From: Tobias Brunner
Date: Wed, 24 Jan 2018 13:42:28 +0000 (+0100)
Subject: revocation: Skip any zero bytes when comparing serials in CRLs
X-Git-Tag: 5.6.2dr4~4
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=432358cf49cbdfab507bec5341c9f5f36f390470;p=thirdparty%2Fstrongswan.git

revocation: Skip any zero bytes when comparing serials in CRLs

Depending on the plugins that eventually parse the certificate and CRL, serials with MSB set (i.e. negative numbers that have a zero byte prefixed when encoded as ASN.1 INTEGER) might have (x509 plugin) or not have (openssl plugin) a zero byte prefix when returned by get_serial() or enumerated from the CRL. Strip them before doing the comparison or revocation checking might fail if not both credentials are parsed by the same plugin (which should be rare and only happen if parsing of either cert or CRL fails with one of the plugins and there is a fallback to the implementation provided by the other plugin).

Fixes #2509.
---
diff --git a/src/libstrongswan/plugins/revocation/revocation_validator.c b/src/libstrongswan/plugins/revocation/revocation_validator.c index 16ee0ecc73..1b68320dfc 100644 --- a/src/libstrongswan/plugins/revocation/revocation_validator.c +++ b/src/libstrongswan/plugins/revocation/revocation_validator.c @@ -444,7 +444,7 @@ static certificate_t *get_better_crl(certificate_t *cand, certificate_t *best, enumerator_t *enumerator; time_t revocation; crl_reason_t reason; - chunk_t serial; + chunk_t subject_serial, serial; crl_t *crl = (crl_t*)cand; if (base) 
@@ -473,10 +473,11 @@ static certificate_t *get_better_crl(certificate_t *cand, certificate_t *best, return best; } + subject_serial = chunk_skip_zero(subject->get_serial(subject)); enumerator = crl->create_enumerator(crl); while (enumerator->enumerate(enumerator, &serial, &revocation, &reason)) { - if (chunk_equals(serial, subject->get_serial(subject))) + if (chunk_equals(subject_serial, chunk_skip_zero(serial))) { if (reason != CRL_REASON_CERTIFICATE_HOLD) {
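Review bot: The second hunk normalises both serials at the comparison site without saying why, so a reader of `if (chunk_equals(subject_serial, chunk_skip_zero(serial)))` has to dig up this commit to learn that the x509 and openssl plugins disagree about the ASN.1 INTEGER sign byte; a one-line comment above `subject_serial = chunk_skip_zero(subject->get_serial(subject));` stating that would help. The subject line says "any zero bytes" while the message describes a single prefixed zero byte, so the comment should also state which of the two `chunk_skip_zero` actually performs. Hoisting the subject's serial out of the loop is good; if other call sites compare serials from get_serial() against CRL or OCSP data, consider doing the normalisation once in the plugins' get_serial()/enumerator instead of at each comparison.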
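The mechanism the commit message describes, as an added example that is not strongSwan code: a DER INTEGER is two's complement, so a serial whose top bit is set is encoded with a 0x00 prefix byte; a parser that returns the raw INTEGER contents keeps that byte, one that goes through a big-number type drops it, and a byte-wise comparison of the two views fails until both are normalised. The `chunk_t` stand-in, the `skip_zero` helper (assumed to mirror the patch's `chunk_skip_zero` by dropping one leading zero byte without ever emptying the chunk), the `der_integer_contents` encoder and the sample serials are all constructed for this example.

```c
/* Added example (not strongSwan code): why a leading 0x00 must be stripped
 * before comparing certificate serial numbers produced by different parsers. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Minimal stand-in for strongSwan's chunk_t (assumption: ptr + len pair). */
typedef struct {
    uint8_t *ptr;
    size_t len;
} chunk_t;

/* Constructed sample serials (unsigned big-endian magnitudes, not from any
 * real certificate).  The first has its most significant bit set. */
static const uint8_t SERIAL_MSB_SET[]   = {0x80, 0x1a, 0x2b, 0x3c};
static const uint8_t SERIAL_MSB_CLEAR[] = {0x12, 0x1a, 0x2b, 0x3c};
static uint8_t ZERO_SERIAL[] = {0x00};

/* Encode an unsigned magnitude as the contents of a DER INTEGER: drop
 * redundant leading zeros, then prepend 0x00 if the top bit is set so the
 * value stays non-negative.  Returns bytes written, 0 on error. */
size_t der_integer_contents(const uint8_t *mag, size_t mag_len,
                            uint8_t *out, size_t cap)
{
    if (mag_len == 0) return 0;
    while (mag_len > 1 && mag[0] == 0x00) { mag++; mag_len--; }
    size_t need = mag_len + ((mag[0] & 0x80) ? 1 : 0);
    if (need > cap) return 0;
    size_t i = 0;
    if (mag[0] & 0x80) out[i++] = 0x00;   /* the sign byte the x509 view keeps */
    memcpy(out + i, mag, mag_len);
    return need;
}

/* Assumed semantics of chunk_skip_zero: drop one leading zero byte, but never
 * reduce a chunk to zero length (a serial of exactly 0x00 stays as is). */
chunk_t skip_zero(chunk_t c)
{
    if (c.len > 1 && c.ptr[0] == 0x00) { c.ptr++; c.len--; }
    return c;
}

int chunk_equals(chunk_t a, chunk_t b)
{
    return a.len == b.len && memcmp(a.ptr, b.ptr, a.len) == 0;
}

/* Before the fix: byte-wise comparison of whatever the parsers returned. */
int serial_matches_raw(chunk_t a, chunk_t b) { return chunk_equals(a, b); }

/* After the fix: normalise both sides, then compare. */
int serial_matches(chunk_t a, chunk_t b)
{
    return chunk_equals(skip_zero(a), skip_zero(b));
}

/* Build the two parser views of one serial (raw INTEGER contents vs. minimal
 * magnitude) and compare them both ways.
 * Returns 2 if both comparisons match, 1 if only the normalised one does,
 * 0 if neither does, -1 on encoding error. */
int compare_views(const uint8_t *mag, size_t mag_len)
{
    uint8_t der[64], min[64];
    size_t der_len = der_integer_contents(mag, mag_len, der, sizeof der);
    if (!der_len || mag_len > sizeof min) return -1;

    /* Big-number style view: leading zeros gone, no sign byte. */
    const uint8_t *p = mag;
    size_t min_len = mag_len;
    while (min_len > 1 && p[0] == 0x00) { p++; min_len--; }
    memcpy(min, p, min_len);

    chunk_t x509_view = { der, der_len };
    chunk_t ossl_view = { min, min_len };
    int raw   = serial_matches_raw(x509_view, ossl_view);
    int fixed = serial_matches(x509_view, ossl_view);
    return raw ? 2 : (fixed ? 1 : 0);
}

int main(void)
{
    printf("MSB set   -> %d (1 = only the normalised comparison matches)\n",
           compare_views(SERIAL_MSB_SET, sizeof SERIAL_MSB_SET));
    printf("MSB clear -> %d (2 = both comparisons match)\n",
           compare_views(SERIAL_MSB_CLEAR, sizeof SERIAL_MSB_CLEAR));
    return 0;
}
```

For the serial with the top bit set, the raw comparison reports no match and the certificate would be treated as not revoked even though it is on the CRL; stripping the sign byte on both sides restores the match, while a serial without that bit compares equal either way.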