2.3.x regression in auth_cert.c:call_get_cert_callback
Joe Orton
joe at manyfish.co.uk
Fri Mar 28 22:41:41 CET 2008
The test case in the neon test suite for neon's PKCS#11 interface is
broken with 2.3.4; it works with earlier versions (at least 2.3.0,
haven't tested the version in between).
In the test case, neon provides callbacks via both
a) gnutls_certificate_client_set_retrieve_function and
b) gnutls_sign_callback_set
The callback for (a) finds a keypair via a configured PKCS#11 provider,
and sets up st->cert.x509 et al. as normal; st->key.x509 is set to NULL,
since the callback for (b) is used to delegate the signing operation via
PKCS#11.
GnuTLS now fails if st->key.x509 is NULL; if I avoid that code path as
below, it works again. Is this not the correct way to be using the
interface? There is nothing much else that could be returned in
key.x509 for this case, AFAICS.
diff -up ./lib/auth_cert.c.unbreak ./lib/auth_cert.c
--- ./lib/auth_cert.c.unbreak 2008-03-10 15:02:35.000000000 +0000
+++ ./lib/auth_cert.c 2008-03-28 21:31:57.000000000 +0000
@@ -456,7 +456,7 @@ call_get_cert_callback (gnutls_session_t
if (type == GNUTLS_CRT_X509)
{
local_certs = alloc_and_load_x509_certs (st.cert.x509, st.ncerts);
- if (local_certs != NULL)
+ if (local_certs != NULL && st.key.x509 != NULL)
{
local_key = alloc_and_load_x509_key (st.key.x509);
if (local_key == NULL)
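Review bot: the added `st.key.x509 != NULL` condition on the `+` line turns a missing private key from an error into a silent skip of the whole key-loading block, so the `local_key == NULL` check that follows no longer fires for that case and a caller that returns a NULL key without having registered a sign callback would proceed with no key at all rather than failing as before. Suggest narrowing the guard so the block is only skipped when a sign callback is actually set (and rejecting a NULL key otherwise), and making sure whatever consumes local_key after this block tolerates it never having been assigned on the new path. A short comment on the `+` line explaining that a NULL key means "signing is delegated to the sign callback" would also help the next reader, since nothing in the hunk says why a NULL key is now acceptable.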