authorAndreas Steffen <andreas.steffen@strongswan.org>2011-02-10 15:51:18 +0100
committerAndreas Steffen <andreas.steffen@strongswan.org>2011-02-10 15:51:18 +0100
commitd390b3b9015aac38b186237dfcbf5e3c0a1ea9f9 (patch)
treed805c8aff9a79354e2bbb156a1e198a7f88317b9 /src
parentafddd6a7e854a0b11154d7069219cf3373e0d9fc (diff)
[hopefully] fixed pathlen problem on ARM platforms
Diffstat (limited to 'src')
-rw-r--r--src/libcharon/plugins/stroke/stroke_list.c4
-rw-r--r--src/libstrongswan/credentials/cert_validator.h2
-rw-r--r--src/libstrongswan/credentials/certificates/x509.h5
-rw-r--r--src/libstrongswan/plugins/constraints/constraints_validator.c9
-rw-r--r--src/libstrongswan/plugins/openssl/openssl_x509.c10
-rw-r--r--src/libstrongswan/plugins/revocation/revocation_validator.c2
-rw-r--r--src/libstrongswan/plugins/x509/x509_cert.c35
7 files changed, 39 insertions, 28 deletions
diff --git a/src/libcharon/plugins/stroke/stroke_list.c b/src/libcharon/plugins/stroke/stroke_list.c
index 2fa017de1..36311f092 100644
--- a/src/libcharon/plugins/stroke/stroke_list.c
+++ b/src/libcharon/plugins/stroke/stroke_list.c
@@ -754,7 +754,7 @@ static void stroke_list_certs(linked_list_t *list, char *label,
enumerator_t *enumerator;
identification_t *altName;
bool first_altName = TRUE;
- int pathlen;
+ u_int pathlen;
chunk_t serial, authkey;
time_t notBefore, notAfter;
public_key_t *public;
@@ -837,7 +837,7 @@ static void stroke_list_certs(linked_list_t *list, char *label,
pathlen = x509->get_constraint(x509, X509_PATH_LEN);
if (pathlen != X509_NO_CONSTRAINT)
{
- fprintf(out, " pathlen: %d\n", pathlen);
+ fprintf(out, " pathlen: %u\n", pathlen);
}
/* list optional ipAddrBlocks */
diff --git a/src/libstrongswan/credentials/cert_validator.h b/src/libstrongswan/credentials/cert_validator.h
index 3c1ebc9f2..733d9d612 100644
--- a/src/libstrongswan/credentials/cert_validator.h
+++ b/src/libstrongswan/credentials/cert_validator.h
@@ -45,7 +45,7 @@ struct cert_validator_t {
* @param auth container for resulting authentication info
*/
bool (*validate)(cert_validator_t *this, certificate_t *subject,
- certificate_t *issuer, bool online, int pathlen,
+ certificate_t *issuer, bool online, u_int pathlen,
bool anchor, auth_cfg_t *auth);
};
diff --git a/src/libstrongswan/credentials/certificates/x509.h b/src/libstrongswan/credentials/certificates/x509.h
index 9f5865da8..fec02dbad 100644
--- a/src/libstrongswan/credentials/certificates/x509.h
+++ b/src/libstrongswan/credentials/certificates/x509.h
@@ -24,7 +24,8 @@
#include <utils/enumerator.h>
#include <credentials/certificates/certificate.h>
-#define X509_NO_CONSTRAINT -1
+/* constraints are currently restricted to the range 0..127 */
+#define X509_NO_CONSTRAINT 255
typedef struct x509_t x509_t;
typedef struct x509_cert_policy_t x509_cert_policy_t;
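Review bot: The new comment on `X509_NO_CONSTRAINT` gives the valid range but not why the sentinel is 255, and that matters because other hunks of this commit store the value in `u_char` fields (`pathlen` in openssl_x509.c, `pathLenConstraint` and the policy fields in x509_cert.c). I would spell the coupling out, for example `/* constraints are restricted to 0..127; X509_NO_CONSTRAINT must fit in a u_char and lie outside that range */`. Code that still compares a constraint against a literal `-1` instead of the macro would silently stop matching after this change, so such callers are worth checking.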
@@ -150,7 +151,7 @@ struct x509_t {
* @param type type of constraint to get
* @return constraint, X509_NO_CONSTRAINT if none found
*/
- int (*get_constraint)(x509_t *this, x509_constraint_t type);
+ u_int (*get_constraint)(x509_t *this, x509_constraint_t type);
/**
* Create an enumerator over all subjectAltNames.
diff --git a/src/libstrongswan/plugins/constraints/constraints_validator.c b/src/libstrongswan/plugins/constraints/constraints_validator.c
index 20894507a..b54d813df 100644
--- a/src/libstrongswan/plugins/constraints/constraints_validator.c
+++ b/src/libstrongswan/plugins/constraints/constraints_validator.c
@@ -38,7 +38,7 @@ struct private_constraints_validator_t {
*/
static bool check_pathlen(x509_t *issuer, int pathlen)
{
- int pathlen_constraint;
+ u_int pathlen_constraint;
pathlen_constraint = issuer->get_constraint(issuer, X509_PATH_LEN);
if (pathlen_constraint != X509_NO_CONSTRAINT &&
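Review bot: `check_pathlen` still takes `int pathlen` (the context line at the top of this hunk) while `pathlen_constraint` is now `u_int` and `validate` now receives `u_int pathlen`. The condition that starts on the last line of the hunk continues outside it, but it presumably compares the two, which would now be a signed/unsigned comparison. Changing the signature to `static bool check_pathlen(x509_t *issuer, u_int pathlen)` keeps the types consistent along the whole call path. The later hunk in `check_policy_constraints` has the same mix, with `int len = 0;` declared next to `u_int expl, inh;`; if `len` is compared with those values, it should be unsigned as well.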
@@ -439,7 +439,7 @@ static bool has_no_any_policy(linked_list_t *chain, int len)
/**
* Check requireExplicitPolicy and inhibitPolicyMapping constraints
*/
-static bool check_policy_constraints(x509_t *issuer, int pathlen,
+static bool check_policy_constraints(x509_t *issuer, u_int pathlen,
auth_cfg_t *auth)
{
certificate_t *subject;
@@ -455,7 +455,8 @@ static bool check_policy_constraints(x509_t *issuer, int pathlen,
certificate_t *cert;
auth_rule_t rule;
x509_t *x509;
- int len = 0, expl, inh;
+ int len = 0;
+ u_int expl, inh;
/* prepare trustchain to validate */
chain = linked_list_create();
@@ -524,7 +525,7 @@ static bool check_policy_constraints(x509_t *issuer, int pathlen,
METHOD(cert_validator_t, validate, bool,
private_constraints_validator_t *this, certificate_t *subject,
- certificate_t *issuer, bool online, int pathlen, bool anchor,
+ certificate_t *issuer, bool online, u_int pathlen, bool anchor,
auth_cfg_t *auth)
{
if (issuer->get_type(issuer) == CERT_X509 &&
diff --git a/src/libstrongswan/plugins/openssl/openssl_x509.c b/src/libstrongswan/plugins/openssl/openssl_x509.c
index f096b2b5b..f7495b2ae 100644
--- a/src/libstrongswan/plugins/openssl/openssl_x509.c
+++ b/src/libstrongswan/plugins/openssl/openssl_x509.c
@@ -84,7 +84,7 @@ struct private_openssl_x509_t {
/**
* Pathlen constraint
*/
- int pathlen;
+ u_char pathlen;
/**
* certificate subject
@@ -250,7 +250,7 @@ METHOD(x509_t, get_authKeyIdentifier, chunk_t,
return chunk_empty;
}
-METHOD(x509_t, get_constraint, int,
+METHOD(x509_t, get_constraint, u_int,
private_openssl_x509_t *this, x509_constraint_t type)
{
switch (type)
@@ -586,6 +586,7 @@ static bool parse_basicConstraints_ext(private_openssl_x509_t *this,
X509_EXTENSION *ext)
{
BASIC_CONSTRAINTS *constraints;
+ long pathlen;
constraints = (BASIC_CONSTRAINTS*)X509V3_EXT_d2i(ext);
if (constraints)
@@ -596,7 +597,10 @@ static bool parse_basicConstraints_ext(private_openssl_x509_t *this,
}
if (constraints->pathlen)
{
- this->pathlen = ASN1_INTEGER_get(constraints->pathlen);
+
+ pathlen = ASN1_INTEGER_get(constraints->pathlen);
+ this->pathlen = (pathlen >= 0 && pathlen < 128) ?
+ pathlen : X509_NO_CONSTRAINT;
}
BASIC_CONSTRAINTS_free(constraints);
return TRUE;
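Review bot: A negative or oversized pathLenConstraint is mapped to `X509_NO_CONSTRAINT` here and the function still returns TRUE, so a malformed value is handled as if the certificate carried no path length limit at all. RFC 5280 defines the field as INTEGER (0..MAX), so a negative value is an encoding error; failing the parse for that case is the stricter choice, e.g. `if (pathlen < 0) { BASIC_CONSTRAINTS_free(constraints); return FALSE; }`, assuming a FALSE return rejects the certificate as the bool return type suggests. The `parse_constraint` hunk in x509_cert.c makes the same choice with `(object.ptr[0] & 0x80) ? X509_NO_CONSTRAINT : object.ptr[0]` and in its `default:` branch. The empty added line before the `pathlen =` assignment can also be dropped.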
diff --git a/src/libstrongswan/plugins/revocation/revocation_validator.c b/src/libstrongswan/plugins/revocation/revocation_validator.c
index b08e30933..def169275 100644
--- a/src/libstrongswan/plugins/revocation/revocation_validator.c
+++ b/src/libstrongswan/plugins/revocation/revocation_validator.c
@@ -665,7 +665,7 @@ static cert_validation_t check_crl(x509_t *subject, x509_t *issuer,
METHOD(cert_validator_t, validate, bool,
private_revocation_validator_t *this, certificate_t *subject,
- certificate_t *issuer, bool online, int pathlen, bool anchor,
+ certificate_t *issuer, bool online, u_int pathlen, bool anchor,
auth_cfg_t *auth)
{
if (subject->get_type(subject) == CERT_X509 &&
diff --git a/src/libstrongswan/plugins/x509/x509_cert.c b/src/libstrongswan/plugins/x509/x509_cert.c
index c3bb4ea5b..526dbe8c6 100644
--- a/src/libstrongswan/plugins/x509/x509_cert.c
+++ b/src/libstrongswan/plugins/x509/x509_cert.c
@@ -174,22 +174,22 @@ struct private_x509_cert_t {
/**
* Path Length Constraint
*/
- char pathLenConstraint;
+ u_char pathLenConstraint;
/**
* requireExplicitPolicy Constraint
*/
- char require_explicit;
+ u_char require_explicit;
/**
* inhibitPolicyMapping Constraint
*/
- char inhibit_mapping;
+ u_char inhibit_mapping;
/**
* inhibitAnyPolicy Constraint
*/
- char inhibit_any;
+ u_char inhibit_any;
/**
* x509 constraints and other flags
@@ -255,14 +255,14 @@ static void policy_mapping_destroy(x509_policy_mapping_t *mapping)
/**
* Parse a length constraint from an unwrapped integer
*/
-static int parse_constraint(chunk_t object)
+static u_int parse_constraint(chunk_t object)
{
switch (object.len)
{
case 0:
return 0;
case 1:
- return object.ptr[0];
+ return (object.ptr[0] & 0x80) ? X509_NO_CONSTRAINT : object.ptr[0];
default:
return X509_NO_CONSTRAINT;
}
@@ -1723,7 +1723,7 @@ METHOD(x509_t, get_authKeyIdentifier, chunk_t,
return this->authKeyIdentifier;
}
-METHOD(x509_t, get_constraint, int,
+METHOD(x509_t, get_constraint, u_int,
private_x509_cert_t *this, x509_constraint_t type)
{
switch (type)
@@ -2390,6 +2390,7 @@ x509_cert_t *x509_cert_gen(certificate_type_t type, va_list args)
certificate_t *sign_cert = NULL;
private_key_t *sign_key = NULL;
hash_algorithm_t digest_alg = HASH_SHA1;
+ u_int constraint;
cert = create_empty();
while (TRUE)
@@ -2464,11 +2465,9 @@ x509_cert_t *x509_cert_gen(certificate_type_t type, va_list args)
continue;
}
case BUILD_PATHLEN:
- cert->pathLenConstraint = va_arg(args, int);
- if (cert->pathLenConstraint < 0 || cert->pathLenConstraint > 127)
- {
- cert->pathLenConstraint = X509_NO_CONSTRAINT;
- }
+ constraint = va_arg(args, u_int);
+ cert->pathLenConstraint = (constraint < 128) ?
+ constraint : X509_NO_CONSTRAINT;
continue;
case BUILD_PERMITTED_NAME_CONSTRAINTS:
{
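Review bot: The clamp `(constraint < 128) ? constraint : X509_NO_CONSTRAINT` is written out here for BUILD_PATHLEN and three more times in the next hunk (BUILD_POLICY_REQUIRE_EXPLICIT, BUILD_POLICY_INHIBIT_MAPPING, BUILD_POLICY_INHIBIT_ANY). The same limit appears as `pathlen < 128` in openssl_x509.c and as `0x80` in `parse_constraint`. A named limit next to `X509_NO_CONSTRAINT` in x509.h, plus one small static helper that takes the `u_int` and returns the clamped `u_char`, would keep the range in a single place. Callers that pass a negative `int` for these builder parts now rely on `va_arg(args, u_int)` reinterpreting it as a large unsigned value, which is worth stating in the builder part documentation.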
@@ -2543,13 +2542,19 @@ x509_cert_t *x509_cert_gen(certificate_type_t type, va_list args)
continue;
}
case BUILD_POLICY_REQUIRE_EXPLICIT:
- cert->require_explicit = va_arg(args, int);
+ constraint = va_arg(args, u_int);
+ cert->require_explicit = (constraint < 128) ?
+ constraint : X509_NO_CONSTRAINT;
continue;
case BUILD_POLICY_INHIBIT_MAPPING:
- cert->inhibit_mapping = va_arg(args, int);
+ constraint = va_arg(args, u_int);
+ cert->inhibit_mapping = (constraint < 128) ?
+ constraint : X509_NO_CONSTRAINT;
continue;
case BUILD_POLICY_INHIBIT_ANY:
- cert->inhibit_any = va_arg(args, int);
+ constraint = va_arg(args, u_int);
+ cert->inhibit_any = (constraint < 128) ?
+ constraint : X509_NO_CONSTRAINT;
continue;
case BUILD_NOT_BEFORE_TIME:
cert->notBefore = va_arg(args, time_t);