Const-correct and simplify X509_VERIFY_PARAM_set1_policies.

That loop is just sk_ASN1_OBJECT_deep_copy.

Change-Id: Idc9db7f8e0ac28c853415813f49b1441b646c246
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/55746
Reviewed-by: Bob Beck <bbe@google.com>
Commit-Queue: Bob Beck <bbe@google.com>
diff --git a/crypto/x509/x509_vpm.c b/crypto/x509/x509_vpm.c
index e594033..21ad5e0 100644
--- a/crypto/x509/x509_vpm.c
+++ b/crypto/x509/x509_vpm.c
@@ -395,41 +395,31 @@
   if (!sk_ASN1_OBJECT_push(param->policies, policy)) {
     return 0;
   }
+  // TODO(davidben): This does not set |X509_V_FLAG_POLICY_CHECK|, while
+  // |X509_VERIFY_PARAM_set1_policies| does. Is this a bug?
   return 1;
 }
 
+static ASN1_OBJECT *dup_object(ASN1_OBJECT *obj) { return OBJ_dup(obj); }
+
 int X509_VERIFY_PARAM_set1_policies(X509_VERIFY_PARAM *param,
-                                    STACK_OF(ASN1_OBJECT) *policies) {
-  size_t i;
-  ASN1_OBJECT *oid, *doid;
+                                    const STACK_OF(ASN1_OBJECT) *policies) {
   if (!param) {
     return 0;
   }
-  if (param->policies) {
-    sk_ASN1_OBJECT_pop_free(param->policies, ASN1_OBJECT_free);
-  }
 
+  sk_ASN1_OBJECT_pop_free(param->policies, ASN1_OBJECT_free);
   if (!policies) {
     param->policies = NULL;
     return 1;
   }
 
-  param->policies = sk_ASN1_OBJECT_new_null();
+  param->policies =
+      sk_ASN1_OBJECT_deep_copy(policies, dup_object, ASN1_OBJECT_free);
   if (!param->policies) {
     return 0;
   }
 
-  for (i = 0; i < sk_ASN1_OBJECT_num(policies); i++) {
-    oid = sk_ASN1_OBJECT_value(policies, i);
-    doid = OBJ_dup(oid);
-    if (!doid) {
-      return 0;
-    }
-    if (!sk_ASN1_OBJECT_push(param->policies, doid)) {
-      ASN1_OBJECT_free(doid);
-      return 0;
-    }
-  }
   param->flags |= X509_V_FLAG_POLICY_CHECK;
   return 1;
 }
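Review bot: `X509_VERIFY_PARAM_set1_policies` still releases `param->policies` with `sk_ASN1_OBJECT_pop_free` before `sk_ASN1_OBJECT_deep_copy` reads `policies`, so the old set is gone before the new one is known to exist. If a caller passes the stack that `param` already owns, the copy reads freed objects. If the copy fails, the function returns 0 with `param->policies` set to NULL, so a caller that ignores the return value verifies without the policy set it had configured. How the verifier treats a NULL set is not visible here and should be confirmed. Copying first and swapping only on success closes both cases and leaves `param` unchanged on error. The ordering predates this change, so a follow-up would also be reasonable.

```c
  // … unchanged: NULL check on |param| …

  if (!policies) {
    sk_ASN1_OBJECT_pop_free(param->policies, ASN1_OBJECT_free);
    param->policies = NULL;
    return 1;
  }

  // Copy before releasing the old set so |param| is untouched on failure and
  // |policies| may alias |param->policies|.
  STACK_OF(ASN1_OBJECT) *copy =
      sk_ASN1_OBJECT_deep_copy(policies, dup_object, ASN1_OBJECT_free);
  if (!copy) {
    return 0;
  }
  sk_ASN1_OBJECT_pop_free(param->policies, ASN1_OBJECT_free);
  param->policies = copy;

  // … unchanged: set X509_V_FLAG_POLICY_CHECK, return 1 …
```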
diff --git a/include/openssl/x509.h b/include/openssl/x509.h
index e3369d9..ee103ca 100644
--- a/include/openssl/x509.h
+++ b/include/openssl/x509.h
@@ -2808,7 +2808,7 @@
 OPENSSL_EXPORT int X509_VERIFY_PARAM_add0_policy(X509_VERIFY_PARAM *param,
                                                  ASN1_OBJECT *policy);
 OPENSSL_EXPORT int X509_VERIFY_PARAM_set1_policies(
-    X509_VERIFY_PARAM *param, STACK_OF(ASN1_OBJECT) *policies);
+    X509_VERIFY_PARAM *param, const STACK_OF(ASN1_OBJECT) *policies);
 
 OPENSSL_EXPORT int X509_VERIFY_PARAM_set1_host(X509_VERIFY_PARAM *param,
                                                const char *name,
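Review bot: The `X509_VERIFY_PARAM_set1_policies` prototype has no comment in this hunk, although it is the place callers look for the contract that the new `const` implies. I would add above it: `// X509_VERIFY_PARAM_set1_policies replaces |param|'s policies with a copy of |policies|, or clears them if |policies| is NULL. On non-NULL input it also sets |X509_V_FLAG_POLICY_CHECK|. It returns one on success and zero on error.` The TODO added in x509_vpm.c says `X509_VERIFY_PARAM_add0_policy`, declared just above, does not set that flag. A one-line note on that declaration would warn callers that adding policies through it alone may leave policy checking disabled.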