Remove asserts from addr_validate_path_internal()

This is reachable from x509_verify(), but all asserts are previously checked in the caller. Turn them into error checks and make sure the error is set on the X509_STORE_CTX if present. Change some stack == NULL || sk_num(stack) == 0 checks into sk_num(stack) <= 0 which is equivalent but simpler. ok jsing
author: tb <> 2021-12-24 02:02:37 +0000
committer: tb <> 2021-12-24 02:02:37 +0000
commit: 2a6ad3d378214786ed277d168beba46710d74207 (patch)
tree: 7f0b1ddac23fd280bfd1d94d754267f5d34c7852 /src
parent: 41baa1b274bc3870ce7bbce17b23f6e0820a1a93 (diff)
download: openbsd-2a6ad3d378214786ed277d168beba46710d74207.tar.gz
openbsd-2a6ad3d378214786ed277d168beba46710d74207.tar.bz2
openbsd-2a6ad3d378214786ed277d168beba46710d74207.zip
1 files changed, 19 insertions, 9 deletions
diff --git a/src/lib/libcrypto/x509/x509_addr.c b/src/lib/libcrypto/x509/x509_addr.c
index 894dfff501..5512f310e1 100644
--- a/src/lib/libcrypto/x509/x509_addr.c
+++ b/src/lib/libcrypto/x509/x509_addr.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: x509_addr.c,v 1.23 2021/12/24 01:56:08 tb Exp $ */
+/*      $OpenBSD: x509_addr.c,v 1.24 2021/12/24 02:02:37 tb Exp $ */
 /*
 * Contributed to the OpenSSL Project by the American Registry for
 * Internet Numbers ("ARIN").
@@ -1493,9 +1493,15 @@ addr_validate_path_internal(X509_STORE_CTX *ctx, STACK_OF(X509)*chain,
        int i, j, ret = 1;
        X509 *x;
-        OPENSSL_assert(chain != NULL && sk_X509_num(chain) > 0);
+        /* We need a non-empty chain to test against. */
-        OPENSSL_assert(ctx != NULL || ext != NULL);
+        if (sk_X509_num(chain) <= 0)
-        OPENSSL_assert(ctx == NULL || ctx->verify_cb != NULL);
+                goto err;
+        /* We need either a store ctx or an extension to work with. */
+        if (ctx == NULL && ext == NULL)
+                goto err;
+        /* If there is a store ctx, it needs a verify_cb. */
+        if (ctx != NULL && ctx->verify_cb == NULL)
+                goto err;
        /*
         * Figure out where to start. If we don't have an extension to check,
@@ -1588,6 +1594,12 @@ addr_validate_path_internal(X509_STORE_CTX *ctx, STACK_OF(X509)*chain,
 done:
        sk_IPAddressFamily_free(child);
        return ret;
+ err:
+        if (ctx != NULL)
+                ctx->error = X509_V_ERR_UNSPECIFIED;
+        return 0;
 }
 #undef validation_err
@@ -1598,9 +1610,7 @@ addr_validate_path_internal(X509_STORE_CTX *ctx, STACK_OF(X509)*chain,
 int
 X509v3_addr_validate_path(X509_STORE_CTX *ctx)
 {
-        if (ctx->chain == NULL ||
+        if (sk_X509_num(ctx->chain) <= 0 || ctx->verify_cb == NULL) {
-            sk_X509_num(ctx->chain) == 0 ||
-            ctx->verify_cb == NULL) {
                ctx->error = X509_V_ERR_UNSPECIFIED;
                return 0;
        }
@@ -1612,12 +1622,12 @@ X509v3_addr_validate_path(X509_STORE_CTX *ctx)
 * Test whether chain covers extension.
 */
 int
-X509v3_addr_validate_resource_set(STACK_OF(X509)*chain, IPAddrBlocks *ext,
+X509v3_addr_validate_resource_set(STACK_OF(X509) *chain, IPAddrBlocks *ext,
    int allow_inheritance)
 {
        if (ext == NULL)
                return 1;
-        if (chain == NULL || sk_X509_num(chain) == 0)
+        if (sk_X509_num(chain) <= 0)
                return 0;
        if (!allow_inheritance && X509v3_addr_inherits(ext))
                return 0;
author	tb <>	2021-12-24 02:02:37 +0000
committer	tb <>	2021-12-24 02:02:37 +0000
commit	2a6ad3d378214786ed277d168beba46710d74207 (patch)
tree	7f0b1ddac23fd280bfd1d94d754267f5d34c7852 /src
parent	41baa1b274bc3870ce7bbce17b23f6e0820a1a93 (diff)
download	openbsd-2a6ad3d378214786ed277d168beba46710d74207.tar.gz openbsd-2a6ad3d378214786ed277d168beba46710d74207.tar.bz2 openbsd-2a6ad3d378214786ed277d168beba46710d74207.zip