From a0021a30dd8db832714e327bbbc65d3589f528ab Mon Sep 17 00:00:00 2001
From: Michael Brown
Date: Sun, 18 Mar 2018 22:21:49 +0200
Subject: [ocsp] Centralise test for whether or not an OCSP check is required

Signed-off-by: Michael Brown <mcb30@ipxe.org>
---
 src/crypto/x509.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'src/crypto')

diff --git a/src/crypto/x509.c b/src/crypto/x509.c
index 76ace031..feb7e4a0 100644
--- a/src/crypto/x509.c
+++ b/src/crypto/x509.c
@@ -40,6 +40,7 @@ FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
 #include <ipxe/socket.h>
 #include <ipxe/in.h>
 #include <ipxe/image.h>
+#include <ipxe/ocsp.h>
 #include <ipxe/x509.h>
 #include <config/crypto.h>
 
@@ -1362,8 +1363,7 @@ int x509_validate ( struct x509_certificate *cert,
 	}
 
 	/* Fail if OCSP is required */
-	if ( cert->extensions.auth_info.ocsp.uri.len &&
-	     ( ! cert->extensions.auth_info.ocsp.good ) ) {
+	if ( ocsp_required ( cert ) ) {
 		DBGC ( cert, "X509 %p \"%s\" requires an OCSP check\n",
 		       cert, x509_name ( cert ) );
 		return -EACCES_OCSP_REQUIRED;
-- 
cgit v1.2.3-55-g7522