revocation: More accurately describe the flags to disable OCSP/CRL validation
authorTobias Brunner <tobias@strongswan.org>
Wed, 25 Jan 2017 15:17:38 +0000 (16:17 +0100)
committerTobias Brunner <tobias@strongswan.org>
Wed, 15 Feb 2017 09:41:38 +0000 (10:41 +0100)
These options disable validation as such, e.g. even from cached CRLs, not
only the fetching.  Also made the plugin's validate() implementation a
no-op if both options are disabled.

conf/plugins/revocation.opt
src/libstrongswan/plugins/revocation/revocation_validator.c

index 041eaff..5d2b8c0 100644 (file)
@@ -1,7 +1,7 @@
 charon.plugins.revocation.enable_ocsp = yes
-       Whether OCSP fetching should be enabled.
+       Whether OCSP validation should be enabled.
 
 charon.plugins.revocation.enable_crl = yes
-        Whether CRL fetching should be enabled.
+       Whether CRL validation should be enabled.
 
 
index 7984299..16ee0ec 100644 (file)
@@ -38,12 +38,12 @@ struct private_revocation_validator_t {
        revocation_validator_t public;
 
        /**
-        * Enable OCSP fetching
+        * Enable OCSP validation
         */
        bool enable_ocsp;
 
        /**
-        * Enable CRL fetching
+        * Enable CRL validation
         */
        bool enable_crl;
 
@@ -743,9 +743,9 @@ METHOD(cert_validator_t, validate, bool,
        certificate_t *issuer, bool online, u_int pathlen, bool anchor,
        auth_cfg_t *auth)
 {
-       if (subject->get_type(subject) == CERT_X509 &&
-               issuer->get_type(issuer) == CERT_X509 &&
-               online)
+       if (online && (this->enable_ocsp || this->enable_crl) &&
+               subject->get_type(subject) == CERT_X509 &&
+               issuer->get_type(issuer) == CERT_X509)
        {
                DBG1(DBG_CFG, "checking certificate status of \"%Y\"",
                                           subject->get_subject(subject));
@@ -832,12 +832,11 @@ revocation_validator_t *revocation_validator_create()
 
        if (!this->enable_ocsp)
        {
-               DBG1(DBG_LIB, "all OCSP fetching disabled");
+               DBG1(DBG_LIB, "all OCSP validation disabled");
        }
        if (!this->enable_crl)
        {
-               DBG1(DBG_LIB, "all CRL fetching disabled");
+               DBG1(DBG_LIB, "all CRL validation disabled");
        }
-
        return &this->public;
 }
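Review bot: In the validate() hunk, the new `(this->enable_ocsp || this->enable_crl)` term makes the validator skip revocation checking entirely, including lookups against already-cached CRLs, without any per-certificate trace, so the intent deserves a comment at the condition: `/* skip revocation checking entirely (even cached CRLs) when both OCSP and CRL validation are disabled */`. The only indication that this state is in effect is the two DBG1 lines in revocation_validator_create(), which are emitted once at plugin load; a reader of a connection log that lacks the "checking certificate status" line cannot tell from validate() itself whether the omission was deliberate. The body of validate() continues outside the hunk, so what is returned when the condition is false is not visible here, but presumably it falls through to the existing success return, which is what makes the no-op equivalent to accepting the certificate without any status check.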