From 5fc393520e66be4c7d4cf4501e6eba680d3d5606 Mon Sep 17 00:00:00 2001
From: tb
Date: Wed, 13 Oct 2021 18:09:42 +0000
Subject: [PATCH] acme-client: stop reaching into X509
Prepare for an upcoming change in libcrypto and retrieve the stack of extensions via X509_get0_extensions(). Simplify the for loop by relying on the fact that empty or NULL stacks have an sk_num() of 0 and -1, respectively, so the loop won't be entered and the extsz dance is unnecessary. ok florian
---
 usr.sbin/acme-client/revokeproc.c | 36 +++++++++++++++----------------
 1 file changed, 18 insertions(+), 18 deletions(-)
diff --git a/usr.sbin/acme-client/revokeproc.c b/usr.sbin/acme-client/revokeproc.c
index e3cab0cd5a2..9280b2c334f 100644
--- a/usr.sbin/acme-client/revokeproc.c
+++ b/usr.sbin/acme-client/revokeproc.c
@@ -1,4 +1,4 @@
-/* $Id: revokeproc.c,v 1.17 2021/01/02 19:04:21 sthen Exp $ */
+/* $Id: revokeproc.c,v 1.18 2021/10/13 18:09:42 tb Exp $ */
 /*
 * Copyright (c) 2016 Kristaps Dzonsons
 *
@@ -94,19 +94,20 @@ int
 revokeproc(int fd, const char *certfile, int force,
 int revocate, const char *const *alts, size_t altsz)
 {
- char *der = NULL, *dercp, *der64 = NULL;
- char *san = NULL, *str, *tok;
- int rc = 0, cc, i, extsz, ssz, len;
- size_t *found = NULL;
- BIO *bio = NULL;
- FILE *f = NULL;
- X509 *x = NULL;
- long lval;
- enum revokeop op, rop;
- time_t t;
- X509_EXTENSION *ex;
- ASN1_OBJECT *obj;
- size_t j;
+ char *der = NULL, *dercp, *der64 = NULL;
+ char *san = NULL, *str, *tok;
+ int rc = 0, cc, i, ssz, len;
+ size_t *found = NULL;
+ BIO *bio = NULL;
+ FILE *f = NULL;
+ X509 *x = NULL;
+ long lval;
+ enum revokeop op, rop;
+ time_t t;
+ const STACK_OF(X509_EXTENSION) *exts;
+ X509_EXTENSION *ex;
+ ASN1_OBJECT *obj;
+ size_t j;
 /*
 * First try to open the certificate before we drop privileges
@@ -164,13 +165,12 @@ revokeproc(int fd, const char *certfile, int force,
 * command line.
 */
- extsz = x->cert_info->extensions != NULL ?
- sk_X509_EXTENSION_num(x->cert_info->extensions) : 0;
+ exts = X509_get0_extensions(x);
 /* Scan til we find the SAN NID. */
- for (i = 0; i < extsz; i++) {
- ex = sk_X509_EXTENSION_value(x->cert_info->extensions, i);
+ for (i = 0; i < sk_X509_EXTENSION_num(exts); i++) {
+ ex = sk_X509_EXTENSION_value(exts, i);
 assert(ex != NULL);
 obj = X509_EXTENSION_get_object(ex);
 assert(obj != NULL);
--
2.20.1
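Review bot: Nothing at the new `exts = X509_get0_extensions(x);` line records that `exts` may be NULL, so the loop's safety now rests on `sk_X509_EXTENSION_num()` returning -1 for a NULL stack, a fact stated only in the commit message. The certificate appears to be read from a file named by `certfile`, so a certificate with no extensions looks like a reachable input, and the explicit NULL test that used to sit here has been removed. I would add a comment above the loop such as `/* exts is NULL if the cert has no extensions; sk_X509_EXTENSION_num(NULL) is -1, so the loop is skipped. */`. The `assert(ex != NULL)` and `assert(obj != NULL)` context lines are the only other guards in view and disappear in a build with NDEBUG defined, which is a further reason to document the contract in the code. revokeproc's body starts and ends outside this hunk, so what happens after the loop when no SAN extension is found cannot be checked here.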