The subject of a certificate is not optional

A certificate must have a subject, so X509_get_subject_name() cannot
return NULL on a correctly parsed certificate, even if the subject is
empty (which is allowed). So if X509_get_subject_name() returns NULL,
error instead of silently ignoring it in tls_check_common_name().

This is currently no issue. Where it matters, the match against the
common name will fail later, so we fail closed anyway.

ok jsing

1 files changed, 2 insertions, 2 deletions

diff --git a/src/lib/libtls/tls_verify.c b/src/lib/libtls/tls_verify.c
index 78f6c249cc..6b2a4fb82a 100644
--- a/src/lib/libtls/tls_verify.c
+++ b/src/lib/libtls/tls_verify.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_verify.c,v 1.30 2024/03/26 06:24:52 joshua Exp $ */
+/* $OpenBSD: tls_verify.c,v 1.31 2024/11/12 22:50:06 tb Exp $ */
 /*
  * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org>
  *
@@ -226,7 +226,7 @@ tls_check_common_name(struct tls *ctx, X509 *cert, const char *name,
 
         subject_name = X509_get_subject_name(cert);
         if (subject_name == NULL)
-                goto done;
+                goto err;
 
         lastpos = X509_NAME_get_index_by_NID(subject_name,
             NID_commonName, lastpos);