revocation: Support en-/disabling CRL/OCSP at runtime

diff --git a/src/libstrongswan/plugins/revocation/revocation_plugin.c b/src/libstrongswan/plugins/revocation/revocation_plugin.c
index fe7eaa765acb64dd9c0ae48277fa656ce758321a..f688577e164d879093524eac3c5510e059636ffe 100644 (file)
--- a/src/libstrongswan/plugins/revocation/revocation_plugin.c
+++ b/src/libstrongswan/plugins/revocation/revocation_plugin.c
@@ -76,6 +76,13 @@ METHOD(plugin_t, get_features, int,
        return countof(f);
 }
 
+METHOD(plugin_t, reload, bool,
+       private_revocation_plugin_t *this)
+{
+       this->validator->reload(this->validator);
+       return TRUE;
+}
+
 METHOD(plugin_t, destroy, void,
        private_revocation_plugin_t *this)
 {
@@ -95,6 +102,7 @@ plugin_t *revocation_plugin_create()
                        .plugin = {
                                .get_name = _get_name,
                                .get_features = _get_features,
+                               .reload = _reload,
                                .destroy = _destroy,
                        },
                },

diff --git a/src/libstrongswan/plugins/revocation/revocation_validator.c b/src/libstrongswan/plugins/revocation/revocation_validator.c
index f8e78ac0c9dd1e5b08d6d801a10376b9220813d6..68292e3cd5aaac1833d17cc5e728232133e54160 100644 (file)
--- a/src/libstrongswan/plugins/revocation/revocation_validator.c
+++ b/src/libstrongswan/plugins/revocation/revocation_validator.c
@@ -27,6 +27,7 @@
 #include <credentials/certificates/ocsp_response.h>
 #include <credentials/sets/ocsp_response_wrapper.h>
 #include <selectors/traffic_selector.h>
+#include <threading/spinlock.h>
 
 typedef struct private_revocation_validator_t private_revocation_validator_t;
 
@@ -50,6 +51,10 @@ struct private_revocation_validator_t {
         */
        bool enable_crl;
 
+       /**
+        * Lock to access flags
+        */
+       spinlock_t *lock;
 };
 
 /**
@@ -795,14 +800,21 @@ METHOD(cert_validator_t, validate, bool,
        certificate_t *issuer, bool online, u_int pathlen, bool anchor,
        auth_cfg_t *auth)
 {
-       if (online && (this->enable_ocsp || this->enable_crl) &&
+       bool enable_ocsp, enable_crl;
+
+       this->lock->lock(this->lock);
+       enable_ocsp = this->enable_ocsp;
+       enable_crl = this->enable_crl;
+       this->lock->unlock(this->lock);
+
+       if (online && (enable_ocsp || enable_crl) &&
                subject->get_type(subject) == CERT_X509 &&
                issuer->get_type(issuer) == CERT_X509)
        {
                DBG1(DBG_CFG, "checking certificate status of \"%Y\"",
                                           subject->get_subject(subject));
 
-               if (this->enable_ocsp)
+               if (enable_ocsp)
                {
                        switch (check_ocsp((x509_t*)subject, (x509_t*)issuer, auth))
                        {
@@ -831,7 +843,7 @@ METHOD(cert_validator_t, validate, bool,
                        auth->add(auth, AUTH_RULE_OCSP_VALIDATION, VALIDATION_SKIPPED);
                }
 
-               if (this->enable_crl)
+               if (enable_crl)
                {
                        switch (check_crl((x509_t*)subject, (x509_t*)issuer, auth))
                        {
@@ -865,9 +877,35 @@ METHOD(cert_validator_t, validate, bool,
        return TRUE;
 }
 
+METHOD(revocation_validator_t, reload, void,
+       private_revocation_validator_t *this)
+{
+       bool enable_ocsp, enable_crl;
+
+       enable_ocsp = lib->settings->get_bool(lib->settings,
+                                                       "%s.plugins.revocation.enable_ocsp", TRUE, lib->ns);
+       enable_crl  = lib->settings->get_bool(lib->settings,
+                                                       "%s.plugins.revocation.enable_crl",  TRUE, lib->ns);
+
+       this->lock->lock(this->lock);
+       this->enable_ocsp = enable_ocsp;
+       this->enable_crl = enable_crl;
+       this->lock->unlock(this->lock);
+
+       if (!enable_ocsp)
+       {
+               DBG1(DBG_LIB, "all OCSP validation disabled");
+       }
+       if (!enable_crl)
+       {
+               DBG1(DBG_LIB, "all CRL validation disabled");
+       }
+}
+
 METHOD(revocation_validator_t, destroy, void,
        private_revocation_validator_t *this)
 {
+       this->lock->destroy(this->lock);
        free(this);
 }
 
@@ -881,21 +919,13 @@ revocation_validator_t *revocation_validator_create()
        INIT(this,
                .public = {
                        .validator.validate = _validate,
+                       .reload = _reload,
                        .destroy = _destroy,
                },
-               .enable_ocsp = lib->settings->get_bool(lib->settings,
-                                                       "%s.plugins.revocation.enable_ocsp", TRUE, lib->ns),
-               .enable_crl  = lib->settings->get_bool(lib->settings,
-                                                       "%s.plugins.revocation.enable_crl",  TRUE, lib->ns),
+               .lock = spinlock_create(),
        );
 
-       if (!this->enable_ocsp)
-       {
-               DBG1(DBG_LIB, "all OCSP validation disabled");
-       }
-       if (!this->enable_crl)
-       {
-               DBG1(DBG_LIB, "all CRL validation disabled");
-       }
+       reload(this);
+
        return &this->public;
 }

diff --git a/src/libstrongswan/plugins/revocation/revocation_validator.h b/src/libstrongswan/plugins/revocation/revocation_validator.h
index 82cbde26b15c5919c85536857712b4f1c249dfcd..9128787f18424e985e20bea9e0429cbfc92f0818 100644 (file)
--- a/src/libstrongswan/plugins/revocation/revocation_validator.h
+++ b/src/libstrongswan/plugins/revocation/revocation_validator.h
@@ -1,4 +1,7 @@
 /*
+ * Copyright (C) 2018 Tobias Brunner
+ * HSR Hochschule fuer Technik Rapperswil
+ *
  * Copyright (C) 2010 Martin Willi
  * Copyright (C) 2010 revosec AG
  *
@@ -35,6 +38,11 @@ struct revocation_validator_t {
         */
        cert_validator_t validator;
 
+       /**
+        * Reload the configuration
+        */
+       void (*reload)(revocation_validator_t *this);
+
        /**
         * Destroy a revocation_validator_t.
         */