[Openvpn-devel,v2] extract_x509_field_ssl(): verify that X509_NAME is not NULL.

Message ID 20251127113517.1352-1-gert@greenie.muc.de
State New

Commit Message

Gert Doering Nov. 27, 2025, 11:35 a.m. UTC
This seems to be unlikely to ever happen, but this check won't harm
- as a matter of coding convention, we do not ensure this inside
extract_x509_field_ssl(), but in the (single) caller.

While at it, fix pre-C99 local-variable indent block, and missing {}
block in else/#endif construction.

Reported-By: Joshua Rogers <contact@joshua.hu>
Found-by: ZeroPath (https://zeropath.com/)

Change-Id: I1e9c7eee06bf5f2e8aed8cd2523684539294ac8b
Signed-off-by: Gert Doering <gert@greenie.muc.de>
Acked-by: Antonio Quartulli <antonio@mandelbit.com>
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1388
---

This change was reviewed on Gerrit and approved by at least one
developer. I request to merge it to master.

Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1388
This mail reflects revision 2 of this Change.

Acked-by according to Gerrit (reflected above):
Antonio Quartulli <antonio@mandelbit.com>

Comments

Gert Doering Nov. 27, 2025, 12:01 p.m. UTC | #1
Only subjected to basic t_client tests - this extracts the subject name
to print it, so things still work for the non-error case (and I have no
cert that would trigger the error case).

Opened github #917 to start a discussion about the ENABLE_X509ALTUSERNAME
conditional... (one cannot simply touch OpenVPN code without finding
things :-/ )

Your patch has been applied to the master branch.

commit f18e3141fae709fff47b82d7931024249ba09cc1
Author: Gert Doering
Date:   Thu Nov 27 12:35:12 2025 +0100

     extract_x509_field_ssl(): verify that X509_NAME is not NULL.

     Signed-off-by: Gert Doering <gert@greenie.muc.de>
     Acked-by: Antonio Quartulli <antonio@mandelbit.com>
     Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1388
     Message-Id: <20251127113517.1352-1-gert@greenie.muc.de>
     URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg34748.html
     Signed-off-by: Gert Doering <gert@greenie.muc.de>


--
kind regards,

Gert Doering

Patch

diff --git a/src/openvpn/ssl_verify_openssl.c b/src/openvpn/ssl_verify_openssl.c
index 40d117b..6cb04ee 100644
--- a/src/openvpn/ssl_verify_openssl.c
+++ b/src/openvpn/ssl_verify_openssl.c
@@ -202,8 +202,8 @@ 
     X509_NAME_ENTRY *x509ne = NULL;
     ASN1_STRING *asn1 = NULL;
     unsigned char *buf = NULL;
-    ASN1_OBJECT *field_name_obj = OBJ_txt2obj(field_name, 0);
 
+    ASN1_OBJECT *field_name_obj = OBJ_txt2obj(field_name, 0);
     if (field_name_obj == NULL)
     {
         msg(D_TLS_ERRORS, "Invalid X509 attribute name '%s'", field_name);
@@ -244,11 +244,9 @@ 
 
     strncpynt(out, (char *)buf, size);
 
-    {
-        const result_t ret = (strlen((char *)buf) < size) ? SUCCESS : FAILURE;
-        OPENSSL_free(buf);
-        return ret;
-    }
+    const result_t ret = (strlen((char *)buf) < size) ? SUCCESS : FAILURE;
+    OPENSSL_free(buf);
+    return ret;
 }
 
 result_t
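Review bot: in the three added lines at the end of this function, FAILURE for an over-long value is only decided after strncpynt(out, (char *)buf, size) has already written the shortened string into out, and nothing here says that out must not be used in that case. Since these lines are being reflowed anyway, a short comment above `const result_t ret = ...` stating that a truncated value counts as FAILURE and that out is then not to be trusted would make the contract explicit for callers. The removal of the extra brace block itself looks fine.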
@@ -278,12 +276,21 @@ 
     }
     else
 #endif /* ifdef ENABLE_X509ALTUSERNAME */
+    {
+        X509_NAME *x509_subject_name = X509_get_subject_name(peer_cert);
+        if (x509_subject_name == NULL)
+        {
+            msg(D_TLS_ERRORS, "X509 subject name is NULL");
+            return FAILURE;
+        }
+
         if (FAILURE
-            == extract_x509_field_ssl(X509_get_subject_name(peer_cert), x509_username_field,
+            == extract_x509_field_ssl(x509_subject_name, x509_username_field,
                                       common_name, cn_len))
         {
             return FAILURE;
         }
+    }
 
     return SUCCESS;
 }
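Review bot: the precondition this hunk enforces in the new `{ ... }` block after the #endif is not written down anywhere. The check on x509_subject_name lives in the caller, so extract_x509_field_ssl() still accepts its X509_NAME argument with no stated non-NULL requirement, and a later second caller could pass X509_get_subject_name(peer_cert) straight through again. Suggest a one-line comment on extract_x509_field_ssl() stating that the name must be non-NULL and is checked by the caller. Two smaller points: the message "X509 subject name is NULL" gives no hint of which certificate was being processed, and the new check covers only this else branch, so it is worth confirming that the ENABLE_X509ALTUSERNAME path above, which is not visible in this hunk, does not need the same guard.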