diff options
Diffstat (limited to 'tls_verify.c')
-rw-r--r-- | tls_verify.c | 30 |
1 files changed, 17 insertions, 13 deletions
diff --git a/tls_verify.c b/tls_verify.c index acbe163..0cb86f6 100644 --- a/tls_verify.c +++ b/tls_verify.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls_verify.c,v 1.20 2018/02/05 00:52:24 jsing Exp $ */ +/* $OpenBSD: tls_verify.c,v 1.23 2023/05/11 07:35:27 tb Exp $ */ /* * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org> * @@ -115,7 +115,7 @@ tls_check_subject_altname(struct tls *ctx, X509 *cert, const char *name, count = sk_GENERAL_NAME_num(altname_stack); for (i = 0; i < count; i++) { - GENERAL_NAME *altname; + GENERAL_NAME *altname; altname = sk_GENERAL_NAME_value(altname_stack, i); @@ -126,12 +126,12 @@ tls_check_subject_altname(struct tls *ctx, X509 *cert, const char *name, continue; if (type == GEN_DNS) { - unsigned char *data; - int format, len; + const unsigned char *data; + int format, len; format = ASN1_STRING_type(altname->d.dNSName); if (format == V_ASN1_IA5STRING) { - data = ASN1_STRING_data(altname->d.dNSName); + data = ASN1_STRING_get0_data(altname->d.dNSName); len = ASN1_STRING_length(altname->d.dNSName); if (len < 0 || (size_t)len != strlen(data)) { @@ -171,11 +171,11 @@ tls_check_subject_altname(struct tls *ctx, X509 *cert, const char *name, } } else if (type == GEN_IPADD) { - unsigned char *data; - int datalen; + const unsigned char *data; + int datalen; datalen = ASN1_STRING_length(altname->d.iPAddress); - data = ASN1_STRING_data(altname->d.iPAddress); + data = ASN1_STRING_get0_data(altname->d.iPAddress); if (datalen < 0) { tls_set_errorx(ctx, @@ -209,7 +209,7 @@ tls_check_common_name(struct tls *ctx, X509 *cert, const char *name, char *common_name = NULL; union tls_addr addrbuf; int common_name_len; - int rv = 0; + int rv = -1; *cn_match = 0; @@ -223,8 +223,10 @@ tls_check_common_name(struct tls *ctx, X509 *cert, const char *name, goto done; common_name = calloc(common_name_len + 1, 1); - if (common_name == NULL) - goto done; + if (common_name == NULL) { + tls_set_error(ctx, "out of memory"); + goto err; + } X509_NAME_get_text_by_NID(subject_name, NID_commonName, common_name, common_name_len + 1); @@ -235,8 +237,7 @@ tls_check_common_name(struct tls *ctx, X509 *cert, const char *name, tls_set_errorx(ctx, "error verifying name '%s': " "NUL byte in Common Name field, " "probably a malicious certificate", name); - rv = -1; - goto done; + goto err; } /* @@ -254,6 +255,9 @@ tls_check_common_name(struct tls *ctx, X509 *cert, const char *name, *cn_match = 1; done: + rv = 0; + + err: free(common_name); return rv; } |