author | Martin Willi <martin@strongswan.org> | 2017-02-22 09:43:31 +0100 |
---|---|---|
committer | Martin Willi <martin@strongswan.org> | 2017-03-02 08:24:02 +0100 |
commit | d1317adb9a45166cdc8f44117a5fa85ecd053552 (patch) | |
tree | c8e856c9269fc1f00b8e6122f973f52f20bf8901 /src/libcharon | |
parent | da82786b2d8cef68ca6462bf7898a6b19c0b4608 (diff) | |
addrblock: Support an optional non-strict mode accepting certs without addrblock
This allows a gateway to enforce the addrblock policy only on certificates that
actually carry the extension. For (legacy) certificates without the
extension, traffic selectors are validated/narrowed by other means, most
likely by the configuration.
Diffstat (limited to 'src/libcharon')
-rw-r--r-- | src/libcharon/plugins/addrblock/addrblock_validator.c | 14 |
1 files changed, 11 insertions, 3 deletions
diff --git a/src/libcharon/plugins/addrblock/addrblock_validator.c b/src/libcharon/plugins/addrblock/addrblock_validator.c
index 372c978a2..d16a1170c 100644
--- a/src/libcharon/plugins/addrblock/addrblock_validator.c
+++ b/src/libcharon/plugins/addrblock/addrblock_validator.c
@@ -30,12 +30,18 @@ struct private_addrblock_validator_t {
 	 * Public addrblock_validator_t interface.
 	 */
 	addrblock_validator_t public;
+
+	/**
+	 * Whether to reject subject certificates not having a addrBlock extension
+	 */
+	bool strict;
 };
 
 /**
  * Do the addrblock check for two x509 plugins
  */
-static bool check_addrblock(x509_t *subject, x509_t *issuer)
+static bool check_addrblock(private_addrblock_validator_t *this,
+							x509_t *subject, x509_t *issuer)
 {
 	bool subject_const, issuer_const, contained = TRUE;
 	enumerator_t *subject_enumerator, *issuer_enumerator;
@@ -51,7 +57,7 @@ static bool check_addrblock(x509_t *subject, x509_t *issuer)
 	if (!subject_const)
 	{
 		DBG1(DBG_CFG, "subject certficate lacks ipAddrBlocks extension");
-		return FALSE;
+		return !this->strict;
 	}
 	if (!issuer_const)
 	{
@@ -94,7 +100,7 @@ METHOD(cert_validator_t, validate, bool,
 	if (subject->get_type(subject) == CERT_X509 &&
 		issuer->get_type(issuer) == CERT_X509)
 	{
-		if (!check_addrblock((x509_t*)subject, (x509_t*)issuer))
+		if (!check_addrblock(this, (x509_t*)subject, (x509_t*)issuer))
 		{
 			lib->credmgr->call_hook(lib->credmgr, CRED_HOOK_POLICY_VIOLATION,
 									subject);
@@ -124,6 +130,8 @@ addrblock_validator_t *addrblock_validator_create()
 		},
 		.destroy = _destroy,
 	},
+	.strict = lib->settings->get_bool(lib->settings,
+						"%s.plugins.addrblock.strict", TRUE, lib->ns),
 	);
 
 	return &this->public;
|
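Review bot: The new `strict` field's comment in the first hunk is the only place the policy switch is described in the code, and it neither names the extension the way the rest of the file does nor says where the value comes from or what it defaults to. Since the last hunk of this commit reads it from `%s.plugins.addrblock.strict` with a default of `TRUE`, I would make the field comment self-contained: `/** Whether to reject subject certificates lacking an ipAddrBlocks extension (charon.plugins.addrblock.strict, default yes) */`. That also fixes the "a addrBlock" grammar. The body of `check_addrblock()` continues past the end of this hunk.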
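Review bot: In the second hunk the `DBG1` message "subject certficate lacks ipAddrBlocks extension" is still emitted unconditionally, but with `strict` disabled the very next line now accepts the certificate, so an operator reading the log sees what looks like a rejection for a peer that was in fact let through with no address constraint applied at all. I would make the outcome visible in the log and leave a why-comment for the next reader, e.g. `DBG1(DBG_CFG, "subject certficate lacks ipAddrBlocks extension%s", this->strict ? "" : ", accepting in non-strict mode");` followed by `/* non-strict: no addrblock bound applies, TS narrowing is left to the config */` above `return !this->strict;`. Worth stating explicitly somewhere near this return that in non-strict mode a CA-issued certificate without the extension bypasses this validator entirely, so the configured traffic selectors become the only limit on what such a peer may claim. The rest of `check_addrblock()`, including the issuer check and the range enumeration, lies outside this hunk.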
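Review bot: The last hunk introduces a new strongswan.conf option, `charon.plugins.addrblock.strict`, but this diff (limited to src/libcharon) shows no accompanying option documentation; if the commit does not also touch the plugin's conf/plugins options file, it should, since a security-relaxing knob that is only discoverable by reading the source is easy to misuse. I would describe it as: "Whether to reject subject certificates that do not have an ipAddrBlocks extension. If disabled, such certificates are accepted without any address constraint and traffic selectors are bounded by the configuration only." The default of `TRUE` keeps the previous reject behaviour, which is the right choice. The value is read once in `addrblock_validator_create()`, so it appears a change takes effect only when the plugin is re-created, not on a plain configuration reload; that is inferred from this hunk alone. The body of `addrblock_validator_create()` starts outside the hunk.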