List: strongswan-announce
Subject: [strongSwan-dev] [PATCH 2/2] Do not accept CRLs with future validity
From: Thomas Egerer <thomas.egerer () secunet ! com>
Date: 2012-03-05 17:41:01
Message-ID: 4F54FAAD.4000907 () secunet ! com
---
.../plugins/revocation/revocation_validator.c | 15 ++++++++++++---
1 files changed, 12 insertions(+), 3 deletions(-)
["0002-Do-not-accept-CRLs-with-future-validity.patch" (text/x-patch)]
diff --git a/src/libstrongswan/plugins/revocation/revocation_validator.c \
b/src/libstrongswan/plugins/revocation/revocation_validator.c
index 34f347d..b5ac32e \
100644
--- a/src/libstrongswan/plugins/revocation/revocation_validator.c
+++ b/src/libstrongswan/plugins/revocation/revocation_validator.c
@@ -366,7 +366,7 @@ static certificate_t *get_better_crl(certificate_t *cand, \
certificate_t *best, bool cache, crl_t *base)
{
enumerator_t *enumerator;
- time_t revocation, valid_until;
+ time_t revocation, valid_from, valid_until, now;
crl_reason_t reason;
chunk_t serial;
crl_t *crl = (crl_t*)cand;
@@ -423,9 +423,10 @@ static certificate_t *get_better_crl(certificate_t *cand, \
certificate_t *best, /* select the better of the two CRLs */
if (best == NULL || crl_is_newer(crl, (crl_t*)best))
{
+ now = time(NULL);
DESTROY_IF(best);
best = cand;
- if (best->get_validity(best, NULL, NULL, &valid_until))
+ if (best->get_validity(best, NULL, &valid_from, &valid_until))
{
DBG1(DBG_CFG, " crl is valid: until %T", &valid_until, FALSE);
*valid = VALIDATION_GOOD;
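Review bot: `now` comes from a separate `time(NULL)` call while `get_validity()` is still passed NULL for its time argument, so the validity decision and the later `now > valid_until` comparison can rest on two different instants. If that second parameter is the reference time (as the NULL suggests), passing the sample in keeps them consistent: `if (best->get_validity(best, &now, &valid_from, &valid_until))`. Otherwise a CRL that expires between the two calls would be logged as "not valid yet". Separately, `best = cand` runs before the validity check, so a candidate preferred by `crl_is_newer()` replaces the previous best even if it then fails validation; please confirm this is intended for future-dated CRLs. The function body starts and ends outside this hunk.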
@@ -436,7 +437,15 @@ static certificate_t *get_better_crl(certificate_t *cand, \
certificate_t *best, }
else
{
- DBG1(DBG_CFG, " crl is stale: since %T", &valid_until, FALSE);
+ if (now > valid_until)
+ {
+ DBG1(DBG_CFG, " crl is stale: since %T", &valid_until, FALSE);
+ }
+ else
+ {
+ DBG1(DBG_CFG, " crl not valid yet: valid from %T",
+ &valid_from, FALSE);
+ }
*valid = VALIDATION_STALE;
}
}
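Review bot: The new `else` branch logs "not valid yet" for every failure that is not `now > valid_until`, without ever comparing against `valid_from`. Testing it explicitly, `else if (now < valid_from)`, with a plain fallback message keeps the log truthful if `get_validity()` can fail for another reason. Both branches still end in `*valid = VALIDATION_STALE`, so the only change visible here is the log text; whether a CRL with a future start date is actually refused depends on `get_validity()` and on how callers treat a stale result, neither of which is in this patch. A short comment above the assignment, such as `/* not-yet-valid CRLs are treated like stale ones */`, would make that policy explicit. The enclosing block continues outside the hunk.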