authorYves-Alexis Perez <corsac@debian.org>2013-04-26 14:57:47 +0200
committerYves-Alexis Perez <corsac@debian.org>2013-04-26 14:57:47 +0200
commit10e5fb2b9b2f27c83b3e5a1d048b158d5cf42a43 (patch)
treebf1d05a2e37dbd1911b86fcc026fbe49b0239c71 /src/scepclient
parent7585facf05d927eb6df3929ce09ed5e60d905437 (diff)
Imported Upstream version 5.0.3
Diffstat (limited to 'src/scepclient')
-rw-r--r--src/scepclient/Makefile.in52
-rw-r--r--src/scepclient/scep.c37
-rw-r--r--src/scepclient/scep.h2
-rw-r--r--src/scepclient/scepclient.c24
4 files changed, 84 insertions, 31 deletions
diff --git a/src/scepclient/Makefile.in b/src/scepclient/Makefile.in
index e67c8ebc3..7b11ae171 100644
--- a/src/scepclient/Makefile.in
+++ b/src/scepclient/Makefile.in
@@ -1,4 +1,4 @@
-# Makefile.in generated by automake 1.11.3 from Makefile.am.
+# Makefile.in generated by automake 1.11.6 from Makefile.am.
# @configure_input@
# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002,
@@ -16,6 +16,23 @@
@SET_MAKE@
VPATH = @srcdir@
+am__make_dryrun = \
+ { \
+ am__dry=no; \
+ case $$MAKEFLAGS in \
+ *\\[\ \ ]*) \
+ echo 'am--echo: ; @echo "AM" OK' | $(MAKE) -f - 2>/dev/null \
+ | grep '^AM OK$$' >/dev/null || am__dry=yes;; \
+ *) \
+ for am__flg in $$MAKEFLAGS; do \
+ case $$am__flg in \
+ *=*|--*) ;; \
+ *n*) am__dry=yes; break;; \
+ esac; \
+ done;; \
+ esac; \
+ test $$am__dry = yes; \
+ }
pkgdatadir = $(datadir)/@PACKAGE@
pkgincludedir = $(includedir)/@PACKAGE@
pkglibdir = $(libdir)/@PACKAGE@
@@ -75,6 +92,11 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \
$(LDFLAGS) -o $@
SOURCES = $(scepclient_SOURCES)
DIST_SOURCES = $(scepclient_SOURCES)
+am__can_run_installinfo = \
+ case $$AM_UPDATE_INFO_DIR in \
+ n|no|NO) false;; \
+ *) (install-info --version) >/dev/null 2>&1;; \
+ esac
am__vpath_adj_setup = srcdirstrip=`echo "$(srcdir)" | sed 's|.|.|g'`;
am__vpath_adj = case $$p in \
$(srcdir)/*) f=`echo "$$p" | sed "s|^$$srcdirstrip/||"`;; \
@@ -121,6 +143,8 @@ BTLIB = @BTLIB@
CC = @CC@
CCDEPMODE = @CCDEPMODE@
CFLAGS = @CFLAGS@
+CHECK_CFLAGS = @CHECK_CFLAGS@
+CHECK_LIBS = @CHECK_LIBS@
CPP = @CPP@
CPPFLAGS = @CPPFLAGS@
CYGPATH_W = @CYGPATH_W@
@@ -137,6 +161,7 @@ EGREP = @EGREP@
EXEEXT = @EXEEXT@
FGREP = @FGREP@
GPERF = @GPERF@
+GPRBUILD = @GPRBUILD@
GREP = @GREP@
INSTALL = @INSTALL@
INSTALL_DATA = @INSTALL_DATA@
@@ -205,8 +230,6 @@ am__quote = @am__quote@
am__tar = @am__tar@
am__untar = @am__untar@
attest_plugins = @attest_plugins@
-axis2c_CFLAGS = @axis2c_CFLAGS@
-axis2c_LIBS = @axis2c_LIBS@
bindir = @bindir@
build = @build@
build_alias = @build_alias@
@@ -262,7 +285,6 @@ nm_ca_dir = @nm_ca_dir@
nm_plugins = @nm_plugins@
oldincludedir = @oldincludedir@
openac_plugins = @openac_plugins@
-p_plugins = @p_plugins@
pcsclite_CFLAGS = @pcsclite_CFLAGS@
pcsclite_LIBS = @pcsclite_LIBS@
pdfdir = @pdfdir@
@@ -347,8 +369,11 @@ $(ACLOCAL_M4): $(am__aclocal_m4_deps)
$(am__aclocal_m4_deps):
install-ipsecPROGRAMS: $(ipsec_PROGRAMS)
@$(NORMAL_INSTALL)
- test -z "$(ipsecdir)" || $(MKDIR_P) "$(DESTDIR)$(ipsecdir)"
@list='$(ipsec_PROGRAMS)'; test -n "$(ipsecdir)" || list=; \
+ if test -n "$$list"; then \
+ echo " $(MKDIR_P) '$(DESTDIR)$(ipsecdir)'"; \
+ $(MKDIR_P) "$(DESTDIR)$(ipsecdir)" || exit 1; \
+ fi; \
for p in $$list; do echo "$$p $$p"; done | \
sed 's/$(EXEEXT)$$//' | \
while read p p1; do if test -f $$p || test -f $$p1; \
@@ -429,11 +454,18 @@ clean-libtool:
-rm -rf .libs _libs
install-man8: $(dist_man_MANS)
@$(NORMAL_INSTALL)
- test -z "$(man8dir)" || $(MKDIR_P) "$(DESTDIR)$(man8dir)"
- @list=''; test -n "$(man8dir)" || exit 0; \
- { for i in $$list; do echo "$$i"; done; \
- l2='$(dist_man_MANS)'; for i in $$l2; do echo "$$i"; done | \
- sed -n '/\.8[a-z]*$$/p'; \
+ @list1=''; \
+ list2='$(dist_man_MANS)'; \
+ test -n "$(man8dir)" \
+ && test -n "`echo $$list1$$list2`" \
+ || exit 0; \
+ echo " $(MKDIR_P) '$(DESTDIR)$(man8dir)'"; \
+ $(MKDIR_P) "$(DESTDIR)$(man8dir)" || exit 1; \
+ { for i in $$list1; do echo "$$i"; done; \
+ if test -n "$$list2"; then \
+ for i in $$list2; do echo "$$i"; done \
+ | sed -n '/\.8[a-z]*$$/p'; \
+ fi; \
} | while read p; do \
if test -f $$p; then d=; else d="$(srcdir)/"; fi; \
echo "$$d$$p"; echo "$$p"; \
diff --git a/src/scepclient/scep.c b/src/scepclient/scep.c
index f2090274c..3fdcd6c28 100644
--- a/src/scepclient/scep.c
+++ b/src/scepclient/scep.c
@@ -151,8 +151,7 @@ void scep_generate_transaction_id(public_key_t *key, chunk_t *transID,
chunk_t digest = chunk_alloca(HASH_SIZE_MD5);
chunk_t keyEncoding = chunk_empty, keyInfo;
hasher_t *hasher;
- bool msb_set;
- u_char *pos;
+ int zeros = 0, msb_set = 0;
key->get_encoding(key, PUBKEY_ASN1_DER, &keyEncoding);
@@ -168,20 +167,27 @@ void scep_generate_transaction_id(public_key_t *key, chunk_t *transID,
DESTROY_IF(hasher);
free(keyInfo.ptr);
- /* is the most significant bit of the digest set? */
- msb_set = (*digest.ptr & 0x80) == 0x80;
-
- /* allocate space for the serialNumber */
- serialNumber->len = msb_set + digest.len;
- serialNumber->ptr = malloc(serialNumber->len);
-
- /* the serial number as the two's complement of the digest */
- pos = serialNumber->ptr;
+ /* the serialNumber should be valid ASN1 integer content:
+ * remove leading zeros, add one if MSB is set (two's complement) */
+ while (zeros < digest.len)
+ {
+ if (digest.ptr[zeros])
+ {
+ if (digest.ptr[zeros] & 0x80)
+ {
+ msb_set = 1;
+ }
+ break;
+ }
+ zeros++;
+ }
+ *serialNumber = chunk_alloc(digest.len - zeros + msb_set);
if (msb_set)
{
- *pos++ = 0x00;
+ serialNumber->ptr[0] = 0x00;
}
- memcpy(pos, digest.ptr, digest.len);
+ memcpy(serialNumber->ptr + msb_set, digest.ptr + zeros,
+ digest.len - zeros);
/* the transaction id is the serial number in hex format */
*transID = chunk_to_hex(digest, NULL, TRUE);
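Review bot: The zero-stripping loop can consume the whole digest: if every byte is zero, `zeros` reaches `digest.len` and `chunk_alloc(digest.len - zeros + msb_set)` yields a zero-length serialNumber, which is not valid ASN.1 INTEGER content. That is very unlikely for a hash output, but keeping the last byte makes the invariant hold unconditionally, e.g. `while (zeros < digest.len - 1 && !digest.ptr[zeros]) zeros++;` followed by `msb_set = (digest.ptr[zeros] & 0x80) != 0;`. Note also that `zeros` is an `int` compared against `digest.len`, which mixes signed and unsigned if `len` is a `size_t`; declaring `zeros` as `size_t` would avoid that. The trailing comment says the transaction id is the serial number in hex, yet `chunk_to_hex()` is fed `digest`, so the two now differ whenever bytes are stripped or a 0x00 is prepended; the comment should say the id is the hex of the raw digest. The function body starts and ends outside this hunk.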
@@ -333,7 +339,7 @@ static char* escape_http_request(chunk_t req)
* Send a SCEP request via HTTP and wait for a response
*/
bool scep_http_request(const char *url, chunk_t msg, scep_op_t op,
- bool http_get_request, chunk_t *response)
+ bool http_get_request, u_int timeout, chunk_t *response)
{
int len;
status_t status;
@@ -361,6 +367,7 @@ bool scep_http_request(const char *url, chunk_t msg, scep_op_t op,
status = lib->fetcher->fetch(lib->fetcher, complete_url, response,
FETCH_HTTP_VERSION_1_0,
+ FETCH_TIMEOUT, timeout,
FETCH_REQUEST_HEADER, "Pragma:",
FETCH_REQUEST_HEADER, "Host:",
FETCH_REQUEST_HEADER, "Accept:",
@@ -375,6 +382,7 @@ bool scep_http_request(const char *url, chunk_t msg, scep_op_t op,
status = lib->fetcher->fetch(lib->fetcher, complete_url, response,
FETCH_HTTP_VERSION_1_0,
+ FETCH_TIMEOUT, timeout,
FETCH_REQUEST_DATA, msg,
FETCH_REQUEST_TYPE, "",
FETCH_REQUEST_HEADER, "Expect:",
@@ -403,6 +411,7 @@ bool scep_http_request(const char *url, chunk_t msg, scep_op_t op,
status = lib->fetcher->fetch(lib->fetcher, complete_url, response,
FETCH_HTTP_VERSION_1_0,
+ FETCH_TIMEOUT, timeout,
FETCH_END);
}
diff --git a/src/scepclient/scep.h b/src/scepclient/scep.h
index 30551d2db..ec8fa6515 100644
--- a/src/scepclient/scep.h
+++ b/src/scepclient/scep.h
@@ -79,7 +79,7 @@ chunk_t scep_build_request(chunk_t data, chunk_t transID, scep_msg_t msg,
size_t key_size, certificate_t *signer_cert,
hash_algorithm_t digest_alg, private_key_t *private_key);
bool scep_http_request(const char *url, chunk_t message, scep_op_t op,
- bool http_get_request, chunk_t *response);
+ bool http_get_request, u_int timeout, chunk_t *response);
err_t scep_parse_response(chunk_t response, chunk_t transID,
container_t **out, scep_attributes_t *attrs);
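Review bot: The new `timeout` parameter of `scep_http_request()` is added to the prototype without any statement of its unit or of what a zero value means. Seconds is only implied by the "default: 30s" text in scepclient.c, and callers of this header cannot see that. Suggest a comment above the declaration such as `/* timeout: HTTP fetch timeout in seconds, passed to the fetcher as FETCH_TIMEOUT */`, and a note on whether 0 disables the timeout once that is confirmed against the fetcher implementation.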
diff --git a/src/scepclient/scepclient.c b/src/scepclient/scepclient.c
index 83b5d6219..26f210d12 100644
--- a/src/scepclient/scepclient.c
+++ b/src/scepclient/scepclient.c
@@ -113,6 +113,9 @@ long crl_check_interval = 0;
/* by default pluto logs out after every smartcard use */
bool pkcs11_keep_state = FALSE;
+/* by default HTTP fetch timeout is 30s */
+static u_int http_timeout = 30;
+
/* options read by optionsfrom */
options_t *options;
@@ -344,6 +347,7 @@ static void usage(const char *message)
" - if no filename is given, default is used\n"
" --optionsfrom (-+) <filename> reads additional options from given file\n"
" --force (-f) force existing file(s)\n"
+ " --httptimeout (-T) timeout for HTTP operations (default: 30s)\n"
"\n"
"Options for key generation (pkcs1):\n"
" --keylength (-k) <bits> key length for RSA key generation\n"
@@ -518,6 +522,7 @@ int main(int argc, char **argv)
{ "in", required_argument, NULL, 'i' },
{ "out", required_argument, NULL, 'o' },
{ "force", no_argument, NULL, 'f' },
+ { "httptimeout", required_argument, NULL, 'T' },
{ "keylength", required_argument, NULL, 'k' },
{ "dn", required_argument, NULL, 'd' },
{ "days", required_argument, NULL, 'D' },
@@ -662,6 +667,14 @@ int main(int argc, char **argv)
force = TRUE;
continue;
+ case 'T': /* --httptimeout */
+ http_timeout = atoi(optarg);
+ if (http_timeout <= 0)
+ {
+ usage("invalid httptimeout specified");
+ }
+ continue;
+
case '+': /* --optionsfrom <filename> */
if (!options->from(options, optarg, &argc, &argv, optind))
{
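Review bot: The `--httptimeout` check in `case 'T'` does not reject negative or malformed input, because `http_timeout` is a `u_int`: `http_timeout <= 0` is only true for 0, so `-T -1` becomes a huge timeout that effectively disables the limit this option is meant to enforce. `atoi()` also accepts trailing garbage (`30abc`) and has undefined behaviour on overflow. Parsing with `strtol()` into a signed local and range-checking before the assignment closes both gaps (needs `<errno.h>` and `<limits.h>` if the file does not already include them). Separately, the short form `-T` only works if the `getopt_long()` optstring gained `T:`; that string is outside the hunks shown, so it is worth confirming. `main()` begins and ends outside this hunk.

```c
			case 'T':	/* --httptimeout */
			{
				char *end;
				long val;

				errno = 0;
				val = strtol(optarg, &end, 10);
				if (errno || end == optarg || *end != '\0' ||
					val <= 0 || (unsigned long)val > UINT_MAX)
				{
					usage("invalid httptimeout specified");
				}
				http_timeout = (u_int)val;
				continue;
			}
			/* … unchanged: case '+' (--optionsfrom) … */
```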
@@ -939,7 +952,8 @@ int main(int argc, char **argv)
pkcs7_t *pkcs7;
if (!scep_http_request(scep_url, chunk_create(ca_name, strlen(ca_name)),
- SCEP_GET_CA_CERT, http_get_request, &scep_response))
+ SCEP_GET_CA_CERT, http_get_request,
+ http_timeout, &scep_response))
{
exit_scepclient("did not receive a valid scep response");
}
@@ -1317,7 +1331,7 @@ int main(int argc, char **argv)
creds->add_cert(creds, TRUE, x509_ca_sig->get_ref(x509_ca_sig));
if (!scep_http_request(scep_url, pkcs7, SCEP_PKI_OPERATION,
- http_get_request, &scep_response))
+ http_get_request, http_timeout, &scep_response))
{
exit_scepclient("did not receive a valid scep response");
}
@@ -1337,7 +1351,7 @@ int main(int argc, char **argv)
poll_start = time_monotonic(NULL);
issuerAndSubject = asn1_wrap(ASN1_SEQUENCE, "cc",
issuer->get_encoding(issuer),
- subject);
+ subject->get_encoding(subject));
}
while (attrs.pkiStatus == SCEP_PENDING)
{
@@ -1367,7 +1381,7 @@ int main(int argc, char **argv)
exit_scepclient("failed to build scep request");
}
if (!scep_http_request(scep_url, getCertInitial, SCEP_PKI_OPERATION,
- http_get_request, &scep_response))
+ http_get_request, http_timeout, &scep_response))
{
exit_scepclient("did not receive a valid scep response");
}
@@ -1458,5 +1472,3 @@ int main(int argc, char **argv)
exit_scepclient(NULL);
return -1; /* should never be reached */
}
-
-