]> git.ipfire.org Git - people/ms/strongswan.git/commit
projects / people / ms / strongswan.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 1bb0500) | patch
addrblock: Allow limiting validation depth of issuer addrblock extensions
authorMartin Willi <martin@strongswan.org>
Wed, 12 Jan 2022 10:00:20 +0000 (11:00 +0100)
committerTobias Brunner <tobias@strongswan.org>
Mon, 24 Jan 2022 16:32:06 +0000 (17:32 +0100)
commite3d1766aff96324a48612fa64e6fb36475c71afc
treefa1b6548be38a97d09e4aa7c16cb93f848e2087dtree | snapshot
parent1bb05006d3b751532ab77b4c5c0501c0afb655bdcommit | diff
addrblock: Allow limiting validation depth of issuer addrblock extensions

RFC3779 requires to validate the addrblocks of issuer certificates strictly,
that is, they must contain the extension and the claimed addrblock, up to
the root CA.

When working with third party root CAs that do not have the extension,
this makes using the plugin impossible. So add a depth setting that limits
the number of issuer certificates to check bottom-up towards the root CA.
A depth value of 0 disables any issuer check, the default value of -1
checks all issuers in the chain, keeping the existing behavior.

Closes strongswan/strongswan#860
conf/plugins/addrblock.opt diff | blob | blame | history
src/libcharon/plugins/addrblock/addrblock_validator.c diff | blob | blame | history
Michael's strongswan development tree