From 8bce0c5242ea586811fc25daf24eaf37f3a9a93b Mon Sep 17 00:00:00 2001
From: tb
Date: Sat, 3 Feb 2024 14:43:15 +0000
Subject: [PATCH] Fix X509_get_ext_count() usage

It doesn't return a value < 0. If it did, someone could feed rpki-client a bad cert that makes it error out, which is bad. There are various checks that will reject a cert without extensions, so we don't need to check this explicitly.

ok job
---
 usr.sbin/rpki-client/cert.c | 12 ++++--------
 1 file changed, 4 insertions(+), 8 deletions(-)

diff --git a/usr.sbin/rpki-client/cert.c b/usr.sbin/rpki-client/cert.c
index e528e927a78..7e743dc90fd 100644
--- a/usr.sbin/rpki-client/cert.c
+++ b/usr.sbin/rpki-client/cert.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cert.c,v 1.123 2024/02/01 15:11:38 tb Exp $ */
+/* $OpenBSD: cert.c,v 1.124 2024/02/03 14:43:15 tb Exp $ */
 /*
  * Copyright (c) 2022 Theo Buehler
  * Copyright (c) 2021 Job Snijders
@@ -737,8 +737,7 @@ struct cert *
 cert_parse_pre(const char *fn, const unsigned char *der, size_t len)
 {
 	const unsigned char *oder;
-	int extsz;
-	size_t i;
+	int i;
 	X509 *x = NULL;
 	X509_EXTENSION *ext = NULL;
 	const X509_ALGOR *palg;
@@ -810,10 +809,7 @@ cert_parse_pre(const char *fn, const unsigned char *der, size_t len)
 
 	/* Look for X509v3 extensions. */
 
-	if ((extsz = X509_get_ext_count(x)) < 0)
-		errx(1, "X509_get_ext_count");
-
-	for (i = 0; i < (size_t)extsz; i++) {
+	for (i = 0; i < X509_get_ext_count(x); i++) {
 		ext = X509_get_ext(x, i);
 		assert(ext != NULL);
 		obj = X509_EXTENSION_get_object(ext);
@@ -942,7 +938,7 @@ cert_parse_pre(const char *fn, const unsigned char *der, size_t len)
 			    p.fn);
 			goto out;
 		}
-		for (i = 0; i < p.res->asz; i++) {
+		for (i = 0; (size_t)i < p.res->asz; i++) {
 			if (p.res->as[i].type == CERT_AS_INHERIT) {
 				warnx("%s: inherit elements not allowed in EE"
 				    " cert", p.fn);
-- 
2.20.1
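Review bot: The reasoning for dropping the `< 0` check on `X509_get_ext_count()` lives only in the commit message; a one-line comment at the new `for` would keep it with the code, e.g. `/* X509_get_ext_count() is never negative; a cert lacking the required extensions is rejected by the checks below. */`. The rewritten loop is also fail-safe on its own terms: a non-positive count simply skips the body, so a crafted certificate can no longer drive this path into `errx()` and terminate the process, which was the hazard the removed lines created. Re-evaluating `X509_get_ext_count(x)` in the loop condition is cheap and `x` is not modified in the visible body, so hoisting it is not needed. cert_parse_pre() starts and ends outside this hunk.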
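Review bot: With `i` now an `int`, the comparison `(size_t)i < p.res->asz` and the index `p.res->as[i]` silently assume `p.res->asz` fits in `int`; if the AS-resource count is bounded elsewhere in the parser (not visible here) that holds, but the cast hides the mixed-signedness rather than documenting it. A dedicated index for this loop, `size_t j;` and `for (j = 0; j < p.res->asz; j++)`, would avoid both the cast and reusing the extension-count counter from the earlier hunk. The enclosing function continues outside the hunk.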