From: Tobias Brunner
Date: Wed, 20 Jun 2018 15:18:03 +0000 (+0200)
Subject: android: Add flags to control CRL/OCSP fetching and strict revocation
X-Git-Tag: 5.7.0dr5~20^2~21
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=a7060581188b60d63a6da0f5827b217d01209d00;p=thirdparty%2Fstrongswan.git
android: Add flags to control CRL/OCSP fetching and strict revocation
---
diff --git a/src/frontends/android/app/src/main/java/org/strongswan/android/data/VpnProfile.java b/src/frontends/android/app/src/main/java/org/strongswan/android/data/VpnProfile.java
index 00cd393ca6..84ac65f706 100644
--- a/src/frontends/android/app/src/main/java/org/strongswan/android/data/VpnProfile.java
+++ b/src/frontends/android/app/src/main/java/org/strongswan/android/data/VpnProfile.java
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2012-2017 Tobias Brunner
+ * Copyright (C) 2012-2018 Tobias Brunner
 * Copyright (C) 2012 Giuliano Grassi
 * Copyright (C) 2012 Ralf Sager
 * HSR Hochschule fuer Technik Rapperswil
@@ -30,7 +30,11 @@ public class VpnProfile implements Cloneable
 /* While storing this as EnumSet would be nicer this simplifies storing it in a database */
 public static final int SPLIT_TUNNELING_BLOCK_IPV4 = 1;
 public static final int SPLIT_TUNNELING_BLOCK_IPV6 = 2;
- public static final int FLAGS_SUPPRESS_CERT_REQS = 1;
+
+ public static final int FLAGS_SUPPRESS_CERT_REQS = 1 << 0;
+ public static final int FLAGS_DISABLE_CRL = 1 << 1;
+ public static final int FLAGS_DISABLE_OCSP = 1 << 2;
+ public static final int FLAGS_STRICT_REVOCATION = 1 << 3;
 private String mName, mGateway, mUsername, mPassword, mCertificate, mUserCertificate;
 private String mRemoteId, mLocalId, mExcludedSubnets, mIncludedSubnets, mSelectedApps;
diff --git a/src/frontends/android/app/src/main/java/org/strongswan/android/logic/CharonVpnService.java b/src/frontends/android/app/src/main/java/org/strongswan/android/logic/CharonVpnService.java
index b46127e2c1..2f402de5db 100644
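Review bot: The four FLAGS_* constants in the @@ -30 hunk are undocumented, and nothing states what an unset bit means or that the values are persisted; since FLAGS_DISABLE_CRL and FLAGS_DISABLE_OCSP are opt-out bits while FLAGS_STRICT_REVOCATION is opt-in, a reader has to open CharonVpnService to learn the polarity. The comment above the split-tunneling constants says those are kept as ints to simplify database storage, and the flags are presumably stored the same way (the storage code is not in the hunk), in which case renumbering a bit later would silently change the meaning of existing profiles. I would add above FLAGS_SUPPRESS_CERT_REQS: `/* Bit mask; if persisted with the profile like the split-tunneling value, existing bits must never be renumbered. Unset bits keep the defaults: cert requests sent, CRL/OCSP fetching enabled, revocation checks not strict. */`. The class VpnProfile continues outside the hunk.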
--- a/src/frontends/android/app/src/main/java/org/strongswan/android/logic/CharonVpnService.java
+++ b/src/frontends/android/app/src/main/java/org/strongswan/android/logic/CharonVpnService.java
@@ -300,6 +300,8 @@ public class CharonVpnService extends VpnService implements Runnable, VpnStateSe
 writer.setValue("global.language", Locale.getDefault().getLanguage());
 writer.setValue("global.mtu", mCurrentProfile.getMTU());
 writer.setValue("global.nat_keepalive", mCurrentProfile.getNATKeepAlive());
+ writer.setValue("global.crl", (mCurrentProfile.getFlags() & VpnProfile.FLAGS_DISABLE_CRL) == 0);
+ writer.setValue("global.ocsp", (mCurrentProfile.getFlags() & VpnProfile.FLAGS_DISABLE_OCSP) == 0);
 writer.setValue("connection.type", mCurrentProfile.getVpnType().getIdentifier());
 writer.setValue("connection.server", mCurrentProfile.getGateway());
 writer.setValue("connection.port", mCurrentProfile.getPort());
@@ -308,6 +310,7 @@ public class CharonVpnService extends VpnService implements Runnable, VpnStateSe
 writer.setValue("connection.local_id", mCurrentProfile.getLocalId());
 writer.setValue("connection.remote_id", mCurrentProfile.getRemoteId());
 writer.setValue("connection.certreq", (mCurrentProfile.getFlags() & VpnProfile.FLAGS_SUPPRESS_CERT_REQS) == 0);
+ writer.setValue("connection.strict_revocation", (mCurrentProfile.getFlags() & VpnProfile.FLAGS_STRICT_REVOCATION) != 0);
 writer.setValue("connection.ike_proposal", mCurrentProfile.getIkeProposal());
 writer.setValue("connection.esp_proposal", mCurrentProfile.getEspProposal());
 initiate(writer.serialize());
diff --git a/src/frontends/android/app/src/main/jni/libandroidbridge/backend/android_service.c b/src/frontends/android/app/src/main/jni/libandroidbridge/backend/android_service.c
index f4418bd882..055e23bac4 100644
--- a/src/frontends/android/app/src/main/jni/libandroidbridge/backend/android_service.c
+++ b/src/frontends/android/app/src/main/jni/libandroidbridge/backend/android_service.c
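Review bot: `mCurrentProfile.getFlags()` is now evaluated four times with the same mask-and-compare shape across this hunk (global.crl, global.ocsp) and the @@ -308 hunk (connection.certreq, connection.strict_revocation). Reading it once into a local, `int flags = mCurrentProfile.getFlags();`, and writing `(flags & VpnProfile.FLAGS_DISABLE_CRL) == 0` keeps each line short and makes the inverted polarity (a DISABLE bit producing an "enabled" boolean) easier to spot when reading the serialized settings side by side. The enclosing method starts before and ends after the hunk.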
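Review bot: No check rejects FLAGS_STRICT_REVOCATION being set together with both FLAGS_DISABLE_CRL and FLAGS_DISABLE_OCSP, yet in that combination the daemon is told to require a good revocation status while both ways of obtaining one are switched off, so every connection attempt with such a profile would presumably fail without an obvious explanation. Validating the combination where the profile is edited or loaded, or at least logging a warning here before `initiate(writer.serialize())` is called, would make the misconfiguration visible to the user rather than looking like a server-side authentication problem. The safe defaults are preserved as written: with no bits set, fetching stays on and strict checking off.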
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2010-2017 Tobias Brunner
+ * Copyright (C) 2010-2018 Tobias Brunner
 * Copyright (C) 2012 Giuliano Grassi
 * Copyright (C) 2012 Ralf Sager
 * HSR Hochschule fuer Technik Rapperswil
@@ -822,6 +822,10 @@ static job_requeue_t initiate(private_android_service_t *this)
 }
 auth->add(auth, AUTH_RULE_IDENTITY, gateway);
 auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
+ if (this->settings->get_bool(this->settings, "connection.strict_revocation", FALSE))
+ {
+ auth->add(auth, AUTH_RULE_CRL_VALIDATION, VALIDATION_GOOD);
+ }
 peer_cfg->add_auth_cfg(peer_cfg, auth, FALSE);
 child_cfg = child_cfg_create("android", &child);
diff --git a/src/frontends/android/app/src/main/jni/libandroidbridge/charonservice.c b/src/frontends/android/app/src/main/jni/libandroidbridge/charonservice.c
index cb9dfa8075..cc3edbdf45 100644
--- a/src/frontends/android/app/src/main/jni/libandroidbridge/charonservice.c
+++ b/src/frontends/android/app/src/main/jni/libandroidbridge/charonservice.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2012-2017 Tobias Brunner
+ * Copyright (C) 2012-2018 Tobias Brunner
 * Copyright (C) 2012 Giuliano Grassi
 * Copyright (C) 2012 Ralf Sager
 * HSR Hochschule fuer Technik Rapperswil
@@ -412,6 +412,12 @@ static void initiate(settings_t *settings)
 lib->settings->set_str(lib->settings, "charon.plugins.tnc-imc.preferred_language", settings->get_str(settings, "global.language", "en"));
+ lib->settings->set_bool(lib->settings,
+ "charon.plugins.revocation.enable_crl",
+ settings->get_bool(settings, "global.crl", TRUE));
+ lib->settings->set_bool(lib->settings,
+ "charon.plugins.revocation.enable_ocsp",
+ settings->get_bool(settings, "global.ocsp", TRUE));
 /* this is actually the size of the complete IKE/IP packet, so if the MTU
 * for the TUN devices has to be reduced to pass traffic the IKE packets
 * will be a bit smaller than necessary as there is no IPsec overhead like
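Review bot: In the @@ -822 hunk of android_service.c the VALIDATION_GOOD requirement is added on the strict flag alone, without looking at global.crl and global.ocsp, which the app serializes into the same settings object and which charonservice.c uses to turn the fetch paths off. When both are false the requirement cannot be satisfied as far as I can tell, so the gateway authentication fails with nothing in the log pointing at the profile. Emitting a DBG1 warning for that combination before adding the rule keeps the strict behaviour (failing closed is the right outcome) while making the cause diagnosable. The `}` at the top of the hunk and the rest of initiate() are outside the hunk.
```c
	if (this->settings->get_bool(this->settings, "connection.strict_revocation", FALSE))
	{
		if (!this->settings->get_bool(this->settings, "global.crl", TRUE) &&
			!this->settings->get_bool(this->settings, "global.ocsp", TRUE))
		{
			DBG1(DBG_CFG, "strict revocation enabled but CRL and OCSP "
				 "fetching are both disabled");
		}
		auth->add(auth, AUTH_RULE_CRL_VALIDATION, VALIDATION_GOOD);
	}
	/* … unchanged: peer_cfg->add_auth_cfg() and child config creation … */
```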
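Review bot: The two set_bool calls in the @@ -412 hunk of charonservice.c invert the polarity of the app's FLAGS_DISABLE_CRL/FLAGS_DISABLE_OCSP bits (the Java side writes global.crl as "DISABLE bit not set"), and nothing in this file says so; a reader of charonservice.c alone cannot tell whether global.crl means "fetch" or "disable". A short comment above the first call would settle it: `/* global.crl/global.ocsp are "fetching enabled" booleans the app derives from its FLAGS_DISABLE_* profile bits; the TRUE defaults keep fetching on when the app sends nothing */`. The defaults are the safe choice for an absent key. initiate() continues on both sides of the hunk.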
@@ -426,6 +432,9 @@ static void initiate(settings_t *settings) settings->get_int(settings, "global.nat_keepalive", ANDROID_KEEPALIVE_INTERVAL)); + /* reload plugins after changing settings */ + lib->plugins->reload(lib->plugins, NULL); + this->creds->clear(this->creds); DESTROY_IF(this->service); this->service = android_service_create(this->creds, settings);
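Review bot: The comment `/* reload plugins after changing settings */` says what the added line does but not which settings need it, so a later reader may drop the call as redundant; the reload is presumably there because the revocation plugin reads charon.plugins.revocation.enable_crl/enable_ocsp, set earlier in this function, only when it is (re)loaded, though the hunk itself does not show that. I would write `/* reload plugins so the revocation plugin picks up the enable_crl/enable_ocsp values set above */`. Passing NULL appears to reload every plugin rather than only revocation; if the second argument accepts a plugin-name list, as I recall it does, narrowing it to `"revocation"` would avoid re-initialising unrelated plugins on every initiate(), but confirm against plugin_loader's signature. initiate() continues outside the hunk.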