From: Tobias Brunner
Date: Thu, 31 Oct 2019 08:49:21 +0000 (+0100)
Subject: vici: Remove obsolete certificate registration for hash-and-URL
X-Git-Tag: 5.8.2dr2~1^2~2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ad14f3a60dc7496d061e30920bba3b72dfc6269c;p=thirdparty%2Fstrongswan.git

vici: Remove obsolete certificate registration for hash-and-URL
---

diff --git a/src/libcharon/plugins/vici/vici_authority.c b/src/libcharon/plugins/vici/vici_authority.c
index bac3eb3884..a91ece0903 100644
--- a/src/libcharon/plugins/vici/vici_authority.c
+++ b/src/libcharon/plugins/vici/vici_authority.c
@@ -87,11 +87,6 @@ struct authority_t {
 	 */
 	linked_list_t *ocsp_uris;
 
-	/**
-	 * Hashes of certificates issued by this CA
-	 */
-	linked_list_t *hashes;
-
 	/**
 	 * Base URI used for certificates from this CA
 	 */
@@ -109,7 +104,6 @@ static authority_t *authority_create(char *name)
 		.name = strdup(name),
 		.crl_uris = linked_list_create(),
 		.ocsp_uris = linked_list_create(),
-		.hashes = linked_list_create(),
 	);
 
 	return authority;
@@ -122,7 +116,6 @@ static void authority_destroy(authority_t *this)
 {
 	this->crl_uris->destroy_function(this->crl_uris, free);
 	this->ocsp_uris->destroy_function(this->ocsp_uris, free);
-	this->hashes->destroy_offset(this->hashes, offsetof(identification_t, destroy));
 	DESTROY_IF(this->cert);
 	free(this->cert_uri_base);
 	free(this->name);
@@ -738,48 +731,6 @@ METHOD(credential_set_t, create_cdp_enumerator, enumerator_t*,
 									(void*)create_inner_cdp, data, (void*)cdp_data_destroy);
 }
 
-METHOD(vici_authority_t, check_for_hash_and_url, void,
-	private_vici_authority_t *this, certificate_t* cert)
-{
-	authority_t *authority;
-	enumerator_t *enumerator;
-	hasher_t *hasher;
-
-	hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
-	if (hasher == NULL)
-	{
-		DBG1(DBG_CFG, "unable to use hash-and-url: sha1 not supported");
-		return;
-	}
-
-	this->lock->write_lock(this->lock);
-	enumerator = this->authorities->create_enumerator(this->authorities);
-	while (enumerator->enumerate(enumerator, &authority))
-	{
-		if (authority->cert_uri_base &&
-			cert->issued_by(cert, authority->cert, NULL))
-		{
-			chunk_t hash, encoded;
-
-			if (cert->get_encoding(cert, CERT_ASN1_DER, &encoded))
-			{
-				if (hasher->allocate_hash(hasher, encoded, &hash))
-				{
-					authority->hashes->insert_last(authority->hashes,
-							identification_create_from_encoding(ID_KEY_ID, hash));
-					chunk_free(&hash);
-				}
-				chunk_free(&encoded);
-			}
-			break;
-		}
-	}
-	enumerator->destroy(enumerator);
-	this->lock->unlock(this->lock);
-
-	hasher->destroy(hasher);
-}
-
 METHOD(vici_authority_t, destroy, void,
 	private_vici_authority_t *this)
 {
@@ -808,7 +759,6 @@ vici_authority_t *vici_authority_create(vici_dispatcher_t *dispatcher,
 			.create_cdp_enumerator = _create_cdp_enumerator,
 			.cache_cert = (void*)nop,
 		},
-		.check_for_hash_and_url = _check_for_hash_and_url,
 		.destroy = _destroy,
 	},
 	.dispatcher = dispatcher,
diff --git a/src/libcharon/plugins/vici/vici_authority.h b/src/libcharon/plugins/vici/vici_authority.h
index dbeabae620..58f542cdd9 100644
--- a/src/libcharon/plugins/vici/vici_authority.h
+++ b/src/libcharon/plugins/vici/vici_authority.h
@@ -36,13 +36,6 @@ struct vici_authority_t {
 	 */
 	credential_set_t set;
 
-	/**
-	 * Check if a certificate can be made available through hash and URL.
-	 *
-	 * @param cert			end entity certificate
-	 */
-	void (*check_for_hash_and_url)(vici_authority_t *this, certificate_t* cert);
-
 	/**
 	 * Destroy a vici_authority_t.
 	 */
diff --git a/src/libcharon/plugins/vici/vici_config.c b/src/libcharon/plugins/vici/vici_config.c
index 1ff0754f44..49ebea44b0 100644
--- a/src/libcharon/plugins/vici/vici_config.c
+++ b/src/libcharon/plugins/vici/vici_config.c
@@ -1417,14 +1417,8 @@ CALLBACK(parse_cert_policy, bool,
  */
 static bool add_cert(auth_data_t *auth, auth_rule_t rule, certificate_t *cert)
 {
-	vici_authority_t *authority;
 	vici_cred_t *cred;
 
-	if (rule == AUTH_RULE_SUBJECT_CERT)
-	{
-		authority = auth->request->this->authority;
-		authority->check_for_hash_and_url(authority, cert);
-	}
 	cred = auth->request->this->cred;
 	cert = cred->add_cert(cred, cert);
 	auth->cfg->add(auth->cfg, rule, cert);