From: Tobias Brunner
Date: Mon, 3 Oct 2016 10:15:10 +0000 (+0200)
Subject: pki: Don't remove zero bytes in CRL serials anymore
X-Git-Tag: 5.5.1rc1~1^2~4
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=790847d17c27c412b68a91a7f8505fbc083fa567;p=thirdparty%2Fstrongswan.git

pki: Don't remove zero bytes in CRL serials anymore

This was added a few years ago because pki --signcrl once encoded serials incorrectly as eight byte blobs. But still ensure we have can handle overflows in case the serial is encoded incorrectly without zero-prefix.
---
diff --git a/src/pki/commands/signcrl.c b/src/pki/commands/signcrl.c
index 6d873d326f..b9cf9c4666 100644
--- a/src/pki/commands/signcrl.c
+++ b/src/pki/commands/signcrl.c
@@ -376,14 +376,15 @@ static int sign_crl()
 lastenum = enumerator_create_empty();
 }
- /* remove superfluous leading zeros */
- while (crl_serial.len > 1 && crl_serial.ptr[0] == 0x00 &&
- (crl_serial.ptr[1] & 0x80) == 0x00)
+ if (!crl_serial.len || crl_serial.ptr[0] & 0x80)
+ { /* add leading 0x00 to handle potential overflow if serial is encoded
+ * incorrectly */
+ crl_serial = chunk_cat("cc", chunk_from_chars(0x00), crl_serial);
+ }
+ else
 {
- crl_serial = chunk_skip_zero(crl_serial);
+ crl_serial = chunk_clone(crl_serial);
 }
- crl_serial = chunk_clone(crl_serial);
-
 /* increment the serial number by one */
 chunk_increment(crl_serial);
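Review bot: The sign-bit test `crl_serial.ptr[0] & 0x80` runs before `chunk_increment(crl_serial)`, so a serial whose first byte is 0x7f and whose remaining bytes are all 0xff takes the `else` branch and comes out of the increment with the high bit set and no 0x00 prefix. Whether that value is still written as a positive INTEGER depends on the encoding code further down in sign_crl(), which is outside this hunk; if it is not, a relying party comparing CRL numbers could see the sequence appear to go backwards. A regression test for that boundary would settle it. If the encoder does add the prefix, the `else` branch could document that reliance with `/* private copy, chunk_increment() modifies it in place; a high bit set by the increment is left to the encoder */`. The result of `chunk_increment()` is not checked either, which appears safe only because the first branch guarantees room for the carry, so the existing comment could say that explicitly.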