- Claes Jakobsson provided a patch for libcurl-NSS that fixed a bad refcount
issue with client certs that caused issues like segfaults. http://curl.haxx.se/mail/lib-2009-05/0316.html
This commit is contained in:
Родитель
f90551ff41
Коммит
3e0c067e43
4
CHANGES
4
CHANGES
|
@ -7,6 +7,10 @@
|
||||||
Changelog
|
Changelog
|
||||||
|
|
||||||
Daniel Stenberg (8 Jun 2009)
|
Daniel Stenberg (8 Jun 2009)
|
||||||
|
- Claes Jakobsson provided a patch for libcurl-NSS that fixed a bad refcount
|
||||||
|
issue with client certs that caused issues like segfaults.
|
||||||
|
http://curl.haxx.se/mail/lib-2009-05/0316.html
|
||||||
|
|
||||||
- Triggered by bug report #2798852 and the patch in there, I fixed configure
|
- Triggered by bug report #2798852 and the patch in there, I fixed configure
|
||||||
to detect gnutls build options with pkg-config only and not libgnutls-config
|
to detect gnutls build options with pkg-config only and not libgnutls-config
|
||||||
anymore since GnuTLS has stopped distributing that tool. If an explicit path
|
anymore since GnuTLS has stopped distributing that tool. If an explicit path
|
||||||
|
|
|
@ -18,7 +18,6 @@ This release includes the following bugfixes:
|
||||||
o build fix for Symbian
|
o build fix for Symbian
|
||||||
o CURLOPT_USERPWD set to NULL clears auth credentials
|
o CURLOPT_USERPWD set to NULL clears auth credentials
|
||||||
o libcurl-NSS build fixes
|
o libcurl-NSS build fixes
|
||||||
o libcurl-NSS build fix
|
|
||||||
o configure script fixed for VMS
|
o configure script fixed for VMS
|
||||||
o set Content-Length: with POST and PUT failed with NTLM auth
|
o set Content-Length: with POST and PUT failed with NTLM auth
|
||||||
o allow building libcurl for VxWorks
|
o allow building libcurl for VxWorks
|
||||||
|
@ -26,6 +25,7 @@ This release includes the following bugfixes:
|
||||||
o --no-buffer treated correctly
|
o --no-buffer treated correctly
|
||||||
o djgpp build fix
|
o djgpp build fix
|
||||||
o configure detection of GnuTLS now based on pkg-config
|
o configure detection of GnuTLS now based on pkg-config
|
||||||
|
o libcurl-NSS client cert handling segfaults
|
||||||
|
|
||||||
This release includes the following known bugs:
|
This release includes the following known bugs:
|
||||||
|
|
||||||
|
|
30
lib/nss.c
30
lib/nss.c
|
@ -786,7 +786,8 @@ static SECStatus SelectClientCert(void *arg, PRFileDesc *sock,
|
||||||
struct CERTCertificateStr **pRetCert,
|
struct CERTCertificateStr **pRetCert,
|
||||||
struct SECKEYPrivateKeyStr **pRetKey)
|
struct SECKEYPrivateKeyStr **pRetKey)
|
||||||
{
|
{
|
||||||
SECKEYPrivateKey *privKey;
|
SECKEYPrivateKey *privKey = NULL;
|
||||||
|
CERTCertificate *cert;
|
||||||
struct ssl_connect_data *connssl = (struct ssl_connect_data *) arg;
|
struct ssl_connect_data *connssl = (struct ssl_connect_data *) arg;
|
||||||
char *nickname = connssl->client_nickname;
|
char *nickname = connssl->client_nickname;
|
||||||
void *proto_win = NULL;
|
void *proto_win = NULL;
|
||||||
|
@ -799,36 +800,32 @@ static SECStatus SelectClientCert(void *arg, PRFileDesc *sock,
|
||||||
if(!nickname)
|
if(!nickname)
|
||||||
return secStatus;
|
return secStatus;
|
||||||
|
|
||||||
connssl->client_cert = PK11_FindCertFromNickname(nickname, proto_win);
|
cert = PK11_FindCertFromNickname(nickname, proto_win);
|
||||||
if(connssl->client_cert) {
|
if(cert) {
|
||||||
|
|
||||||
if(!strncmp(nickname, "PEM Token", 9)) {
|
if(!strncmp(nickname, "PEM Token", 9)) {
|
||||||
CK_SLOT_ID slotID = 1; /* hardcoded for now */
|
CK_SLOT_ID slotID = 1; /* hardcoded for now */
|
||||||
char slotname[SLOTSIZE];
|
char slotname[SLOTSIZE];
|
||||||
snprintf(slotname, SLOTSIZE, "PEM Token #%ld", slotID);
|
snprintf(slotname, SLOTSIZE, "PEM Token #%ld", slotID);
|
||||||
slot = PK11_FindSlotByName(slotname);
|
slot = PK11_FindSlotByName(slotname);
|
||||||
privKey = PK11_FindPrivateKeyFromCert(slot, connssl->client_cert, NULL);
|
privKey = PK11_FindPrivateKeyFromCert(slot, cert, NULL);
|
||||||
PK11_FreeSlot(slot);
|
PK11_FreeSlot(slot);
|
||||||
if(privKey) {
|
if(privKey) {
|
||||||
secStatus = SECSuccess;
|
secStatus = SECSuccess;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
else {
|
else {
|
||||||
privKey = PK11_FindKeyByAnyCert(connssl->client_cert, proto_win);
|
privKey = PK11_FindKeyByAnyCert(cert, proto_win);
|
||||||
if(privKey)
|
if(privKey)
|
||||||
secStatus = SECSuccess;
|
secStatus = SECSuccess;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if(secStatus == SECSuccess) {
|
*pRetCert = cert;
|
||||||
*pRetCert = connssl->client_cert;
|
*pRetKey = privKey;
|
||||||
*pRetKey = privKey;
|
|
||||||
}
|
/* There's no need to destroy either cert or privKey as
|
||||||
else {
|
* NSS will do that for us even if returning SECFailure
|
||||||
if(connssl->client_cert)
|
*/
|
||||||
CERT_DestroyCertificate(connssl->client_cert);
|
|
||||||
connssl->client_cert = NULL;
|
|
||||||
}
|
|
||||||
|
|
||||||
return secStatus;
|
return secStatus;
|
||||||
}
|
}
|
||||||
|
@ -912,8 +909,6 @@ void Curl_nss_close(struct connectdata *conn, int sockindex)
|
||||||
free(connssl->client_nickname);
|
free(connssl->client_nickname);
|
||||||
connssl->client_nickname = NULL;
|
connssl->client_nickname = NULL;
|
||||||
}
|
}
|
||||||
if(connssl->client_cert)
|
|
||||||
CERT_DestroyCertificate(connssl->client_cert);
|
|
||||||
#ifdef HAVE_PK11_CREATEGENERICOBJECT
|
#ifdef HAVE_PK11_CREATEGENERICOBJECT
|
||||||
if(connssl->key)
|
if(connssl->key)
|
||||||
(void)PK11_DestroyGenericObject(connssl->key);
|
(void)PK11_DestroyGenericObject(connssl->key);
|
||||||
|
@ -957,7 +952,6 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex)
|
||||||
if (connssl->state == ssl_connection_complete)
|
if (connssl->state == ssl_connection_complete)
|
||||||
return CURLE_OK;
|
return CURLE_OK;
|
||||||
|
|
||||||
connssl->client_cert = NULL;
|
|
||||||
#ifdef HAVE_PK11_CREATEGENERICOBJECT
|
#ifdef HAVE_PK11_CREATEGENERICOBJECT
|
||||||
connssl->cacert[0] = NULL;
|
connssl->cacert[0] = NULL;
|
||||||
connssl->cacert[1] = NULL;
|
connssl->cacert[1] = NULL;
|
||||||
|
|
|
@ -211,7 +211,6 @@ struct ssl_connect_data {
|
||||||
#ifdef USE_NSS
|
#ifdef USE_NSS
|
||||||
PRFileDesc *handle;
|
PRFileDesc *handle;
|
||||||
char *client_nickname;
|
char *client_nickname;
|
||||||
CERTCertificate *client_cert;
|
|
||||||
#ifdef HAVE_PK11_CREATEGENERICOBJECT
|
#ifdef HAVE_PK11_CREATEGENERICOBJECT
|
||||||
PK11GenericObject *key;
|
PK11GenericObject *key;
|
||||||
PK11GenericObject *cacert[2];
|
PK11GenericObject *cacert[2];
|
||||||
|
|
Загрузка…
Ссылка в новой задаче