From: tb <tb@openbsd.org>
Date: Wed, 5 Jan 2022 17:46:44 +0000 (+0000)
Subject: Add a helper function to turn unchecked (but sound) use of
X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=2ad22f62d8f783f3c093cd0022086f72e430859e;p=openbsd

Add a helper function to turn unchecked (but sound) use of
sk_find + sk_value into something easier to follow and swallow.

ok inoguchi jsing
---

diff --git a/lib/libcrypto/x509/x509_addr.c b/lib/libcrypto/x509/x509_addr.c
index 54cfd485cdf..cd04f815fa1 100644
--- a/lib/libcrypto/x509/x509_addr.c
+++ b/lib/libcrypto/x509/x509_addr.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: x509_addr.c,v 1.68 2022/01/05 17:44:30 tb Exp $ */
+/*	$OpenBSD: x509_addr.c,v 1.69 2022/01/05 17:46:44 tb Exp $ */
 /*
  * Contributed to the OpenSSL Project by the American Registry for
  * Internet Numbers ("ARIN").
@@ -480,6 +480,19 @@ IPAddressFamily_cmp(const IPAddressFamily *const *a_,
 	return a->length - b->length;
 }
 
+static IPAddressFamily *
+IPAddressFamily_find_in_parent(IPAddrBlocks *parent, IPAddressFamily *child_af)
+{
+	int index;
+
+	sk_IPAddressFamily_set_cmp_func(parent, IPAddressFamily_cmp);
+
+	if ((index = sk_IPAddressFamily_find(parent, child_af)) < 0)
+		return NULL;
+
+	return sk_IPAddressFamily_value(parent, index);
+}
+
 /*
  * Extract the AFI from an IPAddressFamily.
  *
@@ -1687,7 +1700,7 @@ X509v3_addr_subset(IPAddrBlocks *child, IPAddrBlocks *parent)
 {
 	IPAddressFamily *fc, *fp;
 	IPAddressOrRanges *aorc, *aorp;
-	int i, j, length;
+	int i, length;
 
 	if (child == NULL || child == parent)
 		return 1;
@@ -1697,14 +1710,10 @@ X509v3_addr_subset(IPAddrBlocks *child, IPAddrBlocks *parent)
 	if (X509v3_addr_inherits(child) || X509v3_addr_inherits(parent))
 		return 0;
 
-	sk_IPAddressFamily_set_cmp_func(parent, IPAddressFamily_cmp);
-
 	for (i = 0; i < sk_IPAddressFamily_num(child); i++) {
 		fc = sk_IPAddressFamily_value(child, i);
 
-		j = sk_IPAddressFamily_find(parent, fc);
-		fp = sk_IPAddressFamily_value(parent, j);
-		if (fp == NULL)
+		if ((fp = IPAddressFamily_find_in_parent(parent, fc)) == NULL)
 			return 0;
 
 		if (!IPAddressFamily_afi_length(fp, &length))
@@ -1749,7 +1758,7 @@ addr_validate_path_internal(X509_STORE_CTX *ctx, STACK_OF(X509) *chain,
 	IPAddressOrRanges *aorc, *aorp;
 	X509 *cert = NULL;
 	int depth = -1;
-	int i, k;
+	int i;
 	unsigned int length;
 	int ret = 1;
 
@@ -1818,8 +1827,6 @@ addr_validate_path_internal(X509_STORE_CTX *ctx, STACK_OF(X509) *chain,
 				goto done;
 		}
 
-		sk_IPAddressFamily_set_cmp_func(parent, IPAddressFamily_cmp);
-
 		/*
 		 * Check that the child's resources are covered by the parent.
 		 * Each covered resource is replaced with the parent's resource
@@ -1829,9 +1836,7 @@ addr_validate_path_internal(X509_STORE_CTX *ctx, STACK_OF(X509) *chain,
 		for (i = 0; i < sk_IPAddressFamily_num(child); i++) {
 			fc = sk_IPAddressFamily_value(child, i);
 
-			k = sk_IPAddressFamily_find(parent, fc);
-			fp = sk_IPAddressFamily_value(parent, k);
-
+			fp = IPAddressFamily_find_in_parent(parent, fc);
 			if (fp == NULL) {
 				/*
 				 * If we have no match in the parent and the