authorAndreas Steffen <andreas.steffen@strongswan.org>2011-02-05 09:01:18 +0100
committerAndreas Steffen <andreas.steffen@strongswan.org>2011-02-05 09:01:18 +0100
commitc4fd3b2f42a489f8e6328bd7e9400cbca35f0d09 (patch)
treeb3b187ce633dfe2352487b65f89f762c9f78b572
parent8d13c12eac39e7750dbdc24f0a5d83436bdd0407 (diff)
downloadstrongswan-c4fd3b2f42a489f8e6328bd7e9400cbca35f0d09.tar.bz2
strongswan-c4fd3b2f42a489f8e6328bd7e9400cbca35f0d09.tar.xz
introduced libstrongswan.x509.enforce_critical parameter
-rw-r--r--man/strongswan.conf.5.in8
-rw-r--r--src/libstrongswan/plugins/openssl/openssl_crl.c4
-rw-r--r--src/libstrongswan/plugins/openssl/openssl_x509.c6
-rw-r--r--src/libstrongswan/plugins/x509/x509_cert.c4
-rw-r--r--src/libstrongswan/plugins/x509/x509_crl.c4
5 files changed, 14 insertions, 12 deletions
diff --git a/man/strongswan.conf.5.in b/man/strongswan.conf.5.in
index 88d14ae3f..47aa6d552 100644
--- a/man/strongswan.conf.5.in
+++ b/man/strongswan.conf.5.in
@@ -460,6 +460,9 @@ Check daemon, libstrongswan and plugin integrity at startup
.TP
.BR libstrongswan.leak_detective.detailed " [yes]"
Includes source file names and line numbers in leak detective output
+.TP
+.BR libstrongswan.x509.enforce_critical " [yes]"
+Discard certificates with unsupported or unknown critical extensions
.SS libstrongswan.plugins subsection
.TP
.BR libstrongswan.plugins.attr-sql.database
@@ -475,13 +478,8 @@ Use faster random numbers in gcrypt; for testing only, produces weak keys!
ENGINE ID to use in the OpenSSL plugin
.TP
.BR libstrongswan.plugins.pkcs11.modules
-
.TP
.BR libstrongswan.plugins.pkcs11.use_hasher " [no]"
-
-.TP
-.BR libstrongswan.plugins.x509.enforce_critical " [no]"
-Discard certificates with unsupported or unknown critical extensions
.SS libtls section
.TP
.BR libtls.cipher
diff --git a/src/libstrongswan/plugins/openssl/openssl_crl.c b/src/libstrongswan/plugins/openssl/openssl_crl.c
index 7786b7fbb..58401faa5 100644
--- a/src/libstrongswan/plugins/openssl/openssl_crl.c
+++ b/src/libstrongswan/plugins/openssl/openssl_crl.c
@@ -460,7 +460,9 @@ static bool parse_extensions(private_openssl_crl_t *this)
ok = parse_crlNumber_ext(this, ext);
break;
default:
- ok = X509_EXTENSION_get_critical(ext) != 0;
+ ok = X509_EXTENSION_get_critical(ext) == 0 ||
+ !lib->settings->get_bool(lib->settings,
+ "libstrongswan.x509.enforce_critical", TRUE);
if (!ok)
{
DBG1(DBG_LIB, "found unsupported critical X.509 "
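Review bot: With enforce_critical set to no, the `default:` branch now accepts a CRL carrying an unknown critical extension without any log line, because the `DBG1` at the end of the hunk only fires when `ok` is FALSE; an operator who relaxed the setting gets no record that a critical extension was tolerated. I would log the tolerated extension before `ok` is left TRUE, e.g. `DBG1(DBG_LIB, "ignoring unsupported critical X.509 extension (enforce_critical disabled)");` in a branch taken when `X509_EXTENSION_get_critical(ext)` is non-zero but the setting is off. The same silent-accept path exists in the openssl_x509.c hunk and, in the x509 plugin, at the `if (critical && ...)` guards in x509_cert.c and x509_crl.c. The settings lookup also runs once per unknown extension; since parse_extensions' loop begins and ends outside the hunk, it is presumably cheap to hoist into a local `bool enforce` read once before the loop.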
diff --git a/src/libstrongswan/plugins/openssl/openssl_x509.c b/src/libstrongswan/plugins/openssl/openssl_x509.c
index ddc9d5b6e..f096b2b5b 100644
--- a/src/libstrongswan/plugins/openssl/openssl_x509.c
+++ b/src/libstrongswan/plugins/openssl/openssl_x509.c
@@ -804,7 +804,9 @@ static bool parse_extensions(private_openssl_x509_t *this)
ok = parse_crlDistributionPoints_ext(this, ext);
break;
default:
- ok = X509_EXTENSION_get_critical(ext) == 0;
+ ok = X509_EXTENSION_get_critical(ext) == 0 ||
+ !lib->settings->get_bool(lib->settings,
+ "libstrongswan.x509.enforce_critical", TRUE);
if (!ok)
{
DBG1(DBG_LIB, "found unsupported critical X.509 extension");
@@ -916,7 +918,7 @@ static bool parse_certificate(private_openssl_x509_t *this)
if (!parse_extensions(this))
{
- return TRUE;
+ return FALSE;
}
parse_extKeyUsage(this);
diff --git a/src/libstrongswan/plugins/x509/x509_cert.c b/src/libstrongswan/plugins/x509/x509_cert.c
index 4c9d042e7..d4fb4e075 100644
--- a/src/libstrongswan/plugins/x509/x509_cert.c
+++ b/src/libstrongswan/plugins/x509/x509_cert.c
@@ -1443,9 +1443,9 @@ static bool parse_certificate(private_x509_cert_t *this)
break;
default:
if (critical && lib->settings->get_bool(lib->settings,
- "libstrongswan.plugins.x509.enforce_critical", FALSE))
+ "libstrongswan.x509.enforce_critical", TRUE))
{
- DBG1(DBG_LIB, "critical %s extension not supported",
+ DBG1(DBG_LIB, "critical '%s' extension not supported",
(extn_oid == OID_UNKNOWN) ? "unknown" :
(char*)oid_names[extn_oid].name);
goto end;
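Review bot: The key `"libstrongswan.x509.enforce_critical"` and its default `TRUE` are spelled out as separate literals in this hunk, in x509_crl.c, and in both OpenSSL plugin hunks; the defect this commit repairs, where two files still read the old `libstrongswan.plugins.x509` key with default `FALSE` while the man page documented another, shows how such copies drift and leave one plugin enforcing a different policy than the others. A single shared definition, e.g. `#define X509_ENFORCE_CRITICAL_SETTING "libstrongswan.x509.enforce_critical"` (name constructed) in a header both plugins include, plus a shared default, would make the next rename or policy change a one-line edit. The enclosing parse_certificate starts and ends outside the hunk.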
diff --git a/src/libstrongswan/plugins/x509/x509_crl.c b/src/libstrongswan/plugins/x509/x509_crl.c
index afb8ebdba..758505ab5 100644
--- a/src/libstrongswan/plugins/x509/x509_crl.c
+++ b/src/libstrongswan/plugins/x509/x509_crl.c
@@ -322,9 +322,9 @@ static bool parse(private_x509_crl_t *this)
break;
default:
if (critical && lib->settings->get_bool(lib->settings,
- "libstrongswan.plugins.x509.enforce_critical", FALSE))
+ "libstrongswan.x509.enforce_critical", TRUE))
{
- DBG1(DBG_LIB, "critical %s extension not supported",
+ DBG1(DBG_LIB, "critical '%s' extension not supported",
(extn_oid == OID_UNKNOWN) ? "unknown" :
(char*)oid_names[extn_oid].name);
goto end;