author | Andreas Steffen <andreas.steffen@strongswan.org> | 2016-12-30 18:12:53 +0100 |
---|---|---|
committer | Andreas Steffen <andreas.steffen@strongswan.org> | 2016-12-30 18:12:53 +0100 |
commit | e3f63c646914a24355eb63b7873123312549b7a4 (patch) | |
tree | 6d83da97ee316076218607a169d4759d4bf2f0b0 | |
parent | 08253bbba3a719ea09ff531b26a311ea5b82a034 (diff) | |
download | strongswan-e3f63c646914a24355eb63b7873123312549b7a4.tar.bz2 strongswan-e3f63c646914a24355eb63b7873123312549b7a4.tar.xz |
revocation: OCSP and/or CRL fetching can be disabled
-rw-r--r-- | conf/Makefile.am | 1 | ||||
-rw-r--r-- | conf/plugins/revocation.opt | 7 | ||||
-rw-r--r-- | src/libstrongswan/plugins/revocation/revocation_validator.c | 109 |
3 files changed, 79 insertions, 38 deletions
diff --git a/conf/Makefile.am b/conf/Makefile.am
index 4588b0999..c4b2c02fd 100644
--- a/conf/Makefile.am
+++ b/conf/Makefile.am
@@ -80,6 +80,7 @@ plugins = \
 	plugins/radattr.opt \
 	plugins/random.opt \
 	plugins/resolve.opt \
+	plugins/revocation.opt \
 	plugins/socket-default.opt \
 	plugins/sql.opt \
 	plugins/stroke.opt \
diff --git a/conf/plugins/revocation.opt b/conf/plugins/revocation.opt
new file mode 100644
index 000000000..041eaffe6
--- /dev/null
+++ b/conf/plugins/revocation.opt
@@ -0,0 +1,7 @@
+charon.plugins.revocation.enable_ocsp = yes
+	Whether OCSP fetching should be enabled.
+
+charon.plugins.revocation.enable_crl = yes
+	Whether CRL fetching should be enabled.
+
+
diff --git a/src/libstrongswan/plugins/revocation/revocation_validator.c b/src/libstrongswan/plugins/revocation/revocation_validator.c
index f2e3cdd83..798429901 100644
--- a/src/libstrongswan/plugins/revocation/revocation_validator.c
+++ b/src/libstrongswan/plugins/revocation/revocation_validator.c
@@ -36,6 +36,17 @@ struct private_revocation_validator_t {
 	 * Public revocation_validator_t interface.
 	 */
 	revocation_validator_t public;
+
+	/**
+	 * Enable OCSP fetching
+	 */
+	bool enable_ocsp;
+
+	/**
+	 * Enable CRL fetching
+	 */
+	bool enable_crl;
+
 };
 
 /**
@@ -738,48 +749,57 @@ METHOD(cert_validator_t, validate, bool,
 	{
 		DBG1(DBG_CFG, "checking certificate status of \"%Y\"",
 			 subject->get_subject(subject));
-		switch (check_ocsp((x509_t*)subject, (x509_t*)issuer,
-						   pathlen ? NULL : auth))
+
+		if (this->enable_ocsp)
 		{
-			case VALIDATION_GOOD:
-				DBG1(DBG_CFG, "certificate status is good");
-				return TRUE;
-			case VALIDATION_REVOKED:
-			case VALIDATION_ON_HOLD:
-				/* has already been logged */
-				lib->credmgr->call_hook(lib->credmgr, CRED_HOOK_REVOKED,
-										subject);
-				return FALSE;
-			case VALIDATION_SKIPPED:
-				DBG2(DBG_CFG, "ocsp check skipped, no ocsp found");
-				break;
-			case VALIDATION_STALE:
-				DBG1(DBG_CFG, "ocsp information stale, fallback to crl");
-				break;
-			case VALIDATION_FAILED:
-				DBG1(DBG_CFG, "ocsp check failed, fallback to crl");
-				break;
+			switch (check_ocsp((x509_t*)subject, (x509_t*)issuer,
+							   pathlen ? NULL : auth))
+			{
+				case VALIDATION_GOOD:
+					DBG1(DBG_CFG, "certificate status is good");
+					return TRUE;
+				case VALIDATION_REVOKED:
+				case VALIDATION_ON_HOLD:
+					/* has already been logged */
+					lib->credmgr->call_hook(lib->credmgr, CRED_HOOK_REVOKED,
+											subject);
+					return FALSE;
+				case VALIDATION_SKIPPED:
+					DBG2(DBG_CFG, "ocsp check skipped, no ocsp found");
+					break;
+				case VALIDATION_STALE:
+					DBG1(DBG_CFG, "ocsp information stale, fallback to crl");
+					break;
+				case VALIDATION_FAILED:
+					DBG1(DBG_CFG, "ocsp check failed, fallback to crl");
+					break;
+			}
 		}
-		switch (check_crl((x509_t*)subject, (x509_t*)issuer,
-						  pathlen ? NULL : auth))
+
+		if (this->enable_crl)
 		{
-			case VALIDATION_GOOD:
-				DBG1(DBG_CFG, "certificate status is good");
-				return TRUE;
-			case VALIDATION_REVOKED:
-			case VALIDATION_ON_HOLD:
-				/* has already been logged */
-				lib->credmgr->call_hook(lib->credmgr, CRED_HOOK_REVOKED,
-										subject);
-				return FALSE;
-			case VALIDATION_FAILED:
-			case VALIDATION_SKIPPED:
-				DBG1(DBG_CFG, "certificate status is not available");
-				break;
-			case VALIDATION_STALE:
-				DBG1(DBG_CFG, "certificate status is unknown, crl is stale");
-				break;
+			switch (check_crl((x509_t*)subject, (x509_t*)issuer,
+							  pathlen ? NULL : auth))
+			{
+				case VALIDATION_GOOD:
+					DBG1(DBG_CFG, "certificate status is good");
+					return TRUE;
+				case VALIDATION_REVOKED:
+				case VALIDATION_ON_HOLD:
+					/* has already been logged */
+					lib->credmgr->call_hook(lib->credmgr, CRED_HOOK_REVOKED,
+											subject);
+					return FALSE;
+				case VALIDATION_FAILED:
+				case VALIDATION_SKIPPED:
+					DBG1(DBG_CFG, "certificate status is not available");
+					break;
+				case VALIDATION_STALE:
+					DBG1(DBG_CFG, "certificate status is unknown, crl is stale");
+					break;
+			}
 		}
+
 		lib->credmgr->call_hook(lib->credmgr, CRED_HOOK_VALIDATION_FAILED,
 								subject);
 	}
@@ -804,7 +824,20 @@ revocation_validator_t *revocation_validator_create()
 			.validator.validate = _validate,
 			.destroy = _destroy,
 		},
+		.enable_ocsp = lib->settings->get_bool(lib->settings,
+								"%s.plugins.revocation.enable_ocsp", TRUE, lib->ns),
+		.enable_crl = lib->settings->get_bool(lib->settings,
+								"%s.plugins.revocation.enable_crl", TRUE, lib->ns),
 	);
+	if (!this->enable_ocsp)
+	{
+		DBG1(DBG_LIB, "all OCSP fetching disabled");
+	}
+	if (!this->enable_crl)
+	{
+		DBG1(DBG_LIB, "all CRL fetching disabled");
+	}
+
 	return &this->public;
 }
|
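Review bot: With both enable_ocsp and enable_crl off, validate still logs "checking certificate status of ..." and then fires CRED_HOOK_VALIDATION_FAILED for every certificate although no OCSP or CRL lookup was attempted, so hook consumers and log readers see a status-lookup failure that never happened. A guard ahead of the new `if (this->enable_ocsp)` block would keep the hook meaningful, e.g. `if (!this->enable_ocsp && !this->enable_crl) { DBG2(DBG_CFG, "ocsp and crl fetching disabled, skipping status check"); return ...; }`, returning whatever the existing no-status path returns after the hook; that return lies outside the hunk, so I cannot quote it. The two new `if` blocks could also log at DBG2 when a check is skipped by configuration, mirroring the existing "ocsp check skipped, no ocsp found" message, since the only trace today is the one-time startup message in revocation_validator_create. The validate method both starts and ends outside this hunk.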
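Review bot: The two startup messages in revocation_validator_create each report one fetch method as off, but the case an operator most needs to notice — both off, which makes this validator a no-op for every certificate it sees — gets no dedicated message and is only visible by correlating two separate DBG1 lines. A combined check ahead of the existing two, `if (!this->enable_ocsp && !this->enable_crl) { DBG1(DBG_LIB, "OCSP and CRL fetching disabled, certificate revocation is not checked"); }`, would make the effective state explicit. The flags are read once here via lib->settings, so a changed option presumably takes effect only after the plugin is reloaded or the daemon restarted; a sentence to that effect in revocation.opt would save a surprised operator a debugging session.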