[hopefully] fixed pathlen problem on ARM platforms
This commit is contained in:
parent
afddd6a7e8
commit
d390b3b901
|
@ -754,7 +754,7 @@ static void stroke_list_certs(linked_list_t *list, char *label,
|
|||
enumerator_t *enumerator;
|
||||
identification_t *altName;
|
||||
bool first_altName = TRUE;
|
||||
int pathlen;
|
||||
u_int pathlen;
|
||||
chunk_t serial, authkey;
|
||||
time_t notBefore, notAfter;
|
||||
public_key_t *public;
|
||||
|
@ -837,7 +837,7 @@ static void stroke_list_certs(linked_list_t *list, char *label,
|
|||
pathlen = x509->get_constraint(x509, X509_PATH_LEN);
|
||||
if (pathlen != X509_NO_CONSTRAINT)
|
||||
{
|
||||
fprintf(out, " pathlen: %d\n", pathlen);
|
||||
fprintf(out, " pathlen: %u\n", pathlen);
|
||||
}
|
||||
|
||||
/* list optional ipAddrBlocks */
|
||||
|
|
|
@ -45,7 +45,7 @@ struct cert_validator_t {
|
|||
* @param auth container for resulting authentication info
|
||||
*/
|
||||
bool (*validate)(cert_validator_t *this, certificate_t *subject,
|
||||
certificate_t *issuer, bool online, int pathlen,
|
||||
certificate_t *issuer, bool online, u_int pathlen,
|
||||
bool anchor, auth_cfg_t *auth);
|
||||
};
|
||||
|
||||
|
|
|
@ -24,7 +24,8 @@
|
|||
#include <utils/enumerator.h>
|
||||
#include <credentials/certificates/certificate.h>
|
||||
|
||||
#define X509_NO_CONSTRAINT -1
|
||||
/* constraints are currently restricted to the range 0..127 */
|
||||
#define X509_NO_CONSTRAINT 255
|
||||
|
||||
typedef struct x509_t x509_t;
|
||||
typedef struct x509_cert_policy_t x509_cert_policy_t;
|
||||
|
@ -150,7 +151,7 @@ struct x509_t {
|
|||
* @param type type of constraint to get
|
||||
* @return constraint, X509_NO_CONSTRAINT if none found
|
||||
*/
|
||||
int (*get_constraint)(x509_t *this, x509_constraint_t type);
|
||||
u_int (*get_constraint)(x509_t *this, x509_constraint_t type);
|
||||
|
||||
/**
|
||||
* Create an enumerator over all subjectAltNames.
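Review bot: The doc comment `@return constraint, X509_NO_CONSTRAINT if none found` on get_constraint no longer tells callers that the result is unsigned, so a negative-value test (the old `int` contract) can never match and the only valid check is `!= X509_NO_CONSTRAINT`. I would widen it to `@return constraint in the range 0..127, or X509_NO_CONSTRAINT if none found or not representable`. The macro comment `constraints are currently restricted to the range 0..127` should also say that values outside that range are reported as X509_NO_CONSTRAINT, because that silently relaxes a constraint the CA asserted; the implementations in this commit store the value in a `u_char`, which is why 255 fits as the sentinel and is worth stating here. struct x509_t continues outside the hunk.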
|
||||
|
|
|
@ -38,7 +38,7 @@ struct private_constraints_validator_t {
|
|||
*/
|
||||
static bool check_pathlen(x509_t *issuer, int pathlen)
|
||||
{
|
||||
int pathlen_constraint;
|
||||
u_int pathlen_constraint;
|
||||
|
||||
pathlen_constraint = issuer->get_constraint(issuer, X509_PATH_LEN);
|
||||
if (pathlen_constraint != X509_NO_CONSTRAINT &&
|
||||
|
@ -439,7 +439,7 @@ static bool has_no_any_policy(linked_list_t *chain, int len)
|
|||
/**
|
||||
* Check requireExplicitPolicy and inhibitPolicyMapping constraints
|
||||
*/
|
||||
static bool check_policy_constraints(x509_t *issuer, int pathlen,
|
||||
static bool check_policy_constraints(x509_t *issuer, u_int pathlen,
|
||||
auth_cfg_t *auth)
|
||||
{
|
||||
certificate_t *subject;
|
||||
|
@ -455,7 +455,8 @@ static bool check_policy_constraints(x509_t *issuer, int pathlen,
|
|||
certificate_t *cert;
|
||||
auth_rule_t rule;
|
||||
x509_t *x509;
|
||||
int len = 0, expl, inh;
|
||||
int len = 0;
|
||||
u_int expl, inh;
|
||||
|
||||
/* prepare trustchain to validate */
|
||||
chain = linked_list_create();
|
||||
|
@ -524,7 +525,7 @@ static bool check_policy_constraints(x509_t *issuer, int pathlen,
|
|||
|
||||
METHOD(cert_validator_t, validate, bool,
|
||||
private_constraints_validator_t *this, certificate_t *subject,
|
||||
certificate_t *issuer, bool online, int pathlen, bool anchor,
|
||||
certificate_t *issuer, bool online, u_int pathlen, bool anchor,
|
||||
auth_cfg_t *auth)
|
||||
{
|
||||
if (issuer->get_type(issuer) == CERT_X509 &&
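Review bot: `check_pathlen` still takes `int pathlen` while `pathlen_constraint` becomes `u_int`, so the comparison of the two that follows the visible `!= X509_NO_CONSTRAINT` test (outside the hunk) mixes signed and unsigned operands, and the `validate` method in this same file now passes a `u_int` into it. I would change the signature to `static bool check_pathlen(x509_t *issuer, u_int pathlen)` so the whole path-length flow is unsigned end to end. `check_policy_constraints` deserves the same treatment: it keeps `int len = 0` next to the new `u_int expl, inh`, which are presumably compared against `len` further down. Both function bodies continue outside the hunks.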
|
||||
|
|
|
@ -84,7 +84,7 @@ struct private_openssl_x509_t {
|
|||
/**
|
||||
* Pathlen constraint
|
||||
*/
|
||||
int pathlen;
|
||||
u_char pathlen;
|
||||
|
||||
/**
|
||||
* certificate subject
|
||||
|
@ -250,7 +250,7 @@ METHOD(x509_t, get_authKeyIdentifier, chunk_t,
|
|||
return chunk_empty;
|
||||
}
|
||||
|
||||
METHOD(x509_t, get_constraint, int,
|
||||
METHOD(x509_t, get_constraint, u_int,
|
||||
private_openssl_x509_t *this, x509_constraint_t type)
|
||||
{
|
||||
switch (type)
|
||||
|
@ -586,6 +586,7 @@ static bool parse_basicConstraints_ext(private_openssl_x509_t *this,
|
|||
X509_EXTENSION *ext)
|
||||
{
|
||||
BASIC_CONSTRAINTS *constraints;
|
||||
long pathlen;
|
||||
|
||||
constraints = (BASIC_CONSTRAINTS*)X509V3_EXT_d2i(ext);
|
||||
if (constraints)
|
||||
|
@ -596,7 +597,10 @@ static bool parse_basicConstraints_ext(private_openssl_x509_t *this,
|
|||
}
|
||||
if (constraints->pathlen)
|
||||
{
|
||||
this->pathlen = ASN1_INTEGER_get(constraints->pathlen);
|
||||
|
||||
pathlen = ASN1_INTEGER_get(constraints->pathlen);
|
||||
this->pathlen = (pathlen >= 0 && pathlen < 128) ?
|
||||
pathlen : X509_NO_CONSTRAINT;
|
||||
}
|
||||
BASIC_CONSTRAINTS_free(constraints);
|
||||
return TRUE;
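Review bot: The new range check `this->pathlen = (pathlen >= 0 && pathlen < 128) ? pathlen : X509_NO_CONSTRAINT;` relies on an undocumented property: ASN1_INTEGER_get() returns -1 not only for the value -1 but also when the integer does not fit in a long, so oversized and negative encodings both land in X509_NO_CONSTRAINT. That is the permissive direction — a pathLenConstraint the CA did assert is dropped rather than the certificate being rejected — so it needs a comment, e.g. `/* ASN1_INTEGER_get() yields -1 on overflow too; anything outside 0..127 is reported as no constraint */`. A debug log line when a present constraint is discarded would make the relaxation visible in the trace. parse_basicConstraints_ext's closing brace lies outside the hunk.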
|
||||
|
|
|
@ -665,7 +665,7 @@ static cert_validation_t check_crl(x509_t *subject, x509_t *issuer,
|
|||
|
||||
METHOD(cert_validator_t, validate, bool,
|
||||
private_revocation_validator_t *this, certificate_t *subject,
|
||||
certificate_t *issuer, bool online, int pathlen, bool anchor,
|
||||
certificate_t *issuer, bool online, u_int pathlen, bool anchor,
|
||||
auth_cfg_t *auth)
|
||||
{
|
||||
if (subject->get_type(subject) == CERT_X509 &&
|
||||
|
|
|
@ -174,22 +174,22 @@ struct private_x509_cert_t {
|
|||
/**
|
||||
* Path Length Constraint
|
||||
*/
|
||||
char pathLenConstraint;
|
||||
u_char pathLenConstraint;
|
||||
|
||||
/**
|
||||
* requireExplicitPolicy Constraint
|
||||
*/
|
||||
char require_explicit;
|
||||
u_char require_explicit;
|
||||
|
||||
/**
|
||||
* inhibitPolicyMapping Constraint
|
||||
*/
|
||||
char inhibit_mapping;
|
||||
u_char inhibit_mapping;
|
||||
|
||||
/**
|
||||
* inhibitAnyPolicy Constraint
|
||||
*/
|
||||
char inhibit_any;
|
||||
u_char inhibit_any;
|
||||
|
||||
/**
|
||||
* x509 constraints and other flags
|
||||
|
@ -255,14 +255,14 @@ static void policy_mapping_destroy(x509_policy_mapping_t *mapping)
|
|||
/**
|
||||
* Parse a length constraint from an unwrapped integer
|
||||
*/
|
||||
static int parse_constraint(chunk_t object)
|
||||
static u_int parse_constraint(chunk_t object)
|
||||
{
|
||||
switch (object.len)
|
||||
{
|
||||
case 0:
|
||||
return 0;
|
||||
case 1:
|
||||
return object.ptr[0];
|
||||
return (object.ptr[0] & 0x80) ? X509_NO_CONSTRAINT : object.ptr[0];
|
||||
default:
|
||||
return X509_NO_CONSTRAINT;
|
||||
}
|
||||
|
@ -1723,7 +1723,7 @@ METHOD(x509_t, get_authKeyIdentifier, chunk_t,
|
|||
return this->authKeyIdentifier;
|
||||
}
|
||||
|
||||
METHOD(x509_t, get_constraint, int,
|
||||
METHOD(x509_t, get_constraint, u_int,
|
||||
private_x509_cert_t *this, x509_constraint_t type)
|
||||
{
|
||||
switch (type)
|
||||
|
@ -2390,6 +2390,7 @@ x509_cert_t *x509_cert_gen(certificate_type_t type, va_list args)
|
|||
certificate_t *sign_cert = NULL;
|
||||
private_key_t *sign_key = NULL;
|
||||
hash_algorithm_t digest_alg = HASH_SHA1;
|
||||
u_int constraint;
|
||||
|
||||
cert = create_empty();
|
||||
while (TRUE)
|
||||
|
@ -2464,11 +2465,9 @@ x509_cert_t *x509_cert_gen(certificate_type_t type, va_list args)
|
|||
continue;
|
||||
}
|
||||
case BUILD_PATHLEN:
|
||||
cert->pathLenConstraint = va_arg(args, int);
|
||||
if (cert->pathLenConstraint < 0 || cert->pathLenConstraint > 127)
|
||||
{
|
||||
cert->pathLenConstraint = X509_NO_CONSTRAINT;
|
||||
}
|
||||
constraint = va_arg(args, u_int);
|
||||
cert->pathLenConstraint = (constraint < 128) ?
|
||||
constraint : X509_NO_CONSTRAINT;
|
||||
continue;
|
||||
case BUILD_PERMITTED_NAME_CONSTRAINTS:
|
||||
{
|
||||
|
@ -2543,13 +2542,19 @@ x509_cert_t *x509_cert_gen(certificate_type_t type, va_list args)
|
|||
continue;
|
||||
}
|
||||
case BUILD_POLICY_REQUIRE_EXPLICIT:
|
||||
cert->require_explicit = va_arg(args, int);
|
||||
constraint = va_arg(args, u_int);
|
||||
cert->require_explicit = (constraint < 128) ?
|
||||
constraint : X509_NO_CONSTRAINT;
|
||||
continue;
|
||||
case BUILD_POLICY_INHIBIT_MAPPING:
|
||||
cert->inhibit_mapping = va_arg(args, int);
|
||||
constraint = va_arg(args, u_int);
|
||||
cert->inhibit_mapping = (constraint < 128) ?
|
||||
constraint : X509_NO_CONSTRAINT;
|
||||
continue;
|
||||
case BUILD_POLICY_INHIBIT_ANY:
|
||||
cert->inhibit_any = va_arg(args, int);
|
||||
constraint = va_arg(args, u_int);
|
||||
cert->inhibit_any = (constraint < 128) ?
|
||||
constraint : X509_NO_CONSTRAINT;
|
||||
continue;
|
||||
case BUILD_NOT_BEFORE_TIME:
|
||||
cert->notBefore = va_arg(args, time_t);
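Review bot: `parse_constraint` now maps any single byte with the high bit set, and every multi-byte encoding, to X509_NO_CONSTRAINT, so a certificate carrying a constraint of 128 or more — or a non-minimal encoding such as `00 7f` — is validated as if no constraint existed, which relaxes what the CA asserted; the builder applies the same fallback via `(constraint < 128) ? constraint : X509_NO_CONSTRAINT`, and the policy-constraint fields changed in this hunk presumably go through the same parser. That is a deliberate consequence of the `u_char` storage, but nothing in the function says so; I would add `/* only 0..127 (one DER byte, high bit clear) is representable; anything else is reported as X509_NO_CONSTRAINT, the permissive choice */` above the switch. If the permissive direction is not intended, clamping out-of-range values to 127 would keep a (practically unreachable) restriction instead of none. x509_cert_gen starts and ends outside the hunks.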
|
||||
|
|