Fail when parsing unsupported critical extensions in openssl_x509

author: Martin Willi <martin@revosec.ch> 2010-12-14 17:34:34 +0100
committer: Martin Willi <martin@revosec.ch> 2011-01-05 16:46:02 +0100
commit: b0892d094c4295c0d02e2a7c026304020d86a847 (patch)
tree: ba4545964fb9803603e58f3b6bffed20288bbb2f /src/libstrongswan/plugins/openssl/openssl_x509.c
parent: 2d3ae93832c4f9e7a7789806df1f06b0d8fea9ee (diff)
download: strongswan-b0892d094c4295c0d02e2a7c026304020d86a847.tar.bz2
strongswan-b0892d094c4295c0d02e2a7c026304020d86a847.tar.xz
1 files changed, 5 insertions, 1 deletions
diff --git a/src/libstrongswan/plugins/openssl/openssl_x509.c b/src/libstrongswan/plugins/openssl/openssl_x509.c
index 80639ddc0..80e421ab6 100644
--- a/src/libstrongswan/plugins/openssl/openssl_x509.c
+++ b/src/libstrongswan/plugins/openssl/openssl_x509.c
@@ -841,7 +841,11 @@ static bool parse_extensions(private_openssl_x509_t *this)
 					ok = parse_crlDistributionPoints_ext(this, ext);
 					break;
 				default:
-					ok = TRUE;
+					ok = X509_EXTENSION_get_critical(ext) != 0;
+					if (!ok)
+					{
+						DBG1(DBG_LIB, "found unsupported critical X.509 extension");
+					}
 					break;
 			}
 			if (!ok)
author	Martin Willi <martin@revosec.ch>	2010-12-14 17:34:34 +0100
committer	Martin Willi <martin@revosec.ch>	2011-01-05 16:46:02 +0100
commit	b0892d094c4295c0d02e2a7c026304020d86a847 (patch)
tree	ba4545964fb9803603e58f3b6bffed20288bbb2f /src/libstrongswan/plugins/openssl/openssl_x509.c
parent	2d3ae93832c4f9e7a7789806df1f06b0d8fea9ee (diff)
download	strongswan-b0892d094c4295c0d02e2a7c026304020d86a847.tar.bz2 strongswan-b0892d094c4295c0d02e2a7c026304020d86a847.tar.xz