ikev2: Don't do online revocation checks in pubkey authenticator if requested

author Tobias Brunner <tobias@strongswan.org>

Tue, 27 Oct 2015 16:28:20 +0000 (17:28 +0100)

committer Tobias Brunner <tobias@strongswan.org>

Thu, 10 Mar 2016 10:07:14 +0000 (11:07 +0100)
author Tobias Brunner <tobias@strongswan.org>
Tue, 27 Oct 2015 16:28:20 +0000 (17:28 +0100)
committer Tobias Brunner <tobias@strongswan.org>
Thu, 10 Mar 2016 10:07:14 +0000 (11:07 +0100)
diff --git a/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c b/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c

index dca80a4d80c115fc5340d7054d6078ebcfdffe41..04ccd4f4f0142f8ae6a192e2431eb20aca574973 100644 (file)
--- a/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c
+++ b/src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c
@@ -365,6 +365,7 @@ METHOD(authenticator_t, process, status_t,
         status_t status = NOT_FOUND;
         keymat_v2_t *keymat;
         const char *reason = "unsupported";
+       bool online;
  
         auth_payload = (auth_payload_t*)message->get_payload(message, PLV2_AUTH);
         if (!auth_payload)
@@ -408,8 +409,10 @@ METHOD(authenticator_t, process, status_t,
                 return FAILED;
         }
         auth = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE);
+       online = !this->ike_sa->has_condition(this->ike_sa,
+                                                                                 COND_ONLINE_VALIDATION_SUSPENDED);
         enumerator = lib->credmgr->create_public_enumerator(lib->credmgr,
-                                                                                                       key_type, id, auth, TRUE);
+                                                                                                       key_type, id, auth, online);
         while (enumerator->enumerate(enumerator, &public, &current_auth))
         {
                 if (public->verify(public, scheme, octets, auth_data))
@@ -421,6 +424,10 @@ METHOD(authenticator_t, process, status_t,
                         auth->merge(auth, current_auth, FALSE);
                         auth->add(auth, AUTH_RULE_AUTH_CLASS, AUTH_CLASS_PUBKEY);
                         auth->add(auth, AUTH_RULE_IKE_SIGNATURE_SCHEME, (uintptr_t)scheme);
+                       if (!online)
+                       {
+                               auth->add(auth, AUTH_RULE_CERT_VALIDATION_SUSPENDED, TRUE);
+                       }
                         break;
                 }
                 else
author	Tobias Brunner <tobias@strongswan.org>
	Tue, 27 Oct 2015 16:28:20 +0000 (17:28 +0100)
committer	Tobias Brunner <tobias@strongswan.org>
	Thu, 10 Mar 2016 10:07:14 +0000 (11:07 +0100)