From 5452e3d66e6bc20f1052f3d616a0f29eab17256c Mon Sep 17 00:00:00 2001
From: Tobias Brunner
Date: Mon, 26 Oct 2015 15:35:23 +0100
Subject: credential-manager: Make online revocation checks optional for public key enumerator
---
 src/libcharon/sa/ikev1/authenticators/pubkey_v1_authenticator.c | 2 +-
 src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c | 2 +-
 src/libstrongswan/credentials/credential_manager.c | 5 +++--
 src/libstrongswan/credentials/credential_manager.h | 7 ++++++-
 src/libtls/tls_peer.c | 3 ++-
 src/libtls/tls_server.c | 2 +-
 6 files changed, 14 insertions(+), 7 deletions(-)
diff --git a/src/libcharon/sa/ikev1/authenticators/pubkey_v1_authenticator.c b/src/libcharon/sa/ikev1/authenticators/pubkey_v1_authenticator.c
index 793e6d5c1..eee7dd10b 100644
--- a/src/libcharon/sa/ikev1/authenticators/pubkey_v1_authenticator.c
+++ b/src/libcharon/sa/ikev1/authenticators/pubkey_v1_authenticator.c
@@ -173,7 +173,7 @@ METHOD(authenticator_t, process, status_t,
 sig = sig_payload->get_hash(sig_payload);
 auth = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE);
 enumerator = lib->credmgr->create_public_enumerator(lib->credmgr, this->type,
- id, auth);
+ id, auth, TRUE);
 while (enumerator->enumerate(enumerator, &public, ¤t_auth))
 {
 if (public->verify(public, scheme, hash, sig))
diff --git a/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c b/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c
index 110c50973..dca80a4d8 100644
--- a/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c
+++ b/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c
@@ -409,7 +409,7 @@ METHOD(authenticator_t, process, status_t,
 }
 auth = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE);
 enumerator = lib->credmgr->create_public_enumerator(lib->credmgr,
- key_type, id, auth);
+ key_type, id, auth, TRUE);
 while (enumerator->enumerate(enumerator, &public, ¤t_auth))
 {
 if (public->verify(public, scheme, octets, auth_data))
diff --git a/src/libstrongswan/credentials/credential_manager.c b/src/libstrongswan/credentials/credential_manager.c
index 371e6404d..736111b93 100644
--- a/src/libstrongswan/credentials/credential_manager.c
+++ b/src/libstrongswan/credentials/credential_manager.c
@@ -1,4 +1,5 @@
 /*
+ * Copyright (C) 2015 Tobias Brunner
 * Copyright (C) 2007 Martin Willi
 * Hochschule fuer Technik Rapperswil
 *
@@ -993,7 +994,7 @@ METHOD(enumerator_t, public_destroy, void,
 METHOD(credential_manager_t, create_public_enumerator, enumerator_t*,
 private_credential_manager_t *this, key_type_t type, identification_t *id,
- auth_cfg_t *auth)
+ auth_cfg_t *auth, bool online)
 {
 public_enumerator_t *enumerator;
@@ -1002,7 +1003,7 @@ METHOD(credential_manager_t, create_public_enumerator, enumerator_t*,
 .enumerate = (void*)_public_enumerate,
 .destroy = _public_destroy,
 },
- .inner = create_trusted_enumerator(this, type, id, TRUE),
+ .inner = create_trusted_enumerator(this, type, id, online),
 .this = this,
 );
 if (auth)
diff --git a/src/libstrongswan/credentials/credential_manager.h b/src/libstrongswan/credentials/credential_manager.h
index 445ea3f9c..022ca566c 100644
--- a/src/libstrongswan/credentials/credential_manager.h
+++ b/src/libstrongswan/credentials/credential_manager.h
@@ -1,4 +1,5 @@
 /*
+ * Copyright (C) 2015 Tobias Brunner
 * Copyright (C) 2007-2009 Martin Willi
 * Hochschule fuer Technik Rapperswil
 *
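Review bot: The new flag is consumed only at `.inner = create_trusted_enumerator(this, type, id, online),` in the @@ -1002 hunk, and nothing in the code says what a FALSE value gives up; every call site touched by this commit still passes TRUE, so the first caller to pass FALSE on an authentication path would silently weaken revocation enforcement without any warning at the point of use. I would put a why-comment above that initializer: `/* online == FALSE skips online revocation checks for the whole trustchain; peer authentication paths must keep passing TRUE */`. Whether the constraint checks applied after `if (auth)` perform any revocation checking of their own is not visible here, since create_public_enumerator's body continues past the hunk, and presumably they do not — worth confirming before anyone relies on the flag being purely an optimisation. The @@ -993 hunk also starts inside the signature of create_public_enumerator, so the parameter's position relative to the existing callers is only verifiable from the other hunks.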
@@ -202,14 +203,18 @@ struct credential_manager_t {
 * where the auth config helper contains rules for constraint checks.
 * This function is very similar to create_trusted_enumerator(), but
 * gets public keys directly.
+ * If online is set, revocations are checked online for the whole
+ * trustchain.
 *
 * @param type type of the key to get
 * @param id owner of the key, signer of the signature
 * @param auth authentication infos
+ * @param online whether revocations should be checked online
 * @return enumerator
 */
 enumerator_t* (*create_public_enumerator)(credential_manager_t *this,
- key_type_t type, identification_t *id, auth_cfg_t *auth);
+ key_type_t type, identification_t *id, auth_cfg_t *auth,
+ bool online);
 /**
 * Cache a certificate by invoking cache_cert() on all registered sets.
diff --git a/src/libtls/tls_peer.c b/src/libtls/tls_peer.c
index 000dda43b..8087e2e2d 100644
--- a/src/libtls/tls_peer.c
+++ b/src/libtls/tls_peer.c
@@ -320,7 +320,8 @@ static public_key_t *find_public_key(private_tls_peer_t *this)
 if (cert)
 {
 enumerator = lib->credmgr->create_public_enumerator(lib->credmgr,
- KEY_ANY, cert->get_subject(cert), this->server_auth);
+ KEY_ANY, cert->get_subject(cert),
+ this->server_auth, TRUE);
 while (enumerator->enumerate(enumerator, ¤t, &auth))
 {
 found = auth->get(auth, AUTH_RULE_SUBJECT_CERT);
diff --git a/src/libtls/tls_server.c b/src/libtls/tls_server.c
index f9295a160..cfbe02037 100644
--- a/src/libtls/tls_server.c
+++ b/src/libtls/tls_server.c
@@ -548,7 +548,7 @@ static status_t process_cert_verify(private_tls_server_t *this,
 bio_reader_t *sig;
 enumerator = lib->credmgr->create_public_enumerator(lib->credmgr,
- KEY_ANY, this->peer, this->peer_auth);
+ KEY_ANY, this->peer, this->peer_auth, TRUE);
 while (enumerator->enumerate(enumerator, &public, &auth))
 {
 sig = bio_reader_create(reader->peek(reader));
-- cgit v1.2.3
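Review bot: The added doc lines `+ * If online is set, revocations are checked online for the whole` / `+ * trustchain.` describe TRUE but not FALSE, which is the security-relevant half of the contract: a reader of the header cannot tell whether FALSE still consults revocation information already present in the credential sets or skips revocation entirely, nor what happens when no revocation data is available at all. Presumably only locally available information is used in that case — that should be confirmed against create_trusted_enumerator() and written down here, since this header is the only place a new caller will look. I would also sharpen the parameter line to `@param online whether revocations should be checked online; pass FALSE only where a stale revocation status is acceptable (all peer-authentication callers pass TRUE)`, which is a fact the other hunks of this commit establish. The struct declaration itself begins before this hunk, so the surrounding documentation conventions are not fully visible.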