diff --git a/CHANGES b/CHANGES index 43af81859..fba25bbed 100644 --- a/CHANGES +++ b/CHANGES @@ -7,6 +7,10 @@ Changelog Daniel Stenberg (8 Jun 2009) +- Claes Jakobsson provided a patch for libcurl-NSS that fixed a bad refcount + issue with client certs that caused issues like segfaults. + http://curl.haxx.se/mail/lib-2009-05/0316.html + - Triggered by bug report #2798852 and the patch in there, I fixed configure to detect gnutls build options with pkg-config only and not libgnutls-config anymore since GnuTLS has stopped distributing that tool. If an explicit path diff --git a/RELEASE-NOTES b/RELEASE-NOTES index ff8d30029..fa76d9afb 100644 --- a/RELEASE-NOTES +++ b/RELEASE-NOTES @@ -18,7 +18,6 @@ This release includes the following bugfixes: o build fix for Symbian o CURLOPT_USERPWD set to NULL clears auth credentials o libcurl-NSS build fixes - o libcurl-NSS build fix o configure script fixed for VMS o set Content-Length: with POST and PUT failed with NTLM auth o allow building libcurl for VxWorks @@ -26,6 +25,7 @@ This release includes the following bugfixes: o --no-buffer treated correctly o djgpp build fix o configure detection of GnuTLS now based on pkg-config + o libcurl-NSS client cert handling segfaults This release includes the following known bugs: diff --git a/lib/nss.c b/lib/nss.c index 3bfaf7109..a976b71ca 100644 --- a/lib/nss.c +++ b/lib/nss.c @@ -786,7 +786,8 @@ static SECStatus SelectClientCert(void *arg, PRFileDesc *sock, struct CERTCertificateStr **pRetCert, struct SECKEYPrivateKeyStr **pRetKey) { - SECKEYPrivateKey *privKey; + SECKEYPrivateKey *privKey = NULL; + CERTCertificate *cert; struct ssl_connect_data *connssl = (struct ssl_connect_data *) arg; char *nickname = connssl->client_nickname; void *proto_win = NULL; @@ -799,36 +800,32 @@ static SECStatus SelectClientCert(void *arg, PRFileDesc *sock, if(!nickname) return secStatus; - connssl->client_cert = PK11_FindCertFromNickname(nickname, proto_win); - if(connssl->client_cert) { - + cert = PK11_FindCertFromNickname(nickname, proto_win); + if(cert) { if(!strncmp(nickname, "PEM Token", 9)) { CK_SLOT_ID slotID = 1; /* hardcoded for now */ char slotname[SLOTSIZE]; snprintf(slotname, SLOTSIZE, "PEM Token #%ld", slotID); slot = PK11_FindSlotByName(slotname); - privKey = PK11_FindPrivateKeyFromCert(slot, connssl->client_cert, NULL); + privKey = PK11_FindPrivateKeyFromCert(slot, cert, NULL); PK11_FreeSlot(slot); if(privKey) { secStatus = SECSuccess; } } else { - privKey = PK11_FindKeyByAnyCert(connssl->client_cert, proto_win); + privKey = PK11_FindKeyByAnyCert(cert, proto_win); if(privKey) secStatus = SECSuccess; } } - if(secStatus == SECSuccess) { - *pRetCert = connssl->client_cert; - *pRetKey = privKey; - } - else { - if(connssl->client_cert) - CERT_DestroyCertificate(connssl->client_cert); - connssl->client_cert = NULL; - } + *pRetCert = cert; + *pRetKey = privKey; + + /* There's no need to destroy either cert or privKey as + * NSS will do that for us even if returning SECFailure + */ return secStatus; } @@ -912,8 +909,6 @@ void Curl_nss_close(struct connectdata *conn, int sockindex) free(connssl->client_nickname); connssl->client_nickname = NULL; } - if(connssl->client_cert) - CERT_DestroyCertificate(connssl->client_cert); #ifdef HAVE_PK11_CREATEGENERICOBJECT if(connssl->key) (void)PK11_DestroyGenericObject(connssl->key); @@ -957,7 +952,6 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex) if (connssl->state == ssl_connection_complete) return CURLE_OK; - connssl->client_cert = NULL; #ifdef HAVE_PK11_CREATEGENERICOBJECT connssl->cacert[0] = NULL; connssl->cacert[1] = NULL; diff --git a/lib/urldata.h b/lib/urldata.h index e686b18ff..f41b6583e 100644 --- a/lib/urldata.h +++ b/lib/urldata.h @@ -211,7 +211,6 @@ struct ssl_connect_data { #ifdef USE_NSS PRFileDesc *handle; char *client_nickname; - CERTCertificate *client_cert; #ifdef HAVE_PK11_CREATEGENERICOBJECT PK11GenericObject *key; PK11GenericObject *cacert[2];