1 files changed, 13 insertions, 13 deletions
diff --git a/src/lib/libcrypto/x509/x509_vfy.c b/src/lib/libcrypto/x509/x509_vfy.c
index 3b0d6dfa35..aad9cf50c4 100644
--- a/src/lib/libcrypto/x509/x509_vfy.c
+++ b/src/lib/libcrypto/x509/x509_vfy.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_vfy.c,v 1.94 2021/11/04 23:52:34 beck Exp $ */
+/* $OpenBSD: x509_vfy.c,v 1.95 2021/11/07 15:51:23 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -262,7 +262,7 @@ X509_verify_cert_legacy_build_chain(X509_STORE_CTX *ctx, int *bad, int *out_ok)
                goto end;
        }
        X509_up_ref(ctx->cert);
-        ctx->last_untrusted = 1;
+        ctx->num_untrusted = 1;
        /* We use a temporary STACK so we can chop and hack at it */
        if (ctx->untrusted != NULL &&
@@ -336,7 +336,7 @@ X509_verify_cert_legacy_build_chain(X509_STORE_CTX *ctx, int *bad, int *out_ok)
                                }
                                X509_up_ref(xtmp);
                                (void)sk_X509_delete_ptr(sktmp, xtmp);
-                                ctx->last_untrusted++;
+                                ctx->num_untrusted++;
                                x = xtmp;
                                num++;
                                /*
@@ -394,7 +394,7 @@ X509_verify_cert_legacy_build_chain(X509_STORE_CTX *ctx, int *bad, int *out_ok)
                                        X509_free(x);
                                        x = xtmp;
                                        (void)sk_X509_set(ctx->chain, i - 1, x);
-                                        ctx->last_untrusted = 0;
+                                        ctx->num_untrusted = 0;
                                }
                        } else {
                                /*
@@ -402,7 +402,7 @@ X509_verify_cert_legacy_build_chain(X509_STORE_CTX *ctx, int *bad, int *out_ok)
                                 * certificate for later use
                                 */
                                chain_ss = sk_X509_pop(ctx->chain);
-                                ctx->last_untrusted--;
+                                ctx->num_untrusted--;
                                num--;
                                j--;
                                x = sk_X509_value(ctx->chain, num - 1);
@@ -476,7 +476,7 @@ X509_verify_cert_legacy_build_chain(X509_STORE_CTX *ctx, int *bad, int *out_ok)
                                                X509_free(xtmp);
                                                num--;
                                        }
-                                        ctx->last_untrusted = sk_X509_num(ctx->chain);
+                                        ctx->num_untrusted = sk_X509_num(ctx->chain);
                                        retry = 1;
                                        break;
                                }
@@ -491,7 +491,7 @@ X509_verify_cert_legacy_build_chain(X509_STORE_CTX *ctx, int *bad, int *out_ok)
         */
        if (trust != X509_TRUST_TRUSTED && !bad_chain) {
                if ((chain_ss == NULL) || !ctx->check_issued(ctx, x, chain_ss)) {
-                        if (ctx->last_untrusted >= num)
+                        if (ctx->num_untrusted >= num)
                                ctx->error = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY;
                        else
                                ctx->error = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT;
@@ -504,7 +504,7 @@ X509_verify_cert_legacy_build_chain(X509_STORE_CTX *ctx, int *bad, int *out_ok)
                                goto end;
                        }
                        num++;
-                        ctx->last_untrusted = num;
+                        ctx->num_untrusted = num;
                        ctx->current_cert = chain_ss;
                        ctx->error = X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN;
                        chain_ss = NULL;
@@ -749,7 +749,7 @@ x509_vfy_check_chain_extensions(X509_STORE_CTX *ctx)
        }
        /* Check all untrusted certificates */
-        for (i = 0; i < ctx->last_untrusted; i++) {
+        for (i = 0; i < ctx->num_untrusted; i++) {
                int ret;
                x = sk_X509_value(ctx->chain, i);
                if (!(ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL) &&
@@ -922,7 +922,7 @@ check_trust(X509_STORE_CTX *ctx)
        cb = ctx->verify_cb;
        /* Check all trusted certificates in chain */
-        for (i = ctx->last_untrusted; i < sk_X509_num(ctx->chain); i++) {
+        for (i = ctx->num_untrusted; i < sk_X509_num(ctx->chain); i++) {
                x = sk_X509_value(ctx->chain, i);
                ok = X509_check_trust(x, ctx->param->trust, 0);
@@ -948,14 +948,14 @@ check_trust(X509_STORE_CTX *ctx)
         */
        if (ctx->param->flags & X509_V_FLAG_PARTIAL_CHAIN) {
                X509 *mx;
-                if (ctx->last_untrusted < (int)sk_X509_num(ctx->chain))
+                if (ctx->num_untrusted < (int)sk_X509_num(ctx->chain))
                        return X509_TRUST_TRUSTED;
                x = sk_X509_value(ctx->chain, 0);
                mx = lookup_cert_match(ctx, x);
                if (mx) {
                        (void)sk_X509_set(ctx->chain, 0, mx);
                        X509_free(x);
-                        ctx->last_untrusted = 0;
+                        ctx->num_untrusted = 0;
                        return X509_TRUST_TRUSTED;
                }
        }
@@ -2567,7 +2567,7 @@ X509_STORE_CTX_get_explicit_policy(X509_STORE_CTX *ctx)
 int
 X509_STORE_CTX_get_num_untrusted(X509_STORE_CTX *ctx)
 {
-        return ctx->last_untrusted; /* XXX */
+        return ctx->num_untrusted;
 }
 int

diff --git a/src/lib/libcrypto/x509/x509_vfy.c b/src/lib/libcrypto/x509/x509_vfy.c index 3b0d6dfa35..aad9cf50c4 100644 --- a/src/lib/libcrypto/x509/x509_vfy.c +++ b/src/lib/libcrypto/x509/x509_vfy.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: x509_vfy.c,v 1.94 2021/11/04 23:52:34 beck Exp $ */	1	/* $OpenBSD: x509_vfy.c,v 1.95 2021/11/07 15:51:23 tb Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -262,7 +262,7 @@ X509_verify_cert_legacy_build_chain(X509_STORE_CTX ctx, int bad, int *out_ok)
262	goto end;	262	goto end;
263	}	263	}
264	X509_up_ref(ctx->cert);	264	X509_up_ref(ctx->cert);
265	ctx->last_untrusted = 1;	265	ctx->num_untrusted = 1;
266		266
267	/* We use a temporary STACK so we can chop and hack at it */	267	/* We use a temporary STACK so we can chop and hack at it */
268	if (ctx->untrusted != NULL &&	268	if (ctx->untrusted != NULL &&
@@ -336,7 +336,7 @@ X509_verify_cert_legacy_build_chain(X509_STORE_CTX ctx, int bad, int *out_ok)
336	}	336	}
337	X509_up_ref(xtmp);	337	X509_up_ref(xtmp);
338	(void)sk_X509_delete_ptr(sktmp, xtmp);	338	(void)sk_X509_delete_ptr(sktmp, xtmp);
339	ctx->last_untrusted++;	339	ctx->num_untrusted++;
340	x = xtmp;	340	x = xtmp;
341	num++;	341	num++;
342	/*	342	/*
@@ -394,7 +394,7 @@ X509_verify_cert_legacy_build_chain(X509_STORE_CTX ctx, int bad, int *out_ok)
394	X509_free(x);	394	X509_free(x);
395	x = xtmp;	395	x = xtmp;
396	(void)sk_X509_set(ctx->chain, i - 1, x);	396	(void)sk_X509_set(ctx->chain, i - 1, x);
397	ctx->last_untrusted = 0;	397	ctx->num_untrusted = 0;
398	}	398	}
399	} else {	399	} else {
400	/*	400	/*
@@ -402,7 +402,7 @@ X509_verify_cert_legacy_build_chain(X509_STORE_CTX ctx, int bad, int *out_ok)
402	* certificate for later use	402	* certificate for later use
403	*/	403	*/
404	chain_ss = sk_X509_pop(ctx->chain);	404	chain_ss = sk_X509_pop(ctx->chain);
405	ctx->last_untrusted--;	405	ctx->num_untrusted--;
406	num--;	406	num--;
407	j--;	407	j--;
408	x = sk_X509_value(ctx->chain, num - 1);	408	x = sk_X509_value(ctx->chain, num - 1);
@@ -476,7 +476,7 @@ X509_verify_cert_legacy_build_chain(X509_STORE_CTX ctx, int bad, int *out_ok)
476	X509_free(xtmp);	476	X509_free(xtmp);
477	num--;	477	num--;
478	}	478	}
479	ctx->last_untrusted = sk_X509_num(ctx->chain);	479	ctx->num_untrusted = sk_X509_num(ctx->chain);
480	retry = 1;	480	retry = 1;
481	break;	481	break;
482	}	482	}
@@ -491,7 +491,7 @@ X509_verify_cert_legacy_build_chain(X509_STORE_CTX ctx, int bad, int *out_ok)
491	*/	491	*/
492	if (trust != X509_TRUST_TRUSTED && !bad_chain) {	492	if (trust != X509_TRUST_TRUSTED && !bad_chain) {
493	if ((chain_ss == NULL) \|\| !ctx->check_issued(ctx, x, chain_ss)) {	493	if ((chain_ss == NULL) \|\| !ctx->check_issued(ctx, x, chain_ss)) {
494	if (ctx->last_untrusted >= num)	494	if (ctx->num_untrusted >= num)
495	ctx->error = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY;	495	ctx->error = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY;
496	else	496	else
497	ctx->error = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT;	497	ctx->error = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT;
@@ -504,7 +504,7 @@ X509_verify_cert_legacy_build_chain(X509_STORE_CTX ctx, int bad, int *out_ok)
504	goto end;	504	goto end;
505	}	505	}
506	num++;	506	num++;
507	ctx->last_untrusted = num;	507	ctx->num_untrusted = num;
508	ctx->current_cert = chain_ss;	508	ctx->current_cert = chain_ss;
509	ctx->error = X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN;	509	ctx->error = X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN;
510	chain_ss = NULL;	510	chain_ss = NULL;
@@ -749,7 +749,7 @@ x509_vfy_check_chain_extensions(X509_STORE_CTX *ctx)
749	}	749	}
750		750
751	/* Check all untrusted certificates */	751	/* Check all untrusted certificates */
752	for (i = 0; i < ctx->last_untrusted; i++) {	752	for (i = 0; i < ctx->num_untrusted; i++) {
753	int ret;	753	int ret;
754	x = sk_X509_value(ctx->chain, i);	754	x = sk_X509_value(ctx->chain, i);
755	if (!(ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL) &&	755	if (!(ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL) &&
@@ -922,7 +922,7 @@ check_trust(X509_STORE_CTX *ctx)
922		922
923	cb = ctx->verify_cb;	923	cb = ctx->verify_cb;
924	/* Check all trusted certificates in chain */	924	/* Check all trusted certificates in chain */
925	for (i = ctx->last_untrusted; i < sk_X509_num(ctx->chain); i++) {	925	for (i = ctx->num_untrusted; i < sk_X509_num(ctx->chain); i++) {
926	x = sk_X509_value(ctx->chain, i);	926	x = sk_X509_value(ctx->chain, i);
927	ok = X509_check_trust(x, ctx->param->trust, 0);	927	ok = X509_check_trust(x, ctx->param->trust, 0);
928		928
@@ -948,14 +948,14 @@ check_trust(X509_STORE_CTX *ctx)
948	*/	948	*/
949	if (ctx->param->flags & X509_V_FLAG_PARTIAL_CHAIN) {	949	if (ctx->param->flags & X509_V_FLAG_PARTIAL_CHAIN) {
950	X509 *mx;	950	X509 *mx;
951	if (ctx->last_untrusted < (int)sk_X509_num(ctx->chain))	951	if (ctx->num_untrusted < (int)sk_X509_num(ctx->chain))
952	return X509_TRUST_TRUSTED;	952	return X509_TRUST_TRUSTED;
953	x = sk_X509_value(ctx->chain, 0);	953	x = sk_X509_value(ctx->chain, 0);
954	mx = lookup_cert_match(ctx, x);	954	mx = lookup_cert_match(ctx, x);
955	if (mx) {	955	if (mx) {
956	(void)sk_X509_set(ctx->chain, 0, mx);	956	(void)sk_X509_set(ctx->chain, 0, mx);
957	X509_free(x);	957	X509_free(x);
958	ctx->last_untrusted = 0;	958	ctx->num_untrusted = 0;
959	return X509_TRUST_TRUSTED;	959	return X509_TRUST_TRUSTED;
960	}	960	}
961	}	961	}
@@ -2567,7 +2567,7 @@ X509_STORE_CTX_get_explicit_policy(X509_STORE_CTX *ctx)
2567	int	2567	int
2568	X509_STORE_CTX_get_num_untrusted(X509_STORE_CTX *ctx)	2568	X509_STORE_CTX_get_num_untrusted(X509_STORE_CTX *ctx)
2569	{	2569	{
2570	return ctx->last_untrusted; /* XXX */	2570	return ctx->num_untrusted;
2571	}	2571	}
2572		2572
2573	int	2573	int