authorDaiki Ueno <ueno@gnu.org>2021-10-30 08:56:07 +0200
committerDaiki Ueno <ueno@gnu.org>2022-01-17 18:57:30 +0100
commit22f837ba0bc7d13c3d738a8583566368fc12aee1 (patch)
treea4f385e685d9079763395cc96957c2b3ff2c6bc1
parent34c6c97bd77975b96597e1e4c03e4d0465dda22a (diff)
x509: fix thread-safety in gnutls_x509_trust_list_verify_crt2
This function previously used gnutls_x509_trust_list_get_issuer without the GNUTLS_TL_GET_COPY flag, which is required when the function is called from a multi-threaded application and a PKCS #11 trust store is in use. Reported, and the change suggested, by Remi Gacogne in: https://gitlab.com/gnutls/gnutls/-/issues/1277 Signed-off-by: Daiki Ueno <ueno@gnu.org>
-rw-r--r--lib/x509/verify-high.c6
1 files changed, 4 insertions, 2 deletions
diff --git a/lib/x509/verify-high.c b/lib/x509/verify-high.c
index ab8e006ca7..5698d4f372 100644
--- a/lib/x509/verify-high.c
+++ b/lib/x509/verify-high.c
@@ -1102,7 +1102,8 @@ int trust_list_get_issuer_by_dn(gnutls_x509_trust_list_t list,
* gnutls_x509_trust_list_get_issuer:
* @list: The list
* @cert: is the certificate to find issuer for
- * @issuer: Will hold the issuer if any. Should be treated as constant.
+ * @issuer: Will hold the issuer if any. Should be treated as constant
+ * unless %GNUTLS_TL_GET_COPY is set in @flags.
* @flags: flags from %gnutls_trust_list_flags_t (%GNUTLS_TL_GET_COPY is applicable)
*
* This function will find the issuer of the given certificate.
@@ -1521,7 +1522,8 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list,
if (gnutls_x509_trust_list_get_issuer(list,
cert_list[i - 1],
&issuer,
- 0) == 0) {
+ GNUTLS_TL_GET_COPY) == 0) {
+ gnutls_x509_crt_deinit(issuer);
cert_list_size = i;
break;
}
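Review bot: After the added `gnutls_x509_crt_deinit(issuer);`, `issuer` is left pointing at freed memory; gnutls_x509_trust_list_verify_crt2 starts before and continues after this hunk, so whether the variable is read again later cannot be seen here, but if it is, it should be reset with `issuer = NULL;` immediately after the deinit. The copy is requested only to decide whether a trusted issuer exists and is discarded at once, which reads like a wasted allocation unless the reader knows the thread-safety rationale from the commit message; a comment above the call such as `/* GNUTLS_TL_GET_COPY is required for thread-safety with PKCS #11 trust stores; the copy itself is not needed beyond this check */` would keep that reason with the code. The deinit is reached only on the `== 0` branch, so a non-zero return correctly leaves nothing to free.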