introduced libstrongswan.x509.enforce_critical parameter
authorAndreas Steffen <andreas.steffen@strongswan.org>
Sat, 5 Feb 2011 08:01:18 +0000 (09:01 +0100)
committerAndreas Steffen <andreas.steffen@strongswan.org>
Sat, 5 Feb 2011 08:01:18 +0000 (09:01 +0100)
man/strongswan.conf.5.in
src/libstrongswan/plugins/openssl/openssl_crl.c
src/libstrongswan/plugins/openssl/openssl_x509.c
src/libstrongswan/plugins/x509/x509_cert.c
src/libstrongswan/plugins/x509/x509_crl.c

index 88d14ae..47aa6d5 100644 (file)
@@ -460,6 +460,9 @@ Check daemon, libstrongswan and plugin integrity at startup
 .TP
 .BR libstrongswan.leak_detective.detailed " [yes]"
 Includes source file names and line numbers in leak detective output
+.TP
+.BR libstrongswan.x509.enforce_critical " [yes]"
+Discard certificates with unsupported or unknown critical extensions
 .SS libstrongswan.plugins subsection
 .TP
 .BR libstrongswan.plugins.attr-sql.database
@@ -475,13 +478,8 @@ Use faster random numbers in gcrypt; for testing only, produces weak keys!
 ENGINE ID to use in the OpenSSL plugin
 .TP
 .BR libstrongswan.plugins.pkcs11.modules
-
 .TP
 .BR libstrongswan.plugins.pkcs11.use_hasher " [no]"
-
-.TP
-.BR libstrongswan.plugins.x509.enforce_critical " [no]"
-Discard certificates with unsupported or unknown critical extensions
 .SS libtls section
 .TP
 .BR libtls.cipher
index 7786b7f..58401fa 100644 (file)
@@ -460,7 +460,9 @@ static bool parse_extensions(private_openssl_crl_t *this)
                                        ok = parse_crlNumber_ext(this, ext);
                                        break;
                                default:
-                                       ok = X509_EXTENSION_get_critical(ext) != 0;
+                                       ok = X509_EXTENSION_get_critical(ext) == 0 ||
+                                                !lib->settings->get_bool(lib->settings,
+                                                               "libstrongswan.x509.enforce_critical", TRUE);
                                        if (!ok)
                                        {
                                                DBG1(DBG_LIB, "found unsupported critical X.509 "
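Review bot: When `libstrongswan.x509.enforce_critical` is disabled, an unknown critical extension now makes `ok` TRUE and the loop simply moves on, so an operator who relaxed the check gets no trace that a critical extension was skipped; the same silent path exists in the openssl_x509.c hunk and, through the `if (critical && ...)` form, in the x509_cert.c and x509_crl.c hunks. Splitting the criticality test from the setting lookup lets the relaxed case be logged before continuing, which is what a defender reviewing a misbehaving peer certificate will want to see. The `critical` local this needs must be declared at the top of the function, and the `parse_extensions` loop as well as the `DBG1` at the end of the hunk continue outside the hunk.
```c
default:
	critical = X509_EXTENSION_get_critical(ext) != 0;
	ok = !critical ||
		 !lib->settings->get_bool(lib->settings,
								  "libstrongswan.x509.enforce_critical", TRUE);
	if (critical && ok)
	{
		DBG1(DBG_LIB, "ignoring unsupported critical X.509 extension, "
			 "enforce_critical is disabled");
	}
	/* … unchanged: if (!ok) { DBG1 … } … */
```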
index ddc9d5b..f096b2b 100644 (file)
@@ -804,7 +804,9 @@ static bool parse_extensions(private_openssl_x509_t *this)
                                        ok = parse_crlDistributionPoints_ext(this, ext);
                                        break;
                                default:
-                                       ok = X509_EXTENSION_get_critical(ext) == 0;
+                                       ok = X509_EXTENSION_get_critical(ext) == 0 ||
+                                                !lib->settings->get_bool(lib->settings,
+                                                               "libstrongswan.x509.enforce_critical", TRUE);
                                        if (!ok)
                                        {
                                                DBG1(DBG_LIB, "found unsupported critical X.509 extension");
@@ -916,7 +918,7 @@ static bool parse_certificate(private_openssl_x509_t *this)
 
        if (!parse_extensions(this))
        {
-               return TRUE;
+               return FALSE;
        }
        parse_extKeyUsage(this);
 
index 4c9d042..d4fb4e0 100644 (file)
@@ -1443,9 +1443,9 @@ static bool parse_certificate(private_x509_cert_t *this)
                                                break;
                                        default:
                                                if (critical && lib->settings->get_bool(lib->settings,
-                                                       "libstrongswan.plugins.x509.enforce_critical", FALSE))
+                                                       "libstrongswan.x509.enforce_critical", TRUE))
                                                {
-                                                       DBG1(DBG_LIB, "critical %s extension not supported",
+                                                       DBG1(DBG_LIB, "critical '%s' extension not supported",
                                                                 (extn_oid == OID_UNKNOWN) ? "unknown" :
                                                                 (char*)oid_names[extn_oid].name);
                                                        goto end;
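Review bot: `lib->settings->get_bool` is evaluated inside the per-extension loop, once for every unrecognized critical extension, although the setting cannot change between extensions of a single certificate; the x509_crl.c hunk and both openssl hunks have the same shape. Reading it once before the loop into a local, e.g. `bool enforce = lib->settings->get_bool(lib->settings, "libstrongswan.x509.enforce_critical", TRUE);`, and testing `if (critical && enforce)` here keeps the parsing hot path free of string lookups and gives the policy a single, greppable name per function. The loop header and the declaration site lie outside the hunk, so the exact placement of the hoisted read cannot be pinned from here.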
index afb8ebd..758505a 100644 (file)
@@ -322,9 +322,9 @@ static bool parse(private_x509_crl_t *this)
                                                break;
                                        default:
                                                if (critical && lib->settings->get_bool(lib->settings,
-                                                       "libstrongswan.plugins.x509.enforce_critical", FALSE))
+                                                       "libstrongswan.x509.enforce_critical", TRUE))
                                                {
-                                                       DBG1(DBG_LIB, "critical %s extension not supported",
+                                                       DBG1(DBG_LIB, "critical '%s' extension not supported",
                                                                 (extn_oid == OID_UNKNOWN) ? "unknown" :
                                                                 (char*)oid_names[extn_oid].name);
                                                        goto end;