3 files changed, 17 insertions, 17 deletions
diff --git a/src/lib/libcrypto/x509/x509_lcl.h b/src/lib/libcrypto/x509/x509_lcl.h
index 9ef99584d1..c9df239c3d 100644
--- a/src/lib/libcrypto/x509/x509_lcl.h
+++ b/src/lib/libcrypto/x509/x509_lcl.h
@@ -354,7 +354,7 @@ struct x509_store_ctx_st {
        /* The following is built up */
        int valid;              /* if 0, rebuild chain */
-        int last_untrusted;     /* XXX: number of untrusted certs in chain!!! */
+        int num_untrusted;      /* number of untrusted certs in chain */
        STACK_OF(X509) *chain;          /* chain of X509s - built up and trusted */
        X509_POLICY_TREE *tree; /* Valid policy tree */
diff --git a/src/lib/libcrypto/x509/x509_verify.c b/src/lib/libcrypto/x509/x509_verify.c
index b9ba2bee3c..4698d2f8b7 100644
--- a/src/lib/libcrypto/x509/x509_verify.c
+++ b/src/lib/libcrypto/x509/x509_verify.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_verify.c,v 1.51 2021/11/04 23:52:34 beck Exp $ */
+/* $OpenBSD: x509_verify.c,v 1.52 2021/11/07 15:51:23 tb Exp $ */
 /*
 * Copyright (c) 2020-2021 Bob Beck <beck@openbsd.org>
 *
@@ -296,7 +296,7 @@ x509_verify_ctx_set_xsc_chain(struct x509_verify_ctx *ctx,
                return 1;
        /*
-         * XXX last_untrusted is actually the number of untrusted certs at the
+         * XXX num_untrusted is the number of untrusted certs at the
         * bottom of the chain. This works now since we stop at the first
         * trusted cert. This will need fixing once we allow more than one
         * trusted certificate.
@@ -304,7 +304,7 @@ x509_verify_ctx_set_xsc_chain(struct x509_verify_ctx *ctx,
        num_untrusted = sk_X509_num(chain->certs);
        if (is_trusted && num_untrusted > 0)
                num_untrusted--;
-        ctx->xsc->last_untrusted = num_untrusted;
+        ctx->xsc->num_untrusted = num_untrusted;
        sk_X509_pop_free(ctx->xsc->chain, X509_free);
        ctx->xsc->chain = X509_chain_up_ref(chain->certs);
diff --git a/src/lib/libcrypto/x509/x509_vfy.c b/src/lib/libcrypto/x509/x509_vfy.c
index 3b0d6dfa35..aad9cf50c4 100644
--- a/src/lib/libcrypto/x509/x509_vfy.c
+++ b/src/lib/libcrypto/x509/x509_vfy.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_vfy.c,v 1.94 2021/11/04 23:52:34 beck Exp $ */
+/* $OpenBSD: x509_vfy.c,v 1.95 2021/11/07 15:51:23 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -262,7 +262,7 @@ X509_verify_cert_legacy_build_chain(X509_STORE_CTX *ctx, int *bad, int *out_ok)
                goto end;
        }
        X509_up_ref(ctx->cert);
-        ctx->last_untrusted = 1;
+        ctx->num_untrusted = 1;
        /* We use a temporary STACK so we can chop and hack at it */
        if (ctx->untrusted != NULL &&
@@ -336,7 +336,7 @@ X509_verify_cert_legacy_build_chain(X509_STORE_CTX *ctx, int *bad, int *out_ok)
                                }
                                X509_up_ref(xtmp);
                                (void)sk_X509_delete_ptr(sktmp, xtmp);
-                                ctx->last_untrusted++;
+                                ctx->num_untrusted++;
                                x = xtmp;
                                num++;
                                /*
@@ -394,7 +394,7 @@ X509_verify_cert_legacy_build_chain(X509_STORE_CTX *ctx, int *bad, int *out_ok)
                                        X509_free(x);
                                        x = xtmp;
                                        (void)sk_X509_set(ctx->chain, i - 1, x);
-                                        ctx->last_untrusted = 0;
+                                        ctx->num_untrusted = 0;
                                }
                        } else {
                                /*
@@ -402,7 +402,7 @@ X509_verify_cert_legacy_build_chain(X509_STORE_CTX *ctx, int *bad, int *out_ok)
                                 * certificate for later use
                                 */
                                chain_ss = sk_X509_pop(ctx->chain);
-                                ctx->last_untrusted--;
+                                ctx->num_untrusted--;
                                num--;
                                j--;
                                x = sk_X509_value(ctx->chain, num - 1);
@@ -476,7 +476,7 @@ X509_verify_cert_legacy_build_chain(X509_STORE_CTX *ctx, int *bad, int *out_ok)
                                                X509_free(xtmp);
                                                num--;
                                        }
-                                        ctx->last_untrusted = sk_X509_num(ctx->chain);
+                                        ctx->num_untrusted = sk_X509_num(ctx->chain);
                                        retry = 1;
                                        break;
                                }
@@ -491,7 +491,7 @@ X509_verify_cert_legacy_build_chain(X509_STORE_CTX *ctx, int *bad, int *out_ok)
         */
        if (trust != X509_TRUST_TRUSTED && !bad_chain) {
                if ((chain_ss == NULL) || !ctx->check_issued(ctx, x, chain_ss)) {
-                        if (ctx->last_untrusted >= num)
+                        if (ctx->num_untrusted >= num)
                                ctx->error = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY;
                        else
                                ctx->error = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT;
@@ -504,7 +504,7 @@ X509_verify_cert_legacy_build_chain(X509_STORE_CTX *ctx, int *bad, int *out_ok)
                                goto end;
                        }
                        num++;
-                        ctx->last_untrusted = num;
+                        ctx->num_untrusted = num;
                        ctx->current_cert = chain_ss;
                        ctx->error = X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN;
                        chain_ss = NULL;
@@ -749,7 +749,7 @@ x509_vfy_check_chain_extensions(X509_STORE_CTX *ctx)
        }
        /* Check all untrusted certificates */
-        for (i = 0; i < ctx->last_untrusted; i++) {
+        for (i = 0; i < ctx->num_untrusted; i++) {
                int ret;
                x = sk_X509_value(ctx->chain, i);
                if (!(ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL) &&
@@ -922,7 +922,7 @@ check_trust(X509_STORE_CTX *ctx)
        cb = ctx->verify_cb;
        /* Check all trusted certificates in chain */
-        for (i = ctx->last_untrusted; i < sk_X509_num(ctx->chain); i++) {
+        for (i = ctx->num_untrusted; i < sk_X509_num(ctx->chain); i++) {
                x = sk_X509_value(ctx->chain, i);
                ok = X509_check_trust(x, ctx->param->trust, 0);
@@ -948,14 +948,14 @@ check_trust(X509_STORE_CTX *ctx)
         */
        if (ctx->param->flags & X509_V_FLAG_PARTIAL_CHAIN) {
                X509 *mx;
-                if (ctx->last_untrusted < (int)sk_X509_num(ctx->chain))
+                if (ctx->num_untrusted < (int)sk_X509_num(ctx->chain))
                        return X509_TRUST_TRUSTED;
                x = sk_X509_value(ctx->chain, 0);
                mx = lookup_cert_match(ctx, x);
                if (mx) {
                        (void)sk_X509_set(ctx->chain, 0, mx);
                        X509_free(x);
-                        ctx->last_untrusted = 0;
+                        ctx->num_untrusted = 0;
                        return X509_TRUST_TRUSTED;
                }
        }
@@ -2567,7 +2567,7 @@ X509_STORE_CTX_get_explicit_policy(X509_STORE_CTX *ctx)
 int
 X509_STORE_CTX_get_num_untrusted(X509_STORE_CTX *ctx)
 {
-        return ctx->last_untrusted; /* XXX */
+        return ctx->num_untrusted;
 }
 int

diff --git a/src/lib/libcrypto/x509/x509_lcl.h b/src/lib/libcrypto/x509/x509_lcl.h index 9ef99584d1..c9df239c3d 100644 --- a/src/lib/libcrypto/x509/x509_lcl.h +++ b/src/lib/libcrypto/x509/x509_lcl.h
@@ -354,7 +354,7 @@ struct x509_store_ctx_st {
354		354
355	/* The following is built up */	355	/* The following is built up */
356	int valid; /* if 0, rebuild chain */	356	int valid; /* if 0, rebuild chain */
357	int last_untrusted; /* XXX: number of untrusted certs in chain!!! */	357	int num_untrusted; /* number of untrusted certs in chain */
358	STACK_OF(X509) chain; / chain of X509s - built up and trusted */	358	STACK_OF(X509) chain; / chain of X509s - built up and trusted */
359	X509_POLICY_TREE tree; / Valid policy tree */	359	X509_POLICY_TREE tree; / Valid policy tree */
360		360


diff --git a/src/lib/libcrypto/x509/x509_verify.c b/src/lib/libcrypto/x509/x509_verify.c index b9ba2bee3c..4698d2f8b7 100644 --- a/src/lib/libcrypto/x509/x509_verify.c +++ b/src/lib/libcrypto/x509/x509_verify.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: x509_verify.c,v 1.51 2021/11/04 23:52:34 beck Exp $ */	1	/* $OpenBSD: x509_verify.c,v 1.52 2021/11/07 15:51:23 tb Exp $ */
2	/*	2	/*
3	* Copyright (c) 2020-2021 Bob Beck <beck@openbsd.org>	3	* Copyright (c) 2020-2021 Bob Beck <beck@openbsd.org>
4	*	4	*
@@ -296,7 +296,7 @@ x509_verify_ctx_set_xsc_chain(struct x509_verify_ctx *ctx,
296	return 1;	296	return 1;
297		297
298	/*	298	/*
299	* XXX last_untrusted is actually the number of untrusted certs at the	299	* XXX num_untrusted is the number of untrusted certs at the
300	* bottom of the chain. This works now since we stop at the first	300	* bottom of the chain. This works now since we stop at the first
301	* trusted cert. This will need fixing once we allow more than one	301	* trusted cert. This will need fixing once we allow more than one
302	* trusted certificate.	302	* trusted certificate.
@@ -304,7 +304,7 @@ x509_verify_ctx_set_xsc_chain(struct x509_verify_ctx *ctx,
304	num_untrusted = sk_X509_num(chain->certs);	304	num_untrusted = sk_X509_num(chain->certs);
305	if (is_trusted && num_untrusted > 0)	305	if (is_trusted && num_untrusted > 0)
306	num_untrusted--;	306	num_untrusted--;
307	ctx->xsc->last_untrusted = num_untrusted;	307	ctx->xsc->num_untrusted = num_untrusted;
308		308
309	sk_X509_pop_free(ctx->xsc->chain, X509_free);	309	sk_X509_pop_free(ctx->xsc->chain, X509_free);
310	ctx->xsc->chain = X509_chain_up_ref(chain->certs);	310	ctx->xsc->chain = X509_chain_up_ref(chain->certs);


diff --git a/src/lib/libcrypto/x509/x509_vfy.c b/src/lib/libcrypto/x509/x509_vfy.c index 3b0d6dfa35..aad9cf50c4 100644 --- a/src/lib/libcrypto/x509/x509_vfy.c +++ b/src/lib/libcrypto/x509/x509_vfy.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: x509_vfy.c,v 1.94 2021/11/04 23:52:34 beck Exp $ */	1	/* $OpenBSD: x509_vfy.c,v 1.95 2021/11/07 15:51:23 tb Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -262,7 +262,7 @@ X509_verify_cert_legacy_build_chain(X509_STORE_CTX ctx, int bad, int *out_ok)
262	goto end;	262	goto end;
263	}	263	}
264	X509_up_ref(ctx->cert);	264	X509_up_ref(ctx->cert);
265	ctx->last_untrusted = 1;	265	ctx->num_untrusted = 1;
266		266
267	/* We use a temporary STACK so we can chop and hack at it */	267	/* We use a temporary STACK so we can chop and hack at it */
268	if (ctx->untrusted != NULL &&	268	if (ctx->untrusted != NULL &&
@@ -336,7 +336,7 @@ X509_verify_cert_legacy_build_chain(X509_STORE_CTX ctx, int bad, int *out_ok)
336	}	336	}
337	X509_up_ref(xtmp);	337	X509_up_ref(xtmp);
338	(void)sk_X509_delete_ptr(sktmp, xtmp);	338	(void)sk_X509_delete_ptr(sktmp, xtmp);
339	ctx->last_untrusted++;	339	ctx->num_untrusted++;
340	x = xtmp;	340	x = xtmp;
341	num++;	341	num++;
342	/*	342	/*
@@ -394,7 +394,7 @@ X509_verify_cert_legacy_build_chain(X509_STORE_CTX ctx, int bad, int *out_ok)
394	X509_free(x);	394	X509_free(x);
395	x = xtmp;	395	x = xtmp;
396	(void)sk_X509_set(ctx->chain, i - 1, x);	396	(void)sk_X509_set(ctx->chain, i - 1, x);
397	ctx->last_untrusted = 0;	397	ctx->num_untrusted = 0;
398	}	398	}
399	} else {	399	} else {
400	/*	400	/*
@@ -402,7 +402,7 @@ X509_verify_cert_legacy_build_chain(X509_STORE_CTX ctx, int bad, int *out_ok)
402	* certificate for later use	402	* certificate for later use
403	*/	403	*/
404	chain_ss = sk_X509_pop(ctx->chain);	404	chain_ss = sk_X509_pop(ctx->chain);
405	ctx->last_untrusted--;	405	ctx->num_untrusted--;
406	num--;	406	num--;
407	j--;	407	j--;
408	x = sk_X509_value(ctx->chain, num - 1);	408	x = sk_X509_value(ctx->chain, num - 1);
@@ -476,7 +476,7 @@ X509_verify_cert_legacy_build_chain(X509_STORE_CTX ctx, int bad, int *out_ok)
476	X509_free(xtmp);	476	X509_free(xtmp);
477	num--;	477	num--;
478	}	478	}
479	ctx->last_untrusted = sk_X509_num(ctx->chain);	479	ctx->num_untrusted = sk_X509_num(ctx->chain);
480	retry = 1;	480	retry = 1;
481	break;	481	break;
482	}	482	}
@@ -491,7 +491,7 @@ X509_verify_cert_legacy_build_chain(X509_STORE_CTX ctx, int bad, int *out_ok)
491	*/	491	*/
492	if (trust != X509_TRUST_TRUSTED && !bad_chain) {	492	if (trust != X509_TRUST_TRUSTED && !bad_chain) {
493	if ((chain_ss == NULL) \|\| !ctx->check_issued(ctx, x, chain_ss)) {	493	if ((chain_ss == NULL) \|\| !ctx->check_issued(ctx, x, chain_ss)) {
494	if (ctx->last_untrusted >= num)	494	if (ctx->num_untrusted >= num)
495	ctx->error = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY;	495	ctx->error = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY;
496	else	496	else
497	ctx->error = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT;	497	ctx->error = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT;
@@ -504,7 +504,7 @@ X509_verify_cert_legacy_build_chain(X509_STORE_CTX ctx, int bad, int *out_ok)
504	goto end;	504	goto end;
505	}	505	}
506	num++;	506	num++;
507	ctx->last_untrusted = num;	507	ctx->num_untrusted = num;
508	ctx->current_cert = chain_ss;	508	ctx->current_cert = chain_ss;
509	ctx->error = X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN;	509	ctx->error = X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN;
510	chain_ss = NULL;	510	chain_ss = NULL;
@@ -749,7 +749,7 @@ x509_vfy_check_chain_extensions(X509_STORE_CTX *ctx)
749	}	749	}
750		750
751	/* Check all untrusted certificates */	751	/* Check all untrusted certificates */
752	for (i = 0; i < ctx->last_untrusted; i++) {	752	for (i = 0; i < ctx->num_untrusted; i++) {
753	int ret;	753	int ret;
754	x = sk_X509_value(ctx->chain, i);	754	x = sk_X509_value(ctx->chain, i);
755	if (!(ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL) &&	755	if (!(ctx->param->flags & X509_V_FLAG_IGNORE_CRITICAL) &&
@@ -922,7 +922,7 @@ check_trust(X509_STORE_CTX *ctx)
922		922
923	cb = ctx->verify_cb;	923	cb = ctx->verify_cb;
924	/* Check all trusted certificates in chain */	924	/* Check all trusted certificates in chain */
925	for (i = ctx->last_untrusted; i < sk_X509_num(ctx->chain); i++) {	925	for (i = ctx->num_untrusted; i < sk_X509_num(ctx->chain); i++) {
926	x = sk_X509_value(ctx->chain, i);	926	x = sk_X509_value(ctx->chain, i);
927	ok = X509_check_trust(x, ctx->param->trust, 0);	927	ok = X509_check_trust(x, ctx->param->trust, 0);
928		928
@@ -948,14 +948,14 @@ check_trust(X509_STORE_CTX *ctx)
948	*/	948	*/
949	if (ctx->param->flags & X509_V_FLAG_PARTIAL_CHAIN) {	949	if (ctx->param->flags & X509_V_FLAG_PARTIAL_CHAIN) {
950	X509 *mx;	950	X509 *mx;
951	if (ctx->last_untrusted < (int)sk_X509_num(ctx->chain))	951	if (ctx->num_untrusted < (int)sk_X509_num(ctx->chain))
952	return X509_TRUST_TRUSTED;	952	return X509_TRUST_TRUSTED;
953	x = sk_X509_value(ctx->chain, 0);	953	x = sk_X509_value(ctx->chain, 0);
954	mx = lookup_cert_match(ctx, x);	954	mx = lookup_cert_match(ctx, x);
955	if (mx) {	955	if (mx) {
956	(void)sk_X509_set(ctx->chain, 0, mx);	956	(void)sk_X509_set(ctx->chain, 0, mx);
957	X509_free(x);	957	X509_free(x);
958	ctx->last_untrusted = 0;	958	ctx->num_untrusted = 0;
959	return X509_TRUST_TRUSTED;	959	return X509_TRUST_TRUSTED;
960	}	960	}
961	}	961	}
@@ -2567,7 +2567,7 @@ X509_STORE_CTX_get_explicit_policy(X509_STORE_CTX *ctx)
2567	int	2567	int
2568	X509_STORE_CTX_get_num_untrusted(X509_STORE_CTX *ctx)	2568	X509_STORE_CTX_get_num_untrusted(X509_STORE_CTX *ctx)
2569	{	2569	{
2570	return ctx->last_untrusted; /* XXX */	2570	return ctx->num_untrusted;
2571	}	2571	}
2572		2572
2573	int	2573	int