From 3e0c067e43d548bee09b836e95deb0278e96d203 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Mon, 8 Jun 2009 21:25:16 +0000 Subject: - Claes Jakobsson provided a patch for libcurl-NSS that fixed a bad refcount issue with client certs that caused issues like segfaults. http://curl.haxx.se/mail/lib-2009-05/0316.html --- lib/nss.c | 30 ++++++++++++------------------ lib/urldata.h | 1 - 2 files changed, 12 insertions(+), 19 deletions(-) (limited to 'lib') diff --git a/lib/nss.c b/lib/nss.c index 3bfaf7109..a976b71ca 100644 --- a/lib/nss.c +++ b/lib/nss.c @@ -786,7 +786,8 @@ static SECStatus SelectClientCert(void *arg, PRFileDesc *sock, struct CERTCertificateStr **pRetCert, struct SECKEYPrivateKeyStr **pRetKey) { - SECKEYPrivateKey *privKey; + SECKEYPrivateKey *privKey = NULL; + CERTCertificate *cert; struct ssl_connect_data *connssl = (struct ssl_connect_data *) arg; char *nickname = connssl->client_nickname; void *proto_win = NULL; @@ -799,36 +800,32 @@ static SECStatus SelectClientCert(void *arg, PRFileDesc *sock, if(!nickname) return secStatus; - connssl->client_cert = PK11_FindCertFromNickname(nickname, proto_win); - if(connssl->client_cert) { - + cert = PK11_FindCertFromNickname(nickname, proto_win); + if(cert) { if(!strncmp(nickname, "PEM Token", 9)) { CK_SLOT_ID slotID = 1; /* hardcoded for now */ char slotname[SLOTSIZE]; snprintf(slotname, SLOTSIZE, "PEM Token #%ld", slotID); slot = PK11_FindSlotByName(slotname); - privKey = PK11_FindPrivateKeyFromCert(slot, connssl->client_cert, NULL); + privKey = PK11_FindPrivateKeyFromCert(slot, cert, NULL); PK11_FreeSlot(slot); if(privKey) { secStatus = SECSuccess; } } else { - privKey = PK11_FindKeyByAnyCert(connssl->client_cert, proto_win); + privKey = PK11_FindKeyByAnyCert(cert, proto_win); if(privKey) secStatus = SECSuccess; } } - if(secStatus == SECSuccess) { - *pRetCert = connssl->client_cert; - *pRetKey = privKey; - } - else { - if(connssl->client_cert) - CERT_DestroyCertificate(connssl->client_cert); - connssl->client_cert = NULL; - } + *pRetCert = cert; + *pRetKey = privKey; + + /* There's no need to destroy either cert or privKey as + * NSS will do that for us even if returning SECFailure + */ return secStatus; } @@ -912,8 +909,6 @@ void Curl_nss_close(struct connectdata *conn, int sockindex) free(connssl->client_nickname); connssl->client_nickname = NULL; } - if(connssl->client_cert) - CERT_DestroyCertificate(connssl->client_cert); #ifdef HAVE_PK11_CREATEGENERICOBJECT if(connssl->key) (void)PK11_DestroyGenericObject(connssl->key); @@ -957,7 +952,6 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex) if (connssl->state == ssl_connection_complete) return CURLE_OK; - connssl->client_cert = NULL; #ifdef HAVE_PK11_CREATEGENERICOBJECT connssl->cacert[0] = NULL; connssl->cacert[1] = NULL; diff --git a/lib/urldata.h b/lib/urldata.h index e686b18ff..f41b6583e 100644 --- a/lib/urldata.h +++ b/lib/urldata.h @@ -211,7 +211,6 @@ struct ssl_connect_data { #ifdef USE_NSS PRFileDesc *handle; char *client_nickname; - CERTCertificate *client_cert; #ifdef HAVE_PK11_CREATEGENERICOBJECT PK11GenericObject *key; PK11GenericObject *cacert[2]; -- cgit v1.2.3