discard certificate with unknown critical extensions

author Andreas Steffen <andreas.steffen@strongswan.org>

Sun, 20 Dec 2009 14:53:39 +0000 (15:53 +0100)

committer Andreas Steffen <andreas.steffen@strongswan.org>

Sun, 20 Dec 2009 14:53:39 +0000 (15:53 +0100)
author Andreas Steffen <andreas.steffen@strongswan.org>
Sun, 20 Dec 2009 14:53:39 +0000 (15:53 +0100)
committer Andreas Steffen <andreas.steffen@strongswan.org>
Sun, 20 Dec 2009 14:53:39 +0000 (15:53 +0100)
diff --git a/src/libstrongswan/plugins/x509/x509_cert.c b/src/libstrongswan/plugins/x509/x509_cert.c

index 623a268..fc68cdc 100644 (file)
--- a/src/libstrongswan/plugins/x509/x509_cert.c
+++ b/src/libstrongswan/plugins/x509/x509_cert.c
@@ -905,6 +905,14 @@ static bool parse_certificate(private_x509_cert_t *this)
                                                 }
                                                 break;
                                         default:
+                                               if (critical && lib->settings->get_bool(lib->settings,
+                                                       "libstrongswan.plugins.x509_cert.enforce_critical", FALSE))
+                                               {
+                                                       DBG1("critical %s extension not supported",
+                                                                (extn_oid == OID_UNKNOWN) ? "unknown" :
+                                                                (char*)oid_names[extn_oid].name); 
+                                                       goto end;
+                                               }
                                                 break;
                                 }
                                 break;
author	Andreas Steffen <andreas.steffen@strongswan.org>
	Sun, 20 Dec 2009 14:53:39 +0000 (15:53 +0100)
committer	Andreas Steffen <andreas.steffen@strongswan.org>
	Sun, 20 Dec 2009 14:53:39 +0000 (15:53 +0100)