Diffstat (limited to 'src')
3 files changed, 14 insertions, 1 deletions
diff --git a/src/libstrongswan/credentials/certificates/certificate.c b/src/libstrongswan/credentials/certificates/certificate.c
index 661b69e36..33ba4e907 100644
--- a/src/libstrongswan/credentials/certificates/certificate.c
+++ b/src/libstrongswan/credentials/certificates/certificate.c
@@ -38,6 +38,7 @@ ENUM(cert_validation_names, VALIDATION_GOOD, VALIDATION_REVOKED,
 "SKIPPED",
 "STALE",
 "FAILED",
+ "ON_HOLD",
 "REVOKED",
 );
diff --git a/src/libstrongswan/credentials/certificates/certificate.h b/src/libstrongswan/credentials/certificates/certificate.h
index 330cfe198..2f471da5b 100644
--- a/src/libstrongswan/credentials/certificates/certificate.h
+++ b/src/libstrongswan/credentials/certificates/certificate.h
@@ -77,6 +77,8 @@ enum cert_validation_t {
 VALIDATION_STALE,
 /** validation failed due to a processing error */
 VALIDATION_FAILED,
+ /** certificate is on hold (i.e. temporary revokation) */
+ VALIDATION_ON_HOLD,
 /** certificate has been revoked */
 VALIDATION_REVOKED,
 };
diff --git a/src/libstrongswan/plugins/revocation/revocation_validator.c b/src/libstrongswan/plugins/revocation/revocation_validator.c
index def169275..34f347d1a 100644
--- a/src/libstrongswan/plugins/revocation/revocation_validator.c
+++ b/src/libstrongswan/plugins/revocation/revocation_validator.c
@@ -404,7 +404,15 @@ static certificate_t *get_better_crl(certificate_t *cand, certificate_t *best,
 {
 DBG1(DBG_CFG, "certificate was revoked on %T, reason: %N",
 &revocation, TRUE, crl_reason_names, reason);
- *valid = VALIDATION_REVOKED;
+ if (reason != CRL_REASON_CERTIFICATE_HOLD)
+ {
+ *valid = VALIDATION_REVOKED;
+ }
+ else
+ {
+ /* if the cert is on hold, a newer CRL might not contain it */
+ *valid = VALIDATION_ON_HOLD;
+ }
 enumerator->destroy(enumerator);
 DESTROY_IF(best);
 return cand;
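Review bot: The doc comment on the new VALIDATION_ON_HOLD enumerator in certificate.h misspells "revocation" and does not say how consumers should treat the value, although the validate() hunks in this same commit reject it like VALIDATION_REVOKED; suggest `/** certificate is on hold (i.e. temporary revocation); validators treat it as not valid */`. Inserting the enumerator before VALIDATION_REVOKED also shifts the numeric value of VALIDATION_REVOKED; the names table in certificate.c is kept in step here, but if cert_validation_t is visible to out-of-tree plugins those need a rebuild, and any code that orders on these values rather than comparing for equality should be checked. The enum body continues outside the hunk.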
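Review bot: In get_better_crl the new else branch's comment says a newer CRL might not contain an on-hold certificate, yet the branch still destroys the enumerator and returns cand immediately, exactly as the revoked branch does, so nothing in this hunk consults a newer CRL. If the intent is that the caller acts on VALIDATION_ON_HOLD (for example by fetching a fresher CRL), that logic lives outside this hunk and the comment should point to it, e.g. `/* hold is temporary: report it separately so the caller can decide whether to consult a newer CRL */`. The DBG1 two lines above still reads "certificate was revoked on …" for the hold case, which is only unambiguous because the %N reason is printed alongside it. get_better_crl starts and ends outside the hunk.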
@@ -681,6 +689,7 @@ METHOD(cert_validator_t, validate, bool,
 DBG1(DBG_CFG, "certificate status is good");
 return TRUE;
 case VALIDATION_REVOKED:
+ case VALIDATION_ON_HOLD:
 /* has already been logged */
 return FALSE;
 case VALIDATION_SKIPPED:
@@ -700,6 +709,7 @@ METHOD(cert_validator_t, validate, bool,
 DBG1(DBG_CFG, "certificate status is good");
 return TRUE;
 case VALIDATION_REVOKED:
+ case VALIDATION_ON_HOLD:
 /* has already been logged */
 return FALSE;
 case VALIDATION_FAILED: |
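Review bot: Both hunks here (at 681 and 700) add `case VALIDATION_ON_HOLD:` so that an on-hold certificate is rejected on the same path as a revoked one, which is the fail-closed choice, but only the CRL path in get_better_crl ever produces VALIDATION_ON_HOLD in this commit. If the first switch handles an OCSP result, that path presumably still reports a certificateHold reason as VALIDATION_REVOKED, so the distinction is applied to one revocation source and not the other; a one-line comment at the new case, `/* only set by the CRL path; OCSP reports hold as revoked */` (if that is confirmed), or a follow-up would make this explicit. The existing `/* has already been logged */` remains accurate, since the hold case is logged by the same DBG1 as a revocation. The validate method starts and ends outside both hunks.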