From cf5b89baef0d059b3a6b4ecd4b49409265157b81 Mon Sep 17 00:00:00 2001
From: tb <>
Date: Tue, 12 Nov 2024 22:50:06 +0000
Subject: The subject of a certificate is not optional

A certificate must have a subject, so X509_get_subject_name() cannot return NULL on a correctly parsed certificate, even if the subject is empty (which is allowed). So if X509_get_subject_name() returns NULL, error instead of silently ignoring it in tls_check_common_name(). This is currently no issue. Where it matters, the match against the common name will fail later, so we fail closed anyway.

ok jsing
---
 src/lib/libtls/tls_verify.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'src/lib')

diff --git a/src/lib/libtls/tls_verify.c b/src/lib/libtls/tls_verify.c
index 78f6c249cc..6b2a4fb82a 100644
--- a/src/lib/libtls/tls_verify.c
+++ b/src/lib/libtls/tls_verify.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_verify.c,v 1.30 2024/03/26 06:24:52 joshua Exp $ */
+/* $OpenBSD: tls_verify.c,v 1.31 2024/11/12 22:50:06 tb Exp $ */
 /*
  * Copyright (c) 2014 Jeremie Courreges-Anglas
  *
@@ -226,7 +226,7 @@ tls_check_common_name(struct tls *ctx, X509 *cert, const char *name,
 
 	subject_name = X509_get_subject_name(cert);
 	if (subject_name == NULL)
-		goto done;
+		goto err;
 
 	lastpos = X509_NAME_get_index_by_NID(subject_name, NID_commonName,
 	    lastpos);
-- 
cgit v1.2.3-55-g6feb
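Review bot: The new `goto err;` turns a NULL subject into a hard failure but records no reason before the jump, so if the `err` label only sets the return value the caller sees an unexplained verification failure rather than one that names the cause. Consider setting the context error immediately before the goto, using whatever helper this file's other `goto err` paths use (presumably `tls_set_errorx`), e.g. a message along the lines of "failed to get certificate subject name". The enclosing tls_check_common_name() begins and ends outside the hunk, so the semantics of `err` versus `done` cannot be confirmed here; this assumes, as the commit message implies, that `err` is the failure path and `done` the no-match/success path, in which case the change correctly fails closed.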