--- /dev/null
+charon.plugins.addrblock.strict = yes
+ Whether to strictly require addrblock extension in subject certificates.
+
+ If set to yes, a subject certificate without an addrblock extension is
+ rejected if the issuer certificate has such an addrblock extension. If set
+ to no, subject certificates issued without the addrblock extension are
+ accepted without any traffic selector checks and no policy is enforced
+ by the plugin.
* Public addrblock_validator_t interface.
*/
addrblock_validator_t public;
+
+ /**
+ * Whether to reject subject certificates not having a addrBlock extension
+ */
+ bool strict;
};
/**
* Do the addrblock check for two x509 plugins
*/
-static bool check_addrblock(x509_t *subject, x509_t *issuer)
+static bool check_addrblock(private_addrblock_validator_t *this,
+ x509_t *subject, x509_t *issuer)
{
bool subject_const, issuer_const, contained = TRUE;
enumerator_t *subject_enumerator, *issuer_enumerator;
if (!subject_const)
{
DBG1(DBG_CFG, "subject certficate lacks ipAddrBlocks extension");
- return FALSE;
+ return !this->strict;
}
if (!issuer_const)
{
if (subject->get_type(subject) == CERT_X509 &&
issuer->get_type(issuer) == CERT_X509)
{
- if (!check_addrblock((x509_t*)subject, (x509_t*)issuer))
+ if (!check_addrblock(this, (x509_t*)subject, (x509_t*)issuer))
{
lib->credmgr->call_hook(lib->credmgr, CRED_HOOK_POLICY_VIOLATION,
subject);
},
.destroy = _destroy,
},
+ .strict = lib->settings->get_bool(lib->settings,
+ "%s.plugins.addrblock.strict", TRUE, lib->ns),
);
return &this->public;