From: Tobias Brunner
Date: Thu, 31 Oct 2019 08:51:07 +0000 (+0100)
Subject: stroke: Remove obsolete certificate registration for hash-and-URL
X-Git-Tag: 5.8.2dr2~1^2~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d592ff72bc19a348c8546e682130906b4bcfb734;p=thirdparty%2Fstrongswan.git
stroke: Remove obsolete certificate registration for hash-and-URL
---
diff --git a/src/libcharon/plugins/stroke/stroke_ca.c b/src/libcharon/plugins/stroke/stroke_ca.c
index f728284d98..bfaa9a9d94 100644
--- a/src/libcharon/plugins/stroke/stroke_ca.c
+++ b/src/libcharon/plugins/stroke/stroke_ca.c
@@ -89,11 +89,6 @@ struct ca_section_t {
 */
 linked_list_t *ocsp;
- /**
- * Hashes of certificates issued by this CA
- */
- linked_list_t *hashes;
-
 /**
 * Base URI used for certificates from this CA
 */
@@ -132,7 +127,6 @@ static ca_section_t *ca_section_create(char *name, char *path)
 ca->path = strdup(path);
 ca->crl = linked_list_create();
 ca->ocsp = linked_list_create();
- ca->hashes = linked_list_create();
 ca->certuribase = NULL;
 return ca;
 }
@@ -144,7 +138,6 @@ static void ca_section_destroy(ca_section_t *this)
 {
 this->crl->destroy_function(this->crl, free);
 this->ocsp->destroy_function(this->ocsp, free);
- this->hashes->destroy_offset(this->hashes, offsetof(identification_t, destroy));
 this->cert->destroy(this->cert);
 free(this->certuribase);
 free(this->path);
@@ -607,46 +600,6 @@ static void list_uris(linked_list_t *list, char *label, FILE *out)
 enumerator->destroy(enumerator);
 }
-METHOD(stroke_ca_t, check_for_hash_and_url, void,
- private_stroke_ca_t *this, certificate_t* cert)
-{
- ca_section_t *section;
- enumerator_t *enumerator;
- hasher_t *hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
- if (hasher == NULL)
- {
- DBG1(DBG_IKE, "unable to use hash-and-url: sha1 not supported");
- return;
- }
- this->lock->write_lock(this->lock);
- enumerator = this->sections->create_enumerator(this->sections);
- while (enumerator->enumerate(enumerator, (void**)§ion))
- {
- if (section->certuribase && cert->issued_by(cert, section->cert, NULL))
- {
- chunk_t hash, encoded;
- if (cert->get_encoding(cert, CERT_ASN1_DER, &encoded))
- {
- if (hasher->allocate_hash(hasher, encoded, &hash))
- {
- section->hashes->insert_last(section->hashes,
- identification_create_from_encoding(ID_KEY_ID, hash));
- chunk_free(&hash);
- }
- chunk_free(&encoded);
- }
- break;
- }
- }
- enumerator->destroy(enumerator);
- this->lock->unlock(this->lock);
- hasher->destroy(hasher);
-}
-
 METHOD(stroke_ca_t, list, void,
 private_stroke_ca_t *this, stroke_msg_t *msg, FILE *out)
 {
@@ -726,7 +679,6 @@ stroke_ca_t *stroke_ca_create()
 .get_cert_ref = _get_cert_ref,
 .reload_certs = _reload_certs,
 .replace_certs = _replace_certs,
- .check_for_hash_and_url = _check_for_hash_and_url,
 .destroy = _destroy,
 },
 .sections = linked_list_create(),
diff --git a/src/libcharon/plugins/stroke/stroke_ca.h b/src/libcharon/plugins/stroke/stroke_ca.h
index 064a7edec3..97b77dbb98 100644
--- a/src/libcharon/plugins/stroke/stroke_ca.h
+++ b/src/libcharon/plugins/stroke/stroke_ca.h
@@ -58,13 +58,6 @@ struct stroke_ca_t {
 */
 void (*list)(stroke_ca_t *this, stroke_msg_t *msg, FILE *out);
- /**
- * Check if a certificate can be made available through hash and URL.
- *
- * @param cert peer certificate
- */
- void (*check_for_hash_and_url)(stroke_ca_t *this, certificate_t* cert);
-
 /**
 * Get a reference to a CA certificate if it is already stored,
 * otherwise returns the same certificate.
diff --git a/src/libcharon/plugins/stroke/stroke_config.c b/src/libcharon/plugins/stroke/stroke_config.c
index 1514b74dd3..fe5c1a542e 100644
--- a/src/libcharon/plugins/stroke/stroke_config.c
+++ b/src/libcharon/plugins/stroke/stroke_config.c
@@ -425,10 +425,6 @@ static auth_cfg_t *build_auth_cfg(private_stroke_config_t *this,
 certificate = this->cred->load_peer(this->cred, cert);
 if (certificate)
 {
- if (local)
- {
- this->ca->check_for_hash_and_url(this->ca, certificate);
- }
 cfg->add(cfg, AUTH_RULE_SUBJECT_CERT, certificate);
 if (!first)
 {