On Tue, Jan 04, 2022 at 02:48:17PM +0100, Theo Buehler wrote:
> As discussed in the previous thread, we can simplify the verify callback
> by getting rid of the extremely noisy warnx at the end. Fail directly on
> encountering an unknown critical extension and succeed otherwise.
OK claudio@ (and thanks for taking care of this) > Index: parser.c > =================================================================== > RCS file: /cvs/src/usr.sbin/rpki-client/parser.c,v > retrieving revision 1.30 > diff -u -p -r1.30 parser.c > --- parser.c 4 Jan 2022 13:39:01 -0000 1.30 > +++ parser.c 4 Jan 2022 13:44:35 -0000 > @@ -55,9 +55,6 @@ verify_cb(int ok, X509_STORE_CTX *store_ > ASN1_OBJECT *obj; > char *file; > int depth, error, i, nid; > - int saw_ipAddrBlock = 0; > - int saw_autonomousSysNum = 0; > - int saw_unknown = 0; > > error = X509_STORE_CTX_get_error(store_ctx); > depth = X509_STORE_CTX_get_error_depth(store_ctx); > @@ -94,25 +91,16 @@ verify_cb(int ok, X509_STORE_CTX *store_ > nid = OBJ_obj2nid(obj); > switch (nid) { > case NID_sbgp_ipAddrBlock: > - saw_ipAddrBlock = 1; > - break; > case NID_sbgp_autonomousSysNum: > - saw_autonomousSysNum = 1; > - break; > + continue; > default: > warnx("%s: depth %d: unknown extension: nid %d", > file, depth, nid); > - saw_unknown = 1; > - break; > + return 0; > } > } > > - if (verbose > 1) > - warnx("%s: depth %d, ipAddrBlock %d, autonomousSysNum %d", > - file, depth, saw_ipAddrBlock, saw_autonomousSysNum); > - > - /* Fail if we saw an unknown extension. */ > - return !saw_unknown; > + return 1; > } > > /* > -- :wq Claudio
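Review bot: in the second hunk (the `switch (nid)` block), `return 0` in the `default:` case stops at the first unknown critical extension, so only that one extension is logged, whereas the old `saw_unknown = 1; break;` warned about every unknown extension in the certificate before failing via `return !saw_unknown`. One diagnostic is enough to locate the offending certificate, so this is fine as a simplification; if the full list is ever wanted for debugging, the flag-and-return-after-the-loop form would have to come back. Two smaller points in the same hunk: the `continue` reached by both `NID_sbgp_ipAddrBlock` and `NID_sbgp_autonomousSysNum` is equivalent to `break` here, since the switch is the last statement in the loop body, so either spelling works; and the trailing `return 1` preserves the previous no-unknown behaviour (`!saw_unknown` was 1 in that case), which means every other `ok == 0` condition must still be handled and returned by the code above this hunk, which this diff does not touch.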