ims-volte-vowifi
/
strongswan
9
0
Fork 0
Code Pull Requests Releases Activity

revocation: Support en-/disabling CRL/OCSP at runtime

This commit is contained in:
Tobias Brunner 2018-06-21 08:59:40 +02:00
parent 3eda52f039
commit 0e2a6c46e9
3 changed files with 61 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
src/libstrongswan/plugins/revocation/revocation_plugin.c
View File

@ -76,6 +76,13 @@ METHOD(plugin_t, get_features, int,
return countof(f);
}
METHOD(plugin_t, reload, bool,
private_revocation_plugin_t *this)
{
this->validator->reload(this->validator);
return TRUE;
}
METHOD(plugin_t, destroy, void,
private_revocation_plugin_t *this)
{
@ -95,6 +102,7 @@ plugin_t *revocation_plugin_create()
.plugin = {
.get_name = _get_name,
.get_features = _get_features,
.reload = _reload,
.destroy = _destroy,
},
},

60
src/libstrongswan/plugins/revocation/revocation_validator.c
View File

@ -27,6 +27,7 @@
#include <credentials/certificates/ocsp_response.h>
#include <credentials/sets/ocsp_response_wrapper.h>
#include <selectors/traffic_selector.h>
#include <threading/spinlock.h>
typedef struct private_revocation_validator_t private_revocation_validator_t;
@ -50,6 +51,10 @@ struct private_revocation_validator_t {
*/
bool enable_crl;
/**
* Lock to access flags
*/
spinlock_t *lock;
};
/**
@ -795,14 +800,21 @@ METHOD(cert_validator_t, validate, bool,
certificate_t *issuer, bool online, u_int pathlen, bool anchor,
auth_cfg_t *auth)
{
if (online && (this->enable_ocsp || this->enable_crl) &&
bool enable_ocsp, enable_crl;
this->lock->lock(this->lock);
enable_ocsp = this->enable_ocsp;
enable_crl = this->enable_crl;
this->lock->unlock(this->lock);
if (online && (enable_ocsp || enable_crl) &&
subject->get_type(subject) == CERT_X509 &&
issuer->get_type(issuer) == CERT_X509)
{
DBG1(DBG_CFG, "checking certificate status of \"%Y\"",
subject->get_subject(subject));
if (this->enable_ocsp)
if (enable_ocsp)
{
switch (check_ocsp((x509_t*)subject, (x509_t*)issuer, auth))
{
@ -831,7 +843,7 @@ METHOD(cert_validator_t, validate, bool,
auth->add(auth, AUTH_RULE_OCSP_VALIDATION, VALIDATION_SKIPPED);
}
if (this->enable_crl)
if (enable_crl)
{
switch (check_crl((x509_t*)subject, (x509_t*)issuer, auth))
{
@ -865,9 +877,35 @@ METHOD(cert_validator_t, validate, bool,
return TRUE;
}
METHOD(revocation_validator_t, reload, void,
private_revocation_validator_t *this)
{
bool enable_ocsp, enable_crl;
enable_ocsp = lib->settings->get_bool(lib->settings,
"%s.plugins.revocation.enable_ocsp", TRUE, lib->ns);
enable_crl = lib->settings->get_bool(lib->settings,
"%s.plugins.revocation.enable_crl", TRUE, lib->ns);
this->lock->lock(this->lock);
this->enable_ocsp = enable_ocsp;
this->enable_crl = enable_crl;
this->lock->unlock(this->lock);
if (!enable_ocsp)
{
DBG1(DBG_LIB, "all OCSP validation disabled");
}
if (!enable_crl)
{
DBG1(DBG_LIB, "all CRL validation disabled");
}
}
METHOD(revocation_validator_t, destroy, void,
private_revocation_validator_t *this)
{
this->lock->destroy(this->lock);
free(this);
}
@ -881,21 +919,13 @@ revocation_validator_t *revocation_validator_create()
INIT(this,
.public = {
.validator.validate = _validate,
.reload = _reload,
.destroy = _destroy,
},
.enable_ocsp = lib->settings->get_bool(lib->settings,
"%s.plugins.revocation.enable_ocsp", TRUE, lib->ns),
.enable_crl = lib->settings->get_bool(lib->settings,
"%s.plugins.revocation.enable_crl", TRUE, lib->ns),
.lock = spinlock_create(),
);
if (!this->enable_ocsp)
{
DBG1(DBG_LIB, "all OCSP validation disabled");
}
if (!this->enable_crl)
{
DBG1(DBG_LIB, "all CRL validation disabled");
}
reload(this);
return &this->public;
}

8
src/libstrongswan/plugins/revocation/revocation_validator.h
View File

@ -1,4 +1,7 @@
/*
* Copyright (C) 2018 Tobias Brunner
* HSR Hochschule fuer Technik Rapperswil
*
* Copyright (C) 2010 Martin Willi
* Copyright (C) 2010 revosec AG
*
@ -35,6 +38,11 @@ struct revocation_validator_t {
*/
cert_validator_t validator;
/**
* Reload the configuration
*/
void (*reload)(revocation_validator_t *this);
/**
* Destroy a revocation_validator_t.
*/