[crypto] Fix debug name for empty certificate chain validators

An attempt to use a validator for an empty certificate chain will
correctly fail the overall validation with the "empty certificate
chain" error propagated from x509_auto_append().

In a debug build, the call to validator_name() will attempt to call
x509_name() on a non-existent certificate, resulting in garbage in the
debug message.

Fix by checking for the special case of an empty certificate chain.

This issue does not affect non-debug builds, since validator_name() is
(as per its description) called only for debug messages.

Signed-off-by: Michael Brown <mcb30@ipxe.org>

diff --git a/src/net/validator.c b/src/net/validator.c
index 69c0df333c2ef5b170425181fe1d260b8bb36c5d..e1371d2e6b1f1e9a570cb4ee8d5f3fe457ab9bcd 100644 (file)
--- a/src/net/validator.c
+++ b/src/net/validator.c
@@ -135,9 +135,11 @@ struct validator {
  * @ret name           Validator name
  */
 static const char * validator_name ( struct validator *validator ) {
+       struct x509_certificate *cert;
 
-       /* Use name of first certificate in chain */
-       return x509_name ( x509_first ( validator->chain ) );
+       /* Use name of first certificate in chain, if present */
+       cert = x509_first ( validator->chain );
+       return ( cert ? x509_name ( cert ) : "<empty>" );
 }
 
 /**