revocation: More accurately describe the flags to disable OCSP/CRL validation

These options disable validation as such (including validation against already cached CRLs), not only the fetching.  The plugin's validate() implementation is also made a no-op if both options are disabled.
This commit is contained in:
Tobias Brunner 2017-01-25 16:17:38 +01:00
parent 067fd2c69c
commit 2de9bb30fe
2 changed files with 9 additions and 10 deletions


@ -1,7 +1,7 @@
charon.plugins.revocation.enable_ocsp = yes
Whether OCSP fetching should be enabled.
Whether OCSP validation should be enabled.
charon.plugins.revocation.enable_crl = yes
Whether CRL fetching should be enabled.
Whether CRL validation should be enabled.


@ -38,12 +38,12 @@ struct private_revocation_validator_t {
revocation_validator_t public;
/**
* Enable OCSP fetching
* Enable OCSP validation
*/
bool enable_ocsp;
/**
* Enable CRL fetching
* Enable CRL validation
*/
bool enable_crl;
@ -743,9 +743,9 @@ METHOD(cert_validator_t, validate, bool,
certificate_t *issuer, bool online, u_int pathlen, bool anchor,
auth_cfg_t *auth)
{
if (subject->get_type(subject) == CERT_X509 &&
issuer->get_type(issuer) == CERT_X509 &&
online)
if (online && (this->enable_ocsp || this->enable_crl) &&
subject->get_type(subject) == CERT_X509 &&
issuer->get_type(issuer) == CERT_X509)
{
DBG1(DBG_CFG, "checking certificate status of \"%Y\"",
subject->get_subject(subject));
@ -832,12 +832,11 @@ revocation_validator_t *revocation_validator_create()
if (!this->enable_ocsp)
{
DBG1(DBG_LIB, "all OCSP fetching disabled");
DBG1(DBG_LIB, "all OCSP validation disabled");
}
if (!this->enable_crl)
{
DBG1(DBG_LIB, "all CRL fetching disabled");
DBG1(DBG_LIB, "all CRL validation disabled");
}
return &this->public;
}
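Review bot: The new early-out condition in validate() (the hunk at -743,9) makes the validator skip the revocation check entirely when both enable_ocsp and enable_crl are off, yet nothing at that point in the code says so; a reader has to work out that the absence of the "checking certificate status" message means the certificate passed through without any revocation check. A one-line comment above the condition would make the consequence explicit: `/* with both OCSP and CRL disabled no revocation check is made here at all; the certificate passes through unchecked */`. Related, the constructor logs the two options separately, so when both are off the log shows two independent lines rather than the stronger fact; a combined line such as `DBG1(DBG_LIB, "revocation checking disabled entirely");` in that case would make the no-op mode visible in the log. The remainder of validate(), including what the skipped path returns, lies outside the hunk, so I am assuming it returns TRUE there.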