From 1855e3e6b59aadbce5b890562bacb9a41ebbe3b2 Mon Sep 17 00:00:00 2001
From: tb
Date: Tue, 25 Nov 2025 05:12:44 +0000
Subject: [PATCH] isakmpd: do not reach into ASN1_STRING for the SAN

ok beck millert
---
 sbin/isakmpd/x509.c | 17 +++++++++--------
 sbin/isakmpd/x509.h | 4 ++--
 2 files changed, 11 insertions(+), 10 deletions(-)

diff --git a/sbin/isakmpd/x509.c b/sbin/isakmpd/x509.c
index fae735d423b..107ac833e8f 100644
--- a/sbin/isakmpd/x509.c
+++ b/sbin/isakmpd/x509.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509.c,v 1.126 2024/04/28 16:43:42 florian Exp $ */
+/* $OpenBSD: x509.c,v 1.127 2025/11/25 05:12:44 tb Exp $ */
 /* $EOM: x509.c,v 1.54 2001/01/16 18:42:16 ho Exp $ */
 
 /*
@@ -1098,11 +1098,11 @@ x509_cert_obtain(u_int8_t *id, size_t id_len, void *data, u_int8_t **cert,
 
 /* Returns a pointer to the subjectAltName information of X509 certificate. */
 int
-x509_cert_subjectaltname(X509 *scert, u_int8_t **altname, u_int32_t *len)
+x509_cert_subjectaltname(X509 *scert, const u_int8_t **altname, u_int32_t *len)
 {
 X509_EXTENSION *subjectaltname;
 ASN1_OCTET_STRING *sanasn1data;
-u_int8_t *sandata;
+const u_int8_t *sandata;
 int extpos, santype, sanlen;
 
 extpos = X509_get_ext_by_NID(scert, NID_subject_alt_name, -1);
@@ -1114,14 +1114,15 @@ x509_cert_subjectaltname(X509 *scert, u_int8_t **altname, u_int32_t *len)
 subjectaltname = X509_get_ext(scert, extpos);
 sanasn1data = X509_EXTENSION_get_data(subjectaltname);
-if (!subjectaltname || !sanasn1data || !sanasn1data->data || sanasn1data->length < 4) {
+if (!subjectaltname || !sanasn1data || !ASN1_STRING_get0_data(sanasn1data) || ASN1_STRING_length(sanasn1data) < 4) {
 log_print("x509_cert_subjectaltname: invalid " "subjectaltname extension");
 return 0;
 }
 /* SSL does not handle unknown ASN stuff well, do it by hand. */
-sandata = sanasn1data->data;
+sandata = ASN1_STRING_get0_data(sanasn1data);
 santype = sandata[2] & 0x3f;
 sanlen = sandata[3];
 sandata += 4;
@@ -1131,7 +1132,7 @@ x509_cert_subjectaltname(X509 *scert, u_int8_t **altname, u_int32_t *len)
 * extra stuff in subjectAltName, so we will just take the first
 * salen bytes, and not worry about what follows.
 */
-if (sanlen + 4 > sanasn1data->length) {
+if (sanlen + 4 > ASN1_STRING_length(sanasn1data)) {
 log_print("x509_cert_subjectaltname: subjectaltname invalid " "length");
 return 0;
@@ -1148,7 +1149,7 @@ x509_cert_get_subjects(void *scert, int *cnt, u_int8_t ***id,
 X509 *cert = scert;
 X509_NAME *subject;
 int type;
-u_int8_t *altname;
+const u_int8_t *altname;
 u_int32_t altlen;
 u_int8_t *buf = 0;
 unsigned char *ubuf;
diff --git a/sbin/isakmpd/x509.h b/sbin/isakmpd/x509.h
index 3c33a3eb78c..befcf591868 100644
--- a/sbin/isakmpd/x509.h
+++ b/sbin/isakmpd/x509.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509.h,v 1.22 2007/08/05 09:43:09 tom Exp $ */
+/* $OpenBSD: x509.h,v 1.23 2025/11/25 05:12:44 tb Exp $ */
 /* $EOM: x509.h,v 1.11 2000/09/28 12:53:27 niklas Exp $ */
 
 /*
@@ -82,7 +82,7 @@ int x509_ca_count(void);
 char *x509_DN_string(u_int8_t *, size_t);
 int x509_cert_insert(int, void *);
-int x509_cert_subjectaltname(X509 * cert, u_char **, u_int *);
+int x509_cert_subjectaltname(X509 * cert, const u_char **, u_int *);
 X509 *x509_from_asn(u_char *, u_int);
 int x509_generate_kn(int, X509 *);
 int x509_read_from_dir(X509_STORE *, char *, int, int *);
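Review bot: The hand parse kept by the @@ -1114 hunk, `santype = sandata[2] & 0x3f; sanlen = sandata[3];`, still assumes short-form DER lengths at sandata[1] and sandata[3]; a subjectAltName whose SEQUENCE or first GeneralName is 128 bytes or longer carries a long-form length octet there, so santype and sanlen are read from the wrong bytes, and while the `sanlen + 4 > ASN1_STRING_length(sanasn1data)` check in the @@ -1131 hunk keeps the access in bounds, the misparse is silent. This is pre-existing and not what the commit is about, but since these lines are being touched it would be worth either rejecting the case explicitly after the length check, `if ((sandata[1] & 0x80) || (sandata[3] & 0x80)) { log_print("x509_cert_subjectaltname: unsupported subjectAltName encoding"); return 0; }`, or at least extending the existing `/* SSL does not handle unknown ASN stuff well, do it by hand. */` comment with `/* Assumes short-form lengths: sandata[1] < 0x80 and sandata[3] < 0x80. */`. Separately, the x509.h prototype now reads `const u_char **, u_int *` while the definition in x509.c uses `const u_int8_t **, u_int32_t *`; on OpenBSD these resolve to the same types, but spelling them identically would make the header easier to check against the definition. The body of x509_cert_subjectaltname continues outside these hunks.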