addrblock: Support an optional non-strict mode accepting certs without addrblock

This allows a gateway to enforce the addrblock policy on certificates that
actually have the extension only. For (legacy) certificates not having the
extension, traffic selectors are validated/narrowed by other means, most
likely by the configuration.

diff --git a/conf/Makefile.am b/conf/Makefile.am
index 80fa31e73f9587ceae5d0058c8709ea7a907a1fb..41912c43a7c746dd2ccfafda855f476ed8d416dd 100644 (file)
--- a/conf/Makefile.am
+++ b/conf/Makefile.am
@@ -28,6 +28,7 @@ options = \
        options/tnc.opt
 
 plugins = \
+       plugins/addrblock.opt \
        plugins/android_log.opt \
        plugins/attr.opt \
        plugins/attr-sql.opt \

diff --git a/conf/plugins/addrblock.opt b/conf/plugins/addrblock.opt
new file mode 100644 (file)
index 0000000..e35e4c5
--- /dev/null
+++ b/conf/plugins/addrblock.opt
@@ -0,0 +1,8 @@
+charon.plugins.addrblock.strict = yes
+       Whether to strictly require addrblock extension in subject certificates.
+
+       If set to yes, a subject certificate without an addrblock extension is
+       rejected if the issuer certificate has such an addrblock extension. If set
+       to no, subject certificates issued without the addrblock extension are
+       accepted without any traffic selector checks and no policy is enforced
+       by the plugin.

diff --git a/src/libcharon/plugins/addrblock/addrblock_validator.c b/src/libcharon/plugins/addrblock/addrblock_validator.c
index 372c978a2232bcaeeb36623d1cf660d4401cb3f7..d16a1170c529af701e3c642b1bb7ab3cd9cd770c 100644 (file)
--- a/src/libcharon/plugins/addrblock/addrblock_validator.c
+++ b/src/libcharon/plugins/addrblock/addrblock_validator.c
@@ -30,12 +30,18 @@ struct private_addrblock_validator_t {
         * Public addrblock_validator_t interface.
         */
        addrblock_validator_t public;
+
+       /**
+        * Whether to reject subject certificates not having a addrBlock extension
+        */
+       bool strict;
 };
 
 /**
  * Do the addrblock check for two x509 plugins
  */
-static bool check_addrblock(x509_t *subject, x509_t *issuer)
+static bool check_addrblock(private_addrblock_validator_t *this,
+                                                       x509_t *subject, x509_t *issuer)
 {
        bool subject_const, issuer_const, contained = TRUE;
        enumerator_t *subject_enumerator, *issuer_enumerator;
@@ -51,7 +57,7 @@ static bool check_addrblock(x509_t *subject, x509_t *issuer)
        if (!subject_const)
        {
                DBG1(DBG_CFG, "subject certficate lacks ipAddrBlocks extension");
-               return FALSE;
+               return !this->strict;
        }
        if (!issuer_const)
        {
@@ -94,7 +100,7 @@ METHOD(cert_validator_t, validate, bool,
        if (subject->get_type(subject) == CERT_X509 &&
                issuer->get_type(issuer) == CERT_X509)
        {
-               if (!check_addrblock((x509_t*)subject, (x509_t*)issuer))
+               if (!check_addrblock(this, (x509_t*)subject, (x509_t*)issuer))
                {
                        lib->credmgr->call_hook(lib->credmgr, CRED_HOOK_POLICY_VIOLATION,
                                                                        subject);
@@ -124,6 +130,8 @@ addrblock_validator_t *addrblock_validator_create()
                        },
                        .destroy = _destroy,
                },
+               .strict = lib->settings->get_bool(lib->settings,
+                                               "%s.plugins.addrblock.strict", TRUE, lib->ns),
        );
 
        return &this->public;