From 9e624728fb9bd4e2a5d90c801de7b4d4ad5000a0 Mon Sep 17 00:00:00 2001
From: tb
Date: Sun, 31 Dec 2023 07:10:50 +0000
Subject: [PATCH] Replace the sorted extensions lookup with a switch
If all you have is OBJ_bsearch_(), everything looks like a nail. This changes a binary search over a list of 12 elements with a lookup via a switch. switch suggested by claudio ok jsing
---
 lib/libcrypto/x509/x509_purp.c | 81 ++++++++++------------------------
 1 file changed, 23 insertions(+), 58 deletions(-)
diff --git a/lib/libcrypto/x509/x509_purp.c b/lib/libcrypto/x509/x509_purp.c
index 999ba639c51..8b8075b00e5 100644
--- a/lib/libcrypto/x509/x509_purp.c
+++ b/lib/libcrypto/x509/x509_purp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: x509_purp.c,v 1.30 2023/11/13 10:33:00 tb Exp $ */
+/* $OpenBSD: x509_purp.c,v 1.31 2023/12/31 07:10:50 tb Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2001.
 */
@@ -386,68 +386,33 @@ X509_PURPOSE_get_trust(const X509_PURPOSE *xp)
 }
 LCRYPTO_ALIAS(X509_PURPOSE_get_trust);
 
-static int
-nid_cmp(const int *a, const int *b)
-{
- return *a - *b;
-}
-
-static int nid_cmp_BSEARCH_CMP_FN(const void *, const void *);
-static int nid_cmp(int const *, int const *);
-static int *OBJ_bsearch_nid(int *key, int const *base, int num);
-
-static int
-nid_cmp_BSEARCH_CMP_FN(const void *a_, const void *b_)
-{
- int const *a = a_;
- int const *b = b_;
- return nid_cmp(a, b);
-}
-
-static int *
-OBJ_bsearch_nid(int *key, int const *base, int num)
-{
- return (int *)OBJ_bsearch_(key, base, num, sizeof(int),
- nid_cmp_BSEARCH_CMP_FN);
-}
-
+/*
+ * List of NIDs of extensions supported by the verifier. If an extension
+ * is critical and doesn't appear in this list, then the certificate will
+ * normally be rejected.
+ */
 int
-X509_supported_extension(X509_EXTENSION *ex)
+X509_supported_extension(X509_EXTENSION *ext)
 {
- /* This table is a list of the NIDs of supported extensions:
- * that is those which are used by the verify process. If
- * an extension is critical and doesn't appear in this list
- * then the verify process will normally reject the certificate.
- * The list must be kept in numerical order because it will be
- * searched using bsearch.
- */
-
- static const int supported_nids[] = {
- NID_netscape_cert_type, /* 71 */
- NID_key_usage, /* 83 */
- NID_subject_alt_name, /* 85 */
- NID_basic_constraints, /* 87 */
- NID_certificate_policies, /* 89 */
- NID_ext_key_usage, /* 126 */
+ switch(OBJ_obj2nid(X509_EXTENSION_get_object(ext))) {
+ case NID_netscape_cert_type:
+ case NID_key_usage:
+ case NID_subject_alt_name:
+ case NID_basic_constraints:
+ case NID_certificate_policies:
+ case NID_ext_key_usage:
 #ifndef OPENSSL_NO_RFC3779
- NID_sbgp_ipAddrBlock, /* 290 */
- NID_sbgp_autonomousSysNum, /* 291 */
+ case NID_sbgp_ipAddrBlock:
+ case NID_sbgp_autonomousSysNum:
 #endif
- NID_policy_constraints, /* 401 */
- NID_name_constraints, /* 666 */
- NID_policy_mappings, /* 747 */
- NID_inhibit_any_policy /* 748 */
- };
-
- int ex_nid = OBJ_obj2nid(X509_EXTENSION_get_object(ex));
-
- if (ex_nid == NID_undef)
- return 0;
-
- if (OBJ_bsearch_nid(&ex_nid, supported_nids,
- sizeof(supported_nids) / sizeof(int)))
+ case NID_policy_constraints:
+ case NID_name_constraints:
+ case NID_policy_mappings:
+ case NID_inhibit_any_policy:
 return 1;
- return 0;
+ default:
+ return 0;
+ }
 }
 LCRYPTO_ALIAS(X509_supported_extension);
 
-- 
2.20.1
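Review bot: The explicit `if (ex_nid == NID_undef) return 0;` is gone and an unrecognised extension OID is now rejected only by falling into `default:`, which the new header comment does not mention. Because this function decides whether a critical extension is tolerated, I would extend the comment with something like `An unknown OID yields NID_undef and lands in the default case. Only add a NID here once the verifier actually processes that extension.` so a later edit cannot quietly turn an unhandled critical extension into an accepted one. Minor style point: `switch(` should read `switch (` to match style(9).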