#include <ipxe/socket.h>
#include <ipxe/in.h>
#include <ipxe/image.h>
+#include <ipxe/ocsp.h>
#include <ipxe/x509.h>
#include <config/crypto.h>
}
/* Fail if OCSP is required */
- if ( cert->extensions.auth_info.ocsp.uri.len &&
- ( ! cert->extensions.auth_info.ocsp.good ) ) {
+ if ( ocsp_required ( cert ) ) {
DBGC ( cert, "X509 %p \"%s\" requires an OCSP check\n",
cert, x509_name ( cert ) );
return -EACCES_OCSP_REQUIRED;
ref_put ( &ocsp->refcnt );
}
+/**
+ * Check if X.509 certificate requires an OCSP check
+ *
+ * @v cert X.509 certificate
+ * @ret ocsp_required An OCSP check is required
+ */
+static inline int ocsp_required ( struct x509_certificate *cert ) {
+
+ /* An OCSP check is required if an OCSP URI exists but the
+ * OCSP status is not (yet) good.
+ */
+ return ( cert->extensions.auth_info.ocsp.uri.len &&
+ ( ! cert->extensions.auth_info.ocsp.good ) );
+}
+
extern int ocsp_check ( struct x509_certificate *cert,
struct x509_certificate *issuer,
struct ocsp_check **ocsp );
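Review bot: `ocsp_required()` reads `cert->extensions.auth_info.ocsp` unconditionally, so as a `static inline` in a header it needs the complete definition of `struct x509_certificate` in scope wherever ocsp.h is included; the include block of ocsp.h is not visible in this hunk, so confirm it already pulls in `<ipxe/x509.h>` (a forward declaration of the struct would not be enough for the inline body). The doc comment should also state the only precondition the helper has, e.g. `@v cert X.509 certificate (must not be NULL)`, since nothing in the body guards it. The two call sites replaced on this page already dereference `cert` before the check, so the behaviour there is unchanged by the move into the helper. The leading context of this hunk is not visible, so its placement within ocsp.h is inferred from the trailing `ocsp_check` prototype.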
/* The issuer is valid, but this certificate is not
* yet valid. If OCSP is applicable, start it.
*/
- if ( cert->extensions.auth_info.ocsp.uri.len &&
- ( ! cert->extensions.auth_info.ocsp.good ) ) {
+ if ( ocsp_required ( cert ) ) {
/* Start OCSP */
if ( ( rc = validator_start_ocsp ( validator, cert,
issuer ) ) != 0 ) {