author | Tobias Brunner <tobias@strongswan.org> | 2015-10-27 17:21:18 +0100 |
---|---|---|
committer | Tobias Brunner <tobias@strongswan.org> | 2016-03-10 11:07:14 +0100 |
commit | ef9171ad1ee9145a7139c365524006abb930a41d (patch) | |
tree | 01628aabac555fe9d1c90f78ced75ae6bd19cc94 | |
parent | f371effc5d59c15ff72184898193c6119fb8889b (diff) | |
download | strongswan-ef9171ad1ee9145a7139c365524006abb930a41d.tar.bz2 strongswan-ef9171ad1ee9145a7139c365524006abb930a41d.tar.xz |
auth-cfg: Add a rule to suspend certificate validation constraints
-rw-r--r-- | src/libstrongswan/credentials/auth_cfg.c | 16 | ||||
-rw-r--r-- | src/libstrongswan/credentials/auth_cfg.h | 2 |
2 files changed, 18 insertions, 0 deletions
diff --git a/src/libstrongswan/credentials/auth_cfg.c b/src/libstrongswan/credentials/auth_cfg.c
index 5466a2e08..956ce08c9 100644
--- a/src/libstrongswan/credentials/auth_cfg.c
+++ b/src/libstrongswan/credentials/auth_cfg.c
@@ -46,6 +46,7 @@ ENUM(auth_rule_names, AUTH_RULE_IDENTITY, AUTH_HELPER_AC_CERT,
 "RULE_SUBJECT_CERT",
 "RULE_CRL_VALIDATION",
 "RULE_OCSP_VALIDATION",
+ "RULE_CERT_VALIDATION_SUSPENDED",
 "RULE_GROUP",
 "RULE_RSA_STRENGTH",
 "RULE_ECDSA_STRENGTH",
@@ -80,6 +81,7 @@ static inline bool is_multi_value_rule(auth_rule_t type)
 case AUTH_RULE_AAA_IDENTITY:
 case AUTH_RULE_XAUTH_IDENTITY:
 case AUTH_RULE_XAUTH_BACKEND:
+ case AUTH_RULE_CERT_VALIDATION_SUSPENDED:
 case AUTH_HELPER_SUBJECT_CERT:
 case AUTH_HELPER_SUBJECT_HASH_URL:
 case AUTH_RULE_MAX:
@@ -214,6 +216,7 @@ static void init_entry(entry_t *this, auth_rule_t type, va_list args)
 case AUTH_RULE_BLISS_STRENGTH:
 case AUTH_RULE_SIGNATURE_SCHEME:
 case AUTH_RULE_IKE_SIGNATURE_SCHEME:
+ case AUTH_RULE_CERT_VALIDATION_SUSPENDED:
 /* integer type */
 this->value = (void*)(uintptr_t)va_arg(args, u_int);
 break;
@@ -264,6 +267,7 @@ static bool entry_equals(entry_t *e1, entry_t *e2)
 case AUTH_RULE_BLISS_STRENGTH:
 case AUTH_RULE_SIGNATURE_SCHEME:
 case AUTH_RULE_IKE_SIGNATURE_SCHEME:
+ case AUTH_RULE_CERT_VALIDATION_SUSPENDED:
 {
 return e1->value == e2->value;
 }
@@ -356,6 +360,7 @@ static void destroy_entry_value(entry_t *entry)
 case AUTH_RULE_BLISS_STRENGTH:
 case AUTH_RULE_SIGNATURE_SCHEME:
 case AUTH_RULE_IKE_SIGNATURE_SCHEME:
+ case AUTH_RULE_CERT_VALIDATION_SUSPENDED:
 case AUTH_RULE_MAX:
 break;
 }
@@ -389,6 +394,7 @@ static void replace(private_auth_cfg_t *this, entry_enumerator_t *enumerator,
 case AUTH_RULE_BLISS_STRENGTH:
 case AUTH_RULE_SIGNATURE_SCHEME:
 case AUTH_RULE_IKE_SIGNATURE_SCHEME:
+ case AUTH_RULE_CERT_VALIDATION_SUSPENDED:
 /* integer type */
 entry->value = (void*)(uintptr_t)va_arg(args, u_int);
 break;
@@ -471,6 +477,7 @@ METHOD(auth_cfg_t, get, void*,
 case AUTH_RULE_OCSP_VALIDATION:
 return (void*)VALIDATION_FAILED;
 case AUTH_RULE_IDENTITY_LOOSE:
+ case AUTH_RULE_CERT_VALIDATION_SUSPENDED:
 return (void*)FALSE;
 case AUTH_RULE_IDENTITY:
 case AUTH_RULE_EAP_IDENTITY:
@@ -757,6 +764,11 @@ METHOD(auth_cfg_t, complies, bool,
 {
 uintptr_t validated;
 
+ if (get(this, AUTH_RULE_CERT_VALIDATION_SUSPENDED))
+ { /* skip validation, may happen later */
+ break;
+ }
+
 e2 = create_enumerator(this);
 while (e2->enumerate(e2, &t2, &validated))
 {
@@ -934,6 +946,8 @@ METHOD(auth_cfg_t, complies, bool,
 /* just an indication when verifying AUTH_RULE_IDENTITY */
 case AUTH_RULE_XAUTH_BACKEND:
 /* not enforced, just a hint for local authentication */
+ case AUTH_RULE_CERT_VALIDATION_SUSPENDED:
+ /* not a constraint */
 case AUTH_HELPER_IM_CERT:
 case AUTH_HELPER_SUBJECT_CERT:
 case AUTH_HELPER_IM_HASH_URL:
@@ -1086,6 +1100,7 @@ static void merge(private_auth_cfg_t *this, private_auth_cfg_t *other, bool copy
 case AUTH_RULE_BLISS_STRENGTH:
 case AUTH_RULE_SIGNATURE_SCHEME:
 case AUTH_RULE_IKE_SIGNATURE_SCHEME:
+ case AUTH_RULE_CERT_VALIDATION_SUSPENDED:
 {
 add(this, type, (uintptr_t)value);
 break;
@@ -1257,6 +1272,7 @@ METHOD(auth_cfg_t, clone_, auth_cfg_t*,
 case AUTH_RULE_BLISS_STRENGTH:
 case AUTH_RULE_SIGNATURE_SCHEME:
 case AUTH_RULE_IKE_SIGNATURE_SCHEME:
+ case AUTH_RULE_CERT_VALIDATION_SUSPENDED:
 clone->add(clone, type, (uintptr_t)value);
 break;
 case AUTH_RULE_MAX:
diff --git a/src/libstrongswan/credentials/auth_cfg.h b/src/libstrongswan/credentials/auth_cfg.h
index 75bc7e97b..6940069de 100644
--- a/src/libstrongswan/credentials/auth_cfg.h
+++ b/src/libstrongswan/credentials/auth_cfg.h
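Review bot: The added `break` in the complies() hunk at -757 makes the CRL/OCSP constraint pass whenever AUTH_RULE_CERT_VALIDATION_SUSPENDED is set on `this`, without recording anywhere that the check was skipped, so a deferred check that is never resumed would silently disable revocation enforcement for that configuration. The comment `/* skip validation, may happen later */` should spell out the contract, e.g. `/* revocation constraint deferred: whoever sets AUTH_RULE_CERT_VALIDATION_SUSPENDED must repeat complies() once the flag is cleared, otherwise CRL/OCSP constraints are never enforced */`, and a debug-level log line at the same spot would make the skip visible when an incident is analysed. The flag is read from `this`, the object complies() is invoked on, rather than from the auth config being compared; presumably the constraint config is meant to carry it, which is worth stating in the header documentation. The enclosing case and the complies() body start and end outside the hunk.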
@@ -94,6 +94,8 @@ enum auth_rule_t {
 AUTH_RULE_CRL_VALIDATION,
 /** result of a OCSP validation, cert_validation_t */
 AUTH_RULE_OCSP_VALIDATION,
+ /** CRL/OCSP validation is disabled, bool */
+ AUTH_RULE_CERT_VALIDATION_SUSPENDED,
 /** subject is member of a group, identification_t*
 * The group membership constraint is fulfilled if the subject is member of
 * one group defined in the constraints. */
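Review bot: The doc comment `/** CRL/OCSP validation is disabled, bool */` reads as a permanent switch, while the rule name and the `/* skip validation, may happen later */` comment in auth_cfg.c describe a deferral; the two should agree so a reader of the header does not conclude that revocation checking is simply off. Suggest `/** CRL/OCSP validation constraints are suspended for now (complies() skips them, the check must be repeated later), bool, default FALSE */`; the FALSE default follows from the get() hunk in auth_cfg.c, which returns FALSE when the rule is absent.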