
List:       strongswan-announce
Subject:    [strongSwan-dev] [PATCH 2/2] Do not accept CRLs with future validity
From:       Thomas Egerer <thomas.egerer () secunet ! com>
Date:       2012-03-05 17:41:01
Message-ID: 4F54FAAD.4000907 () secunet ! com

---
 .../plugins/revocation/revocation_validator.c      |   15 ++++++++++++---
 1 files changed, 12 insertions(+), 3 deletions(-)



["0002-Do-not-accept-CRLs-with-future-validity.patch" (text/x-patch)]

diff --git a/src/libstrongswan/plugins/revocation/revocation_validator.c \
b/src/libstrongswan/plugins/revocation/revocation_validator.c index 34f347d..b5ac32e \
                100644
--- a/src/libstrongswan/plugins/revocation/revocation_validator.c
+++ b/src/libstrongswan/plugins/revocation/revocation_validator.c
@@ -366,7 +366,7 @@ static certificate_t *get_better_crl(certificate_t *cand, \
certificate_t *best,  bool cache, crl_t *base)
 {
 	enumerator_t *enumerator;
-	time_t revocation, valid_until;
+	time_t revocation, valid_from, valid_until, now;
 	crl_reason_t reason;
 	chunk_t serial;
 	crl_t *crl = (crl_t*)cand;
@@ -423,9 +423,10 @@ static certificate_t *get_better_crl(certificate_t *cand, \
certificate_t *best,  /* select the better of the two CRLs */
 	if (best == NULL || crl_is_newer(crl, (crl_t*)best))
 	{
+		now = time(NULL);
 		DESTROY_IF(best);
 		best = cand;
-		if (best->get_validity(best, NULL, NULL, &valid_until))
+		if (best->get_validity(best, NULL, &valid_from, &valid_until))
 		{
 			DBG1(DBG_CFG, "  crl is valid: until %T", &valid_until, FALSE);
 			*valid = VALIDATION_GOOD;
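Review bot: `now` is read with its own `time(NULL)` call on the added line, while `get_validity` on the next changed line is still passed `NULL` as its reference time, so the stale / not-yet-valid split made against `now` further down uses a different timestamp than the one `get_validity` rejected. If `get_validity` takes a `time_t *` as that argument (it is handed `NULL` here, so that looks likely), use one clock reading for both: `if (best->get_validity(best, &now, &valid_from, &valid_until))`. Note also that `DESTROY_IF(best)` and `best = cand` still run before the validity check, so a newer CRL dated in the future still displaces a still-valid older candidate in this selection, which sits oddly with the patch subject; a one-line comment stating that this is intended would help. get_better_crl starts and ends outside this hunk.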
@@ -436,7 +437,15 @@ static certificate_t *get_better_crl(certificate_t *cand, \
certificate_t *best,  }
 		else
 		{
-			DBG1(DBG_CFG, "  crl is stale: since %T", &valid_until, FALSE);
+			if (now > valid_until)
+			{
+				DBG1(DBG_CFG, "  crl is stale: since %T", &valid_until, FALSE);
+			}
+			else
+			{
+				DBG1(DBG_CFG, "  crl not valid yet: valid from %T",
+						&valid_from, FALSE);
+			}
 			*valid = VALIDATION_STALE;
 		}
 	}
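Review bot: Both new branches still fall through to the unchanged `*valid = VALIDATION_STALE;`, so the only functional difference this hunk introduces is the log text; a CRL that is not yet valid is reported to the caller exactly like an expired one and nothing outside this function can tell them apart. If logging is all "do not accept" is meant to do here, a comment above the `if` would stop the next reader from expecting a rejection: `/* a CRL dated in the future is reported as stale, same as an expired one */`. The new message would also be more useful when chasing clock skew if it showed the local time next to `valid_from`, e.g. `DBG1(DBG_CFG, "  crl not valid yet: valid from %T (now %T)", &valid_from, FALSE, &now, FALSE);`. The enclosing function continues past the end of this hunk.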



_______________________________________________
Dev mailing list
Dev@lists.strongswan.org
https://lists.strongswan.org/mailman/listinfo/dev

