diff options
author | Theo Buehler <tb@cvs.openbsd.org> | 2022-01-05 17:46:45 +0000 |
---|---|---|
committer | Theo Buehler <tb@cvs.openbsd.org> | 2022-01-05 17:46:45 +0000 |
commit | 190906ee0a5216d5be18a272e8a3087a8d3af8e3 (patch) | |
tree | 996a28c264483c9699621035a6242bfd020967c8 | |
parent | 3a4131f5eed3ab0237168059fbc1af4a8c023e03 (diff) |
Add a helper function to turn unchecked (but sound) use of
sk_find + sk_value into something easier to follow and swallow.
ok inoguchi jsing
-rw-r--r-- | lib/libcrypto/x509/x509_addr.c | 31 |
1 files changed, 18 insertions, 13 deletions
diff --git a/lib/libcrypto/x509/x509_addr.c b/lib/libcrypto/x509/x509_addr.c index 54cfd485cdf..cd04f815fa1 100644 --- a/lib/libcrypto/x509/x509_addr.c +++ b/lib/libcrypto/x509/x509_addr.c @@ -1,4 +1,4 @@ -/* $OpenBSD: x509_addr.c,v 1.68 2022/01/05 17:44:30 tb Exp $ */ +/* $OpenBSD: x509_addr.c,v 1.69 2022/01/05 17:46:44 tb Exp $ */ /* * Contributed to the OpenSSL Project by the American Registry for * Internet Numbers ("ARIN"). @@ -480,6 +480,19 @@ IPAddressFamily_cmp(const IPAddressFamily *const *a_, return a->length - b->length; } +static IPAddressFamily * +IPAddressFamily_find_in_parent(IPAddrBlocks *parent, IPAddressFamily *child_af) +{ + int index; + + sk_IPAddressFamily_set_cmp_func(parent, IPAddressFamily_cmp); + + if ((index = sk_IPAddressFamily_find(parent, child_af)) < 0) + return NULL; + + return sk_IPAddressFamily_value(parent, index); +} + /* * Extract the AFI from an IPAddressFamily. * @@ -1687,7 +1700,7 @@ X509v3_addr_subset(IPAddrBlocks *child, IPAddrBlocks *parent) { IPAddressFamily *fc, *fp; IPAddressOrRanges *aorc, *aorp; - int i, j, length; + int i, length; if (child == NULL || child == parent) return 1; @@ -1697,14 +1710,10 @@ X509v3_addr_subset(IPAddrBlocks *child, IPAddrBlocks *parent) if (X509v3_addr_inherits(child) || X509v3_addr_inherits(parent)) return 0; - sk_IPAddressFamily_set_cmp_func(parent, IPAddressFamily_cmp); - for (i = 0; i < sk_IPAddressFamily_num(child); i++) { fc = sk_IPAddressFamily_value(child, i); - j = sk_IPAddressFamily_find(parent, fc); - fp = sk_IPAddressFamily_value(parent, j); - if (fp == NULL) + if ((fp = IPAddressFamily_find_in_parent(parent, fc)) == NULL) return 0; if (!IPAddressFamily_afi_length(fp, &length)) @@ -1749,7 +1758,7 @@ addr_validate_path_internal(X509_STORE_CTX *ctx, STACK_OF(X509) *chain, IPAddressOrRanges *aorc, *aorp; X509 *cert = NULL; int depth = -1; - int i, k; + int i; unsigned int length; int ret = 1; @@ -1818,8 +1827,6 @@ addr_validate_path_internal(X509_STORE_CTX *ctx, STACK_OF(X509) *chain, goto done; } - sk_IPAddressFamily_set_cmp_func(parent, IPAddressFamily_cmp); - /* * Check that the child's resources are covered by the parent. * Each covered resource is replaced with the parent's resource @@ -1829,9 +1836,7 @@ addr_validate_path_internal(X509_STORE_CTX *ctx, STACK_OF(X509) *chain, for (i = 0; i < sk_IPAddressFamily_num(child); i++) { fc = sk_IPAddressFamily_value(child, i); - k = sk_IPAddressFamily_find(parent, fc); - fp = sk_IPAddressFamily_value(parent, k); - + fp = IPAddressFamily_find_in_parent(parent, fc); if (fp == NULL) { /* * If we have no match in the parent and the |