revocation: Skip any zero bytes when comparing serials in CRLs
author Tobias Brunner <tobias@strongswan.org>
Wed, 24 Jan 2018 13:42:28 +0000 (14:42 +0100)
committer Tobias Brunner <tobias@strongswan.org>
Wed, 31 Jan 2018 09:50:41 +0000 (10:50 +0100)
Depending on the plugins that eventually parse the certificate and CRL,
serials with MSB set (i.e. negative numbers that have a zero byte prefixed
when encoded as ASN.1 INTEGER) might have (x509 plugin) or not have
(openssl plugin) a zero byte prefix when returned by get_serial() or
enumerated from the CRL.  Strip them before doing the comparison or
revocation checking might fail if the two credentials are not parsed by the
same plugin (which should be rare and only happen if parsing of either
cert or CRL fails with one of the plugins and there is a fallback to the
implementation provided by the other plugin).

Fixes #2509.

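To make the encoding mismatch the commit message describes concrete, here is a stand-alone C example. It is added for this page and is not strongSwan code: `chunk_t`, `der_integer_content`, `skip_zero`, `chunk_equal` and the two `serial_match_*` helpers are simplified stand-ins modelled on the description above (a serial with its MSB set gets a 0x00 octet prepended when DER-encoded; one parser keeps it, the other drops it), not the project's real API. The serial values are constructed for the demonstration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-in for strongSwan's chunk_t (assumption: pointer + length). */
typedef struct {
    uint8_t *ptr;
    size_t len;
} chunk_t;

/* Produce the content octets of a DER INTEGER for a non-negative value given
 * as a big-endian magnitude: drop redundant leading 0x00 octets (keeping at
 * least one), then prepend 0x00 when the top bit is set so the value is not
 * read as negative. Returns bytes written, 0 if 'out' is too small. */
size_t der_integer_content(const uint8_t *mag, size_t mag_len,
                           uint8_t *out, size_t out_len)
{
    size_t i = 0;
    if (mag_len == 0) return 0;
    while (i + 1 < mag_len && mag[i] == 0x00) i++;
    size_t body = mag_len - i;
    size_t pad = (mag[i] & 0x80) ? 1 : 0;
    if (body + pad > out_len) return 0;
    if (pad) out[0] = 0x00;
    memcpy(out + pad, mag + i, body);
    return body + pad;
}

/* Normalisation the fix applies to both sides: drop one leading zero octet,
 * but never shrink a serial below a single octet (a serial of plain 0x00 must
 * survive). Assumption: models chunk_skip_zero(), not the real function. */
chunk_t skip_zero(chunk_t c)
{
    if (c.len > 1 && c.ptr[0] == 0x00) {
        c.ptr++;
        c.len--;
    }
    return c;
}

bool chunk_equal(chunk_t a, chunk_t b)
{
    return a.len == b.len && memcmp(a.ptr, b.ptr, a.len) == 0;
}

/* Pre-fix behaviour: compare the raw bytes each parser handed back. */
bool serial_match_raw(chunk_t cert_serial, chunk_t crl_serial)
{
    return chunk_equal(cert_serial, crl_serial);
}

/* Fixed behaviour: strip the sign-padding zero from both sides first. */
bool serial_match_normalised(chunk_t cert_serial, chunk_t crl_serial)
{
    return chunk_equal(skip_zero(cert_serial), skip_zero(crl_serial));
}

/* Scenario from the commit message (constructed data): serial 0x8001 has its
 * MSB set. One parser returns the bare magnitude 80 01 (openssl plugin per the
 * message), the other the DER content octets 00 80 01 (x509 plugin). Returns
 * true when the raw comparison misses the revoked serial while the normalised
 * one finds it. */
bool demo_msb_serial_mismatch(void)
{
    uint8_t cert_bytes[] = {0x80, 0x01};   /* serial without the zero prefix */
    uint8_t crl_bytes[4];                   /* serial as DER content octets   */
    size_t n = der_integer_content(cert_bytes, sizeof cert_bytes,
                                   crl_bytes, sizeof crl_bytes);
    chunk_t cert = {cert_bytes, sizeof cert_bytes};
    chunk_t crl = {crl_bytes, n};
    return n == 3 && crl_bytes[0] == 0x00
        && !serial_match_raw(cert, crl)
        && serial_match_normalised(cert, crl);
}

/* A serial whose MSB is clear gets no padding, so both parsers agree and the
 * old comparison already worked. */
bool demo_plain_serial_matches(void)
{
    uint8_t cert_bytes[] = {0x7f, 0xff};
    uint8_t crl_bytes[4];
    size_t n = der_integer_content(cert_bytes, sizeof cert_bytes,
                                   crl_bytes, sizeof crl_bytes);
    chunk_t cert = {cert_bytes, sizeof cert_bytes};
    chunk_t crl = {crl_bytes, n};
    return n == 2 && serial_match_raw(cert, crl)
        && serial_match_normalised(cert, crl);
}

int main(void)
{
    printf("MSB-set serial: raw compare fails, normalised compare succeeds: %s\n",
           demo_msb_serial_mismatch() ? "yes" : "no");
    printf("MSB-clear serial: both compares agree: %s\n",
           demo_plain_serial_matches() ? "yes" : "no");
    return 0;
}
```

Note that `skip_zero` deliberately strips only one octet and keeps a single-octet zero serial intact; a serial delivered with two leading zeros (a non-minimal encoding) would still compare unequal against its minimal form, which is the caveat to keep in mind when both sides are normalised this way.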
src/libstrongswan/plugins/revocation/revocation_validator.c

index 16ee0ec..1b68320 100644 (file)
@@ -444,7 +444,7 @@ static certificate_t *get_better_crl(certificate_t *cand, certificate_t *best,
        enumerator_t *enumerator;
        time_t revocation;
        crl_reason_t reason;
-       chunk_t serial;
+       chunk_t subject_serial, serial;
        crl_t *crl = (crl_t*)cand;
 
        if (base)
@@ -473,10 +473,11 @@ static certificate_t *get_better_crl(certificate_t *cand, certificate_t *best,
                return best;
        }
 
+       subject_serial = chunk_skip_zero(subject->get_serial(subject));
        enumerator = crl->create_enumerator(crl);
        while (enumerator->enumerate(enumerator, &serial, &revocation, &reason))
        {
-               if (chunk_equals(serial, subject->get_serial(subject)))
+               if (chunk_equals(subject_serial, chunk_skip_zero(serial)))
                {
                        if (reason != CRL_REASON_CERTIFICATE_HOLD)
                        {
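Review bot: the normalisation at the new lines (`subject_serial = chunk_skip_zero(subject->get_serial(subject));` and `chunk_equals(subject_serial, chunk_skip_zero(serial))`) applies chunk_skip_zero() exactly once to each side, so a serial that arrives with more than one leading zero octet (a non-minimal encoding from a lenient parser) still compares unequal unless chunk_skip_zero() strips all leading zeros; the commit title says "any zero bytes" while the message describes a single prefixed byte, so please either state the helper's behaviour in a comment at the comparison or loop until at most one leading zero remains. Hoisting subject->get_serial() out of the enumerate loop is a welcome side effect and could be mentioned in the message. Since the plugin mix the message describes also affects OCSP, it is worth checking whether the OCSP lookup in this file compares serials with the same normalisation.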