artulab
projects / openbsd / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 7e30afc) | patch
iked: do not attempt to read multiple SANs
authortb <tb@openbsd.org>
Tue, 18 Jun 2024 05:08:41 +0000 (05:08 +0000)
committertb <tb@openbsd.org>
Tue, 18 Jun 2024 05:08:41 +0000 (05:08 +0000)
commita65418df248f4abc3c854244861cdc93682425c0
treefe65493129ef1941520b975fde90ddb2ec561bb4tree | snapshot
parent7e30afce04b513f04457e7b94d25cad8950948eecommit | diff
iked: do not attempt to read multiple SANs

No extension in a valid certificate appears more than once per RFC 5280
section 4.2. So don't go walking the extension stack and try to inspect
multiple subject alternative names because crappy OpenSSL API encourages
you to do so. Instead call the API in the only correct way possible and
report multiple SANs in log_info(). This is unlikely to be hit since the
extension caching in LibreSSL has rejected repeated OIDs in a cert for a
long time.

ok tobhe
sbin/iked/ca.c diff | blob | history
OpenBSD src
by Ahmet Artu Yildirim