authorbeck <>2023-04-27 16:12:08 +0000
committerbeck <>2023-04-27 16:12:08 +0000
commit74349f45383b238069c51062b033d10e40dc5a19 (patch)
tree26cedc3074742f49ff8c219acd35e7a3b5a976e4 /src
parent3b4f859c981e38d8a19b0eb9ad8223d7482f6373 (diff)
Convert size_t's used in conjuction with sk_X509_num back to int.
This lets the regress in x509/policy pass instead of infinite looping. The changes are necessary because our sk_num() returns an int with 0 for empty and -1 for NULL, whereas BoringSSL's returns a size_t with 0 for both an empty stack and a NULL stack. pair work with tb@ ok tb@ jsing@
Diffstat (limited to 'src')
-rw-r--r--src/lib/libcrypto/x509/x509_policy.c24
1 files changed, 12 insertions, 12 deletions
diff --git a/src/lib/libcrypto/x509/x509_policy.c b/src/lib/libcrypto/x509/x509_policy.c
index 3a3a7555ca..a1a8e5e60e 100644
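--- a/src/lib/libcrypto/x509/x509_policy.c
+++ b/src/lib/libcrypto/x509/x509_policy.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_policy.c,v 1.14 2023/04/27 08:07:26 tb Exp $ */
+/* $OpenBSD: x509_policy.c,v 1.15 2023/04/27 16:12:08 beck Exp $ */
 /*
  * Copyright (c) 2022, Google Inc.
  *
@@ -266,7 +266,7 @@ x509_policy_level_is_empty(const X509_POLICY_LEVEL *level)
 static void
 x509_policy_level_clear(X509_POLICY_LEVEL *level)
 {
- size_t i;
+ int i;
 
  level->has_any_policy = 0;
  for (i = 0; i < sk_X509_POLICY_NODE_num(level->nodes); i++) {
@@ -306,7 +306,7 @@ static int
 x509_policy_level_add_nodes(X509_POLICY_LEVEL *level,
  STACK_OF(X509_POLICY_NODE) *nodes)
 {
- size_t i;
+ int i;
 
  for (i = 0; i < sk_X509_POLICY_NODE_num(nodes); i++) {
  X509_POLICY_NODE *node = sk_X509_POLICY_NODE_value(nodes, i);
@@ -362,7 +362,7 @@ process_certificate_policies(const X509 *x509,
  X509_POLICY_LEVEL *level,
  int any_policy_allowed)
 {
- size_t i;
+ int i;
  int ret = 0;
  int critical;
 
@@ -517,7 +517,7 @@ process_policy_mappings(const X509 *cert,
  X509_POLICY_LEVEL *level,
  int mapping_allowed)
 {
- size_t i;
+ int i;
  int ok = 0;
  int critical;
  STACK_OF(X509_POLICY_NODE) *new_nodes = NULL;
@@ -772,13 +772,13 @@ static int
 has_explicit_policy(STACK_OF(X509_POLICY_LEVEL) *levels,
  const STACK_OF(ASN1_OBJECT) *user_policies)
 {
- size_t i, j, k;
+ int i, j, k;
 
  assert(user_policies == NULL ||
  sk_ASN1_OBJECT_is_sorted(user_policies));
 
  /* Step (g.i). If the policy graph is empty, the intersection is empty. */
- size_t num_levels = sk_X509_POLICY_LEVEL_num(levels);
+ int num_levels = sk_X509_POLICY_LEVEL_num(levels);
  X509_POLICY_LEVEL *level = sk_X509_POLICY_LEVEL_value(levels,
  num_levels - 1);
  if (x509_policy_level_is_empty(level))
@@ -789,7 +789,7 @@ has_explicit_policy(STACK_OF(X509_POLICY_LEVEL) *levels,
  * anyPolicy value. The caller may also have supplied anyPolicy
  * explicitly.
  */
- int user_has_any_policy = sk_ASN1_OBJECT_num(user_policies) == 0;
+ int user_has_any_policy = sk_ASN1_OBJECT_num(user_policies) <= 0;
  for (i = 0; i < sk_ASN1_OBJECT_num(user_policies); i++) {
  if (is_any_policy(sk_ASN1_OBJECT_value(user_policies, i))) {
  user_has_any_policy = 1;
@@ -821,7 +821,7 @@ has_explicit_policy(STACK_OF(X509_POLICY_LEVEL) *levels,
  for (i = 0; i < sk_X509_POLICY_NODE_num(level->nodes); i++)
  sk_X509_POLICY_NODE_value(level->nodes, i)->reachable = 1;
 
- for (i = num_levels - 1; i < num_levels; i--) {
+ for (i = num_levels - 1; i >= 0; i--) {
  level = sk_X509_POLICY_LEVEL_value(levels, i);
  for (j = 0; j < sk_X509_POLICY_NODE_num(level->nodes);
  j++) {
@@ -882,8 +882,8 @@ X509_policy_check(const STACK_OF(X509) *certs,
  X509_POLICY_LEVEL *level = NULL;
  STACK_OF(X509_POLICY_LEVEL) *levels = NULL;
  STACK_OF(ASN1_OBJECT) *user_policies_sorted = NULL;
- size_t num_certs = sk_X509_num(certs);
- size_t i;
+ int num_certs = sk_X509_num(certs);
+ int i;
 
  /* Skip policy checking if the chain is just the trust anchor. */
  if (num_certs <= 1)
@@ -901,7 +901,7 @@ X509_policy_check(const STACK_OF(X509) *certs,
  if (levels == NULL)
  goto err;
 
- for (i = num_certs - 2; i < num_certs; i--) {
+ for (i = num_certs - 2; i >= 0; i--) {
  X509 *cert = sk_X509_value(certs, i);
  if (!x509v3_cache_extensions(cert))
  goto err;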
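Review bot: In X509_policy_check, `int num_certs = sk_X509_num(certs)` is now -1 for a NULL stack, so the `if (num_certs <= 1)` test meant for a trust-anchor-only chain also takes a NULL `certs` down the skip-policy-checking path. The branch body lies outside the hunk, so the result cannot be confirmed here, but if it reports success then a missing chain passes silently. If callers can never pass NULL, a comment such as `/* sk_X509_num() is -1 for NULL; callers guarantee a non-NULL chain */` would record that; otherwise an explicit `if (num_certs < 0) goto err;` ahead of the skip would fail closed. The same signed result gives `sk_X509_POLICY_LEVEL_value(levels, num_levels - 1)` in has_explicit_policy a negative index for a NULL or empty `levels`, and the returned pointer goes to x509_policy_level_is_empty() with no NULL check visible in the hunk, so that precondition deserves a comment too.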