Bug 1155901

Summary: gnutls_certificate_get_issuer() returning zero without actually filling in the certificate pointer
Product: [Fedora] Fedora Reporter: Nikos Mavrogiannopoulos <nmavrogi>
Component: gnutlsAssignee: Nikos Mavrogiannopoulos <nmavrogi>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 21CC: nmavrogi, tmraz
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: gnutls-3.3.9-2.fc21 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-11-01 16:40:33 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Nikos Mavrogiannopoulos 2014-10-23 06:55:58 UTC 
Description of problem:

[by David Woohouse]
In F21 I seem to see gnutls_certificate_get_issuer() returning zero without
actually filling in the certificate pointer that it was given.

So this triggers:

diff --git a/gnutls.c b/gnutls.c
index 346da3c..99a5f11 100644
--- a/gnutls.c
+++ b/gnutls.c
@@ -1467,6 +1467,7 @@ static int load_certificate(struct openconnect_info *vpninfo)
                        free_issuer = 1;
                } else {
                        /* Look for it in the system trust cafile too. */
+                       issuer = (void *)0xdeadbeef;
                        err = gnutls_certificate_get_issuer(vpninfo->https_cred,
                                                            last_cert, &issuer, 0);
                        /* The check_issuer_sanity() function works fine as a workaround where
@@ -1474,7 +1475,13 @@ static int load_certificate(struct openconnect_info *vpninfo)
                           a bogus cert, there's nothing we can do to fix it up. We don't get
                           to iterate over all the available certs like we can over our own
                           list. */
-                       if (!err && check_issuer_sanity(last_cert, issuer)) {
+                       if (!err && issuer == (void *)0xdeadbeef) {
+                               /* WTF */
+                               vpn_progress(vpninfo, PRG_ERR,
+                                            _("WARNING: GnuTLS broke. wtf?\n"));
+                               break;
+                       }
+                       if (!err && issuer && check_issuer_sanity(last_cert, issuer)) {
                                vpn_progress(vpninfo, PRG_ERR,
                                             _("WARNING: GnuTLS returned incorrect issuer certs; authentication may fail!\n"));
                                break;
Comment 1 Fedora Update System 2014-10-23 07:25:59 UTC 
gnutls-3.3.9-2.fc21 has been submitted as an update for Fedora 21.
https://admin.fedoraproject.org/updates/gnutls-3.3.9-2.fc21
Comment 2 Fedora Update System 2014-10-23 16:21:48 UTC 
Package gnutls-3.3.9-2.fc21:
* should fix your issue,
* was pushed to the Fedora 21 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing gnutls-3.3.9-2.fc21'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2014-13540/gnutls-3.3.9-2.fc21
then log in and leave karma (feedback).
Comment 3 Fedora Update System 2014-11-01 16:40:33 UTC 
gnutls-3.3.9-2.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.