On Tue, Jan 18, 2022 at 07:15:54PM +0100, Theo Buehler wrote: > > I will commit this version in a bit (once rpki-client finished its run). > > I like this approach a lot better. ok > > One small comment below. > > > -- > > :wq Claudio > > > > Index: parser.c > > =================================================================== > > RCS file: /cvs/src/usr.sbin/rpki-client/parser.c,v > > retrieving revision 1.43 > > diff -u -p -r1.43 parser.c > > --- parser.c 18 Jan 2022 16:36:49 -0000 1.43 > > +++ parser.c 18 Jan 2022 18:03:37 -0000 > > @@ -204,15 +204,15 @@ verify_cb(int ok, X509_STORE_CTX *store_ > > * Returns 1 for valid certificates, returns 0 if there is a verify error > > */ > > static int > > -valid_x509(char *file, X509 *x509, struct auth *a, struct crl *crl) > > +valid_x509(char *file, X509 *x509, struct auth *a, struct crl *crl, > > + unsigned long flags) > > { > > STACK_OF(X509) *chain; > > STACK_OF(X509_CRL) *crls = NULL; > > int c; > > > > build_chain(a, &chain); > > - if (crl != NULL) > > - build_crls(crl, &crls); > > + build_crls(crl, &crls); > > > > assert(x509 != NULL); > > if (!X509_STORE_CTX_init(ctx, NULL, x509, NULL)) > > @@ -221,12 +221,11 @@ valid_x509(char *file, X509 *x509, struc > > X509_STORE_CTX_set_verify_cb(ctx, verify_cb); > > if (!X509_STORE_CTX_set_app_data(ctx, file)) > > cryptoerrx("X509_STORE_CTX_set_app_data"); > > - if (crl != NULL) > > - X509_STORE_CTX_set_flags(ctx, X509_V_FLAG_CRL_CHECK); > > + if (flags != 0) > > + X509_STORE_CTX_set_flags(ctx, flags); > > Feel free to leave it, but you could now drop the if (flags != 0) check. >
I left it for clarity. Maybe one day I will remove it :)

-- 
:wq Claudio
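
Review bot: In the first hunk (-204,15), build_crls(crl, &crls) is now called unconditionally, so build_crls() has to cope with crl == NULL on its own. That handling is not in the quoted part of the diff, so it is worth confirming that it returns early and leaves crls NULL in that case. The comment above valid_x509() is also unchanged and does not mention the new flags argument; a line saying which verify flags callers are expected to pass (the removed code set X509_V_FLAG_CRL_CHECK) would make the contract explicit.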
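
Review bot: In the second hunk (-221,12), whether the CRL is checked now depends only on the caller's flags and no longer on crl being non-NULL, so a caller that supplies a CRL but passes flags of 0 gets no revocation check and no error. Consider documenting the expected pairing of crl and flags in the function comment, or asserting it at the top of valid_x509(), so a future call site cannot silently skip the check. The if (flags != 0) guard can stay or go without changing behaviour, since X509_STORE_CTX_set_flags() ORs the value into the existing flags.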