From: Andreas Steffen
Date: Sat, 5 Feb 2011 08:01:18 +0000 (+0100)
Subject: introduced libstrongswan.x509.enforce_critical parameter
X-Git-Tag: 4.5.1~58
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c4fd3b2f42a489f8e6328bd7e9400cbca35f0d09;p=thirdparty%2Fstrongswan.git
introduced libstrongswan.x509.enforce_critical parameter
---
diff --git a/man/strongswan.conf.5.in b/man/strongswan.conf.5.in
index 88d14ae3fd..47aa6d552d 100644
--- a/man/strongswan.conf.5.in
+++ b/man/strongswan.conf.5.in
@@ -460,6 +460,9 @@ Check daemon, libstrongswan and plugin integrity at startup
 .TP
 .BR libstrongswan.leak_detective.detailed " [yes]"
 Includes source file names and line numbers in leak detective output
+.TP
+.BR libstrongswan.x509.enforce_critical " [yes]"
+Discard certificates with unsupported or unknown critical extensions
 .SS libstrongswan.plugins subsection
 .TP
 .BR libstrongswan.plugins.attr-sql.database
@@ -475,13 +478,8 @@ Use faster random numbers in gcrypt; for testing only, produces weak keys!
 ENGINE ID to use in the OpenSSL plugin
 .TP
 .BR libstrongswan.plugins.pkcs11.modules
-
 .TP
 .BR libstrongswan.plugins.pkcs11.use_hasher " [no]"
-
-.TP
-.BR libstrongswan.plugins.x509.enforce_critical " [no]"
-Discard certificates with unsupported or unknown critical extensions
 .SS libtls section
 .TP
 .BR libtls.cipher
diff --git a/src/libstrongswan/plugins/openssl/openssl_crl.c b/src/libstrongswan/plugins/openssl/openssl_crl.c
index 7786b7fbb8..58401faa51 100644
--- a/src/libstrongswan/plugins/openssl/openssl_crl.c
+++ b/src/libstrongswan/plugins/openssl/openssl_crl.c
@@ -460,7 +460,9 @@ static bool parse_extensions(private_openssl_crl_t *this)
 ok = parse_crlNumber_ext(this, ext);
 break;
 default:
-ok = X509_EXTENSION_get_critical(ext) != 0;
+ok = X509_EXTENSION_get_critical(ext) == 0 ||
+!lib->settings->get_bool(lib->settings,
+"libstrongswan.x509.enforce_critical", TRUE);
 if (!ok)
 {
 DBG1(DBG_LIB, "found unsupported critical X.509 "
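Review bot: With libstrongswan.x509.enforce_critical set to no, the new default branch accepts an unsupported critical extension without any log output, because the only DBG1 sits inside the `if (!ok)` block that is then skipped; an operator who disabled enforcement gets no trace of which CRLs relied on it. Keeping the critical flag in a local makes the lenient path loggable: `bool critical = X509_EXTENSION_get_critical(ext) != 0;`, `ok = !critical || !lib->settings->get_bool(lib->settings, "libstrongswan.x509.enforce_critical", TRUE);`, then `if (ok && critical) { DBG1(DBG_LIB, "ignoring unsupported critical X.509 extension"); }` before the existing check. The same silent acceptance appears in the openssl_x509.c hunk at -804 and, as far as the visible lines show, in the x509_cert.c and x509_crl.c hunks, where a critical unknown extension falls out of the `if` without a message when the setting is off. The enclosing switch and parse_extensions() continue outside the hunk.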
diff --git a/src/libstrongswan/plugins/openssl/openssl_x509.c b/src/libstrongswan/plugins/openssl/openssl_x509.c
index ddc9d5b6e7..f096b2b5b2 100644
--- a/src/libstrongswan/plugins/openssl/openssl_x509.c
+++ b/src/libstrongswan/plugins/openssl/openssl_x509.c
@@ -804,7 +804,9 @@ static bool parse_extensions(private_openssl_x509_t *this)
 ok = parse_crlDistributionPoints_ext(this, ext);
 break;
 default:
-ok = X509_EXTENSION_get_critical(ext) == 0;
+ok = X509_EXTENSION_get_critical(ext) == 0 ||
+!lib->settings->get_bool(lib->settings,
+"libstrongswan.x509.enforce_critical", TRUE);
 if (!ok)
 {
 DBG1(DBG_LIB, "found unsupported critical X.509 extension");
@@ -916,7 +918,7 @@ static bool parse_certificate(private_openssl_x509_t *this)
 
 if (!parse_extensions(this))
 {
-return TRUE;
+return FALSE;
 }
 
 parse_extKeyUsage(this);
diff --git a/src/libstrongswan/plugins/x509/x509_cert.c b/src/libstrongswan/plugins/x509/x509_cert.c
index 4c9d042e7a..d4fb4e0753 100644
--- a/src/libstrongswan/plugins/x509/x509_cert.c
+++ b/src/libstrongswan/plugins/x509/x509_cert.c
@@ -1443,9 +1443,9 @@ static bool parse_certificate(private_x509_cert_t *this)
 break;
 default:
 if (critical && lib->settings->get_bool(lib->settings,
-"libstrongswan.plugins.x509.enforce_critical", FALSE))
+"libstrongswan.x509.enforce_critical", TRUE))
 {
-DBG1(DBG_LIB, "critical %s extension not supported",
+DBG1(DBG_LIB, "critical '%s' extension not supported",
 (extn_oid == OID_UNKNOWN) ? "unknown" :
 (char*)oid_names[extn_oid].name);
 goto end;
diff --git a/src/libstrongswan/plugins/x509/x509_crl.c b/src/libstrongswan/plugins/x509/x509_crl.c
index afb8ebdba5..758505ab54 100644
--- a/src/libstrongswan/plugins/x509/x509_crl.c
+++ b/src/libstrongswan/plugins/x509/x509_crl.c
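Review bot: The new `return FALSE;` in the -916 hunk turns a parse_extensions() failure into a rejected certificate, which is the security decision this commit introduces, yet the line carries no explanation and nothing stops a later cleanup from restoring the old lenient return. A comment on the line, such as `/* an unsupported critical extension must make the certificate unusable, see libstrongswan.x509.enforce_critical */`, records the intent; whether parse_extensions() fails for other reasons is not visible here, so the comment should not claim more. The following `parse_extKeyUsage(this);` discards its result, so if that parser can fail, the leniency removed here still exists one line later. parse_certificate() starts and ends outside the hunk.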
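Review bot: In the x509_cert.c hunk the default flips from FALSE to TRUE, so after an upgrade a certificate with an unknown critical extension is discarded where it was accepted before, and the DBG1 in that branch does not tell the operator which setting controls the decision. Naming it in the message, e.g. `DBG1(DBG_LIB, "critical '%s' extension not supported (libstrongswan.x509.enforce_critical)", ...)`, makes the log actionable without changing the control flow. The identical DBG1 in the x509_crl.c hunk deserves the same wording. The switch and parse_certificate() continue outside the hunk, so the effect of `goto end` is not visible here.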
@@ -322,9 +322,9 @@ static bool parse(private_x509_crl_t *this)
 break;
 default:
 if (critical && lib->settings->get_bool(lib->settings,
-"libstrongswan.plugins.x509.enforce_critical", FALSE))
+"libstrongswan.x509.enforce_critical", TRUE))
 {
-DBG1(DBG_LIB, "critical %s extension not supported",
+DBG1(DBG_LIB, "critical '%s' extension not supported",
 (extn_oid == OID_UNKNOWN) ? "unknown" :
 (char*)oid_names[extn_oid].name);
 goto end;