authorYves-Alexis Perez <corsac@corsac.net>2012-06-28 21:16:07 +0200
committerYves-Alexis Perez <corsac@corsac.net>2012-06-28 21:16:07 +0200
commitb34738ed08c2227300d554b139e2495ca5da97d6 (patch)
tree62f33b52820f2e49f0e53c0f8c636312037c8054 /src/pki
parent0a9d51a49042a68daa15b0c74a2b7f152f52606b (diff)
Imported Upstream version 4.6.4
Diffstat (limited to 'src/pki')
-rw-r--r--src/pki/Makefile.in7
-rw-r--r--src/pki/command.c7
-rw-r--r--src/pki/commands/issue.c2
-rw-r--r--src/pki/commands/print.c7
-rw-r--r--src/pki/commands/self.c2
-rw-r--r--src/pki/commands/signcrl.c30
6 files changed, 40 insertions, 15 deletions
diff --git a/src/pki/Makefile.in b/src/pki/Makefile.in
index b29174680..f9c417658 100644
--- a/src/pki/Makefile.in
+++ b/src/pki/Makefile.in
@@ -169,6 +169,9 @@ am__leading_dot = @am__leading_dot@
am__quote = @am__quote@
am__tar = @am__tar@
am__untar = @am__untar@
+attest_plugins = @attest_plugins@
+axis2c_CFLAGS = @axis2c_CFLAGS@
+axis2c_LIBS = @axis2c_LIBS@
bindir = @bindir@
build = @build@
build_alias = @build_alias@
@@ -177,6 +180,7 @@ build_os = @build_os@
build_vendor = @build_vendor@
builddir = @builddir@
c_plugins = @c_plugins@
+clearsilver_LIBS = @clearsilver_LIBS@
datadir = @datadir@
datarootdir = @datarootdir@
dbusservicedir = @dbusservicedir@
@@ -193,11 +197,13 @@ host_cpu = @host_cpu@
host_os = @host_os@
host_vendor = @host_vendor@
htmldir = @htmldir@
+imcvdir = @imcvdir@
includedir = @includedir@
infodir = @infodir@
install_sh = @install_sh@
ipsecdir = @ipsecdir@
ipsecgroup = @ipsecgroup@
+ipseclibdir = @ipseclibdir@
ipsecuser = @ipsecuser@
libcharon_plugins = @libcharon_plugins@
libdir = @libdir@
@@ -241,6 +247,7 @@ sharedstatedir = @sharedstatedir@
soup_CFLAGS = @soup_CFLAGS@
soup_LIBS = @soup_LIBS@
srcdir = @srcdir@
+starter_plugins = @starter_plugins@
strongswan_conf = @strongswan_conf@
sysconfdir = @sysconfdir@
systemdsystemunitdir = @systemdsystemunitdir@
diff --git a/src/pki/command.c b/src/pki/command.c
index 0142b4ab7..07ba5bb1d 100644
--- a/src/pki/command.c
+++ b/src/pki/command.c
@@ -176,6 +176,13 @@ int command_usage(char *error)
fprintf(out, "Error: %s\n", error);
}
fprintf(out, "strongSwan %s PKI tool\n", VERSION);
+
+ if (active == help_idx)
+ {
+ fprintf(out, "loaded plugins: %s\n",
+ lib->plugins->loaded_plugins(lib->plugins));
+ }
+
fprintf(out, "usage:\n");
if (active == help_idx)
{
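Review bot: The new `fprintf` passes the result of `lib->plugins->loaded_plugins(lib->plugins)` straight to `%s`, and nothing in this hunk shows that the call cannot return NULL, for instance when usage is printed before any plugin has been loaded. A NULL argument to `%s` is undefined behaviour, so if that case is possible, store the result in a local first and print `plugins ? plugins : ""`. Ownership of the returned string is not visible here either; a one-line comment saying whether the caller must free it would help. command_usage() starts and ends outside the hunk.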
diff --git a/src/pki/commands/issue.c b/src/pki/commands/issue.c
index 6a5686d92..20163edf2 100644
--- a/src/pki/commands/issue.c
+++ b/src/pki/commands/issue.c
@@ -67,11 +67,11 @@ static int issue()
char *error = NULL, *keyid = NULL;
identification_t *id = NULL;
linked_list_t *san, *cdps, *ocsp, *permitted, *excluded, *policies, *mappings;
- int lifetime = 1095;
int pathlen = X509_NO_CONSTRAINT, inhibit_any = X509_NO_CONSTRAINT;
int inhibit_mapping = X509_NO_CONSTRAINT, require_explicit = X509_NO_CONSTRAINT;
chunk_t serial = chunk_empty;
chunk_t encoding = chunk_empty;
+ time_t lifetime = 1095;
time_t not_before, not_after;
x509_flag_t flags = 0;
x509_t *x509;
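Review bot: `time_t lifetime = 1095;` carries no unit, and the code that parses and applies it is outside this hunk, so the type change alone does not show that the value is range-checked. Presumably it is a number of days that is later scaled to seconds to derive `not_after`; if the option is still read with something like `atoi()`, a negative or very large input would yield a certificate that is already expired or valid far longer than intended. I would add a comment such as `/* certificate lifetime in days; must be > 0 */` and reject non-positive values where the option is parsed. The same applies to `lifetime` in src/pki/commands/self.c and to `time_t lifetime = 15;` in src/pki/commands/signcrl.c. issue() continues outside the hunk.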
diff --git a/src/pki/commands/print.c b/src/pki/commands/print.c
index ee6f30c98..a7f02bfac 100644
--- a/src/pki/commands/print.c
+++ b/src/pki/commands/print.c
@@ -79,7 +79,7 @@ static void print_x509(x509_t *x509)
x509_cert_policy_t *policy;
x509_policy_mapping_t *mapping;
- chunk = x509->get_serial(x509);
+ chunk = chunk_skip_zero(x509->get_serial(x509));
printf("serial: %#B\n", &chunk);
first = TRUE;
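Review bot: The single `chunk_skip_zero()` call on the serial may not strip all padding: the signcrl.c change in this same commit wraps `chunk_skip_zero()` in a `while` loop to remove "superfluous leading zeros", which suggests one call drops at most one byte (its definition is not on this page). If so, a serial with several leading zero bytes still prints with some of them, and print.c and signcrl.c would disagree on the normalised form an operator compares against. Either loop here as well or add a comment such as `/* display only: drop one leading zero byte of the encoded serial */`. The same pattern appears in the two print_crl() hunks, for the CRL serial, the delta CRL base serial and each revoked serial. Both functions continue outside the hunks.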
@@ -329,10 +329,12 @@ static void print_crl(crl_t *crl)
struct tm tm;
x509_cdp_t *cdp;
- chunk = crl->get_serial(crl);
+ chunk = chunk_skip_zero(crl->get_serial(crl));
printf("serial: %#B\n", &chunk);
+
if (crl->is_delta_crl(crl, &chunk))
{
+ chunk = chunk_skip_zero(chunk);
printf("delta CRL: for serial %#B\n", &chunk);
}
chunk = crl->get_authKeyIdentifier(crl);
@@ -371,6 +373,7 @@ static void print_crl(crl_t *crl)
enumerator = crl->create_enumerator(crl);
while (enumerator->enumerate(enumerator, &chunk, &ts, &reason))
{
+ chunk = chunk_skip_zero(chunk);
localtime_r(&ts, &tm);
strftime(buf, sizeof(buf), "%F %T", &tm);
printf(" %#B %N %s\n", &chunk, crl_reason_names, reason, buf);
diff --git a/src/pki/commands/self.c b/src/pki/commands/self.c
index c7788ff62..c4508a671 100644
--- a/src/pki/commands/self.c
+++ b/src/pki/commands/self.c
@@ -55,11 +55,11 @@ static int self()
char *file = NULL, *dn = NULL, *hex = NULL, *error = NULL, *keyid = NULL;
identification_t *id = NULL;
linked_list_t *san, *ocsp, *permitted, *excluded, *policies, *mappings;
- int lifetime = 1095;
int pathlen = X509_NO_CONSTRAINT, inhibit_any = X509_NO_CONSTRAINT;
int inhibit_mapping = X509_NO_CONSTRAINT, require_explicit = X509_NO_CONSTRAINT;
chunk_t serial = chunk_empty;
chunk_t encoding = chunk_empty;
+ time_t lifetime = 1095;
time_t not_before, not_after;
x509_flag_t flags = 0;
x509_cert_policy_t *policy = NULL;
diff --git a/src/pki/commands/signcrl.c b/src/pki/commands/signcrl.c
index 9a21bd99c..153734f53 100644
--- a/src/pki/commands/signcrl.c
+++ b/src/pki/commands/signcrl.c
@@ -120,21 +120,20 @@ static int sign_crl()
hash_algorithm_t digest = HASH_SHA1;
char *arg, *cacert = NULL, *cakey = NULL, *lastupdate = NULL, *error = NULL;
char *basecrl = NULL;
- char serial[512], crl_serial[8], *keyid = NULL;
+ char serial[512], *keyid = NULL;
int serial_len = 0;
crl_reason_t reason = CRL_REASON_UNSPECIFIED;
time_t thisUpdate, nextUpdate, date = time(NULL);
- int lifetime = 15;
+ time_t lifetime = 15;
linked_list_t *list, *cdps;
enumerator_t *enumerator, *lastenum = NULL;
x509_cdp_t *cdp;
- chunk_t encoding = chunk_empty, baseCrlNumber = chunk_empty;
+ chunk_t crl_serial = chunk_empty, baseCrlNumber = chunk_empty;
+ chunk_t encoding = chunk_empty;
list = linked_list_create();
cdps = linked_list_create();
- memset(crl_serial, 0, sizeof(crl_serial));
-
while (TRUE)
{
switch (command_getopt(&arg))
@@ -334,9 +333,8 @@ static int sign_crl()
error = "loading base CRL failed";
goto error;
}
- memcpy(crl_serial, lastcrl->get_serial(lastcrl).ptr,
- min(lastcrl->get_serial(lastcrl).len, sizeof(crl_serial)));
baseCrlNumber = chunk_clone(lastcrl->get_serial(lastcrl));
+ crl_serial = baseCrlNumber;
DESTROY_IF((certificate_t*)lastcrl);
lastcrl = NULL;
}
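Review bot: The serial taken from the base CRL by `crl_serial = baseCrlNumber;` appears to be discarded when no lastUpdate CRL is supplied, because the `else` branch added in the next hunk assigns `crl_serial = chunk_from_chars(0x00);` unconditionally. The removed code left the base CRL's number in the buffer in that case, so the new CRL number would now restart at 01 instead of continuing from the base, and relying parties expect CRL numbers to increase monotonically. The `if` that the `else` belongs to is outside the visible lines, so the pairing needs confirming. If it is as it looks, set the zero default once before the base-CRL block and remove the assignment from the `else` branch, so later branches only overwrite the serial when they actually load a CRL.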
@@ -350,22 +348,31 @@ static int sign_crl()
error = "loading lastUpdate CRL failed";
goto error;
}
- memcpy(crl_serial, lastcrl->get_serial(lastcrl).ptr,
- min(lastcrl->get_serial(lastcrl).len, sizeof(crl_serial)));
+ crl_serial = lastcrl->get_serial(lastcrl);
lastenum = lastcrl->create_enumerator(lastcrl);
}
else
{
+ crl_serial = chunk_from_chars(0x00);
lastenum = enumerator_create_empty();
}
- chunk_increment(chunk_create(crl_serial, sizeof(crl_serial)));
+ /* remove superfluous leading zeros */
+ while (crl_serial.len > 1 && crl_serial.ptr[0] == 0x00 &&
+ (crl_serial.ptr[1] & 0x80) == 0x00)
+ {
+ crl_serial = chunk_skip_zero(crl_serial);
+ }
+ crl_serial = chunk_clone(crl_serial);
+
+ /* increment the serial number by one */
+ chunk_increment(crl_serial);
enumerator = enumerator_create_filter(list->create_enumerator(list),
(void*)filter, NULL, NULL);
crl = lib->creds->create(lib->creds, CRED_CERTIFICATE, CERT_X509_CRL,
BUILD_SIGNING_KEY, private, BUILD_SIGNING_CERT, ca,
- BUILD_SERIAL, chunk_create(crl_serial, sizeof(crl_serial)),
+ BUILD_SERIAL, crl_serial,
BUILD_NOT_BEFORE_TIME, thisUpdate, BUILD_NOT_AFTER_TIME, nextUpdate,
BUILD_REVOKED_ENUMERATOR, enumerator,
BUILD_REVOKED_ENUMERATOR, lastenum, BUILD_DIGEST_ALG, digest,
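Review bot: `crl_serial = chunk_from_chars(0x00);` is assigned inside the `else` block but read after it, by the zero-stripping loop and by `chunk_clone()`. If `chunk_from_chars` expands to a compound literal, as it does in strongSwan's chunk.h as far as I know, that storage has block scope and its lifetime ends at the closing brace, so the later reads are undefined behaviour. A function-scope buffer avoids this: `char zero[] = { 0x00 };` next to the other declarations and `crl_serial = chunk_create(zero, sizeof(zero));` in the branch. Separately, the result of `chunk_increment(crl_serial)` is ignored; now that the serial is no longer a fixed 8-byte buffer, a carry out of the top byte, or into its high bit (0x7f to 0x80), would silently wrap or change the sign of the CRL number, so the overflow case deserves an explicit check. sign_crl() continues outside the hunk.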
@@ -374,6 +381,7 @@ static int sign_crl()
enumerator->destroy(enumerator);
lastenum->destroy(lastenum);
DESTROY_IF((certificate_t*)lastcrl);
+ free(crl_serial.ptr);
if (!crl)
{