From d3c7e8168cc8b73d4cc98c39cd43b2a2096e289a Mon Sep 17 00:00:00 2001 From: claudio Date: Tue, 18 Jan 2022 16:24:55 +0000 Subject: [PATCH] Revert all the files that should have not been committed in last commit. --- usr.sbin/rpki-client/cms.c | 14 +- usr.sbin/rpki-client/extern.h | 6 +- usr.sbin/rpki-client/gbr.c | 4 +- usr.sbin/rpki-client/mft.c | 45 +---- usr.sbin/rpki-client/parser.c | 366 +++++++++++++++------------------- 5 files changed, 174 insertions(+), 261 deletions(-) diff --git a/usr.sbin/rpki-client/cms.c b/usr.sbin/rpki-client/cms.c index 10630ab7a23..950e7b6573f 100644 --- a/usr.sbin/rpki-client/cms.c +++ b/usr.sbin/rpki-client/cms.c @@ -1,4 +1,4 @@ -/* $OpenBSD: cms.c,v 1.12 2022/01/18 16:18:22 claudio Exp $ */ +/* $OpenBSD: cms.c,v 1.13 2022/01/18 16:24:55 claudio Exp $ */ /* * Copyright (c) 2019 Kristaps Dzonsons * @@ -36,7 +36,7 @@ */ unsigned char * cms_parse_validate(X509 **xp, const char *fn, const unsigned char *der, - size_t derlen, const ASN1_OBJECT *oid, size_t *rsz, int nowarn) + size_t derlen, const ASN1_OBJECT *oid, size_t *rsz) { const ASN1_OBJECT *obj; ASN1_OCTET_STRING **os = NULL; @@ -53,8 +53,6 @@ cms_parse_validate(X509 **xp, const char *fn, const unsigned char *der, return NULL; if ((cms = d2i_CMS_ContentInfo(NULL, &der, derlen)) == NULL) { - if (nowarn) - goto out; cryptowarnx("%s: RFC 6488: failed CMS parse", fn); goto out; } @@ -66,8 +64,6 @@ cms_parse_validate(X509 **xp, const char *fn, const unsigned char *der, if (!CMS_verify(cms, NULL, NULL, NULL, NULL, CMS_NO_SIGNER_CERT_VERIFY)) { - if (nowarn) - goto out; cryptowarnx("%s: RFC 6488: CMS not self-signed", fn); goto out; } @@ -83,8 +79,6 @@ cms_parse_validate(X509 **xp, const char *fn, const unsigned char *der, if (OBJ_cmp(obj, oid) != 0) { char buf[128], obuf[128]; - if (nowarn) - goto out; OBJ_obj2txt(buf, sizeof(buf), obj, 1); OBJ_obj2txt(obuf, sizeof(obuf), oid, 1); warnx("%s: RFC 6488 section 2.1.3.1: eContentType: " @@ -100,8 +94,6 @@ cms_parse_validate(X509 **xp, const char *fn, const unsigned char *der, certs = CMS_get0_signers(cms); if (certs == NULL || sk_X509_num(certs) != 1) { - if (nowarn) - goto out; warnx("%s: RFC 6488 section 2.1.4: eContent: " "want 1 signer, have %d", fn, sk_X509_num(certs)); goto out; @@ -111,8 +103,6 @@ cms_parse_validate(X509 **xp, const char *fn, const unsigned char *der, /* Verify that we have eContent to disseminate. */ if ((os = CMS_get0_content(cms)) == NULL || *os == NULL) { - if (nowarn) - goto out; warnx("%s: RFC 6488 section 2.1.4: " "eContent: zero-length content", fn); goto out; diff --git a/usr.sbin/rpki-client/extern.h b/usr.sbin/rpki-client/extern.h index 72e478eec85..42bb0fc3af7 100644 --- a/usr.sbin/rpki-client/extern.h +++ b/usr.sbin/rpki-client/extern.h @@ -1,4 +1,4 @@ -/* $OpenBSD: extern.h,v 1.106 2022/01/18 16:18:22 claudio Exp $ */ +/* $OpenBSD: extern.h,v 1.107 2022/01/18 16:24:55 claudio Exp $ */ /* * Copyright (c) 2019 Kristaps Dzonsons * @@ -418,8 +418,8 @@ void mft_buffer(struct ibuf *, const struct mft *); void mft_free(struct mft *); struct mft *mft_parse(X509 **, const char *, const unsigned char *, size_t); +int mft_check(const char *, struct mft *); struct mft *mft_read(struct ibuf *); -int mft_compare(const struct mft *, const struct mft *); void roa_buffer(struct ibuf *, const struct roa *); void roa_free(struct roa *); @@ -454,7 +454,7 @@ int valid_origin(const char *, const char *); /* Working with CMS. */ unsigned char *cms_parse_validate(X509 **, const char *, const unsigned char *, size_t, - const ASN1_OBJECT *, size_t *, int); + const ASN1_OBJECT *, size_t *); int cms_econtent_version(const char *, const unsigned char **, size_t, long *); /* Helper for ASN1 parsing */ diff --git a/usr.sbin/rpki-client/gbr.c b/usr.sbin/rpki-client/gbr.c index 85cd5a5af83..ecdb1f57551 100644 --- a/usr.sbin/rpki-client/gbr.c +++ b/usr.sbin/rpki-client/gbr.c @@ -1,4 +1,4 @@ -/* $OpenBSD: gbr.c,v 1.13 2022/01/18 16:18:22 claudio Exp $ */ +/* $OpenBSD: gbr.c,v 1.14 2022/01/18 16:24:55 claudio Exp $ */ /* * Copyright (c) 2020 Claudio Jeker * @@ -53,7 +53,7 @@ gbr_parse(X509 **x509, const char *fn, const unsigned char *der, size_t len) memset(&p, 0, sizeof(struct parse)); p.fn = fn; - cms = cms_parse_validate(x509, fn, der, len, gbr_oid, &cmsz, 0); + cms = cms_parse_validate(x509, fn, der, len, gbr_oid, &cmsz); if (cms == NULL) return NULL; diff --git a/usr.sbin/rpki-client/mft.c b/usr.sbin/rpki-client/mft.c index bfa8b71b3fc..e393d25f0d3 100644 --- a/usr.sbin/rpki-client/mft.c +++ b/usr.sbin/rpki-client/mft.c @@ -1,4 +1,4 @@ -/* $OpenBSD: mft.c,v 1.47 2022/01/18 16:18:22 claudio Exp $ */ +/* $OpenBSD: mft.c,v 1.48 2022/01/18 16:24:55 claudio Exp $ */ /* * Copyright (c) 2019 Kristaps Dzonsons * @@ -403,8 +403,9 @@ out: /* * Parse the objects that have been published in the manifest. * This conforms to RFC 6486. - * On success the MFT content is returned. Stale MFTs only set - * the stale flag and returned like valid MFTs. + * Note that if the MFT is stale, all referenced objects are stripped + * from the parsed content. + * The MFT content is otherwise returned. */ struct mft * mft_parse(X509 **x509, const char *fn, const unsigned char *der, size_t len) @@ -417,7 +418,7 @@ mft_parse(X509 **x509, const char *fn, const unsigned char *der, size_t len) memset(&p, 0, sizeof(struct parse)); p.fn = fn; - cms = cms_parse_validate(x509, fn, der, len, mft_oid, &cmsz, 0); + cms = cms_parse_validate(x509, fn, der, len, mft_oid, &cmsz); if (cms == NULL) return NULL; assert(*x509 != NULL); @@ -531,39 +532,3 @@ mft_read(struct ibuf *b) return p; } - -/* - * Compare two MFT files, returns 1 if first MFT is better and 0 if second - * should be used. - */ -int -mft_compare(const struct mft *a, const struct mft *b) -{ - BIGNUM *abn = NULL, *bbn = NULL; - int r; - - if (a == NULL) - return 0; - if (b == NULL) - return 1; - -warnx("%s: seq a %s, seq b %s", __func__, a->seqnum, b->seqnum); - BN_hex2bn(&abn, a->seqnum); - BN_hex2bn(&bbn, b->seqnum); - - r = BN_cmp(abn, bbn); - BN_free(abn); - BN_free(bbn); - - if (r <= 0) - return 0; - -warnx("%s: prefer b", __func__); - /* - * Equal sequence numbers should not happen for different content. - * In this case we prefer the newer MFT. It seems some CA update - * the EE cert and timestamps without issuing a new serial. - * This is bad bad bad bad bad. - */ - return 1; -} diff --git a/usr.sbin/rpki-client/parser.c b/usr.sbin/rpki-client/parser.c index a21c3a47cf6..1ac396a4a22 100644 --- a/usr.sbin/rpki-client/parser.c +++ b/usr.sbin/rpki-client/parser.c @@ -1,4 +1,4 @@ -/* $OpenBSD: parser.c,v 1.40 2022/01/18 16:18:22 claudio Exp $ */ +/* $OpenBSD: parser.c,v 1.41 2022/01/18 16:24:55 claudio Exp $ */ /* * Copyright (c) 2019 Claudio Jeker * Copyright (c) 2019 Kristaps Dzonsons @@ -50,7 +50,6 @@ static struct crl_tree crlt = RB_INITIALIZER(&crlt); struct parse_repo { RB_ENTRY(parse_repo) entry; char *path; - char *validpath; unsigned int id; }; @@ -73,75 +72,20 @@ repo_get(unsigned int id) } static void -repo_add(unsigned int id, char *path, char *validpath) +repo_add(unsigned int id, char *path) { struct parse_repo *rp; - if ((rp = calloc(1, sizeof(*rp))) == NULL) + if ((rp = malloc(sizeof(*rp))) == NULL) err(1, NULL); rp->id = id; - if (path != NULL) - if ((rp->path = strdup(path)) == NULL) - err(1, NULL); - if (validpath != NULL) - if ((rp->validpath = strdup(validpath)) == NULL) - err(1, NULL); + if ((rp->path = strdup(path)) == NULL) + err(1, NULL); if (RB_INSERT(repo_tree, &repos, rp) != NULL) errx(1, "repository already added: id %d, %s", id, path); } -/* - * Build access path to file based on repoid, path and file values. - * If wantalt == 1 the function can return NULL, if wantalt == 0 it - * can not fail. - */ -static char * -parse_filepath(unsigned int repoid, const char *path, const char *file, - int wantalt) -{ - struct parse_repo *rp; - char *fn, *repopath; - - /* build file path based on repoid, entity path and filename */ - rp = repo_get(repoid); - if (rp == NULL) { - /* no repo so no alternative path. */ - if (wantalt) - return NULL; - - if (path == NULL) { - if ((fn = strdup(file)) == NULL) - err(1, NULL); - } else { - if (asprintf(&fn, "%s/%s", path, file) == -1) - err(1, NULL); - } - } else { - if (wantalt || rp->path == NULL) - repopath = rp->validpath; - else - repopath = rp->path; - - if (repopath == NULL) - return NULL; - - if (path == NULL) { - if (asprintf(&fn, "%s/%s", repopath, file) == -1) - err(1, NULL); - } else { - if (asprintf(&fn, "%s/%s/%s", repopath, path, - file) == -1) - err(1, NULL); - } - } - return fn; -} - -/* - * Callback for X509_verify_cert() to handle critical extensions in old - * LibreSSL libraries or OpenSSL libs without RFC3779 support. - */ static int verify_cb(int ok, X509_STORE_CTX *store_ctx) { @@ -200,74 +144,52 @@ verify_cb(int ok, X509_STORE_CTX *store_ctx) } /* - * Validate the X509 certificate. If crl is NULL don't check CRL. - * Returns 1 for valid certificates, returns 0 if there is a verify error + * Parse and validate a ROA. + * This is standard stuff. + * Returns the roa on success, NULL on failure. */ -static int -valid_x509(char *file, X509 *x509, struct auth *a, struct crl *crl) +static struct roa * +proc_parser_roa(char *file, const unsigned char *der, size_t len) { - STACK_OF(X509) *chain; - STACK_OF(X509_CRL) *crls = NULL; + struct roa *roa; + X509 *x509; int c; + struct auth *a; + STACK_OF(X509) *chain; + STACK_OF(X509_CRL) *crls; + struct crl *crl; + + if ((roa = roa_parse(&x509, file, der, len)) == NULL) + return NULL; + a = valid_ski_aki(file, &auths, roa->ski, roa->aki); build_chain(a, &chain); - if (crl != NULL) - build_crls(crl, &crls); + crl = get_crl(a); + build_crls(crl, &crls); assert(x509 != NULL); if (!X509_STORE_CTX_init(ctx, NULL, x509, NULL)) cryptoerrx("X509_STORE_CTX_init"); - X509_STORE_CTX_set_verify_cb(ctx, verify_cb); if (!X509_STORE_CTX_set_app_data(ctx, file)) cryptoerrx("X509_STORE_CTX_set_app_data"); - if (crl != NULL) - X509_STORE_CTX_set_flags(ctx, X509_V_FLAG_CRL_CHECK); + X509_STORE_CTX_set_flags(ctx, X509_V_FLAG_CRL_CHECK); X509_STORE_CTX_set_depth(ctx, MAX_CERT_DEPTH); X509_STORE_CTX_set0_trusted_stack(ctx, chain); - if (crl != NULL) - X509_STORE_CTX_set0_crls(ctx, crls); + X509_STORE_CTX_set0_crls(ctx, crls); if (X509_verify_cert(ctx) <= 0) { c = X509_STORE_CTX_get_error(ctx); - warnx("%s: %s", file, X509_verify_cert_error_string(c)); X509_STORE_CTX_cleanup(ctx); - sk_X509_free(chain); - sk_X509_CRL_free(crls); - return 0; - } - - X509_STORE_CTX_cleanup(ctx); - sk_X509_free(chain); - sk_X509_CRL_free(crls); - return 1; -} - -/* - * Parse and validate a ROA. - * This is standard stuff. - * Returns the roa on success, NULL on failure. - */ -static struct roa * -proc_parser_roa(char *file, const unsigned char *der, size_t len) -{ - struct roa *roa; - struct crl *crl; - struct auth *a; - X509 *x509; - - if ((roa = roa_parse(&x509, file, der, len)) == NULL) - return NULL; - - a = valid_ski_aki(file, &auths, roa->ski, roa->aki); - crl = get_crl(a); - - if (!valid_x509(file, x509, a, crl)) { + if (verbose > 0 || c != X509_V_ERR_UNABLE_TO_GET_CRL) + warnx("%s: %s", file, X509_verify_cert_error_string(c)); X509_free(x509); roa_free(roa); + sk_X509_free(chain); + sk_X509_CRL_free(crls); return NULL; } - X509_free(x509); + X509_STORE_CTX_cleanup(ctx); /* * Check CRL to figure out the soonest transitive expiry moment @@ -292,6 +214,10 @@ proc_parser_roa(char *file, const unsigned char *der, size_t len) if (valid_roa(file, &auths, roa)) roa->valid = 1; + sk_X509_free(chain); + sk_X509_CRL_free(crls); + X509_free(x509); + return roa; } @@ -299,12 +225,17 @@ proc_parser_roa(char *file, const unsigned char *der, size_t len) * Check all files and their hashes in a MFT structure. * Return zero on failure, non-zero on success. */ -static int +int mft_check(const char *fn, struct mft *p) { size_t i; - int fd, try, rc = 1; - char *h, *path; + int fd, rc = 1; + char *cp, *h, *path = NULL; + + /* Check hash of file now, but first build path for it */ + cp = strrchr(fn, '/'); + assert(cp != NULL); + assert(cp - fn < INT_MAX); for (i = 0; i < p->filesz; i++) { const struct mftfile *m = &p->files[i]; @@ -315,24 +246,15 @@ mft_check(const char *fn, struct mft *p) free(h); continue; } - - fd = -1; - try = 0; - path = NULL; - do { - free(path); - if ((path = parse_filepath(p->repoid, p->path, m->file, - try++)) == NULL) - break; - fd = open(path, O_RDONLY); - } while (fd == -1 && try < 2); - - free(path); - + if (asprintf(&path, "%.*s/%s", (int)(cp - fn), fn, + m->file) == -1) + err(1, NULL); + fd = open(path, O_RDONLY); if (!valid_filehash(fd, m->hash, sizeof(m->hash))) { warnx("%s: bad message digest for %s", fn, m->file); rc = 0; } + free(path); } return rc; @@ -354,31 +276,49 @@ proc_parser_mft(char *file, const unsigned char *der, size_t len, { struct mft *mft; X509 *x509; + int c; struct auth *a; + STACK_OF(X509) *chain; if ((mft = mft_parse(&x509, file, der, len)) == NULL) return NULL; a = valid_ski_aki(file, &auths, mft->ski, mft->aki); + build_chain(a, &chain); - if (!valid_x509(file, x509, a, NULL)) { + if (!X509_STORE_CTX_init(ctx, NULL, x509, NULL)) + cryptoerrx("X509_STORE_CTX_init"); + + /* CRL checks disabled here because CRL is referenced from mft */ + X509_STORE_CTX_set_verify_cb(ctx, verify_cb); + if (!X509_STORE_CTX_set_app_data(ctx, file)) + cryptoerrx("X509_STORE_CTX_set_app_data"); + X509_STORE_CTX_set_depth(ctx, MAX_CERT_DEPTH); + X509_STORE_CTX_set0_trusted_stack(ctx, chain); + + if (X509_verify_cert(ctx) <= 0) { + c = X509_STORE_CTX_get_error(ctx); + X509_STORE_CTX_cleanup(ctx); + warnx("%s: %s", file, X509_verify_cert_error_string(c)); mft_free(mft); X509_free(x509); + sk_X509_free(chain); return NULL; } + + X509_STORE_CTX_cleanup(ctx); + sk_X509_free(chain); X509_free(x509); - mft->repoid = repoid; + if (!mft_check(file, mft)) { + mft_free(mft); + return NULL; + } + if (path != NULL) if ((mft->path = strdup(path)) == NULL) err(1, NULL); - - if (!mft->stale) - if (!mft_check(file, mft)) { - mft_free(mft); - return NULL; - } - + mft->repoid = repoid; return mft; } @@ -394,8 +334,10 @@ proc_parser_cert(char *file, const unsigned char *der, size_t len) { struct cert *cert; X509 *x509; - struct auth *a; - struct crl *crl; + int c; + struct auth *a = NULL; + STACK_OF(X509) *chain; + STACK_OF(X509_CRL) *crls; /* Extract certificate data and X509. */ @@ -404,13 +346,35 @@ proc_parser_cert(char *file, const unsigned char *der, size_t len) return NULL; a = valid_ski_aki(file, &auths, cert->ski, cert->aki); - crl = get_crl(a); + build_chain(a, &chain); + build_crls(get_crl(a), &crls); + + assert(x509 != NULL); + if (!X509_STORE_CTX_init(ctx, NULL, x509, NULL)) + cryptoerrx("X509_STORE_CTX_init"); + + X509_STORE_CTX_set_verify_cb(ctx, verify_cb); + if (!X509_STORE_CTX_set_app_data(ctx, file)) + cryptoerrx("X509_STORE_CTX_set_app_data"); + X509_STORE_CTX_set_flags(ctx, X509_V_FLAG_CRL_CHECK); + X509_STORE_CTX_set_depth(ctx, MAX_CERT_DEPTH); + X509_STORE_CTX_set0_trusted_stack(ctx, chain); + X509_STORE_CTX_set0_crls(ctx, crls); - if (!valid_x509(file, x509, a, crl)) { + if (X509_verify_cert(ctx) <= 0) { + c = X509_STORE_CTX_get_error(ctx); + warnx("%s: %s", file, X509_verify_cert_error_string(c)); + X509_STORE_CTX_cleanup(ctx); cert_free(cert); + sk_X509_free(chain); + sk_X509_CRL_free(crls); X509_free(x509); return NULL; } + + X509_STORE_CTX_cleanup(ctx); + sk_X509_free(chain); + sk_X509_CRL_free(crls); X509_free(x509); cert->talid = a->cert->talid; @@ -571,18 +535,39 @@ proc_parser_gbr(char *file, const unsigned char *der, size_t len) { struct gbr *gbr; X509 *x509; + int c; struct auth *a; - struct crl *crl; + STACK_OF(X509) *chain; + STACK_OF(X509_CRL) *crls; if ((gbr = gbr_parse(&x509, file, der, len)) == NULL) return; a = valid_ski_aki(file, &auths, gbr->ski, gbr->aki); - crl = get_crl(a); - /* return value can be ignored since nothing happens here */ - valid_x509(file, x509, a, crl); + build_chain(a, &chain); + build_crls(get_crl(a), &crls); + assert(x509 != NULL); + if (!X509_STORE_CTX_init(ctx, NULL, x509, NULL)) + cryptoerrx("X509_STORE_CTX_init"); + X509_STORE_CTX_set_verify_cb(ctx, verify_cb); + if (!X509_STORE_CTX_set_app_data(ctx, file)) + cryptoerrx("X509_STORE_CTX_set_app_data"); + X509_STORE_CTX_set_flags(ctx, X509_V_FLAG_CRL_CHECK); + X509_STORE_CTX_set_depth(ctx, MAX_CERT_DEPTH); + X509_STORE_CTX_set0_trusted_stack(ctx, chain); + X509_STORE_CTX_set0_crls(ctx, crls); + + if (X509_verify_cert(ctx) <= 0) { + c = X509_STORE_CTX_get_error(ctx); + if (verbose > 0 || c != X509_V_ERR_UNABLE_TO_GET_CRL) + warnx("%s: %s", file, X509_verify_cert_error_string(c)); + } + + X509_STORE_CTX_cleanup(ctx); + sk_X509_free(chain); + sk_X509_CRL_free(crls); X509_free(x509); gbr_free(gbr); } @@ -644,40 +629,33 @@ build_crls(const struct crl *crl, STACK_OF(X509_CRL) **crls) } static char * -parse_load_file(struct entity *entp, unsigned char **f, size_t *flen) +parse_filepath(struct entity *entp) { - char *file, *nfile; - - file = parse_filepath(entp->repoid, entp->path, entp->file, 0); + struct parse_repo *rp; + char *file; - /* TAL files include the data already */ - if (entp->type == RTYPE_TAL) { - *f = NULL; - *flen = 0; - return file; + /* build file path based on repoid, entity path and filename */ + rp = repo_get(entp->repoid); + if (rp == NULL) { + if (entp->path == NULL) { + if ((file = strdup(entp->file)) == NULL) + err(1, NULL); + } else { + if (asprintf(&file, "%s/%s", entp->path, + entp->file) == -1) + err(1, NULL); + } + } else { + if (entp->path == NULL) { + if (asprintf(&file, "%s/%s", rp->path, + entp->file) == -1) + err(1, NULL); + } else { + if (asprintf(&file, "%s/%s/%s", rp->path, + entp->path, entp->file) == -1) + err(1, NULL); + } } - - *f = load_file(file, flen); - if (*f != NULL) - return file; - - if (errno != ENOENT) - goto fail; - - /* try alternate file location */ - nfile = parse_filepath(entp->repoid, entp->path, entp->file, 1); - if (nfile == NULL) - goto fail; - - free(file); - file = nfile; - - *f = load_file(file, flen); - if (*f != NULL) - return file; - -fail: - warn("parse file %s", file); return file; } @@ -687,12 +665,12 @@ parse_entity(struct entityq *q, struct msgbuf *msgq) struct entity *entp; struct tal *tal; struct cert *cert; - struct mft *mft, *mft2; + struct mft *mft; struct roa *roa; struct ibuf *b; unsigned char *f; size_t flen; - char *file, *nfile; + char *file; int c; while ((entp = TAILQ_FIRST(q)) != NULL) { @@ -700,18 +678,23 @@ parse_entity(struct entityq *q, struct msgbuf *msgq) /* handle RTYPE_REPO first */ if (entp->type == RTYPE_REPO) { - repo_add(entp->repoid, entp->path, entp->file); + repo_add(entp->repoid, entp->path); entity_free(entp); continue; } - file = parse_load_file(entp, &f, &flen); + f = NULL; + file = parse_filepath(entp); + if (entp->type != RTYPE_TAL) { + f = load_file(file, &flen); + if (f == NULL) + warn("%s", file); + } - /* pass back at least type, repoid and filename */ + /* pass back at least type and filename */ b = io_new_buffer(); io_simple_buffer(b, &entp->type, sizeof(entp->type)); - if (entp->type != RTYPE_MFT) /* MFT handled specially */ - io_str_buffer(b, file); + io_str_buffer(b, file); switch (entp->type) { case RTYPE_TAL: @@ -746,31 +729,7 @@ parse_entity(struct entityq *q, struct msgbuf *msgq) case RTYPE_MFT: mft = proc_parser_mft(file, f, flen, entp->path, entp->repoid); - - /* need to check alternate mft and compare serial */ - nfile = parse_filepath(entp->repoid, entp->path, - entp->file, 1); - if (nfile != NULL && strcmp(nfile, file) != 0) { - free(f); - f = load_file(nfile, &flen); - mft2 = proc_parser_mft(nfile, f, flen, - entp->path, entp->repoid); - if (mft_compare(mft2, mft)) { - /* swap MFT */ -warnx("using old valid MFT %s", nfile); - mft_free(mft); - mft = mft2; - mft2 = NULL; - free(file); - file = nfile; - nfile = NULL; - } - mft_free(mft2); - } - free(nfile); - c = (mft != NULL); - io_str_buffer(b, file); io_simple_buffer(b, &c, sizeof(int)); if (mft != NULL) mft_buffer(b, mft); @@ -817,7 +776,6 @@ proc_parser(int fd) ERR_load_crypto_strings(); OpenSSL_add_all_ciphers(); OpenSSL_add_all_digests(); - x509_init_oid(); if ((ctx = X509_STORE_CTX_new()) == NULL) cryptoerrx("X509_STORE_CTX_new"); -- 2.20.1