discard certificate with unknown critical extensions

author: Andreas Steffen <andreas.steffen@strongswan.org> 2009-12-20 15:53:39 +0100
committer: Andreas Steffen <andreas.steffen@strongswan.org> 2009-12-20 15:53:39 +0100
commit: 28c25485baf30aeee2ea84ca5dee81639697fb47 (patch)
tree: 28499fb3254eef91f6e050001de47a2bb32ccd12 /src
parent: f3e366a9a0cacef2acf9c7e3411b958435de6a08 (diff)
download: strongswan-28c25485baf30aeee2ea84ca5dee81639697fb47.tar.bz2
strongswan-28c25485baf30aeee2ea84ca5dee81639697fb47.tar.xz
1 files changed, 8 insertions, 0 deletions
diff --git a/src/libstrongswan/plugins/x509/x509_cert.c b/src/libstrongswan/plugins/x509/x509_cert.c
index 623a26803..fc68cdc7b 100644
--- a/src/libstrongswan/plugins/x509/x509_cert.c
+++ b/src/libstrongswan/plugins/x509/x509_cert.c
@@ -905,6 +905,14 @@ static bool parse_certificate(private_x509_cert_t *this)
 						}
 						break;
 					default:
+						if (critical && lib->settings->get_bool(lib->settings,
+							"libstrongswan.plugins.x509_cert.enforce_critical", FALSE))
+						{
+							DBG1("critical %s extension not supported",
+								 (extn_oid == OID_UNKNOWN) ? "unknown" :
+								 (char*)oid_names[extn_oid].name); 
+							goto end;
+						}
 						break;
 				}
 				break;
author	Andreas Steffen <andreas.steffen@strongswan.org>	2009-12-20 15:53:39 +0100
committer	Andreas Steffen <andreas.steffen@strongswan.org>	2009-12-20 15:53:39 +0100
commit	28c25485baf30aeee2ea84ca5dee81639697fb47 (patch)
tree	28499fb3254eef91f6e050001de47a2bb32ccd12 /src
parent	f3e366a9a0cacef2acf9c7e3411b958435de6a08 (diff)
download	strongswan-28c25485baf30aeee2ea84ca5dee81639697fb47.tar.bz2 strongswan-28c25485baf30aeee2ea84ca5dee81639697fb47.tar.xz