开源软件构建与测试

We truncated the diff of some files because they were too big. If you want to see the full diff for every file, click here.

Difference Between Revision 1 and Mega:24.03 / gnutls

_service:tar_scm:gnutls.spec Changed

@@ -1,6 +1,6 @@
 Name: gnutls
 Version: 3.8.2
-Release: 4
+Release: 1
 Summary: The GNU Secure Communication Protocol Library
 
 License: LGPLv2.1+ and GPLv3+
@@ -11,8 +11,6 @@
 Patch0: fix-ipv6-handshake-failed.patch
 Patch1: backport-CVE-2024-0553-rsa-psk-minimize-branching-after-decryption.patch
 Patch2: backport-CVE-2024-0567-x509-detect-loop-in-certificate-chain.patch
-Patch3: backport-fix-CVE-2024-28834-nettle-avoid-normalization-of-mpz_t-in-deterministic.patch
-Patch4: backport-fix-CVE-2024-28835-gnutls_x509_trust_list_verify_crt2-remove-length-lim.patch 
 
 %bcond_without dane
 %bcond_with guile
@@ -38,8 +36,12 @@
 Recommends: trousers >= 0.3.11.2
 
 Provides: bundled(gnulib) = 20130424
+Provides: gnutls-utils = %{version}-%{release}
 Provides: gnutls-c++ = %{version}-%{release}
-Obsoletes: gnutls-c++ < %{version}-%{release}
+Provides: gnutls-dane = %{version}-%{release}
+Obsoletes: gnutls-utils < %{version}-%{release} 
+Obsoletes: gnutls-c++ < %{version}-%{release} 
+Obsoletes: gnutls-dane < %{version}-%{release}
 
 %description
 GnuTLS is a secure communications library implementing the SSL, TLS and DTLS
@@ -55,47 +57,11 @@
 %package devel
 Summary: Development files for %{name}
 Requires: %{name}%{?_isa} = %{version}-%{release}
-%if %{with dane}
-Requires: %{name}-dane%{?_isa} = %{version}-%{release}
-%endif
 Requires: pkgconf
 
 %description devel
 This package contains files needed for developing applications with %{name}.
 
-%package utils
-License: GPL-3.0-or-later
-Summary: Command line tools for TLS protocol
-Requires: %{name}%{?_isa} = %{version}-%{release}
-%if %{with dane}
-Requires: %{name}-dane%{?_isa} = %{version}-%{release}
-%endif
-
-%description utils
-GnuTLS is a secure communications library implementing the SSL, TLS and DTLS
-protocols and technologies around them. It provides a simple C language
-application programming interface (API) to access the secure communications
-protocols as well as APIs to parse and write X.509, PKCS #12, OpenPGP and
-other required structures.
-This package contains command line TLS client and server and certificate
-manipulation tools.
-
-%if %{with dane}
-%package dane
-Summary: A DANE protocol implementation for GnuTLS
-Requires: %{name}%{?_isa} = %{version}-%{release}
-
-%description dane
-GnuTLS is a secure communications library implementing the SSL, TLS and DTLS
-protocols and technologies around them. It provides a simple C language
-application programming interface (API) to access the secure communications
-protocols as well as APIs to parse and write X.509, PKCS #12, OpenPGP and
-other required structures.
-This package contains library that implements the DANE protocol for verifying
-TLS certificates through DNSSEC.
-
-%endif
-
 %package_help
 
 %if %{with guile}
@@ -123,10 +89,8 @@
 # via the crypto policies
 
 %build
-%if "%toolchain" != "clang"
 CCASFLAGS="$CCASFLAGS -Wa,--generate-missing-build-notes=yes"
 export CCASFLAGS
-%endif
 
 # These should be checked by m4/guile.m4 instead of configure.ac
 # taking into account of _guile_suffix
@@ -194,30 +158,21 @@
 %defattr(-,root,root)
 %doc README.md AUTHORS
 %license LICENSE doc/COPYING doc/COPYING.LESSER
-%{_libdir}/libgnutls.so.30*
-%{_libdir}/libgnutlsxx.so.*
-%if %{with fips}
-%{_libdir}/.libgnutls.so.*.hmac
-%endif
-
-%files utils
 %{_bindir}/certtool
 %{_bindir}/tpmtool
 %{_bindir}/ocsptool
 %{_bindir}/psktool
 %{_bindir}/p11tool
-%if %{with dane}
-%{_bindir}/danetool
-%endif
 %{_bindir}/gnutls*
-%{_mandir}/man1/*
-%doc doc/certtool.cfg
-
 %if %{with dane}
-%files dane
+%{_bindir}/danetool
 %{_libdir}/libgnutls-dane.so.*
 %endif
-
+%{_libdir}/libgnutls.so.30*
+%{_libdir}/libgnutlsxx.so.*
+%if %{with fips}
+%{_libdir}/.libgnutls.so.*.hmac
+%endif
 
 %files devel
 %defattr(-,root,root)
@@ -245,15 +200,6 @@
 %endif
 
 %changelog
-* Fri Mar 22 2024 wangyaoyong <yaoyong.oerv@isrc.iscas.ac.cn> - 3.8.2-4
-- support change CC to compile with clang
-
-* Fri Mar 22 2024 xuraoqing <xuraoqing@huawei.com> - 3.8.2-3
-- fix CVE-2024-28834 and CVE-2024-28835
-
-* Wed Feb 28 2024 duyiwei <duyiwei@kylinos.cn> - 3.8.2-2
-- detach the sub package gnutls-utils and gnutls-dane from gnutls
-
 * Mon Jan 29 2024 xuraoqing <xuraoqing@huawei.com> - 3.8.2-1
 - update to 3.8.2
 - some API and ABI modifications, see NEWS for details

_service:tar_scm:backport-fix-CVE-2024-28834-nettle-avoid-normalization-of-mpz_t-in-deterministic.patch Deleted

@@ -1,422 +0,0 @@
-From 1c4701ffc342259fc5965d5a0de90d87f780e3e5 Mon Sep 17 00:00:00 2001
-From: Daiki Ueno <ueno@gnu.org>
-Date: Fri, 12 Jan 2024 17:56:58 +0900
-Subject: PATCH nettle: avoid normalization of mpz_t in deterministic ECDSA
-
-This removes function calls that potentially leak bit-length of a
-private key used to calculate a nonce in deterministic ECDSA.  Namely:
-
-- _gnutls_dsa_compute_k has been rewritten to work on always
-  zero-padded mp_limb_t arrays instead of mpz_t
-- rnd_mpz_func has been replaced with rnd_datum_func, which is backed
-  by a byte array instead of an mpz_t value
-
-Signed-off-by: Daiki Ueno <ueno@gnu.org>
-
-Reference: https://gitlab.com/gnutls/gnutls/-/commit/1c4701ffc342259fc5965d5a0de90d87f780e3e5
-Conflict: NA
-
----
- lib/nettle/int/dsa-compute-k.c    | 70 +++++++++++++++++++++----------
- lib/nettle/int/dsa-compute-k.h    | 23 +++++++++-
- lib/nettle/int/ecdsa-compute-k.c  | 28 +++----------
- lib/nettle/int/ecdsa-compute-k.h  |  4 +-
- lib/nettle/pk.c                   | 65 +++++++++++++++++++++-------
- tests/sign-verify-deterministic.c |  2 +-
- 6 files changed, 127 insertions(+), 65 deletions(-)
-
-diff --git a/lib/nettle/int/dsa-compute-k.c b/lib/nettle/int/dsa-compute-k.c
-index 8ff5739c2..2fcb2bb80 100644
---- a/lib/nettle/int/dsa-compute-k.c
-+++ b/lib/nettle/int/dsa-compute-k.c
-@@ -31,19 +31,30 @@
- #include "mpn-base256.h"
- #include <string.h>
- 
--#define BITS_TO_LIMBS(bits) (((bits) + GMP_NUMB_BITS - 1) / GMP_NUMB_BITS)
-+/* For mini-gmp */
-+#ifndef GMP_LIMB_BITS
-+#define GMP_LIMB_BITS GMP_NUMB_BITS
-+#endif
- 
--/* The maximum size of q, chosen from the fact that we support
-- * 521-bit elliptic curve generator and 512-bit DSA subgroup at
-- * maximum. */
--#define MAX_Q_BITS 521
--#define MAX_Q_SIZE ((MAX_Q_BITS + 7) / 8)
--#define MAX_Q_LIMBS BITS_TO_LIMBS(MAX_Q_BITS)
-+static inline int is_zero_limb(mp_limb_t x)
-+{
-+	x |= (x << 1);
-+	return ((x >> 1) - 1) >> (GMP_LIMB_BITS - 1);
-+}
-+
-+static int sec_zero_p(const mp_limb_t *ap, mp_size_t n)
-+{
-+	volatile mp_limb_t w;
-+	mp_size_t i;
- 
--#define MAX_HASH_BITS (MAX_HASH_SIZE * 8)
--#define MAX_HASH_LIMBS BITS_TO_LIMBS(MAX_HASH_BITS)
-+	for (i = 0, w = 0; i < n; i++)
-+		w |= api;
- 
--int _gnutls_dsa_compute_k(mpz_t k, const mpz_t q, const mpz_t x,
-+	return is_zero_limb(w);
-+}
-+
-+int _gnutls_dsa_compute_k(mp_limb_t *h, const mp_limb_t *q, const mp_limb_t *x,
-+			  mp_size_t qn, mp_bitcnt_t q_bits,
- 			  gnutls_mac_algorithm_t mac, const uint8_t *digest,
- 			  size_t length)
- {
-@@ -51,9 +62,6 @@ int _gnutls_dsa_compute_k(mpz_t k, const mpz_t q, const mpz_t x,
- 	uint8_t KMAX_HASH_SIZE;
- 	uint8_t xpMAX_Q_SIZE;
- 	uint8_t tpMAX_Q_SIZE;
--	mp_limb_t hMAX(MAX_Q_LIMBS, MAX_HASH_LIMBS);
--	mp_bitcnt_t q_bits = mpz_sizeinbase(q, 2);
--	mp_size_t qn = mpz_size(q);
- 	mp_bitcnt_t h_bits = length * 8;
- 	mp_size_t hn = BITS_TO_LIMBS(h_bits);
- 	size_t nbytes = (q_bits + 7) / 8;
-@@ -62,6 +70,7 @@ int _gnutls_dsa_compute_k(mpz_t k, const mpz_t q, const mpz_t x,
- 	mp_limb_t cy;
- 	gnutls_hmac_hd_t hd;
- 	int ret = 0;
-+	mp_limb_t scratchMAX_Q_LIMBS;
- 
- 	if (unlikely(q_bits > MAX_Q_BITS))
- 		return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
-@@ -69,7 +78,7 @@ int _gnutls_dsa_compute_k(mpz_t k, const mpz_t q, const mpz_t x,
- 		return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
- 
- 	/* int2octets(x) */
--	mpn_get_base256(xp, nbytes, mpz_limbs_read(x), qn);
-+	mpn_get_base256(xp, nbytes, x, qn);
- 
- 	/* bits2octets(h) */
- 	mpn_set_base256(h, hn, digest, length);
-@@ -93,12 +102,12 @@ int _gnutls_dsa_compute_k(mpz_t k, const mpz_t q, const mpz_t x,
- 			mpn_rshift(h, h, hn, shift % GMP_NUMB_BITS);
- 	}
- 
--	cy = mpn_sub_n(h, h, mpz_limbs_read(q), qn);
-+	cy = mpn_sub_n(h, h, q, qn);
- 	/* Fall back to addmul_1, if nettle is linked with mini-gmp. */
- #ifdef mpn_cnd_add_n
--	mpn_cnd_add_n(cy, h, h, mpz_limbs_read(q), qn);
-+	mpn_cnd_add_n(cy, h, h, q, qn);
- #else
--	mpn_addmul_1(h, mpz_limbs_read(q), qn, cy != 0);
-+	mpn_addmul_1(h, q, qn, cy != 0);
- #endif
- 	mpn_get_base256(tp, nbytes, h, qn);
- 
-@@ -174,12 +183,8 @@ int _gnutls_dsa_compute_k(mpz_t k, const mpz_t q, const mpz_t x,
- 		if (tlen * 8 > q_bits)
- 			mpn_rshift(h, h, qn, tlen * 8 - q_bits);
- 		/* Check if k is in 1,q-1 */
--		if (!mpn_zero_p(h, qn) &&
--		    mpn_cmp(h, mpz_limbs_read(q), qn) < 0) {
--			mpn_copyi(mpz_limbs_write(k, qn), h, qn);
--			mpz_limbs_finish(k, qn);
-+		if (!sec_zero_p(h, qn) && mpn_sub_n(scratch, h, q, qn))
- 			break;
--		}
- 
- 		ret = gnutls_hmac_init(&hd, mac, K, length);
- 		if (ret < 0)
-@@ -203,3 +208,24 @@ out:
- 
- 	return ret;
- }
-+
-+/* cancel-out dsa_sign's addition of 1 to random data */
-+void _gnutls_dsa_compute_k_finish(uint8_t *k, size_t nbytes, mp_limb_t *h,
-+				  mp_size_t n)
-+{
-+	/* Fall back to sub_1, if nettle is linked with mini-gmp. */
-+#ifdef mpn_sec_sub_1
-+	mp_limb_t tMAX_Q_LIMBS;
-+
-+	mpn_sec_sub_1(h, h, n, 1, t);
-+#else
-+	mpn_sub_1(h, h, n, 1);
-+#endif
-+	mpn_get_base256(k, nbytes, h, n);
-+}
-+
-+void _gnutls_ecdsa_compute_k_finish(uint8_t *k, size_t nbytes, mp_limb_t *h,
-+				    mp_size_t n)
-+{
-+	mpn_get_base256(k, nbytes, h, n);
-+}
-diff --git a/lib/nettle/int/dsa-compute-k.h b/lib/nettle/int/dsa-compute-k.h
-index 49d243acb..2f0667a01 100644
---- a/lib/nettle/int/dsa-compute-k.h
-+++ b/lib/nettle/int/dsa-compute-k.h
-@@ -26,8 +26,29 @@
- #include <gnutls/gnutls.h>
- #include <nettle/bignum.h> /* includes gmp.h */
- 
--int _gnutls_dsa_compute_k(mpz_t k, const mpz_t q, const mpz_t x,
-+#define BITS_TO_LIMBS(bits) (((bits) + GMP_NUMB_BITS - 1) / GMP_NUMB_BITS)
-+
-+/* The maximum size of q, chosen from the fact that we support
-+ * 521-bit elliptic curve generator and 512-bit DSA subgroup at
-+ * maximum. */
-+#define MAX_Q_BITS 521
-+#define MAX_Q_SIZE ((MAX_Q_BITS + 7) / 8)
-+#define MAX_Q_LIMBS BITS_TO_LIMBS(MAX_Q_BITS)
-+
-+#define MAX_HASH_BITS (MAX_HASH_SIZE * 8)
-+#define MAX_HASH_LIMBS BITS_TO_LIMBS(MAX_HASH_BITS)
-+
-+#define DSA_COMPUTE_K_ITCH MAX(MAX_Q_LIMBS, MAX_HASH_LIMBS)
-+
-+int _gnutls_dsa_compute_k(mp_limb_t *h, const mp_limb_t *q, const mp_limb_t *x,
-+			  mp_size_t qn, mp_bitcnt_t q_bits,
- 			  gnutls_mac_algorithm_t mac, const uint8_t *digest,
- 			  size_t length);
- 
-+void _gnutls_dsa_compute_k_finish(uint8_t *k, size_t nbytes, mp_limb_t *h,
-+				  mp_size_t n);
-+
-+void _gnutls_ecdsa_compute_k_finish(uint8_t *k, size_t nbytes, mp_limb_t *h,
-+				    mp_size_t n);
-+
- #endif /* GNUTLS_LIB_NETTLE_INT_DSA_COMPUTE_K_H */
-diff --git a/lib/nettle/int/ecdsa-compute-k.c b/lib/nettle/int/ecdsa-compute-k.c
-index 3b7f88616..4e25235c4 100644
---- a/lib/nettle/int/ecdsa-compute-k.c
-+++ b/lib/nettle/int/ecdsa-compute-k.c
-@@ -29,38 +29,38 @@
- #include "dsa-compute-k.h"
- #include "gnutls_int.h"
- 
--static inline int _gnutls_ecc_curve_to_dsa_q(mpz_t *q, gnutls_ecc_curve_t curve)
-+int _gnutls_ecc_curve_to_dsa_q(mpz_t q, gnutls_ecc_curve_t curve)

_service:tar_scm:backport-fix-CVE-2024-28835-gnutls_x509_trust_list_verify_crt2-remove-length-lim.patch Deleted

@@ -1,414 +0,0 @@
-From e369e67a62f44561d417cb233acc566cc696d82d Mon Sep 17 00:00:00 2001
-From: Daiki Ueno <ueno@gnu.org>
-Date: Mon, 29 Jan 2024 13:52:46 +0900
-Subject: PATCH gnutls_x509_trust_list_verify_crt2: remove length limit of
- input
-
-Previously, if cert_list_size exceeded DEFAULT_MAX_VERIFY_DEPTH, the
-chain verification logic crashed with assertion failure.  This patch
-removes the restriction while keeping the maximum number of
-retrieved certificates being DEFAULT_MAX_VERIFY_DEPTH.
-
-Signed-off-by: Daiki Ueno <ueno@gnu.org>
-
-Reference: https://gitlab.com/gnutls/gnutls/-/commit/e369e67a62f44561d417cb233acc566cc696d82d
-Conflict: NA
-
----
- lib/gnutls_int.h       |   5 +-
- lib/x509/common.c      |  10 +-
- lib/x509/verify-high.c |  51 ++++++----
- tests/test-chains.h    | 211 ++++++++++++++++++++++++++++++++++++++++-
- 4 files changed, 258 insertions(+), 19 deletions(-)
-
-diff --git a/lib/gnutls_int.h b/lib/gnutls_int.h
-index d8561ebe3..8cf9a8715 100644
---- a/lib/gnutls_int.h
-+++ b/lib/gnutls_int.h
-@@ -232,7 +232,10 @@ typedef enum record_send_state_t {
- 
- #define MAX_PK_PARAM_SIZE 2048
- 
--/* defaults for verification functions
-+/* Defaults for verification functions.
-+ *
-+ * update many_icas in tests/test-chains.h when increasing
-+ * DEFAULT_MAX_VERIFY_DEPTH.
-  */
- #define DEFAULT_MAX_VERIFY_DEPTH 16
- #define DEFAULT_MAX_VERIFY_BITS (MAX_PK_PARAM_SIZE * 8)
-diff --git a/lib/x509/common.c b/lib/x509/common.c
-index 2cc83c915..705aa868b 100644
---- a/lib/x509/common.c
-+++ b/lib/x509/common.c
-@@ -1725,7 +1725,15 @@ unsigned int _gnutls_sort_clist(gnutls_x509_crt_t *clist,
- 	bool insortedDEFAULT_MAX_VERIFY_DEPTH; /* non zero if clisti used in sorted list */
- 	gnutls_x509_crt_t sortedDEFAULT_MAX_VERIFY_DEPTH;
- 
--	assert(clist_size <= DEFAULT_MAX_VERIFY_DEPTH);
-+	/* Limit the number of certificates in the chain, to avoid DoS
-+	 * because of the O(n^2) sorting below.  FIXME: Switch to a
-+	 * topological sort algorithm which should be linear to the
-+	 * number of certificates and subject-issuer relationships.
-+	 */
-+	if (clist_size > DEFAULT_MAX_VERIFY_DEPTH) {
-+		_gnutls_debug_log("too many certificates; skipping sorting\n");
-+		return 1;
-+	}
- 
- 	for (i = 0; i < DEFAULT_MAX_VERIFY_DEPTH; i++) {
- 		issueri = -1;
-diff --git a/lib/x509/verify-high.c b/lib/x509/verify-high.c
-index 4e7361eb6..aacc24a7d 100644
---- a/lib/x509/verify-high.c
-+++ b/lib/x509/verify-high.c
-@@ -25,7 +25,7 @@
- #include "errors.h"
- #include <libtasn1.h>
- #include "global.h"
--#include "num.h" /* MAX */
-+#include "num.h" /* MIN */
- #include "tls-sig.h"
- #include "str.h"
- #include "datum.h"
-@@ -1361,7 +1361,8 @@ int gnutls_x509_trust_list_verify_crt2(
- 	int ret = 0;
- 	unsigned int i;
- 	size_t hash;
--	gnutls_x509_crt_t sortedDEFAULT_MAX_VERIFY_DEPTH;
-+	gnutls_x509_crt_t *cert_list_copy = NULL;
-+	unsigned int cert_list_max_size = 0;
- 	gnutls_x509_crt_t retrievedDEFAULT_MAX_VERIFY_DEPTH;
- 	unsigned int retrieved_size = 0;
- 	const char *hostname = NULL, *purpose = NULL, *email = NULL;
-@@ -1421,16 +1422,28 @@ int gnutls_x509_trust_list_verify_crt2(
- 		}
- 	}
- 
--	memcpy(sorted, cert_list, cert_list_size * sizeof(gnutls_x509_crt_t));
--	cert_list = sorted;
-+	/* Allocate extra for retrieved certificates. */
-+	if (!INT_ADD_OK(cert_list_size, DEFAULT_MAX_VERIFY_DEPTH,
-+			&cert_list_max_size))
-+		return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST);
-+
-+	cert_list_copy = _gnutls_reallocarray(NULL, cert_list_max_size,
-+					      sizeof(gnutls_x509_crt_t));
-+	if (!cert_list_copy)
-+		return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
-+
-+	memcpy(cert_list_copy, cert_list,
-+	       cert_list_size * sizeof(gnutls_x509_crt_t));
-+	cert_list = cert_list_copy;
- 
- 	records = gl_list_nx_create_empty(GL_LINKEDHASH_LIST, cert_eq,
- 					  cert_hashcode, NULL, false);
--	if (records == NULL)
--		return gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
-+	if (records == NULL) {
-+		ret = gnutls_assert_val(GNUTLS_E_MEMORY_ERROR);
-+		goto cleanup;
-+	}
- 
--	for (i = 0; i < cert_list_size &&
--		    cert_list_size <= DEFAULT_MAX_VERIFY_DEPTH;) {
-+	for (i = 0; i < cert_list_size;) {
- 		unsigned int sorted_size = 1;
- 		unsigned int j, k;
- 		gnutls_x509_crt_t issuer;
-@@ -1442,8 +1455,7 @@ int gnutls_x509_trust_list_verify_crt2(
- 
- 		assert(sorted_size > 0);
- 
--		/* Remove duplicates. Start with index 1, as the first element
--		 * may be re-checked after issuer retrieval. */
-+		/* Remove duplicates. */
- 		for (j = 0; j < sorted_size; j++) {
- 			if (gl_list_search(records, cert_listi + j)) {
- 				if (i + j < cert_list_size - 1) {
-@@ -1495,13 +1507,15 @@ int gnutls_x509_trust_list_verify_crt2(
- 
- 		ret = retrieve_issuers(
- 			list, cert_listi - 1, &retrievedretrieved_size,
--			DEFAULT_MAX_VERIFY_DEPTH -
--				MAX(retrieved_size, cert_list_size));
-+			MIN(DEFAULT_MAX_VERIFY_DEPTH - retrieved_size,
-+			    cert_list_max_size - cert_list_size));
- 		if (ret < 0) {
- 			break;
- 		} else if (ret > 0) {
- 			assert((unsigned int)ret <=
--			       DEFAULT_MAX_VERIFY_DEPTH - cert_list_size);
-+			       DEFAULT_MAX_VERIFY_DEPTH - retrieved_size);
-+			assert((unsigned int)ret <=
-+			       cert_list_max_size - cert_list_size);
- 			memmove(&cert_listi + ret, &cert_listi,
- 				(cert_list_size - i) *
- 					sizeof(gnutls_x509_crt_t));
-@@ -1517,8 +1531,10 @@ int gnutls_x509_trust_list_verify_crt2(
- 	}
- 
- 	cert_list_size = shorten_clist(list, cert_list, cert_list_size);
--	if (cert_list_size <= 0)
--		return gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
-+	if (cert_list_size <= 0) {
-+		ret = gnutls_assert_val(GNUTLS_E_INTERNAL_ERROR);
-+		goto cleanup;
-+	}
- 
- 	hash = hash_pjw_bare(cert_listcert_list_size - 1->raw_issuer_dn.data,
- 			     cert_listcert_list_size - 1->raw_issuer_dn.size);
-@@ -1661,10 +1677,13 @@ int gnutls_x509_trust_list_verify_crt2(
- 	}
- 
- cleanup:
-+	gnutls_free(cert_list_copy);
- 	for (i = 0; i < retrieved_size; i++) {
- 		gnutls_x509_crt_deinit(retrievedi);
- 	}
--	gl_list_free(records);
-+	if (records) {
-+		gl_list_free(records);
-+	}
- 	return ret;
- }
- 
-diff --git a/tests/test-chains.h b/tests/test-chains.h
-index 3e559fecd..a7fe1cdec 100644
---- a/tests/test-chains.h
-+++ b/tests/test-chains.h
-@@ -23,7 +23,7 @@
- #ifndef GNUTLS_TESTS_TEST_CHAINS_H
- #define GNUTLS_TESTS_TEST_CHAINS_H
- 
--#define MAX_CHAIN 10
-+#define MAX_CHAIN 17
- 
- static const char *chain_with_no_subject_id_in_ca_ok = {
- 	"-----BEGIN CERTIFICATE-----\n"
-@@ -4383,6 +4383,213 @@ static const char *cross_signed_ca = {
- 	NULL
- };
- 
-+/* This assumes DEFAULT_MAX_VERIFY_DEPTH to be 16 */
-+static const char *many_icas = {
-+	/* Server */
-+	"-----BEGIN CERTIFICATE-----\n"
-+	"MIIBqzCCAV2gAwIBAgIUIK3+SD3GmqJlRLZ/ESyhTzkSDL8wBQYDK2VwMB0xGzAZ\n"
-+	"BgNVBAMMEkdudVRMUyB0ZXN0IElDQSAkaTAgFw0yNDAzMTIyMjUzMzlaGA85OTk5\n"
-+	"MTIzMTIzNTk1OVowNzEbMBkGA1UEChMSR251VExTIHRlc3Qgc2VydmVyMRgwFgYD\n"