From dce27129b74f906e0d1c086858f360228d5cbc83 Mon Sep 17 00:00:00 2001
From: Dimitri Staessens
Date: Fri, 12 Jun 2026 20:26:27 +0200
Subject: irmd: Reject OAP peer crt with unusable CN Added checks for CN > NAME_SIZE.
Signed-off-by: Dimitri Staessens
Signed-off-by: Sander Vrijders
---
 src/irmd/oap/auth.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
(limited to 'src/irmd/oap/auth.c')
diff --git a/src/irmd/oap/auth.c b/src/irmd/oap/auth.c
index ebe1949b..60bd5f97 100644
--- a/src/irmd/oap/auth.c
+++ b/src/irmd/oap/auth.c
@@ -266,9 +266,13 @@ int oap_auth_peer(char * name,
 goto fail_pin;
 }
 
- if (crypt_get_crt_name(crt, name) < 0) {
- log_warn_id(id, "Failed to extract name from certificate.");
- name[0] = '\0';
+ ret = crypt_get_crt_name(crt, name);
+ if (ret < 0) {
+ if (ret == -ENAME)
+ log_err_id(id, "Certificate CN too long.");
+ else
+ log_err_id(id, "No name in certificate.");
+ goto fail_pin;
 }
 
 if (pin != NULL)
-- cgit v1.2.3
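Review bot: The new failure path after `crypt_get_crt_name()` drops the removed `name[0] = '\0';`, so on rejection `name` may hold whatever the helper wrote before it failed. Whether it writes anything on error is not visible here, but keeping `name[0] = '\0';` immediately before the added `goto fail_pin;` ensures no caller can pick up a partial or stale peer identity from the out-parameter. The `else` branch also reports every negative return other than `-ENAME` as "No name in certificate."; if the helper can fail for other reasons, logging the value of `ret` there would keep the message accurate for triage. The CN length check named in the commit message lives in `crypt_get_crt_name()`, outside this diff, and the body of `oap_auth_peer()` starts and ends outside the hunk.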