Imported Upstream version 5.0.1

1 files changed, 40 insertions, 24 deletions

diff --git a/src/libstrongswan/plugins/x509/x509_cert.c b/src/libstrongswan/plugins/x509/x509_cert.c
index 4859f4310..2269eb453 100644
--- a/src/libstrongswan/plugins/x509/x509_cert.c
+++ b/src/libstrongswan/plugins/x509/x509_cert.c
@@ -752,6 +752,9 @@ static void parse_extendedKeyUsage(chunk_t blob, int level0,
 				case OID_CLIENT_AUTH:
 					this->flags |= X509_CLIENT_AUTH;
 					break;
+				case OID_IKE_INTERMEDIATE:
+					this->flags |= X509_IKE_INTERMEDIATE;
+					break;
 				case OID_OCSP_SIGNING:
 					this->flags |= X509_OCSP_SIGNER;
 					break;
@@ -1105,19 +1108,19 @@ static void parse_policyConstraints(chunk_t blob, int level0,
  * ASN.1 definition of ipAddrBlocks according to RFC 3779
  */
 static const asn1Object_t ipAddrBlocksObjects[] = {
-	{ 0, "ipAddrBlocks",	        ASN1_SEQUENCE,		ASN1_LOOP			}, /*  0 */
+	{ 0, "ipAddrBlocks",			ASN1_SEQUENCE,		ASN1_LOOP			}, /*  0 */
 	{ 1,   "ipAddressFamily",		ASN1_SEQUENCE,		ASN1_NONE			}, /*  1 */
-	{ 2,     "addressFamily",	    ASN1_OCTET_STRING,	ASN1_BODY			}, /*  2 */
-	{ 2,     "inherit",             ASN1_NULL,          ASN1_OPT|ASN1_NONE  }, /*  3 */
-	{ 2,     "end choice",          ASN1_EOC,           ASN1_END            }, /*  4 */
-	{ 2,     "addressesOrRanges",	ASN1_SEQUENCE,	    ASN1_OPT|ASN1_LOOP	}, /*  5 */
-	{ 3,       "addressPrefix",	    ASN1_BIT_STRING,	ASN1_OPT|ASN1_BODY  }, /*  6 */
-	{ 3,       "end choice",        ASN1_EOC,           ASN1_END            }, /*  7 */
-	{ 3,       "addressRange",      ASN1_SEQUENCE,      ASN1_OPT|ASN1_NONE  }, /*  8 */
-	{ 4,         "min",             ASN1_BIT_STRING,    ASN1_BODY           }, /*  9 */
-	{ 4,         "max",             ASN1_BIT_STRING,    ASN1_BODY           }, /* 10 */
-	{ 3,       "end choice",        ASN1_EOC,           ASN1_END            }, /* 11 */
-	{ 2,     "end opt/loop",        ASN1_EOC,           ASN1_END            }, /* 12 */
+	{ 2,     "addressFamily",		ASN1_OCTET_STRING,	ASN1_BODY			}, /*  2 */
+	{ 2,     "inherit",				ASN1_NULL,			ASN1_OPT|ASN1_NONE	}, /*  3 */
+	{ 2,     "end choice",			ASN1_EOC,			ASN1_END			}, /*  4 */
+	{ 2,     "addressesOrRanges",	ASN1_SEQUENCE,		ASN1_OPT|ASN1_LOOP	}, /*  5 */
+	{ 3,       "addressPrefix",		ASN1_BIT_STRING,	ASN1_OPT|ASN1_BODY  }, /*  6 */
+	{ 3,       "end choice",		ASN1_EOC,			ASN1_END			}, /*  7 */
+	{ 3,       "addressRange",		ASN1_SEQUENCE,		ASN1_OPT|ASN1_NONE	}, /*  8 */
+	{ 4,         "min",				ASN1_BIT_STRING,	ASN1_BODY			}, /*  9 */
+	{ 4,         "max",				ASN1_BIT_STRING,	ASN1_BODY			}, /* 10 */
+	{ 3,       "end choice",		ASN1_EOC,			ASN1_END			}, /* 11 */
+	{ 2,     "end opt/loop",		ASN1_EOC,			ASN1_END			}, /* 12 */
 	{ 0, "end loop",				ASN1_EOC,			ASN1_END			}, /* 13 */
 	{ 0, "exit",					ASN1_EOC,			ASN1_EXIT			}
 };
@@ -1480,18 +1483,20 @@ end:
 		/* check if the certificate is self-signed */
 		if (this->public.interface.interface.issued_by(
 											&this->public.interface.interface,
-											&this->public.interface.interface))
+											&this->public.interface.interface,
+											NULL))
 		{
 			this->flags |= X509_SELF_SIGNED;
 		}
 		/* create certificate hash */
 		hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
-		if (hasher == NULL)
+		if (!hasher ||
+			!hasher->allocate_hash(hasher, this->encoding, &this->encoding_hash))
 		{
+			DESTROY_IF(hasher);
 			DBG1(DBG_ASN, "  unable to create hash of certificate, SHA1 not supported");
 			return FALSE;
 		}
-		hasher->allocate_hash(hasher, this->encoding, &this->encoding_hash);
 		hasher->destroy(hasher);
 	}
 	return success;
@@ -1565,7 +1570,8 @@ METHOD(certificate_t, has_issuer, id_match_t,
 }
 
 METHOD(certificate_t, issued_by, bool,
-	private_x509_cert_t *this, certificate_t *issuer)
+	private_x509_cert_t *this, certificate_t *issuer,
+	signature_scheme_t *schemep)
 {
 	public_key_t *key;
 	signature_scheme_t scheme;
@@ -1609,6 +1615,10 @@ METHOD(certificate_t, issued_by, bool,
 	}
 	valid = key->verify(key, scheme, this->tbsCertificate, this->signature);
 	key->destroy(key);
+	if (valid && schemep)
+	{
+		*schemep = scheme;
+	}
 	return valid;
 }
 
@@ -1994,6 +2004,7 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert,
 	chunk_t subjectKeyIdentifier = chunk_empty, authKeyIdentifier = chunk_empty;
 	chunk_t crlDistributionPoints = chunk_empty, authorityInfoAccess = chunk_empty;
 	chunk_t policyConstraints = chunk_empty, inhibitAnyPolicy = chunk_empty;
+	chunk_t ikeIntermediate = chunk_empty;
 	identification_t *issuer, *subject;
 	chunk_t key_info;
 	signature_scheme_t scheme;
@@ -2107,7 +2118,7 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert,
 							asn1_wrap(ASN1_BIT_STRING, "c", keyUsageBits)));
 	}
 
-	/* add serverAuth extendedKeyUsage flag */
+	/* add extendedKeyUsage flags */
 	if (cert->flags & X509_SERVER_AUTH)
 	{
 		serverAuth = asn1_build_known_oid(OID_SERVER_AUTH);
@@ -2116,20 +2127,24 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert,
 	{
 		clientAuth = asn1_build_known_oid(OID_CLIENT_AUTH);
 	}
-
-	/* add ocspSigning extendedKeyUsage flag */
+	if (cert->flags & X509_IKE_INTERMEDIATE)
+	{
+		ikeIntermediate = asn1_build_known_oid(OID_IKE_INTERMEDIATE);
+	}
 	if (cert->flags & X509_OCSP_SIGNER)
 	{
 		ocspSigning = asn1_build_known_oid(OID_OCSP_SIGNING);
 	}
 
-	if (serverAuth.ptr || clientAuth.ptr || ocspSigning.ptr)
+	if (serverAuth.ptr || clientAuth.ptr || ikeIntermediate.ptr ||
+		ocspSigning.ptr)
 	{
 		extendedKeyUsage = asn1_wrap(ASN1_SEQUENCE, "mm",
 								asn1_build_known_oid(OID_EXTENDED_KEY_USAGE),
 								asn1_wrap(ASN1_OCTET_STRING, "m",
-									asn1_wrap(ASN1_SEQUENCE, "mmm",
-										serverAuth, clientAuth, ocspSigning)));
+									asn1_wrap(ASN1_SEQUENCE, "mmmm",
+										serverAuth, clientAuth, ikeIntermediate,
+										ocspSigning)));
 	}
 
 	/* add subjectKeyIdentifier to CA and OCSP signer certificates */
@@ -2330,11 +2345,12 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert,
 							   asn1_bitstring("c", cert->signature));
 
 	hasher = lib->crypto->create_hasher(lib->crypto, HASH_SHA1);
-	if (!hasher)
+	if (!hasher ||
+		!hasher->allocate_hash(hasher, cert->encoding, &cert->encoding_hash))
 	{
+		DESTROY_IF(hasher);
 		return FALSE;
 	}
-	hasher->allocate_hash(hasher, cert->encoding, &cert->encoding_hash);
 	hasher->destroy(hasher);
 	return TRUE;
 }