From 28d6404fff3be532e2c4bfb01943f6bd5eeb5c3f Mon Sep 17 00:00:00 2001
From: tb
Date: Sun, 4 Feb 2024 07:43:27 +0000
Subject: [PATCH] Split X509_get_ext_count() out of for loop again
The compiler can't know that the count doesn't change, so avoid evaluating X509_get_ext_count() in each iteration. Also use a separate loop variable in the ASid non-inheritance check to avoid a silly cast.
ok claudio
---
 usr.sbin/rpki-client/cert.c | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)
diff --git a/usr.sbin/rpki-client/cert.c b/usr.sbin/rpki-client/cert.c
index 7e743dc90fd..14bed46ee61 100644
--- a/usr.sbin/rpki-client/cert.c
+++ b/usr.sbin/rpki-client/cert.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cert.c,v 1.124 2024/02/03 14:43:15 tb Exp $ */
+/* $OpenBSD: cert.c,v 1.125 2024/02/04 07:43:27 tb Exp $ */
 /*
 * Copyright (c) 2022 Theo Buehler
 * Copyright (c) 2021 Job Snijders
@@ -737,7 +737,8 @@ struct cert *
 cert_parse_pre(const char *fn, const unsigned char *der, size_t len)
 {
 const unsigned char *oder;
- int i;
+ size_t j;
+ int i, extsz;
 X509 *x = NULL;
 X509_EXTENSION *ext = NULL;
 const X509_ALGOR *palg;
@@ -808,8 +809,12 @@ cert_parse_pre(const char *fn, const unsigned char *der, size_t len)
 goto out;
 /* Look for X509v3 extensions. */
+ if ((extsz = X509_get_ext_count(x)) <= 0) {
+ warnx("%s: certificate without X.509v3 extensions", fn);
+ goto out;
+ }
- for (i = 0; i < X509_get_ext_count(x); i++) {
+ for (i = 0; i < extsz; i++) {
 ext = X509_get_ext(x, i);
 assert(ext != NULL);
 obj = X509_EXTENSION_get_object(ext);
@@ -938,8 +943,8 @@ cert_parse_pre(const char *fn, const unsigned char *der, size_t len)
 p.fn);
 goto out;
 }
- for (i = 0; (size_t)i < p.res->asz; i++) {
- if (p.res->as[i].type == CERT_AS_INHERIT) {
+ for (j = 0; j < p.res->asz; j++) {
+ if (p.res->as[j].type == CERT_AS_INHERIT) {
 warnx("%s: inherit elements not allowed in EE"
 " cert", p.fn);
 goto out;
--
2.20.1
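Review bot: In the third hunk (`@@ -808,8 +809,12 @@`) the new `extsz <= 0` branch is a behaviour change the commit message does not mention: a certificate with no extensions is now rejected at this point with its own warning, where the old loop simply ran zero times. Failing closed is the right direction for a validator that parses untrusted certificates, but the check should say so, e.g. `/* No extensions at all: reject early. extsz stays valid only while the loop leaves x's extensions untouched. */`. The loop body runs past the end of this hunk, so whether anything in it alters the extension stack of `x` cannot be confirmed from here. The `assert(ext != NULL)` on the context line now relies on the cached count; if asserts can be compiled out in this build, an explicit `if (ext == NULL) goto out;` would be the safer guard.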