Skip to content

Commit

Permalink
Browse files Browse the repository at this point in the history
[crypto] Fail fast if cross-certificate source is empty
In fully self-contained deployments it may be desirable to build iPXE
with an empty CROSSCERT source to avoid talking to external services.

Add an explicit check for this case and make validator_start_download
fail immediately if the base URI is empty.

Signed-off-by: Ladi Prosek <lprosek@redhat.com>
Modified-by: Michael Brown <mcb30@ipxe.org>
Signed-off-by: Michael Brown <mcb30@ipxe.org>
  • Loading branch information
ladipro authored and mcb30 committed Sep 24, 2017
1 parent 74d90b3 commit 0631a46
Showing 1 changed file with 5 additions and 0 deletions.
5 changes: 5 additions & 0 deletions src/net/validator.c
Expand Up @@ -239,6 +239,10 @@ static int validator_start_download ( struct validator *validator,
/* Determine cross-signed certificate source */
fetch_string_setting_copy ( NULL, &crosscert_setting, &crosscert_copy );
crosscert = ( crosscert_copy ? crosscert_copy : crosscert_default );
if ( ! crosscert[0] ) {
rc = -EINVAL;
goto err_check_uri_string;
}

/* Allocate URI string */
uri_string_len = ( strlen ( crosscert ) + 22 /* "/%08x.der?subject=" */
Expand Down Expand Up @@ -277,6 +281,7 @@ static int validator_start_download ( struct validator *validator,
err_open_uri_string:
free ( uri_string );
err_alloc_uri_string:
err_check_uri_string:
free ( crosscert_copy );
return rc;
}
Expand Down

0 comments on commit 0631a46

Please sign in to comment.