Browse Source

[crypto] Fail fast if cross-certificate source is empty

In fully self-contained deployments it may be desirable to build iPXE
with an empty CROSSCERT source to avoid talking to external services.

Add an explicit check for this case and make validator_start_download
fail immediately if the base URI is empty.

Signed-off-by: Ladi Prosek <lprosek@redhat.com>
Modified-by: Michael Brown <mcb30@ipxe.org>
Signed-off-by: Michael Brown <mcb30@ipxe.org>
tags/v1.20.1
Ladi Prosek 7 years ago
parent
commit
0631a46a94
1 changed files with 5 additions and 0 deletions
  1. 5
    0
      src/net/validator.c

+ 5
- 0
src/net/validator.c View File

@@ -239,6 +239,10 @@ static int validator_start_download ( struct validator *validator,
239 239
 	/* Determine cross-signed certificate source */
240 240
 	fetch_string_setting_copy ( NULL, &crosscert_setting, &crosscert_copy );
241 241
 	crosscert = ( crosscert_copy ? crosscert_copy : crosscert_default );
242
+	if ( ! crosscert[0] ) {
243
+		rc = -EINVAL;
244
+		goto err_check_uri_string;
245
+	}
242 246
 
243 247
 	/* Allocate URI string */
244 248
 	uri_string_len = ( strlen ( crosscert ) + 22 /* "/%08x.der?subject=" */
@@ -277,6 +281,7 @@ static int validator_start_download ( struct validator *validator,
277 281
  err_open_uri_string:
278 282
 	free ( uri_string );
279 283
  err_alloc_uri_string:
284
+ err_check_uri_string:
280 285
 	free ( crosscert_copy );
281 286
 	return rc;
282 287
 }

Loading…
Cancel
Save