2.3.x regression in auth_cert.c:call_get_cert_callback

Joe Orton joe at manyfish.co.uk
Fri Mar 28 22:41:41 CET 2008

The test case in the neon test suite for neon's PKCS#11 interface is 
broken with 2.3.4; it works with earlier versions (at least 2.3.0, 
haven't tested the versions in between).

In the test case, neon provides callbacks via both
a) gnutls_certificate_client_set_retrieve_function and
b) gnutls_sign_callback_set 

The callback for (a) finds a keypair via a configured PKCS#11 provider, 
and sets up st->cert.x509 et al as normal; st->key.x509 is set to NULL, 
since the callback for (b) is used to delegate the signing operation via 

GnuTLS now fails if st->key.x509 is NULL; if I avoid that code path as 
below, it works again.  Is this not the correct way to be using the 
interface?  There is nothing much else that could be returned in 
key.x509 for this case, AFAICS.

diff -up ./lib/auth_cert.c.unbreak ./lib/auth_cert.c
--- ./lib/auth_cert.c.unbreak	2008-03-10 15:02:35.000000000 +0000
+++ ./lib/auth_cert.c	2008-03-28 21:31:57.000000000 +0000
@@ -456,7 +456,7 @@ call_get_cert_callback (gnutls_session_t
   if (type == GNUTLS_CRT_X509)
       local_certs = alloc_and_load_x509_certs (st.cert.x509, st.ncerts);
-      if (local_certs != NULL) 
+      if (local_certs != NULL && st.key.x509 != NULL) 
 	  local_key = alloc_and_load_x509_key (st.key.x509);
  	  if (local_key == NULL)
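
Review bot: The new condition on the `if (local_certs != NULL && st.key.x509 != NULL)` line accepts a NULL key unconditionally, whether or not a sign callback has been registered with gnutls_sign_callback_set. A retrieve callback that returns certificates but no key, with no sign callback in place, would now pass this point with local_certs loaded and local_key left unset, so the failure moves to wherever the key is first used. Consider skipping the key load only when a sign callback is set for the session and keeping the error path otherwise. Also confirm that the code following this block copes with local_certs being non-NULL while local_key is NULL, since the lines shown here only handle a failed alloc_and_load_x509_key. A short comment at the condition explaining that a NULL key means signing is delegated to the sign callback would help the next reader.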
