credential-manager: Make online revocation checks optional for public key enumerator
authorTobias Brunner <tobias@strongswan.org>
Mon, 26 Oct 2015 14:35:23 +0000 (15:35 +0100)
committerTobias Brunner <tobias@strongswan.org>
Thu, 10 Mar 2016 10:07:14 +0000 (11:07 +0100)
src/libcharon/sa/ikev1/authenticators/pubkey_v1_authenticator.c
src/libcharon/sa/ikev2/authenticators/pubkey_authenticator.c
src/libstrongswan/credentials/credential_manager.c
src/libstrongswan/credentials/credential_manager.h
src/libtls/tls_peer.c
src/libtls/tls_server.c

index 793e6d5..eee7dd1 100644 (file)
@@ -173,7 +173,7 @@ METHOD(authenticator_t, process, status_t,
        sig = sig_payload->get_hash(sig_payload);
        auth = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE);
        enumerator = lib->credmgr->create_public_enumerator(lib->credmgr, this->type,
-                                                                                                               id, auth);
+                                                                                                               id, auth, TRUE);
        while (enumerator->enumerate(enumerator, &public, &current_auth))
        {
                if (public->verify(public, scheme, hash, sig))
index 110c509..dca80a4 100644 (file)
@@ -409,7 +409,7 @@ METHOD(authenticator_t, process, status_t,
        }
        auth = this->ike_sa->get_auth_cfg(this->ike_sa, FALSE);
        enumerator = lib->credmgr->create_public_enumerator(lib->credmgr,
-                                                                                                               key_type, id, auth);
+                                                                                                       key_type, id, auth, TRUE);
        while (enumerator->enumerate(enumerator, &public, &current_auth))
        {
                if (public->verify(public, scheme, octets, auth_data))
index 371e640..736111b 100644 (file)
@@ -1,4 +1,5 @@
 /*
+ * Copyright (C) 2015 Tobias Brunner
  * Copyright (C) 2007 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
@@ -993,7 +994,7 @@ METHOD(enumerator_t, public_destroy, void,
 
 METHOD(credential_manager_t, create_public_enumerator, enumerator_t*,
        private_credential_manager_t *this, key_type_t type, identification_t *id,
-       auth_cfg_t *auth)
+       auth_cfg_t *auth, bool online)
 {
        public_enumerator_t *enumerator;
 
@@ -1002,7 +1003,7 @@ METHOD(credential_manager_t, create_public_enumerator, enumerator_t*,
                        .enumerate = (void*)_public_enumerate,
                        .destroy = _public_destroy,
                },
-               .inner = create_trusted_enumerator(this, type, id, TRUE),
+               .inner = create_trusted_enumerator(this, type, id, online),
                .this = this,
        );
        if (auth)
index 445ea3f..022ca56 100644 (file)
@@ -1,4 +1,5 @@
 /*
+ * Copyright (C) 2015 Tobias Brunner
  * Copyright (C) 2007-2009 Martin Willi
  * Hochschule fuer Technik Rapperswil
  *
@@ -202,14 +203,18 @@ struct credential_manager_t {
         * where the auth config helper contains rules for constraint checks.
         * This function is very similar to create_trusted_enumerator(), but
         * gets public keys directly.
+        * If online is set, revocations are checked online for the whole
+        * trustchain.
         *
         * @param type          type of the key to get
         * @param id            owner of the key, signer of the signature
         * @param auth          authentication infos
+        * @param online        whether revocations should be checked online
         * @return                      enumerator
         */
        enumerator_t* (*create_public_enumerator)(credential_manager_t *this,
-                                       key_type_t type, identification_t *id, auth_cfg_t *auth);
+                                       key_type_t type, identification_t *id, auth_cfg_t *auth,
+                                       bool online);
 
        /**
         * Cache a certificate by invoking cache_cert() on all registered sets.
index 000dda4..8087e2e 100644 (file)
@@ -320,7 +320,8 @@ static public_key_t *find_public_key(private_tls_peer_t *this)
        if (cert)
        {
                enumerator = lib->credmgr->create_public_enumerator(lib->credmgr,
-                                               KEY_ANY, cert->get_subject(cert), this->server_auth);
+                                                                                       KEY_ANY, cert->get_subject(cert),
+                                                                                       this->server_auth, TRUE);
                while (enumerator->enumerate(enumerator, &current, &auth))
                {
                        found = auth->get(auth, AUTH_RULE_SUBJECT_CERT);
index f9295a1..cfbe020 100644 (file)
@@ -548,7 +548,7 @@ static status_t process_cert_verify(private_tls_server_t *this,
        bio_reader_t *sig;
 
        enumerator = lib->credmgr->create_public_enumerator(lib->credmgr,
-                                                                               KEY_ANY, this->peer, this->peer_auth);
+                                                                       KEY_ANY, this->peer, this->peer_auth, TRUE);
        while (enumerator->enumerate(enumerator, &public, &auth))
        {
                sig = bio_reader_create(reader->peek(reader));