diff options
| author | tb <> | 2022-01-04 20:33:02 +0000 |
|---|---|---|
| committer | tb <> | 2022-01-04 20:33:02 +0000 |
| commit | 0e99290a277d63a8358a221e9ab15b6adc2bc55b (patch) | |
| tree | 957810afc3dacc2a08a2e1a4f282bc6b9c53792b /src/lib | |
| parent | 191a8ff01f214920fa1d8dd7be9fa3513400f74a (diff) | |
| download | openbsd-0e99290a277d63a8358a221e9ab15b6adc2bc55b.tar.gz openbsd-0e99290a277d63a8358a221e9ab15b6adc2bc55b.tar.bz2 openbsd-0e99290a277d63a8358a221e9ab15b6adc2bc55b.zip | |
Only check the parent to be canonical once we know it is non-NULL.
suggested by jsing during review
Diffstat (limited to 'src/lib')
| -rw-r--r-- | src/lib/libcrypto/x509/x509_addr.c | 11 |
1 files changed, 5 insertions, 6 deletions
diff --git a/src/lib/libcrypto/x509/x509_addr.c b/src/lib/libcrypto/x509/x509_addr.c index e80ba35661..0b735c3bc5 100644 --- a/src/lib/libcrypto/x509/x509_addr.c +++ b/src/lib/libcrypto/x509/x509_addr.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: x509_addr.c,v 1.55 2022/01/04 20:30:30 tb Exp $ */ | 1 | /* $OpenBSD: x509_addr.c,v 1.56 2022/01/04 20:33:02 tb Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Contributed to the OpenSSL Project by the American Registry for | 3 | * Contributed to the OpenSSL Project by the American Registry for |
| 4 | * Internet Numbers ("ARIN"). | 4 | * Internet Numbers ("ARIN"). |
| @@ -1763,12 +1763,8 @@ addr_validate_path_internal(X509_STORE_CTX *ctx, STACK_OF(X509) *chain, | |||
| 1763 | */ | 1763 | */ |
| 1764 | for (i++; i < sk_X509_num(chain); i++) { | 1764 | for (i++; i < sk_X509_num(chain); i++) { |
| 1765 | x = sk_X509_value(chain, i); | 1765 | x = sk_X509_value(chain, i); |
| 1766 | parent = x->rfc3779_addr; | ||
| 1767 | 1766 | ||
| 1768 | if (!X509v3_addr_is_canonical(parent)) | 1767 | if ((parent = x->rfc3779_addr) == NULL) { |
| 1769 | validation_err(X509_V_ERR_INVALID_EXTENSION); | ||
| 1770 | |||
| 1771 | if (parent == NULL) { | ||
| 1772 | for (j = 0; j < sk_IPAddressFamily_num(child); j++) { | 1768 | for (j = 0; j < sk_IPAddressFamily_num(child); j++) { |
| 1773 | fc = sk_IPAddressFamily_value(child, j); | 1769 | fc = sk_IPAddressFamily_value(child, j); |
| 1774 | 1770 | ||
| @@ -1780,6 +1776,9 @@ addr_validate_path_internal(X509_STORE_CTX *ctx, STACK_OF(X509) *chain, | |||
| 1780 | continue; | 1776 | continue; |
| 1781 | } | 1777 | } |
| 1782 | 1778 | ||
| 1779 | if (!X509v3_addr_is_canonical(parent)) | ||
| 1780 | validation_err(X509_V_ERR_INVALID_EXTENSION); | ||
| 1781 | |||
| 1783 | sk_IPAddressFamily_set_cmp_func(parent, IPAddressFamily_cmp); | 1782 | sk_IPAddressFamily_set_cmp_func(parent, IPAddressFamily_cmp); |
| 1784 | 1783 | ||
| 1785 | /* | 1784 | /* |