From 1ded3ae173d93082a46628511615b22c8ff5c1ab Mon Sep 17 00:00:00 2001
From: Nikos Mavrogiannopoulos
Date: Wed, 5 Apr 2017 13:30:22 +0200
Subject: is_level_acceptable: ensure issuer is not dereferenced when null

Signed-off-by: Nikos Mavrogiannopoulos
---
 lib/x509/verify.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/lib/x509/verify.c b/lib/x509/verify.c
index 03416758dc..7a922a68b8 100644
--- a/lib/x509/verify.c
+++ b/lib/x509/verify.c
@@ -405,7 +405,7 @@ static unsigned is_level_acceptable(
 {
 gnutls_certificate_verification_profiles_t profile = GNUTLS_VFLAGS_TO_PROFILE(flags);
 const mac_entry_st *entry;
- int issuer_pkalg, pkalg, ret;
+ int issuer_pkalg = 0, pkalg, ret;
 unsigned bits = 0, issuer_bits = 0, sym_bits = 0;
 gnutls_pk_params_st params;
 gnutls_sec_param_t sp;
@@ -418,9 +418,11 @@ static unsigned is_level_acceptable(
 if (pkalg < 0)
 return gnutls_assert_val(0);

- issuer_pkalg = gnutls_x509_crt_get_pk_algorithm(crt, &issuer_bits);
- if (issuer_pkalg < 0)
- return gnutls_assert_val(0);
+ if (issuer) {
+ issuer_pkalg = gnutls_x509_crt_get_pk_algorithm(issuer, &issuer_bits);
+ if (issuer_pkalg < 0)
+ return gnutls_assert_val(0);
+ }

 switch (profile) {
 CASE_SEC_PARAM(GNUTLS_PROFILE_VERY_WEAK, GNUTLS_SEC_PARAM_VERY_WEAK);
--
cgit v1.2.1
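Review bot: When `issuer` is NULL the second hunk leaves `issuer_pkalg` and `issuer_bits` at 0, and the code that consumes them (the `CASE_SEC_PARAM` expansion and anything after the `switch`) is outside the hunk, so it should be confirmed that every later use sits behind the same `if (issuer)` test. Otherwise a missing issuer would be graded as a zero-bit key or passed without a strength check, depending on how the consumer treats 0. The same hunk also changes the queried certificate from `crt` to `issuer`, which suggests the issuer's key was not actually being measured before. The subject line mentions only the null dereference, so a comment above the guard such as `/* issuer may be NULL; issuer_pkalg/issuer_bits then stay 0 and must not be graded */` would record the intent. In the first hunk, `int issuer_pkalg = GNUTLS_PK_UNKNOWN, pkalg, ret;` would state the meaning of the initial value better than the literal `0`. is_level_acceptable begins before and continues past both hunks.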