[gnutls-devel] [PATCH 1/3] Return an error if multiple PKCS11 URLs are added to a trust list
Armin Burgmeier
armin at arbur.net
Mon Oct 6 23:22:28 CEST 2014
Before, the new URL would overwrite the old URL, and the memory of theold URL
would be leaked. It is documented that only one URL can be used, so it should
be safe to reject any attempt to add another one.
Signed-off-by: Armin Burgmeier <armin at arbur.net>
---
lib/x509/verify-high2.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/lib/x509/verify-high2.c b/lib/x509/verify-high2.c
index 776a854..e6dd884 100644
--- a/lib/x509/verify-high2.c
+++ b/lib/x509/verify-high2.c
@@ -258,6 +258,8 @@ gnutls_x509_trust_list_add_trust_file(gnutls_x509_trust_list_t list,
if (strncmp(ca_file, "pkcs11:", 7) == 0) {
unsigned pcrt_list_size = 0;
+ if (list->pkcs11_token != NULL)
+ return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
list->pkcs11_token = gnutls_strdup(ca_file);
/* enumerate the certificates */
--
2.1.1
More information about the Gnutls-devel
mailing list