From 4c5a9894be051d3d86d69bfccbc9c2eb4560dbdc Mon Sep 17 00:00:00 2001 From: tb Date: Fri, 24 Dec 2021 02:17:27 +0000 Subject: [PATCH] Revert previous. The commit contained more than intended. --- lib/libcrypto/x509/x509_asid.c | 39 ++++++++++++---------------------- 1 file changed, 14 insertions(+), 25 deletions(-) diff --git a/lib/libcrypto/x509/x509_asid.c b/lib/libcrypto/x509/x509_asid.c index 216fd610c2a..3fdacb711f1 100644 --- a/lib/libcrypto/x509/x509_asid.c +++ b/lib/libcrypto/x509/x509_asid.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_asid.c,v 1.23 2021/12/24 02:12:31 tb Exp $ */ +/* $OpenBSD: x509_asid.c,v 1.24 2021/12/24 02:17:27 tb Exp $ */ /* * Contributed to the OpenSSL Project by the American Registry for * Internet Numbers ("ARIN"). @@ -474,6 +474,8 @@ X509v3_asid_add_id_or_range(ASIdentifiers *asid, int which, ASN1_INTEGER *min, static int extract_min_max(ASIdOrRange *aor, ASN1_INTEGER **min, ASN1_INTEGER **max) { + OPENSSL_assert(aor != NULL); + switch (aor->type) { case ASIdOrRange_id: *min = aor->u.id; @@ -649,8 +651,7 @@ ASIdentifierChoice_canonize(ASIdentifierChoice *choice) /* * Make sure we're properly sorted (paranoia). */ - if (ASN1_INTEGER_cmp(a_min, b_min) > 0) - goto done; + OPENSSL_assert(ASN1_INTEGER_cmp(a_min, b_min) <= 0); /* * Punt inverted ranges. @@ -737,8 +738,7 @@ ASIdentifierChoice_canonize(ASIdentifierChoice *choice) } /* Paranoia */ - if (!ASIdentifierChoice_is_canonical(choice)) - goto done; + OPENSSL_assert(ASIdentifierChoice_is_canonical(choice)); ret = 1; @@ -979,22 +979,16 @@ X509v3_asid_subset(ASIdentifiers *a, ASIdentifiers *b) * Core code for RFC 3779 3.3 path validation. */ static int -asid_validate_path_internal(X509_STORE_CTX *ctx, STACK_OF(X509) *chain, +asid_validate_path_internal(X509_STORE_CTX *ctx, STACK_OF(X509)*chain, ASIdentifiers *ext) { ASIdOrRanges *child_as = NULL, *child_rdi = NULL; int i, ret = 1, inherit_as = 0, inherit_rdi = 0; X509 *x; - /* We need a non-empty chain to test against. */ - if (sk_X509_num(chain) <= 0) - goto err; - /* We need either a store ctx or an extension to work with. */ - if (ctx == NULL && ext == NULL) - goto err; - /* If there is a store ctx, it needs a verify_cb. */ - if (ctx != NULL && ctx->verify_cb == NULL) - goto err; + OPENSSL_assert(chain != NULL && sk_X509_num(chain) > 0); + OPENSSL_assert(ctx != NULL || ext != NULL); + OPENSSL_assert(ctx == NULL || ctx->verify_cb != NULL); /* * Figure out where to start. If we don't have an extension to @@ -1039,6 +1033,7 @@ asid_validate_path_internal(X509_STORE_CTX *ctx, STACK_OF(X509) *chain, */ for (i++; i < sk_X509_num(chain); i++) { x = sk_X509_value(chain, i); + OPENSSL_assert(x != NULL); if (x->rfc3779_asid == NULL) { if (child_as != NULL || child_rdi != NULL) @@ -1085,9 +1080,7 @@ asid_validate_path_internal(X509_STORE_CTX *ctx, STACK_OF(X509) *chain, /* * Trust anchor can't inherit. */ - - if (x == NULL) - goto err; + OPENSSL_assert(x != NULL); if (x->rfc3779_asid != NULL) { if (x->rfc3779_asid->asnum != NULL && @@ -1100,12 +1093,6 @@ asid_validate_path_internal(X509_STORE_CTX *ctx, STACK_OF(X509) *chain, done: return ret; - - err: - if (ctx != NULL) - ctx->error = X509_V_ERR_UNSPECIFIED; - - return 0; } #undef validation_err @@ -1116,7 +1103,9 @@ asid_validate_path_internal(X509_STORE_CTX *ctx, STACK_OF(X509) *chain, int X509v3_asid_validate_path(X509_STORE_CTX *ctx) { - if (sk_X509_num(ctx->chain) <= 0 || ctx->verify_cb == NULL) { + if (ctx->chain == NULL || + sk_X509_num(ctx->chain) == 0 || + ctx->verify_cb == NULL) { ctx->error = X509_V_ERR_UNSPECIFIED; return 0; } -- 2.20.1