From: Claudio Jeker
Subject: Re: [diff] httpd: pass through dn from tls client cert to fcgi
To: Jack Burton
Cc: Jan Klemkow, tech@openbsd.org
Date: Thu, 30 Apr 2026 13:45:43 +0200

On Thu, Apr 30, 2026 at 08:39:19PM +0930, Jack Burton wrote:
> On Thu, 30 Apr 2026 10:36:10 +0200
> Claudio Jeker wrote:
> > On Thu, Apr 30, 2026 at 03:26:20PM +0930, Jack Burton wrote:
> > > On Wed, 29 Apr 2026 21:49:29 +0200
> > + }
> > > + if (tls_peer_cert_provided(clt->clt_tls_ctx)) {
> > > + dn =
> > > tls_peer_cert_subject(clt->clt_tls_ctx);
> > > + if (dn != NULL && fcgi_add_param(¶m,
> > > + "TLS_PEER_SUBJECT", dn, clt) == -1) {
> > > + errstr = "failed to encode param";
> > > + goto fail;
> > > + }
> > > }
> > > }
> >
> > Is it really an error if dn == NULL or should the code simply omit
> > adding the TLS_PEER_SUBJECT?
>
> dn == NULL does not trigger an error. In that case (dn != NULL) is
> false so the goto statement is never reached.
>
> Perhaps it would be more readable with a single conditional statement
> instead of two.

I blame lack of sleep and not reading the code carefully enough.
I often trip over
	if (foo != NULL && xyz(foo) == -1)
		fail hard;
statements because the logic is a bit twisted.

In general splitting this up makes it more legible to me:
	if (foo != NULL) {
		if (xyz(foo) == -1)
			fail hard;
	}

I do the same error myself and build complex if statements and later on I
trip over them in the same way.

> How's this?

No, for me that is worse.

--
:wq Claudio
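Review bot: In the `if (dn != NULL && fcgi_add_param(...) == -1)` test, a NULL return from tls_peer_cert_subject() silently drops TLS_PEER_SUBJECT even though tls_peer_cert_provided() was true, and nothing in the hunk says that this is intended. Nesting the call as `if (dn != NULL) { if (fcgi_add_param(...) == -1) ... }` would make the two outcomes (omit the param, fail the request) visibly distinct. A short comment stating that the param is left out when no subject is available would tell FastCGI application authors that a missing TLS_PEER_SUBJECT has to be treated as no client identity. The errstr "failed to encode param" also does not say which param failed; naming TLS_PEER_SUBJECT there would help when reading the logs.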