Bug#744214: openconnect: PKCS#11 support broken with GnuTLS 2.12.x

Thomas Uhle thomas.uhle at mailbox.tu-dresden.de
Fri Apr 11 06:05:08 PDT 2014


Package: libopenconnect2
Version: 5.03-1
Severity: important
Tags: patch upstream
X-Debbugs-CC: openconnect-devel at lists.infradead.org

The changes in gnutls.c from v5.01 to v5.02 concerning "support of CA 
certificates from PKCS#11 tokens (with GnuTLS 3.2.7+)" break functionality 
in openconnect, at least if compiled with GnuTLS 2.12.x. Therefore, it also 
affects libopenconnect2 (= 5.02-1) in Ubuntu 14.04 LTS.

I have tried to investigate this issue with GDB and have got as far as 
gnutls.c:1517, where err is not the return value of any call to 
gnutls_pkcs11_get_raw_issuer() or gnutls_x509_crt_import() within the 
code guarded by
#if defined(HAVE_P11KIT) && defined(HAVE_GNUTLS_PKCS11_GET_RAW_ISSUER)
if compiled with GnuTLS 2.12.x as in Debian and Ubuntu Linux. 
So I thought of shifting lines 1517-1518, "if (err) break;", upwards to 
their original position, but then it crashes in gnutls.c:1522 when invoking 
the function gnutls_x509_crt_check_issuer(). Finally, I gave up and, 
although I know this is far from being smart, I reverted all changes in 
gnutls.c to v5.01, which works perfectly for me. The patch for reverting 
the changes in gnutls.c is attached.

Could you please find a smarter fix or at least apply the given patch 
temporarily?

Thank you in advance!


Thomas Uhle
-------------- next part --------------
A non-text attachment was scrubbed...
Name: gnutls.diff
Type: text/x-patch
Size: 10279 bytes
Desc: 
URL: <http://lists.infradead.org/pipermail/openconnect-devel/attachments/20140411/679fad00/attachment.bin>
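As an added illustration, not the reporter's patch and not openconnect's or GnuTLS's code, the following hypothetical C model of the loop shape the report describes shows the defensive form: err is given an explicit value on every iteration and the issuer pointer is tested before the issuer check, so a build without the raw-issuer lookup (the report's guarded block) or a lookup miss produces an error return rather than a stale err or a crash in the issuer check. The HAVE_GET_RAW_ISSUER macro, the cert store, find_cert(), build_chain() and chain_len_for() are all constructed here.

```c
#include <stddef.h>
#include <string.h>
/* Hypothetical model (not openconnect's or GnuTLS's code) of the chain walk the report
 * describes: look up each cert's issuer, check it, append it, stop at a self-signed root.
 * The lookup sits behind a build-time guard like the report's HAVE_GNUTLS_PKCS11_GET_RAW_ISSUER. */
#define HAVE_GET_RAW_ISSUER 1   /* remove to model a build without the lookup */
#define MAX_CHAIN 8
#define ERR_NO_ISSUER  (-1)     /* constructed error codes */
#define ERR_BAD_ISSUER (-2)
struct cert { const char *subject; const char *issuer; };
/* Constructed store: leaf -> intermediate -> root, plus a cert whose issuer is absent. */
static const struct cert store[] = {
    { "leaf", "intermediate" }, { "intermediate", "root" }, { "root", "root" }, { "orphan", "missing" },
};
static const struct cert *find_cert(const char *subject)
{
    for (size_t i = 0; i < sizeof store / sizeof store[0]; i++)
        if (strcmp(store[i].subject, subject) == 0) return &store[i];
    return NULL;
}
/* err is reset on every iteration and the issuer pointer is tested before use, so a build
 * without the lookup, or a lookup miss, returns an error instead of acting on a stale err
 * or dereferencing NULL. Returns the chain length (> 0) or an error code. */
int build_chain(const struct cert *leaf, const struct cert **chain)
{
    const struct cert *cur = leaf;
    size_t n = 0;
    chain[n++] = cur;
    while (strcmp(cur->subject, cur->issuer) != 0 && n < MAX_CHAIN) {
        const struct cert *issuer = NULL;
        int err = ERR_NO_ISSUER;           /* explicit default for this step */
#ifdef HAVE_GET_RAW_ISSUER
        issuer = find_cert(cur->issuer);   /* stand-in for the raw-issuer lookup */
        err = issuer ? 0 : ERR_NO_ISSUER;
#endif
        if (err) return err;
        /* stand-in for gnutls_x509_crt_check_issuer(): the real call must not see a NULL issuer */
        if (strcmp(cur->issuer, issuer->subject) != 0) return ERR_BAD_ISSUER;
        chain[n++] = cur = issuer;
    }
    return (int)n;
}
/* Wrapper: chain length for a subject in the store, or an error code. */
int chain_len_for(const char *subject)
{
    const struct cert *chain[MAX_CHAIN];
    const struct cert *leaf = find_cert(subject);
    return leaf ? build_chain(leaf, chain) : ERR_NO_ISSUER;
}
```

Removing the HAVE_GET_RAW_ISSUER define makes every non-self-signed leaf return ERR_NO_ISSUER instead of reaching the issuer check with a NULL pointer.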

