summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
authortb <>2023-06-01 07:32:25 +0000
committertb <>2023-06-01 07:32:25 +0000
commitb8dce7ac320a7caa6b20f0d8cf605cfc4879bde3 (patch)
tree7681a8dc75a26ddedb3b85c713a37b65b77c57e7 /src
parentcc189c580a85ba75a6ca60bf3d50a3edee8845bd (diff)
downloadopenbsd-b8dce7ac320a7caa6b20f0d8cf605cfc4879bde3.tar.gz
openbsd-b8dce7ac320a7caa6b20f0d8cf605cfc4879bde3.tar.bz2
openbsd-b8dce7ac320a7caa6b20f0d8cf605cfc4879bde3.zip
Rework tls_check_subject_altname() error handling
Default to having rv = -1 and explicitly goto done to set rv = 0. This matches other code better. ok jsing
Diffstat (limited to 'src')
-rw-r--r--src/lib/libtls/tls_verify.c25
1 files changed, 13 insertions, 12 deletions
diff --git a/src/lib/libtls/tls_verify.c b/src/lib/libtls/tls_verify.c
index c3127fa4fe..c588f027c5 100644
--- a/src/lib/libtls/tls_verify.c
+++ b/src/lib/libtls/tls_verify.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: tls_verify.c,v 1.27 2023/06/01 07:29:15 tb Exp $ */ 1/* $OpenBSD: tls_verify.c,v 1.28 2023/06/01 07:32:25 tb Exp $ */
2/* 2/*
3 * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org> 3 * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org>
4 * 4 *
@@ -93,7 +93,7 @@ tls_check_subject_altname(struct tls *ctx, X509 *cert, const char *name,
93 int addrlen, type; 93 int addrlen, type;
94 int count, i; 94 int count, i;
95 int critical = 0; 95 int critical = 0;
96 int rv = 0; 96 int rv = -1;
97 97
98 *alt_match = 0; 98 *alt_match = 0;
99 *alt_exists = 0; 99 *alt_exists = 0;
@@ -103,9 +103,9 @@ tls_check_subject_altname(struct tls *ctx, X509 *cert, const char *name,
103 if (altname_stack == NULL) { 103 if (altname_stack == NULL) {
104 if (critical != -1) { 104 if (critical != -1) {
105 tls_set_errorx(ctx, "error decoding subjectAltName"); 105 tls_set_errorx(ctx, "error decoding subjectAltName");
106 return -1; 106 goto err;
107 } 107 }
108 return 0; 108 goto done;
109 } 109 }
110 110
111 if (inet_pton(AF_INET, name, &addrbuf) == 1) { 111 if (inet_pton(AF_INET, name, &addrbuf) == 1) {
@@ -146,8 +146,7 @@ tls_check_subject_altname(struct tls *ctx, X509 *cert, const char *name,
146 "NUL byte in subjectAltName, " 146 "NUL byte in subjectAltName, "
147 "probably a malicious certificate", 147 "probably a malicious certificate",
148 name); 148 name);
149 rv = -1; 149 goto err;
150 break;
151 } 150 }
152 151
153 /* 152 /*
@@ -160,13 +159,12 @@ tls_check_subject_altname(struct tls *ctx, X509 *cert, const char *name,
160 "error verifying name '%s': " 159 "error verifying name '%s': "
161 "a dNSName of \" \" must not be " 160 "a dNSName of \" \" must not be "
162 "used", name); 161 "used", name);
163 rv = -1; 162 goto err;
164 break;
165 } 163 }
166 164
167 if (tls_match_name(data, name) == 0) { 165 if (tls_match_name(data, name) == 0) {
168 *alt_match = 1; 166 *alt_match = 1;
169 break; 167 goto done;
170 } 168 }
171 } else { 169 } else {
172#ifdef DEBUG 170#ifdef DEBUG
@@ -187,8 +185,7 @@ tls_check_subject_altname(struct tls *ctx, X509 *cert, const char *name,
187 tls_set_errorx(ctx, 185 tls_set_errorx(ctx,
188 "Unexpected negative length for an " 186 "Unexpected negative length for an "
189 "IP address: %d", datalen); 187 "IP address: %d", datalen);
190 rv = -1; 188 goto err;
191 break;
192 } 189 }
193 190
194 /* 191 /*
@@ -198,11 +195,15 @@ tls_check_subject_altname(struct tls *ctx, X509 *cert, const char *name,
198 if (datalen == addrlen && 195 if (datalen == addrlen &&
199 memcmp(data, &addrbuf, addrlen) == 0) { 196 memcmp(data, &addrbuf, addrlen) == 0) {
200 *alt_match = 1; 197 *alt_match = 1;
201 break; 198 goto done;
202 } 199 }
203 } 200 }
204 } 201 }
205 202
203 done:
204 rv = 0;
205
206 err:
206 sk_GENERAL_NAME_pop_free(altname_stack, GENERAL_NAME_free); 207 sk_GENERAL_NAME_pop_free(altname_stack, GENERAL_NAME_free);
207 return rv; 208 return rv;
208} 209}
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-11-29 19:50:20 +0000