verify_peer_identity: Check for missing application specific data.

millert · millert · commit 3226ef7b3d66 · 2025-11-13T08:45:44.000-07:00
This should not be possible in practice since we always store the data point when peer verification is enabled. Found by the ZeroPath AI Security Engineer <https://zeropath.com>
diff --git a/logsrvd/tls_client.c b/logsrvd/tls_client.c
@@ -64,7 +64,7 @@ verify_peer_identity(int preverify_ok, X509_STORE_CTX *ctx)
 
     current_cert = X509_STORE_CTX_get_current_cert(ctx);
 
-    /* if pre-verification of the cert failed, just propagate that result back */
+    /* If pre-verification of the cert failed, just propagate that result back */
     if (preverify_ok != 1) {
         int err = X509_STORE_CTX_get_error(ctx);
         char current_cert_name[256] = "";
@@ -79,7 +79,7 @@ verify_peer_identity(int preverify_ok, X509_STORE_CTX *ctx)
 
     /*
      * Since this callback is called for each cert in the chain,
-     * check that current cert is the peer's certificate
+     * check that current cert is the peer's certificate.
      */
     peer_cert = X509_STORE_CTX_get0_cert(ctx);
     if (current_cert != peer_cert) {
@@ -88,7 +88,13 @@ verify_peer_identity(int preverify_ok, X509_STORE_CTX *ctx)
 
     /* Fetch the attached peer_info from the ssl connection object. */
     ssl = X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx());
+    if (ssl == NULL) {
+        debug_return_int(0);
+    }
     peer_info = SSL_get_ex_data(ssl, 1);
+    if (peer_info == NULL) {
+        debug_return_int(0);
+    }
 
     /* Validate the cert based on the host name and IP address. */
     result = validate_hostname(peer_cert, peer_info->name, peer_info->ipaddr);
diff --git a/plugins/sudoers/log_client.c b/plugins/sudoers/log_client.c
@@ -146,7 +146,7 @@ verify_peer_identity(int preverify_ok, X509_STORE_CTX *ctx)
 
     current_cert = X509_STORE_CTX_get_current_cert(ctx);
 
-    /* if pre-verification of the cert failed, just propagate that result back */
+    /* If pre-verification of the cert failed, just propagate that result back */
     if (preverify_ok != 1) {
         int err = X509_STORE_CTX_get_error(ctx);
         char current_cert_name[256] = "";
@@ -159,29 +159,29 @@ verify_peer_identity(int preverify_ok, X509_STORE_CTX *ctx)
         debug_return_int(0);
     }
 
-    /* since this callback is called for each cert in the chain,
-     * check that current cert is the peer's certificate
+    /*
+     * Since this callback is called for each cert in the chain,
+     * check that current cert is the peer's certificate.
      */
     peer_cert = X509_STORE_CTX_get0_cert(ctx);
-
     if (current_cert != peer_cert) {
         debug_return_int(1);
     }
 
-    /* read out the attached object (closure) from the ssl connection object */
+    /* Fetch the attached closure from the ssl connection object. */
     ssl = X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx());
+    if (ssl == NULL) {
+        debug_return_int(0);
+    }
     closure = SSL_get_ex_data(ssl, 1);
+    if (closure == NULL) {
+        debug_return_int(0);
+    }
 
     result = validate_hostname(peer_cert, closure->server_name,
 	closure->server_ip);
 
-    switch(result)
-    {
-        case MatchFound:
-            debug_return_int(1);
-        default:
-            debug_return_int(0);
-    }
+    debug_return_int(result == MatchFound);
 }
 
 static bool
