Hello ordex, plaisthos,
I'd like you to reexamine a change. Please visit
http://gerrit.openvpn.net/c/openvpn/+/1388?usp=email
to look at the new patch set (#3).
The following approvals got outdated and were removed:
Code-Review+2 by ordex
Change subject: extract_x509_field_ssl(): verify that X509_NAME is not NULL.
......................................................................
extract_x509_field_ssl(): verify that X509_NAME is not NULL.
This seems to be unlikely to ever happen, but this check won't harm
- as a matter of coding convention, we do not ensure this inside
extract_x509_field_ssl(), but in the (single) caller.
While at it, fix pre-C99 local-variable indent block, and missing {}
block in else/#endif construction.
Reported-By: Joshua Rogers <[email protected]>
Found-by: ZeroPath (https://zeropath.com/)
Change-Id: I1e9c7eee06bf5f2e8aed8cd2523684539294ac8b
Signed-off-by: Gert Doering <[email protected]>
Acked-by: Antonio Quartulli <[email protected]>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1388
Message-Id: <[email protected]>
URL:
https://www.mail-archive.com/[email protected]/msg34748.html
Signed-off-by: Gert Doering <[email protected]>
---
M src/openvpn/ssl_verify_openssl.c
1 file changed, 14 insertions(+), 7 deletions(-)
git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/88/1388/3
diff --git a/src/openvpn/ssl_verify_openssl.c b/src/openvpn/ssl_verify_openssl.c
index 40d117b..6cb04ee 100644
--- a/src/openvpn/ssl_verify_openssl.c
+++ b/src/openvpn/ssl_verify_openssl.c
@@ -202,8 +202,8 @@
X509_NAME_ENTRY *x509ne = NULL;
ASN1_STRING *asn1 = NULL;
unsigned char *buf = NULL;
- ASN1_OBJECT *field_name_obj = OBJ_txt2obj(field_name, 0);
+ ASN1_OBJECT *field_name_obj = OBJ_txt2obj(field_name, 0);
if (field_name_obj == NULL)
{
msg(D_TLS_ERRORS, "Invalid X509 attribute name '%s'", field_name);
@@ -244,11 +244,9 @@
strncpynt(out, (char *)buf, size);
- {
- const result_t ret = (strlen((char *)buf) < size) ? SUCCESS : FAILURE;
- OPENSSL_free(buf);
- return ret;
- }
+ const result_t ret = (strlen((char *)buf) < size) ? SUCCESS : FAILURE;
+ OPENSSL_free(buf);
+ return ret;
}
result_t
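Review bot: at the `const result_t ret` line, FAILURE is only decided after `strncpynt(out, (char *)buf, size)` has already written a truncated value into `out`, so a caller that ignores the return code is left with a shortened field. The patch does not introduce this behaviour, but since the block is being reflowed anyway, add a short comment saying that FAILURE here means "value did not fit, `out` is truncated and must not be used", or clear `out` before returning FAILURE. Dropping the inner braces also puts the declaration after a statement, which is fine for C99 and matches the commit message.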
@@ -278,12 +276,21 @@
}
else
#endif /* ifdef ENABLE_X509ALTUSERNAME */
+ {
+ X509_NAME *x509_subject_name = X509_get_subject_name(peer_cert);
+ if (x509_subject_name == NULL)
+ {
+ msg(D_TLS_ERRORS, "X509 subject name is NULL");
+ return FAILURE;
+ }
+
if (FAILURE
- == extract_x509_field_ssl(X509_get_subject_name(peer_cert),
x509_username_field,
+ == extract_x509_field_ssl(x509_subject_name, x509_username_field,
common_name, cn_len))
{
return FAILURE;
}
+ }
return SUCCESS;
}
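Review bot: the NULL test on `x509_subject_name` sits in the caller's `else` block, so `extract_x509_field_ssl()` itself still has an unchecked non-NULL requirement on its X509_NAME argument, while the subject line names that function as the place of the check. The commit message explains the convention and that there is a single caller today. Document the precondition in the function's header comment so that a later second caller does not pass the result of `X509_get_subject_name()` straight in again, and consider rewording the subject to say the check is done before calling `extract_x509_field_ssl()`. The added braces around the `else` body after `#endif` are a good change, because the block stays well-formed whether or not ENABLE_X509ALTUSERNAME is defined.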
--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/1388?usp=email
Gerrit-MessageType: newpatchset
Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I1e9c7eee06bf5f2e8aed8cd2523684539294ac8b
Gerrit-Change-Number: 1388
Gerrit-PatchSet: 3
Gerrit-Owner: cron2 <[email protected]>
Gerrit-Reviewer: ordex <[email protected]>
Gerrit-Reviewer: plaisthos <[email protected]>
Gerrit-CC: openvpn-devel <[email protected]>