From 66d5d7d5b34bf542137abdb15c68ec1be3f500d7 Mon Sep 17 00:00:00 2001
From: tb <>
Date: Fri, 28 Apr 2023 15:27:15 +0000
Subject: Deassert X509_policy_check()

Instead of asserting that i == num_certs - 2, simply make that an error check.
with beck ok jsing
---
 src/lib/libcrypto/x509/x509_policy.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/lib/libcrypto/x509/x509_policy.c b/src/lib/libcrypto/x509/x509_policy.c
index 0f60a11c77..c2ef47aa0f 100644
--- a/src/lib/libcrypto/x509/x509_policy.c
+++ b/src/lib/libcrypto/x509/x509_policy.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_policy.c,v 1.18 2023/04/28 15:21:22 tb Exp $ */
+/* $OpenBSD: x509_policy.c,v 1.19 2023/04/28 15:27:15 tb Exp $ */
 /*
 * Copyright (c) 2022, Google Inc.
 *
@@ -899,7 +899,8 @@ X509_policy_check(const STACK_OF(X509) *certs,
 is_self_issued = (cert->ex_flags & EXFLAG_SI) != 0;
 if (level == NULL) {
- assert(i == num_certs - 2);
+ if (i != num_certs - 2)
+ goto err;
 level = x509_policy_level_new();
 if (level == NULL)
 goto err;
--
cgit v1.2.3-55-g6feb
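Review bot: The new `goto err` for `i != num_certs - 2` in the `level == NULL` branch leaves through the same label as the `x509_policy_level_new()` allocation failure two lines below, so a broken internal invariant may be reported to the caller with whatever result code is preset for out-of-memory; the `err` label and the result variable are outside this hunk, so this needs confirming there. Because the return value of X509_policy_check() decides whether a chain passes policy validation, it is worth checking that this path fails closed with a verification error rather than a success value, and ideally with a code that identifies an internal error. The check also deserves a one-line explanation, for example `/* level is only NULL on the first iteration, which is expected to be i == num_certs - 2. */`, assuming the loop (not visible here) starts at that index. If `num_certs` is unsigned, `num_certs - 2` wraps for chains shorter than two certificates, so the guard that rules that out earlier in the function should be kept next to this reasoning.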