x509: Replace problematic calls of chunk_from_chars() for keyUsage extension

As noted in 8ea13bbc5ccd newer compilers might optimize out the
assignment leading to invalid values in the keyUsage extension (as the
length was still set, the extension was encoded, just not with the
intended values).

Fixes #3249.

diff --git a/src/libstrongswan/plugins/x509/x509_cert.c b/src/libstrongswan/plugins/x509/x509_cert.c
index 731170886b66ed4b2725d82f3dbbec4b4f46e418..5a3f83817b3403c169280b1700072923aee8a5bd 100644 (file)
--- a/src/libstrongswan/plugins/x509/x509_cert.c
+++ b/src/libstrongswan/plugins/x509/x509_cert.c
@@ -2198,6 +2198,8 @@ static chunk_t generate_ts(traffic_selector_t *ts)
 static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert,
                                         private_key_t *sign_key, int digest_alg)
 {
+       const chunk_t keyUsageCrlSign = chunk_from_chars(0x01, 0x02);
+       const chunk_t keyUsageCertSignCrlSign = chunk_from_chars(0x01, 0x06);
        chunk_t extensions = chunk_empty, extendedKeyUsage = chunk_empty;
        chunk_t serverAuth = chunk_empty, clientAuth = chunk_empty;
        chunk_t ocspSigning = chunk_empty, certPolicies = chunk_empty;
@@ -2317,11 +2319,11 @@ static bool generate(private_x509_cert_t *cert, certificate_t *sign_cert,
                                                                                                chunk_from_chars(0xFF)),
                                                                                        pathLenConstraint)));
                /* set CertificateSign and implicitly CRLsign */
-               keyUsageBits = chunk_from_chars(0x01, 0x06);
+               keyUsageBits = keyUsageCertSignCrlSign;
        }
        else if (cert->flags & X509_CRL_SIGN)
        {
-               keyUsageBits = chunk_from_chars(0x01, 0x02);
+               keyUsageBits = keyUsageCrlSign;
        }
        if (keyUsageBits.len)
        {