[Pkg-swan-devel] [strongswan] 02/03: convert CVE-2017-9022_insufficient_input_validation_gmp_plugin and CVE-2017-9023_incorrect_handling_of_choice_types_in_asn1_parser to the UNIX file format.
Yves-Alexis Perez
corsac at moszumanska.debian.org
Sun Sep 3 13:23:51 UTC 2017
This is an automated email from the git hooks/post-receive script.
corsac pushed a commit to branch stretch-security
in repository strongswan.
commit 0348cb384f616b740526f034a0058d00e93064a3
Author: Yves-Alexis Perez <corsac at corsac.net>
Date: Thu Aug 3 21:27:09 2017 +0200
convert CVE-2017-9022_insufficient_input_validation_gmp_plugin and CVE-2017-9023_incorrect_handling_of_choice_types_in_asn1_parser to the UNIX file format.
---
debian/changelog | 3 +
..._insufficient_input_validation_gmp_plugin.patch | 82 +--
...t_handling_of_choice_types_in_asn1_parser.patch | 750 ++++++++++-----------
3 files changed, 419 insertions(+), 416 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index 1b0ed22..919ad5c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -3,6 +3,9 @@ strongswan (5.5.1-5) UNRELEASED; urgency=medium
* debian/patches:
- CVE-2017-11185 added, fix insufficient input validation in gmp plugin
which could lead to denial of service (CVE-2017-11185)
+ - convert CVE-2017-9022_insufficient_input_validation_gmp_plugin and
+ CVE-2017-9023_incorrect_handling_of_choice_types_in_asn1_parser to the
+ UNIX file format.
-- Yves-Alexis Perez <corsac at debian.org> Thu, 03 Aug 2017 21:24:33 +0200
diff --git a/debian/patches/CVE-2017-9022_insufficient_input_validation_gmp_plugin.patch b/debian/patches/CVE-2017-9022_insufficient_input_validation_gmp_plugin.patch
index ca8766a..f16b5bd 100644
--- a/debian/patches/CVE-2017-9022_insufficient_input_validation_gmp_plugin.patch
+++ b/debian/patches/CVE-2017-9022_insufficient_input_validation_gmp_plugin.patch
@@ -1,42 +1,42 @@
-From 1bf67b900fb4955a0b09f3c1cbe1ce7177adbe2f Mon Sep 17 00:00:00 2001
-From: Tobias Brunner <tobias at strongswan.org>
-Date: Wed, 29 Mar 2017 11:26:24 +0200
-Subject: [PATCH] gmp: Make sure the modulus is odd and the exponent not zero
+From 1bf67b900fb4955a0b09f3c1cbe1ce7177adbe2f Mon Sep 17 00:00:00 2001
+From: Tobias Brunner <tobias at strongswan.org>
+Date: Wed, 29 Mar 2017 11:26:24 +0200
+Subject: [PATCH] gmp: Make sure the modulus is odd and the exponent not zero
+
+Unlike mpz_powm() its secure replacement mpz_powm_sec() has the additional
+requirement that the exponent must be > 0 and the modulus has to be odd.
+Otherwise, it will crash with a floating-point exception.
+
+Fixes: CVE-2017-9022
+---
+ src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c b/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c
+index 2b2c7f249590..32a72ac9600b 100644
+--- a/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c
++++ b/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c
+@@ -475,7 +475,7 @@ gmp_rsa_public_key_t *gmp_rsa_public_key_load(key_type_t type, va_list args)
+ }
+ break;
+ }
+- if (!e.ptr || !n.ptr)
++ if (!e.len || !n.len || (n.ptr[n.len-1] & 0x01) == 0)
+ {
+ return NULL;
+ }
+@@ -506,5 +506,10 @@ gmp_rsa_public_key_t *gmp_rsa_public_key_load(key_type_t type, va_list args)
+
+ this->k = (mpz_sizeinbase(this->n, 2) + 7) / BITS_PER_BYTE;
+
++ if (!mpz_sgn(this->e))
++ {
++ destroy(this);
++ return NULL;
++ }
+ return &this->public;
+ }
+--
+1.9.1
+
-Unlike mpz_powm() its secure replacement mpz_powm_sec() has the additional
-requirement that the exponent must be > 0 and the modulus has to be odd.
-Otherwise, it will crash with a floating-point exception.
-
-Fixes: CVE-2017-9022
----
- src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c | 7 ++++++-
- 1 file changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c b/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c
-index 2b2c7f249590..32a72ac9600b 100644
---- a/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c
-+++ b/src/libstrongswan/plugins/gmp/gmp_rsa_public_key.c
-@@ -475,7 +475,7 @@ gmp_rsa_public_key_t *gmp_rsa_public_key_load(key_type_t type, va_list args)
- }
- break;
- }
-- if (!e.ptr || !n.ptr)
-+ if (!e.len || !n.len || (n.ptr[n.len-1] & 0x01) == 0)
- {
- return NULL;
- }
-@@ -506,5 +506,10 @@ gmp_rsa_public_key_t *gmp_rsa_public_key_load(key_type_t type, va_list args)
-
- this->k = (mpz_sizeinbase(this->n, 2) + 7) / BITS_PER_BYTE;
-
-+ if (!mpz_sgn(this->e))
-+ {
-+ destroy(this);
-+ return NULL;
-+ }
- return &this->public;
- }
---
-1.9.1
-
-
\ No newline at end of file
diff --git a/debian/patches/CVE-2017-9023_incorrect_handling_of_choice_types_in_asn1_parser.patch b/debian/patches/CVE-2017-9023_incorrect_handling_of_choice_types_in_asn1_parser.patch
index 8342643..9850afe 100644
--- a/debian/patches/CVE-2017-9023_incorrect_handling_of_choice_types_in_asn1_parser.patch
+++ b/debian/patches/CVE-2017-9023_incorrect_handling_of_choice_types_in_asn1_parser.patch
@@ -1,376 +1,376 @@
-From e3d4fe2be3bda0d9acc985a6cd67efe249d8326c Mon Sep 17 00:00:00 2001
-From: Andreas Steffen <andreas.steffen at strongswan.org>
-Date: Fri, 5 May 2017 09:01:08 +0200
-Subject: [PATCH] asn1-parser: Fix CHOICE parsing
+From e3d4fe2be3bda0d9acc985a6cd67efe249d8326c Mon Sep 17 00:00:00 2001
+From: Andreas Steffen <andreas.steffen at strongswan.org>
+Date: Fri, 5 May 2017 09:01:08 +0200
+Subject: [PATCH] asn1-parser: Fix CHOICE parsing
+
+Also fixes the application in the x509 plugin and the parsing of
+nameConstraints, which doesn't require a loop.
+
+Fixes: CVE-2017-9023
+---
+ src/libstrongswan/asn1/asn1_parser.c | 70 +++++++++++++++---
+ src/libstrongswan/asn1/asn1_parser.h | 27 +++----
+ src/libstrongswan/plugins/x509/x509_cert.c | 115 +++++++++++++++--------------
+ 3 files changed, 135 insertions(+), 77 deletions(-)
+
+diff --git a/src/libstrongswan/asn1/asn1_parser.c b/src/libstrongswan/asn1/asn1_parser.c
+index e7b7a428d9a2..4d5f799b73a9 100644
+--- a/src/libstrongswan/asn1/asn1_parser.c
++++ b/src/libstrongswan/asn1/asn1_parser.c
+@@ -1,8 +1,7 @@
+ /*
+ * Copyright (C) 2006 Martin Will
+- * Copyright (C) 2000-2008 Andreas Steffen
+- *
+- * Hochschule fuer Technik Rapperswil
++ * Copyright (C) 2000-2017 Andreas Steffen
++ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+@@ -76,12 +75,18 @@ struct private_asn1_parser_t {
+ * Current parsing pointer for each level
+ */
+ chunk_t blobs[ASN1_MAX_LEVEL + 2];
++
++ /**
++ * Parsing a CHOICE on the current level ?
++ */
++ bool choice[ASN1_MAX_LEVEL + 2];
++
+ };
+
+ METHOD(asn1_parser_t, iterate, bool,
+ private_asn1_parser_t *this, int *objectID, chunk_t *object)
+ {
+- chunk_t *blob, *blob1;
++ chunk_t *blob, *blob1, blob_ori;
+ u_char *start_ptr;
+ u_int level;
+ asn1Object_t obj;
+@@ -97,7 +102,7 @@ METHOD(asn1_parser_t, iterate, bool,
+ return FALSE;
+ }
+
+- if (obj.flags & ASN1_END) /* end of loop or option found */
++ if (obj.flags & ASN1_END) /* end of loop or choice or option found */
+ {
+ if (this->loopAddr[obj.level] && this->blobs[obj.level+1].len > 0)
+ {
+@@ -106,13 +111,42 @@ METHOD(asn1_parser_t, iterate, bool,
+ }
+ else
+ {
+- this->loopAddr[obj.level] = 0; /* exit loop or option*/
++ this->loopAddr[obj.level] = 0; /* exit loop */
++
++ if (obj.flags & ASN1_CHOICE) /* end of choices */
++ {
++ if (this->choice[obj.level+1])
++ {
++ DBG1(DBG_ASN, "L%d - %s: incorrect choice encoding",
++ this->level0 + obj.level, obj.name);
++ this->success = FALSE;
++ goto end;
++ }
++ }
++
++ if (obj.flags & ASN1_CH) /* end of choice */
++ {
++ /* parsed a valid choice */
++ this->choice[obj.level] = FALSE;
++
++ /* advance to end of choices */
++ do
++ {
++ this->line++;
++ }
++ while (!((this->objects[this->line].flags & ASN1_END) &&
++ (this->objects[this->line].flags & ASN1_CHOICE) &&
++ (this->objects[this->line].level == obj.level-1)));
++ this->line--;
++ }
++
+ goto end;
+ }
+ }
+
+ level = this->level0 + obj.level;
+ blob = this->blobs + obj.level;
++ blob_ori = *blob;
+ blob1 = blob + 1;
+ start_ptr = blob->ptr;
+
+@@ -129,7 +163,6 @@ METHOD(asn1_parser_t, iterate, bool,
+ }
+
+ /* handle ASN.1 options */
+-
+ if ((obj.flags & ASN1_OPT)
+ && (blob->len == 0 || *start_ptr != obj.type))
+ {
+@@ -144,7 +177,6 @@ METHOD(asn1_parser_t, iterate, bool,
+ }
+
+ /* an ASN.1 object must possess at least a tag and length field */
+-
+ if (blob->len < 2)
+ {
+ DBG1(DBG_ASN, "L%d - %s: ASN.1 object smaller than 2 octets",
+@@ -167,8 +199,16 @@ METHOD(asn1_parser_t, iterate, bool,
+ blob->ptr += blob1->len;
+ blob->len -= blob1->len;
+
+- /* return raw ASN.1 object without prior type checking */
++ /* handle ASN.1 choice without explicit context encoding */
++ if ((obj.flags & ASN1_CHOICE) && obj.type == ASN1_EOC)
++ {
++ DBG2(DBG_ASN, "L%d - %s:", level, obj.name);
++ this->choice[obj.level+1] = TRUE;
++ *blob1 = blob_ori;
++ goto end;
++ }
+
++ /* return raw ASN.1 object without prior type checking */
+ if (obj.flags & ASN1_RAW)
+ {
+ DBG2(DBG_ASN, "L%d - %s:", level, obj.name);
+@@ -209,6 +249,18 @@ METHOD(asn1_parser_t, iterate, bool,
+ }
+ }
+
++ /* In case of a "CHOICE" start to scan for exactly one valid choice */
++ if (obj.flags & ASN1_CHOICE)
++ {
++ if (blob1->len == 0)
++ {
++ DBG1(DBG_ASN, "L%d - %s: contains no choice", level, obj.name);
++ this->success = FALSE;
++ goto end;
++ }
++ this->choice[obj.level+1] = TRUE;
++ }
++
+ if (obj.flags & ASN1_OBJ)
+ {
+ object->ptr = start_ptr;
+diff --git a/src/libstrongswan/asn1/asn1_parser.h b/src/libstrongswan/asn1/asn1_parser.h
+index 0edc22c2378c..2ee1e892fc16 100644
+--- a/src/libstrongswan/asn1/asn1_parser.h
++++ b/src/libstrongswan/asn1/asn1_parser.h
+@@ -1,8 +1,7 @@
+ /*
+ * Copyright (C) 2006 Martin Will
+- * Copyright (C) 2000-2008 Andreas Steffen
+- *
+- * Hochschule fuer Technik Rapperswil
++ * Copyright (C) 2000-2017 Andreas Steffen
++ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+@@ -32,15 +31,17 @@
+ /**
+ * Definition of ASN.1 flags
+ */
+-#define ASN1_NONE 0x00
+-#define ASN1_DEF 0x01
+-#define ASN1_OPT 0x02
+-#define ASN1_LOOP 0x04
+-#define ASN1_END 0x08
+-#define ASN1_OBJ 0x10
+-#define ASN1_BODY 0x20
+-#define ASN1_RAW 0x40
+-#define ASN1_EXIT 0x80
++#define ASN1_NONE 0x0000
++#define ASN1_DEF 0x0001
++#define ASN1_OPT 0x0002
++#define ASN1_LOOP 0x0004
++#define ASN1_CHOICE 0x0008
++#define ASN1_CH 0x0010
++#define ASN1_END 0x0020
++#define ASN1_OBJ 0x0040
++#define ASN1_BODY 0x0080
++#define ASN1_RAW 0x0100
++#define ASN1_EXIT 0x0200
+
+ typedef struct asn1Object_t asn1Object_t;
+
+@@ -51,7 +52,7 @@ struct asn1Object_t{
+ u_int level;
+ const u_char *name;
+ asn1_t type;
+- u_char flags;
++ uint16_t flags;
+ };
+
+ typedef struct asn1_parser_t asn1_parser_t;
+diff --git a/src/libstrongswan/plugins/x509/x509_cert.c b/src/libstrongswan/plugins/x509/x509_cert.c
+index b3d90c5f61ef..f9573e953cbf 100644
+--- a/src/libstrongswan/plugins/x509/x509_cert.c
++++ b/src/libstrongswan/plugins/x509/x509_cert.c
+@@ -2,10 +2,10 @@
+ * Copyright (C) 2000 Andreas Hess, Patric Lichtsteiner, Roger Wegmann
+ * Copyright (C) 2001 Marco Bertossa, Andreas Schleiss
+ * Copyright (C) 2002 Mario Strasser
+- * Copyright (C) 2000-2006 Andreas Steffen
++ * Copyright (C) 2000-2017 Andreas Steffen
+ * Copyright (C) 2006-2009 Martin Willi
+ * Copyright (C) 2008 Tobias Brunner
+- * Hochschule fuer Technik Rapperswil
++ * HSR Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+@@ -789,20 +789,20 @@ static bool parse_extendedKeyUsage(chunk_t blob, int level0,
+ * ASN.1 definition of crlDistributionPoints
+ */
+ static const asn1Object_t crlDistributionPointsObjects[] = {
+- { 0, "crlDistributionPoints", ASN1_SEQUENCE, ASN1_LOOP }, /* 0 */
+- { 1, "DistributionPoint", ASN1_SEQUENCE, ASN1_NONE }, /* 1 */
+- { 2, "distributionPoint", ASN1_CONTEXT_C_0, ASN1_OPT|ASN1_LOOP }, /* 2 */
+- { 3, "fullName", ASN1_CONTEXT_C_0, ASN1_OPT|ASN1_OBJ }, /* 3 */
+- { 3, "end choice", ASN1_EOC, ASN1_END }, /* 4 */
+- { 3, "nameRelToCRLIssuer",ASN1_CONTEXT_C_1, ASN1_OPT|ASN1_BODY }, /* 5 */
+- { 3, "end choice", ASN1_EOC, ASN1_END }, /* 6 */
+- { 2, "end opt", ASN1_EOC, ASN1_END }, /* 7 */
+- { 2, "reasons", ASN1_CONTEXT_C_1, ASN1_OPT|ASN1_BODY }, /* 8 */
+- { 2, "end opt", ASN1_EOC, ASN1_END }, /* 9 */
+- { 2, "crlIssuer", ASN1_CONTEXT_C_2, ASN1_OPT|ASN1_OBJ }, /* 10 */
+- { 2, "end opt", ASN1_EOC, ASN1_END }, /* 11 */
+- { 0, "end loop", ASN1_EOC, ASN1_END }, /* 12 */
+- { 0, "exit", ASN1_EOC, ASN1_EXIT }
++ { 0, "crlDistributionPoints", ASN1_SEQUENCE, ASN1_LOOP }, /* 0 */
++ { 1, "DistributionPoint", ASN1_SEQUENCE, ASN1_NONE }, /* 1 */
++ { 2, "distributionPoint", ASN1_CONTEXT_C_0, ASN1_OPT|ASN1_CHOICE }, /* 2 */
++ { 3, "fullName", ASN1_CONTEXT_C_0, ASN1_OPT|ASN1_OBJ }, /* 3 */
++ { 3, "end choice", ASN1_EOC, ASN1_END|ASN1_CH }, /* 4 */
++ { 3, "nameRelToCRLIssuer",ASN1_CONTEXT_C_1, ASN1_OPT|ASN1_BODY }, /* 5 */
++ { 3, "end choice", ASN1_EOC, ASN1_END|ASN1_CH }, /* 6 */
++ { 2, "end opt/choices", ASN1_EOC, ASN1_END|ASN1_CHOICE }, /* 7 */
++ { 2, "reasons", ASN1_CONTEXT_C_1, ASN1_OPT|ASN1_BODY }, /* 8 */
++ { 2, "end opt", ASN1_EOC, ASN1_END }, /* 9 */
++ { 2, "crlIssuer", ASN1_CONTEXT_C_2, ASN1_OPT|ASN1_OBJ }, /* 10 */
++ { 2, "end opt", ASN1_EOC, ASN1_END }, /* 11 */
++ { 0, "end loop", ASN1_EOC, ASN1_END }, /* 12 */
++ { 0, "exit", ASN1_EOC, ASN1_EXIT }
+ };
+ #define CRL_DIST_POINTS 1
+ #define CRL_DIST_POINTS_FULLNAME 3
+@@ -910,14 +910,13 @@ end:
+ * ASN.1 definition of nameConstraints
+ */
+ static const asn1Object_t nameConstraintsObjects[] = {
+- { 0, "nameConstraints", ASN1_SEQUENCE, ASN1_LOOP }, /* 0 */
++ { 0, "nameConstraints", ASN1_SEQUENCE, ASN1_NONE }, /* 0 */
+ { 1, "permittedSubtrees", ASN1_CONTEXT_C_0, ASN1_OPT|ASN1_LOOP }, /* 1 */
+ { 2, "generalSubtree", ASN1_SEQUENCE, ASN1_BODY }, /* 2 */
+ { 1, "end loop", ASN1_EOC, ASN1_END }, /* 3 */
+ { 1, "excludedSubtrees", ASN1_CONTEXT_C_1, ASN1_OPT|ASN1_LOOP }, /* 4 */
+ { 2, "generalSubtree", ASN1_SEQUENCE, ASN1_BODY }, /* 5 */
+ { 1, "end loop", ASN1_EOC, ASN1_END }, /* 6 */
+- { 0, "end loop", ASN1_EOC, ASN1_END }, /* 7 */
+ { 0, "exit", ASN1_EOC, ASN1_EXIT }
+ };
+ #define NAME_CONSTRAINT_PERMITTED 2
+@@ -974,25 +973,27 @@ end:
+ * ASN.1 definition of a certificatePolicies extension
+ */
+ static const asn1Object_t certificatePoliciesObject[] = {
+- { 0, "certificatePolicies", ASN1_SEQUENCE, ASN1_LOOP }, /* 0 */
+- { 1, "policyInformation", ASN1_SEQUENCE, ASN1_NONE }, /* 1 */
+- { 2, "policyId", ASN1_OID, ASN1_BODY }, /* 2 */
+- { 2, "qualifiers", ASN1_SEQUENCE, ASN1_OPT|ASN1_LOOP }, /* 3 */
+- { 3, "qualifierInfo", ASN1_SEQUENCE, ASN1_NONE }, /* 4 */
+- { 4, "qualifierId", ASN1_OID, ASN1_BODY }, /* 5 */
+- { 4, "cPSuri", ASN1_IA5STRING, ASN1_OPT|ASN1_BODY }, /* 6 */
+- { 4, "end choice", ASN1_EOC, ASN1_END }, /* 7 */
+- { 4, "userNotice", ASN1_SEQUENCE, ASN1_OPT|ASN1_BODY }, /* 8 */
+- { 5, "explicitText", ASN1_EOC, ASN1_RAW }, /* 9 */
+- { 4, "end choice", ASN1_EOC, ASN1_END }, /* 10 */
+- { 2, "end opt/loop", ASN1_EOC, ASN1_END }, /* 12 */
+- { 0, "end loop", ASN1_EOC, ASN1_END }, /* 13 */
+- { 0, "exit", ASN1_EOC, ASN1_EXIT }
++ { 0, "certificatePolicies", ASN1_SEQUENCE, ASN1_LOOP }, /* 0 */
++ { 1, "policyInformation", ASN1_SEQUENCE, ASN1_NONE }, /* 1 */
++ { 2, "policyId", ASN1_OID, ASN1_BODY }, /* 2 */
++ { 2, "qualifiers", ASN1_SEQUENCE, ASN1_OPT|ASN1_LOOP }, /* 3 */
++ { 3, "qualifierInfo", ASN1_SEQUENCE, ASN1_NONE }, /* 4 */
++ { 4, "qualifierId", ASN1_OID, ASN1_BODY }, /* 5 */
++ { 4, "qualifier", ASN1_EOC, ASN1_CHOICE }, /* 6 */
++ { 5, "cPSuri", ASN1_IA5STRING, ASN1_OPT|ASN1_BODY }, /* 7 */
++ { 5, "end choice", ASN1_EOC, ASN1_END|ASN1_CH }, /* 8 */
++ { 5, "userNotice", ASN1_SEQUENCE, ASN1_OPT|ASN1_BODY }, /* 9 */
++ { 6, "explicitText", ASN1_EOC, ASN1_RAW }, /* 10 */
++ { 5, "end choice", ASN1_EOC, ASN1_END|ASN1_CH }, /* 11 */
++ { 4, "end choices", ASN1_EOC, ASN1_END|ASN1_CHOICE }, /* 12 */
++ { 2, "end opt/loop", ASN1_EOC, ASN1_END }, /* 13 */
++ { 0, "end loop", ASN1_EOC, ASN1_END }, /* 14 */
++ { 0, "exit", ASN1_EOC, ASN1_EXIT }
+ };
+-#define CERT_POLICY_ID 2
+-#define CERT_POLICY_QUALIFIER_ID 5
+-#define CERT_POLICY_CPS_URI 6
+-#define CERT_POLICY_EXPLICIT_TEXT 9
++#define CERT_POLICY_ID 2
++#define CERT_POLICY_QUALIFIER_ID 5
++#define CERT_POLICY_CPS_URI 7
++#define CERT_POLICY_EXPLICIT_TEXT 10
+
+ /**
+ * Parse certificatePolicies
+@@ -1157,27 +1158,31 @@ static bool parse_policyConstraints(chunk_t blob, int level0,
+ * ASN.1 definition of ipAddrBlocks according to RFC 3779
+ */
+ static const asn1Object_t ipAddrBlocksObjects[] = {
+- { 0, "ipAddrBlocks", ASN1_SEQUENCE, ASN1_LOOP }, /* 0 */
+- { 1, "ipAddressFamily", ASN1_SEQUENCE, ASN1_NONE }, /* 1 */
+- { 2, "addressFamily", ASN1_OCTET_STRING, ASN1_BODY }, /* 2 */
+- { 2, "inherit", ASN1_NULL, ASN1_OPT|ASN1_NONE }, /* 3 */
+- { 2, "end choice", ASN1_EOC, ASN1_END }, /* 4 */
+- { 2, "addressesOrRanges", ASN1_SEQUENCE, ASN1_OPT|ASN1_LOOP }, /* 5 */
+- { 3, "addressPrefix", ASN1_BIT_STRING, ASN1_OPT|ASN1_BODY }, /* 6 */
+- { 3, "end choice", ASN1_EOC, ASN1_END }, /* 7 */
+- { 3, "addressRange", ASN1_SEQUENCE, ASN1_OPT|ASN1_NONE }, /* 8 */
+- { 4, "min", ASN1_BIT_STRING, ASN1_BODY }, /* 9 */
+- { 4, "max", ASN1_BIT_STRING, ASN1_BODY }, /* 10 */
+- { 3, "end choice", ASN1_EOC, ASN1_END }, /* 11 */
+- { 2, "end opt/loop", ASN1_EOC, ASN1_END }, /* 12 */
+- { 0, "end loop", ASN1_EOC, ASN1_END }, /* 13 */
+- { 0, "exit", ASN1_EOC, ASN1_EXIT }
++ { 0, "ipAddrBlocks", ASN1_SEQUENCE, ASN1_LOOP }, /* 0 */
++ { 1, "ipAddressFamily", ASN1_SEQUENCE, ASN1_NONE }, /* 1 */
++ { 2, "addressFamily", ASN1_OCTET_STRING, ASN1_BODY }, /* 2 */
++ { 2, "ipAddressChoice", ASN1_EOC, ASN1_CHOICE }, /* 3 */
++ { 3, "inherit", ASN1_NULL, ASN1_OPT }, /* 4 */
++ { 3, "end choice", ASN1_EOC, ASN1_END|ASN1_CH }, /* 5 */
++ { 3, "addressesOrRanges", ASN1_SEQUENCE, ASN1_OPT|ASN1_LOOP }, /* 6 */
++ { 4, "addressOrRange", ASN1_EOC, ASN1_CHOICE }, /* 7 */
++ { 5, "addressPrefix", ASN1_BIT_STRING, ASN1_OPT|ASN1_BODY }, /* 8 */
++ { 5, "end choice", ASN1_EOC, ASN1_END|ASN1_CH }, /* 9 */
++ { 5, "addressRange", ASN1_SEQUENCE, ASN1_OPT }, /* 10 */
++ { 6, "min", ASN1_BIT_STRING, ASN1_BODY }, /* 11 */
++ { 6, "max", ASN1_BIT_STRING, ASN1_BODY }, /* 12 */
++ { 5, "end choice", ASN1_EOC, ASN1_END|ASN1_CH }, /* 13 */
++ { 4, "end choices", ASN1_EOC, ASN1_END|ASN1_CHOICE }, /* 14 */
++ { 3, "end loop/choice", ASN1_EOC, ASN1_END|ASN1_CH }, /* 15 */
++ { 2, "end choices", ASN1_EOC, ASN1_END|ASN1_CHOICE }, /* 16 */
++ { 0, "end loop", ASN1_EOC, ASN1_END }, /* 17 */
++ { 0, "exit", ASN1_EOC, ASN1_EXIT }
+ };
+ #define IP_ADDR_BLOCKS_FAMILY 2
+-#define IP_ADDR_BLOCKS_INHERIT 3
+-#define IP_ADDR_BLOCKS_PREFIX 6
+-#define IP_ADDR_BLOCKS_MIN 9
+-#define IP_ADDR_BLOCKS_MAX 10
++#define IP_ADDR_BLOCKS_INHERIT 4
++#define IP_ADDR_BLOCKS_PREFIX 8
++#define IP_ADDR_BLOCKS_MIN 11
++#define IP_ADDR_BLOCKS_MAX 12
+
+ static bool check_address_object(ts_type_t ts_type, chunk_t object)
+ {
+--
+1.9.1
+
-Also fixes the application in the x509 plugin and the parsing of
-nameConstraints, which doesn't require a loop.
-
-Fixes: CVE-2017-9023
----
- src/libstrongswan/asn1/asn1_parser.c | 70 +++++++++++++++---
- src/libstrongswan/asn1/asn1_parser.h | 27 +++----
- src/libstrongswan/plugins/x509/x509_cert.c | 115 +++++++++++++++--------------
- 3 files changed, 135 insertions(+), 77 deletions(-)
-
-diff --git a/src/libstrongswan/asn1/asn1_parser.c b/src/libstrongswan/asn1/asn1_parser.c
-index e7b7a428d9a2..4d5f799b73a9 100644
---- a/src/libstrongswan/asn1/asn1_parser.c
-+++ b/src/libstrongswan/asn1/asn1_parser.c
-@@ -1,8 +1,7 @@
- /*
- * Copyright (C) 2006 Martin Will
-- * Copyright (C) 2000-2008 Andreas Steffen
-- *
-- * Hochschule fuer Technik Rapperswil
-+ * Copyright (C) 2000-2017 Andreas Steffen
-+ * HSR Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
-@@ -76,12 +75,18 @@ struct private_asn1_parser_t {
- * Current parsing pointer for each level
- */
- chunk_t blobs[ASN1_MAX_LEVEL + 2];
-+
-+ /**
-+ * Parsing a CHOICE on the current level ?
-+ */
-+ bool choice[ASN1_MAX_LEVEL + 2];
-+
- };
-
- METHOD(asn1_parser_t, iterate, bool,
- private_asn1_parser_t *this, int *objectID, chunk_t *object)
- {
-- chunk_t *blob, *blob1;
-+ chunk_t *blob, *blob1, blob_ori;
- u_char *start_ptr;
- u_int level;
- asn1Object_t obj;
-@@ -97,7 +102,7 @@ METHOD(asn1_parser_t, iterate, bool,
- return FALSE;
- }
-
-- if (obj.flags & ASN1_END) /* end of loop or option found */
-+ if (obj.flags & ASN1_END) /* end of loop or choice or option found */
- {
- if (this->loopAddr[obj.level] && this->blobs[obj.level+1].len > 0)
- {
-@@ -106,13 +111,42 @@ METHOD(asn1_parser_t, iterate, bool,
- }
- else
- {
-- this->loopAddr[obj.level] = 0; /* exit loop or option*/
-+ this->loopAddr[obj.level] = 0; /* exit loop */
-+
-+ if (obj.flags & ASN1_CHOICE) /* end of choices */
-+ {
-+ if (this->choice[obj.level+1])
-+ {
-+ DBG1(DBG_ASN, "L%d - %s: incorrect choice encoding",
-+ this->level0 + obj.level, obj.name);
-+ this->success = FALSE;
-+ goto end;
-+ }
-+ }
-+
-+ if (obj.flags & ASN1_CH) /* end of choice */
-+ {
-+ /* parsed a valid choice */
-+ this->choice[obj.level] = FALSE;
-+
-+ /* advance to end of choices */
-+ do
-+ {
-+ this->line++;
-+ }
-+ while (!((this->objects[this->line].flags & ASN1_END) &&
-+ (this->objects[this->line].flags & ASN1_CHOICE) &&
-+ (this->objects[this->line].level == obj.level-1)));
-+ this->line--;
-+ }
-+
- goto end;
- }
- }
-
- level = this->level0 + obj.level;
- blob = this->blobs + obj.level;
-+ blob_ori = *blob;
- blob1 = blob + 1;
- start_ptr = blob->ptr;
-
-@@ -129,7 +163,6 @@ METHOD(asn1_parser_t, iterate, bool,
- }
-
- /* handle ASN.1 options */
--
- if ((obj.flags & ASN1_OPT)
- && (blob->len == 0 || *start_ptr != obj.type))
- {
-@@ -144,7 +177,6 @@ METHOD(asn1_parser_t, iterate, bool,
- }
-
- /* an ASN.1 object must possess at least a tag and length field */
--
- if (blob->len < 2)
- {
- DBG1(DBG_ASN, "L%d - %s: ASN.1 object smaller than 2 octets",
-@@ -167,8 +199,16 @@ METHOD(asn1_parser_t, iterate, bool,
- blob->ptr += blob1->len;
- blob->len -= blob1->len;
-
-- /* return raw ASN.1 object without prior type checking */
-+ /* handle ASN.1 choice without explicit context encoding */
-+ if ((obj.flags & ASN1_CHOICE) && obj.type == ASN1_EOC)
-+ {
-+ DBG2(DBG_ASN, "L%d - %s:", level, obj.name);
-+ this->choice[obj.level+1] = TRUE;
-+ *blob1 = blob_ori;
-+ goto end;
-+ }
-
-+ /* return raw ASN.1 object without prior type checking */
- if (obj.flags & ASN1_RAW)
- {
- DBG2(DBG_ASN, "L%d - %s:", level, obj.name);
-@@ -209,6 +249,18 @@ METHOD(asn1_parser_t, iterate, bool,
- }
- }
-
-+ /* In case of a "CHOICE" start to scan for exactly one valid choice */
-+ if (obj.flags & ASN1_CHOICE)
-+ {
-+ if (blob1->len == 0)
-+ {
-+ DBG1(DBG_ASN, "L%d - %s: contains no choice", level, obj.name);
-+ this->success = FALSE;
-+ goto end;
-+ }
-+ this->choice[obj.level+1] = TRUE;
-+ }
-+
- if (obj.flags & ASN1_OBJ)
- {
- object->ptr = start_ptr;
-diff --git a/src/libstrongswan/asn1/asn1_parser.h b/src/libstrongswan/asn1/asn1_parser.h
-index 0edc22c2378c..2ee1e892fc16 100644
---- a/src/libstrongswan/asn1/asn1_parser.h
-+++ b/src/libstrongswan/asn1/asn1_parser.h
-@@ -1,8 +1,7 @@
- /*
- * Copyright (C) 2006 Martin Will
-- * Copyright (C) 2000-2008 Andreas Steffen
-- *
-- * Hochschule fuer Technik Rapperswil
-+ * Copyright (C) 2000-2017 Andreas Steffen
-+ * HSR Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
-@@ -32,15 +31,17 @@
- /**
- * Definition of ASN.1 flags
- */
--#define ASN1_NONE 0x00
--#define ASN1_DEF 0x01
--#define ASN1_OPT 0x02
--#define ASN1_LOOP 0x04
--#define ASN1_END 0x08
--#define ASN1_OBJ 0x10
--#define ASN1_BODY 0x20
--#define ASN1_RAW 0x40
--#define ASN1_EXIT 0x80
-+#define ASN1_NONE 0x0000
-+#define ASN1_DEF 0x0001
-+#define ASN1_OPT 0x0002
-+#define ASN1_LOOP 0x0004
-+#define ASN1_CHOICE 0x0008
-+#define ASN1_CH 0x0010
-+#define ASN1_END 0x0020
-+#define ASN1_OBJ 0x0040
-+#define ASN1_BODY 0x0080
-+#define ASN1_RAW 0x0100
-+#define ASN1_EXIT 0x0200
-
- typedef struct asn1Object_t asn1Object_t;
-
-@@ -51,7 +52,7 @@ struct asn1Object_t{
- u_int level;
- const u_char *name;
- asn1_t type;
-- u_char flags;
-+ uint16_t flags;
- };
-
- typedef struct asn1_parser_t asn1_parser_t;
-diff --git a/src/libstrongswan/plugins/x509/x509_cert.c b/src/libstrongswan/plugins/x509/x509_cert.c
-index b3d90c5f61ef..f9573e953cbf 100644
---- a/src/libstrongswan/plugins/x509/x509_cert.c
-+++ b/src/libstrongswan/plugins/x509/x509_cert.c
-@@ -2,10 +2,10 @@
- * Copyright (C) 2000 Andreas Hess, Patric Lichtsteiner, Roger Wegmann
- * Copyright (C) 2001 Marco Bertossa, Andreas Schleiss
- * Copyright (C) 2002 Mario Strasser
-- * Copyright (C) 2000-2006 Andreas Steffen
-+ * Copyright (C) 2000-2017 Andreas Steffen
- * Copyright (C) 2006-2009 Martin Willi
- * Copyright (C) 2008 Tobias Brunner
-- * Hochschule fuer Technik Rapperswil
-+ * HSR Hochschule fuer Technik Rapperswil
- *
- * This program is free software; you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the
-@@ -789,20 +789,20 @@ static bool parse_extendedKeyUsage(chunk_t blob, int level0,
- * ASN.1 definition of crlDistributionPoints
- */
- static const asn1Object_t crlDistributionPointsObjects[] = {
-- { 0, "crlDistributionPoints", ASN1_SEQUENCE, ASN1_LOOP }, /* 0 */
-- { 1, "DistributionPoint", ASN1_SEQUENCE, ASN1_NONE }, /* 1 */
-- { 2, "distributionPoint", ASN1_CONTEXT_C_0, ASN1_OPT|ASN1_LOOP }, /* 2 */
-- { 3, "fullName", ASN1_CONTEXT_C_0, ASN1_OPT|ASN1_OBJ }, /* 3 */
-- { 3, "end choice", ASN1_EOC, ASN1_END }, /* 4 */
-- { 3, "nameRelToCRLIssuer",ASN1_CONTEXT_C_1, ASN1_OPT|ASN1_BODY }, /* 5 */
-- { 3, "end choice", ASN1_EOC, ASN1_END }, /* 6 */
-- { 2, "end opt", ASN1_EOC, ASN1_END }, /* 7 */
-- { 2, "reasons", ASN1_CONTEXT_C_1, ASN1_OPT|ASN1_BODY }, /* 8 */
-- { 2, "end opt", ASN1_EOC, ASN1_END }, /* 9 */
-- { 2, "crlIssuer", ASN1_CONTEXT_C_2, ASN1_OPT|ASN1_OBJ }, /* 10 */
-- { 2, "end opt", ASN1_EOC, ASN1_END }, /* 11 */
-- { 0, "end loop", ASN1_EOC, ASN1_END }, /* 12 */
-- { 0, "exit", ASN1_EOC, ASN1_EXIT }
-+ { 0, "crlDistributionPoints", ASN1_SEQUENCE, ASN1_LOOP }, /* 0 */
-+ { 1, "DistributionPoint", ASN1_SEQUENCE, ASN1_NONE }, /* 1 */
-+ { 2, "distributionPoint", ASN1_CONTEXT_C_0, ASN1_OPT|ASN1_CHOICE }, /* 2 */
-+ { 3, "fullName", ASN1_CONTEXT_C_0, ASN1_OPT|ASN1_OBJ }, /* 3 */
-+ { 3, "end choice", ASN1_EOC, ASN1_END|ASN1_CH }, /* 4 */
-+ { 3, "nameRelToCRLIssuer",ASN1_CONTEXT_C_1, ASN1_OPT|ASN1_BODY }, /* 5 */
-+ { 3, "end choice", ASN1_EOC, ASN1_END|ASN1_CH }, /* 6 */
-+ { 2, "end opt/choices", ASN1_EOC, ASN1_END|ASN1_CHOICE }, /* 7 */
-+ { 2, "reasons", ASN1_CONTEXT_C_1, ASN1_OPT|ASN1_BODY }, /* 8 */
-+ { 2, "end opt", ASN1_EOC, ASN1_END }, /* 9 */
-+ { 2, "crlIssuer", ASN1_CONTEXT_C_2, ASN1_OPT|ASN1_OBJ }, /* 10 */
-+ { 2, "end opt", ASN1_EOC, ASN1_END }, /* 11 */
-+ { 0, "end loop", ASN1_EOC, ASN1_END }, /* 12 */
-+ { 0, "exit", ASN1_EOC, ASN1_EXIT }
- };
- #define CRL_DIST_POINTS 1
- #define CRL_DIST_POINTS_FULLNAME 3
-@@ -910,14 +910,13 @@ end:
- * ASN.1 definition of nameConstraints
- */
- static const asn1Object_t nameConstraintsObjects[] = {
-- { 0, "nameConstraints", ASN1_SEQUENCE, ASN1_LOOP }, /* 0 */
-+ { 0, "nameConstraints", ASN1_SEQUENCE, ASN1_NONE }, /* 0 */
- { 1, "permittedSubtrees", ASN1_CONTEXT_C_0, ASN1_OPT|ASN1_LOOP }, /* 1 */
- { 2, "generalSubtree", ASN1_SEQUENCE, ASN1_BODY }, /* 2 */
- { 1, "end loop", ASN1_EOC, ASN1_END }, /* 3 */
- { 1, "excludedSubtrees", ASN1_CONTEXT_C_1, ASN1_OPT|ASN1_LOOP }, /* 4 */
- { 2, "generalSubtree", ASN1_SEQUENCE, ASN1_BODY }, /* 5 */
- { 1, "end loop", ASN1_EOC, ASN1_END }, /* 6 */
-- { 0, "end loop", ASN1_EOC, ASN1_END }, /* 7 */
- { 0, "exit", ASN1_EOC, ASN1_EXIT }
- };
- #define NAME_CONSTRAINT_PERMITTED 2
-@@ -974,25 +973,27 @@ end:
- * ASN.1 definition of a certificatePolicies extension
- */
- static const asn1Object_t certificatePoliciesObject[] = {
-- { 0, "certificatePolicies", ASN1_SEQUENCE, ASN1_LOOP }, /* 0 */
-- { 1, "policyInformation", ASN1_SEQUENCE, ASN1_NONE }, /* 1 */
-- { 2, "policyId", ASN1_OID, ASN1_BODY }, /* 2 */
-- { 2, "qualifiers", ASN1_SEQUENCE, ASN1_OPT|ASN1_LOOP }, /* 3 */
-- { 3, "qualifierInfo", ASN1_SEQUENCE, ASN1_NONE }, /* 4 */
-- { 4, "qualifierId", ASN1_OID, ASN1_BODY }, /* 5 */
-- { 4, "cPSuri", ASN1_IA5STRING, ASN1_OPT|ASN1_BODY }, /* 6 */
-- { 4, "end choice", ASN1_EOC, ASN1_END }, /* 7 */
-- { 4, "userNotice", ASN1_SEQUENCE, ASN1_OPT|ASN1_BODY }, /* 8 */
-- { 5, "explicitText", ASN1_EOC, ASN1_RAW }, /* 9 */
-- { 4, "end choice", ASN1_EOC, ASN1_END }, /* 10 */
-- { 2, "end opt/loop", ASN1_EOC, ASN1_END }, /* 12 */
-- { 0, "end loop", ASN1_EOC, ASN1_END }, /* 13 */
-- { 0, "exit", ASN1_EOC, ASN1_EXIT }
-+ { 0, "certificatePolicies", ASN1_SEQUENCE, ASN1_LOOP }, /* 0 */
-+ { 1, "policyInformation", ASN1_SEQUENCE, ASN1_NONE }, /* 1 */
-+ { 2, "policyId", ASN1_OID, ASN1_BODY }, /* 2 */
-+ { 2, "qualifiers", ASN1_SEQUENCE, ASN1_OPT|ASN1_LOOP }, /* 3 */
-+ { 3, "qualifierInfo", ASN1_SEQUENCE, ASN1_NONE }, /* 4 */
-+ { 4, "qualifierId", ASN1_OID, ASN1_BODY }, /* 5 */
-+ { 4, "qualifier", ASN1_EOC, ASN1_CHOICE }, /* 6 */
-+ { 5, "cPSuri", ASN1_IA5STRING, ASN1_OPT|ASN1_BODY }, /* 7 */
-+ { 5, "end choice", ASN1_EOC, ASN1_END|ASN1_CH }, /* 8 */
-+ { 5, "userNotice", ASN1_SEQUENCE, ASN1_OPT|ASN1_BODY }, /* 9 */
-+ { 6, "explicitText", ASN1_EOC, ASN1_RAW }, /* 10 */
-+ { 5, "end choice", ASN1_EOC, ASN1_END|ASN1_CH }, /* 11 */
-+ { 4, "end choices", ASN1_EOC, ASN1_END|ASN1_CHOICE }, /* 12 */
-+ { 2, "end opt/loop", ASN1_EOC, ASN1_END }, /* 13 */
-+ { 0, "end loop", ASN1_EOC, ASN1_END }, /* 14 */
-+ { 0, "exit", ASN1_EOC, ASN1_EXIT }
- };
--#define CERT_POLICY_ID 2
--#define CERT_POLICY_QUALIFIER_ID 5
--#define CERT_POLICY_CPS_URI 6
--#define CERT_POLICY_EXPLICIT_TEXT 9
-+#define CERT_POLICY_ID 2
-+#define CERT_POLICY_QUALIFIER_ID 5
-+#define CERT_POLICY_CPS_URI 7
-+#define CERT_POLICY_EXPLICIT_TEXT 10
-
- /**
- * Parse certificatePolicies
-@@ -1157,27 +1158,31 @@ static bool parse_policyConstraints(chunk_t blob, int level0,
- * ASN.1 definition of ipAddrBlocks according to RFC 3779
- */
- static const asn1Object_t ipAddrBlocksObjects[] = {
-- { 0, "ipAddrBlocks", ASN1_SEQUENCE, ASN1_LOOP }, /* 0 */
-- { 1, "ipAddressFamily", ASN1_SEQUENCE, ASN1_NONE }, /* 1 */
-- { 2, "addressFamily", ASN1_OCTET_STRING, ASN1_BODY }, /* 2 */
-- { 2, "inherit", ASN1_NULL, ASN1_OPT|ASN1_NONE }, /* 3 */
-- { 2, "end choice", ASN1_EOC, ASN1_END }, /* 4 */
-- { 2, "addressesOrRanges", ASN1_SEQUENCE, ASN1_OPT|ASN1_LOOP }, /* 5 */
-- { 3, "addressPrefix", ASN1_BIT_STRING, ASN1_OPT|ASN1_BODY }, /* 6 */
-- { 3, "end choice", ASN1_EOC, ASN1_END }, /* 7 */
-- { 3, "addressRange", ASN1_SEQUENCE, ASN1_OPT|ASN1_NONE }, /* 8 */
-- { 4, "min", ASN1_BIT_STRING, ASN1_BODY }, /* 9 */
-- { 4, "max", ASN1_BIT_STRING, ASN1_BODY }, /* 10 */
-- { 3, "end choice", ASN1_EOC, ASN1_END }, /* 11 */
-- { 2, "end opt/loop", ASN1_EOC, ASN1_END }, /* 12 */
-- { 0, "end loop", ASN1_EOC, ASN1_END }, /* 13 */
-- { 0, "exit", ASN1_EOC, ASN1_EXIT }
-+ { 0, "ipAddrBlocks", ASN1_SEQUENCE, ASN1_LOOP }, /* 0 */
-+ { 1, "ipAddressFamily", ASN1_SEQUENCE, ASN1_NONE }, /* 1 */
-+ { 2, "addressFamily", ASN1_OCTET_STRING, ASN1_BODY }, /* 2 */
-+ { 2, "ipAddressChoice", ASN1_EOC, ASN1_CHOICE }, /* 3 */
-+ { 3, "inherit", ASN1_NULL, ASN1_OPT }, /* 4 */
-+ { 3, "end choice", ASN1_EOC, ASN1_END|ASN1_CH }, /* 5 */
-+ { 3, "addressesOrRanges", ASN1_SEQUENCE, ASN1_OPT|ASN1_LOOP }, /* 6 */
-+ { 4, "addressOrRange", ASN1_EOC, ASN1_CHOICE }, /* 7 */
-+ { 5, "addressPrefix", ASN1_BIT_STRING, ASN1_OPT|ASN1_BODY }, /* 8 */
-+ { 5, "end choice", ASN1_EOC, ASN1_END|ASN1_CH }, /* 9 */
-+ { 5, "addressRange", ASN1_SEQUENCE, ASN1_OPT }, /* 10 */
-+ { 6, "min", ASN1_BIT_STRING, ASN1_BODY }, /* 11 */
-+ { 6, "max", ASN1_BIT_STRING, ASN1_BODY }, /* 12 */
-+ { 5, "end choice", ASN1_EOC, ASN1_END|ASN1_CH }, /* 13 */
-+ { 4, "end choices", ASN1_EOC, ASN1_END|ASN1_CHOICE }, /* 14 */
-+ { 3, "end loop/choice", ASN1_EOC, ASN1_END|ASN1_CH }, /* 15 */
-+ { 2, "end choices", ASN1_EOC, ASN1_END|ASN1_CHOICE }, /* 16 */
-+ { 0, "end loop", ASN1_EOC, ASN1_END }, /* 17 */
-+ { 0, "exit", ASN1_EOC, ASN1_EXIT }
- };
- #define IP_ADDR_BLOCKS_FAMILY 2
--#define IP_ADDR_BLOCKS_INHERIT 3
--#define IP_ADDR_BLOCKS_PREFIX 6
--#define IP_ADDR_BLOCKS_MIN 9
--#define IP_ADDR_BLOCKS_MAX 10
-+#define IP_ADDR_BLOCKS_INHERIT 4
-+#define IP_ADDR_BLOCKS_PREFIX 8
-+#define IP_ADDR_BLOCKS_MIN 11
-+#define IP_ADDR_BLOCKS_MAX 12
-
- static bool check_address_object(ts_type_t ts_type, chunk_t object)
- {
---
-1.9.1
-
-
\ No newline at end of file
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-swan/strongswan.git
More information about the Pkg-swan-devel
mailing list