gnutls-devel

2.3.x regression in auth_cert.c:call_get_cert_callback


From: Joe Orton
Subject: 2.3.x regression in auth_cert.c:call_get_cert_callback
Date: Fri, 28 Mar 2008 21:41:41 +0000
User-agent: Mutt/1.5.17 (2007-11-01)

The test case in the neon test suite for neon's PKCS#11 interface is 
broken with 2.3.4; it works with earlier versions (at least 2.3.0, 
haven't tested the version in between).

In the test case, neon provides callbacks via both
 
a) gnutls_certificate_client_set_retrieve_function and
b) gnutls_sign_callback_set 

The callback for (a) finds a keypair via a configured PKCS#11 provider, 
and sets up st->cert.x509 et al as normal; st->key.x509 is set to NULL, 
since the callback for (b) is used to delegate the signing operation via 
PKCS#11.

GnuTLS now fails if st->key.x509 is NULL; if I avoid that code path as 
below, it works again.  Is this not the correct way to be using the 
interface?  There is nothing much else that could be returned in 
key.x509 for this case, AFAICS.

diff -up ./lib/auth_cert.c.unbreak ./lib/auth_cert.c
--- ./lib/auth_cert.c.unbreak   2008-03-10 15:02:35.000000000 +0000
+++ ./lib/auth_cert.c   2008-03-28 21:31:57.000000000 +0000
@@ -456,7 +456,7 @@ call_get_cert_callback (gnutls_session_t
   if (type == GNUTLS_CRT_X509)
     {
       local_certs = alloc_and_load_x509_certs (st.cert.x509, st.ncerts);
-      if (local_certs != NULL) 
+      if (local_certs != NULL && st.key.x509 != NULL) 
         {
          local_key = alloc_and_load_x509_key (st.key.x509);
          if (local_key == NULL)
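
Review bot: the added `st.key.x509 != NULL` test on the `if (local_certs != NULL ...)` line makes a missing key silently acceptable for every caller of the retrieve callback, whether or not a sign callback was registered with gnutls_sign_callback_set. Consider accepting a NULL key only when a sign callback is set on the session and returning an error otherwise, so that an application that simply forgot to supply the key fails here rather than later. When the branch is skipped, local_key keeps whatever value it had before the `if`, so confirm that it is initialised to NULL and that the code after this block tolerates a NULL local_key together with non-NULL local_certs. A comment or documentation note stating that key.x509 may be NULL when signing is delegated would also help.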
