-/* $OpenBSD: x509_asid.c,v 1.23 2021/12/24 02:12:31 tb Exp $ */
+/* $OpenBSD: x509_asid.c,v 1.24 2021/12/24 02:17:27 tb Exp $ */
/*
* Contributed to the OpenSSL Project by the American Registry for
* Internet Numbers ("ARIN").
static int
extract_min_max(ASIdOrRange *aor, ASN1_INTEGER **min, ASN1_INTEGER **max)
{
+ OPENSSL_assert(aor != NULL);
+
switch (aor->type) {
case ASIdOrRange_id:
*min = aor->u.id;
/*
* Make sure we're properly sorted (paranoia).
*/
- if (ASN1_INTEGER_cmp(a_min, b_min) > 0)
- goto done;
+ OPENSSL_assert(ASN1_INTEGER_cmp(a_min, b_min) <= 0);
/*
* Punt inverted ranges.
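Review bot: The line `OPENSSL_assert(ASN1_INTEGER_cmp(a_min, b_min) <= 0);` replaces a check that let the function fail through `done`, so a violated ordering now aborts the calling process (OPENSSL_assert ends in OpenSSLDie) instead of returning an error. The compared values are presumably extracted from the ASIdOrRange entries of an RFC 3779 extension, so if the condition can be reached with data from a certificate, any program verifying untrusted chains can be made to abort. That cannot be settled from this hunk, because the enclosing function starts and ends outside it. The same concern applies to `OPENSSL_assert(ASIdentifierChoice_is_canonical(choice));` in the next hunk and to the asserts on `chain`, `ctx`, `ext` and `x` in asid_validate_path_internal. I would keep the recoverable form, `if (ASN1_INTEGER_cmp(a_min, b_min) > 0)` followed by `goto done;`, or add a comment above each assert stating why the condition cannot fail for parsed input.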
}
/* Paranoia */
- if (!ASIdentifierChoice_is_canonical(choice))
- goto done;
+ OPENSSL_assert(ASIdentifierChoice_is_canonical(choice));
ret = 1;
* Core code for RFC 3779 3.3 path validation.
*/
static int
-asid_validate_path_internal(X509_STORE_CTX *ctx, STACK_OF(X509) *chain,
+asid_validate_path_internal(X509_STORE_CTX *ctx, STACK_OF(X509)*chain,
ASIdentifiers *ext)
{
ASIdOrRanges *child_as = NULL, *child_rdi = NULL;
int i, ret = 1, inherit_as = 0, inherit_rdi = 0;
X509 *x;
- /* We need a non-empty chain to test against. */
- if (sk_X509_num(chain) <= 0)
- goto err;
- /* We need either a store ctx or an extension to work with. */
- if (ctx == NULL && ext == NULL)
- goto err;
- /* If there is a store ctx, it needs a verify_cb. */
- if (ctx != NULL && ctx->verify_cb == NULL)
- goto err;
+ OPENSSL_assert(chain != NULL && sk_X509_num(chain) > 0);
+ OPENSSL_assert(ctx != NULL || ext != NULL);
+ OPENSSL_assert(ctx == NULL || ctx->verify_cb != NULL);
/*
* Figure out where to start. If we don't have an extension to
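Review bot: The three asserts at the top of asid_validate_path_internal turn the non-empty chain, the ctx-or-ext requirement and the verify_cb requirement into hard caller obligations, but the comment above the function does not say so; it should, for example `Callers must pass a non-empty chain, a ctx or an ext, and a ctx with verify_cb set; a violation aborts.` Only X509v3_asid_validate_path is visible on this page, and it (presumably a caller) checks `ctx->chain` and `ctx->verify_cb` first. Any other caller needs equivalent checks, because the removed `err` path that set `ctx->error = X509_V_ERR_UNSPECIFIED` and returned 0 is gone. Separately, `STACK_OF(X509)*chain` in the signature loses the space before `*` that the previous form `STACK_OF(X509) *chain` had. The function body continues outside the hunk.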
*/
for (i++; i < sk_X509_num(chain); i++) {
x = sk_X509_value(chain, i);
+ OPENSSL_assert(x != NULL);
if (x->rfc3779_asid == NULL) {
if (child_as != NULL || child_rdi != NULL)
/*
* Trust anchor can't inherit.
*/
-
- if (x == NULL)
- goto err;
+ OPENSSL_assert(x != NULL);
if (x->rfc3779_asid != NULL) {
if (x->rfc3779_asid->asnum != NULL &&
done:
return ret;
-
- err:
- if (ctx != NULL)
- ctx->error = X509_V_ERR_UNSPECIFIED;
-
- return 0;
}
#undef validation_err
int
X509v3_asid_validate_path(X509_STORE_CTX *ctx)
{
- if (sk_X509_num(ctx->chain) <= 0 || ctx->verify_cb == NULL) {
+ if (ctx->chain == NULL ||
+ sk_X509_num(ctx->chain) == 0 ||
+ ctx->verify_cb == NULL) {
ctx->error = X509_V_ERR_UNSPECIFIED;
return 0;
}