From 22f837ba0bc7d13c3d738a8583566368fc12aee1 Mon Sep 17 00:00:00 2001
From: Daiki Ueno <ueno@gnu.org>
Date: Sat, 30 Oct 2021 08:56:07 +0200
Subject: [PATCH] x509: fix thread-safety in gnutls_x509_trust_list_verify_crt2
This function previously used gnutls_x509_trust_list_get_issuer
without GNUTLS_TL_GET_COPY flag, which is required when the function
is called from multi-threaded application and PKCS #11 trust store is
in use.
Reported and the change suggested by Remi Gacogne in:
https://gitlab.com/gnutls/gnutls/-/issues/1277
Signed-off-by: Daiki Ueno <ueno@gnu.org>
Reference: https://gitlab.com/gnutls/gnutls/-/commit/22f837ba0bc7d13c3d738a8583566368fc12aee1
Conflict: NA
---
lib/x509/verify-high.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
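--- a/lib/x509/verify-high.c
+++ b/lib/x509/verify-high.c
@@ -1102,7 +1102,8 @@ int trust_list_get_issuer_by_dn(gnutls_x509_trust_list_t list,
 * gnutls_x509_trust_list_get_issuer:
 * @list: The list
 * @cert: is the certificate to find issuer for
- * @issuer: Will hold the issuer if any. Should be treated as constant.
+ * @issuer: Will hold the issuer if any. Should be treated as constant
+ * unless %GNUTLS_TL_GET_COPY is set in @flags.
 * @flags: flags from %gnutls_trust_list_flags_t (%GNUTLS_TL_GET_COPY is applicable)
 *
 * This function will find the issuer of the given certificate.
@@ -1521,7 +1522,8 @@ gnutls_x509_trust_list_verify_crt2(gnutls_x509_trust_list_t list,
 if (gnutls_x509_trust_list_get_issuer(list,
 cert_list[i - 1],
 &issuer,
- 0) == 0) {
+ GNUTLS_TL_GET_COPY) == 0) {
+ gnutls_x509_crt_deinit(issuer);
 cert_list_size = i;
 break;
 }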
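Review bot: The call in gnutls_x509_trust_list_verify_crt2 now requests a copy of the issuer only to free it on the next line, and nothing in the code says why, so a later cleanup could switch the flag back to `0` and reintroduce the race described in the commit message. A short comment above the call would pin the intent, for example `/* GNUTLS_TL_GET_COPY: the non-copy result is not safe across threads when a PKCS #11 trust store is in use; only the issuer's existence matters here, so the copy is freed at once */`. The diffstat shows a single file changed, so no multi-threaded regression test accompanies the fix, and whether other callers still pass `0` cannot be seen from these hunks and is worth checking. The enclosing loop starts and ends outside the hunk.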
--
2.33.0