Check for X509_get_ext_d2i() failure
author tb <tb@openbsd.org>
Thu, 1 Jun 2023 07:29:15 +0000 (07:29 +0000)
committer tb <tb@openbsd.org>
Thu, 1 Jun 2023 07:29:15 +0000 (07:29 +0000)
X509_get_ext_d2i() (or rather X509V3_get_d2i()) can return NULL for
various reasons. If it fails because the extension wasn't found, it
sets *crit = -1. In any other case, e.g., the cert is bad or we ran
out of memory in X509V3_EXT_d2i(), crit is set to something else, so
we should actually error.

ok jsing

lib/libtls/tls_verify.c

index a0c39b9..c3127fa 100644 (file)
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_verify.c,v 1.26 2023/05/29 14:12:36 beck Exp $ */
+/* $OpenBSD: tls_verify.c,v 1.27 2023/06/01 07:29:15 tb Exp $ */
 /*
  * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org>
  *
@@ -92,15 +92,21 @@ tls_check_subject_altname(struct tls *ctx, X509 *cert, const char *name,
        union tls_addr addrbuf;
        int addrlen, type;
        int count, i;
+       int critical = 0;
        int rv = 0;
 
        *alt_match = 0;
        *alt_exists = 0;
 
-       altname_stack = X509_get_ext_d2i(cert, NID_subject_alt_name,
-           NULL, NULL);
-       if (altname_stack == NULL)
+       altname_stack = X509_get_ext_d2i(cert, NID_subject_alt_name, &critical,
+           NULL);
+       if (altname_stack == NULL) {
+               if (critical != -1) {
+                       tls_set_errorx(ctx, "error decoding subjectAltName");
+                       return -1;
+               }
                return 0;
+       }
 
        if (inet_pton(AF_INET, name, &addrbuf) == 1) {
                type = GEN_IPADD;
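Review bot: The -1 sentinel that the new `critical != -1` test relies on is undocumented at the call site, so a reader has to know X509V3_get_d2i()'s status convention to see why every other NULL return is treated as an error. I would add a comment above the `if (altname_stack == NULL) {` line: `/* critical is -1 only when the extension is absent; any other value alongside a NULL result means a duplicate or malformed extension, or a failed decode. */` (the duplicate-extension case is what I understand the library reports as -2; confirm against X509V3_get_d2i() before wording it that way). The single message "error decoding subjectAltName" consequently also covers a certificate carrying more than one subjectAltName, which is correct behaviour but may be worth distinguishing in the error text for operators debugging a rejected peer. The body of tls_check_subject_altname begins and ends outside this hunk.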