authorYves-Alexis Perez <corsac@debian.org>2018-06-04 09:59:21 +0200
committerYves-Alexis Perez <corsac@debian.org>2018-06-04 09:59:21 +0200
commit51a71ee15c1bcf0e82f363a16898f571e211f9c3 (patch)
tree2a03e117d072c55cfe2863d26b73e64d933e7ad8 /src/libstrongswan/plugins/x509
parent7793611ee71b576dd9c66dee327349fa64e38740 (diff)
New upstream version 5.6.3
Diffstat (limited to 'src/libstrongswan/plugins/x509')
-rw-r--r--src/libstrongswan/plugins/x509/x509_ac.h2
-rw-r--r--src/libstrongswan/plugins/x509/x509_cert.c12
-rw-r--r--src/libstrongswan/plugins/x509/x509_cert.h2
-rw-r--r--src/libstrongswan/plugins/x509/x509_crl.c3
-rw-r--r--src/libstrongswan/plugins/x509/x509_crl.h2
-rw-r--r--src/libstrongswan/plugins/x509/x509_ocsp_request.c2
-rw-r--r--src/libstrongswan/plugins/x509/x509_ocsp_request.h2
-rw-r--r--src/libstrongswan/plugins/x509/x509_ocsp_response.h2
-rw-r--r--src/libstrongswan/plugins/x509/x509_plugin.c2
-rw-r--r--src/libstrongswan/plugins/x509/x509_plugin.h2
10 files changed, 20 insertions, 11 deletions
diff --git a/src/libstrongswan/plugins/x509/x509_ac.h b/src/libstrongswan/plugins/x509/x509_ac.h
index da0988c6e..5e74fb80c 100644
--- a/src/libstrongswan/plugins/x509/x509_ac.h
+++ b/src/libstrongswan/plugins/x509/x509_ac.h
@@ -4,7 +4,7 @@
* Copyright (C) 2002-2008 Andreas Steffen
* Copyright (C) 2009 Martin Willi
*
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
diff --git a/src/libstrongswan/plugins/x509/x509_cert.c b/src/libstrongswan/plugins/x509/x509_cert.c
index d1f9d9aac..bc3a44346 100644
--- a/src/libstrongswan/plugins/x509/x509_cert.c
+++ b/src/libstrongswan/plugins/x509/x509_cert.c
@@ -704,6 +704,9 @@ static void parse_keyUsage(chunk_t blob, private_x509_cert_t *this)
KU_DECIPHER_ONLY = 8,
};
+ /* to be compliant with RFC 4945 specific KUs have to be included */
+ this->flags &= ~X509_IKE_COMPLIANT;
+
if (asn1_unwrap(&blob, &blob) == ASN1_BIT_STRING && blob.len)
{
int bit, byte, unused = blob.ptr[0];
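Review bot: The added comment does not name which key usages count, and the flag is cleared before the `asn1_unwrap()` check, so a keyUsage extension that is not a non-empty BIT STRING leaves X509_IKE_COMPLIANT unset. That fail-closed result looks intended but should be stated. I would write `/* RFC 4945: a keyUsage extension must assert digitalSignature or nonRepudiation; cleared here and set again in the switch below, so a malformed extension stays non-compliant */`. parse_keyUsage starts before this hunk and continues past it.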
@@ -724,10 +727,12 @@ static void parse_keyUsage(chunk_t blob, private_x509_cert_t *this)
case KU_CRL_SIGN:
this->flags |= X509_CRL_SIGN;
break;
- case KU_KEY_CERT_SIGN:
- /* we use the caBasicConstraint, MUST be set */
case KU_DIGITAL_SIGNATURE:
case KU_NON_REPUDIATION:
+ this->flags |= X509_IKE_COMPLIANT;
+ break;
+ case KU_KEY_CERT_SIGN:
+ /* we use the caBasicConstraint, MUST be set */
case KU_KEY_ENCIPHERMENT:
case KU_DATA_ENCIPHERMENT:
case KU_KEY_AGREEMENT:
@@ -1381,6 +1386,9 @@ static bool parse_certificate(private_x509_cert_t *this)
parser = asn1_parser_create(certObjects, this->encoding);
+ /* unless we see a keyUsage extension we are compliant with RFC 4945 */
+ this->flags |= X509_IKE_COMPLIANT;
+
while (parser->iterate(parser, &objectID, &object))
{
u_int level = parser->get_level(parser)+1;
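Review bot: X509_IKE_COMPLIANT is assigned only on the parsing path in the lines shown: as the default here, and again in parse_keyUsage() when one of the two accepted bits is present. If certificates that are generated rather than parsed never pass through parse_certificate(), they would not carry the flag, and a policy check that requires it would reject them. That is worth confirming against the generation code, which is outside this diff. The comment could also record the dependency, for example `/* default for certificates without keyUsage; parse_keyUsage() clears the flag and re-derives it */`. parse_certificate starts and ends outside the hunk.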
diff --git a/src/libstrongswan/plugins/x509/x509_cert.h b/src/libstrongswan/plugins/x509/x509_cert.h
index 772117f1c..355b75fcf 100644
--- a/src/libstrongswan/plugins/x509/x509_cert.h
+++ b/src/libstrongswan/plugins/x509/x509_cert.h
@@ -1,6 +1,6 @@
/*
* Copyright (C) 2008-2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
diff --git a/src/libstrongswan/plugins/x509/x509_crl.c b/src/libstrongswan/plugins/x509/x509_crl.c
index 699ac5a39..95cb11cf4 100644
--- a/src/libstrongswan/plugins/x509/x509_crl.c
+++ b/src/libstrongswan/plugins/x509/x509_crl.c
@@ -302,6 +302,7 @@ static bool parse(private_x509_crl_t *this)
}
break;
case OID_AUTHORITY_KEY_ID:
+ chunk_free(&this->authKeyIdentifier);
this->authKeyIdentifier =
x509_parse_authorityKeyIdentifier(
object, level, &this->authKeySerialNumber);
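Review bot: A CRL carrying more than one authorityKeyIdentifier extension is still accepted with last-one-wins semantics; the added `chunk_free()` stops the leak but does not reject the malformed input. If repeated extensions should be treated as a parse error, this case is the place to fail when `this->authKeyIdentifier.ptr` is already set. Whether `authKeySerialNumber`, written through the out parameter on the same call, owns allocated memory is not visible here; if it does, it needs the same release before reassignment. The enclosing switch in parse() starts and ends outside the hunk, so other cases may follow the same pattern.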
@@ -545,7 +546,7 @@ METHOD(certificate_t, get_validity, bool,
{
*not_after = this->nextUpdate;
}
- return (t <= this->nextUpdate);
+ return (t >= this->thisUpdate && t <= this->nextUpdate);
}
METHOD(certificate_t, get_encoding, bool,
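Review bot: The added lower bound makes a CRL whose thisUpdate lies ahead of the local clock report as not valid, so modest clock skew between issuer and verifier can now reject a freshly issued CRL. What callers do with a false return is outside this hunk. If any of them treat it as "no revocation information" and continue, the result would be a skipped revocation check rather than a stricter one, so confirm that the callers fail closed. A comment above the return such as `/* valid only within [thisUpdate, nextUpdate]; not-yet-valid CRLs are rejected */` would document the change. The start of get_validity, including how `t` is chosen, is not visible here.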
diff --git a/src/libstrongswan/plugins/x509/x509_crl.h b/src/libstrongswan/plugins/x509/x509_crl.h
index e8fe74e81..301b1544b 100644
--- a/src/libstrongswan/plugins/x509/x509_crl.h
+++ b/src/libstrongswan/plugins/x509/x509_crl.h
@@ -1,6 +1,6 @@
/*
* Copyright (C) 2008-2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
diff --git a/src/libstrongswan/plugins/x509/x509_ocsp_request.c b/src/libstrongswan/plugins/x509/x509_ocsp_request.c
index de22ab6be..50e3c6160 100644
--- a/src/libstrongswan/plugins/x509/x509_ocsp_request.c
+++ b/src/libstrongswan/plugins/x509/x509_ocsp_request.c
@@ -1,7 +1,7 @@
/*
* Copyright (C) 2008-2009 Martin Willi
* Copyright (C) 2007-2014 Andreas Steffen
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
* Copyright (C) 2003 Christoph Gysin, Simon Zwahlen
*
* This program is free software; you can redistribute it and/or modify it
diff --git a/src/libstrongswan/plugins/x509/x509_ocsp_request.h b/src/libstrongswan/plugins/x509/x509_ocsp_request.h
index 4c0e4b8f2..ca552b9ba 100644
--- a/src/libstrongswan/plugins/x509/x509_ocsp_request.h
+++ b/src/libstrongswan/plugins/x509/x509_ocsp_request.h
@@ -1,6 +1,6 @@
/*
* Copyright (C) 2008-2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
diff --git a/src/libstrongswan/plugins/x509/x509_ocsp_response.h b/src/libstrongswan/plugins/x509/x509_ocsp_response.h
index 7a525626e..90efabe2b 100644
--- a/src/libstrongswan/plugins/x509/x509_ocsp_response.h
+++ b/src/libstrongswan/plugins/x509/x509_ocsp_response.h
@@ -1,6 +1,6 @@
/*
* Copyright (C) 2008-2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
diff --git a/src/libstrongswan/plugins/x509/x509_plugin.c b/src/libstrongswan/plugins/x509/x509_plugin.c
index 54bef7357..1eb56cf00 100644
--- a/src/libstrongswan/plugins/x509/x509_plugin.c
+++ b/src/libstrongswan/plugins/x509/x509_plugin.c
@@ -1,6 +1,6 @@
/*
* Copyright (C) 2008-2009 Martin Willi
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
diff --git a/src/libstrongswan/plugins/x509/x509_plugin.h b/src/libstrongswan/plugins/x509/x509_plugin.h
index e3f959ffa..3857ee313 100644
--- a/src/libstrongswan/plugins/x509/x509_plugin.h
+++ b/src/libstrongswan/plugins/x509/x509_plugin.h
@@ -1,6 +1,6 @@
/*
* Copyright (C) 2008 Martin Willi
- * Hochschule fuer Technik Rapperswil
+ * HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the