From patchwork Thu Nov 27 11:35:12 2025
X-Patchwork-Submitter: Gert Doering
X-Patchwork-Id: 4642
From: Gert Doering
To: openvpn-devel@lists.sourceforge.net
Date: Thu, 27 Nov 2025 12:35:12 +0100
Message-ID: <20251127113517.1352-1-gert@greenie.muc.de>
X-Mailer: git-send-email 2.51.2
Subject: [Openvpn-devel] [PATCH v2] extract_x509_field_ssl(): verify that X509_NAME is not NULL.

This seems to be unlikely to ever happen, but this check won't harm - as a
matter of coding convention, we do not ensure this inside
extract_x509_field_ssl(), but in the (single) caller.

While at it, fix pre-C99 local-variable indent block, and missing {} block
in else/#endif construction.
Reported-By: Joshua Rogers
Found-by: ZeroPath (https://zeropath.com/)
Change-Id: I1e9c7eee06bf5f2e8aed8cd2523684539294ac8b
Signed-off-by: Gert Doering
Acked-by: Antonio Quartulli
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1388
---
This change was reviewed on Gerrit and approved by at least one developer.
I request to merge it to master.

Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/1388
This mail reflects revision 2 of this Change.

Acked-by according to Gerrit (reflected above):
Antonio Quartulli

diff --git a/src/openvpn/ssl_verify_openssl.c b/src/openvpn/ssl_verify_openssl.c index 40d117b..6cb04ee 100644 --- a/src/openvpn/ssl_verify_openssl.c +++ b/src/openvpn/ssl_verify_openssl.c @@ -202,8 +202,8 @@ X509_NAME_ENTRY *x509ne = NULL; ASN1_STRING *asn1 = NULL; unsigned char *buf = NULL; - ASN1_OBJECT *field_name_obj = OBJ_txt2obj(field_name, 0); + ASN1_OBJECT *field_name_obj = OBJ_txt2obj(field_name, 0); if (field_name_obj == NULL) { msg(D_TLS_ERRORS, "Invalid X509 attribute name '%s'", field_name); @@ -244,11 +244,9 @@ strncpynt(out, (char *)buf, size); - { - const result_t ret = (strlen((char *)buf) < size) ? SUCCESS : FAILURE; - OPENSSL_free(buf); - return ret; - } + const result_t ret = (strlen((char *)buf) < size) ? SUCCESS : FAILURE; + OPENSSL_free(buf); + return ret; } result_t @@ -278,12 +276,21 @@ } else #endif /* ifdef ENABLE_X509ALTUSERNAME */ + { + X509_NAME *x509_subject_name = X509_get_subject_name(peer_cert); + if (x509_subject_name == NULL) + { + msg(D_TLS_ERRORS, "X509 subject name is NULL"); + return FAILURE; + } + if (FAILURE - == extract_x509_field_ssl(X509_get_subject_name(peer_cert), x509_username_field, + == extract_x509_field_ssl(x509_subject_name, x509_username_field, common_name, cn_len)) { return FAILURE; } + } return SUCCESS; }
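Review bot: in the @@ -202,8 +202,8 @@ hunk the `-`/`+` pair for `ASN1_OBJECT *field_name_obj = OBJ_txt2obj(field_name, 0);` differs only in whitespace, so it is the indentation cleanup the commit message alludes to rather than a functional change; naming that explicitly in the commit message ("re-indent field_name_obj declaration") would stop a reader from hunting for a semantic difference in this hunk.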
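Review bot: removing the inner `{ ... }` block around `const result_t ret = (strlen((char *)buf) < size) ? SUCCESS : FAILURE;` in the @@ -244,11 +244,9 @@ hunk preserves behaviour: `ret` is still evaluated from `buf` before `OPENSSL_free(buf);` runs, so the truncation check does not touch freed memory, and the FAILURE result on a truncated copy is unchanged. The one thing to confirm is that a declaration after the `strncpynt(out, (char *)buf, size);` statement is acceptable to every compiler the project supports, i.e. that C99 mixed declarations are already the baseline, which is what the commit message's "pre-C99" wording implies.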
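Review bot: the new `if (x509_subject_name == NULL)` guard in the @@ -278,12 +276,21 @@ hunk is defensive rather than a fix for a reachable crash, which matches the commit message's "unlikely to ever happen": OpenSSL's X509_get_subject_name() hands back the subject name embedded in the parsed certificate, so a NULL here would indicate a malformed X509 object, not a normal peer. Two suggestions: first, the log line `msg(D_TLS_ERRORS, "X509 subject name is NULL")` carries less context than the other error in this file (`"Invalid X509 attribute name '%s'"`), so mentioning the operation, e.g. "X509 subject name is NULL while extracting username field", makes the failure easier to correlate in logs; second, since the commit message states the NULL check lives in the single caller by convention, a one-line comment at the definition of extract_x509_field_ssl() saying the caller must pass a non-NULL X509_NAME would keep a future second caller from silently dropping the check. Wrapping the whole fallback path in `+ { ... + }` also gives the `else` / `#endif /* ifdef ENABLE_X509ALTUSERNAME */` construction a proper body in both configurations: with ENABLE_X509ALTUSERNAME it is the else branch, without it a plain compound statement, so `x509_subject_name` is scoped correctly either way.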