Diffstat (limited to 'src/libstrongswan/crypto')
-rw-r--r--src/libstrongswan/crypto/ca.c22
-rw-r--r--src/libstrongswan/crypto/ca.h11
2 files changed, 30 insertions, 3 deletions
diff --git a/src/libstrongswan/crypto/ca.c b/src/libstrongswan/crypto/ca.c
index f08dba057..bb35b37f2 100644
--- a/src/libstrongswan/crypto/ca.c
+++ b/src/libstrongswan/crypto/ca.c
@@ -100,6 +100,7 @@ struct private_ca_info_t {
/**
* static options set by ca_info_set_options()
*/
+static strict_t strict_crl_policy = STRICT_NO;
static bool cache_crls = FALSE;
static u_int crl_check_interval = 0;
@@ -157,6 +158,23 @@ static bool is_crl_issuer(private_ca_info_t *this, const crl_t *crl)
}
/**
+ * Implements ca_info_t.is_strict
+ */
+static bool is_strict(private_ca_info_t *this)
+{
+ bool strict = strict_crl_policy != STRICT_NO;
+
+ if (strict_crl_policy == STRICT_IFURI)
+ {
+ pthread_mutex_lock(&(this->mutex));
+ strict = this->crluris->get_count(this->crluris) > 0 ||
+ this->ocspuris->get_count(this->ocspuris) > 0;
+ pthread_mutex_unlock(&(this->mutex));
+ }
+ return strict;
+}
+
+/**
* Implements ca_info_t.has_crl
*/
static bool has_crl(private_ca_info_t *this)
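Review bot: In the STRICT_IFURI branch the result depends on whether this CA currently advertises at least one CRL or OCSP URI, so a CA with no distribution points is reported non-strict and revocation is not enforced for it; neither the one-line comment above is_strict nor the header's `@return TRUE if the crl policy is strict` in the ca.h hunk says this. I would extend the comment to `Implements ca_info_t.is_strict: STRICT_NO gives FALSE, STRICT_IFURI gives TRUE only while this CA has a CRL or OCSP URI, any other policy gives TRUE`, and mirror that wording in the header's @return. The mutex is released before the value is returned, so if the URI lists can change after creation (add_info is registered in this diff but its body is not shown) the value is a snapshot, which the comment should also note. has_crl's body continues outside the hunk.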
@@ -728,8 +746,9 @@ static void list(private_ca_info_t* this, FILE* out, bool utc)
/*
* Described in header.
*/
-void ca_info_set_options(bool cache, u_int interval)
+void ca_info_set_options(strict_t strict, bool cache, u_int interval)
{
+ strict_crl_policy = strict;
cache_crls = cache;
crl_check_interval = interval;
}
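Review bot: strict_crl_policy is assigned here with no synchronization while is_strict reads it outside this->mutex, which is only sound if ca_info_set_options runs once at startup before any ca_info_t is in use; the `Described in header.` comment does not state that, and the call site is not in this diff. I would add above the assignment `/* call once at startup, before ca_info_t objects are used; reads in is_strict() are unlocked */`. The same caveat already applies to the existing cache_crls and crl_check_interval assignments.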
@@ -759,6 +778,7 @@ ca_info_t *ca_info_create(const char *name, x509_t *cacert)
this->public.equals_name_release_info = (bool (*) (ca_info_t*,const char*))equals_name_release_info;
this->public.is_cert_issuer = (bool (*) (ca_info_t*,const x509_t*))is_cert_issuer;
this->public.is_crl_issuer = (bool (*) (ca_info_t*,const crl_t*))is_crl_issuer;
+ this->public.is_strict = (bool (*) (ca_info_t*))is_strict;
this->public.add_info = (void (*) (ca_info_t*,const ca_info_t*))add_info;
this->public.add_crl = (void (*) (ca_info_t*,crl_t*))add_crl;
this->public.has_crl = (bool (*) (ca_info_t*))has_crl;
diff --git a/src/libstrongswan/crypto/ca.h b/src/libstrongswan/crypto/ca.h
index 46a10378b..bce39fb95 100644
--- a/src/libstrongswan/crypto/ca.h
+++ b/src/libstrongswan/crypto/ca.h
@@ -26,7 +26,6 @@
typedef struct ca_info_t ca_info_t;
#include <library.h>
-#include <chunk.h>
#include <credential_store.h>
@@ -81,6 +80,14 @@ struct ca_info_t {
bool (*is_crl_issuer) (ca_info_t *this, const crl_t *crl);
/**
+ * @brief Checks if the ca enforces a strict crl policy
+ *
+ * @param this ca info object
+ * @return TRUE if the crl policy is strict
+ */
+ bool (*is_strict) (ca_info_t *this);
+
+ /**
* @brief Merges info from a secondary ca info object
*
* @param this primary ca info object
@@ -209,7 +216,7 @@ struct ca_info_t {
*
* @ingroup crypto
*/
-void ca_info_set_options(bool cache, u_int interval);
+void ca_info_set_options(strict_t strict, bool cache, u_int interval);
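Review bot: The prototype gains a `strict` parameter but no matching `@param strict` line is added to the Doxygen block above it; that block starts outside the hunk, so it may be documented there, but nothing in this hunk shows it. I would add `@param strict strict_t CRL policy (e.g. STRICT_NO or STRICT_IFURI) applied to all ca_info_t objects` alongside the existing @param entries.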
/**
* @brief Create a ca info record