author | Michael Brown | 2018-03-18 21:21:49 +0100 |
committer | Michael Brown | 2018-03-18 21:25:01 +0100 |
commit | a0021a30dd8db832714e327bbbc65d3589f528ab (patch) | |
tree | facbeee3dc57ac4d3cd314236e087e285ce14289 | |
parent | [profile] Prevent potential division by zero (diff) | |
[ocsp] Centralise test for whether or not an OCSP check is required
Signed-off-by: Michael Brown <mcb30@ipxe.org>
-rw-r--r-- | src/crypto/x509.c | 4 | ||||
-rw-r--r-- | src/include/ipxe/ocsp.h | 15 | ||||
-rw-r--r-- | src/net/validator.c | 3 |
3 files changed, 18 insertions, 4 deletions
diff --git a/src/crypto/x509.c b/src/crypto/x509.c
index 76ace031..feb7e4a0 100644
--- a/src/crypto/x509.c
+++ b/src/crypto/x509.c
@@ -40,6 +40,7 @@ FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
 #include <ipxe/socket.h>
 #include <ipxe/in.h>
 #include <ipxe/image.h>
+#include <ipxe/ocsp.h>
 #include <ipxe/x509.h>
 #include <config/crypto.h>
@@ -1362,8 +1363,7 @@ int x509_validate ( struct x509_certificate *cert,
 }
 /* Fail if OCSP is required */
- if ( cert->extensions.auth_info.ocsp.uri.len && ( ! cert->extensions.auth_info.ocsp.good ) ) {
+ if ( ocsp_required ( cert ) ) {
 DBGC ( cert, "X509 %p \"%s\" requires an OCSP check\n", cert, x509_name ( cert ) );
 return -EACCES_OCSP_REQUIRED;
diff --git a/src/include/ipxe/ocsp.h b/src/include/ipxe/ocsp.h
index 71fa41dc..9a6b3fe6 100644
--- a/src/include/ipxe/ocsp.h
+++ b/src/include/ipxe/ocsp.h
@@ -111,6 +111,21 @@ ocsp_put ( struct ocsp_check *ocsp ) {
 ref_put ( &ocsp->refcnt );
 }
+/**
+ * Check if X.509 certificate requires an OCSP check
+ *
+ * @v cert X.509 certificate
+ * @ret ocsp_required An OCSP check is required
+ */
+static inline int ocsp_required ( struct x509_certificate *cert ) {
+ /* An OCSP check is required if an OCSP URI exists but the
+ * OCSP status is not (yet) good.
+ */
+ return ( cert->extensions.auth_info.ocsp.uri.len && ( ! cert->extensions.auth_info.ocsp.good ) );
+}
+
 extern int ocsp_check ( struct x509_certificate *cert, struct x509_certificate *issuer, struct ocsp_check **ocsp );
diff --git a/src/net/validator.c b/src/net/validator.c
index 68abe1b5..40f778c7 100644
--- a/src/net/validator.c
+++ b/src/net/validator.c
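Review bot: `ocsp_required` in the ocsp.h hunk only reads through `cert`, so the parameter should be const-qualified, `static inline int ocsp_required ( const struct x509_certificate *cert ) {`, which lets callers holding a const certificate use it and documents that the predicate has no side effects. Because the body dereferences `cert->extensions`, ocsp.h now depends on the full `struct x509_certificate` definition rather than a forward declaration, while x509.c in the first hunk starts including ocsp.h; it is worth confirming that ocsp.h already includes <ipxe/x509.h> and that the two headers do not form an include cycle that breaks when ocsp.h is seen first. The validator.c hunk at the end of the page makes the same substitution, so the fail-closed path in x509_validate (the `-EACCES_OCSP_REQUIRED` return) now rests entirely on `ocsp.good` being set only after a verified OCSP response, which is outside this diff and would merit a one-line comment on the field where it is defined.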
@@ -488,8 +488,7 @@ static void validator_step ( struct validator *validator ) {
 /* The issuer is valid, but this certificate is not
 * yet valid. If OCSP is applicable, start it.
 */
- if ( cert->extensions.auth_info.ocsp.uri.len && ( ! cert->extensions.auth_info.ocsp.good ) ) {
+ if ( ocsp_required ( cert ) ) {
 /* Start OCSP */
 if ( ( rc = validator_start_ocsp ( validator, cert, issuer ) ) != 0 ) { |