Added options to flush CRLs/X509 certs from the cert cache
authorMartin Willi <martin@revosec.ch>
Thu, 9 Dec 2010 09:06:25 +0000 (10:06 +0100)
committerMartin Willi <martin@revosec.ch>
Fri, 10 Dec 2010 08:45:22 +0000 (09:45 +0100)
src/ipsec/ipsec.in
src/libcharon/plugins/stroke/stroke_socket.c
src/stroke/stroke.c
src/stroke/stroke_keywords.h
src/stroke/stroke_keywords.txt
src/stroke/stroke_msg.h

index 0bddc20..362ee4e 100755 (executable)
@@ -65,7 +65,7 @@ case "$1" in
        echo "  rereadsecrets|rereadgroups"
        echo "  rereadcacerts|rereadaacerts|rereadocspcerts"
        echo "  rereadacerts|rereadcrls|rereadall"
-       echo "  purgeocsp|purgeike"
+       echo "  purgeocsp|purgecrl|purgex509|purgeike"
        echo "  scencrypt|scdecrypt <value> [--inbase <base>] [--outbase <base>] [--keyid <id>]"
        echo "  openac"
        echo "  pluto"
@@ -191,7 +191,7 @@ rereadall|purgeocsp)
        fi
        exit "$rc"
        ;;
-purgeike)
+purgeike|purgecrl|purgex509)
        rc=7
        if [ -e $IPSEC_CHARON_PID ]
        then
index 2e321f8..aa665cf 100644 (file)
@@ -359,6 +359,14 @@ static void stroke_purge(private_stroke_socket_t *this,
        {
                lib->credmgr->flush_cache(lib->credmgr, CERT_X509_OCSP_RESPONSE);
        }
+       if (msg->purge.flags & PURGE_CRL)
+       {
+               lib->credmgr->flush_cache(lib->credmgr, CERT_X509_CRL);
+       }
+       if (msg->purge.flags & PURGE_X509)
+       {
+               lib->credmgr->flush_cache(lib->credmgr, CERT_X509);
+       }
        if (msg->purge.flags & PURGE_IKE)
        {
                this->control->purge_ike(this->control, msg, out);
index 7c27e12..8b43b6d 100644 (file)
@@ -286,6 +286,8 @@ static int reread(stroke_keyword_t kw)
 static int purge_flags[] = {
        PURGE_OCSP,
        PURGE_IKE,
+       PURGE_CRL,
+       PURGE_X509,
 };
 
 static int purge(stroke_keyword_t kw)
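Review bot: The two entries added to purge_flags[] are appended after PURGE_IKE, while the stroke_keywords.h hunk in this same commit inserts STROKE_PURGE_CRL and STROKE_PURGE_X509 between STROKE_PURGE_OCSP and STROKE_PURGE_IKE, so the table order no longer matches the keyword enum order. If purge() (its body lies outside the hunk) selects the flag by keyword offset, e.g. `purge_flags[kw - STROKE_PURGE_OCSP]`, then `purgecrl` would send PURGE_IKE, `purgex509` PURGE_CRL and `purgeike` PURGE_X509, and an operator asking to flush a cache would instead tear down IKE_SAs. The table should follow the enum: `PURGE_OCSP, PURGE_CRL, PURGE_X509, PURGE_IKE,`. A comment above the array such as `/* indexed by keyword offset from STROKE_PURGE_OCSP; keep in sync with stroke_keyword_t */` would make the coupling visible the next time a purge keyword is added.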
@@ -383,6 +385,10 @@ static void exit_usage(char *error)
        printf("    stroke rereadsecrets|rereadcrls|rereadall\n");
        printf("  Purge ocsp cache entries:\n");
        printf("    stroke purgeocsp\n");
+       printf("  Purge CRL cache entries:\n");
+       printf("    stroke purgecrl\n");
+       printf("  Purge X509 cache entries:\n");
+       printf("    stroke purgex509\n");
        printf("  Purge IKE_SAs without a CHILD_SA:\n");
        printf("    stroke purgeike\n");
        printf("  Export credentials to the console:\n");
@@ -508,6 +514,8 @@ int main(int argc, char *argv[])
                        res = reread(token->kw);
                        break;
                case STROKE_PURGE_OCSP:
+               case STROKE_PURGE_CRL:
+               case STROKE_PURGE_X509:
                case STROKE_PURGE_IKE:
                        res = purge(token->kw);
                        break;
index a57415e..71e67c3 100644 (file)
@@ -49,6 +49,8 @@ typedef enum {
        STROKE_REREAD_CRLS,
        STROKE_REREAD_ALL,
        STROKE_PURGE_OCSP,
+       STROKE_PURGE_CRL,
+       STROKE_PURGE_X509,
        STROKE_PURGE_IKE,
        STROKE_EXPORT_X509,
        STROKE_LEASES,
index 7633da4..099038c 100644 (file)
@@ -56,6 +56,8 @@ rereadacerts,    STROKE_REREAD_ACERTS
 rereadcrls,      STROKE_REREAD_CRLS
 rereadall,       STROKE_REREAD_ALL
 purgeocsp,       STROKE_PURGE_OCSP
+purgecrl,        STROKE_PURGE_CRL
+purgex509,       STROKE_PURGE_X509
 purgeike,        STROKE_PURGE_IKE
 exportx509,      STROKE_EXPORT_X509
 leases,          STROKE_LEASES
index 1abaf6c..64d9aa7 100644 (file)
@@ -107,6 +107,10 @@ enum purge_flag_t {
        PURGE_OCSP =            0x0001,
        /** purge IKE_SAs without a CHILD_SA */
        PURGE_IKE =                     0x0002,
+       /** purge CRL cache entries */
+       PURGE_CRL =                     0x0004,
+       /** purge X509 cache entries */
+       PURGE_X509 =            0x0008,
 };
 
 typedef enum export_flag_t export_flag_t;