From: Andreas Steffen
Date: Sun, 20 Dec 2009 14:53:39 +0000 (+0100)
Subject: discard certificate with unknown critical extensions
X-Git-Tag: 4.3.6~94
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=28c25485baf30aeee2ea84ca5dee81639697fb47;p=thirdparty%2Fstrongswan.git

discard certificate with unknown critical extensions
---
diff --git a/src/libstrongswan/plugins/x509/x509_cert.c b/src/libstrongswan/plugins/x509/x509_cert.c
index 623a26803e..fc68cdc7bd 100644
--- a/src/libstrongswan/plugins/x509/x509_cert.c
+++ b/src/libstrongswan/plugins/x509/x509_cert.c
@@ -905,6 +905,14 @@ static bool parse_certificate(private_x509_cert_t *this)
 }
 break;
 default:
+ if (critical && lib->settings->get_bool(lib->settings,
+ "libstrongswan.plugins.x509_cert.enforce_critical", FALSE))
+ {
+ DBG1("critical %s extension not supported",
+ (extn_oid == OID_UNKNOWN) ? "unknown" :
+ (char*)oid_names[extn_oid].name);
+ goto end;
+ }
 break;
 }
 break;
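Review bot: The rejection added in the `default:` branch is opt-in, because the `get_bool()` lookup falls back to `FALSE`; an installation that never sets `libstrongswan.plugins.x509_cert.enforce_critical` still accepts a certificate carrying a critical extension this parser does not handle. RFC 5280 section 4.2 requires a relying party to reject such a certificate, so the safer fallback is `"libstrongswan.plugins.x509_cert.enforce_critical", TRUE))`, with the key kept as an explicit opt-out for interoperability. If `FALSE` has to stay for compatibility, the branch should carry a comment such as `/* fail-open unless enforce_critical is set; RFC 5280 4.2 requires rejection */`, and the accepted-anyway case should still emit a debug line so the unhandled critical extension shows up in logs. The body of parse_certificate starts and ends outside the hunk, so it cannot be confirmed from here that `goto end` leaves the parse result as failure.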