[gnutls-devel] [PATCH 2/5] Fix gnutls_pkcs12_simple_parse to always extract the complete chain

Nikos Mavrogiannopoulos nmav at gnutls.org
Mon Aug 8 16:14:20 CEST 2016


Hi,
 Thank you for the patch set. Do you have some test that would detect
and uncover this behavior that we can include in our test suite?

regards,
Nikos


On Mon, Aug 8, 2016 at 1:31 PM, Stefan Sørensen
<stefan.sorensen at spectralink.com> wrote:
> gnutls_pkcs12_simple_parse was only collecting extra certificates that were
> possible elements of the certificate chain when the extra_certs argument was
> not NULL. Fix by always collecting all the certificates; any unneeded
> certificates are released before returning if extra_certs is NULL anyway.
>
> Signed-off-by: Stefan Sørensen <stefan.sorensen at spectralink.com>
> ---
>  lib/x509/pkcs12.c | 35 +++++++++++++++--------------------
>  1 file changed, 15 insertions(+), 20 deletions(-)
>
> diff --git a/lib/x509/pkcs12.c b/lib/x509/pkcs12.c
> index 5b072dd..e39dcde 100644
> --- a/lib/x509/pkcs12.c
> +++ b/lib/x509/pkcs12.c
> @@ -1683,27 +1683,22 @@ gnutls_pkcs12_simple_parse(gnutls_pkcs12_t p12,
>                                 }
>
>                                 if (memcmp(cert_id, key_id, cert_id_size) != 0) {       /* they don't match - skip the certificate */
> -                                       if (extra_certs) {
> -                                               _extra_certs =
> -                                                   gnutls_realloc_fast
> -                                                   (_extra_certs,
> -                                                    sizeof(_extra_certs
> -                                                           [0]) *
> -                                                    ++_extra_certs_len);
> -                                               if (!_extra_certs) {
> -                                                       gnutls_assert();
> -                                                       ret =
> -                                                           GNUTLS_E_MEMORY_ERROR;
> -                                                       goto done;
> -                                               }
> -                                               _extra_certs
> -                                                   [_extra_certs_len -
> -                                                    1] = this_cert;
> -                                               this_cert = NULL;
> -                                       } else {
> -                                               gnutls_x509_crt_deinit
> -                                                   (this_cert);
> +                                       _extra_certs =
> +                                               gnutls_realloc_fast
> +                                               (_extra_certs,
> +                                                sizeof(_extra_certs
> +                                                       [0]) *
> +                                                ++_extra_certs_len);
> +                                       if (!_extra_certs) {
> +                                               gnutls_assert();
> +                                               ret =
> +                                                       GNUTLS_E_MEMORY_ERROR;
> +                                               goto done;
>                                         }
> +                                       _extra_certs
> +                                               [_extra_certs_len -
> +                                                1] = this_cert;
> +                                       this_cert = NULL;
>                                 } else {
>                                         if (chain && _chain_len == 0) {
>                                                 _chain =
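Review bot: the cleanup the commit message relies on ("any unneeded certificates are released before returning if extra_certs is NULL") lives at the `done:` label, which is outside this hunk, so the diff alone cannot show it. The removed `else` branch with `gnutls_x509_crt_deinit(this_cert)` was the only release of non-matching certificates visible here; now every non-matching certificate is appended to `_extra_certs` unconditionally, so if the `done:` path only hands the array to the caller when `extra_certs` is set and does not otherwise deinit each entry and free the array, this turns an incomplete-chain bug into a per-certificate leak. Please confirm that path in the patch description or extend the hunk to include it, and add the test Nikos asks for (parse a PKCS#12 blob that carries extra certificates with `extra_certs == NULL` and check the returned chain is complete, then run it under the leak checker used by the test suite). Minor style point: since these lines are rewritten anyway, the `gnutls_realloc_fast` call split over five lines could be collapsed to `_extra_certs = gnutls_realloc_fast(_extra_certs, sizeof(_extra_certs[0]) * ++_extra_certs_len);`, which is easier to read and review.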
> --
> 2.7.4
>
>
> _______________________________________________
> Gnutls-devel mailing list
> Gnutls-devel at lists.gnutls.org
> http://lists.gnupg.org/mailman/listinfo/gnutls-devel
