Fail on critical extensions in openssl CRLs
authorMartin Willi <martin@revosec.ch>
Fri, 17 Dec 2010 10:40:01 +0000 (11:40 +0100)
committerMartin Willi <martin@revosec.ch>
Wed, 5 Jan 2011 15:46:03 +0000 (16:46 +0100)
src/libstrongswan/plugins/openssl/openssl_crl.c

index b9d97a9..793899d 100644 (file)
@@ -458,7 +458,12 @@ static bool parse_extensions(private_openssl_crl_t *this)
                                        ok = parse_crlNumber_ext(this, ext);
                                        break;
                                default:
-                                       ok = TRUE;
+                                       ok = X509_EXTENSION_get_critical(ext) != 0;
+                                       if (!ok)
+                                       {
+                                               DBG1(DBG_LIB, "found unsupported critical X.509 "
+                                                        "CRL extension");
+                                       }
                                        break;
                        }
                        if (!ok)