From a0021a30dd8db832714e327bbbc65d3589f528ab Mon Sep 17 00:00:00 2001
From: Michael Brown
Date: Sun, 18 Mar 2018 22:21:49 +0200
Subject: [ocsp] Centralise test for whether or not an OCSP check is required
Signed-off-by: Michael Brown
---
 src/crypto/x509.c | 4 ++--
 src/include/ipxe/ocsp.h | 15 +++++++++++++++
 src/net/validator.c | 3 +--
 3 files changed, 18 insertions(+), 4 deletions(-)
(limited to 'src')
diff --git a/src/crypto/x509.c b/src/crypto/x509.c
index 76ace031..feb7e4a0 100644
--- a/src/crypto/x509.c
+++ b/src/crypto/x509.c
@@ -40,6 +40,7 @@ FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );
 #include
 #include
 #include
+#include
 #include
 #include
@@ -1362,8 +1363,7 @@ int x509_validate ( struct x509_certificate *cert, } /* Fail if OCSP is required */ - if ( cert->extensions.auth_info.ocsp.uri.len && ( ! cert->extensions.auth_info.ocsp.good ) ) { + if ( ocsp_required ( cert ) ) { DBGC ( cert, "X509 %p \"%s\" requires an OCSP check\n", cert, x509_name ( cert ) ); return -EACCES_OCSP_REQUIRED;
diff --git a/src/include/ipxe/ocsp.h b/src/include/ipxe/ocsp.h
index 71fa41dc..9a6b3fe6 100644
--- a/src/include/ipxe/ocsp.h
+++ b/src/include/ipxe/ocsp.h
@@ -111,6 +111,21 @@ ocsp_put ( struct ocsp_check *ocsp ) {
 ref_put ( &ocsp->refcnt );
 }
+/**
+ * Check if X.509 certificate requires an OCSP check
+ *
+ * @v cert X.509 certificate
+ * @ret ocsp_required An OCSP check is required
+ */
+static inline int ocsp_required ( struct x509_certificate *cert ) {
+
+ /* An OCSP check is required if an OCSP URI exists but the
+ * OCSP status is not (yet) good.
+ */
+ return ( cert->extensions.auth_info.ocsp.uri.len &&
+ ( ! cert->extensions.auth_info.ocsp.good ) );
+}
+
 extern int ocsp_check ( struct x509_certificate *cert, struct x509_certificate *issuer, struct ocsp_check **ocsp );
diff --git a/src/net/validator.c b/src/net/validator.c
index 68abe1b5..40f778c7 100644
--- a/src/net/validator.c
+++ b/src/net/validator.c
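Review bot: The `/* Fail if OCSP is required */` comment in the x509_validate hunk no longer tells the reader what "required" means now that the test lives in ocsp.h, and the same predicate is also what makes validator_step start the check, so from this line alone one cannot see that a certificate carrying an OCSP URI without a good OCSP result is rejected here rather than merely deferred. Suggest `/* Fail if OCSP is required: ocsp_required() is also the test that starts the check in validator_step(), so reaching this point means the check never completed with a good status */`. The `#include` added in the first hunk has lost its header name in this rendering; it should name the header that declares ocsp_required(), presumably the OCSP header. x509_validate continues outside the hunk.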
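Review bot: ocsp_required() only reads through `cert`, so its parameter should be const-qualified: `static inline int ocsp_required ( const struct x509_certificate *cert ) {` — both callers pass a non-const pointer, so this stays compatible while letting code that holds a const certificate use the helper. Because the inline body dereferences `cert->extensions.auth_info.ocsp`, ocsp.h now needs the complete definition of struct x509_certificate rather than the forward declaration the ocsp_check() prototype below gets by with; the header's include list is not in this hunk, so confirm the X.509 header is included there. The doc comment could also spell out the fail-closed meaning of the result: `@ret ocsp_required An OCSP check is required (OCSP URI present but status not yet good)`.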
@@ -488,8 +488,7 @@ static void validator_step ( struct validator *validator ) { /* The issuer is valid, but this certificate is not * yet valid. If OCSP is applicable, start it. */ - if ( cert->extensions.auth_info.ocsp.uri.len && ( ! cert->extensions.auth_info.ocsp.good ) ) { + if ( ocsp_required ( cert ) ) { /* Start OCSP */ if ( ( rc = validator_start_ocsp ( validator, cert, issuer ) ) != 0 ) {
-- cgit v1.2.3-55-g7522
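Review bot: The surviving context comment `* yet valid. If OCSP is applicable, start it.` now describes the condition as "applicable", while the new code calls ocsp_required(), the same test that makes x509_validate() reject the certificate; the comment should match the helper's contract: `* yet valid. If an OCSP check is required, start it.` The error handling for validator_start_ocsp() and the rest of validator_step() lie outside the hunk.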