[gnutls-devel] [PATCH 2/5] Fix gnutls_pkcs12_simple_parse to always extract the complete chain

Stefan Sørensen stefan.sorensen at spectralink.com
Mon Aug 8 13:31:15 CEST 2016


gnutls_pkcs12_simple_parse was only collecting extra certificates that were
possible elements of the certificate chain when the extra_certs argument was
not NULL. Fix by always collecting all the certificates; any unneeded
certificates are released before returning if extra_certs is NULL anyway.

Signed-off-by: Stefan Sørensen <stefan.sorensen at spectralink.com>
---
 lib/x509/pkcs12.c | 35 +++++++++++++++--------------------
 1 file changed, 15 insertions(+), 20 deletions(-)

diff --git a/lib/x509/pkcs12.c b/lib/x509/pkcs12.c
index 5b072dd..e39dcde 100644
--- a/lib/x509/pkcs12.c
+++ b/lib/x509/pkcs12.c
@@ -1683,27 +1683,22 @@ gnutls_pkcs12_simple_parse(gnutls_pkcs12_t p12,
 				}
 
 				if (memcmp(cert_id, key_id, cert_id_size) != 0) {	/* they don't match - skip the certificate */
-					if (extra_certs) {
-						_extra_certs =
-						    gnutls_realloc_fast
-						    (_extra_certs,
-						     sizeof(_extra_certs
-							    [0]) *
-						     ++_extra_certs_len);
-						if (!_extra_certs) {
-							gnutls_assert();
-							ret =
-							    GNUTLS_E_MEMORY_ERROR;
-							goto done;
-						}
-						_extra_certs
-						    [_extra_certs_len -
-						     1] = this_cert;
-						this_cert = NULL;
-					} else {
-						gnutls_x509_crt_deinit
-						    (this_cert);
+					_extra_certs =
+						gnutls_realloc_fast
+						(_extra_certs,
+						 sizeof(_extra_certs
+							[0]) *
+						 ++_extra_certs_len);
+					if (!_extra_certs) {
+						gnutls_assert();
+						ret =
+							GNUTLS_E_MEMORY_ERROR;
+						goto done;
 					}
+					_extra_certs
+						[_extra_certs_len -
+						 1] = this_cert;
+					this_cert = NULL;
 				} else {
 					if (chain && _chain_len == 0) {
 						_chain =
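Review bot: The allocation-failure branch now runs for every caller, and when `gnutls_realloc_fast` returns NULL it leaves `_extra_certs_len` already incremented, `_extra_certs` NULL and `this_cert` still held by the loop. As far as I know gnutls_realloc_fast frees the old block on failure, so the certificates stored earlier can no longer be deinitialised, and whether `this_cert` is released depends on the `done:` cleanup, which lies outside this hunk. Because the PKCS#12 input decides how many certificates reach this branch, I would grow the array without losing it on failure: `tmp = gnutls_realloc(_extra_certs, sizeof(_extra_certs[0]) * (_extra_certs_len + 1));`, then `if (!tmp) { gnutls_assert(); ret = GNUTLS_E_MEMORY_ERROR; goto done; }` and `_extra_certs = tmp; _extra_certs[_extra_certs_len++] = this_cert;`. Please also confirm that `done:` deinitialises `this_cert` and every collected entry on the error path, and that the release for a NULL `extra_certs` mentioned in the description runs there too.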
-- 
2.7.4



