diff options
author | Leonardo Arena <rnalrd@alpinelinux.org> | 2017-06-15 11:56:26 +0000 |
---|---|---|
committer | Leonardo Arena <rnalrd@alpinelinux.org> | 2017-06-15 12:04:30 +0000 |
commit | 73c141f3470739c757e59dc00b5a6c58861f9365 (patch) | |
tree | 67a30a690ecf833e3267fca5a1f98a5ca37ef7ae | |
parent | 9ee60284bf43844b66bb000070cc8cff672140a1 (diff) | |
download | aports-73c141f3470739c757e59dc00b5a6c58861f9365.tar.bz2 aports-73c141f3470739c757e59dc00b5a6c58861f9365.tar.xz |
main/strongswan: security fixes (CVE-2017-9022, CVE-2017-9023)
-rw-r--r-- | main/strongswan/APKBUILD | 20 | ||||
-rw-r--r-- | main/strongswan/CVE-2017-9022.patch | 41 | ||||
-rw-r--r-- | main/strongswan/CVE-2017-9023.patch | 375 |
3 files changed, 433 insertions, 3 deletions
diff --git a/main/strongswan/APKBUILD b/main/strongswan/APKBUILD index b351751f58..063155ac16 100644 --- a/main/strongswan/APKBUILD +++ b/main/strongswan/APKBUILD @@ -3,7 +3,7 @@ pkgname=strongswan pkgver=5.3.5 _pkgver=${pkgver//_rc/rc} -pkgrel=1 +pkgrel=2 pkgdesc="IPsec-based VPN solution focused on security and ease of use, supporting IKEv1/IKEv2 and MOBIKE" url="http://www.strongswan.org/" arch="all" @@ -23,11 +23,19 @@ source="http://download.strongswan.org/$pkgname-$_pkgver.tar.bz2 1003-vici-add-support-for-individual-sa-state-changes.patch 1004-vici-support-asynchronous-initiation.patch 2001-support-gre-key-in-ikev1.patch + CVE-2017-9022.patch + CVE-2017-9023.patch strongswan.initd - charon.initd" - + charon.initd + " _builddir="$srcdir/$pkgname-$_pkgver" + +# secfixes: +# 5.3.5-r2: +# - CVE-2017-9022 +# - CVE-2017-9023 + prepare() { local i cd "$srcdir/$pkgname-$_pkgver" @@ -121,6 +129,8 @@ md5sums="a2f9ea185f27e7f8413d4cd2ee61efe4 strongswan-5.3.5.tar.bz2 2fb36e79e83640044d0010fd23db27bf 1003-vici-add-support-for-individual-sa-state-changes.patch 12089aa81c7bdd472d1be27371e0effe 1004-vici-support-asynchronous-initiation.patch ccb77ee342e1b3108a49262549bbbf36 2001-support-gre-key-in-ikev1.patch +e86511ed5f224224cc479d34d7690f51 CVE-2017-9022.patch +54049b04a17893f0042509b1f5751bfe CVE-2017-9023.patch 72a956819c451931d3d31a528a0d1b9c strongswan.initd a7993f28e4eacc61f51722044645587e charon.initd" sha256sums="2c84b663da652b1ff180a1a73c24a3d7b9fc4b9b8ba6bd07f94a1e33092e6350 strongswan-5.3.5.tar.bz2 @@ -130,6 +140,8 @@ sha256sums="2c84b663da652b1ff180a1a73c24a3d7b9fc4b9b8ba6bd07f94a1e33092e6350 st 55418460a0fde9429b1f2f0138a3723f9b0a51502fd5eb71329fb6d945a585d7 1003-vici-add-support-for-individual-sa-state-changes.patch 15954f7b3b357806f32bc1cfc1afd6a0832e97bffc2bfc3aee4b522016f3aa51 1004-vici-support-asynchronous-initiation.patch bbdbc73ba6cafaaab1ea303eec6d026ebb50ecd12b7c32be0b4dfeaf8ae24245 2001-support-gre-key-in-ikev1.patch +f5ba7f46cf7ae81dd81bc86f9e4cfa0c5c7c6987149b3bc9c0b8bf08598a1063 CVE-2017-9022.patch +03db8c7a4133e877e8992e155c046dd27ec4810d50f239abf55595f0280caf31 CVE-2017-9023.patch fdb781fa59700ca83b9fd2f2ff0b9c45467448ebd82da96286b3e2aa477ef7f4 strongswan.initd 7bcc57e4a778f87645c6b9d76ba2c04e1c11c326bc9a4968561788711c7fe58a charon.initd" sha512sums="4e6dd124d9a73ad5baf08998a284aba5c02c9dc79e4377e2cbd14c285d1df8e29c0548d347a0fdfa19341b1ae27b560ae9d8d25260898630351230b11c6eb2bb strongswan-5.3.5.tar.bz2 @@ -139,5 +151,7 @@ dd6d8bad4de89d77d92c93c890935880eaa55dc056eac92100fe034c1c045e0771995db58f9787a9 4c538557b21621ebcdac6d57a3e9997e1c3780c926eea28f0d3b762826dddc9f1e748cee6fe136f6b568f4c49740e2262110fe4038030463d1b9ee1b6f658154 1003-vici-add-support-for-individual-sa-state-changes.patch 82ac04c4f093e19f031538de3da7632d7126f87fcbffb41461022a707f89c24f9388b1ba71138572f7a437065f6347cfabd86474884c86ffff50267facfc580d 1004-vici-support-asynchronous-initiation.patch 0e554a6117f51a564a1b269c9ed2f2858d22ef61df483e2eb09997a3075444deb10df9d0cc8b9ddbe2bb2f740640860c21b1492a9ec28657844fa9c41b822bfc 2001-support-gre-key-in-ikev1.patch +667bbce53de819ac1c885d451b821520d70384d9c4d6d437c6bac571b9e5ab0a74344249aa967f625f4665bcd3d9d2cb62b465838d68aea2dae5e4f52e3e64fd CVE-2017-9022.patch +44bc2802bf5bf093e3ea17fedc7b50d3ee3d7bf22c097b02a368c9ddf9772e2c13efe72c8b41ff173d2ef4c80cd1981a3db892c5cb2f05ccac627b294cde3e3d CVE-2017-9023.patch 8b61e3ffbb39b837733e602ec329e626dc519bf7308d3d4192b497d18f38176789d23ef5afec51f8463ee1ddaf4d74546b965c03184132e217cbc27017e886c9 strongswan.initd 1c44c801f66305c0331f76e580c0d60f1b7d5cd3cc371be55826b06c3899f542664628a912a7fb48626e34d864f72ca5dcd34b2f0d507c4f19c510d0047054c1 charon.initd" diff --git a/main/strongswan/CVE-2017-9022.patch b/main/strongswan/CVE-2017-9022.patch new file mode 100644 index 0000000000..99319fc611 --- /dev/null +++ b/main/strongswan/CVE-2017-9022.patch @@ -0,0 +1,41 @@ +From 1bf67b900fb4955a0b09f3c1cbe1ce7177adbe2f Mon Sep 17 00:00:00 2001 +From: Tobias Brunner <tobias@strongswan.org> +Date: Wed, 29 Mar 2017 11:26:24 +0200 +Subject: [PATCH] gmp: Make sure the modulus is odd and the exponent not zero + +Unlike mpz_powm() its secure replacement mpz_powm_sec() has the additional +requirement that the exponent must be > 0 and the modulus has to be odd. +Otherwise, it will crash with a floating-point exception. + +Fixes: CVE-2017-9022 +--- + src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c b/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c +index 2b2c7f249590..32a72ac9600b 100644 +--- a/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c ++++ b/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c +@@ -475,7 +475,7 @@ gmp_rsa_public_key_t *gmp_rsa_public_key_load(key_type_t type, va_list args) + } + break; + } +- if (!e.ptr || !n.ptr) ++ if (!e.len || !n.len || (n.ptr[n.len-1] & 0x01) == 0) + { + return NULL; + } +@@ -506,5 +506,10 @@ gmp_rsa_public_key_t *gmp_rsa_public_key_load(key_type_t type, va_list args) + + this->k = (mpz_sizeinbase(this->n, 2) + 7) / BITS_PER_BYTE; + ++ if (!mpz_sgn(this->e)) ++ { ++ destroy(this); ++ return NULL; ++ } + return &this->public; + } +-- +1.9.1 + diff --git a/main/strongswan/CVE-2017-9023.patch b/main/strongswan/CVE-2017-9023.patch new file mode 100644 index 0000000000..ed1b36c843 --- /dev/null +++ b/main/strongswan/CVE-2017-9023.patch @@ -0,0 +1,375 @@ +From e3d4fe2be3bda0d9acc985a6cd67efe249d8326c Mon Sep 17 00:00:00 2001 +From: Andreas Steffen <andreas.steffen@strongswan.org> +Date: Fri, 5 May 2017 09:01:08 +0200 +Subject: [PATCH] asn1-parser: Fix CHOICE parsing + +Also fixes the application in the x509 plugin and the parsing of +nameConstraints, which doesn't require a loop. + +Fixes: CVE-2017-9023 +--- + src/libstrongswan/asn1/asn1_parser.c | 70 +++++++++++++++--- + src/libstrongswan/asn1/asn1_parser.h | 27 +++---- + src/libstrongswan/plugins/x509/x509_cert.c | 115 +++++++++++++++-------------- + 3 files changed, 135 insertions(+), 77 deletions(-) + +diff --git a/src/libstrongswan/asn1/asn1_parser.c b/src/libstrongswan/asn1/asn1_parser.c +index e7b7a428d9a2..4d5f799b73a9 100644 +--- a/src/libstrongswan/asn1/asn1_parser.c ++++ b/src/libstrongswan/asn1/asn1_parser.c +@@ -1,8 +1,7 @@ + /* + * Copyright (C) 2006 Martin Will +- * Copyright (C) 2000-2008 Andreas Steffen +- * +- * Hochschule fuer Technik Rapperswil ++ * Copyright (C) 2000-2017 Andreas Steffen ++ * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the +@@ -76,12 +75,18 @@ struct private_asn1_parser_t { + * Current parsing pointer for each level + */ + chunk_t blobs[ASN1_MAX_LEVEL + 2]; ++ ++ /** ++ * Parsing a CHOICE on the current level ? ++ */ ++ bool choice[ASN1_MAX_LEVEL + 2]; ++ + }; + + METHOD(asn1_parser_t, iterate, bool, + private_asn1_parser_t *this, int *objectID, chunk_t *object) + { +- chunk_t *blob, *blob1; ++ chunk_t *blob, *blob1, blob_ori; + u_char *start_ptr; + u_int level; + asn1Object_t obj; +@@ -97,7 +102,7 @@ METHOD(asn1_parser_t, iterate, bool, + return FALSE; + } + +- if (obj.flags & ASN1_END) /* end of loop or option found */ ++ if (obj.flags & ASN1_END) /* end of loop or choice or option found */ + { + if (this->loopAddr[obj.level] && this->blobs[obj.level+1].len > 0) + { +@@ -106,13 +111,42 @@ METHOD(asn1_parser_t, iterate, bool, + } + else + { +- this->loopAddr[obj.level] = 0; /* exit loop or option*/ ++ this->loopAddr[obj.level] = 0; /* exit loop */ ++ ++ if (obj.flags & ASN1_CHOICE) /* end of choices */ ++ { ++ if (this->choice[obj.level+1]) ++ { ++ DBG1(DBG_ASN, "L%d - %s: incorrect choice encoding", ++ this->level0 + obj.level, obj.name); ++ this->success = FALSE; ++ goto end; ++ } ++ } ++ ++ if (obj.flags & ASN1_CH) /* end of choice */ ++ { ++ /* parsed a valid choice */ ++ this->choice[obj.level] = FALSE; ++ ++ /* advance to end of choices */ ++ do ++ { ++ this->line++; ++ } ++ while (!((this->objects[this->line].flags & ASN1_END) && ++ (this->objects[this->line].flags & ASN1_CHOICE) && ++ (this->objects[this->line].level == obj.level-1))); ++ this->line--; ++ } ++ + goto end; + } + } + + level = this->level0 + obj.level; + blob = this->blobs + obj.level; ++ blob_ori = *blob; + blob1 = blob + 1; + start_ptr = blob->ptr; + +@@ -129,7 +163,6 @@ METHOD(asn1_parser_t, iterate, bool, + } + + /* handle ASN.1 options */ +- + if ((obj.flags & ASN1_OPT) + && (blob->len == 0 || *start_ptr != obj.type)) + { +@@ -144,7 +177,6 @@ METHOD(asn1_parser_t, iterate, bool, + } + + /* an ASN.1 object must possess at least a tag and length field */ +- + if (blob->len < 2) + { + DBG1(DBG_ASN, "L%d - %s: ASN.1 object smaller than 2 octets", +@@ -167,8 +199,16 @@ METHOD(asn1_parser_t, iterate, bool, + blob->ptr += blob1->len; + blob->len -= blob1->len; + +- /* return raw ASN.1 object without prior type checking */ ++ /* handle ASN.1 choice without explicit context encoding */ ++ if ((obj.flags & ASN1_CHOICE) && obj.type == ASN1_EOC) ++ { ++ DBG2(DBG_ASN, "L%d - %s:", level, obj.name); ++ this->choice[obj.level+1] = TRUE; ++ *blob1 = blob_ori; ++ goto end; ++ } + ++ /* return raw ASN.1 object without prior type checking */ + if (obj.flags & ASN1_RAW) + { + DBG2(DBG_ASN, "L%d - %s:", level, obj.name); +@@ -209,6 +249,18 @@ METHOD(asn1_parser_t, iterate, bool, + } + } + ++ /* In case of a "CHOICE" start to scan for exactly one valid choice */ ++ if (obj.flags & ASN1_CHOICE) ++ { ++ if (blob1->len == 0) ++ { ++ DBG1(DBG_ASN, "L%d - %s: contains no choice", level, obj.name); ++ this->success = FALSE; ++ goto end; ++ } ++ this->choice[obj.level+1] = TRUE; ++ } ++ + if (obj.flags & ASN1_OBJ) + { + object->ptr = start_ptr; +diff --git a/src/libstrongswan/asn1/asn1_parser.h b/src/libstrongswan/asn1/asn1_parser.h +index 0edc22c2378c..2ee1e892fc16 100644 +--- a/src/libstrongswan/asn1/asn1_parser.h ++++ b/src/libstrongswan/asn1/asn1_parser.h +@@ -1,8 +1,7 @@ + /* + * Copyright (C) 2006 Martin Will +- * Copyright (C) 2000-2008 Andreas Steffen +- * +- * Hochschule fuer Technik Rapperswil ++ * Copyright (C) 2000-2017 Andreas Steffen ++ * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the +@@ -32,15 +31,17 @@ + /** + * Definition of ASN.1 flags + */ +-#define ASN1_NONE 0x00 +-#define ASN1_DEF 0x01 +-#define ASN1_OPT 0x02 +-#define ASN1_LOOP 0x04 +-#define ASN1_END 0x08 +-#define ASN1_OBJ 0x10 +-#define ASN1_BODY 0x20 +-#define ASN1_RAW 0x40 +-#define ASN1_EXIT 0x80 ++#define ASN1_NONE 0x0000 ++#define ASN1_DEF 0x0001 ++#define ASN1_OPT 0x0002 ++#define ASN1_LOOP 0x0004 ++#define ASN1_CHOICE 0x0008 ++#define ASN1_CH 0x0010 ++#define ASN1_END 0x0020 ++#define ASN1_OBJ 0x0040 ++#define ASN1_BODY 0x0080 ++#define ASN1_RAW 0x0100 ++#define ASN1_EXIT 0x0200 + + typedef struct asn1Object_t asn1Object_t; + +@@ -51,7 +52,7 @@ struct asn1Object_t{ + u_int level; + const u_char *name; + asn1_t type; +- u_char flags; ++ uint16_t flags; + }; + + typedef struct asn1_parser_t asn1_parser_t; +diff --git a/src/libstrongswan/plugins/x509/x509_cert.c b/src/libstrongswan/plugins/x509/x509_cert.c +index b3d90c5f61ef..f9573e953cbf 100644 +--- a/src/libstrongswan/plugins/x509/x509_cert.c ++++ b/src/libstrongswan/plugins/x509/x509_cert.c +@@ -2,10 +2,10 @@ + * Copyright (C) 2000 Andreas Hess, Patric Lichtsteiner, Roger Wegmann + * Copyright (C) 2001 Marco Bertossa, Andreas Schleiss + * Copyright (C) 2002 Mario Strasser +- * Copyright (C) 2000-2006 Andreas Steffen ++ * Copyright (C) 2000-2017 Andreas Steffen + * Copyright (C) 2006-2009 Martin Willi + * Copyright (C) 2008 Tobias Brunner +- * Hochschule fuer Technik Rapperswil ++ * HSR Hochschule fuer Technik Rapperswil + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the +@@ -789,20 +789,20 @@ static bool parse_extendedKeyUsage(chunk_t blob, int level0, + * ASN.1 definition of crlDistributionPoints + */ + static const asn1Object_t crlDistributionPointsObjects[] = { +- { 0, "crlDistributionPoints", ASN1_SEQUENCE, ASN1_LOOP }, /* 0 */ +- { 1, "DistributionPoint", ASN1_SEQUENCE, ASN1_NONE }, /* 1 */ +- { 2, "distributionPoint", ASN1_CONTEXT_C_0, ASN1_OPT|ASN1_LOOP }, /* 2 */ +- { 3, "fullName", ASN1_CONTEXT_C_0, ASN1_OPT|ASN1_OBJ }, /* 3 */ +- { 3, "end choice", ASN1_EOC, ASN1_END }, /* 4 */ +- { 3, "nameRelToCRLIssuer",ASN1_CONTEXT_C_1, ASN1_OPT|ASN1_BODY }, /* 5 */ +- { 3, "end choice", ASN1_EOC, ASN1_END }, /* 6 */ +- { 2, "end opt", ASN1_EOC, ASN1_END }, /* 7 */ +- { 2, "reasons", ASN1_CONTEXT_C_1, ASN1_OPT|ASN1_BODY }, /* 8 */ +- { 2, "end opt", ASN1_EOC, ASN1_END }, /* 9 */ +- { 2, "crlIssuer", ASN1_CONTEXT_C_2, ASN1_OPT|ASN1_OBJ }, /* 10 */ +- { 2, "end opt", ASN1_EOC, ASN1_END }, /* 11 */ +- { 0, "end loop", ASN1_EOC, ASN1_END }, /* 12 */ +- { 0, "exit", ASN1_EOC, ASN1_EXIT } ++ { 0, "crlDistributionPoints", ASN1_SEQUENCE, ASN1_LOOP }, /* 0 */ ++ { 1, "DistributionPoint", ASN1_SEQUENCE, ASN1_NONE }, /* 1 */ ++ { 2, "distributionPoint", ASN1_CONTEXT_C_0, ASN1_OPT|ASN1_CHOICE }, /* 2 */ ++ { 3, "fullName", ASN1_CONTEXT_C_0, ASN1_OPT|ASN1_OBJ }, /* 3 */ ++ { 3, "end choice", ASN1_EOC, ASN1_END|ASN1_CH }, /* 4 */ ++ { 3, "nameRelToCRLIssuer",ASN1_CONTEXT_C_1, ASN1_OPT|ASN1_BODY }, /* 5 */ ++ { 3, "end choice", ASN1_EOC, ASN1_END|ASN1_CH }, /* 6 */ ++ { 2, "end opt/choices", ASN1_EOC, ASN1_END|ASN1_CHOICE }, /* 7 */ ++ { 2, "reasons", ASN1_CONTEXT_C_1, ASN1_OPT|ASN1_BODY }, /* 8 */ ++ { 2, "end opt", ASN1_EOC, ASN1_END }, /* 9 */ ++ { 2, "crlIssuer", ASN1_CONTEXT_C_2, ASN1_OPT|ASN1_OBJ }, /* 10 */ ++ { 2, "end opt", ASN1_EOC, ASN1_END }, /* 11 */ ++ { 0, "end loop", ASN1_EOC, ASN1_END }, /* 12 */ ++ { 0, "exit", ASN1_EOC, ASN1_EXIT } + }; + #define CRL_DIST_POINTS 1 + #define CRL_DIST_POINTS_FULLNAME 3 +@@ -910,14 +910,13 @@ end: + * ASN.1 definition of nameConstraints + */ + static const asn1Object_t nameConstraintsObjects[] = { +- { 0, "nameConstraints", ASN1_SEQUENCE, ASN1_LOOP }, /* 0 */ ++ { 0, "nameConstraints", ASN1_SEQUENCE, ASN1_NONE }, /* 0 */ + { 1, "permittedSubtrees", ASN1_CONTEXT_C_0, ASN1_OPT|ASN1_LOOP }, /* 1 */ + { 2, "generalSubtree", ASN1_SEQUENCE, ASN1_BODY }, /* 2 */ + { 1, "end loop", ASN1_EOC, ASN1_END }, /* 3 */ + { 1, "excludedSubtrees", ASN1_CONTEXT_C_1, ASN1_OPT|ASN1_LOOP }, /* 4 */ + { 2, "generalSubtree", ASN1_SEQUENCE, ASN1_BODY }, /* 5 */ + { 1, "end loop", ASN1_EOC, ASN1_END }, /* 6 */ +- { 0, "end loop", ASN1_EOC, ASN1_END }, /* 7 */ + { 0, "exit", ASN1_EOC, ASN1_EXIT } + }; + #define NAME_CONSTRAINT_PERMITTED 2 +@@ -974,25 +973,27 @@ end: + * ASN.1 definition of a certificatePolicies extension + */ + static const asn1Object_t certificatePoliciesObject[] = { +- { 0, "certificatePolicies", ASN1_SEQUENCE, ASN1_LOOP }, /* 0 */ +- { 1, "policyInformation", ASN1_SEQUENCE, ASN1_NONE }, /* 1 */ +- { 2, "policyId", ASN1_OID, ASN1_BODY }, /* 2 */ +- { 2, "qualifiers", ASN1_SEQUENCE, ASN1_OPT|ASN1_LOOP }, /* 3 */ +- { 3, "qualifierInfo", ASN1_SEQUENCE, ASN1_NONE }, /* 4 */ +- { 4, "qualifierId", ASN1_OID, ASN1_BODY }, /* 5 */ +- { 4, "cPSuri", ASN1_IA5STRING, ASN1_OPT|ASN1_BODY }, /* 6 */ +- { 4, "end choice", ASN1_EOC, ASN1_END }, /* 7 */ +- { 4, "userNotice", ASN1_SEQUENCE, ASN1_OPT|ASN1_BODY }, /* 8 */ +- { 5, "explicitText", ASN1_EOC, ASN1_RAW }, /* 9 */ +- { 4, "end choice", ASN1_EOC, ASN1_END }, /* 10 */ +- { 2, "end opt/loop", ASN1_EOC, ASN1_END }, /* 12 */ +- { 0, "end loop", ASN1_EOC, ASN1_END }, /* 13 */ +- { 0, "exit", ASN1_EOC, ASN1_EXIT } ++ { 0, "certificatePolicies", ASN1_SEQUENCE, ASN1_LOOP }, /* 0 */ ++ { 1, "policyInformation", ASN1_SEQUENCE, ASN1_NONE }, /* 1 */ ++ { 2, "policyId", ASN1_OID, ASN1_BODY }, /* 2 */ ++ { 2, "qualifiers", ASN1_SEQUENCE, ASN1_OPT|ASN1_LOOP }, /* 3 */ ++ { 3, "qualifierInfo", ASN1_SEQUENCE, ASN1_NONE }, /* 4 */ ++ { 4, "qualifierId", ASN1_OID, ASN1_BODY }, /* 5 */ ++ { 4, "qualifier", ASN1_EOC, ASN1_CHOICE }, /* 6 */ ++ { 5, "cPSuri", ASN1_IA5STRING, ASN1_OPT|ASN1_BODY }, /* 7 */ ++ { 5, "end choice", ASN1_EOC, ASN1_END|ASN1_CH }, /* 8 */ ++ { 5, "userNotice", ASN1_SEQUENCE, ASN1_OPT|ASN1_BODY }, /* 9 */ ++ { 6, "explicitText", ASN1_EOC, ASN1_RAW }, /* 10 */ ++ { 5, "end choice", ASN1_EOC, ASN1_END|ASN1_CH }, /* 11 */ ++ { 4, "end choices", ASN1_EOC, ASN1_END|ASN1_CHOICE }, /* 12 */ ++ { 2, "end opt/loop", ASN1_EOC, ASN1_END }, /* 13 */ ++ { 0, "end loop", ASN1_EOC, ASN1_END }, /* 14 */ ++ { 0, "exit", ASN1_EOC, ASN1_EXIT } + }; +-#define CERT_POLICY_ID 2 +-#define CERT_POLICY_QUALIFIER_ID 5 +-#define CERT_POLICY_CPS_URI 6 +-#define CERT_POLICY_EXPLICIT_TEXT 9 ++#define CERT_POLICY_ID 2 ++#define CERT_POLICY_QUALIFIER_ID 5 ++#define CERT_POLICY_CPS_URI 7 ++#define CERT_POLICY_EXPLICIT_TEXT 10 + + /** + * Parse certificatePolicies +@@ -1157,27 +1158,31 @@ static bool parse_policyConstraints(chunk_t blob, int level0, + * ASN.1 definition of ipAddrBlocks according to RFC 3779 + */ + static const asn1Object_t ipAddrBlocksObjects[] = { +- { 0, "ipAddrBlocks", ASN1_SEQUENCE, ASN1_LOOP }, /* 0 */ +- { 1, "ipAddressFamily", ASN1_SEQUENCE, ASN1_NONE }, /* 1 */ +- { 2, "addressFamily", ASN1_OCTET_STRING, ASN1_BODY }, /* 2 */ +- { 2, "inherit", ASN1_NULL, ASN1_OPT|ASN1_NONE }, /* 3 */ +- { 2, "end choice", ASN1_EOC, ASN1_END }, /* 4 */ +- { 2, "addressesOrRanges", ASN1_SEQUENCE, ASN1_OPT|ASN1_LOOP }, /* 5 */ +- { 3, "addressPrefix", ASN1_BIT_STRING, ASN1_OPT|ASN1_BODY }, /* 6 */ +- { 3, "end choice", ASN1_EOC, ASN1_END }, /* 7 */ +- { 3, "addressRange", ASN1_SEQUENCE, ASN1_OPT|ASN1_NONE }, /* 8 */ +- { 4, "min", ASN1_BIT_STRING, ASN1_BODY }, /* 9 */ +- { 4, "max", ASN1_BIT_STRING, ASN1_BODY }, /* 10 */ +- { 3, "end choice", ASN1_EOC, ASN1_END }, /* 11 */ +- { 2, "end opt/loop", ASN1_EOC, ASN1_END }, /* 12 */ +- { 0, "end loop", ASN1_EOC, ASN1_END }, /* 13 */ +- { 0, "exit", ASN1_EOC, ASN1_EXIT } ++ { 0, "ipAddrBlocks", ASN1_SEQUENCE, ASN1_LOOP }, /* 0 */ ++ { 1, "ipAddressFamily", ASN1_SEQUENCE, ASN1_NONE }, /* 1 */ ++ { 2, "addressFamily", ASN1_OCTET_STRING, ASN1_BODY }, /* 2 */ ++ { 2, "ipAddressChoice", ASN1_EOC, ASN1_CHOICE }, /* 3 */ ++ { 3, "inherit", ASN1_NULL, ASN1_OPT }, /* 4 */ ++ { 3, "end choice", ASN1_EOC, ASN1_END|ASN1_CH }, /* 5 */ ++ { 3, "addressesOrRanges", ASN1_SEQUENCE, ASN1_OPT|ASN1_LOOP }, /* 6 */ ++ { 4, "addressOrRange", ASN1_EOC, ASN1_CHOICE }, /* 7 */ ++ { 5, "addressPrefix", ASN1_BIT_STRING, ASN1_OPT|ASN1_BODY }, /* 8 */ ++ { 5, "end choice", ASN1_EOC, ASN1_END|ASN1_CH }, /* 9 */ ++ { 5, "addressRange", ASN1_SEQUENCE, ASN1_OPT }, /* 10 */ ++ { 6, "min", ASN1_BIT_STRING, ASN1_BODY }, /* 11 */ ++ { 6, "max", ASN1_BIT_STRING, ASN1_BODY }, /* 12 */ ++ { 5, "end choice", ASN1_EOC, ASN1_END|ASN1_CH }, /* 13 */ ++ { 4, "end choices", ASN1_EOC, ASN1_END|ASN1_CHOICE }, /* 14 */ ++ { 3, "end loop/choice", ASN1_EOC, ASN1_END|ASN1_CH }, /* 15 */ ++ { 2, "end choices", ASN1_EOC, ASN1_END|ASN1_CHOICE }, /* 16 */ ++ { 0, "end loop", ASN1_EOC, ASN1_END }, /* 17 */ ++ { 0, "exit", ASN1_EOC, ASN1_EXIT } + }; + #define IP_ADDR_BLOCKS_FAMILY 2 +-#define IP_ADDR_BLOCKS_INHERIT 3 +-#define IP_ADDR_BLOCKS_PREFIX 6 +-#define IP_ADDR_BLOCKS_MIN 9 +-#define IP_ADDR_BLOCKS_MAX 10 ++#define IP_ADDR_BLOCKS_INHERIT 4 ++#define IP_ADDR_BLOCKS_PREFIX 8 ++#define IP_ADDR_BLOCKS_MIN 11 ++#define IP_ADDR_BLOCKS_MAX 12 + + static bool check_address_object(ts_type_t ts_type, chunk_t object) + { +-- +1.9.1 + |