charon.plugins.revocation.enable_ocsp = yes
- Whether OCSP fetching should be enabled.
+ Whether OCSP validation should be enabled.
charon.plugins.revocation.enable_crl = yes
- Whether CRL fetching should be enabled.
+ Whether CRL validation should be enabled.
revocation_validator_t public;
/**
- * Enable OCSP fetching
+ * Enable OCSP validation
*/
bool enable_ocsp;
/**
- * Enable CRL fetching
+ * Enable CRL validation
*/
bool enable_crl;
certificate_t *issuer, bool online, u_int pathlen, bool anchor,
auth_cfg_t *auth)
{
- if (subject->get_type(subject) == CERT_X509 &&
- issuer->get_type(issuer) == CERT_X509 &&
- online)
+ if (online && (this->enable_ocsp || this->enable_crl) &&
+ subject->get_type(subject) == CERT_X509 &&
+ issuer->get_type(issuer) == CERT_X509)
{
DBG1(DBG_CFG, "checking certificate status of \"%Y\"",
subject->get_subject(subject));
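Review bot: With the added `(this->enable_ocsp || this->enable_crl)` term in the guard, a configuration that disables both options now bypasses this block without logging anything for the certificate in question, so a skipped revocation check leaves no per-certificate trace. The code after the block, including the return value, lies outside the hunk; if it reports success, as the existing skip when `online` is false presumably does, this is a fail-open path and deserves a comment above the condition, e.g. `/* no revocation checking at all if both OCSP and CRL are disabled */`. A higher-verbosity message for the case where only the two flags caused the skip, such as `DBG2(DBG_CFG, "revocation checking disabled, status of \"%Y\" not checked", subject->get_subject(subject));`, would let an operator confirm from the log that revocation state was not verified. The option descriptions changed at the top of this commit could state the same consequence, since "validation" disabled for both mechanisms means revoked certificates are not detected.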
if (!this->enable_ocsp)
{
- DBG1(DBG_LIB, "all OCSP fetching disabled");
+ DBG1(DBG_LIB, "all OCSP validation disabled");
}
if (!this->enable_crl)
{
- DBG1(DBG_LIB, "all CRL fetching disabled");
+ DBG1(DBG_LIB, "all CRL validation disabled");
}
-
return &this->public;
}