On Tue, Jan 18, 2022 at 07:15:54PM +0100, Theo Buehler wrote:
> > I will commit this version in a bit (once rpki-client finished its run).
>
> I like this approach a lot better. ok
>
> One small comment below.
>
> > --
> > :wq Claudio
> >
> > Index: parser.c
> > ===================================================================
> > RCS file: /cvs/src/usr.sbin/rpki-client/parser.c,v
> > retrieving revision 1.43
> > diff -u -p -r1.43 parser.c
> > --- parser.c 18 Jan 2022 16:36:49 -0000 1.43
> > +++ parser.c 18 Jan 2022 18:03:37 -0000
> > @@ -204,15 +204,15 @@ verify_cb(int ok, X509_STORE_CTX *store_
> > * Returns 1 for valid certificates, returns 0 if there is a verify error
> > */
> > static int
> > -valid_x509(char *file, X509 *x509, struct auth *a, struct crl *crl)
> > +valid_x509(char *file, X509 *x509, struct auth *a, struct crl *crl,
> > + unsigned long flags)
> > {
> > STACK_OF(X509) *chain;
> > STACK_OF(X509_CRL) *crls = NULL;
> > int c;
> >
> > build_chain(a, &chain);
> > - if (crl != NULL)
> > - build_crls(crl, &crls);
> > + build_crls(crl, &crls);
> >
> > assert(x509 != NULL);
> > if (!X509_STORE_CTX_init(ctx, NULL, x509, NULL))
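Review bot: dropping the `if (crl != NULL)` guard means `build_crls(crl, &crls)` is now called with a NULL `crl`, so `build_crls()` must tolerate that and leave `crls` as NULL (or an empty stack) for the verification that follows; that function is outside this hunk, so it is worth confirming, since the old guard existed to avoid exactly this call. The comment above the function (`Returns 1 for valid certificates, ...`) also says nothing about the new `flags` argument; one line stating that `flags` is handed to `X509_STORE_CTX_set_flags()` and that callers who want revocation checking must include `X509_V_FLAG_CRL_CHECK` would document the new contract.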
> > @@ -221,12 +221,11 @@ valid_x509(char *file, X509 *x509, struc
> > X509_STORE_CTX_set_verify_cb(ctx, verify_cb);
> > if (!X509_STORE_CTX_set_app_data(ctx, file))
> > cryptoerrx("X509_STORE_CTX_set_app_data");
> > - if (crl != NULL)
> > - X509_STORE_CTX_set_flags(ctx, X509_V_FLAG_CRL_CHECK);
> > + if (flags != 0)
> > + X509_STORE_CTX_set_flags(ctx, flags);
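Review bot: the `if (flags != 0)` guard in front of `X509_STORE_CTX_set_flags(ctx, flags)` is redundant, because the call ORs `flags` into the context's verify parameters and passing 0 changes nothing, so the two lines can become a bare `X509_STORE_CTX_set_flags(ctx, flags);`. More importantly, CRL checking is no longer implied by a non-NULL `crl` as it was in the removed lines: a caller that supplies a `crl` but passes `flags == 0` now gets no revocation check, so the call sites should be checked to pass `X509_V_FLAG_CRL_CHECK` wherever they pass a CRL, and the commit message should say the coupling moved to the callers.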
>
> Feel free to leave it, but you could now drop the if (flags != 0) check.
>
I left it for clarity. Maybe one day I will remove it :)
--
:wq Claudio