[hopefully] fixed pathlen problem on ARM platforms
authorAndreas Steffen <andreas.steffen@strongswan.org>
Thu, 10 Feb 2011 14:51:18 +0000 (15:51 +0100)
committerAndreas Steffen <andreas.steffen@strongswan.org>
Thu, 10 Feb 2011 14:51:18 +0000 (15:51 +0100)
src/libcharon/plugins/stroke/stroke_list.c
src/libstrongswan/credentials/cert_validator.h
src/libstrongswan/credentials/certificates/x509.h
src/libstrongswan/plugins/constraints/constraints_validator.c
src/libstrongswan/plugins/openssl/openssl_x509.c
src/libstrongswan/plugins/revocation/revocation_validator.c
src/libstrongswan/plugins/x509/x509_cert.c

index 2fa017d..36311f0 100644 (file)
@@ -754,7 +754,7 @@ static void stroke_list_certs(linked_list_t *list, char *label,
                        enumerator_t *enumerator;
                        identification_t *altName;
                        bool first_altName = TRUE;
-                       int pathlen;
+                       u_int pathlen;
                        chunk_t serial, authkey;
                        time_t notBefore, notAfter;
                        public_key_t *public;
@@ -837,7 +837,7 @@ static void stroke_list_certs(linked_list_t *list, char *label,
                        pathlen = x509->get_constraint(x509, X509_PATH_LEN);
                        if (pathlen != X509_NO_CONSTRAINT)
                        {
-                               fprintf(out, "  pathlen:   %d\n", pathlen);
+                               fprintf(out, "  pathlen:   %u\n", pathlen);
                        }
 
                        /* list optional ipAddrBlocks */
index 3c1ebc9..733d9d6 100644 (file)
@@ -45,7 +45,7 @@ struct cert_validator_t {
         * @param auth                  container for resulting authentication info
         */
        bool (*validate)(cert_validator_t *this, certificate_t *subject,
-                                        certificate_t *issuer, bool online, int pathlen,
+                                        certificate_t *issuer, bool online, u_int pathlen,
                                         bool anchor, auth_cfg_t *auth);
 };
 
index 9f5865d..fec02db 100644 (file)
@@ -24,7 +24,8 @@
 #include <utils/enumerator.h>
 #include <credentials/certificates/certificate.h>
 
-#define X509_NO_CONSTRAINT             -1
+/* constraints are currently restricted to the range 0..127 */
+#define X509_NO_CONSTRAINT     255
 
 typedef struct x509_t x509_t;
 typedef struct x509_cert_policy_t x509_cert_policy_t;
@@ -150,7 +151,7 @@ struct x509_t {
         * @param type          type of constraint to get
         * @return                      constraint, X509_NO_CONSTRAINT if none found
         */
-       int (*get_constraint)(x509_t *this, x509_constraint_t type);
+       u_int (*get_constraint)(x509_t *this, x509_constraint_t type);
 
        /**
         * Create an enumerator over all subjectAltNames.
index 2089450..b54d813 100644 (file)
@@ -38,7 +38,7 @@ struct private_constraints_validator_t {
  */
 static bool check_pathlen(x509_t *issuer, int pathlen)
 {
-       int pathlen_constraint;
+       u_int pathlen_constraint;
 
        pathlen_constraint = issuer->get_constraint(issuer, X509_PATH_LEN);
        if (pathlen_constraint != X509_NO_CONSTRAINT &&
@@ -439,7 +439,7 @@ static bool has_no_any_policy(linked_list_t *chain, int len)
 /**
  * Check requireExplicitPolicy and inhibitPolicyMapping constraints
  */
-static bool check_policy_constraints(x509_t *issuer, int pathlen,
+static bool check_policy_constraints(x509_t *issuer, u_int pathlen,
                                                                         auth_cfg_t *auth)
 {
        certificate_t *subject;
@@ -455,7 +455,8 @@ static bool check_policy_constraints(x509_t *issuer, int pathlen,
                        certificate_t *cert;
                        auth_rule_t rule;
                        x509_t *x509;
-                       int len = 0, expl, inh;
+                       int len = 0;
+                       u_int expl, inh;
 
                        /* prepare trustchain to validate */
                        chain = linked_list_create();
@@ -524,7 +525,7 @@ static bool check_policy_constraints(x509_t *issuer, int pathlen,
 
 METHOD(cert_validator_t, validate, bool,
        private_constraints_validator_t *this, certificate_t *subject,
-       certificate_t *issuer, bool online, int pathlen, bool anchor,
+       certificate_t *issuer, bool online, u_int pathlen, bool anchor,
        auth_cfg_t *auth)
 {
        if (issuer->get_type(issuer) == CERT_X509 &&
index f096b2b..f7495b2 100644 (file)
@@ -84,7 +84,7 @@ struct private_openssl_x509_t {
        /**
         * Pathlen constraint
         */
-       int pathlen;
+       u_char pathlen;
 
        /**
         * certificate subject
@@ -250,7 +250,7 @@ METHOD(x509_t, get_authKeyIdentifier, chunk_t,
        return chunk_empty;
 }
 
-METHOD(x509_t, get_constraint, int,
+METHOD(x509_t, get_constraint, u_int,
        private_openssl_x509_t *this, x509_constraint_t type)
 {
        switch (type)
@@ -586,6 +586,7 @@ static bool parse_basicConstraints_ext(private_openssl_x509_t *this,
                                                                           X509_EXTENSION *ext)
 {
        BASIC_CONSTRAINTS *constraints;
+       long pathlen;
 
        constraints = (BASIC_CONSTRAINTS*)X509V3_EXT_d2i(ext);
        if (constraints)
@@ -596,7 +597,10 @@ static bool parse_basicConstraints_ext(private_openssl_x509_t *this,
                }
                if (constraints->pathlen)
                {
-                       this->pathlen = ASN1_INTEGER_get(constraints->pathlen);
+                       
+                       pathlen = ASN1_INTEGER_get(constraints->pathlen);
+                       this->pathlen = (pathlen >= 0 && pathlen < 128) ?
+                                                        pathlen : X509_NO_CONSTRAINT;
                }
                BASIC_CONSTRAINTS_free(constraints);
                return TRUE;
index b08e309..def1692 100644 (file)
@@ -665,7 +665,7 @@ static cert_validation_t check_crl(x509_t *subject, x509_t *issuer,
 
 METHOD(cert_validator_t, validate, bool,
        private_revocation_validator_t *this, certificate_t *subject,
-       certificate_t *issuer, bool online, int pathlen, bool anchor,
+       certificate_t *issuer, bool online, u_int pathlen, bool anchor,
        auth_cfg_t *auth)
 {
        if (subject->get_type(subject) == CERT_X509 &&
index c3bb4ea..526dbe8 100644 (file)
@@ -174,22 +174,22 @@ struct private_x509_cert_t {
        /**
         * Path Length Constraint
         */
-       char pathLenConstraint;
+       u_char pathLenConstraint;
 
        /**
         * requireExplicitPolicy Constraint
         */
-       char require_explicit;
+       u_char require_explicit;
 
        /**
         * inhibitPolicyMapping Constraint
         */
-       char inhibit_mapping;
+       u_char inhibit_mapping;
 
        /**
         * inhibitAnyPolicy Constraint
         */
-       char inhibit_any;
+       u_char inhibit_any;
 
        /**
         * x509 constraints and other flags
@@ -255,14 +255,14 @@ static void policy_mapping_destroy(x509_policy_mapping_t *mapping)
 /**
  * Parse a length constraint from an unwrapped integer
  */
-static int parse_constraint(chunk_t object)
+static u_int parse_constraint(chunk_t object)
 {
        switch (object.len)
        {
                case 0:
                        return 0;
                case 1:
-                       return object.ptr[0];
+                       return (object.ptr[0] & 0x80) ? X509_NO_CONSTRAINT : object.ptr[0];
                default:
                        return X509_NO_CONSTRAINT;
        }
@@ -1723,7 +1723,7 @@ METHOD(x509_t, get_authKeyIdentifier, chunk_t,
        return this->authKeyIdentifier;
 }
 
-METHOD(x509_t, get_constraint, int,
+METHOD(x509_t, get_constraint, u_int,
        private_x509_cert_t *this, x509_constraint_t type)
 {
        switch (type)
@@ -2390,6 +2390,7 @@ x509_cert_t *x509_cert_gen(certificate_type_t type, va_list args)
        certificate_t *sign_cert = NULL;
        private_key_t *sign_key = NULL;
        hash_algorithm_t digest_alg = HASH_SHA1;
+       u_int constraint;
 
        cert = create_empty();
        while (TRUE)
@@ -2464,11 +2465,9 @@ x509_cert_t *x509_cert_gen(certificate_type_t type, va_list args)
                                continue;
                        }
                        case BUILD_PATHLEN:
-                               cert->pathLenConstraint = va_arg(args, int);
-                               if (cert->pathLenConstraint < 0 || cert->pathLenConstraint > 127)
-                               {
-                                       cert->pathLenConstraint = X509_NO_CONSTRAINT;
-                               }
+                               constraint = va_arg(args, u_int);
+                               cert->pathLenConstraint = (constraint < 128) ?
+                                                                                  constraint : X509_NO_CONSTRAINT;
                                continue;
                        case BUILD_PERMITTED_NAME_CONSTRAINTS:
                        {
@@ -2543,13 +2542,19 @@ x509_cert_t *x509_cert_gen(certificate_type_t type, va_list args)
                                continue;
                        }
                        case BUILD_POLICY_REQUIRE_EXPLICIT:
-                               cert->require_explicit = va_arg(args, int);
+                               constraint = va_arg(args, u_int);
+                               cert->require_explicit = (constraint < 128) ?
+                                                                                 constraint : X509_NO_CONSTRAINT;
                                continue;
                        case BUILD_POLICY_INHIBIT_MAPPING:
-                               cert->inhibit_mapping = va_arg(args, int);
+                               constraint = va_arg(args, u_int);
+                               cert->inhibit_mapping = (constraint < 128) ?
+                                                                                constraint : X509_NO_CONSTRAINT;
                                continue;
                        case BUILD_POLICY_INHIBIT_ANY:
-                               cert->inhibit_any = va_arg(args, int);
+                               constraint = va_arg(args, u_int);
+                               cert->inhibit_any = (constraint < 128) ?
+                                                                        constraint : X509_NO_CONSTRAINT;
                                continue;
                        case BUILD_NOT_BEFORE_TIME:
                                cert->notBefore = va_arg(args, time_t);