Added an option to load CA certificates without CA basic constraint.

Enabling this option treats all certificates in ipsec.d/cacerts and
ipsec.conf ca sections as CA certificates even if they do not contain a
CA basic constraint.
This commit is contained in:
Tobias Brunner 2012-02-01 14:34:52 +01:00
parent a895801270
commit 9ec66bc1a5
2 changed files with 38 additions and 4 deletions


@ -469,6 +469,10 @@ Database URI for charons SQL plugin
.BR charon.plugins.sql.loglevel " [-1]" .BR charon.plugins.sql.loglevel " [-1]"
Loglevel for logging to SQL database Loglevel for logging to SQL database
.TP .TP
.BR charon.plugins.stroke.ignore_missing_ca_basic_constraint " [no]"
Treat certificates in ipsec.d/cacerts and ipsec.conf ca sections as CA
certificates even if they don't contain a CA basic constraint.
.TP
.BR charon.plugins.stroke.max_concurrent " [4]" .BR charon.plugins.stroke.max_concurrent " [4]"
Maximum number of stroke messages handled concurrently Maximum number of stroke messages handled concurrently
.TP .TP


@ -70,6 +70,12 @@ struct private_stroke_cred_t {
*/ */
mem_cred_t *creds; mem_cred_t *creds;
/**
* ignore missing CA basic constraint (i.e. treat all certificates in
* ipsec.conf ca sections and ipsec.d/cacert as CA certificates)
*/
bool force_ca_cert;
/** /**
* cache CRLs to disk? * cache CRLs to disk?
*/ */
@ -91,10 +97,21 @@ METHOD(stroke_cred_t, load_ca, certificate_t*,
snprintf(path, sizeof(path), "%s/%s", CA_CERTIFICATE_DIR, filename); snprintf(path, sizeof(path), "%s/%s", CA_CERTIFICATE_DIR, filename);
} }
cert = lib->creds->create(lib->creds, if (this->force_ca_cert)
{ /* we treat this certificate as a CA certificate even if it has no
* CA basic constraint */
cert = lib->creds->create(lib->creds,
CRED_CERTIFICATE, CERT_X509,
BUILD_FROM_FILE, path, BUILD_X509_FLAG, X509_CA,
BUILD_END);
}
else
{
cert = lib->creds->create(lib->creds,
CRED_CERTIFICATE, CERT_X509, CRED_CERTIFICATE, CERT_X509,
BUILD_FROM_FILE, path, BUILD_FROM_FILE, path,
BUILD_END); BUILD_END);
}
if (cert) if (cert)
{ {
x509_t *x509 = (x509_t*)cert; x509_t *x509 = (x509_t*)cert;
@ -171,11 +188,21 @@ static void load_certdir(private_stroke_cred_t *this, char *path,
{ {
case CERT_X509: case CERT_X509:
if (flag & X509_CA) if (flag & X509_CA)
{ /* for CA certificates, we strictly require {
* the CA basic constraint to be set */ if (this->force_ca_cert)
cert = lib->creds->create(lib->creds, { /* treat this certificate as CA cert even it has no
* CA basic constraint */
cert = lib->creds->create(lib->creds,
CRED_CERTIFICATE, CERT_X509,
BUILD_FROM_FILE, file, BUILD_X509_FLAG,
X509_CA, BUILD_END);
}
else
{
cert = lib->creds->create(lib->creds,
CRED_CERTIFICATE, CERT_X509, CRED_CERTIFICATE, CERT_X509,
BUILD_FROM_FILE, file, BUILD_END); BUILD_FROM_FILE, file, BUILD_END);
}
if (cert) if (cert)
{ {
x509_t *x509 = (x509_t*)cert; x509_t *x509 = (x509_t*)cert;
@ -1073,6 +1100,9 @@ stroke_cred_t *stroke_cred_create()
lib->credmgr->add_set(lib->credmgr, &this->creds->set); lib->credmgr->add_set(lib->credmgr, &this->creds->set);
this->force_ca_cert = lib->settings->get_bool(lib->settings,
"charon.plugins.stroke.ignore_missing_ca_basic_constraint", FALSE);
load_certs(this); load_certs(this);
load_secrets(this, SECRETS_FILE, 0, NULL); load_secrets(this, SECRETS_FILE, 0, NULL);
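Review bot: The forced and unforced `lib->creds->create` call sequences are duplicated almost verbatim between load_ca (the `if (this->force_ca_cert)` branch starting at the first hunk's `cert = ...` replacement) and load_certdir (the `case CERT_X509` branch), differing only in `BUILD_X509_FLAG, X509_CA`; a small static helper taking the path would remove the duplication and keep the two loaders from drifting apart, and is sketched below. Note that the forced branch passes `X509_CA` unconditionally, so whatever lands in ipsec.d/cacerts or a ca section is accepted as a trust anchor, and a certificate that explicitly carries CA:FALSE would presumably be overridden as well (that depends on the x509 builder, which is not visible here) — the man page entry says only "don't contain", so either the builder should be confirmed to honour an explicit CA:FALSE or the option text should say the constraint is ignored entirely, and a log line naming each file accepted this way would help operators audit their anchors. Two wording slips in the new comments: `even it has no` should read `even if it has no`, and the struct field comment's `ipsec.d/cacert` should match the `ipsec.d/cacerts` used everywhere else. Both load_ca and load_certdir start and end outside their hunks, as does stroke_cred_create.
```c
/* Load an X.509 certificate from path. With force_ca_cert set the CA flag
 * is requested from the builder regardless of the certificate's own basic
 * constraints, so the caller's CA check below will always pass. */
static certificate_t *load_x509_file(private_stroke_cred_t *this, char *path)
{
	if (this->force_ca_cert)
	{
		return lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
								  BUILD_FROM_FILE, path,
								  BUILD_X509_FLAG, X509_CA, BUILD_END);
	}
	return lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509,
							  BUILD_FROM_FILE, path, BUILD_END);
}

/* … unchanged: load_ca up to the snprintf of path … */
	cert = load_x509_file(this, path);
	/* … unchanged: CA flag check and registration of cert … */

/* … unchanged: load_certdir up to the CERT_X509 / X509_CA case … */
				cert = load_x509_file(this, file);
				/* … unchanged: CA flag check and registration of cert … */
```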