authorAndreas Steffen <andreas.steffen@strongswan.org>2016-12-30 18:12:53 +0100
committerAndreas Steffen <andreas.steffen@strongswan.org>2016-12-30 18:12:53 +0100
commite3f63c646914a24355eb63b7873123312549b7a4 (patch)
tree6d83da97ee316076218607a169d4759d4bf2f0b0
parent08253bbba3a719ea09ff531b26a311ea5b82a034 (diff)
revocation: OCSP and/or CRL fetching can be disabled
-rw-r--r--conf/Makefile.am1
-rw-r--r--conf/plugins/revocation.opt7
-rw-r--r--src/libstrongswan/plugins/revocation/revocation_validator.c109
3 files changed, 79 insertions, 38 deletions
diff --git a/conf/Makefile.am b/conf/Makefile.am
index 4588b0999..c4b2c02fd 100644
--- a/conf/Makefile.am
+++ b/conf/Makefile.am
@@ -80,6 +80,7 @@ plugins = \
plugins/radattr.opt \
plugins/random.opt \
plugins/resolve.opt \
+ plugins/revocation.opt \
plugins/socket-default.opt \
plugins/sql.opt \
plugins/stroke.opt \
diff --git a/conf/plugins/revocation.opt b/conf/plugins/revocation.opt
new file mode 100644
index 000000000..041eaffe6
--- /dev/null
+++ b/conf/plugins/revocation.opt
@@ -0,0 +1,7 @@
+charon.plugins.revocation.enable_ocsp = yes
+ Whether OCSP fetching should be enabled.
+
+charon.plugins.revocation.enable_crl = yes
+ Whether CRL fetching should be enabled.
+
+
diff --git a/src/libstrongswan/plugins/revocation/revocation_validator.c b/src/libstrongswan/plugins/revocation/revocation_validator.c
index f2e3cdd83..798429901 100644
--- a/src/libstrongswan/plugins/revocation/revocation_validator.c
+++ b/src/libstrongswan/plugins/revocation/revocation_validator.c
@@ -36,6 +36,17 @@ struct private_revocation_validator_t {
* Public revocation_validator_t interface.
*/
revocation_validator_t public;
+
+ /**
+ * Enable OCSP fetching
+ */
+ bool enable_ocsp;
+
+ /**
+ * Enable CRL fetching
+ */
+ bool enable_crl;
+
};
/**
@@ -738,48 +749,57 @@ METHOD(cert_validator_t, validate, bool,
{
DBG1(DBG_CFG, "checking certificate status of \"%Y\"",
subject->get_subject(subject));
- switch (check_ocsp((x509_t*)subject, (x509_t*)issuer,
- pathlen ? NULL : auth))
+
+ if (this->enable_ocsp)
{
- case VALIDATION_GOOD:
- DBG1(DBG_CFG, "certificate status is good");
- return TRUE;
- case VALIDATION_REVOKED:
- case VALIDATION_ON_HOLD:
- /* has already been logged */
- lib->credmgr->call_hook(lib->credmgr, CRED_HOOK_REVOKED,
- subject);
- return FALSE;
- case VALIDATION_SKIPPED:
- DBG2(DBG_CFG, "ocsp check skipped, no ocsp found");
- break;
- case VALIDATION_STALE:
- DBG1(DBG_CFG, "ocsp information stale, fallback to crl");
- break;
- case VALIDATION_FAILED:
- DBG1(DBG_CFG, "ocsp check failed, fallback to crl");
- break;
+ switch (check_ocsp((x509_t*)subject, (x509_t*)issuer,
+ pathlen ? NULL : auth))
+ {
+ case VALIDATION_GOOD:
+ DBG1(DBG_CFG, "certificate status is good");
+ return TRUE;
+ case VALIDATION_REVOKED:
+ case VALIDATION_ON_HOLD:
+ /* has already been logged */
+ lib->credmgr->call_hook(lib->credmgr, CRED_HOOK_REVOKED,
+ subject);
+ return FALSE;
+ case VALIDATION_SKIPPED:
+ DBG2(DBG_CFG, "ocsp check skipped, no ocsp found");
+ break;
+ case VALIDATION_STALE:
+ DBG1(DBG_CFG, "ocsp information stale, fallback to crl");
+ break;
+ case VALIDATION_FAILED:
+ DBG1(DBG_CFG, "ocsp check failed, fallback to crl");
+ break;
+ }
}
- switch (check_crl((x509_t*)subject, (x509_t*)issuer,
- pathlen ? NULL : auth))
+
+ if (this->enable_crl)
{
- case VALIDATION_GOOD:
- DBG1(DBG_CFG, "certificate status is good");
- return TRUE;
- case VALIDATION_REVOKED:
- case VALIDATION_ON_HOLD:
- /* has already been logged */
- lib->credmgr->call_hook(lib->credmgr, CRED_HOOK_REVOKED,
- subject);
- return FALSE;
- case VALIDATION_FAILED:
- case VALIDATION_SKIPPED:
- DBG1(DBG_CFG, "certificate status is not available");
- break;
- case VALIDATION_STALE:
- DBG1(DBG_CFG, "certificate status is unknown, crl is stale");
- break;
+ switch (check_crl((x509_t*)subject, (x509_t*)issuer,
+ pathlen ? NULL : auth))
+ {
+ case VALIDATION_GOOD:
+ DBG1(DBG_CFG, "certificate status is good");
+ return TRUE;
+ case VALIDATION_REVOKED:
+ case VALIDATION_ON_HOLD:
+ /* has already been logged */
+ lib->credmgr->call_hook(lib->credmgr, CRED_HOOK_REVOKED,
+ subject);
+ return FALSE;
+ case VALIDATION_FAILED:
+ case VALIDATION_SKIPPED:
+ DBG1(DBG_CFG, "certificate status is not available");
+ break;
+ case VALIDATION_STALE:
+ DBG1(DBG_CFG, "certificate status is unknown, crl is stale");
+ break;
+ }
}
+
lib->credmgr->call_hook(lib->credmgr, CRED_HOOK_VALIDATION_FAILED,
subject);
}
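Review bot: When both `this->enable_ocsp` and `this->enable_crl` are false, validate still logs "checking certificate status" and then reaches the unconditional `CRED_HOOK_VALIDATION_FAILED` call after the CRL block, so a deliberate configuration choice is reported to hook consumers as a failed status check for every certificate. Guarding the hook keeps the two cases distinguishable, e.g. `if (this->enable_ocsp || this->enable_crl) { lib->credmgr->call_hook(lib->credmgr, CRED_HOOK_VALIDATION_FAILED, subject); }`, with an `else` branch logging `DBG1(DBG_CFG, "certificate status not checked, OCSP and CRL fetching disabled");`. The enclosing condition and the function's return statement lie outside the hunk, so whether the both-disabled case ends up accepting the certificate cannot be confirmed from here; if it does, that fail-open behaviour should be stated in the description of the two `enable_*` options as well.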
@@ -804,7 +824,20 @@ revocation_validator_t *revocation_validator_create()
.validator.validate = _validate,
.destroy = _destroy,
},
+ .enable_ocsp = lib->settings->get_bool(lib->settings,
+ "%s.plugins.revocation.enable_ocsp", TRUE, lib->ns),
+ .enable_crl = lib->settings->get_bool(lib->settings,
+ "%s.plugins.revocation.enable_crl", TRUE, lib->ns),
);
+ if (!this->enable_ocsp)
+ {
+ DBG1(DBG_LIB, "all OCSP fetching disabled");
+ }
+ if (!this->enable_crl)
+ {
+ DBG1(DBG_LIB, "all CRL fetching disabled");
+ }
+
return &this->public;
}