- Claes Jakobsson provided a patch for libcurl-NSS that fixed a bad refcount

issue with client certs that caused issues like segfaults.
  http://curl.haxx.se/mail/lib-2009-05/0316.html
This commit is contained in:
Daniel Stenberg 2009-06-08 21:25:16 +00:00
Родитель f90551ff41
Коммит 3e0c067e43
4 изменённых файлов: 17 добавлений и 20 удалений

Просмотреть файл

@ -7,6 +7,10 @@
Changelog Changelog
Daniel Stenberg (8 Jun 2009) Daniel Stenberg (8 Jun 2009)
- Claes Jakobsson provided a patch for libcurl-NSS that fixed a bad refcount
issue with client certs that caused issues like segfaults.
http://curl.haxx.se/mail/lib-2009-05/0316.html
- Triggered by bug report #2798852 and the patch in there, I fixed configure - Triggered by bug report #2798852 and the patch in there, I fixed configure
to detect gnutls build options with pkg-config only and not libgnutls-config to detect gnutls build options with pkg-config only and not libgnutls-config
anymore since GnuTLS has stopped distributing that tool. If an explicit path anymore since GnuTLS has stopped distributing that tool. If an explicit path

Просмотреть файл

@ -18,7 +18,6 @@ This release includes the following bugfixes:
o build fix for Symbian o build fix for Symbian
o CURLOPT_USERPWD set to NULL clears auth credentials o CURLOPT_USERPWD set to NULL clears auth credentials
o libcurl-NSS build fixes o libcurl-NSS build fixes
o libcurl-NSS build fix
o configure script fixed for VMS o configure script fixed for VMS
o set Content-Length: with POST and PUT failed with NTLM auth o set Content-Length: with POST and PUT failed with NTLM auth
o allow building libcurl for VxWorks o allow building libcurl for VxWorks
@ -26,6 +25,7 @@ This release includes the following bugfixes:
o --no-buffer treated correctly o --no-buffer treated correctly
o djgpp build fix o djgpp build fix
o configure detection of GnuTLS now based on pkg-config o configure detection of GnuTLS now based on pkg-config
o libcurl-NSS client cert handling segfaults
This release includes the following known bugs: This release includes the following known bugs:

Просмотреть файл

@ -786,7 +786,8 @@ static SECStatus SelectClientCert(void *arg, PRFileDesc *sock,
struct CERTCertificateStr **pRetCert, struct CERTCertificateStr **pRetCert,
struct SECKEYPrivateKeyStr **pRetKey) struct SECKEYPrivateKeyStr **pRetKey)
{ {
SECKEYPrivateKey *privKey; SECKEYPrivateKey *privKey = NULL;
CERTCertificate *cert;
struct ssl_connect_data *connssl = (struct ssl_connect_data *) arg; struct ssl_connect_data *connssl = (struct ssl_connect_data *) arg;
char *nickname = connssl->client_nickname; char *nickname = connssl->client_nickname;
void *proto_win = NULL; void *proto_win = NULL;
@ -799,36 +800,32 @@ static SECStatus SelectClientCert(void *arg, PRFileDesc *sock,
if(!nickname) if(!nickname)
return secStatus; return secStatus;
connssl->client_cert = PK11_FindCertFromNickname(nickname, proto_win); cert = PK11_FindCertFromNickname(nickname, proto_win);
if(connssl->client_cert) { if(cert) {
if(!strncmp(nickname, "PEM Token", 9)) { if(!strncmp(nickname, "PEM Token", 9)) {
CK_SLOT_ID slotID = 1; /* hardcoded for now */ CK_SLOT_ID slotID = 1; /* hardcoded for now */
char slotname[SLOTSIZE]; char slotname[SLOTSIZE];
snprintf(slotname, SLOTSIZE, "PEM Token #%ld", slotID); snprintf(slotname, SLOTSIZE, "PEM Token #%ld", slotID);
slot = PK11_FindSlotByName(slotname); slot = PK11_FindSlotByName(slotname);
privKey = PK11_FindPrivateKeyFromCert(slot, connssl->client_cert, NULL); privKey = PK11_FindPrivateKeyFromCert(slot, cert, NULL);
PK11_FreeSlot(slot); PK11_FreeSlot(slot);
if(privKey) { if(privKey) {
secStatus = SECSuccess; secStatus = SECSuccess;
} }
} }
else { else {
privKey = PK11_FindKeyByAnyCert(connssl->client_cert, proto_win); privKey = PK11_FindKeyByAnyCert(cert, proto_win);
if(privKey) if(privKey)
secStatus = SECSuccess; secStatus = SECSuccess;
} }
} }
if(secStatus == SECSuccess) { *pRetCert = cert;
*pRetCert = connssl->client_cert; *pRetKey = privKey;
*pRetKey = privKey;
} /* There's no need to destroy either cert or privKey as
else { * NSS will do that for us even if returning SECFailure
if(connssl->client_cert) */
CERT_DestroyCertificate(connssl->client_cert);
connssl->client_cert = NULL;
}
return secStatus; return secStatus;
} }
@ -912,8 +909,6 @@ void Curl_nss_close(struct connectdata *conn, int sockindex)
free(connssl->client_nickname); free(connssl->client_nickname);
connssl->client_nickname = NULL; connssl->client_nickname = NULL;
} }
if(connssl->client_cert)
CERT_DestroyCertificate(connssl->client_cert);
#ifdef HAVE_PK11_CREATEGENERICOBJECT #ifdef HAVE_PK11_CREATEGENERICOBJECT
if(connssl->key) if(connssl->key)
(void)PK11_DestroyGenericObject(connssl->key); (void)PK11_DestroyGenericObject(connssl->key);
@ -957,7 +952,6 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex)
if (connssl->state == ssl_connection_complete) if (connssl->state == ssl_connection_complete)
return CURLE_OK; return CURLE_OK;
connssl->client_cert = NULL;
#ifdef HAVE_PK11_CREATEGENERICOBJECT #ifdef HAVE_PK11_CREATEGENERICOBJECT
connssl->cacert[0] = NULL; connssl->cacert[0] = NULL;
connssl->cacert[1] = NULL; connssl->cacert[1] = NULL;

Просмотреть файл

@ -211,7 +211,6 @@ struct ssl_connect_data {
#ifdef USE_NSS #ifdef USE_NSS
PRFileDesc *handle; PRFileDesc *handle;
char *client_nickname; char *client_nickname;
CERTCertificate *client_cert;
#ifdef HAVE_PK11_CREATEGENERICOBJECT #ifdef HAVE_PK11_CREATEGENERICOBJECT
PK11GenericObject *key; PK11GenericObject *key;
PK11GenericObject *cacert[2]; PK11GenericObject *cacert[2];