From 6adcb85d7e505db4fc82e77b5145f5958398bfbc Mon Sep 17 00:00:00 2001
From: tb <tb@openbsd.org>
Date: Thu, 1 Jun 2023 07:32:25 +0000
Subject: [PATCH] Rework tls_check_subject_altname() error handling

Default to having rv = -1 and explicitly goto done to set rv = 0.
This matches other code better.

ok jsing
---
 lib/libtls/tls_verify.c | 25 +++++++++++++------------
 1 file changed, 13 insertions(+), 12 deletions(-)

diff --git a/lib/libtls/tls_verify.c b/lib/libtls/tls_verify.c
index c3127fa4fe0..c588f027c56 100644
--- a/lib/libtls/tls_verify.c
+++ b/lib/libtls/tls_verify.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_verify.c,v 1.27 2023/06/01 07:29:15 tb Exp $ */
+/* $OpenBSD: tls_verify.c,v 1.28 2023/06/01 07:32:25 tb Exp $ */
 /*
  * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org>
  *
@@ -93,7 +93,7 @@ tls_check_subject_altname(struct tls *ctx, X509 *cert, const char *name,
 	int addrlen, type;
 	int count, i;
 	int critical = 0;
-	int rv = 0;
+	int rv = -1;
 
 	*alt_match = 0;
 	*alt_exists = 0;
@@ -103,9 +103,9 @@ tls_check_subject_altname(struct tls *ctx, X509 *cert, const char *name,
 	if (altname_stack == NULL) {
 		if (critical != -1) {
 			tls_set_errorx(ctx, "error decoding subjectAltName");
-			return -1;
+			goto err;
 		}
-		return 0;
+		goto done;
 	}
 
 	if (inet_pton(AF_INET, name, &addrbuf) == 1) {
@@ -146,8 +146,7 @@ tls_check_subject_altname(struct tls *ctx, X509 *cert, const char *name,
 					    "NUL byte in subjectAltName, "
 					    "probably a malicious certificate",
 					    name);
-					rv = -1;
-					break;
+					goto err;
 				}
 
 				/*
@@ -160,13 +159,12 @@ tls_check_subject_altname(struct tls *ctx, X509 *cert, const char *name,
 					    "error verifying name '%s': "
 					    "a dNSName of \" \" must not be "
 					    "used", name);
-					rv = -1;
-					break;
+					goto err;
 				}
 
 				if (tls_match_name(data, name) == 0) {
 					*alt_match = 1;
-					break;
+					goto done;
 				}
 			} else {
 #ifdef DEBUG
@@ -187,8 +185,7 @@ tls_check_subject_altname(struct tls *ctx, X509 *cert, const char *name,
 				tls_set_errorx(ctx,
 				    "Unexpected negative length for an "
 				    "IP address: %d", datalen);
-				rv = -1;
-				break;
+				goto err;
 			}
 
 			/*
@@ -198,11 +195,15 @@ tls_check_subject_altname(struct tls *ctx, X509 *cert, const char *name,
 			if (datalen == addrlen &&
 			    memcmp(data, &addrbuf, addrlen) == 0) {
 				*alt_match = 1;
-				break;
+				goto done;
 			}
 		}
 	}
 
+ done:
+	rv = 0;
+
+ err:
 	sk_GENERAL_NAME_pop_free(altname_stack, GENERAL_NAME_free);
 	return rv;
 }
-- 
2.20.1