| Field | Value | Date |
|---|---|---|
| author | Daiki Ueno <ueno@gnu.org> | 2021-10-30 08:56:07 +0200 |
| committer | Daiki Ueno <ueno@gnu.org> | 2022-01-17 18:57:30 +0100 |
| commit | 22f837ba0bc7d13c3d738a8583566368fc12aee1 (patch) | |
| tree | a4f385e685d9079763395cc96957c2b3ff2c6bc1 /lib/x509 | |
| parent | 34c6c97bd77975b96597e1e4c03e4d0465dda22a (diff) | |
| download | gnutls-22f837ba0bc7d13c3d738a8583566368fc12aee1.tar.gz | |
x509: fix thread-safety in gnutls_x509_trust_list_verify_crt2
This function previously used gnutls_x509_trust_list_get_issuer
without the GNUTLS_TL_GET_COPY flag, which is required when the function
is called from a multi-threaded application and a PKCS #11 trust store is
in use.

Reported, and the change suggested, by Remi Gacogne in:
https://gitlab.com/gnutls/gnutls/-/issues/1277
Signed-off-by: Daiki Ueno <ueno@gnu.org>
Diffstat (limited to 'lib/x509')

| Mode | File | Lines |
|---|---|---|
| -rw-r--r-- | lib/x509/verify-high.c | 6 |

1 files changed, 4 insertions, 2 deletions
diff --git a/lib/x509/verify-high.c b/lib/x509/verify-high.c index ab8e006ca7..5698d4f372 100644 --- a/lib/x509/verify-high.c +++ b/lib/x509/verify-high.c @@ -1102,7 +1102,8 @@ int trust_list_get_issuer_by_dn(gnutls_x509_trust_list_t list, * gnutls_x509_trust_list_get_issuer: * @list: The list * @cert: is the certificate to find issuer for - * @issuer: Will hold the issuer if any. Should be treated as constant. + * @issuer: Will hold the issuer if any. Should be treated as constant + * unless %GNUTLS_TL_GET_COPY is set in @flags. * @flags: flags from %gnutls_trust_list_flags_t (%GNUTLS_TL_GET_COPY is applicable) * * This function will find the issuer of the given certificate. @@ -1521,7 +1522,8 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list, if (gnutls_x509_trust_list_get_issuer(list, cert_list[i - 1], &issuer, - 0) == 0) { + GNUTLS_TL_GET_COPY) == 0) { + gnutls_x509_crt_deinit(issuer); cert_list_size = i; break; } |
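Review bot: the updated @issuer description in the first hunk (the doc comment of gnutls_x509_trust_list_get_issuer) says the object should be treated as constant unless %GNUTLS_TL_GET_COPY is set in @flags, but it does not say what the caller must do in that case. Since the second hunk releases the copy with gnutls_x509_crt_deinit(), the comment should state that ownership passes to the caller, for example `+ * unless %GNUTLS_TL_GET_COPY is set in @flags, in which case the caller` / `+ * must release it with gnutls_x509_crt_deinit().`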
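Review bot: in the second hunk (gnutls_x509_trust_list_verify_crt2) the copy obtained with GNUTLS_TL_GET_COPY is deinitialized on the very next line, so the call now serves purely as an existence test for a trusted issuer; a short comment at the call site stating that the copy is requested for thread-safety with PKCS #11 trust stores (the reason given in the commit message) would stop a later cleanup from "optimizing" the flag back to 0. The placement of gnutls_x509_crt_deinit(issuer) inside the `== 0` branch is correct, since @issuer is only populated on success.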