Chiebot-Mirror
/
boringssl
8
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Make calls to the verify callback consistant by calling ctx->verify_cb

Browse Source 
directly. This removes some temporary variables that would only be
used to hold ctx->verify_cb.

Change-Id: Id8f61c30bc74bb49757085c68baa4e8eec06b1d0
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/52285
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
fips-20220613
Bob Beck 3 years ago committed by Boringssl LUCI CQ
parent f961de5c47
commit 6686352e49
1 changed files with 15 additions and 24 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Unified View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 39
      crypto/x509/x509_vfy.c

39
crypto/x509/x509_vfy.c
Unescape View File

@ -190,8 +190,8 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
X509_VERIFY_PARAM *param = ctx->param; X509_VERIFY_PARAM *param = ctx->param;
int depth, i, ok = 0; int depth, i, ok = 0;
int num, j, retry, trust; int num, j, retry, trust;
int (*cb) (int xok, X509_STORE_CTX *xctx);
STACK_OF(X509) *sktmp = NULL; STACK_OF(X509) *sktmp = NULL;
if (ctx->cert == NULL) { if (ctx->cert == NULL) {
OPENSSL_PUT_ERROR(X509, X509_R_NO_CERT_SET_FOR_US_TO_VERIFY); OPENSSL_PUT_ERROR(X509, X509_R_NO_CERT_SET_FOR_US_TO_VERIFY);
ctx->error = X509_V_ERR_INVALID_CALL; ctx->error = X509_V_ERR_INVALID_CALL;
@ -207,8 +207,6 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
return -1; return -1;
} }
cb = ctx->verify_cb;
/* /*
* first we make sure the chain we are going to build is present and that * first we make sure the chain we are going to build is present and that
* the first entry is in place * the first entry is in place
@ -331,7 +329,7 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
if (ok == 1) if (ok == 1)
X509_free(xtmp); X509_free(xtmp);
bad_chain = 1; bad_chain = 1;
ok = cb(0, ctx); ok = ctx->verify_cb(0, ctx);
if (!ok) if (!ok)
goto end; goto end;
} else { } else {
@ -457,7 +455,7 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
ctx->error_depth = num - 1; ctx->error_depth = num - 1;
bad_chain = 1; bad_chain = 1;
ok = cb(0, ctx); ok = ctx->verify_cb(0, ctx);
if (!ok) if (!ok)
goto end; goto end;
} }
@ -487,7 +485,7 @@ int X509_verify_cert(X509_STORE_CTX *ctx)
if (err != X509_V_OK) { if (err != X509_V_OK) {
ctx->error = err; ctx->error = err;
ctx->current_cert = sk_X509_value(ctx->chain, ctx->error_depth); ctx->current_cert = sk_X509_value(ctx->chain, ctx->error_depth);
ok = cb(0, ctx); ok = ctx->verify_cb(0, ctx);
if (!ok) if (!ok)
goto end; goto end;
} }
@ -577,11 +575,9 @@ static int check_chain_extensions(X509_STORE_CTX *ctx)
{ {
int i, ok = 0, plen = 0; int i, ok = 0, plen = 0;
X509 *x; X509 *x;
int (*cb) (int xok, X509_STORE_CTX *xctx);
int proxy_path_length = 0; int proxy_path_length = 0;
int purpose; int purpose;
int allow_proxy_certs; int allow_proxy_certs;
cb = ctx->verify_cb;
enum { enum {
// ca_or_leaf allows either type of certificate so that direct use of // ca_or_leaf allows either type of certificate so that direct use of
@ -612,7 +608,7 @@ static int check_chain_extensions(X509_STORE_CTX *ctx)
ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION; ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION;
ctx->error_depth = i; ctx->error_depth = i;
ctx->current_cert = x; ctx->current_cert = x;
ok = cb(0, ctx); ok = ctx->verify_cb(0, ctx);
if (!ok) if (!ok)
goto end; goto end;
} }
@ -620,7 +616,7 @@ static int check_chain_extensions(X509_STORE_CTX *ctx)
ctx->error = X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED; ctx->error = X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED;
ctx->error_depth = i; ctx->error_depth = i;
ctx->current_cert = x; ctx->current_cert = x;
ok = cb(0, ctx); ok = ctx->verify_cb(0, ctx);
if (!ok) if (!ok)
goto end; goto end;
} }
@ -651,7 +647,7 @@ static int check_chain_extensions(X509_STORE_CTX *ctx)
if (ret == 0) { if (ret == 0) {
ctx->error_depth = i; ctx->error_depth = i;
ctx->current_cert = x; ctx->current_cert = x;
ok = cb(0, ctx); ok = ctx->verify_cb(0, ctx);
if (!ok) if (!ok)
goto end; goto end;
} }
@ -662,7 +658,7 @@ static int check_chain_extensions(X509_STORE_CTX *ctx)
ctx->error = X509_V_ERR_INVALID_PURPOSE; ctx->error = X509_V_ERR_INVALID_PURPOSE;
ctx->error_depth = i; ctx->error_depth = i;
ctx->current_cert = x; ctx->current_cert = x;
ok = cb(0, ctx); ok = ctx->verify_cb(0, ctx);
if (!ok) if (!ok)
goto end; goto end;
} }
@ -674,7 +670,7 @@ static int check_chain_extensions(X509_STORE_CTX *ctx)
ctx->error = X509_V_ERR_PATH_LENGTH_EXCEEDED; ctx->error = X509_V_ERR_PATH_LENGTH_EXCEEDED;
ctx->error_depth = i; ctx->error_depth = i;
ctx->current_cert = x; ctx->current_cert = x;
ok = cb(0, ctx); ok = ctx->verify_cb(0, ctx);
if (!ok) if (!ok)
goto end; goto end;
} }
@ -691,7 +687,7 @@ static int check_chain_extensions(X509_STORE_CTX *ctx)
ctx->error = X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED; ctx->error = X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED;
ctx->error_depth = i; ctx->error_depth = i;
ctx->current_cert = x; ctx->current_cert = x;
ok = cb(0, ctx); ok = ctx->verify_cb(0, ctx);
if (!ok) if (!ok)
goto end; goto end;
} }
@ -859,8 +855,6 @@ static int check_trust(X509_STORE_CTX *ctx)
size_t i; size_t i;
int ok; int ok;
X509 *x = NULL; X509 *x = NULL;
int (*cb) (int xok, X509_STORE_CTX *xctx);
cb = ctx->verify_cb;
/* Check all trusted certificates in chain */ /* Check all trusted certificates in chain */
for (i = ctx->last_untrusted; i < sk_X509_num(ctx->chain); i++) { for (i = ctx->last_untrusted; i < sk_X509_num(ctx->chain); i++) {
x = sk_X509_value(ctx->chain, i); x = sk_X509_value(ctx->chain, i);
@ -876,7 +870,7 @@ static int check_trust(X509_STORE_CTX *ctx)
ctx->error_depth = i; ctx->error_depth = i;
ctx->current_cert = x; ctx->current_cert = x;
ctx->error = X509_V_ERR_CERT_REJECTED; ctx->error = X509_V_ERR_CERT_REJECTED;
ok = cb(0, ctx); ok = ctx->verify_cb(0, ctx);
if (!ok) if (!ok)
return X509_TRUST_REJECTED; return X509_TRUST_REJECTED;
} }
@ -1792,9 +1786,6 @@ static int internal_verify(X509_STORE_CTX *ctx)
int ok = 0, n; int ok = 0, n;
X509 *xs, *xi; X509 *xs, *xi;
EVP_PKEY *pkey = NULL; EVP_PKEY *pkey = NULL;
int (*cb) (int xok, X509_STORE_CTX *xctx);
cb = ctx->verify_cb;
n = sk_X509_num(ctx->chain); n = sk_X509_num(ctx->chain);
ctx->error_depth = n - 1; ctx->error_depth = n - 1;
@ -1811,7 +1802,7 @@ static int internal_verify(X509_STORE_CTX *ctx)
if (n <= 0) { if (n <= 0) {
ctx->error = X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE; ctx->error = X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE;
ctx->current_cert = xi; ctx->current_cert = xi;
ok = cb(0, ctx); ok = ctx->verify_cb(0, ctx);
goto end; goto end;
} else { } else {
n--; n--;
@ -1833,13 +1824,13 @@ static int internal_verify(X509_STORE_CTX *ctx)
if ((pkey = X509_get_pubkey(xi)) == NULL) { if ((pkey = X509_get_pubkey(xi)) == NULL) {
ctx->error = X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY; ctx->error = X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY;
ctx->current_cert = xi; ctx->current_cert = xi;
ok = (*cb) (0, ctx); ok = ctx->verify_cb(0, ctx);
if (!ok) if (!ok)
goto end; goto end;
} else if (X509_verify(xs, pkey) <= 0) { } else if (X509_verify(xs, pkey) <= 0) {
ctx->error = X509_V_ERR_CERT_SIGNATURE_FAILURE; ctx->error = X509_V_ERR_CERT_SIGNATURE_FAILURE;
ctx->current_cert = xs; ctx->current_cert = xs;
ok = (*cb) (0, ctx); ok = ctx->verify_cb(0, ctx);
if (!ok) { if (!ok) {
EVP_PKEY_free(pkey); EVP_PKEY_free(pkey);
goto end; goto end;
@ -1857,7 +1848,7 @@ static int internal_verify(X509_STORE_CTX *ctx)
/* The last error (if any) is still in the error value */ /* The last error (if any) is still in the error value */
ctx->current_issuer = xi; ctx->current_issuer = xi;
ctx->current_cert = xs; ctx->current_cert = xs;
ok = (*cb) (1, ctx); ok = ctx->verify_cb(1, ctx);
if (!ok) if (!ok)
goto end; goto end;

Write Preview
Loading…
Cancel
Save