diff --git a/programs/pluto/nss_cert_verify.c b/programs/pluto/nss_cert_verify.c index 32cd1b01ac..51998cab9c 100644 --- a/programs/pluto/nss_cert_verify.c +++ b/programs/pluto/nss_cert_verify.c @@ -405,16 +405,23 @@ static void add_decoded_cert(CERTCertDBHandle *handle, */ if (is_fips_mode()) { SECKEYPublicKey *pk = CERT_ExtractPublicKey(cert); - passert(pk != NULL); - unsigned key_bit_size = pk->u.rsa.modulus.len * BITS_IN_BYTE; - if (pk->keyType == rsaKey && key_bit_size < FIPS_MIN_RSA_KEY_SIZE) { - llog(RC_LOG, logger, - "FIPS: rejecting peer cert with key size %u under %u: %s", - key_bit_size, FIPS_MIN_RSA_KEY_SIZE, - cert->subjectName); - SECKEY_DestroyPublicKey(pk); - CERT_DestroyCertificate(cert); - return; + if (pk == NULL) { + llog_nss_error(RC_LOG, logger, + "extracting certificate public key using CERT_ExtractPublicKey() failed"); + return; + } + + if (pk->keyType == rsaKey) { + unsigned key_bit_size = pk->u.rsa.modulus.len * BITS_IN_BYTE; + if (key_bit_size < FIPS_MIN_RSA_KEY_SIZE) { + llog(RC_LOG, logger, + "FIPS: rejecting peer cert with key size %u under %u: %s", + key_bit_size, FIPS_MIN_RSA_KEY_SIZE, + cert->subjectName); + SECKEY_DestroyPublicKey(pk); + CERT_DestroyCertificate(cert); + return; + } } SECKEY_DestroyPublicKey(pk); } diff --git a/lib/libswan/x509dn.c b/lib/libswan/x509dn.c index 9029167fee..e13585d942 100644 --- a/lib/libswan/x509dn.c +++ b/lib/libswan/x509dn.c @@ -382,6 +382,7 @@ static err_t format_dn(struct jambuf *buf, asn1_t dn, * #BER. */ (nss_compatible && + value_content.len > 0 && ((const char*)value_content.ptr)[0] == '#')) { /* BER */ s += jam_string(buf, "#");