robin.thoni
/
ipxe
Watch 1
Star 0
Fork 0
Code Issues 0 Pull Requests 0 Releases 11 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
5879 Commits
2 Branches
Tree: 447e5cd447
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '447e5cd447'
${ noResults }
ipxe/src/net/validator.c

validator.c 16KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610 
  1. /*

  2.  * Copyright (C) 2012 Michael Brown <mbrown@fensystems.co.uk>.

  3.  *

  4.  * This program is free software; you can redistribute it and/or

  5.  * modify it under the terms of the GNU General Public License as

  6.  * published by the Free Software Foundation; either version 2 of the

  7.  * License, or (at your option) any later version.

  8.  *

  9.  * This program is distributed in the hope that it will be useful, but

  10.  * WITHOUT ANY WARRANTY; without even the implied warranty of

  11.  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU

  12.  * General Public License for more details.

  13.  *

  14.  * You should have received a copy of the GNU General Public License

  15.  * along with this program; if not, write to the Free Software

  16.  * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA

  17.  * 02110-1301, USA.

  18.  *

  19.  * You can also choose to distribute this program under the terms of

  20.  * the Unmodified Binary Distribution Licence (as given in the file

  21.  * COPYING.UBDL), provided that you have satisfied its requirements.

  22.  */

  23. 

  24. FILE_LICENCE ( GPL2_OR_LATER_OR_UBDL );

  25. 

  26. #include <string.h>

  27. #include <stdio.h>

  28. #include <errno.h>

  29. #include <ipxe/refcnt.h>

  30. #include <ipxe/malloc.h>

  31. #include <ipxe/interface.h>

  32. #include <ipxe/xfer.h>

  33. #include <ipxe/open.h>

  34. #include <ipxe/iobuf.h>

  35. #include <ipxe/xferbuf.h>

  36. #include <ipxe/process.h>

  37. #include <ipxe/x509.h>

  38. #include <ipxe/settings.h>

  39. #include <ipxe/dhcp.h>

  40. #include <ipxe/base64.h>

  41. #include <ipxe/crc32.h>

  42. #include <ipxe/ocsp.h>

  43. #include <ipxe/validator.h>

  44. #include <config/crypto.h>

  45. 

  46. /** @file

  47.  *

  48.  * Certificate validator

  49.  *

  50.  */

  51. 

  52. /** A certificate validator */

  53. struct validator {

  54. 	/** Reference count */

  55. 	struct refcnt refcnt;

  56. 	/** Job control interface */

  57. 	struct interface job;

  58. 	/** Data transfer interface */

  59. 	struct interface xfer;

  60. 

  61. 	/** Process */

  62. 	struct process process;

  63. 

  64. 	/** X.509 certificate chain */

  65. 	struct x509_chain *chain;

  66. 	/** OCSP check */

  67. 	struct ocsp_check *ocsp;

  68. 	/** Data buffer */

  69. 	struct xfer_buffer buffer;

  70. 	/** Action to take upon completed transfer */

  71. 	int ( * done ) ( struct validator *validator, const void *data,

  72. 			 size_t len );

  73. };

  74. 

  75. /**

  76.  * Get validator name (for debug messages)

  77.  *

  78.  * @v validator		Certificate validator

  79.  * @ret name		Validator name

  80.  */

  81. static const char * validator_name ( struct validator *validator ) {

  82. 

  83. 	/* Use name of first certificate in chain */

  84. 	return x509_name ( x509_first ( validator->chain ) );

  85. }

  86. 

  87. /**

  88.  * Free certificate validator

  89.  *

  90.  * @v refcnt		Reference count

  91.  */

  92. static void validator_free ( struct refcnt *refcnt ) {

  93. 	struct validator *validator =

  94. 		container_of ( refcnt, struct validator, refcnt );

  95. 

  96. 	DBGC2 ( validator, "VALIDATOR %p \"%s\" freed\n",

  97. 		validator, validator_name ( validator ) );

  98. 	x509_chain_put ( validator->chain );

  99. 	ocsp_put ( validator->ocsp );

  100. 	xferbuf_free ( &validator->buffer );

  101. 	free ( validator );

  102. }

  103. 

  104. /**

  105.  * Mark certificate validation as finished

  106.  *

  107.  * @v validator		Certificate validator

  108.  * @v rc		Reason for finishing

  109.  */

  110. static void validator_finished ( struct validator *validator, int rc ) {

  111. 

  112. 	/* Remove process */

  113. 	process_del ( &validator->process );

  114. 

  115. 	/* Close all interfaces */

  116. 	intf_shutdown ( &validator->xfer, rc );

  117. 	intf_shutdown ( &validator->job, rc );

  118. }

  119. 

  120. /****************************************************************************

  121.  *

  122.  * Job control interface

  123.  *

  124.  */

  125. 

  126. /** Certificate validator job control interface operations */

  127. static struct interface_operation validator_job_operations[] = {

  128. 	INTF_OP ( intf_close, struct validator *, validator_finished ),

  129. };

  130. 

  131. /** Certificate validator job control interface descriptor */

  132. static struct interface_descriptor validator_job_desc =

  133. 	INTF_DESC ( struct validator, job, validator_job_operations );

  134. 

  135. /****************************************************************************

  136.  *

  137.  * Cross-signing certificates

  138.  *

  139.  */

  140. 

  141. /** Cross-signed certificate source setting */

  142. const struct setting crosscert_setting __setting ( SETTING_CRYPTO, crosscert )={

  143. 	.name = "crosscert",

  144. 	.description = "Cross-signed certificate source",

  145. 	.tag = DHCP_EB_CROSS_CERT,

  146. 	.type = &setting_type_string,

  147. };

  148. 

  149. /** Default cross-signed certificate source */

  150. static const char crosscert_default[] = CROSSCERT;

  151. 

  152. /**

  153.  * Append cross-signing certificates to certificate chain

  154.  *

  155.  * @v validator		Certificate validator

  156.  * @v data		Raw cross-signing certificate data

  157.  * @v len		Length of raw data

  158.  * @ret rc		Return status code

  159.  */

  160. static int validator_append ( struct validator *validator,

  161. 			      const void *data, size_t len ) {

  162. 	struct asn1_cursor cursor;

  163. 	struct x509_chain *certs;

  164. 	struct x509_certificate *cert;

  165. 	struct x509_certificate *last;

  166. 	int rc;

  167. 

  168. 	/* Allocate certificate list */

  169. 	certs = x509_alloc_chain();

  170. 	if ( ! certs ) {

  171. 		rc = -ENOMEM;

  172. 		goto err_alloc_certs;

  173. 	}

  174. 

  175. 	/* Initialise cursor */

  176. 	cursor.data = data;

  177. 	cursor.len = len;

  178. 

  179. 	/* Enter certificateSet */

  180. 	if ( ( rc = asn1_enter ( &cursor, ASN1_SET ) ) != 0 ) {

  181. 		DBGC ( validator, "VALIDATOR %p \"%s\" could not enter "

  182. 		       "certificateSet: %s\n", validator,

  183. 		       validator_name ( validator ), strerror ( rc ) );

  184. 		goto err_certificateset;

  185. 	}

  186. 

  187. 	/* Add each certificate to list */

  188. 	while ( cursor.len ) {

  189. 

  190. 		/* Add certificate to chain */

  191. 		if ( ( rc = x509_append_raw ( certs, cursor.data,

  192. 					      cursor.len ) ) != 0 ) {

  193. 			DBGC ( validator, "VALIDATOR %p \"%s\" could not "

  194. 			       "append certificate: %s\n", validator,

  195. 			       validator_name ( validator ), strerror ( rc) );

  196. 			DBGC_HDA ( validator, 0, cursor.data, cursor.len );

  197. 			return rc;

  198. 		}

  199. 		cert = x509_last ( certs );

  200. 		DBGC ( validator, "VALIDATOR %p \"%s\" found certificate ",

  201. 		       validator, validator_name ( validator ) );

  202. 		DBGC ( validator, "%s\n", x509_name ( cert ) );

  203. 

  204. 		/* Move to next certificate */

  205. 		asn1_skip_any ( &cursor );

  206. 	}

  207. 

  208. 	/* Append certificates to chain */

  209. 	last = x509_last ( validator->chain );

  210. 	if ( ( rc = x509_auto_append ( validator->chain, certs ) ) != 0 ) {

  211. 		DBGC ( validator, "VALIDATOR %p \"%s\" could not append "

  212. 		       "certificates: %s\n", validator,

  213. 		       validator_name ( validator ), strerror ( rc ) );

  214. 		goto err_auto_append;

  215. 	}

  216. 

  217. 	/* Check that at least one certificate has been added */

  218. 	if ( last == x509_last ( validator->chain ) ) {

  219. 		DBGC ( validator, "VALIDATOR %p \"%s\" failed to append any "

  220. 		       "applicable certificates\n", validator,

  221. 		       validator_name ( validator ) );

  222. 		rc = -EACCES;

  223. 		goto err_no_progress;

  224. 	}

  225. 

  226. 	/* Drop reference to certificate list */

  227. 	x509_chain_put ( certs );

  228. 

  229. 	return 0;

  230. 

  231.  err_no_progress:

  232.  err_auto_append:

  233.  err_certificateset:

  234. 	x509_chain_put ( certs );

  235.  err_alloc_certs:

  236. 	return rc;

  237. }

  238. 

  239. /**

  240.  * Start download of cross-signing certificate

  241.  *

  242.  * @v validator		Certificate validator

  243.  * @v cert		X.509 certificate

  244.  * @ret rc		Return status code

  245.  */

  246. static int validator_start_download ( struct validator *validator,

  247. 				      struct x509_certificate *cert ) {

  248. 	const struct asn1_cursor *issuer = &cert->issuer.raw;

  249. 	const char *crosscert;

  250. 	char *crosscert_copy;

  251. 	char *uri_string;

  252. 	size_t uri_string_len;

  253. 	uint32_t crc;

  254. 	int len;

  255. 	int rc;

  256. 

  257. 	/* Determine cross-signed certificate source */

  258. 	fetch_string_setting_copy ( NULL, &crosscert_setting, &crosscert_copy );

  259. 	crosscert = ( crosscert_copy ? crosscert_copy : crosscert_default );

  260. 	if ( ! crosscert[0] ) {

  261. 		rc = -EINVAL;

  262. 		goto err_check_uri_string;

  263. 	}

  264. 

  265. 	/* Allocate URI string */

  266. 	uri_string_len = ( strlen ( crosscert ) + 22 /* "/%08x.der?subject=" */

  267. 			   + base64_encoded_len ( issuer->len ) + 1 /* NUL */ );

  268. 	uri_string = zalloc ( uri_string_len );

  269. 	if ( ! uri_string ) {

  270. 		rc = -ENOMEM;

  271. 		goto err_alloc_uri_string;

  272. 	}

  273. 

  274. 	/* Generate CRC32 */

  275. 	crc = crc32_le ( 0xffffffffUL, issuer->data, issuer->len );

  276. 

  277. 	/* Generate URI string */

  278. 	len = snprintf ( uri_string, uri_string_len, "%s/%08x.der?subject=",

  279. 			 crosscert, crc );

  280. 	base64_encode ( issuer->data, issuer->len, ( uri_string + len ),

  281. 			( uri_string_len - len ) );

  282. 	DBGC ( validator, "VALIDATOR %p \"%s\" downloading ",

  283. 	       validator, validator_name ( validator ) );

  284. 	DBGC ( validator, "\"%s\" cross-signature from %s\n",

  285. 	       x509_name ( cert ), uri_string );

  286. 

  287. 	/* Set completion handler */

  288. 	validator->done = validator_append;

  289. 

  290. 	/* Open URI */

  291. 	if ( ( rc = xfer_open_uri_string ( &validator->xfer,

  292. 					   uri_string ) ) != 0 ) {

  293. 		DBGC ( validator, "VALIDATOR %p \"%s\" could not open %s: "

  294. 		       "%s\n", validator, validator_name ( validator ),

  295. 		       uri_string, strerror ( rc ) );

  296. 		goto err_open_uri_string;

  297. 	}

  298. 

  299. 	/* Success */

  300. 	rc = 0;

  301. 

  302.  err_open_uri_string:

  303. 	free ( uri_string );

  304.  err_alloc_uri_string:

  305.  err_check_uri_string:

  306. 	free ( crosscert_copy );

  307. 	return rc;

  308. }

  309. 

  310. /****************************************************************************

  311.  *

  312.  * OCSP checks

  313.  *

  314.  */

  315. 

  316. /**

  317.  * Validate OCSP response

  318.  *

  319.  * @v validator		Certificate validator

  320.  * @v data		Raw OCSP response

  321.  * @v len		Length of raw data

  322.  * @ret rc		Return status code

  323.  */

  324. static int validator_ocsp_validate ( struct validator *validator,

  325. 				     const void *data, size_t len ) {

  326. 	time_t now;

  327. 	int rc;

  328. 

  329. 	/* Record OCSP response */

  330. 	if ( ( rc = ocsp_response ( validator->ocsp, data, len ) ) != 0 ) {

  331. 		DBGC ( validator, "VALIDATOR %p \"%s\" could not record OCSP "

  332. 		       "response: %s\n", validator,

  333. 		       validator_name ( validator ),strerror ( rc ) );

  334. 		return rc;

  335. 	}

  336. 

  337. 	/* Validate OCSP response */

  338. 	now = time ( NULL );

  339. 	if ( ( rc = ocsp_validate ( validator->ocsp, now ) ) != 0 ) {

  340. 		DBGC ( validator, "VALIDATOR %p \"%s\" could not validate "

  341. 		       "OCSP response: %s\n", validator,

  342. 		       validator_name ( validator ), strerror ( rc ) );

  343. 		return rc;

  344. 	}

  345. 

  346. 	/* Drop reference to OCSP check */

  347. 	ocsp_put ( validator->ocsp );

  348. 	validator->ocsp = NULL;

  349. 

  350. 	return 0;

  351. }

  352. 

  353. /**

  354.  * Start OCSP check

  355.  *

  356.  * @v validator		Certificate validator

  357.  * @v cert		Certificate to check

  358.  * @v issuer		Issuing certificate

  359.  * @ret rc		Return status code

  360.  */

  361. static int validator_start_ocsp ( struct validator *validator,

  362. 				  struct x509_certificate *cert,

  363. 				  struct x509_certificate *issuer ) {

  364. 	const char *uri_string;

  365. 	int rc;

  366. 

  367. 	/* Create OCSP check */

  368. 	assert ( validator->ocsp == NULL );

  369. 	if ( ( rc = ocsp_check ( cert, issuer, &validator->ocsp ) ) != 0 ) {

  370. 		DBGC ( validator, "VALIDATOR %p \"%s\" could not create OCSP "

  371. 		       "check: %s\n", validator, validator_name ( validator ),

  372. 		       strerror ( rc ) );

  373. 		return rc;

  374. 	}

  375. 

  376. 	/* Set completion handler */

  377. 	validator->done = validator_ocsp_validate;

  378. 

  379. 	/* Open URI */

  380. 	uri_string = validator->ocsp->uri_string;

  381. 	DBGC ( validator, "VALIDATOR %p \"%s\" checking ",

  382. 	       validator, validator_name ( validator ) );

  383. 	DBGC ( validator, "\"%s\" via %s\n",

  384. 	       x509_name ( cert ), uri_string );

  385. 	if ( ( rc = xfer_open_uri_string ( &validator->xfer,

  386. 					   uri_string ) ) != 0 ) {

  387. 		DBGC ( validator, "VALIDATOR %p \"%s\" could not open %s: "

  388. 		       "%s\n", validator, validator_name ( validator ),

  389. 		       uri_string, strerror ( rc ) );

  390. 		return rc;

  391. 	}

  392. 

  393. 	return 0;

  394. }

  395. 

  396. /****************************************************************************

  397.  *

  398.  * Data transfer interface

  399.  *

  400.  */

  401. 

  402. /**

  403.  * Close data transfer interface

  404.  *

  405.  * @v validator		Certificate validator

  406.  * @v rc		Reason for close

  407.  */

  408. static void validator_xfer_close ( struct validator *validator, int rc ) {

  409. 

  410. 	/* Close data transfer interface */

  411. 	intf_restart ( &validator->xfer, rc );

  412. 

  413. 	/* Check for errors */

  414. 	if ( rc != 0 ) {

  415. 		DBGC ( validator, "VALIDATOR %p \"%s\" transfer failed: %s\n",

  416. 		       validator, validator_name ( validator ),

  417. 		       strerror ( rc ) );

  418. 		goto err_transfer;

  419. 	}

  420. 	DBGC2 ( validator, "VALIDATOR %p \"%s\" transfer complete\n",

  421. 		validator, validator_name ( validator ) );

  422. 

  423. 	/* Process completed download */

  424. 	assert ( validator->done != NULL );

  425. 	if ( ( rc = validator->done ( validator, validator->buffer.data,

  426. 				       validator->buffer.len ) ) != 0 )

  427. 		goto err_append;

  428. 

  429. 	/* Free downloaded data */

  430. 	xferbuf_free ( &validator->buffer );

  431. 

  432. 	/* Resume validation process */

  433. 	process_add ( &validator->process );

  434. 

  435. 	return;

  436. 

  437.  err_append:

  438.  err_transfer:

  439. 	validator_finished ( validator, rc );

  440. }

  441. 

  442. /**

  443.  * Receive data

  444.  *

  445.  * @v validator		Certificate validator

  446.  * @v iobuf		I/O buffer

  447.  * @v meta		Data transfer metadata

  448.  * @ret rc		Return status code

  449.  */

  450. static int validator_xfer_deliver ( struct validator *validator,

  451. 				    struct io_buffer *iobuf,

  452. 				    struct xfer_metadata *meta ) {

  453. 	int rc;

  454. 

  455. 	/* Add data to buffer */

  456. 	if ( ( rc = xferbuf_deliver ( &validator->buffer, iob_disown ( iobuf ),

  457. 				      meta ) ) != 0 ) {

  458. 		DBGC ( validator, "VALIDATOR %p \"%s\" could not receive "

  459. 		       "data: %s\n", validator, validator_name ( validator ),

  460. 		       strerror ( rc ) );

  461. 		validator_finished ( validator, rc );

  462. 		return rc;

  463. 	}

  464. 

  465. 	return 0;

  466. }

  467. 

  468. /** Certificate validator data transfer interface operations */

  469. static struct interface_operation validator_xfer_operations[] = {

  470. 	INTF_OP ( xfer_deliver, struct validator *, validator_xfer_deliver ),

  471. 	INTF_OP ( intf_close, struct validator *, validator_xfer_close ),

  472. };

  473. 

  474. /** Certificate validator data transfer interface descriptor */

  475. static struct interface_descriptor validator_xfer_desc =

  476. 	INTF_DESC ( struct validator, xfer, validator_xfer_operations );

  477. 

  478. /****************************************************************************

  479.  *

  480.  * Validation process

  481.  *

  482.  */

  483. 

  484. /**

  485.  * Certificate validation process

  486.  *

  487.  * @v validator		Certificate validator

  488.  */

  489. static void validator_step ( struct validator *validator ) {

  490. 	struct x509_link *link;

  491. 	struct x509_certificate *cert;

  492. 	struct x509_certificate *issuer = NULL;

  493. 	struct x509_certificate *last;

  494. 	time_t now;

  495. 	int rc;

  496. 

  497. 	/* Try validating chain.  Try even if the chain is incomplete,

  498. 	 * since certificates may already have been validated

  499. 	 * previously.

  500. 	 */

  501. 	now = time ( NULL );

  502. 	if ( ( rc = x509_validate_chain ( validator->chain, now, NULL,

  503. 					  NULL ) ) == 0 ) {

  504. 		DBGC ( validator, "VALIDATOR %p \"%s\" validated\n",

  505. 		       validator, validator_name ( validator ) );

  506. 		validator_finished ( validator, 0 );

  507. 		return;

  508. 	}

  509. 

  510. 	/* If there is a certificate that could be validated using

  511. 	 * OCSP, try it.

  512. 	 */

  513. 	list_for_each_entry ( link, &validator->chain->links, list ) {

  514. 		cert = issuer;

  515. 		issuer = link->cert;

  516. 		if ( ! cert )

  517. 			continue;

  518. 		if ( ! x509_is_valid ( issuer ) )

  519. 			continue;

  520. 		/* The issuer is valid, but this certificate is not

  521. 		 * yet valid.  If OCSP is applicable, start it.

  522. 		 */

  523. 		if ( ocsp_required ( cert ) ) {

  524. 			/* Start OCSP */

  525. 			if ( ( rc = validator_start_ocsp ( validator, cert,

  526. 							   issuer ) ) != 0 ) {

  527. 				validator_finished ( validator, rc );

  528. 				return;

  529. 			}

  530. 			return;

  531. 		}

  532. 		/* Otherwise, this is a permanent failure */

  533. 		validator_finished ( validator, rc );

  534. 		return;

  535. 	}

  536. 

  537. 	/* If chain ends with a self-issued certificate, then there is

  538. 	 * nothing more to do.

  539. 	 */

  540. 	last = x509_last ( validator->chain );

  541. 	if ( asn1_compare ( &last->issuer.raw, &last->subject.raw ) == 0 ) {

  542. 		validator_finished ( validator, rc );

  543. 		return;

  544. 	}

  545. 

  546. 	/* Otherwise, try to download a suitable cross-signing

  547. 	 * certificate.

  548. 	 */

  549. 	if ( ( rc = validator_start_download ( validator, last ) ) != 0 ) {

  550. 		validator_finished ( validator, rc );

  551. 		return;

  552. 	}

  553. }

  554. 

  555. /** Certificate validator process descriptor */

  556. static struct process_descriptor validator_process_desc =

  557. 	PROC_DESC_ONCE ( struct validator, process, validator_step );

  558. 

  559. /****************************************************************************

  560.  *

  561.  * Instantiator

  562.  *

  563.  */

  564. 

  565. /**

  566.  * Instantiate a certificate validator

  567.  *

  568.  * @v job		Job control interface

  569.  * @v chain		X.509 certificate chain

  570.  * @ret rc		Return status code

  571.  */

  572. int create_validator ( struct interface *job, struct x509_chain *chain ) {

  573. 	struct validator *validator;

  574. 	int rc;

  575. 

  576. 	/* Sanity check */

  577. 	if ( ! chain ) {

  578. 		rc = -EINVAL;

  579. 		goto err_sanity;

  580. 	}

  581. 

  582. 	/* Allocate and initialise structure */

  583. 	validator = zalloc ( sizeof ( *validator ) );

  584. 	if ( ! validator ) {

  585. 		rc = -ENOMEM;

  586. 		goto err_alloc;

  587. 	}

  588. 	ref_init ( &validator->refcnt, validator_free );

  589. 	intf_init ( &validator->job, &validator_job_desc,

  590. 		    &validator->refcnt );

  591. 	intf_init ( &validator->xfer, &validator_xfer_desc,

  592. 		    &validator->refcnt );

  593. 	process_init ( &validator->process, &validator_process_desc,

  594. 		       &validator->refcnt );

  595. 	validator->chain = x509_chain_get ( chain );

  596. 	xferbuf_malloc_init ( &validator->buffer );

  597. 

  598. 	/* Attach parent interface, mortalise self, and return */

  599. 	intf_plug_plug ( &validator->job, job );

  600. 	ref_put ( &validator->refcnt );

  601. 	DBGC2 ( validator, "VALIDATOR %p \"%s\" validating X509 chain %p\n",

  602. 		validator, validator_name ( validator ), validator->chain );

  603. 	return 0;

  604. 

  605. 	validator_finished ( validator, rc );

  606. 	ref_put ( &validator->refcnt );

  607.  err_alloc:

  608.  err_sanity:

  609. 	return rc;

  610. }