Theo Buehler([email protected]) on 2021.10.13 13:55:14 +0200:
> In an upcoming libcrypto bump, we will make a few structs in libcrypto
> opaque. This needs a small change in acme-client. Fetch the extension
> stack using X509_get0_extensions() and iterate using the stack API.
> Note that sk_*_num() returns -1 on NULL, so we won't enter the for loop
> and the extsz dance is unnecessary.
>
> The first hunk is mostly whitespace. It only drops extsz and adds exts.
ok benno@
>
> Index: revokeproc.c
> ===================================================================
> RCS file: /cvs/src/usr.sbin/acme-client/revokeproc.c,v
> retrieving revision 1.17
> diff -u -p -r1.17 revokeproc.c
> --- revokeproc.c 2 Jan 2021 19:04:21 -0000 1.17
> +++ revokeproc.c 13 Oct 2021 10:44:57 -0000
> @@ -94,19 +94,20 @@ int
> revokeproc(int fd, const char *certfile, int force,
> int revocate, const char *const *alts, size_t altsz)
> {
> - char *der = NULL, *dercp, *der64 = NULL;
> - char *san = NULL, *str, *tok;
> - int rc = 0, cc, i, extsz, ssz, len;
> - size_t *found = NULL;
> - BIO *bio = NULL;
> - FILE *f = NULL;
> - X509 *x = NULL;
> - long lval;
> - enum revokeop op, rop;
> - time_t t;
> - X509_EXTENSION *ex;
> - ASN1_OBJECT *obj;
> - size_t j;
> + char *der = NULL, *dercp, *der64 = NULL;
> + char *san = NULL, *str, *tok;
> + int rc = 0, cc, i, ssz, len;
> + size_t *found = NULL;
> + BIO *bio = NULL;
> + FILE *f = NULL;
> + X509 *x = NULL;
> + long lval;
> + enum revokeop op, rop;
> + time_t t;
> + const STACK_OF(X509_EXTENSION) *exts;
> + X509_EXTENSION *ex;
> + ASN1_OBJECT *obj;
> + size_t j;
>
> /*
> * First try to open the certificate before we drop privileges
> @@ -164,13 +165,12 @@ revokeproc(int fd, const char *certfile,
> * command line.
> */
>
> - extsz = x->cert_info->extensions != NULL ?
> - sk_X509_EXTENSION_num(x->cert_info->extensions) : 0;
> + exts = X509_get0_extensions(x);
>
> /* Scan til we find the SAN NID. */
>
> - for (i = 0; i < extsz; i++) {
> - ex = sk_X509_EXTENSION_value(x->cert_info->extensions, i);
> + for (i = 0; i < sk_X509_EXTENSION_num(exts); i++) {
> + ex = sk_X509_EXTENSION_value(exts, i);
> assert(ex != NULL);
> obj = X509_EXTENSION_get_object(ex);
> assert(obj != NULL);
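Review bot: The new loop `for (i = 0; i < sk_X509_EXTENSION_num(exts); i++)` depends on two library contracts that only the commit message records: X509_get0_extensions() can hand back NULL for a certificate without extensions, and sk_X509_EXTENSION_num(NULL) returns -1, so the body is skipped. I would put that in a comment above the assignment, for example `/* exts is borrowed from x, do not free; may be NULL, sk_*_num(NULL) == -1 */`. Without it, a later change that caches the count in an unsigned or size_t variable would turn -1 into a huge bound and index a NULL stack. revokeproc's body starts and ends outside this hunk, so how a certificate with no SAN is handled after the loop is not visible here.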
>