From: Tobias Brunner
Date: Wed, 25 Jan 2017 15:17:38 +0000 (+0100)
Subject: revocation: More accurately describe the flags to disable OCSP/CRL validation
X-Git-Tag: 5.5.2dr5~13
X-Git-Url: http://git.ipfire.org/gitweb/gitweb.cgi?a=commitdiff_plain;h=2de9bb30fea178bc27db146859a136a64c390013;p=thirdparty%2Fstrongswan.git
revocation: More accurately describe the flags to disable OCSP/CRL validation
These options disable validation as such, e.g. even from cached CRLs, not only the fetching. Also made the plugin's validate() implementation a no-op if both options are disabled.
---
diff --git a/conf/plugins/revocation.opt b/conf/plugins/revocation.opt
index 041eaffe67..5d2b8c0268 100644
--- a/conf/plugins/revocation.opt
+++ b/conf/plugins/revocation.opt
@@ -1,7 +1,7 @@
 charon.plugins.revocation.enable_ocsp = yes
- Whether OCSP fetching should be enabled.
+ Whether OCSP validation should be enabled.
 charon.plugins.revocation.enable_crl = yes
- Whether CRL fetching should be enabled.
+ Whether CRL validation should be enabled.
diff --git a/src/libstrongswan/plugins/revocation/revocation_validator.c b/src/libstrongswan/plugins/revocation/revocation_validator.c
index 7984299011..16ee0ecc73 100644
--- a/src/libstrongswan/plugins/revocation/revocation_validator.c
+++ b/src/libstrongswan/plugins/revocation/revocation_validator.c
@@ -38,12 +38,12 @@ struct private_revocation_validator_t {
 revocation_validator_t public;
 /**
- * Enable OCSP fetching
+ * Enable OCSP validation
 */
 bool enable_ocsp;
 /**
- * Enable CRL fetching
+ * Enable CRL validation
 */
 bool enable_crl;
@@ -743,9 +743,9 @@ METHOD(cert_validator_t, validate, bool,
 certificate_t *issuer, bool online, u_int pathlen, bool anchor,
 auth_cfg_t *auth)
 {
- if (subject->get_type(subject) == CERT_X509 &&
- issuer->get_type(issuer) == CERT_X509 &&
- online)
+ if (online && (this->enable_ocsp || this->enable_crl) &&
+ subject->get_type(subject) == CERT_X509 &&
+ issuer->get_type(issuer) == CERT_X509)
 {
 DBG1(DBG_CFG, "checking certificate status of \"%Y\"",
 subject->get_subject(subject));
@@ -832,12 +832,11 @@ revocation_validator_t *revocation_validator_create()
 if (!this->enable_ocsp)
 {
- DBG1(DBG_LIB, "all OCSP fetching disabled");
+ DBG1(DBG_LIB, "all OCSP validation disabled");
 }
 if (!this->enable_crl)
 {
- DBG1(DBG_LIB, "all CRL fetching disabled");
+ DBG1(DBG_LIB, "all CRL validation disabled");
 }
-
 return &this->public;
 }
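Review bot: The rewritten condition in validate() makes the method a silent no-op when both enable_ocsp and enable_crl are false, yet nothing on that path records that the certificate's revocation status was never consulted; the only trace left is the one-time DBG1 in revocation_validator_create() shown in the last hunk. A short comment above the `if` would make the intent explicit for the next reader, e.g. `/* with both OCSP and CRL disabled this validator deliberately skips revocation checking; the certificate's status is never consulted */`. Moving the cheap flag tests ahead of the get_type() calls also changes the evaluation order of the condition, which is easy to miss in review and worth a word in the comment or commit message. validate() begins before the hunk and its body, including what it returns in the skipped case, continues past it.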