NID_subject_alt_name, - NULL, NULL); - if (altname_stack == NULL) + altname_stack = X509_get_ext_d2i(cert, NID_subject_alt_name, &critical, + NULL); + if (altname_stack == NULL) { + if (critical != -1) { + tls_set_errorx(ctx, "error decoding subjectAltName"); + return -1; + } return 0; + } if (inet_pton(AF_INET, name, &addrbuf) == 1) { type = GEN_IPADD; -- cgit v1.2.3