author | Andreas Steffen <andreas.steffen@strongswan.org> | 2016-12-30 18:12:53 +0100 |
---|---|---|
committer | Andreas Steffen <andreas.steffen@strongswan.org> | 2016-12-30 18:12:53 +0100 |
commit | e3f63c646914a24355eb63b7873123312549b7a4 (patch) | |
tree | 6d83da97ee316076218607a169d4759d4bf2f0b0 /src/libstrongswan | |
parent | 08253bbba3a719ea09ff531b26a311ea5b82a034 (diff) | |
download | strongswan-e3f63c646914a24355eb63b7873123312549b7a4.tar.bz2 strongswan-e3f63c646914a24355eb63b7873123312549b7a4.tar.xz |
revocation: OCSP and/or CRL fetching can be disabled
Diffstat (limited to 'src/libstrongswan')
-rw-r--r-- | src/libstrongswan/plugins/revocation/revocation_validator.c | 109 |
1 files changed, 71 insertions, 38 deletions
diff --git a/src/libstrongswan/plugins/revocation/revocation_validator.c b/src/libstrongswan/plugins/revocation/revocation_validator.c
index f2e3cdd83..798429901 100644
--- a/src/libstrongswan/plugins/revocation/revocation_validator.c
+++ b/src/libstrongswan/plugins/revocation/revocation_validator.c
@@ -36,6 +36,17 @@ struct private_revocation_validator_t {
  * Public revocation_validator_t interface.
  */
 revocation_validator_t public;
+
+ /**
+ * Enable OCSP fetching
+ */
+ bool enable_ocsp;
+
+ /**
+ * Enable CRL fetching
+ */
+ bool enable_crl;
+
 };
 
 /**
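Review bot: The new field comments `Enable OCSP fetching` and `Enable CRL fetching` understate what the flags do: in validate() they gate the entire check_ocsp()/check_crl() call, so any status data those helpers would find without fetching (already-loaded responses or CRLs, if they consult such — their bodies are not in this diff) is skipped as well. Suggest `/** Perform OCSP status checks at all (gates the whole check_ocsp() path, not only fetching) */` and the equivalent wording for enable_crl. The `all OCSP fetching disabled` / `all CRL fetching disabled` messages added to revocation_validator_create() in the third hunk carry the same understatement.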
@@ -738,48 +749,57 @@ METHOD(cert_validator_t, validate, bool,
 {
 DBG1(DBG_CFG, "checking certificate status of \"%Y\"",
 subject->get_subject(subject));
- switch (check_ocsp((x509_t*)subject, (x509_t*)issuer,
- pathlen ? NULL : auth))
+
+ if (this->enable_ocsp)
 {
- case VALIDATION_GOOD:
- DBG1(DBG_CFG, "certificate status is good");
- return TRUE;
- case VALIDATION_REVOKED:
- case VALIDATION_ON_HOLD:
- /* has already been logged */
- lib->credmgr->call_hook(lib->credmgr, CRED_HOOK_REVOKED,
- subject);
- return FALSE;
- case VALIDATION_SKIPPED:
- DBG2(DBG_CFG, "ocsp check skipped, no ocsp found");
- break;
- case VALIDATION_STALE:
- DBG1(DBG_CFG, "ocsp information stale, fallback to crl");
- break;
- case VALIDATION_FAILED:
- DBG1(DBG_CFG, "ocsp check failed, fallback to crl");
- break;
+ switch (check_ocsp((x509_t*)subject, (x509_t*)issuer,
+ pathlen ? NULL : auth))
+ {
+ case VALIDATION_GOOD:
+ DBG1(DBG_CFG, "certificate status is good");
+ return TRUE;
+ case VALIDATION_REVOKED:
+ case VALIDATION_ON_HOLD:
+ /* has already been logged */
+ lib->credmgr->call_hook(lib->credmgr, CRED_HOOK_REVOKED,
+ subject);
+ return FALSE;
+ case VALIDATION_SKIPPED:
+ DBG2(DBG_CFG, "ocsp check skipped, no ocsp found");
+ break;
+ case VALIDATION_STALE:
+ DBG1(DBG_CFG, "ocsp information stale, fallback to crl");
+ break;
+ case VALIDATION_FAILED:
+ DBG1(DBG_CFG, "ocsp check failed, fallback to crl");
+ break;
+ }
 }
- switch (check_crl((x509_t*)subject, (x509_t*)issuer,
- pathlen ? NULL : auth))
+
+ if (this->enable_crl)
 {
- case VALIDATION_GOOD:
- DBG1(DBG_CFG, "certificate status is good");
- return TRUE;
- case VALIDATION_REVOKED:
- case VALIDATION_ON_HOLD:
- /* has already been logged */
- lib->credmgr->call_hook(lib->credmgr, CRED_HOOK_REVOKED,
- subject);
- return FALSE;
- case VALIDATION_FAILED:
- case VALIDATION_SKIPPED:
- DBG1(DBG_CFG, "certificate status is not available");
- break;
- case VALIDATION_STALE:
- DBG1(DBG_CFG, "certificate status is unknown, crl is stale");
- break;
+ switch (check_crl((x509_t*)subject, (x509_t*)issuer,
+ pathlen ? NULL : auth))
+ {
+ case VALIDATION_GOOD:
+ DBG1(DBG_CFG, "certificate status is good");
+ return TRUE;
+ case VALIDATION_REVOKED:
+ case VALIDATION_ON_HOLD:
+ /* has already been logged */
+ lib->credmgr->call_hook(lib->credmgr, CRED_HOOK_REVOKED,
+ subject);
+ return FALSE;
+ case VALIDATION_FAILED:
+ case VALIDATION_SKIPPED:
+ DBG1(DBG_CFG, "certificate status is not available");
+ break;
+ case VALIDATION_STALE:
+ DBG1(DBG_CFG, "certificate status is unknown, crl is stale");
+ break;
+ }
 }
+
 lib->credmgr->call_hook(lib->credmgr, CRED_HOOK_VALIDATION_FAILED,
 subject);
 }
@@ -804,7 +824,20 @@ revocation_validator_t *revocation_validator_create()
 .validator.validate = _validate,
 .destroy = _destroy,
 },
+ .enable_ocsp = lib->settings->get_bool(lib->settings,
+ "%s.plugins.revocation.enable_ocsp", TRUE, lib->ns),
+ .enable_crl = lib->settings->get_bool(lib->settings,
+ "%s.plugins.revocation.enable_crl", TRUE, lib->ns),
 );
 
+ if (!this->enable_ocsp)
+ {
+ DBG1(DBG_LIB, "all OCSP fetching disabled");
+ }
+ if (!this->enable_crl)
+ {
+ DBG1(DBG_LIB, "all CRL fetching disabled");
+ }
+
 return &this->public;
 }
|
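Review bot: With both enable_ocsp and enable_crl FALSE, validate() still logs `checking certificate status of ...` and then fires CRED_HOOK_VALIDATION_FAILED with nothing in between saying that no check was performed, so the log reads as a failed check rather than a skipped one; what the function returns after the hook is outside the hunk. The VALIDATION_STALE and VALIDATION_FAILED branches of the OCSP switch also still log `fallback to crl` when this->enable_crl is FALSE and no fallback will happen. Suggest emitting `DBG1(DBG_CFG, "certificate status not checked, OCSP and CRL disabled");` under `if (!this->enable_ocsp && !this->enable_crl)` before the hook call, and turning the two OCSP messages into a `%s` with `this->enable_crl ? "fallback to crl" : "crl disabled"` so an operator reading the log can tell a skipped check from a failed one.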
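Review bot: The two separate DBG1 lines in revocation_validator_create() never state the combined consequence: with both settings FALSE the plugin stays loaded but validate() performs no revocation check at all, which an operator only discovers by correlating two log lines. A single message for that case, `DBG1(DBG_LIB, "OCSP and CRL checking both disabled, certificate revocation status will not be checked");` under `if (!this->enable_ocsp && !this->enable_crl)`, would make the security consequence explicit. The values are read once here via get_bool(), so a change to `%s.plugins.revocation.enable_ocsp` or `enable_crl` takes effect only when the validator is re-created; that is worth stating where the two options are documented, which is not part of this diffstat (limited to src/libstrongswan).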