On Fri, 11 Apr 2014, David Woodhouse wrote:

Thanks for the bug report. Please could you describe the exact failure
mode? Can you provide output with '-v' both before and after the
offending change?

[...]

Please could you confirm that building that version from git is failing,
and building the previous version from before that patch is working? I'd
like to be sure it isn't one of the other changes in gnutls.c between
v5.01 and v5.02.

Thank you for the immediate response! So, to cut a long story short: I have spent some more time on debugging the code changes in gnutls.c, and you were right. Both versions from git are failing. The bug was hiding in the code you had changed before. Eventually, the bug was found in the function assign_privkey() (line 510), please see the attached patch.

Regards,


Thomas Uhle
--- openconnect-5.03/gnutls.c~	2014-02-03 14:11:19 +0100
+++ openconnect-5.03/gnutls.c	2014-04-12 18:14:56 +0200
@@ -501,14 +501,12 @@ static int assign_privkey(struct opencon
 			  unsigned int nr_certs,
 			  uint8_t *free_certs)
 {
-	int i;
-
 	vpninfo->my_certs = gnutls_calloc(nr_certs, sizeof(*certs));
 	if (!vpninfo->my_certs)
 		return GNUTLS_E_MEMORY_ERROR;
 
 	vpninfo->free_my_certs = gnutls_malloc(nr_certs);
-	if (vpninfo->free_my_certs) {
+	if (!vpninfo->free_my_certs) {
 		gnutls_free(vpninfo->my_certs);
 		vpninfo->my_certs = NULL;
 		return GNUTLS_E_MEMORY_ERROR;
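Review bot: Both allocation-failure returns in assign_privkey (after `gnutls_calloc` and after the corrected `gnutls_malloc` check) hand back GNUTLS_E_MEMORY_ERROR without logging anything, while the load_certificate hunks in this same patch make every allocation failure call vpn_progress. Unless the caller already reports the GnuTLS error code, which is not visible here, consider adding `vpn_progress(vpninfo, PRG_ERR, _("Failed to allocate memory for certificate\n"));` before each return so that a failed client-certificate setup can be diagnosed from the log. The function body continues past the end of this hunk.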
@@ -1004,6 +1002,8 @@ static int load_certificate(struct openc
 				cert = supporting_certs[0];
 				free_supporting_certs = gnutls_malloc(nr_supporting_certs);
 				if (!free_supporting_certs) {
+					vpn_progress(vpninfo, PRG_ERR,
+						     _("Failed to allocate memory for supporting certificates\n"));
 					ret = -ENOMEM;
 					goto out;
 				}
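Review bot: The message added here is the same literal that the two later `gnutls_malloc` checks in load_certificate now use, so a log line cannot tell which of the three allocations failed. This site and the `gnutls_malloc(1)` site allocate `free_supporting_certs`, which looks like a per-certificate flag array rather than the certificates themselves. If the distinction matters for bug reports, give those two sites their own wording, for example `_("Failed to allocate memory for supporting certificate flags\n")`. The enclosing function starts and ends outside the hunk.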
@@ -1437,7 +1437,7 @@ static int load_certificate(struct openc
 		supporting_certs = gnutls_malloc(sizeof(*supporting_certs));
 		if (!supporting_certs) {
 			vpn_progress(vpninfo, PRG_ERR,
-				     _("Failed to allocate memory for certificate\n"));
+				     _("Failed to allocate memory for supporting certificates\n"));
 			ret = -ENOMEM;
 			goto out;
 		}
@@ -1447,7 +1447,7 @@ static int load_certificate(struct openc
 		free_supporting_certs = gnutls_malloc(1);
 		if (!free_supporting_certs) {
 			vpn_progress(vpninfo, PRG_ERR,
-				     _("Failed to allocate memory for certificate\n"));
+				     _("Failed to allocate memory for supporting certificates\n"));
 			ret = -ENOMEM;
 			goto out;
 		}
@@ -1514,9 +1514,9 @@ static int load_certificate(struct openc
 				gnutls_free(t.data);
 			}
 #endif
+
 			if (err)
 				break;
-
 		}
 
 		if (gnutls_x509_crt_check_issuer(issuer, issuer)) {
