Turn asserts in ASIdentifierChoice_canonize() into error checks

The first assert ensures that a stack that was just sorted in a stronger
sense is sorted in a weak sense and the second assert ensures that
the result of the canonization procedure is canonical. All callers check
for error, so these asserts don't do anything useful.

ok jsing

diff --git a/lib/libcrypto/x509/x509_asid.c b/lib/libcrypto/x509/x509_asid.c
index 5eeb595..bf51c9b 100644 (file)
--- a/lib/libcrypto/x509/x509_asid.c
+++ b/lib/libcrypto/x509/x509_asid.c
@@ -1,4 +1,4 @@
-/*     $OpenBSD: x509_asid.c,v 1.25 2021/12/24 02:22:16 tb Exp $ */
+/*     $OpenBSD: x509_asid.c,v 1.26 2021/12/24 02:23:44 tb Exp $ */
 /*
  * Contributed to the OpenSSL Project by the American Registry for
  * Internet Numbers ("ARIN").
@@ -649,7 +649,8 @@ ASIdentifierChoice_canonize(ASIdentifierChoice *choice)
                /*
                 * Make sure we're properly sorted (paranoia).
                 */
-               OPENSSL_assert(ASN1_INTEGER_cmp(a_min, b_min) <= 0);
+               if (ASN1_INTEGER_cmp(a_min, b_min) > 0)
+                       goto done;
 
                /*
                 * Punt inverted ranges.
@@ -736,7 +737,8 @@ ASIdentifierChoice_canonize(ASIdentifierChoice *choice)
        }
 
        /* Paranoia */
-       OPENSSL_assert(ASIdentifierChoice_is_canonical(choice));
+       if (!ASIdentifierChoice_is_canonical(choice))
+               goto done;
 
        ret = 1;