From 6894e20b50c1204bfc990093b4e7ccd10f92865d Mon Sep 17 00:00:00 2001
From: =?utf8?q?Tobias=20Nie=C3=9Fen?=
Date: Mon, 29 Nov 2021 03:41:20 +0000
Subject: [PATCH] Fix infinite verification loops due to has_san_id

Where name constraints apply, X509_verify() would incorrectly report an
internal error in the event that a certificate has no SAN extension.

CVE-2021-4044

Reviewed-by: Tomas Mraz
Reviewed-by: Matt Caswell
---
 crypto/x509/x509_vfy.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index 7221bbe050e..8ab6381daf3 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -630,7 +630,7 @@ static int has_san_id(X509 *x, int gtype)
     GENERAL_NAMES *gs = X509_get_ext_d2i(x, NID_subject_alt_name, NULL, NULL);
 
     if (gs == NULL)
-        return 0;
+        return 0;
 
     for (i = 0; i < sk_GENERAL_NAME_num(gs); i++) {
         GENERAL_NAME *g = sk_GENERAL_NAME_value(gs, i);
-- 
2.47.2
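Review bot: The `gs == NULL` test on the context line above the changed return cannot distinguish "no SAN extension" from "SAN extension present but undecodable", because `X509_get_ext_d2i` is called with `crit` as NULL and reports both cases by returning NULL; after this change a malformed SAN is therefore treated as "no id of this type" (0) rather than as an error, which is a silent-failure path worth making deliberate. If I recall the API correctly, the `crit` out-parameter is set to -1 only when the extension is absent, so the two cases can be separated with `int crit = -1;`, `GENERAL_NAMES *gs = X509_get_ext_d2i(x, NID_subject_alt_name, &crit, NULL);` and `if (gs == NULL) return crit == -1 ? 0 : -1;` — confirm against the X509V3_get_d2i documentation before adopting. Whether -1 is the right result for a malformed SAN also depends on how the caller's name-constraint check maps it, which is outside this hunk. The body of has_san_id, including the declaration of `i`, starts before and ends after the hunk.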