From 6788a3ca30d19b303ceb248494dbeb8ac51bedb0 Mon Sep 17 00:00:00 2001
From: tb <tb@openbsd.org>
Date: Wed, 5 Jan 2022 17:38:14 +0000
Subject: [PATCH] In addr_validate_path_internal() rename i to depth because
 that's what it is.

---
 lib/libcrypto/x509/x509_addr.c | 32 +++++++++++++++-----------------
 1 file changed, 15 insertions(+), 17 deletions(-)

diff --git a/lib/libcrypto/x509/x509_addr.c b/lib/libcrypto/x509/x509_addr.c
index dac9d8e0558..056fa866b54 100644
--- a/lib/libcrypto/x509/x509_addr.c
+++ b/lib/libcrypto/x509/x509_addr.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: x509_addr.c,v 1.64 2022/01/05 17:36:32 tb Exp $ */
+/*	$OpenBSD: x509_addr.c,v 1.65 2022/01/05 17:38:14 tb Exp $ */
 /*
  * Contributed to the OpenSSL Project by the American Registry for
  * Internet Numbers ("ARIN").
@@ -1747,8 +1747,9 @@ addr_validate_path_internal(X509_STORE_CTX *ctx, STACK_OF(X509) *chain,
 	IPAddrBlocks *child = NULL, *parent = NULL;
 	IPAddressFamily *fc, *fp;
 	IPAddressOrRanges *aorc, *aorp;
-	X509 *x;
-	int i, j, k;
+	X509 *x = NULL;
+	int depth = -1;
+	int j, k;
 	unsigned int length;
 	int ret = 1;
 
@@ -1767,19 +1768,16 @@ addr_validate_path_internal(X509_STORE_CTX *ctx, STACK_OF(X509) *chain,
 	 * we're done.  Otherwise, check canonical form and set up for walking
 	 * up the chain.
 	 */
-	if (ext != NULL) {
-		i = -1;
-		x = NULL;
-	} else {
-		i = 0;
-		x = sk_X509_value(chain, i);
+	if (ext == NULL) {
+		depth = 0;
+		x = sk_X509_value(chain, depth);
 		if ((ext = x->rfc3779_addr) == NULL)
 			goto done;
 	}
 
 	if (!X509v3_addr_is_canonical(ext)) {
 		if ((ret = verify_error(ctx, x,
-		    X509_V_ERR_INVALID_EXTENSION, i)) == 0)
+		    X509_V_ERR_INVALID_EXTENSION, depth)) == 0)
 			goto done;
 	}
 
@@ -1796,8 +1794,8 @@ addr_validate_path_internal(X509_STORE_CTX *ctx, STACK_OF(X509) *chain,
 	 * Now walk up the chain. No cert may list resources that its parent
 	 * doesn't list.
 	 */
-	for (i++; i < sk_X509_num(chain); i++) {
-		x = sk_X509_value(chain, i);
+	for (depth++; depth < sk_X509_num(chain); depth++) {
+		x = sk_X509_value(chain, depth);
 
 		if ((parent = x->rfc3779_addr) == NULL) {
 			for (j = 0; j < sk_IPAddressFamily_num(child); j++) {
@@ -1807,7 +1805,7 @@ addr_validate_path_internal(X509_STORE_CTX *ctx, STACK_OF(X509) *chain,
 					continue;
 
 				if ((ret = verify_error(ctx, x,
-				    X509_V_ERR_UNNESTED_RESOURCE, i)) == 0)
+				    X509_V_ERR_UNNESTED_RESOURCE, depth)) == 0)
 					goto done;
 				break;
 			}
@@ -1816,7 +1814,7 @@ addr_validate_path_internal(X509_STORE_CTX *ctx, STACK_OF(X509) *chain,
 
 		if (!X509v3_addr_is_canonical(parent)) {
 			if ((ret = verify_error(ctx, x,
-			    X509_V_ERR_INVALID_EXTENSION, i)) == 0)
+			    X509_V_ERR_INVALID_EXTENSION, depth)) == 0)
 				goto done;
 		}
 
@@ -1844,7 +1842,7 @@ addr_validate_path_internal(X509_STORE_CTX *ctx, STACK_OF(X509) *chain,
 
 				/* Otherwise the child isn't covered. */
 				if ((ret = verify_error(ctx, x,
-				    X509_V_ERR_UNNESTED_RESOURCE, i)) == 0)
+				    X509_V_ERR_UNNESTED_RESOURCE, depth)) == 0)
 					goto done;
 				break;
 			}
@@ -1880,7 +1878,7 @@ addr_validate_path_internal(X509_STORE_CTX *ctx, STACK_OF(X509) *chain,
 			}
 
 			if ((ret = verify_error(ctx, x,
-			    X509_V_ERR_UNNESTED_RESOURCE, i)) == 0)
+			    X509_V_ERR_UNNESTED_RESOURCE, depth)) == 0)
 				goto done;
 		}
 	}
@@ -1899,7 +1897,7 @@ addr_validate_path_internal(X509_STORE_CTX *ctx, STACK_OF(X509) *chain,
 				continue;
 
 			if ((ret = verify_error(ctx, x,
-			    X509_V_ERR_UNNESTED_RESOURCE, i)) == 0)
+			    X509_V_ERR_UNNESTED_RESOURCE, depth)) == 0)
 				goto done;
 		}
 	}
-- 
2.20.1