commit 6686352e492b67cb4d57915fc9bca45cdc7cef16
author Bob Beck <bbe@google.com> Thu Apr 21 09:37:41 2022 -0600
committer Boringssl LUCI CQ <boringssl-scoped@luci-project-accounts.iam.gserviceaccount.com> Thu Apr 21 16:15:50 2022 +0000
tree 103f863d3793b8e10978066d0e16e5f84da82f7c
parent f961de5c47ed265c3e758ec70dd15ece20809962

Make calls to the verify callback consistant by calling ctx->verify_cb
directly. This removes some temporary variables that would only be
used to hold ctx->verify_cb.

Change-Id: Id8f61c30bc74bb49757085c68baa4e8eec06b1d0
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/52285
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>

crypto/x509/x509_vfy.c

diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index 2dfdce2..f41ae6e 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -190,8 +190,8 @@
     X509_VERIFY_PARAM *param = ctx->param;
     int depth, i, ok = 0;
     int num, j, retry, trust;
-    int (*cb) (int xok, X509_STORE_CTX *xctx);
     STACK_OF(X509) *sktmp = NULL;
+
     if (ctx->cert == NULL) {
         OPENSSL_PUT_ERROR(X509, X509_R_NO_CERT_SET_FOR_US_TO_VERIFY);
         ctx->error = X509_V_ERR_INVALID_CALL;
@@ -207,8 +207,6 @@
         return -1;
     }
 
-    cb = ctx->verify_cb;
-
     /*
      * first we make sure the chain we are going to build is present and that
      * the first entry is in place
@@ -331,7 +329,7 @@
                     if (ok == 1)
                         X509_free(xtmp);
                     bad_chain = 1;
-                    ok = cb(0, ctx);
+                    ok = ctx->verify_cb(0, ctx);
                     if (!ok)
                         goto end;
                 } else {
@@ -457,7 +455,7 @@
 
         ctx->error_depth = num - 1;
         bad_chain = 1;
-        ok = cb(0, ctx);
+        ok = ctx->verify_cb(0, ctx);
         if (!ok)
             goto end;
     }
@@ -487,7 +485,7 @@
     if (err != X509_V_OK) {
         ctx->error = err;
         ctx->current_cert = sk_X509_value(ctx->chain, ctx->error_depth);
-        ok = cb(0, ctx);
+        ok = ctx->verify_cb(0, ctx);
         if (!ok)
             goto end;
     }
@@ -577,11 +575,9 @@
 {
     int i, ok = 0, plen = 0;
     X509 *x;
-    int (*cb) (int xok, X509_STORE_CTX *xctx);
     int proxy_path_length = 0;
     int purpose;
     int allow_proxy_certs;
-    cb = ctx->verify_cb;
 
     enum {
         // ca_or_leaf allows either type of certificate so that direct use of
@@ -612,7 +608,7 @@
             ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION;
             ctx->error_depth = i;
             ctx->current_cert = x;
-            ok = cb(0, ctx);
+            ok = ctx->verify_cb(0, ctx);
             if (!ok)
                 goto end;
         }
@@ -620,7 +616,7 @@
             ctx->error = X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED;
             ctx->error_depth = i;
             ctx->current_cert = x;
-            ok = cb(0, ctx);
+            ok = ctx->verify_cb(0, ctx);
             if (!ok)
                 goto end;
         }
@@ -651,7 +647,7 @@
         if (ret == 0) {
             ctx->error_depth = i;
             ctx->current_cert = x;
-            ok = cb(0, ctx);
+            ok = ctx->verify_cb(0, ctx);
             if (!ok)
                 goto end;
         }
@@ -662,7 +658,7 @@
                 ctx->error = X509_V_ERR_INVALID_PURPOSE;
                 ctx->error_depth = i;
                 ctx->current_cert = x;
-                ok = cb(0, ctx);
+                ok = ctx->verify_cb(0, ctx);
                 if (!ok)
                     goto end;
             }
@@ -674,7 +670,7 @@
             ctx->error = X509_V_ERR_PATH_LENGTH_EXCEEDED;
             ctx->error_depth = i;
             ctx->current_cert = x;
-            ok = cb(0, ctx);
+            ok = ctx->verify_cb(0, ctx);
             if (!ok)
                 goto end;
         }
@@ -691,7 +687,7 @@
                 ctx->error = X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED;
                 ctx->error_depth = i;
                 ctx->current_cert = x;
-                ok = cb(0, ctx);
+                ok = ctx->verify_cb(0, ctx);
                 if (!ok)
                     goto end;
             }
@@ -859,8 +855,6 @@
     size_t i;
     int ok;
     X509 *x = NULL;
-    int (*cb) (int xok, X509_STORE_CTX *xctx);
-    cb = ctx->verify_cb;
     /* Check all trusted certificates in chain */
     for (i = ctx->last_untrusted; i < sk_X509_num(ctx->chain); i++) {
         x = sk_X509_value(ctx->chain, i);
@@ -876,7 +870,7 @@
             ctx->error_depth = i;
             ctx->current_cert = x;
             ctx->error = X509_V_ERR_CERT_REJECTED;
-            ok = cb(0, ctx);
+            ok = ctx->verify_cb(0, ctx);
             if (!ok)
                 return X509_TRUST_REJECTED;
         }
@@ -1792,9 +1786,6 @@
     int ok = 0, n;
     X509 *xs, *xi;
     EVP_PKEY *pkey = NULL;
-    int (*cb) (int xok, X509_STORE_CTX *xctx);
-
-    cb = ctx->verify_cb;
 
     n = sk_X509_num(ctx->chain);
     ctx->error_depth = n - 1;
@@ -1811,7 +1802,7 @@
         if (n <= 0) {
             ctx->error = X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE;
             ctx->current_cert = xi;
-            ok = cb(0, ctx);
+            ok = ctx->verify_cb(0, ctx);
             goto end;
         } else {
             n--;
@@ -1833,13 +1824,13 @@
             if ((pkey = X509_get_pubkey(xi)) == NULL) {
                 ctx->error = X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY;
                 ctx->current_cert = xi;
-                ok = (*cb) (0, ctx);
+                ok = ctx->verify_cb(0, ctx);
                 if (!ok)
                     goto end;
             } else if (X509_verify(xs, pkey) <= 0) {
                 ctx->error = X509_V_ERR_CERT_SIGNATURE_FAILURE;
                 ctx->current_cert = xs;
-                ok = (*cb) (0, ctx);
+                ok = ctx->verify_cb(0, ctx);
                 if (!ok) {
                     EVP_PKEY_free(pkey);
                     goto end;
@@ -1857,7 +1848,7 @@
         /* The last error (if any) is still in the error value */
         ctx->current_issuer = xi;
         ctx->current_cert = xs;
-        ok = (*cb) (1, ctx);
+        ok = ctx->verify_cb(1, ctx);
         if (!ok)
             goto end;