diff options
author | Nikos Mavrogiannopoulos <nmav@redhat.com> | 2018-09-17 09:28:08 +0200 |
---|---|---|
committer | Nikos Mavrogiannopoulos <nmav@gnutls.org> | 2018-09-17 09:09:19 +0000 |
commit | ed3b6d9ac9e526541c1acfee5f5825c92e34e80a (patch) | |
tree | fb99f61899b10fffe1edfaefcae5880d3a2f8ce4 | |
parent | 55479c057e8224e065979bfb2beedc84f6fad701 (diff) | |
download | gnutls-ed3b6d9ac9e526541c1acfee5f5825c92e34e80a.tar.gz |
gnutls_x509_trust_list_add_trust_mem: fix behavior with unaccounted certs
If gnutls_x509_trust_list_add_cas returns less than clist_size, the additional
unaccounted certificates will never be freed.
Relates #552
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
-rw-r--r-- | lib/x509/verify-high2.c | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/lib/x509/verify-high2.c b/lib/x509/verify-high2.c index 8c75b26414..8ba2f2a3ee 100644 --- a/lib/x509/verify-high2.c +++ b/lib/x509/verify-high2.c @@ -58,6 +58,9 @@ * This function will add the given certificate authorities * to the trusted list. * + * If this function is used gnutls_x509_trust_list_deinit() must be called + * with parameter @all being 1. + * * Returns: The number of added elements is returned. * * Since: 3.1 @@ -76,6 +79,9 @@ gnutls_x509_trust_list_add_trust_mem(gnutls_x509_trust_list_t list, unsigned int x509_ncas, x509_ncrls; unsigned int r = 0; + /* When adding CAs or CRLs, we use the GNUTLS_TL_NO_DUPLICATES flag to ensure + * that unaccounted certificates/CRLs are deinitialized. */ + if (cas != NULL && cas->data != NULL) { ret = gnutls_x509_crt_list_import2(&x509_ca_list, &x509_ncas, @@ -85,7 +91,7 @@ gnutls_x509_trust_list_add_trust_mem(gnutls_x509_trust_list_t list, ret = gnutls_x509_trust_list_add_cas(list, x509_ca_list, - x509_ncas, tl_flags); + x509_ncas, tl_flags|GNUTLS_TL_NO_DUPLICATES); gnutls_free(x509_ca_list); if (ret < 0) |