x509: Replace problematic calls of chunk_from_chars() for keyUsage extension
authorTobias Brunner <tobias@strongswan.org>
Wed, 29 Jan 2020 10:12:12 +0000 (11:12 +0100)
committerTobias Brunner <tobias@strongswan.org>
Thu, 30 Jan 2020 17:18:28 +0000 (18:18 +0100)
As noted in 8ea13bbc5ccd, newer compilers might optimize out the
assignment, leading to invalid values in the keyUsage extension (as the
length was still set, the extension was encoded, just not with the
intended values).

Fixes #3249.

src/libstrongswan/plugins/x509/x509_cert.c

index 7311708..5a3f838 100644 (file)
@@ -2198,6 +2198,8 @@ static chunk_t generate_ts(traffic_selector_t *ts)
 static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert,
                                         private_key_t *sign_key, int digest_alg)
 {
+       const chunk_t keyUsageCrlSign = chunk_from_chars(0x01, 0x02);
+       const chunk_t keyUsageCertSignCrlSign = chunk_from_chars(0x01, 0x06);
        chunk_t extensions = chunk_empty, extendedKeyUsage = chunk_empty;
        chunk_t serverAuth = chunk_empty, clientAuth = chunk_empty;
        chunk_t ocspSigning = chunk_empty, certPolicies = chunk_empty;
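Review bot: The two function-scope constants added at the top of generate() carry no comment saying why they must live here rather than at the assignment sites, which is exactly the simplification a later reader is likely to undo and reintroduce the bug. If chunk_from_chars() expands to a compound literal (as I believe it does in this code base), its storage ends with the enclosing block, so the old assignments inside the `if`/`else if` branches of the second hunk left keyUsageBits referring to storage that was already dead when the extension was encoded; declaring the values at function scope keeps them alive until keyUsageBits is consumed. Suggest a comment above the declarations, e.g. `/* declared at function scope on purpose: chunk_from_chars() yields a block-scoped compound literal, so assigning it inside the branches below would leave keyUsageBits dangling */`. The same reasoning applies to the two replaced assignments in the second hunk of this file. The body of generate() continues past both hunks.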
@@ -2317,11 +2319,11 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert,
                                                                                                chunk_from_chars(0xFF)),
                                                                                        pathLenConstraint)));
                /* set CertificateSign and implicitly CRLsign */
-               keyUsageBits = chunk_from_chars(0x01, 0x06);
+               keyUsageBits = keyUsageCertSignCrlSign;
        }
        else if (cert->flags & X509_CRL_SIGN)
        {
-               keyUsageBits = chunk_from_chars(0x01, 0x02);
+               keyUsageBits = keyUsageCrlSign;
        }
        if (keyUsageBits.len)
        {