summaryrefslogtreecommitdiff
path: root/src/libstrongswan/plugins/revocation
diff options
context:
space:
mode:
Diffstat (limited to 'src/libstrongswan/plugins/revocation')
-rw-r--r--src/libstrongswan/plugins/revocation/Makefile.in2
-rw-r--r--src/libstrongswan/plugins/revocation/revocation_validator.c114
2 files changed, 74 insertions, 42 deletions
diff --git a/src/libstrongswan/plugins/revocation/Makefile.in b/src/libstrongswan/plugins/revocation/Makefile.in
index 4ec73eff5..cfbbcd8ad 100644
--- a/src/libstrongswan/plugins/revocation/Makefile.in
+++ b/src/libstrongswan/plugins/revocation/Makefile.in
@@ -360,7 +360,6 @@ exec_prefix = @exec_prefix@
fips_mode = @fips_mode@
gtk_CFLAGS = @gtk_CFLAGS@
gtk_LIBS = @gtk_LIBS@
-h_plugins = @h_plugins@
host = @host@
host_alias = @host_alias@
host_cpu = @host_cpu@
@@ -395,6 +394,7 @@ nm_LIBS = @nm_LIBS@
nm_ca_dir = @nm_ca_dir@
nm_plugins = @nm_plugins@
oldincludedir = @oldincludedir@
+p_plugins = @p_plugins@
pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
diff --git a/src/libstrongswan/plugins/revocation/revocation_validator.c b/src/libstrongswan/plugins/revocation/revocation_validator.c
index f2e3cdd83..16ee0ecc7 100644
--- a/src/libstrongswan/plugins/revocation/revocation_validator.c
+++ b/src/libstrongswan/plugins/revocation/revocation_validator.c
@@ -36,6 +36,17 @@ struct private_revocation_validator_t {
* Public revocation_validator_t interface.
*/
revocation_validator_t public;
+
+ /**
+ * Enable OCSP validation
+ */
+ bool enable_ocsp;
+
+ /**
+ * Enable CRL validation
+ */
+ bool enable_crl;
+
};
/**
@@ -732,54 +743,63 @@ METHOD(cert_validator_t, validate, bool,
certificate_t *issuer, bool online, u_int pathlen, bool anchor,
auth_cfg_t *auth)
{
- if (subject->get_type(subject) == CERT_X509 &&
- issuer->get_type(issuer) == CERT_X509 &&
- online)
+ if (online && (this->enable_ocsp || this->enable_crl) &&
+ subject->get_type(subject) == CERT_X509 &&
+ issuer->get_type(issuer) == CERT_X509)
{
DBG1(DBG_CFG, "checking certificate status of \"%Y\"",
subject->get_subject(subject));
- switch (check_ocsp((x509_t*)subject, (x509_t*)issuer,
- pathlen ? NULL : auth))
+
+ if (this->enable_ocsp)
{
- case VALIDATION_GOOD:
- DBG1(DBG_CFG, "certificate status is good");
- return TRUE;
- case VALIDATION_REVOKED:
- case VALIDATION_ON_HOLD:
- /* has already been logged */
- lib->credmgr->call_hook(lib->credmgr, CRED_HOOK_REVOKED,
- subject);
- return FALSE;
- case VALIDATION_SKIPPED:
- DBG2(DBG_CFG, "ocsp check skipped, no ocsp found");
- break;
- case VALIDATION_STALE:
- DBG1(DBG_CFG, "ocsp information stale, fallback to crl");
- break;
- case VALIDATION_FAILED:
- DBG1(DBG_CFG, "ocsp check failed, fallback to crl");
- break;
+ switch (check_ocsp((x509_t*)subject, (x509_t*)issuer,
+ pathlen ? NULL : auth))
+ {
+ case VALIDATION_GOOD:
+ DBG1(DBG_CFG, "certificate status is good");
+ return TRUE;
+ case VALIDATION_REVOKED:
+ case VALIDATION_ON_HOLD:
+ /* has already been logged */
+ lib->credmgr->call_hook(lib->credmgr, CRED_HOOK_REVOKED,
+ subject);
+ return FALSE;
+ case VALIDATION_SKIPPED:
+ DBG2(DBG_CFG, "ocsp check skipped, no ocsp found");
+ break;
+ case VALIDATION_STALE:
+ DBG1(DBG_CFG, "ocsp information stale, fallback to crl");
+ break;
+ case VALIDATION_FAILED:
+ DBG1(DBG_CFG, "ocsp check failed, fallback to crl");
+ break;
+ }
}
- switch (check_crl((x509_t*)subject, (x509_t*)issuer,
- pathlen ? NULL : auth))
+
+ if (this->enable_crl)
{
- case VALIDATION_GOOD:
- DBG1(DBG_CFG, "certificate status is good");
- return TRUE;
- case VALIDATION_REVOKED:
- case VALIDATION_ON_HOLD:
- /* has already been logged */
- lib->credmgr->call_hook(lib->credmgr, CRED_HOOK_REVOKED,
- subject);
- return FALSE;
- case VALIDATION_FAILED:
- case VALIDATION_SKIPPED:
- DBG1(DBG_CFG, "certificate status is not available");
- break;
- case VALIDATION_STALE:
- DBG1(DBG_CFG, "certificate status is unknown, crl is stale");
- break;
+ switch (check_crl((x509_t*)subject, (x509_t*)issuer,
+ pathlen ? NULL : auth))
+ {
+ case VALIDATION_GOOD:
+ DBG1(DBG_CFG, "certificate status is good");
+ return TRUE;
+ case VALIDATION_REVOKED:
+ case VALIDATION_ON_HOLD:
+ /* has already been logged */
+ lib->credmgr->call_hook(lib->credmgr, CRED_HOOK_REVOKED,
+ subject);
+ return FALSE;
+ case VALIDATION_FAILED:
+ case VALIDATION_SKIPPED:
+ DBG1(DBG_CFG, "certificate status is not available");
+ break;
+ case VALIDATION_STALE:
+ DBG1(DBG_CFG, "certificate status is unknown, crl is stale");
+ break;
+ }
}
+
lib->credmgr->call_hook(lib->credmgr, CRED_HOOK_VALIDATION_FAILED,
subject);
}
@@ -804,7 +824,19 @@ revocation_validator_t *revocation_validator_create()
.validator.validate = _validate,
.destroy = _destroy,
},
+ .enable_ocsp = lib->settings->get_bool(lib->settings,
+ "%s.plugins.revocation.enable_ocsp", TRUE, lib->ns),
+ .enable_crl = lib->settings->get_bool(lib->settings,
+ "%s.plugins.revocation.enable_crl", TRUE, lib->ns),
);
+ if (!this->enable_ocsp)
+ {
+ DBG1(DBG_LIB, "all OCSP validation disabled");
+ }
+ if (!this->enable_crl)
+ {
+ DBG1(DBG_LIB, "all CRL validation disabled");
+ }
return &this->public;
}