From 590db753358a3347436824299d28c2b7b7f2df2b Mon Sep 17 00:00:00 2001
From: tb <>
Date: Fri, 24 Dec 2021 02:23:44 +0000
Subject: Turn asserts in ASIdentifierChoice_canonize() into error checks

The first assert ensures that a stack that was just sorted in a stronger
sense is sorted in a weak sense and the second assert ensures that
the result of the canonization procedure is canonical. All callers check
for error, so these asserts don't do anything useful.

ok jsing
---
 src/lib/libcrypto/x509/x509_asid.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

(limited to 'src/lib')

diff --git a/src/lib/libcrypto/x509/x509_asid.c b/src/lib/libcrypto/x509/x509_asid.c
index 5eeb5953d3..bf51c9bb2a 100644
--- a/src/lib/libcrypto/x509/x509_asid.c
+++ b/src/lib/libcrypto/x509/x509_asid.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: x509_asid.c,v 1.25 2021/12/24 02:22:16 tb Exp $ */
+/*	$OpenBSD: x509_asid.c,v 1.26 2021/12/24 02:23:44 tb Exp $ */
 /*
  * Contributed to the OpenSSL Project by the American Registry for
  * Internet Numbers ("ARIN").
@@ -649,7 +649,8 @@ ASIdentifierChoice_canonize(ASIdentifierChoice *choice)
 		/*
 		 * Make sure we're properly sorted (paranoia).
 		 */
-		OPENSSL_assert(ASN1_INTEGER_cmp(a_min, b_min) <= 0);
+		if (ASN1_INTEGER_cmp(a_min, b_min) > 0)
+			goto done;
 
 		/*
 		 * Punt inverted ranges.
@@ -736,7 +737,8 @@ ASIdentifierChoice_canonize(ASIdentifierChoice *choice)
 	}
 
 	/* Paranoia */
-	OPENSSL_assert(ASIdentifierChoice_is_canonical(choice));
+	if (!ASIdentifierChoice_is_canonical(choice))
+		goto done;
 
 	ret = 1;
 
-- 
cgit v1.2.3-55-g6feb