[refactor] for reusability, build list of supported schemes at compile-time
diff --git a/include/picotls/openssl.h b/include/picotls/openssl.h
index 2cc8c96..e528fdd 100644
--- a/include/picotls/openssl.h
+++ b/include/picotls/openssl.h
@@ -52,7 +52,7 @@
#endif
#if defined(NID_X25519) && !defined(LIBRESSL_VERSION_NUMBER)
#define PTLS_OPENSSL_HAVE_X25519 1
-#define PTLS_OPENSSL_HAS_X25519 1 /* deprecated; use HAVE_ */
+#define PTLS_OPENSSL_HAS_X25519 1 /* deprecated; use HAVE_ */
extern ptls_key_exchange_algorithm_t ptls_openssl_x25519;
#endif
#ifndef OPENSSL_NO_BF
@@ -91,13 +91,13 @@
struct st_ptls_openssl_signature_scheme_t {
uint16_t scheme_id;
- const EVP_MD *scheme_md;
+ const EVP_MD *(*scheme_md)(void);
};
typedef struct st_ptls_openssl_sign_certificate_t {
ptls_sign_certificate_t super;
EVP_PKEY *key;
- struct st_ptls_openssl_signature_scheme_t schemes[4]; /* terminated by .scheme_id == UINT16_MAX */
+ const struct st_ptls_openssl_signature_scheme_t *schemes; /* terminated by .scheme_id == UINT16_MAX */
} ptls_openssl_sign_certificate_t;
int ptls_openssl_init_sign_certificate(ptls_openssl_sign_certificate_t *self, EVP_PKEY *key);
diff --git a/lib/openssl.c b/lib/openssl.c
index 3221a7e..1300222 100644
--- a/lib/openssl.c
+++ b/lib/openssl.c
@@ -955,7 +955,7 @@
Found:
*selected_algorithm = scheme->scheme_id;
- return do_sign(self->key, outbuf, input, scheme->scheme_md);
+ return do_sign(self->key, outbuf, input, scheme->scheme_md());
}
static X509 *to_x509(ptls_iovec_t vec)
@@ -1013,37 +1013,43 @@
return ret;
}
+static const struct st_ptls_openssl_signature_scheme_t rsa_signature_schemes[] = {{PTLS_SIGNATURE_RSA_PSS_RSAE_SHA256, EVP_sha256},
+ {PTLS_SIGNATURE_RSA_PSS_RSAE_SHA384, EVP_sha384},
+ {PTLS_SIGNATURE_RSA_PSS_RSAE_SHA512, EVP_sha512},
+ {UINT16_MAX, NULL}};
+static const struct st_ptls_openssl_signature_scheme_t secp256r1_signature_schemes[] = {
+ {PTLS_SIGNATURE_ECDSA_SECP256R1_SHA256, EVP_sha256}, {UINT16_MAX, NULL}};
+#if defined(NID_secp384r1) && !OPENSSL_NO_SHA384
+static const struct st_ptls_openssl_signature_scheme_t secp384r1_signature_schemes[] = {
+ {PTLS_SIGNATURE_ECDSA_SECP384R1_SHA384, EVP_sha384}, {UINT16_MAX, NULL}};
+#endif
+#if defined(NID_secp521r1) && !OPENSSL_NO_SHA512
+static const struct st_ptls_openssl_signature_scheme_t secp521r1_signature_schemes[] = {
+ {PTLS_SIGNATURE_ECDSA_SECP521R1_SHA512, EVP_sha512}, {UINT16_MAX, NULL}};
+#endif
+
int ptls_openssl_init_sign_certificate(ptls_openssl_sign_certificate_t *self, EVP_PKEY *key)
{
*self = (ptls_openssl_sign_certificate_t){{sign_certificate}};
- size_t scheme_index = 0;
-
-#define PUSH_SCHEME(id, md) \
- self->schemes[scheme_index++] = (struct st_ptls_openssl_signature_scheme_t) \
- { \
- id, md \
- }
switch (EVP_PKEY_id(key)) {
case EVP_PKEY_RSA:
- PUSH_SCHEME(PTLS_SIGNATURE_RSA_PSS_RSAE_SHA256, EVP_sha256());
- PUSH_SCHEME(PTLS_SIGNATURE_RSA_PSS_RSAE_SHA384, EVP_sha384());
- PUSH_SCHEME(PTLS_SIGNATURE_RSA_PSS_RSAE_SHA512, EVP_sha512());
+ self->schemes = rsa_signature_schemes;
break;
case EVP_PKEY_EC: {
EC_KEY *eckey = EVP_PKEY_get1_EC_KEY(key);
switch (EC_GROUP_get_curve_name(EC_KEY_get0_group(eckey))) {
case NID_X9_62_prime256v1:
- PUSH_SCHEME(PTLS_SIGNATURE_ECDSA_SECP256R1_SHA256, EVP_sha256());
+ self->schemes = secp256r1_signature_schemes;
break;
#if defined(NID_secp384r1) && !OPENSSL_NO_SHA384
case NID_secp384r1:
- PUSH_SCHEME(PTLS_SIGNATURE_ECDSA_SECP384R1_SHA384, EVP_sha384());
+ self->schemes = secp384r1_signature_schemes;
break;
#endif
-#if defined(NID_secp384r1) && !OPENSSL_NO_SHA512
+#if defined(NID_secp521r1) && !OPENSSL_NO_SHA512
case NID_secp521r1:
- PUSH_SCHEME(PTLS_SIGNATURE_ECDSA_SECP521R1_SHA512, EVP_sha512());
+ self->schemes = secp521r1_signature_schemes;
break;
#endif
default:
@@ -1055,10 +1061,6 @@
default:
return PTLS_ERROR_INCOMPATIBLE_KEY;
}
- PUSH_SCHEME(UINT16_MAX, NULL);
- assert(scheme_index <= PTLS_ELEMENTSOF(self->schemes));
-
-#undef PUSH_SCHEME
EVP_PKEY_up_ref(key);
self->key = key;