]> git.ipfire.org Git - thirdparty/strongswan.git/commitdiff
projects / thirdparty / strongswan.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 920366e)
openssl: Set IKE compliance flag depending on keyUsage
authorTobias Brunner <tobias@strongswan.org>
Wed, 25 Apr 2018 08:51:51 +0000 (10:51 +0200)
committerTobias Brunner <tobias@strongswan.org>
Tue, 22 May 2018 07:50:47 +0000 (09:50 +0200)
src/libstrongswan/plugins/openssl/openssl_x509.c patch | blob | blame | history

diff --git a/src/libstrongswan/plugins/openssl/openssl_x509.c b/src/libstrongswan/plugins/openssl/openssl_x509.c
index 60c08770b2d2355b0e32a8a95d5447c4917cf2da..fae2d678fbe6528e430a9aaa8e3493e9bb1d4242 100644 (file)
--- a/src/libstrongswan/plugins/openssl/openssl_x509.c
+++ b/src/libstrongswan/plugins/openssl/openssl_x509.c
@@ -668,6 +668,9 @@ static bool parse_keyUsage_ext(private_openssl_x509_t *this,
 {
        ASN1_BIT_STRING *usage;
 
+       /* to be compliant with RFC 4945 specific KUs have to be included */
+       this->flags &= ~X509_IKE_COMPLIANT;
+
        usage = X509V3_EXT_d2i(ext);
        if (usage)
        {
@@ -682,6 +685,11 @@ static bool parse_keyUsage_ext(private_openssl_x509_t *this,
                        {
                                this->flags |= X509_CRL_SIGN;
                        }
+                       if (flags & X509v3_KU_DIGITAL_SIGNATURE ||
+                               flags & X509v3_KU_NON_REPUDIATION)
+                       {
+                               this->flags |= X509_IKE_COMPLIANT;
+                       }
                        if (flags & X509v3_KU_KEY_CERT_SIGN)
                        {
                                /* we use the caBasicContraint, MUST be set */
@@ -988,6 +996,9 @@ static bool parse_extensions(private_openssl_x509_t *this)
        STACK_OF(X509_EXTENSION) *extensions;
        int i, num;
 
+       /* unless we see a keyUsage extension we are compliant with RFC 4945 */
+       this->flags |= X509_IKE_COMPLIANT;
+
        extensions = X509_get0_extensions(this->x509);
        if (extensions)
        {
Unnamed repository; edit this file 'description' to name the repository.