In the PKINIT OpenSSL crypto code, use a signed int to hold the result
authorGreg Hudson <ghudson@mit.edu>
Wed, 15 Sep 2010 22:43:00 +0000 (22:43 +0000)
committerGreg Hudson <ghudson@mit.edu>
Wed, 15 Sep 2010 22:43:00 +0000 (22:43 +0000)
of X509_get_ext_by_NID so we can detect negative return values.
Reported by nalin@redhat.com.

ticket: 6774

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@24323 dc483132-0cff-0310-8789-dd5450dbe970

src/plugins/preauth/pkinit/pkinit_crypto_openssl.c

index a109a6797ab79c097bfdded3f2315aab8fd42eb4..bb8f036daa517ef680aabb5e690e74873951d0ce 100644 (file)
@@ -1767,7 +1767,7 @@ crypto_retrieve_X509_sans(krb5_context context,
 {
     krb5_error_code retval = EINVAL;
     char buf[DN_BUF_LEN];
-    int p = 0, u = 0, d = 0;
+    int p = 0, u = 0, d = 0, l;
     krb5_principal *princs = NULL;
     krb5_principal *upns = NULL;
     unsigned char **dnss = NULL;
@@ -1787,14 +1787,14 @@ crypto_retrieve_X509_sans(krb5_context context,
                       buf, sizeof(buf));
     pkiDebug("%s: looking for SANs in cert = %s\n", __FUNCTION__, buf);
 
-    if ((i = X509_get_ext_by_NID(cert, NID_subject_alt_name, -1)) >= 0) {
+    if ((l = X509_get_ext_by_NID(cert, NID_subject_alt_name, -1)) >= 0) {
         X509_EXTENSION *ext = NULL;
         GENERAL_NAMES *ialt = NULL;
         GENERAL_NAME *gen = NULL;
         int ret = 0;
         unsigned int num_sans = 0;
 
-        if (!(ext = X509_get_ext(cert, i)) || !(ialt = X509V3_EXT_d2i(ext))) {
+        if (!(ext = X509_get_ext(cert, l)) || !(ialt = X509V3_EXT_d2i(ext))) {
             pkiDebug("%s: found no subject alt name extensions\n",
                      __FUNCTION__);
             goto cleanup;