Diffstat (limited to 'src')
-rw-r--r--src/libstrongswan/credentials/certificates/certificate.c1
-rw-r--r--src/libstrongswan/credentials/certificates/certificate.h2
-rw-r--r--src/libstrongswan/plugins/revocation/revocation_validator.c12
3 files changed, 14 insertions, 1 deletions
diff --git a/src/libstrongswan/credentials/certificates/certificate.c b/src/libstrongswan/credentials/certificates/certificate.c
index 661b69e36..33ba4e907 100644
--- a/src/libstrongswan/credentials/certificates/certificate.c
+++ b/src/libstrongswan/credentials/certificates/certificate.c
@@ -38,6 +38,7 @@ ENUM(cert_validation_names, VALIDATION_GOOD, VALIDATION_REVOKED,
"SKIPPED",
"STALE",
"FAILED",
+ "ON_HOLD",
"REVOKED",
);
diff --git a/src/libstrongswan/credentials/certificates/certificate.h b/src/libstrongswan/credentials/certificates/certificate.h
index 330cfe198..2f471da5b 100644
--- a/src/libstrongswan/credentials/certificates/certificate.h
+++ b/src/libstrongswan/credentials/certificates/certificate.h
@@ -77,6 +77,8 @@ enum cert_validation_t {
VALIDATION_STALE,
/** validation failed due to a processing error */
VALIDATION_FAILED,
+ /** certificate is on hold (i.e. temporary revokation) */
+ VALIDATION_ON_HOLD,
/** certificate has been revoked */
VALIDATION_REVOKED,
};
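Review bot: Inserting VALIDATION_ON_HOLD before VALIDATION_REVOKED renumbers VALIDATION_REVOKED, so any code compiled against the previous header (out-of-tree plugins, if there are any) would read the wrong state until rebuilt; if that matters, appending the value at the end and moving the ENUM range end in certificate.c accordingly avoids the shift. The doc comment also has a typo and could say how the new state is treated, e.g. `/** certificate is on hold (crlReason certificateHold, i.e. a temporary revocation); validators reject it like VALIDATION_REVOKED */`, which matches the two validate() hunks below where it returns FALSE alongside VALIDATION_REVOKED.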
diff --git a/src/libstrongswan/plugins/revocation/revocation_validator.c b/src/libstrongswan/plugins/revocation/revocation_validator.c
index def169275..34f347d1a 100644
--- a/src/libstrongswan/plugins/revocation/revocation_validator.c
+++ b/src/libstrongswan/plugins/revocation/revocation_validator.c
@@ -404,7 +404,15 @@ static certificate_t *get_better_crl(certificate_t *cand, certificate_t *best,
{
DBG1(DBG_CFG, "certificate was revoked on %T, reason: %N",
&revocation, TRUE, crl_reason_names, reason);
- *valid = VALIDATION_REVOKED;
+ if (reason != CRL_REASON_CERTIFICATE_HOLD)
+ {
+ *valid = VALIDATION_REVOKED;
+ }
+ else
+ {
+ /* if the cert is on hold, a newer CRL might not contain it */
+ *valid = VALIDATION_ON_HOLD;
+ }
enumerator->destroy(enumerator);
DESTROY_IF(best);
return cand;
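Review bot: The comment on the VALIDATION_ON_HOLD branch says a newer CRL might not contain the certificate, but this function returns `cand` immediately for the hold case exactly as for the revoked case, so any preference for a newer CRL has to be implemented by the caller, which is outside the hunk; if the caller does not treat ON_HOLD differently from REVOKED, the comment describes behavior that does not exist. I would reword it to state what is decided here, e.g. `/* certificateHold is a temporary revocation: report it separately so the caller may prefer a newer CRL that no longer lists the cert */`. The unchanged DBG1 above the branch logs both cases as "certificate was revoked on ..."; the reason code is printed, so it is readable, but a dedicated `DBG1(DBG_CFG, "certificate is on hold since %T", &revocation, TRUE);` in the else branch would be clearer. Whatever the caller does, a hold should only be lifted by a CRL that is both newer and itself validated, never by falling back to an older or stale one. get_better_crl starts before and ends after this hunk.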
@@ -681,6 +689,7 @@ METHOD(cert_validator_t, validate, bool,
DBG1(DBG_CFG, "certificate status is good");
return TRUE;
case VALIDATION_REVOKED:
+ case VALIDATION_ON_HOLD:
/* has already been logged */
return FALSE;
case VALIDATION_SKIPPED:
@@ -700,6 +709,7 @@ METHOD(cert_validator_t, validate, bool,
DBG1(DBG_CFG, "certificate status is good");
return TRUE;
case VALIDATION_REVOKED:
+ case VALIDATION_ON_HOLD:
/* has already been logged */
return FALSE;
case VALIDATION_FAILED: