argument. The x509 cert is also inside struct cert and easy to access.
Also switch auth_insert() to a void function since it can't fail.
OK tb@
-/* $OpenBSD: cert.c,v 1.50 2022/01/18 13:06:43 claudio Exp $ */
+/* $OpenBSD: cert.c,v 1.51 2022/01/18 16:36:49 claudio Exp $ */
/*
* Copyright (c) 2021 Job Snijders <job@openbsd.org>
* Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
* is also dereferenced.
*/
static struct cert *
-cert_parse_inner(X509 **xp, const char *fn, const unsigned char *der,
- size_t len, int ta)
+cert_parse_inner(const char *fn, const unsigned char *der, size_t len, int ta)
{
int rc = 0, extsz, c;
int sia_present = 0;
ASN1_OBJECT *obj;
struct parse p;
- *xp = NULL;
-
/* just fail for empty buffers, the warning was printed elsewhere */
if (der == NULL)
return NULL;
if ((p.res = calloc(1, sizeof(struct cert))) == NULL)
err(1, NULL);
- if ((x = *xp = d2i_X509(NULL, &der, len)) == NULL) {
+ if ((x = d2i_X509(NULL, &der, len)) == NULL) {
cryptowarnx("%s: d2i_X509_bio", p.fn);
goto out;
}
goto out;
}
- if (X509_up_ref(x) == 0)
- errx(1, "%s: X509_up_ref failed", __func__);
-
p.res->x509 = x;
rc = 1;
if (rc == 0) {
cert_free(p.res);
X509_free(x);
- *xp = NULL;
}
return (rc == 0) ? NULL : p.res;
}
struct cert *
-cert_parse(X509 **xp, const char *fn, const unsigned char *der, size_t len)
+cert_parse(const char *fn, const unsigned char *der, size_t len)
{
- return cert_parse_inner(xp, fn, der, len, 0);
+ return cert_parse_inner(fn, der, len, 0);
}
struct cert *
-ta_parse(X509 **xp, const char *fn, const unsigned char *der, size_t len,
+ta_parse(const char *fn, const unsigned char *der, size_t len,
const unsigned char *pkey, size_t pkeysz)
{
EVP_PKEY *pk = NULL, *opk = NULL;
struct cert *p;
int rc = 0;
- if ((p = cert_parse_inner(xp, fn, der, len, 1)) == NULL)
+ if ((p = cert_parse_inner(fn, der, len, 1)) == NULL)
return NULL;
if (pkey != NULL) {
- assert(*xp != NULL);
pk = d2i_PUBKEY(NULL, &pkey, pkeysz);
assert(pk != NULL);
- if ((opk = X509_get_pubkey(*xp)) == NULL)
+ if ((opk = X509_get_pubkey(p->x509)) == NULL)
cryptowarnx("%s: RFC 6487 (trust anchor): "
"missing pubkey", fn);
else if (EVP_PKEY_cmp(pk, opk) != 1)
if (rc == 0) {
cert_free(p);
p = NULL;
- X509_free(*xp);
- *xp = NULL;
}
return p;
return RB_FIND(auth_tree, auths, &a);
}
-int
+void
auth_insert(struct auth_tree *auths, struct cert *cert, struct auth *parent)
{
struct auth *na;
if (RB_INSERT(auth_tree, auths, na) != NULL)
err(1, "auth tree corrupted");
-
- return 1;
}
static inline int
-/* $OpenBSD: extern.h,v 1.107 2022/01/18 16:24:55 claudio Exp $ */
+/* $OpenBSD: extern.h,v 1.108 2022/01/18 16:36:49 claudio Exp $ */
/*
* Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
*
RB_PROTOTYPE(auth_tree, auth, entry, authcmp);
struct auth *auth_find(struct auth_tree *, const char *);
-int auth_insert(struct auth_tree *, struct cert *, struct auth *);
+void auth_insert(struct auth_tree *, struct cert *, struct auth *);
/*
* Resource types specified by the RPKI profiles.
void cert_buffer(struct ibuf *, const struct cert *);
void cert_free(struct cert *);
-struct cert *cert_parse(X509 **, const char *, const unsigned char *,
- size_t);
-struct cert *ta_parse(X509 **, const char *, const unsigned char *, size_t,
+struct cert *cert_parse(const char *, const unsigned char *, size_t);
+struct cert *ta_parse(const char *, const unsigned char *, size_t,
const unsigned char *, size_t);
struct cert *cert_read(struct ibuf *);
void cert_insert_brks(struct brk_tree *, struct cert *);
-/* $OpenBSD: parser.c,v 1.42 2022/01/18 16:29:06 claudio Exp $ */
+/* $OpenBSD: parser.c,v 1.43 2022/01/18 16:36:49 claudio Exp $ */
/*
* Copyright (c) 2019 Claudio Jeker <claudio@openbsd.org>
* Copyright (c) 2019 Kristaps Dzonsons <kristaps@bsd.lv>
proc_parser_cert(char *file, const unsigned char *der, size_t len)
{
struct cert *cert;
- X509 *x509;
struct auth *a;
struct crl *crl;
/* Extract certificate data and X509. */
- cert = cert_parse(&x509, file, der, len);
+ cert = cert_parse(file, der, len);
if (cert == NULL)
return NULL;
a = valid_ski_aki(file, &auths, cert->ski, cert->aki);
crl = get_crl(a);
- if (!valid_x509(file, x509, a, crl)) {
+ if (!valid_x509(file, cert->x509, a, crl)) {
cert_free(cert);
- X509_free(x509);
return NULL;
}
- X509_free(x509);
cert->talid = a->cert->talid;
/*
* Add validated CA certs to the RPKI auth tree.
*/
- if (cert->purpose == CERT_PURPOSE_CA) {
- if (!auth_insert(&auths, cert, a)) {
- cert_free(cert);
- return NULL;
- }
- }
+ if (cert->purpose == CERT_PURPOSE_CA)
+ auth_insert(&auths, cert, a);
return cert;
}
/* Extract certificate data and X509. */
- cert = ta_parse(&x509, file, der, len, pkey, pkeysz);
+ cert = ta_parse(file, der, len, pkey, pkeysz);
if (cert == NULL)
return NULL;
+ x509 = cert->x509;
if ((name = X509_get_subject_name(x509)) == NULL) {
warnx("%s Unable to get certificate subject", file);
goto badcert;
goto badcert;
}
- X509_free(x509);
-
cert->talid = talid;
/*
* Add valid roots to the RPKI auth tree.
*/
- if (!auth_insert(&auths, cert, NULL)) {
- cert_free(cert);
- return NULL;
- }
+ auth_insert(&auths, cert, NULL);
return cert;
badcert:
- X509_free(x509);
cert_free(cert);
return NULL;
}
projects / openbsd / commitdiff