4 files changed, 12 insertions, 8 deletions
diff --git a/src/libstrongswan/credentials/cert_validator.h b/src/libstrongswan/credentials/cert_validator.h
index 1e67c23ab..3c1ebc9f2 100644
--- a/src/libstrongswan/credentials/cert_validator.h
+++ b/src/libstrongswan/credentials/cert_validator.h
@@ -40,12 +40,13 @@ struct cert_validator_t {
  * @param subject subject certificate to check
  * @param issuer issuer of subject
  * @param online wheter to do online revocation checking
- * @param pathlen the current length of the path up to the root CA
+ * @param pathlen the current length of the path bottom-up
+ * @param anchor is issuer trusted root anchor
  * @param auth container for resulting authentication info
  */
 bool (*validate)(cert_validator_t *this, certificate_t *subject,
 certificate_t *issuer, bool online, int pathlen,
- auth_cfg_t *auth);
+ bool anchor, auth_cfg_t *auth);
 };
 #endif /** CERT_VALIDATOR_H_ @}*/
diff --git a/src/libstrongswan/credentials/credential_manager.c b/src/libstrongswan/credentials/credential_manager.c
index c32eb4422..3cca0b2e8 100644
--- a/src/libstrongswan/credentials/credential_manager.c
+++ b/src/libstrongswan/credentials/credential_manager.c
@@ -452,8 +452,8 @@ static void cache_queue(private_credential_manager_t *this)
  * check a certificate for its lifetime
  */
 static bool check_certificate(private_credential_manager_t *this,
- certificate_t *subject, certificate_t *issuer,
- bool online, int pathlen, auth_cfg_t *auth)
+ certificate_t *subject, certificate_t *issuer, bool online,
+ int pathlen, bool trusted, auth_cfg_t *auth)
 {
 time_t not_before, not_after;
 cert_validator_t *validator;
@@ -476,7 +476,7 @@ static bool check_certificate(private_credential_manager_t *this,
 while (enumerator->enumerate(enumerator, &validator))
 {
 if (!validator->validate(validator, subject, issuer,
- online, pathlen, auth))
+ online, pathlen, trusted, auth))
 {
 enumerator->destroy(enumerator);
 return FALSE;
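Review bot: The added `@param anchor` line does not state a contract a validator can rely on; `is issuer trusted root anchor` reads as a question, and it does not say which value intermediate issuers get. I would write it as `@param anchor TRUE if issuer is a trusted anchor (root CA), FALSE for intermediate issuers`, and make the reworded pathlen line explicit as well, e.g. `number of certificates below subject in the chain, 0 for the end-entity`, provided that is what `bottom-up` is meant to express at the call sites. Since this comment block is being edited anyway, the context line's `wheter` could be corrected to `whether`.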
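Review bot: The new parameter is named `trusted` in check_certificate but `anchor` in the cert_validator_t interface it is forwarded to, so a reader must cross-reference the header to learn that they are the same flag; using `anchor` here too would remove that step. The header comment `check a certificate for its lifetime` also no longer describes the function, which per the second hunk additionally dispatches to every registered validator and now takes a flag the comment does not mention; I would replace it with a comment saying the function checks the subject's lifetime and then runs all cert_validator_t plugins, with an `@param trusted` line giving the flag's meaning (TRUE when issuer is a trust anchor, if that is what the caller passes). check_certificate's body continues past this hunk.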
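Review bot: The call through `validator->validate` in the @@ -476 hunk is the only place the new parameter list meets plugin code, and nothing guards against an implementation that still has the old signature; the diffstat covers only the constraints and revocation plugins, so any other cert_validator_t implementation, in tree or out of tree, would be invoked with `trusted` in the slot it expects `auth` in. Because the binding is a function-pointer assignment, that mismatch may surface only as a compiler warning rather than an error, so it is worth confirming no other implementor exists and naming the interface change in the commit message. check_certificate starts before and ends after this hunk.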
@@ -622,7 +622,8 @@ static bool verify_trust_chain(private_credential_manager_t *this,
 break;
 }
 }
- if (!check_certificate(this, current, issuer, online, pathlen, auth))
+ if (!check_certificate(this, current, issuer, online,
+ pathlen, trusted, auth))
 {
 trusted = FALSE;
 issuer->destroy(issuer);
diff --git a/src/libstrongswan/plugins/constraints/constraints_validator.c b/src/libstrongswan/plugins/constraints/constraints_validator.c
index 36a622d6b..fa045273f 100644
--- a/src/libstrongswan/plugins/constraints/constraints_validator.c
+++ b/src/libstrongswan/plugins/constraints/constraints_validator.c
@@ -346,7 +346,8 @@ static bool check_policy(x509_t *subject, x509_t *issuer, int pathlen,
 METHOD(cert_validator_t, validate, bool,
 private_constraints_validator_t *this, certificate_t *subject,
- certificate_t *issuer, bool online, int pathlen, auth_cfg_t *auth)
+ certificate_t *issuer, bool online, int pathlen, bool anchor,
+ auth_cfg_t *auth)
 {
 if (issuer->get_type(issuer) == CERT_X509 &&
 subject->get_type(subject) == CERT_X509)
diff --git a/src/libstrongswan/plugins/revocation/revocation_validator.c b/src/libstrongswan/plugins/revocation/revocation_validator.c
index 0fe97225f..be6d3a9a6 100644
--- a/src/libstrongswan/plugins/revocation/revocation_validator.c
+++ b/src/libstrongswan/plugins/revocation/revocation_validator.c
@@ -568,7 +568,8 @@ static cert_validation_t check_crl(x509_t *subject, x509_t *issuer,
 METHOD(cert_validator_t, validate, bool,
 private_revocation_validator_t *this, certificate_t *subject,
- certificate_t *issuer, bool online, int pathlen, auth_cfg_t *auth)
+ certificate_t *issuer, bool online, int pathlen, bool anchor,
+ auth_cfg_t *auth)
 {
 if (subject->get_type(subject) == CERT_X509 &&
 issuer->get_type(issuer) == CERT_X509 && |
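Review bot: At the changed call `trusted` is passed as the new anchor flag, yet three lines later the same variable is assigned `FALSE` as the outcome of the check, so one local carries both the issuer's trust status and the loop's running result; from this hunk alone a reader cannot tell which meaning is in effect at the call, and the value presumably comes from the issuer lookup earlier in verify_trust_chain. A one-line comment before the call, `/* trusted: issuer came from the trusted store, i.e. it is the chain's anchor */`, or a separate local holding the anchor flag, would make the call self-explanatory. verify_trust_chain begins and ends outside this hunk.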
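Review bot: The `anchor` parameter is added to the METHOD signature but is not referenced anywhere in the visible part of this constraints_validator.c hunk, and the same holds for the revocation_validator.c hunk that follows; if the rest of either body (outside the hunk) also ignores it, the parameter is dead weight that `-Wunused-parameter` will report. Either use it, or add a short comment such as `/* anchor unused: constraints are evaluated on subject/issuer regardless of trust status */` (and the revocation equivalent) so the next reader does not have to guess whether the omission is deliberate. Both validate bodies continue past their hunks.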