addrblock: Support an optional non-strict mode accepting certs without addrblock
authorMartin Willi <martin@strongswan.org>
Wed, 22 Feb 2017 08:43:31 +0000 (09:43 +0100)
committerMartin Willi <martin@strongswan.org>
Thu, 2 Mar 2017 07:24:02 +0000 (08:24 +0100)
This allows a gateway to enforce the addrblock policy only on certificates that
actually have the extension. For (legacy) certificates not having the
extension, traffic selectors are validated/narrowed by other means, most
likely by the configuration.

conf/Makefile.am
conf/plugins/addrblock.opt [new file with mode: 0644]
src/libcharon/plugins/addrblock/addrblock_validator.c

index 80fa31e..41912c4 100644 (file)
@@ -28,6 +28,7 @@ options = \
        options/tnc.opt
 
 plugins = \
+       plugins/addrblock.opt \
        plugins/android_log.opt \
        plugins/attr.opt \
        plugins/attr-sql.opt \
diff --git a/conf/plugins/addrblock.opt b/conf/plugins/addrblock.opt
new file mode 100644 (file)
index 0000000..e35e4c5
--- /dev/null
@@ -0,0 +1,8 @@
+charon.plugins.addrblock.strict = yes
+       Whether to strictly require addrblock extension in subject certificates.
+
+       If set to yes, a subject certificate without an addrblock extension is
+       rejected if the issuer certificate has such an addrblock extension. If set
+       to no, subject certificates issued without the addrblock extension are
+       accepted without any traffic selector checks and no policy is enforced
+       by the plugin.
index 372c978..d16a117 100644 (file)
@@ -30,12 +30,18 @@ struct private_addrblock_validator_t {
         * Public addrblock_validator_t interface.
         */
        addrblock_validator_t public;
+
+       /**
+        * Whether to reject subject certificates not having a addrBlock extension
+        */
+       bool strict;
 };
 
 /**
  * Do the addrblock check for two x509 plugins
  */
-static bool check_addrblock(x509_t *subject, x509_t *issuer)
+static bool check_addrblock(private_addrblock_validator_t *this,
+                                                       x509_t *subject, x509_t *issuer)
 {
        bool subject_const, issuer_const, contained = TRUE;
        enumerator_t *subject_enumerator, *issuer_enumerator;
@@ -51,7 +57,7 @@ static bool check_addrblock(x509_t *subject, x509_t *issuer)
        if (!subject_const)
        {
                DBG1(DBG_CFG, "subject certficate lacks ipAddrBlocks extension");
-               return FALSE;
+               return !this->strict;
        }
        if (!issuer_const)
        {
@@ -94,7 +100,7 @@ METHOD(cert_validator_t, validate, bool,
        if (subject->get_type(subject) == CERT_X509 &&
                issuer->get_type(issuer) == CERT_X509)
        {
-               if (!check_addrblock((x509_t*)subject, (x509_t*)issuer))
+               if (!check_addrblock(this, (x509_t*)subject, (x509_t*)issuer))
                {
                        lib->credmgr->call_hook(lib->credmgr, CRED_HOOK_POLICY_VIOLATION,
                                                                        subject);
@@ -124,6 +130,8 @@ addrblock_validator_t *addrblock_validator_create()
                        },
                        .destroy = _destroy,
                },
+               .strict = lib->settings->get_bool(lib->settings,
+                                               "%s.plugins.addrblock.strict", TRUE, lib->ns),
        );
 
        return &this->public;
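Review bot: After `return !this->strict;` in the second hunk, the preceding DBG1 line still only reports that the subject certificate lacks the ipAddrBlocks extension, so the log no longer tells an operator whether that certificate was rejected or accepted with no address-block policy applied at all, which is precisely the case worth auditing once strict = no is deployed. Consider folding the outcome into the message, e.g. `DBG1(DBG_CFG, "subject certificate lacks ipAddrBlocks extension, %s", this->strict ? "rejecting" : "accepting (non-strict mode)");`, which also fixes the existing "certficate" typo. The header comment on check_addrblock (`Do the addrblock check for two x509 plugins`) should state the new contract as well: returns TRUE when the containment check passes (the code computing `contained` lies outside the hunk), and for a subject without the extension returns TRUE only when strict mode is disabled. The new field comment `a addrBlock extension` should read `an addrBlock extension`.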