From 22f837ba0bc7d13c3d738a8583566368fc12aee1 Mon Sep 17 00:00:00 2001
From: Daiki Ueno
Date: Sat, 30 Oct 2021 08:56:07 +0200
Subject: x509: fix thread-safety in gnutls_x509_trust_list_verify_crt2
This function previously used gnutls_x509_trust_list_get_issuer without GNUTLS_TL_GET_COPY flag, which is required when the function is called from multi-threaded application and PKCS #11 trust store is in use. Reported and the change suggested by Remi Gacogne in: https://gitlab.com/gnutls/gnutls/-/issues/1277
Signed-off-by: Daiki Ueno
---
 lib/x509/verify-high.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/lib/x509/verify-high.c b/lib/x509/verify-high.c
index ab8e006ca7..5698d4f372 100644
--- a/lib/x509/verify-high.c
+++ b/lib/x509/verify-high.c
@@ -1102,7 +1102,8 @@ int trust_list_get_issuer_by_dn(gnutls_x509_trust_list_t list,
 * gnutls_x509_trust_list_get_issuer:
 * @list: The list
 * @cert: is the certificate to find issuer for
- * @issuer: Will hold the issuer if any. Should be treated as constant.
+ * @issuer: Will hold the issuer if any. Should be treated as constant
+ * unless %GNUTLS_TL_GET_COPY is set in @flags.
 * @flags: flags from %gnutls_trust_list_flags_t (%GNUTLS_TL_GET_COPY is applicable)
 *
 * This function will find the issuer of the given certificate.
@@ -1521,7 +1522,8 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list,
 if (gnutls_x509_trust_list_get_issuer(list,
 cert_list[i - 1],
 &issuer,
- 0) == 0) {
+ GNUTLS_TL_GET_COPY) == 0) {
+ gnutls_x509_crt_deinit(issuer);
 cert_list_size = i;
 break;
 }
-- 
cgit v1.2.1
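Review bot: The call in gnutls_x509_trust_list_verify_crt2 does not record why it requests a copy that is freed on the very next line, so a later cleanup could switch the flag back to `0` and reintroduce the race the commit message describes for PKCS #11 trust stores. A short comment above the call would pin that down, for example `/* GNUTLS_TL_GET_COPY: required for thread safety with a PKCS #11 trust store; only existence matters here, so free the copy at once */`. Since `issuer` is declared outside the hunk and its later uses are not visible, it may also be worth adding `issuer = NULL;` after `gnutls_x509_crt_deinit(issuer);` so no stale pointer survives the `break`. The function body starts and ends outside this hunk.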