Revert previous. The commit contained more than intended.

author: tb <> 2021-12-24 02:17:27 +0000
committer: tb <> 2021-12-24 02:17:27 +0000
commit: fa15e1fb558c746f8f8e71d2bce4500950cbea04 (patch)
tree: 5eb8d9cb67ee338d1a239a8482465efa5a308b56 /src
parent: 5f20e4d06b4c24bf12b9027a91e9d8a3de6b6c62 (diff)
download: openbsd-fa15e1fb558c746f8f8e71d2bce4500950cbea04.tar.gz
openbsd-fa15e1fb558c746f8f8e71d2bce4500950cbea04.tar.bz2
openbsd-fa15e1fb558c746f8f8e71d2bce4500950cbea04.zip
1 files changed, 14 insertions, 25 deletions
diff --git a/src/lib/libcrypto/x509/x509_asid.c b/src/lib/libcrypto/x509/x509_asid.c
index 216fd610c2..3fdacb711f 100644
--- a/src/lib/libcrypto/x509/x509_asid.c
+++ b/src/lib/libcrypto/x509/x509_asid.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: x509_asid.c,v 1.23 2021/12/24 02:12:31 tb Exp $ */
+/*      $OpenBSD: x509_asid.c,v 1.24 2021/12/24 02:17:27 tb Exp $ */
 /*
 * Contributed to the OpenSSL Project by the American Registry for
 * Internet Numbers ("ARIN").
@@ -474,6 +474,8 @@ X509v3_asid_add_id_or_range(ASIdentifiers *asid, int which, ASN1_INTEGER *min,
 static int
 extract_min_max(ASIdOrRange *aor, ASN1_INTEGER **min, ASN1_INTEGER **max)
 {
+        OPENSSL_assert(aor != NULL);
        switch (aor->type) {
        case ASIdOrRange_id:
                *min = aor->u.id;
@@ -649,8 +651,7 @@ ASIdentifierChoice_canonize(ASIdentifierChoice *choice)
                /*
                 * Make sure we're properly sorted (paranoia).
                 */
-                if (ASN1_INTEGER_cmp(a_min, b_min) > 0)
+                OPENSSL_assert(ASN1_INTEGER_cmp(a_min, b_min) <= 0);
-                        goto done;
                /*
                 * Punt inverted ranges.
@@ -737,8 +738,7 @@ ASIdentifierChoice_canonize(ASIdentifierChoice *choice)
        }
        /* Paranoia */
-        if (!ASIdentifierChoice_is_canonical(choice))
+        OPENSSL_assert(ASIdentifierChoice_is_canonical(choice));
-                goto done;
        ret = 1;
@@ -979,22 +979,16 @@ X509v3_asid_subset(ASIdentifiers *a, ASIdentifiers *b)
 * Core code for RFC 3779 3.3 path validation.
 */
 static int
-asid_validate_path_internal(X509_STORE_CTX *ctx, STACK_OF(X509) *chain,
+asid_validate_path_internal(X509_STORE_CTX *ctx, STACK_OF(X509)*chain,
    ASIdentifiers *ext)
 {
        ASIdOrRanges *child_as = NULL, *child_rdi = NULL;
        int i, ret = 1, inherit_as = 0, inherit_rdi = 0;
        X509 *x;
-        /* We need a non-empty chain to test against. */
+        OPENSSL_assert(chain != NULL && sk_X509_num(chain) > 0);
-        if (sk_X509_num(chain) <= 0)
+        OPENSSL_assert(ctx != NULL || ext != NULL);
-                goto err;
+        OPENSSL_assert(ctx == NULL || ctx->verify_cb != NULL);
-        /* We need either a store ctx or an extension to work with. */
-        if (ctx == NULL && ext == NULL)
-                goto err;
-        /* If there is a store ctx, it needs a verify_cb. */
-        if (ctx != NULL && ctx->verify_cb == NULL)
-                goto err;
        /*
         * Figure out where to start.  If we don't have an extension to
@@ -1039,6 +1033,7 @@ asid_validate_path_internal(X509_STORE_CTX *ctx, STACK_OF(X509) *chain,
         */
        for (i++; i < sk_X509_num(chain); i++) {
                x = sk_X509_value(chain, i);
+                OPENSSL_assert(x != NULL);
                if (x->rfc3779_asid == NULL) {
                        if (child_as != NULL || child_rdi != NULL)
@@ -1085,9 +1080,7 @@ asid_validate_path_internal(X509_STORE_CTX *ctx, STACK_OF(X509) *chain,
        /*
         * Trust anchor can't inherit.
         */
+        OPENSSL_assert(x != NULL);
-        if (x == NULL)
-                goto err;
        if (x->rfc3779_asid != NULL) {
                if (x->rfc3779_asid->asnum != NULL &&
@@ -1100,12 +1093,6 @@ asid_validate_path_internal(X509_STORE_CTX *ctx, STACK_OF(X509) *chain,
 done:
        return ret;
- err:
-        if (ctx != NULL)
-                ctx->error = X509_V_ERR_UNSPECIFIED;
-        return 0;
 }
 #undef validation_err
@@ -1116,7 +1103,9 @@ asid_validate_path_internal(X509_STORE_CTX *ctx, STACK_OF(X509) *chain,
 int
 X509v3_asid_validate_path(X509_STORE_CTX *ctx)
 {
-        if (sk_X509_num(ctx->chain) <= 0 || ctx->verify_cb == NULL) {
+        if (ctx->chain == NULL ||
+            sk_X509_num(ctx->chain) == 0 ||
+            ctx->verify_cb == NULL) {
                ctx->error = X509_V_ERR_UNSPECIFIED;
                return 0;
        }
author	tb <>	2021-12-24 02:17:27 +0000
committer	tb <>	2021-12-24 02:17:27 +0000
commit	fa15e1fb558c746f8f8e71d2bce4500950cbea04 (patch)
tree	5eb8d9cb67ee338d1a239a8482465efa5a308b56 /src
parent	5f20e4d06b4c24bf12b9027a91e9d8a3de6b6c62 (diff)
download	openbsd-fa15e1fb558c746f8f8e71d2bce4500950cbea04.tar.gz openbsd-fa15e1fb558c746f8f8e71d2bce4500950cbea04.tar.bz2 openbsd-fa15e1fb558c746f8f8e71d2bce4500950cbea04.zip

diff --git a/src/lib/libcrypto/x509/x509_asid.c b/src/lib/libcrypto/x509/x509_asid.c index 216fd610c2..3fdacb711f 100644 --- a/src/lib/libcrypto/x509/x509_asid.c +++ b/src/lib/libcrypto/x509/x509_asid.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: x509_asid.c,v 1.23 2021/12/24 02:12:31 tb Exp $ */	1	/* $OpenBSD: x509_asid.c,v 1.24 2021/12/24 02:17:27 tb Exp $ */
2	/*	2	/*
3	* Contributed to the OpenSSL Project by the American Registry for	3	* Contributed to the OpenSSL Project by the American Registry for
4	* Internet Numbers ("ARIN").	4	* Internet Numbers ("ARIN").
@@ -474,6 +474,8 @@ X509v3_asid_add_id_or_range(ASIdentifiers asid, int which, ASN1_INTEGER min,
474	static int	474	static int
475	extract_min_max(ASIdOrRange aor, ASN1_INTEGER min, ASN1_INTEGER *max)	475	extract_min_max(ASIdOrRange aor, ASN1_INTEGER min, ASN1_INTEGER *max)
476	{	476	{
		477	OPENSSL_assert(aor != NULL);
		478
477	switch (aor->type) {	479	switch (aor->type) {
478	case ASIdOrRange_id:	480	case ASIdOrRange_id:
479	*min = aor->u.id;	481	*min = aor->u.id;
@@ -649,8 +651,7 @@ ASIdentifierChoice_canonize(ASIdentifierChoice *choice)
649	/*	651	/*
650	* Make sure we're properly sorted (paranoia).	652	* Make sure we're properly sorted (paranoia).
651	*/	653	*/
652	if (ASN1_INTEGER_cmp(a_min, b_min) > 0)	654	OPENSSL_assert(ASN1_INTEGER_cmp(a_min, b_min) <= 0);
653	goto done;
654		655
655	/*	656	/*
656	* Punt inverted ranges.	657	* Punt inverted ranges.
@@ -737,8 +738,7 @@ ASIdentifierChoice_canonize(ASIdentifierChoice *choice)
737	}	738	}
738		739
739	/* Paranoia */	740	/* Paranoia */
740	if (!ASIdentifierChoice_is_canonical(choice))	741	OPENSSL_assert(ASIdentifierChoice_is_canonical(choice));
741	goto done;
742		742
743	ret = 1;	743	ret = 1;
744		744
@@ -979,22 +979,16 @@ X509v3_asid_subset(ASIdentifiers a, ASIdentifiers b)
979	* Core code for RFC 3779 3.3 path validation.	979	* Core code for RFC 3779 3.3 path validation.
980	*/	980	*/
981	static int	981	static int
982	asid_validate_path_internal(X509_STORE_CTX ctx, STACK_OF(X509) chain,	982	asid_validate_path_internal(X509_STORE_CTX ctx, STACK_OF(X509)chain,
983	ASIdentifiers *ext)	983	ASIdentifiers *ext)
984	{	984	{
985	ASIdOrRanges child_as = NULL, child_rdi = NULL;	985	ASIdOrRanges child_as = NULL, child_rdi = NULL;
986	int i, ret = 1, inherit_as = 0, inherit_rdi = 0;	986	int i, ret = 1, inherit_as = 0, inherit_rdi = 0;
987	X509 *x;	987	X509 *x;
988		988
989	/* We need a non-empty chain to test against. */	989	OPENSSL_assert(chain != NULL && sk_X509_num(chain) > 0);
990	if (sk_X509_num(chain) <= 0)	990	OPENSSL_assert(ctx != NULL \|\| ext != NULL);
991	goto err;	991	OPENSSL_assert(ctx == NULL \|\| ctx->verify_cb != NULL);
992	/* We need either a store ctx or an extension to work with. */
993	if (ctx == NULL && ext == NULL)
994	goto err;
995	/* If there is a store ctx, it needs a verify_cb. */
996	if (ctx != NULL && ctx->verify_cb == NULL)
997	goto err;
998		992
999	/*	993	/*
1000	* Figure out where to start. If we don't have an extension to	994	* Figure out where to start. If we don't have an extension to
@@ -1039,6 +1033,7 @@ asid_validate_path_internal(X509_STORE_CTX ctx, STACK_OF(X509) chain,
1039	*/	1033	*/
1040	for (i++; i < sk_X509_num(chain); i++) {	1034	for (i++; i < sk_X509_num(chain); i++) {
1041	x = sk_X509_value(chain, i);	1035	x = sk_X509_value(chain, i);
		1036	OPENSSL_assert(x != NULL);
1042		1037
1043	if (x->rfc3779_asid == NULL) {	1038	if (x->rfc3779_asid == NULL) {
1044	if (child_as != NULL \|\| child_rdi != NULL)	1039	if (child_as != NULL \|\| child_rdi != NULL)
@@ -1085,9 +1080,7 @@ asid_validate_path_internal(X509_STORE_CTX ctx, STACK_OF(X509) chain,
1085	/*	1080	/*
1086	* Trust anchor can't inherit.	1081	* Trust anchor can't inherit.
1087	*/	1082	*/
1088		1083	OPENSSL_assert(x != NULL);
1089	if (x == NULL)
1090	goto err;
1091		1084
1092	if (x->rfc3779_asid != NULL) {	1085	if (x->rfc3779_asid != NULL) {
1093	if (x->rfc3779_asid->asnum != NULL &&	1086	if (x->rfc3779_asid->asnum != NULL &&
@@ -1100,12 +1093,6 @@ asid_validate_path_internal(X509_STORE_CTX ctx, STACK_OF(X509) chain,
1100		1093
1101	done:	1094	done:
1102	return ret;	1095	return ret;
1103
1104	err:
1105	if (ctx != NULL)
1106	ctx->error = X509_V_ERR_UNSPECIFIED;
1107
1108	return 0;
1109	}	1096	}
1110		1097
1111	#undef validation_err	1098	#undef validation_err
@@ -1116,7 +1103,9 @@ asid_validate_path_internal(X509_STORE_CTX ctx, STACK_OF(X509) chain,
1116	int	1103	int
1117	X509v3_asid_validate_path(X509_STORE_CTX *ctx)	1104	X509v3_asid_validate_path(X509_STORE_CTX *ctx)
1118	{	1105	{
1119	if (sk_X509_num(ctx->chain) <= 0 \|\| ctx->verify_cb == NULL) {	1106	if (ctx->chain == NULL \|\|
		1107	sk_X509_num(ctx->chain) == 0 \|\|
		1108	ctx->verify_cb == NULL) {
1120	ctx->error = X509_V_ERR_UNSPECIFIED;	1109	ctx->error = X509_V_ERR_UNSPECIFIED;
1121	return 0;	1110	return 0;
1122	}	1111	}