addrblock: Support an optional non-strict mode accepting certs without addrblock

This allows a gateway to enforce the addrblock policy on certificates that actually have the extension only. For (legacy) certificates not having the extension, traffic selectors are validated/narrowed by other means, most likely by the configuration.
2017-02-22 09:43:31 +01:00 · 2017-02-22 09:43:31 +01:00 · d1317adb9a
parent da82786b2d
commit d1317adb9a
3 changed files with 20 additions and 3 deletions
--- a/conf/Makefile.am
+++ b/conf/Makefile.am
@ -28,6 +28,7 @@ options = \
 	options/tnc.opt

 plugins = \
+	plugins/addrblock.opt \
 	plugins/android_log.opt \
 	plugins/attr.opt \
 	plugins/attr-sql.opt \
--- a/conf/plugins/addrblock.opt
+++ b/conf/plugins/addrblock.opt
@ -0,0 +1,8 @@
+charon.plugins.addrblock.strict = yes
+	Whether to strictly require addrblock extension in subject certificates.
+
+	If set to yes, a subject certificate without an addrblock extension is
+	rejected if the issuer certificate has such an addrblock extension. If set
+	to no, subject certificates issued without the addrblock extension are
+	accepted without any traffic selector checks and no policy is enforced
+	by the plugin.
--- a/src/libcharon/plugins/addrblock/addrblock_validator.c
+++ b/src/libcharon/plugins/addrblock/addrblock_validator.c
@ -30,12 +30,18 @@ struct private_addrblock_validator_t {
 	 * Public addrblock_validator_t interface.
 	 */
 	addrblock_validator_t public;
+
+	/**
+	 * Whether to reject subject certificates not having a addrBlock extension
+	 */
+	bool strict;
 };

 /**
 * Do the addrblock check for two x509 plugins
 */
-static bool check_addrblock(x509_t *subject, x509_t *issuer)
+static bool check_addrblock(private_addrblock_validator_t *this,
+							x509_t *subject, x509_t *issuer)
 {
 	bool subject_const, issuer_const, contained = TRUE;
 	enumerator_t *subject_enumerator, *issuer_enumerator;
@ -51,7 +57,7 @@ static bool check_addrblock(x509_t *subject, x509_t *issuer)
 	if (!subject_const)
 	{
 		DBG1(DBG_CFG, "subject certficate lacks ipAddrBlocks extension");
-		return FALSE;
+		return !this->strict;
 	}
 	if (!issuer_const)
 	{
@ -94,7 +100,7 @@ METHOD(cert_validator_t, validate, bool,
 	if (subject->get_type(subject) == CERT_X509 &&
 		issuer->get_type(issuer) == CERT_X509)
 	{
-		if (!check_addrblock((x509_t*)subject, (x509_t*)issuer))
+		if (!check_addrblock(this, (x509_t*)subject, (x509_t*)issuer))
 		{
 			lib->credmgr->call_hook(lib->credmgr, CRED_HOOK_POLICY_VIOLATION,
 									subject);
@ -124,6 +130,8 @@ addrblock_validator_t *addrblock_validator_create()
 			},
 			.destroy = _destroy,
 		},
+		.strict = lib->settings->get_bool(lib->settings,
+						"%s.plugins.addrblock.strict", TRUE, lib->ns),
 	);

 	return &this->public;