authorYves-Alexis Perez <corsac@debian.org>2016-10-20 16:18:38 +0200
committerYves-Alexis Perez <corsac@debian.org>2016-10-20 16:18:38 +0200
commit25663e04c3ab01ef8dc9f906608282319cfea2db (patch)
treea0ca5e70f66d74dbe552c996a4f3a285cdfc35e4 /src/libstrongswan/plugins/revocation
parentbf372706c469764d59e9f29c39e3ecbebd72b8d2 (diff)
New upstream version 5.5.1
Diffstat (limited to 'src/libstrongswan/plugins/revocation')
-rw-r--r--src/libstrongswan/plugins/revocation/Makefile.in5
-rw-r--r--src/libstrongswan/plugins/revocation/revocation_validator.c35
2 files changed, 27 insertions, 13 deletions
diff --git a/src/libstrongswan/plugins/revocation/Makefile.in b/src/libstrongswan/plugins/revocation/Makefile.in
index e6ce51936..4ec73eff5 100644
--- a/src/libstrongswan/plugins/revocation/Makefile.in
+++ b/src/libstrongswan/plugins/revocation/Makefile.in
@@ -353,7 +353,6 @@ clearsilver_LIBS = @clearsilver_LIBS@
cmd_plugins = @cmd_plugins@
datadir = @datadir@
datarootdir = @datarootdir@
-dbusservicedir = @dbusservicedir@
dev_headers = @dev_headers@
docdir = @docdir@
dvidir = @dvidir@
@@ -387,8 +386,6 @@ libiptc_LIBS = @libiptc_LIBS@
linux_headers = @linux_headers@
localedir = @localedir@
localstatedir = @localstatedir@
-maemo_CFLAGS = @maemo_CFLAGS@
-maemo_LIBS = @maemo_LIBS@
manager_plugins = @manager_plugins@
mandir = @mandir@
medsrv_plugins = @medsrv_plugins@
@@ -442,6 +439,8 @@ target_alias = @target_alias@
top_build_prefix = @top_build_prefix@
top_builddir = @top_builddir@
top_srcdir = @top_srcdir@
+tss2_CFLAGS = @tss2_CFLAGS@
+tss2_LIBS = @tss2_LIBS@
urandom_device = @urandom_device@
xml_CFLAGS = @xml_CFLAGS@
xml_LIBS = @xml_LIBS@
diff --git a/src/libstrongswan/plugins/revocation/revocation_validator.c b/src/libstrongswan/plugins/revocation/revocation_validator.c
index fdcb9902b..f2e3cdd83 100644
--- a/src/libstrongswan/plugins/revocation/revocation_validator.c
+++ b/src/libstrongswan/plugins/revocation/revocation_validator.c
@@ -404,6 +404,26 @@ static bool verify_crl(certificate_t *crl)
}
/**
+ * Report the given CRL's validity and cache it if valid and requested
+ */
+static bool is_crl_valid(certificate_t *crl, bool cache)
+{
+ time_t valid_until;
+
+ if (crl->get_validity(crl, NULL, NULL, &valid_until))
+ {
+ DBG1(DBG_CFG, " crl is valid: until %T", &valid_until, FALSE);
+ if (cache)
+ {
+ lib->credmgr->cache_cert(lib->credmgr, crl);
+ }
+ return TRUE;
+ }
+ DBG1(DBG_CFG, " crl is stale: since %T", &valid_until, FALSE);
+ return FALSE;
+}
+
+/**
* Get the better of two CRLs, and check for usable CRL info
*/
static certificate_t *get_better_crl(certificate_t *cand, certificate_t *best,
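Review bot: The stale branch of `is_crl_valid` logs `valid_until` after `get_validity` has returned FALSE, which only prints something meaningful if that method writes the out-parameter on the failure path; the old call site had the same dependency, but `time_t valid_until = 0;` costs nothing and keeps the log deterministic if an implementation leaves it untouched. The rewrite also drops the why-comment that used to sit on the cache call, which is worth restoring on the `cache_cert` line: `/* only non-stale CRLs are cached; stale ones are re-fetched */`. The helper is complete within the hunk; `get_better_crl`, whose signature closes it, continues below.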
@@ -411,7 +431,7 @@ static certificate_t *get_better_crl(certificate_t *cand, certificate_t *best,
bool cache, crl_t *base)
{
enumerator_t *enumerator;
- time_t revocation, valid_until;
+ time_t revocation;
crl_reason_t reason;
chunk_t serial;
crl_t *crl = (crl_t*)cand;
@@ -447,8 +467,6 @@ static certificate_t *get_better_crl(certificate_t *cand, certificate_t *best,
{
if (chunk_equals(serial, subject->get_serial(subject)))
{
- DBG1(DBG_CFG, "certificate was revoked on %T, reason: %N",
- &revocation, TRUE, crl_reason_names, reason);
if (reason != CRL_REASON_CERTIFICATE_HOLD)
{
*valid = VALIDATION_REVOKED;
@@ -458,6 +476,9 @@ static certificate_t *get_better_crl(certificate_t *cand, certificate_t *best,
/* if the cert is on hold, a newer CRL might not contain it */
*valid = VALIDATION_ON_HOLD;
}
+ is_crl_valid(cand, cache);
+ DBG1(DBG_CFG, "certificate was revoked on %T, reason: %N",
+ &revocation, TRUE, crl_reason_names, reason);
enumerator->destroy(enumerator);
DESTROY_IF(best);
return cand;
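Review bot: The return value of `is_crl_valid(cand, cache)` on the revoked/on-hold path is discarded without comment, so a reader cannot tell whether honouring a revocation entry from a stale CRL is deliberate or an oversight. It looks intentional (failing closed on a revocation is the conservative choice, and the call's only side effect is caching a still-current CRL), and a one-line comment above the call would settle it: `/* a stale CRL still revokes the cert; is_crl_valid() only decides whether it is cached */`. `get_better_crl` starts and ends outside this hunk.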
@@ -470,18 +491,12 @@ static certificate_t *get_better_crl(certificate_t *cand, certificate_t *best,
{
DESTROY_IF(best);
best = cand;
- if (best->get_validity(best, NULL, NULL, &valid_until))
+ if (is_crl_valid(best, cache))
{
- DBG1(DBG_CFG, " crl is valid: until %T", &valid_until, FALSE);
*valid = VALIDATION_GOOD;
- if (cache)
- { /* we cache non-stale crls only, as a stale crls are refetched */
- lib->credmgr->cache_cert(lib->credmgr, best);
- }
}
else
{
- DBG1(DBG_CFG, " crl is stale: since %T", &valid_until, FALSE);
*valid = VALIDATION_STALE;
}
}