From cc189c580a85ba75a6ca60bf3d50a3edee8845bd Mon Sep 17 00:00:00 2001
From: tb <>
Date: Thu, 1 Jun 2023 07:29:15 +0000
Subject: Check for X509_get_ext_d2i() failure

X509_get_ext_d2i() (or rather X509V3_get_d2i()) can return NULL for
various reasons. If it fails because the extension wasn't found, it
sets *crit = -1. In any other case, e.g., the cert is bad or we ran
out of memory in X509V3_EXT_d2i(), crit is set to something else, so
we should actually error.

ok jsing
---
 src/lib/libtls/tls_verify.c | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/src/lib/libtls/tls_verify.c b/src/lib/libtls/tls_verify.c
index a0c39b9dd4..c3127fa4fe 100644
--- a/src/lib/libtls/tls_verify.c
+++ b/src/lib/libtls/tls_verify.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_verify.c,v 1.26 2023/05/29 14:12:36 beck Exp $ */
+/* $OpenBSD: tls_verify.c,v 1.27 2023/06/01 07:29:15 tb Exp $ */
 /*
  * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org>
  *
@@ -92,15 +92,21 @@ tls_check_subject_altname(struct tls *ctx, X509 *cert, const char *name,
 	union tls_addr addrbuf;
 	int addrlen, type;
 	int count, i;
+	int critical = 0;
 	int rv = 0;
 
 	*alt_match = 0;
 	*alt_exists = 0;
 
-	altname_stack = X509_get_ext_d2i(cert, NID_subject_alt_name,
-	    NULL, NULL);
-	if (altname_stack == NULL)
+	altname_stack = X509_get_ext_d2i(cert, NID_subject_alt_name, &critical,
+	    NULL);
+	if (altname_stack == NULL) {
+		if (critical != -1) {
+			tls_set_errorx(ctx, "error decoding subjectAltName");
+			return -1;
+		}
 		return 0;
+	}
 
 	if (inet_pton(AF_INET, name, &addrbuf) == 1) {
 		type = GEN_IPADD;
-- 
cgit v1.2.3-55-g6feb