diff options
| author | Daniel Stenberg <daniel@haxx.se> | 2009-06-08 21:25:16 +0000 |
|---|---|---|
| committer | Daniel Stenberg <daniel@haxx.se> | 2009-06-08 21:25:16 +0000 |
| commit | 3e0c067e43d548bee09b836e95deb0278e96d203 (patch) | |
| tree | 8bc3d723c4088010ca3349389e241a14aea37d7e /lib | |
| parent | f90551ff413b9c343443eecaea56c9503442ed31 (diff) | |
- Claes Jakobsson provided a patch for libcurl-NSS that fixed a bad refcount
issue with client certs that caused issues like segfaults.
http://curl.haxx.se/mail/lib-2009-05/0316.html
Diffstat (limited to 'lib')
| -rw-r--r-- | lib/nss.c | 30 | ||||
| -rw-r--r-- | lib/urldata.h | 1 |
2 files changed, 12 insertions, 19 deletions
@@ -786,7 +786,8 @@ static SECStatus SelectClientCert(void *arg, PRFileDesc *sock, struct CERTCertificateStr **pRetCert, struct SECKEYPrivateKeyStr **pRetKey) { - SECKEYPrivateKey *privKey; + SECKEYPrivateKey *privKey = NULL; + CERTCertificate *cert; struct ssl_connect_data *connssl = (struct ssl_connect_data *) arg; char *nickname = connssl->client_nickname; void *proto_win = NULL; @@ -799,36 +800,32 @@ static SECStatus SelectClientCert(void *arg, PRFileDesc *sock, if(!nickname) return secStatus; - connssl->client_cert = PK11_FindCertFromNickname(nickname, proto_win); - if(connssl->client_cert) { - + cert = PK11_FindCertFromNickname(nickname, proto_win); + if(cert) { if(!strncmp(nickname, "PEM Token", 9)) { CK_SLOT_ID slotID = 1; /* hardcoded for now */ char slotname[SLOTSIZE]; snprintf(slotname, SLOTSIZE, "PEM Token #%ld", slotID); slot = PK11_FindSlotByName(slotname); - privKey = PK11_FindPrivateKeyFromCert(slot, connssl->client_cert, NULL); + privKey = PK11_FindPrivateKeyFromCert(slot, cert, NULL); PK11_FreeSlot(slot); if(privKey) { secStatus = SECSuccess; } } else { - privKey = PK11_FindKeyByAnyCert(connssl->client_cert, proto_win); + privKey = PK11_FindKeyByAnyCert(cert, proto_win); if(privKey) secStatus = SECSuccess; } } - if(secStatus == SECSuccess) { - *pRetCert = connssl->client_cert; - *pRetKey = privKey; - } - else { - if(connssl->client_cert) - CERT_DestroyCertificate(connssl->client_cert); - connssl->client_cert = NULL; - } + *pRetCert = cert; + *pRetKey = privKey; + + /* There's no need to destroy either cert or privKey as + * NSS will do that for us even if returning SECFailure + */ return secStatus; } @@ -912,8 +909,6 @@ void Curl_nss_close(struct connectdata *conn, int sockindex) free(connssl->client_nickname); connssl->client_nickname = NULL; } - if(connssl->client_cert) - CERT_DestroyCertificate(connssl->client_cert); #ifdef HAVE_PK11_CREATEGENERICOBJECT if(connssl->key) (void)PK11_DestroyGenericObject(connssl->key); @@ -957,7 +952,6 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex) if (connssl->state == ssl_connection_complete) return CURLE_OK; - connssl->client_cert = NULL; #ifdef HAVE_PK11_CREATEGENERICOBJECT connssl->cacert[0] = NULL; connssl->cacert[1] = NULL; diff --git a/lib/urldata.h b/lib/urldata.h index e686b18ff..f41b6583e 100644 --- a/lib/urldata.h +++ b/lib/urldata.h @@ -211,7 +211,6 @@ struct ssl_connect_data { #ifdef USE_NSS PRFileDesc *handle; char *client_nickname; - CERTCertificate *client_cert; #ifdef HAVE_PK11_CREATEGENERICOBJECT PK11GenericObject *key; PK11GenericObject *cacert[2]; |