authorMartin Willi <martin@revosec.ch>2010-12-22 10:34:58 +0100
committerMartin Willi <martin@revosec.ch>2011-01-05 16:46:04 +0100
commit09e319d419a34cacc98420c1585e131362127574 (patch)
tree5fb711af171df5d8ca3698be8a5b2ea4c193a9f6 /src/libstrongswan/plugins
parent98ef286580bbd27bfd62b857098ee8c5d8acb2dc (diff)
Always pass auth info to validate(), use pathlen to check for user certificate
Diffstat (limited to 'src/libstrongswan/plugins')
-rw-r--r--src/libstrongswan/plugins/constraints/constraints_validator.c7
-rw-r--r--src/libstrongswan/plugins/revocation/revocation_validator.c6
2 files changed, 8 insertions, 5 deletions
diff --git a/src/libstrongswan/plugins/constraints/constraints_validator.c b/src/libstrongswan/plugins/constraints/constraints_validator.c
index 5c8ea7de2..36a622d6b 100644
--- a/src/libstrongswan/plugins/constraints/constraints_validator.c
+++ b/src/libstrongswan/plugins/constraints/constraints_validator.c
@@ -293,7 +293,8 @@ static bool has_policy(x509_t *issuer, chunk_t oid)
/**
* Check certificatePolicies
*/
-static bool check_policy(x509_t *subject, x509_t *issuer, auth_cfg_t *auth)
+static bool check_policy(x509_t *subject, x509_t *issuer, int pathlen,
+ auth_cfg_t *auth)
{
certificate_t *cert = (certificate_t*)subject;
x509_policy_mapping_t *mapping;
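Review bot: The doc comment above check_policy still reads only `Check certificatePolicies`, although the signature gains `pathlen` and nothing in this hunk says what it means. Going by the commit title and the `pathlen == 0` test further down, zero appears to denote the user (end-entity) certificate. I would state that in the comment, e.g. `* @param pathlen  position of subject in the trust chain, 0 for the user certificate`, and add a line saying when `auth` is written to. The function body continues outside the hunk.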
@@ -329,7 +330,7 @@ static bool check_policy(x509_t *subject, x509_t *issuer, auth_cfg_t *auth)
enumerator->destroy(enumerator);
return FALSE;
}
- if (auth)
+ if (pathlen == 0)
{
oid = asn1_oid_to_string(policy->oid);
if (oid)
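Review bot: The guard at `if (pathlen == 0)` no longer tests `auth`, so anything in this branch that touches `auth` now relies on every caller of validate() passing a non-NULL auth_cfg_t. The use of `auth` lies below the visible lines, so this is inferred from the removed `if (auth)`. If it is dereferenced there, a caller that still passes NULL for a pathlen-0 certificate would crash the validator instead of failing the check. Either keep the cheap guard, `if (pathlen == 0 && auth)`, or state the non-NULL requirement in the cert_validator_t interface documentation. The branch body continues outside the hunk.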
@@ -358,7 +359,7 @@ METHOD(cert_validator_t, validate, bool,
{
return FALSE;
}
- if (!check_policy((x509_t*)subject, (x509_t*)issuer, auth))
+ if (!check_policy((x509_t*)subject, (x509_t*)issuer, pathlen, auth))
{
return FALSE;
}
diff --git a/src/libstrongswan/plugins/revocation/revocation_validator.c b/src/libstrongswan/plugins/revocation/revocation_validator.c
index c9a60934b..0fe97225f 100644
--- a/src/libstrongswan/plugins/revocation/revocation_validator.c
+++ b/src/libstrongswan/plugins/revocation/revocation_validator.c
@@ -576,7 +576,8 @@ METHOD(cert_validator_t, validate, bool,
{
DBG1(DBG_CFG, "checking certificate status of \"%Y\"",
subject->get_subject(subject));
- switch (check_ocsp((x509_t*)subject, (x509_t*)issuer, auth))
+ switch (check_ocsp((x509_t*)subject, (x509_t*)issuer,
+ pathlen ? NULL : auth))
{
case VALIDATION_GOOD:
DBG1(DBG_CFG, "certificate status is good");
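Review bot: The expression `pathlen ? NULL : auth` in the check_ocsp() call carries a trust decision that is not explained, and the check_crl() call in the next hunk repeats it verbatim. It appears to keep revocation results for CA certificates out of the auth config now that validate() always receives one, but a reader has to infer that from the commit message. I would compute it once near the top of validate(), `auth_cfg_t *subject_auth = pathlen ? NULL : auth;`, with a comment such as `/* record revocation status for the user certificate only */`, and pass `subject_auth` to both calls so the two cannot drift apart. validate() starts and ends outside these hunks.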
@@ -594,7 +595,8 @@ METHOD(cert_validator_t, validate, bool,
DBG1(DBG_CFG, "ocsp check failed, fallback to crl");
break;
}
- switch (check_crl((x509_t*)subject, (x509_t*)issuer, auth))
+ switch (check_crl((x509_t*)subject, (x509_t*)issuer,
+ pathlen ? NULL : auth))
{
case VALIDATION_GOOD:
DBG1(DBG_CFG, "certificate status is good");