revocation: OCSP and/or CRL fetching can be disabled
authorAndreas Steffen <andreas.steffen@strongswan.org>
Fri, 30 Dec 2016 17:12:53 +0000 (18:12 +0100)
committerAndreas Steffen <andreas.steffen@strongswan.org>
Fri, 30 Dec 2016 17:12:53 +0000 (18:12 +0100)
conf/Makefile.am
conf/plugins/revocation.opt [new file with mode: 0644]
src/libstrongswan/plugins/revocation/revocation_validator.c

index 4588b09..c4b2c02 100644 (file)
@@ -80,6 +80,7 @@ plugins = \
        plugins/radattr.opt \
        plugins/random.opt \
        plugins/resolve.opt \
+       plugins/revocation.opt \
        plugins/socket-default.opt \
        plugins/sql.opt \
        plugins/stroke.opt \
diff --git a/conf/plugins/revocation.opt b/conf/plugins/revocation.opt
new file mode 100644 (file)
index 0000000..041eaff
--- /dev/null
@@ -0,0 +1,7 @@
+charon.plugins.revocation.enable_ocsp = yes
+       Whether OCSP fetching should be enabled.
+
+charon.plugins.revocation.enable_crl = yes
+        Whether CRL fetching should be enabled.
+
+
index f2e3cdd..7984299 100644 (file)
@@ -36,6 +36,17 @@ struct private_revocation_validator_t {
         * Public revocation_validator_t interface.
         */
        revocation_validator_t public;
+
+       /**
+        * Enable OCSP fetching
+        */
+       bool enable_ocsp;
+
+       /**
+        * Enable CRL fetching
+        */
+       bool enable_crl;
+
 };
 
 /**
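Review bot: The two new field comments read only "Enable OCSP fetching" and "Enable CRL fetching", which does not tell a reader of the struct where the values come from or that they are read once at plugin creation. Suggest `/** Whether OCSP fetching is enabled (charon.plugins.revocation.enable_ocsp) */` and the analogous text for enable_crl, so the struct documents the setting it mirrors. The added empty `+` line directly before `};` is a stray trailing blank in the struct body and can be dropped.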
@@ -738,48 +749,57 @@ METHOD(cert_validator_t, validate, bool,
        {
                DBG1(DBG_CFG, "checking certificate status of \"%Y\"",
                                           subject->get_subject(subject));
-               switch (check_ocsp((x509_t*)subject, (x509_t*)issuer,
-                                                  pathlen ? NULL : auth))
+
+               if (this->enable_ocsp)
                {
-                       case VALIDATION_GOOD:
-                               DBG1(DBG_CFG, "certificate status is good");
-                               return TRUE;
-                       case VALIDATION_REVOKED:
-                       case VALIDATION_ON_HOLD:
-                               /* has already been logged */
-                               lib->credmgr->call_hook(lib->credmgr, CRED_HOOK_REVOKED,
-                                                                               subject);
-                               return FALSE;
-                       case VALIDATION_SKIPPED:
-                               DBG2(DBG_CFG, "ocsp check skipped, no ocsp found");
-                               break;
-                       case VALIDATION_STALE:
-                               DBG1(DBG_CFG, "ocsp information stale, fallback to crl");
-                               break;
-                       case VALIDATION_FAILED:
-                               DBG1(DBG_CFG, "ocsp check failed, fallback to crl");
-                               break;
+                       switch (check_ocsp((x509_t*)subject, (x509_t*)issuer,
+                                                          pathlen ? NULL : auth))
+                       {
+                               case VALIDATION_GOOD:
+                                       DBG1(DBG_CFG, "certificate status is good");
+                                       return TRUE;
+                               case VALIDATION_REVOKED:
+                               case VALIDATION_ON_HOLD:
+                                       /* has already been logged */
+                                       lib->credmgr->call_hook(lib->credmgr, CRED_HOOK_REVOKED,
+                                                                                       subject);
+                                       return FALSE;
+                               case VALIDATION_SKIPPED:
+                                       DBG2(DBG_CFG, "ocsp check skipped, no ocsp found");
+                                       break;
+                               case VALIDATION_STALE:
+                                       DBG1(DBG_CFG, "ocsp information stale, fallback to crl");
+                                       break;
+                               case VALIDATION_FAILED:
+                                       DBG1(DBG_CFG, "ocsp check failed, fallback to crl");
+                                       break;
+                       }
                }
-               switch (check_crl((x509_t*)subject, (x509_t*)issuer,
-                                                 pathlen ? NULL : auth))
+
+               if (this->enable_crl)
                {
-                       case VALIDATION_GOOD:
-                               DBG1(DBG_CFG, "certificate status is good");
-                               return TRUE;
-                       case VALIDATION_REVOKED:
-                       case VALIDATION_ON_HOLD:
-                               /* has already been logged */
-                               lib->credmgr->call_hook(lib->credmgr, CRED_HOOK_REVOKED,
-                                                                               subject);
-                               return FALSE;
-                       case VALIDATION_FAILED:
-                       case VALIDATION_SKIPPED:
-                               DBG1(DBG_CFG, "certificate status is not available");
-                               break;
-                       case VALIDATION_STALE:
-                               DBG1(DBG_CFG, "certificate status is unknown, crl is stale");
-                               break;
+                       switch (check_crl((x509_t*)subject, (x509_t*)issuer,
+                                                         pathlen ? NULL : auth))
+                       {
+                               case VALIDATION_GOOD:
+                                       DBG1(DBG_CFG, "certificate status is good");
+                                       return TRUE;
+                               case VALIDATION_REVOKED:
+                               case VALIDATION_ON_HOLD:
+                                       /* has already been logged */
+                                       lib->credmgr->call_hook(lib->credmgr, CRED_HOOK_REVOKED,
+                                                                                       subject);
+                                       return FALSE;
+                               case VALIDATION_FAILED:
+                               case VALIDATION_SKIPPED:
+                                       DBG1(DBG_CFG, "certificate status is not available");
+                                       break;
+                               case VALIDATION_STALE:
+                                       DBG1(DBG_CFG, "certificate status is unknown, crl is stale");
+                                       break;
+                       }
                }
+
                lib->credmgr->call_hook(lib->credmgr, CRED_HOOK_VALIDATION_FAILED,
                                                                subject);
        }
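Review bot: With both enable_ocsp and enable_crl set to no, this block still logs "checking certificate status of ..." at the top of the hunk and then unconditionally invokes the CRED_HOOK_VALIDATION_FAILED hook at the bottom, although no check was attempted at all, so the hook fires for every certificate validated while revocation fetching is configured off. The condition that opens this block lies above the hunk, so the cleanest fix is there: extend it with `&& (this->enable_ocsp || this->enable_crl)` so the whole status check is skipped when both fetchers are disabled, rather than reporting a validation failure that never ran. Within the hunk, the "fallback to crl" messages in the VALIDATION_STALE and VALIDATION_FAILED cases of the OCSP switch are misleading when enable_crl is no, since no CRL check follows; consider choosing the message text based on this->enable_crl. What validate returns after the hook call is outside the hunk.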
@@ -804,7 +824,20 @@ revocation_validator_t *revocation_validator_create()
                        .validator.validate = _validate,
                        .destroy = _destroy,
                },
+               .enable_ocsp = lib->settings->get_bool(lib->settings,
+                                                       "%s.plugins.revocation.enable_ocsp", TRUE, lib->ns),
+               .enable_crl  = lib->settings->get_bool(lib->settings,
+                                                       "%s.plugins.revocation.enable_crl",  TRUE, lib->ns),
        );
 
+       if (!this->enable_ocsp)
+       {
+               DBG1(DBG_LIB, "all OCSP fetching disabled");
+       }
+       if (!this->enable_crl)
+       {
+               DBG1(DBG_LIB, "all CRL fetching disabled");
+       }
+
        return &this->public;
 }