fix SIGSEGV when using NSS client certificates

2009-07-10 12:27:52 +00:00 · 2009-07-10 12:27:52 +00:00 · 3c25d2d576
commit 3c25d2d576
parent 83e314d115
3 changed files with 131 additions and 1 deletions
--- a/curl-7.19.5-cc_refcnt-1.patch
+++ b/curl-7.19.5-cc_refcnt-1.patch
@ -0,0 +1,101 @@
+diff -ruNp curl-7.19.5.orig/lib/nss.c curl-7.19.5/lib/nss.c
+--- curl-7.19.5.orig/lib/nss.c	2009-05-11 11:13:49.000000000 +0200
+++ curl-7.19.5/lib/nss.c	2009-07-10 13:26:15.000000000 +0200
+@@ -786,7 +786,8 @@ static SECStatus SelectClientCert(void *
+                                   struct CERTCertificateStr **pRetCert,
+                                   struct SECKEYPrivateKeyStr **pRetKey)
+ {
+-  SECKEYPrivateKey *privKey;
+  SECKEYPrivateKey *privKey = NULL;
+  CERTCertificate *cert;
+   struct ssl_connect_data *connssl = (struct ssl_connect_data *) arg;
+   char *nickname = connssl->client_nickname;
+   void *proto_win = NULL;
+@@ -799,36 +800,32 @@ static SECStatus SelectClientCert(void *
+   if(!nickname)
+     return secStatus;
+ 
+-  connssl->client_cert = PK11_FindCertFromNickname(nickname, proto_win);
+-  if(connssl->client_cert) {
+-
+  cert = PK11_FindCertFromNickname(nickname, proto_win);
+  if(cert) {
+     if(!strncmp(nickname, "PEM Token", 9)) {
+       CK_SLOT_ID slotID = 1; /* hardcoded for now */
+       char slotname[SLOTSIZE];
+       snprintf(slotname, SLOTSIZE, "PEM Token #%ld", slotID);
+       slot = PK11_FindSlotByName(slotname);
+-      privKey = PK11_FindPrivateKeyFromCert(slot, connssl->client_cert, NULL);
+      privKey = PK11_FindPrivateKeyFromCert(slot, cert, NULL);
+       PK11_FreeSlot(slot);
+       if(privKey) {
+         secStatus = SECSuccess;
+       }
+     }
+     else {
+-      privKey = PK11_FindKeyByAnyCert(connssl->client_cert, proto_win);
+      privKey = PK11_FindKeyByAnyCert(cert, proto_win);
+       if(privKey)
+         secStatus = SECSuccess;
+     }
+   }
+ 
+-  if(secStatus == SECSuccess) {
+-    *pRetCert = connssl->client_cert;
+-    *pRetKey = privKey;
+-  }
+-  else {
+-    if(connssl->client_cert)
+-      CERT_DestroyCertificate(connssl->client_cert);
+-    connssl->client_cert = NULL;
+-  }
+  *pRetCert = cert;
+  *pRetKey = privKey;
+  
+  /* There's no need to destroy either cert or privKey as 
+   * NSS will do that for us even if returning SECFailure
+   */
+ 
+   return secStatus;
+ }
+@@ -912,14 +909,14 @@ void Curl_nss_close(struct connectdata *
+       free(connssl->client_nickname);
+       connssl->client_nickname = NULL;
+     }
+-    if(connssl->client_cert)
+-      CERT_DestroyCertificate(connssl->client_cert);
+#ifdef HAVE_PK11_CREATEGENERICOBJECT      
+     if(connssl->key)
+       (void)PK11_DestroyGenericObject(connssl->key);
+     if(connssl->cacert[1])
+       (void)PK11_DestroyGenericObject(connssl->cacert[1]);
+     if(connssl->cacert[0])
+       (void)PK11_DestroyGenericObject(connssl->cacert[0]);
+#endif
+     connssl->handle = NULL;
+   }
+ }
+@@ -955,10 +952,11 @@ CURLcode Curl_nss_connect(struct connect
+   if (connssl->state == ssl_connection_complete)
+     return CURLE_OK;
+ 
+-  connssl->client_cert = NULL;
+#ifdef HAVE_PK11_CREATEGENERICOBJECT  
+   connssl->cacert[0] = NULL;
+   connssl->cacert[1] = NULL;
+   connssl->key = NULL;
+#endif
+ 
+   /* FIXME. NSS doesn't support multiple databases open at the same time. */
+   PR_Lock(nss_initlock);
+diff -ruNp curl-7.19.5.orig/lib/urldata.h curl-7.19.5/lib/urldata.h
+--- curl-7.19.5.orig/lib/urldata.h	2009-05-11 09:53:38.000000000 +0200
+++ curl-7.19.5/lib/urldata.h	2009-07-10 13:30:55.000000000 +0200
+@@ -211,7 +211,6 @@ struct ssl_connect_data {
+ #ifdef USE_NSS
+   PRFileDesc *handle;
+   char *client_nickname;
+-  CERTCertificate *client_cert;
+ #ifdef HAVE_PK11_CREATEGENERICOBJECT
+   PK11GenericObject *key;
+   PK11GenericObject *cacert[2];
--- a/curl-7.19.5-cc_refcnt-2.patch
+++ b/curl-7.19.5-cc_refcnt-2.patch
@ -0,0 +1,22 @@
+diff -ruNp curl-7.19.5.orig/lib/nss.c curl-7.19.5/lib/nss.c
+--- curl-7.19.5.orig/lib/nss.c	2009-07-10 13:54:34.592293130 +0200
+++ curl-7.19.5/lib/nss.c	2009-07-10 13:54:48.250293559 +0200
+@@ -856,9 +856,17 @@ void Curl_nss_cleanup(void)
+    * as a safety feature.
+    */
+   PR_Lock(nss_initlock);
+
+  /* Free references to client certificates held in the SSL session cache.
+   * Omitting this hampers destruction of the security module owning
+   * the certificates. */
+  SSL_ClearSessionCache();
+
+   if (initialized) {
+-    if(mod)
+    if(mod) {
+      SECMOD_UnloadUserModule(mod);
+       SECMOD_DestroyModule(mod);
+    }
+     mod = NULL;
+     NSS_Shutdown();
+   }
--- a/curl.spec
+++ b/curl.spec
@ -1,7 +1,7 @@
 Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
 Name: curl
 Version: 7.19.5
-Release: 6%{?dist}
+Release: 7%{?dist}
 License: MIT
 Group: Applications/Internet
 Source: http://curl.haxx.se/download/%{name}-%{version}.tar.bz2
@ -10,6 +10,8 @@ Patch1: curl-7.15.3-multilib.patch
 Patch2: curl-7.16.0-privlibs.patch
 Patch3: curl-7.17.1-badsocket.patch
 Patch4: curl-7.19.4-debug.patch
+Patch5: curl-7.19.5-cc_refcnt-1.patch
+Patch6: curl-7.19.5-cc_refcnt-2.patch
 Provides: webclient
 URL: http://curl.haxx.se/
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@ -54,6 +56,8 @@ use cURL's capabilities internally.
 %patch2 -p1
 %patch3 -p1
 %patch4 -p1
+%patch5 -p1
+%patch6 -p1

 # Convert docs to UTF-8
 for f in CHANGES README; do
@ -136,6 +140,9 @@ rm -rf $RPM_BUILD_ROOT
 %{_datadir}/aclocal/libcurl.m4

 %changelog
+* Fri Jul 10 2009 Kamil Dudka <kdudka@redhat.com> 7.19.5-7
+- fix SIGSEGV when using NSS client certificates, thanks to Claes Jakobsson
+
 * Sun Jul 05 2009 Kamil Dudka <kdudka@redhat.com> 7.19.5-6
 - force test suite to use the just built libcurl, thanks to Paul Howarth