1 files changed, 25 insertions, 12 deletions
diff --git a/src/lib/libcrypto/x509/x509_asid.c b/src/lib/libcrypto/x509/x509_asid.c
index 808dad7552..216fd610c2 100644
--- a/src/lib/libcrypto/x509/x509_asid.c
+++ b/src/lib/libcrypto/x509/x509_asid.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: x509_asid.c,v 1.22 2021/12/24 02:07:37 tb Exp $ */
+/*      $OpenBSD: x509_asid.c,v 1.23 2021/12/24 02:12:31 tb Exp $ */
 /*
 * Contributed to the OpenSSL Project by the American Registry for
 * Internet Numbers ("ARIN").
@@ -649,7 +649,8 @@ ASIdentifierChoice_canonize(ASIdentifierChoice *choice)
                /*
                 * Make sure we're properly sorted (paranoia).
                 */
-                OPENSSL_assert(ASN1_INTEGER_cmp(a_min, b_min) <= 0);
+                if (ASN1_INTEGER_cmp(a_min, b_min) > 0)
+                        goto done;
                /*
                 * Punt inverted ranges.
@@ -736,7 +737,8 @@ ASIdentifierChoice_canonize(ASIdentifierChoice *choice)
        }
        /* Paranoia */
-        OPENSSL_assert(ASIdentifierChoice_is_canonical(choice));
+        if (!ASIdentifierChoice_is_canonical(choice))
+                goto done;
        ret = 1;
@@ -977,16 +979,22 @@ X509v3_asid_subset(ASIdentifiers *a, ASIdentifiers *b)
 * Core code for RFC 3779 3.3 path validation.
 */
 static int
-asid_validate_path_internal(X509_STORE_CTX *ctx, STACK_OF(X509)*chain,
+asid_validate_path_internal(X509_STORE_CTX *ctx, STACK_OF(X509) *chain,
    ASIdentifiers *ext)
 {
        ASIdOrRanges *child_as = NULL, *child_rdi = NULL;
        int i, ret = 1, inherit_as = 0, inherit_rdi = 0;
        X509 *x;
-        OPENSSL_assert(chain != NULL && sk_X509_num(chain) > 0);
+        /* We need a non-empty chain to test against. */
-        OPENSSL_assert(ctx != NULL || ext != NULL);
+        if (sk_X509_num(chain) <= 0)
-        OPENSSL_assert(ctx == NULL || ctx->verify_cb != NULL);
+                goto err;
+        /* We need either a store ctx or an extension to work with. */
+        if (ctx == NULL && ext == NULL)
+                goto err;
+        /* If there is a store ctx, it needs a verify_cb. */
+        if (ctx != NULL && ctx->verify_cb == NULL)
+                goto err;
        /*
         * Figure out where to start.  If we don't have an extension to
@@ -1031,7 +1039,6 @@ asid_validate_path_internal(X509_STORE_CTX *ctx, STACK_OF(X509)*chain,
         */
        for (i++; i < sk_X509_num(chain); i++) {
                x = sk_X509_value(chain, i);
-                OPENSSL_assert(x != NULL);
                if (x->rfc3779_asid == NULL) {
                        if (child_as != NULL || child_rdi != NULL)
@@ -1078,7 +1085,9 @@ asid_validate_path_internal(X509_STORE_CTX *ctx, STACK_OF(X509)*chain,
        /*
         * Trust anchor can't inherit.
         */
-        OPENSSL_assert(x != NULL);
+        if (x == NULL)
+                goto err;
        if (x->rfc3779_asid != NULL) {
                if (x->rfc3779_asid->asnum != NULL &&
@@ -1091,6 +1100,12 @@ asid_validate_path_internal(X509_STORE_CTX *ctx, STACK_OF(X509)*chain,
 done:
        return ret;
+ err:
+        if (ctx != NULL)
+                ctx->error = X509_V_ERR_UNSPECIFIED;
+        return 0;
 }
 #undef validation_err
@@ -1101,9 +1116,7 @@ asid_validate_path_internal(X509_STORE_CTX *ctx, STACK_OF(X509)*chain,
 int
 X509v3_asid_validate_path(X509_STORE_CTX *ctx)
 {
-        if (ctx->chain == NULL ||
+        if (sk_X509_num(ctx->chain) <= 0 || ctx->verify_cb == NULL) {
-            sk_X509_num(ctx->chain) == 0 ||
-            ctx->verify_cb == NULL) {
                ctx->error = X509_V_ERR_UNSPECIFIED;
                return 0;
        }

diff --git a/src/lib/libcrypto/x509/x509_asid.c b/src/lib/libcrypto/x509/x509_asid.c index 808dad7552..216fd610c2 100644 --- a/src/lib/libcrypto/x509/x509_asid.c +++ b/src/lib/libcrypto/x509/x509_asid.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: x509_asid.c,v 1.22 2021/12/24 02:07:37 tb Exp $ */	1	/* $OpenBSD: x509_asid.c,v 1.23 2021/12/24 02:12:31 tb Exp $ */
2	/*	2	/*
3	* Contributed to the OpenSSL Project by the American Registry for	3	* Contributed to the OpenSSL Project by the American Registry for
4	* Internet Numbers ("ARIN").	4	* Internet Numbers ("ARIN").
@@ -649,7 +649,8 @@ ASIdentifierChoice_canonize(ASIdentifierChoice *choice)
649	/*	649	/*
650	* Make sure we're properly sorted (paranoia).	650	* Make sure we're properly sorted (paranoia).
651	*/	651	*/
652	OPENSSL_assert(ASN1_INTEGER_cmp(a_min, b_min) <= 0);	652	if (ASN1_INTEGER_cmp(a_min, b_min) > 0)
		653	goto done;
653		654
654	/*	655	/*
655	* Punt inverted ranges.	656	* Punt inverted ranges.
@@ -736,7 +737,8 @@ ASIdentifierChoice_canonize(ASIdentifierChoice *choice)
736	}	737	}
737		738
738	/* Paranoia */	739	/* Paranoia */
739	OPENSSL_assert(ASIdentifierChoice_is_canonical(choice));	740	if (!ASIdentifierChoice_is_canonical(choice))
		741	goto done;
740		742
741	ret = 1;	743	ret = 1;
742		744
@@ -977,16 +979,22 @@ X509v3_asid_subset(ASIdentifiers a, ASIdentifiers b)
977	* Core code for RFC 3779 3.3 path validation.	979	* Core code for RFC 3779 3.3 path validation.
978	*/	980	*/
979	static int	981	static int
980	asid_validate_path_internal(X509_STORE_CTX ctx, STACK_OF(X509)chain,	982	asid_validate_path_internal(X509_STORE_CTX ctx, STACK_OF(X509) chain,
981	ASIdentifiers *ext)	983	ASIdentifiers *ext)
982	{	984	{
983	ASIdOrRanges child_as = NULL, child_rdi = NULL;	985	ASIdOrRanges child_as = NULL, child_rdi = NULL;
984	int i, ret = 1, inherit_as = 0, inherit_rdi = 0;	986	int i, ret = 1, inherit_as = 0, inherit_rdi = 0;
985	X509 *x;	987	X509 *x;
986		988
987	OPENSSL_assert(chain != NULL && sk_X509_num(chain) > 0);	989	/* We need a non-empty chain to test against. */
988	OPENSSL_assert(ctx != NULL \|\| ext != NULL);	990	if (sk_X509_num(chain) <= 0)
989	OPENSSL_assert(ctx == NULL \|\| ctx->verify_cb != NULL);	991	goto err;
		992	/* We need either a store ctx or an extension to work with. */
		993	if (ctx == NULL && ext == NULL)
		994	goto err;
		995	/* If there is a store ctx, it needs a verify_cb. */
		996	if (ctx != NULL && ctx->verify_cb == NULL)
		997	goto err;
990		998
991	/*	999	/*
992	* Figure out where to start. If we don't have an extension to	1000	* Figure out where to start. If we don't have an extension to
@@ -1031,7 +1039,6 @@ asid_validate_path_internal(X509_STORE_CTX ctx, STACK_OF(X509)chain,
1031	*/	1039	*/
1032	for (i++; i < sk_X509_num(chain); i++) {	1040	for (i++; i < sk_X509_num(chain); i++) {
1033	x = sk_X509_value(chain, i);	1041	x = sk_X509_value(chain, i);
1034	OPENSSL_assert(x != NULL);
1035		1042
1036	if (x->rfc3779_asid == NULL) {	1043	if (x->rfc3779_asid == NULL) {
1037	if (child_as != NULL \|\| child_rdi != NULL)	1044	if (child_as != NULL \|\| child_rdi != NULL)
@@ -1078,7 +1085,9 @@ asid_validate_path_internal(X509_STORE_CTX ctx, STACK_OF(X509)chain,
1078	/*	1085	/*
1079	* Trust anchor can't inherit.	1086	* Trust anchor can't inherit.
1080	*/	1087	*/
1081	OPENSSL_assert(x != NULL);	1088
		1089	if (x == NULL)
		1090	goto err;
1082		1091
1083	if (x->rfc3779_asid != NULL) {	1092	if (x->rfc3779_asid != NULL) {
1084	if (x->rfc3779_asid->asnum != NULL &&	1093	if (x->rfc3779_asid->asnum != NULL &&
@@ -1091,6 +1100,12 @@ asid_validate_path_internal(X509_STORE_CTX ctx, STACK_OF(X509)chain,
1091		1100
1092	done:	1101	done:
1093	return ret;	1102	return ret;
		1103
		1104	err:
		1105	if (ctx != NULL)
		1106	ctx->error = X509_V_ERR_UNSPECIFIED;
		1107
		1108	return 0;
1094	}	1109	}
1095		1110
1096	#undef validation_err	1111	#undef validation_err
@@ -1101,9 +1116,7 @@ asid_validate_path_internal(X509_STORE_CTX ctx, STACK_OF(X509)chain,
1101	int	1116	int
1102	X509v3_asid_validate_path(X509_STORE_CTX *ctx)	1117	X509v3_asid_validate_path(X509_STORE_CTX *ctx)
1103	{	1118	{
1104	if (ctx->chain == NULL \|\|	1119	if (sk_X509_num(ctx->chain) <= 0 \|\| ctx->verify_cb == NULL) {
1105	sk_X509_num(ctx->chain) == 0 \|\|
1106	ctx->verify_cb == NULL) {
1107	ctx->error = X509_V_ERR_UNSPECIFIED;	1120	ctx->error = X509_V_ERR_UNSPECIFIED;
1108	return 0;	1121	return 0;
1109	}	1122	}