Fail on critical extensions in openssl CRLs

author: Martin Willi <martin@revosec.ch> 2010-12-17 11:40:01 +0100
committer: Martin Willi <martin@revosec.ch> 2011-01-05 16:46:03 +0100
commit: e24a02a28fbde4efcba79da0bcf7068ad4127dae (patch)
tree: f85d9aef25dd41da158df4a3955e65090c0b0fa1 /src/libstrongswan/plugins/openssl/openssl_crl.c
parent: 51b7e9ce728e73fff05c5f6712e3603e720da9b4 (diff)
download: strongswan-e24a02a28fbde4efcba79da0bcf7068ad4127dae.tar.bz2
strongswan-e24a02a28fbde4efcba79da0bcf7068ad4127dae.tar.xz
1 files changed, 6 insertions, 1 deletions
diff --git a/src/libstrongswan/plugins/openssl/openssl_crl.c b/src/libstrongswan/plugins/openssl/openssl_crl.c
index b9d97a901..793899d33 100644
--- a/src/libstrongswan/plugins/openssl/openssl_crl.c
+++ b/src/libstrongswan/plugins/openssl/openssl_crl.c
@@ -458,7 +458,12 @@ static bool parse_extensions(private_openssl_crl_t *this)
 					ok = parse_crlNumber_ext(this, ext);
 					break;
 				default:
-					ok = TRUE;
+					ok = X509_EXTENSION_get_critical(ext) != 0;
+					if (!ok)
+					{
+						DBG1(DBG_LIB, "found unsupported critical X.509 "
+							 "CRL extension");
+					}
 					break;
 			}
 			if (!ok)
author	Martin Willi <martin@revosec.ch>	2010-12-17 11:40:01 +0100
committer	Martin Willi <martin@revosec.ch>	2011-01-05 16:46:03 +0100
commit	e24a02a28fbde4efcba79da0bcf7068ad4127dae (patch)
tree	f85d9aef25dd41da158df4a3955e65090c0b0fa1 /src/libstrongswan/plugins/openssl/openssl_crl.c
parent	51b7e9ce728e73fff05c5f6712e3603e720da9b4 (diff)
download	strongswan-e24a02a28fbde4efcba79da0bcf7068ad4127dae.tar.bz2 strongswan-e24a02a28fbde4efcba79da0bcf7068ad4127dae.tar.xz