authorYves-Alexis Perez <corsac@debian.org>2018-09-24 15:11:14 +0200
committerYves-Alexis Perez <corsac@debian.org>2018-09-24 15:11:14 +0200
commite0e280b7669435b991b7e457abd8aa450930b3e8 (patch)
tree3e6084f13b14ad2df104e2ce6e589eb96c5f7ac9 /src/libstrongswan/plugins/revocation
parent51a71ee15c1bcf0e82f363a16898f571e211f9c3 (diff)
New upstream version 5.7.0
Diffstat (limited to 'src/libstrongswan/plugins/revocation')
-rw-r--r--src/libstrongswan/plugins/revocation/Makefile.in11
-rw-r--r--src/libstrongswan/plugins/revocation/revocation_plugin.c8
-rw-r--r--src/libstrongswan/plugins/revocation/revocation_validator.c60
-rw-r--r--src/libstrongswan/plugins/revocation/revocation_validator.h8
4 files changed, 67 insertions, 20 deletions
diff --git a/src/libstrongswan/plugins/revocation/Makefile.in b/src/libstrongswan/plugins/revocation/Makefile.in
index 15e91b24a..4d4fcf1f1 100644
--- a/src/libstrongswan/plugins/revocation/Makefile.in
+++ b/src/libstrongswan/plugins/revocation/Makefile.in
@@ -313,7 +313,6 @@ PYTHON_VERSION = @PYTHON_VERSION@
PY_TEST = @PY_TEST@
RANLIB = @RANLIB@
RTLIB = @RTLIB@
-RUBY = @RUBY@
RUBYGEMDIR = @RUBYGEMDIR@
SED = @SED@
SET_MAKE = @SET_MAKE@
@@ -339,6 +338,8 @@ am__tar = @am__tar@
am__untar = @am__untar@
attest_plugins = @attest_plugins@
bindir = @bindir@
+botan_CFLAGS = @botan_CFLAGS@
+botan_LIBS = @botan_LIBS@
build = @build@
build_alias = @build_alias@
build_cpu = @build_cpu@
@@ -359,8 +360,6 @@ dvidir = @dvidir@
exec_prefix = @exec_prefix@
fips_mode = @fips_mode@
fuzz_plugins = @fuzz_plugins@
-gtk_CFLAGS = @gtk_CFLAGS@
-gtk_LIBS = @gtk_LIBS@
host = @host@
host_alias = @host_alias@
host_cpu = @host_cpu@
@@ -415,8 +414,6 @@ random_device = @random_device@
resolv_conf = @resolv_conf@
routing_table = @routing_table@
routing_table_prio = @routing_table_prio@
-ruby_CFLAGS = @ruby_CFLAGS@
-ruby_LIBS = @ruby_LIBS@
runstatedir = @runstatedir@
s_plugins = @s_plugins@
sbindir = @sbindir@
@@ -445,8 +442,12 @@ top_builddir = @top_builddir@
top_srcdir = @top_srcdir@
tss2_CFLAGS = @tss2_CFLAGS@
tss2_LIBS = @tss2_LIBS@
+tss2_esys_CFLAGS = @tss2_esys_CFLAGS@
+tss2_esys_LIBS = @tss2_esys_LIBS@
tss2_socket_CFLAGS = @tss2_socket_CFLAGS@
tss2_socket_LIBS = @tss2_socket_LIBS@
+tss2_sys_CFLAGS = @tss2_sys_CFLAGS@
+tss2_sys_LIBS = @tss2_sys_LIBS@
tss2_tabrmd_CFLAGS = @tss2_tabrmd_CFLAGS@
tss2_tabrmd_LIBS = @tss2_tabrmd_LIBS@
urandom_device = @urandom_device@
diff --git a/src/libstrongswan/plugins/revocation/revocation_plugin.c b/src/libstrongswan/plugins/revocation/revocation_plugin.c
index fe7eaa765..f688577e1 100644
--- a/src/libstrongswan/plugins/revocation/revocation_plugin.c
+++ b/src/libstrongswan/plugins/revocation/revocation_plugin.c
@@ -76,6 +76,13 @@ METHOD(plugin_t, get_features, int,
return countof(f);
}
+METHOD(plugin_t, reload, bool,
+ private_revocation_plugin_t *this)
+{
+ this->validator->reload(this->validator);
+ return TRUE;
+}
+
METHOD(plugin_t, destroy, void,
private_revocation_plugin_t *this)
{
@@ -95,6 +102,7 @@ plugin_t *revocation_plugin_create()
.plugin = {
.get_name = _get_name,
.get_features = _get_features,
+ .reload = _reload,
.destroy = _destroy,
},
},
diff --git a/src/libstrongswan/plugins/revocation/revocation_validator.c b/src/libstrongswan/plugins/revocation/revocation_validator.c
index f8e78ac0c..68292e3cd 100644
--- a/src/libstrongswan/plugins/revocation/revocation_validator.c
+++ b/src/libstrongswan/plugins/revocation/revocation_validator.c
@@ -27,6 +27,7 @@
#include <credentials/certificates/ocsp_response.h>
#include <credentials/sets/ocsp_response_wrapper.h>
#include <selectors/traffic_selector.h>
+#include <threading/spinlock.h>
typedef struct private_revocation_validator_t private_revocation_validator_t;
@@ -50,6 +51,10 @@ struct private_revocation_validator_t {
*/
bool enable_crl;
+ /**
+ * Lock to access flags
+ */
+ spinlock_t *lock;
};
/**
@@ -795,14 +800,21 @@ METHOD(cert_validator_t, validate, bool,
certificate_t *issuer, bool online, u_int pathlen, bool anchor,
auth_cfg_t *auth)
{
- if (online && (this->enable_ocsp || this->enable_crl) &&
+ bool enable_ocsp, enable_crl;
+
+ this->lock->lock(this->lock);
+ enable_ocsp = this->enable_ocsp;
+ enable_crl = this->enable_crl;
+ this->lock->unlock(this->lock);
+
+ if (online && (enable_ocsp || enable_crl) &&
subject->get_type(subject) == CERT_X509 &&
issuer->get_type(issuer) == CERT_X509)
{
DBG1(DBG_CFG, "checking certificate status of \"%Y\"",
subject->get_subject(subject));
- if (this->enable_ocsp)
+ if (enable_ocsp)
{
switch (check_ocsp((x509_t*)subject, (x509_t*)issuer, auth))
{
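Review bot: The snapshot of `enable_ocsp`/`enable_crl` taken under the lock at the top of validate has no comment explaining why both flags are copied before the `online` test rather than read where they are used, which is the non-obvious part of the change. I would add above `this->lock->lock(this->lock);` the comment `/* snapshot both flags under the lock so a concurrent reload() is never observed half-applied between the OCSP and CRL checks below */`. Since the function only uses the flags inside the `if (online && ...)` block, the lock is also taken for every offline validation; if the remainder of the function does nothing else with them, taking the snapshot only when `online` is set would avoid that, but the body of validate continues outside this hunk so I cannot confirm it. The two later hunks of this function (the `if (enable_ocsp)` and `if (enable_crl)` tests) depend on the same snapshot.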
@@ -831,7 +843,7 @@ METHOD(cert_validator_t, validate, bool,
auth->add(auth, AUTH_RULE_OCSP_VALIDATION, VALIDATION_SKIPPED);
}
- if (this->enable_crl)
+ if (enable_crl)
{
switch (check_crl((x509_t*)subject, (x509_t*)issuer, auth))
{
@@ -865,9 +877,35 @@ METHOD(cert_validator_t, validate, bool,
return TRUE;
}
+METHOD(revocation_validator_t, reload, void,
+ private_revocation_validator_t *this)
+{
+ bool enable_ocsp, enable_crl;
+
+ enable_ocsp = lib->settings->get_bool(lib->settings,
+ "%s.plugins.revocation.enable_ocsp", TRUE, lib->ns);
+ enable_crl = lib->settings->get_bool(lib->settings,
+ "%s.plugins.revocation.enable_crl", TRUE, lib->ns);
+
+ this->lock->lock(this->lock);
+ this->enable_ocsp = enable_ocsp;
+ this->enable_crl = enable_crl;
+ this->lock->unlock(this->lock);
+
+ if (!enable_ocsp)
+ {
+ DBG1(DBG_LIB, "all OCSP validation disabled");
+ }
+ if (!enable_crl)
+ {
+ DBG1(DBG_LIB, "all CRL validation disabled");
+ }
+}
+
METHOD(revocation_validator_t, destroy, void,
private_revocation_validator_t *this)
{
+ this->lock->destroy(this->lock);
free(this);
}
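Review bot: Both `get_bool()` calls in reload default to `TRUE`, which is the fail-safe direction (an absent or unparsable setting keeps revocation checking enabled), but nothing says this is deliberate; I would add before the first call `/* default to TRUE: a missing or invalid setting must not silently disable revocation checking */`. The two `DBG1()` messages are now emitted on every reload, not only when a flag actually changed, so a daemon that is reloaded often will repeat "all OCSP validation disabled" each time; if that is unwanted, keep the previous values read under the lock and log only on a transition. The settings are read outside the lock and only the assignment is locked, which looks intentional and keeps the critical section short; a one-line comment on `this->lock->lock(this->lock);` saying so would preempt the question.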
@@ -881,21 +919,13 @@ revocation_validator_t *revocation_validator_create()
INIT(this,
.public = {
.validator.validate = _validate,
+ .reload = _reload,
.destroy = _destroy,
},
- .enable_ocsp = lib->settings->get_bool(lib->settings,
- "%s.plugins.revocation.enable_ocsp", TRUE, lib->ns),
- .enable_crl = lib->settings->get_bool(lib->settings,
- "%s.plugins.revocation.enable_crl", TRUE, lib->ns),
+ .lock = spinlock_create(),
);
- if (!this->enable_ocsp)
- {
- DBG1(DBG_LIB, "all OCSP validation disabled");
- }
- if (!this->enable_crl)
- {
- DBG1(DBG_LIB, "all CRL validation disabled");
- }
+ reload(this);
+
return &this->public;
}
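Review bot: The return of `spinlock_create()` in the `INIT()` block is stored without a check, and `reload(this)` on the next statement immediately calls `this->lock->lock(this->lock)` on it; if `spinlock_create()` can return NULL on allocation failure this is a null dereference at plugin load, whereas if it aborts internally like other strongSwan constructors a short comment `/* spinlock_create() never returns NULL */` next to `.lock = spinlock_create(),` would make that explicit. I cannot tell from this page which holds. Calling `reload()` before the object is published is otherwise a good choice, since the initial flag values and the log lines come from one code path.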
diff --git a/src/libstrongswan/plugins/revocation/revocation_validator.h b/src/libstrongswan/plugins/revocation/revocation_validator.h
index 82cbde26b..9128787f1 100644
--- a/src/libstrongswan/plugins/revocation/revocation_validator.h
+++ b/src/libstrongswan/plugins/revocation/revocation_validator.h
@@ -1,4 +1,7 @@
/*
+ * Copyright (C) 2018 Tobias Brunner
+ * HSR Hochschule fuer Technik Rapperswil
+ *
* Copyright (C) 2010 Martin Willi
* Copyright (C) 2010 revosec AG
*
@@ -36,6 +39,11 @@ struct revocation_validator_t {
cert_validator_t validator;
/**
+ * Reload the configuration
+ */
+ void (*reload)(revocation_validator_t *this);
+
+ /**
* Destroy a revocation_validator_t.
*/
void (*destroy)(revocation_validator_t *this);
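Review bot: The new `reload` member is documented only as "Reload the configuration", which does not tell a caller what is reloaded or whether it is safe to call while validations are in flight. Based on the implementation in revocation_validator.c, I would expand the comment to describe that it re-reads the `enable_ocsp` and `enable_crl` settings from `lib->settings` and may be called concurrently with `validate()`, which observes the new values on its next invocation. A `@param this` line matching the `destroy` entry below would keep the header's doxygen style consistent.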