diff options
| author | Thomas Egerer <thomas.egerer@secunet.com> | 2011-11-04 09:25:05 +0100 |
|---|---|---|
| committer | Tobias Brunner <tobias@strongswan.org> | 2011-11-04 11:11:17 +0100 |
| commit | 6e5e2762d39dd6612304285c5bb768d830403bdd (patch) | |
| tree | 5ea59fe5d03cfedc2ff8147ded6b88e0195500a5 /src/libstrongswan | |
| parent | c125d1ba13e45220109cd3e61c8a4fb353a7e061 (diff) | |
| download | strongswan-6e5e2762d39dd6612304285c5bb768d830403bdd.tar.bz2 strongswan-6e5e2762d39dd6612304285c5bb768d830403bdd.tar.xz | |
Handle certificates being on hold in a CRL
Certificates which are set on hold in a CRL might be removed from any
subsequent CRL. Hence you cannot conclude that a certificate is revoked
for good in this case, you would try to retrieve an update CRL to see if
the certificate on hold is still on it or not.
Diffstat (limited to 'src/libstrongswan')
3 files changed, 14 insertions, 1 deletions
diff --git a/src/libstrongswan/credentials/certificates/certificate.c b/src/libstrongswan/credentials/certificates/certificate.c index 661b69e36..33ba4e907 100644 --- a/src/libstrongswan/credentials/certificates/certificate.c +++ b/src/libstrongswan/credentials/certificates/certificate.c @@ -38,6 +38,7 @@ ENUM(cert_validation_names, VALIDATION_GOOD, VALIDATION_REVOKED, "SKIPPED", "STALE", "FAILED", + "ON_HOLD", "REVOKED", ); diff --git a/src/libstrongswan/credentials/certificates/certificate.h b/src/libstrongswan/credentials/certificates/certificate.h index 330cfe198..2f471da5b 100644 --- a/src/libstrongswan/credentials/certificates/certificate.h +++ b/src/libstrongswan/credentials/certificates/certificate.h @@ -77,6 +77,8 @@ enum cert_validation_t { VALIDATION_STALE, /** validation failed due to a processing error */ VALIDATION_FAILED, + /** certificate is on hold (i.e. temporary revokation) */ + VALIDATION_ON_HOLD, /** certificate has been revoked */ VALIDATION_REVOKED, }; diff --git a/src/libstrongswan/plugins/revocation/revocation_validator.c b/src/libstrongswan/plugins/revocation/revocation_validator.c index def169275..34f347d1a 100644 --- a/src/libstrongswan/plugins/revocation/revocation_validator.c +++ b/src/libstrongswan/plugins/revocation/revocation_validator.c @@ -404,7 +404,15 @@ static certificate_t *get_better_crl(certificate_t *cand, certificate_t *best, { DBG1(DBG_CFG, "certificate was revoked on %T, reason: %N", &revocation, TRUE, crl_reason_names, reason); - *valid = VALIDATION_REVOKED; + if (reason != CRL_REASON_CERTIFICATE_HOLD) + { + *valid = VALIDATION_REVOKED; + } + else + { + /* if the cert is on hold, a newer CRL might not contain it */ + *valid = VALIDATION_ON_HOLD; + } enumerator->destroy(enumerator); DESTROY_IF(best); return cand; @@ -681,6 +689,7 @@ METHOD(cert_validator_t, validate, bool, DBG1(DBG_CFG, "certificate status is good"); return TRUE; case VALIDATION_REVOKED: + case VALIDATION_ON_HOLD: /* has already been logged */ return FALSE; case VALIDATION_SKIPPED: @@ -700,6 +709,7 @@ METHOD(cert_validator_t, validate, bool, DBG1(DBG_CFG, "certificate status is good"); return TRUE; case VALIDATION_REVOKED: + case VALIDATION_ON_HOLD: /* has already been logged */ return FALSE; case VALIDATION_FAILED: |