From a65418df248f4abc3c854244861cdc93682425c0 Mon Sep 17 00:00:00 2001 From: tb Date: Tue, 18 Jun 2024 05:08:41 +0000 Subject: [PATCH] iked: do not attempt to read multiple SANs No extension in a valid certificate appears more than once per RFC 5280 section 4.2. So don't go walking the extension stack and try to inspect multiple subject alternative names because crappy OpenSSL API encourages you to do so. Instead call the API in the only correct way possible and report multiple SANs in log_info(). This is unlikely to be hit since the extension caching in LibreSSL has rejected repeated OIDs in a cert for a long time. ok tobhe --- sbin/iked/ca.c | 20 +++++++++++--------- 1 file changed, 11 insertions(+), 9 deletions(-) diff --git a/sbin/iked/ca.c b/sbin/iked/ca.c index 3c4183440f7..042bce995f2 100644 --- a/sbin/iked/ca.c +++ b/sbin/iked/ca.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ca.c,v 1.101 2024/02/13 12:25:11 tobhe Exp $ */ +/* $OpenBSD: ca.c,v 1.102 2024/06/18 05:08:41 tb Exp $ */ /* * Copyright (c) 2010-2013 Reyk Floeter @@ -1985,13 +1985,13 @@ ca_x509_subjectaltname_do(X509 *cert, int mode, const char *logmsg, GENERAL_NAME *entry; ASN1_STRING *cstr; char idstr[IKED_ID_SIZE]; - int idx, ret, i, type, len; + int crit, ret, i, type, len; const uint8_t *data; ret = -1; - idx = -1; - while ((stack = X509_get_ext_d2i(cert, NID_subject_alt_name, - NULL, &idx)) != NULL) { + crit = -1; + if ((stack = X509_get_ext_d2i(cert, NID_subject_alt_name, + &crit, NULL)) != NULL) { for (i = 0; i < sk_GENERAL_NAME_num(stack); i++) { entry = sk_GENERAL_NAME_value(stack, i); switch (entry->type) { @@ -2071,12 +2071,14 @@ ca_x509_subjectaltname_do(X509 *cert, int mode, const char *logmsg, } } sk_GENERAL_NAME_pop_free(stack, GENERAL_NAME_free); - if (ret != -1) - break; - } - if (idx == -1) + } else if (crit == -2) + log_info("%s: multiple subjectAltName extensions are invalid", + __func__); + else if (crit == -1) log_debug("%s: did not find subjectAltName in certificate", __func__); + else + log_debug("%s: failed to decode subjectAltName", __func__); return ret; } -- 2.20.1