diff --git a/curl-7.19.5-cc_refcnt-1.patch b/curl-7.19.5-cc_refcnt-1.patch
new file mode 100644
index 0000000..8d92be9
--- /dev/null
+++ b/curl-7.19.5-cc_refcnt-1.patch
@@ -0,0 +1,101 @@
+diff -ruNp curl-7.19.5.orig/lib/nss.c curl-7.19.5/lib/nss.c
+--- curl-7.19.5.orig/lib/nss.c 2009-05-11 11:13:49.000000000 +0200
++++ curl-7.19.5/lib/nss.c 2009-07-10 13:26:15.000000000 +0200
+@@ -786,7 +786,8 @@ static SECStatus SelectClientCert(void *
+ struct CERTCertificateStr **pRetCert,
+ struct SECKEYPrivateKeyStr **pRetKey)
+ {
+- SECKEYPrivateKey *privKey;
++ SECKEYPrivateKey *privKey = NULL;
++ CERTCertificate *cert;
+ struct ssl_connect_data *connssl = (struct ssl_connect_data *) arg;
+ char *nickname = connssl->client_nickname;
+ void *proto_win = NULL;
+@@ -799,36 +800,32 @@ static SECStatus SelectClientCert(void *
+ if(!nickname)
+ return secStatus;
+ 
+- connssl->client_cert = PK11_FindCertFromNickname(nickname, proto_win);
+- if(connssl->client_cert) {
+- 
++ cert = PK11_FindCertFromNickname(nickname, proto_win);
++ if(cert) {
+ if(!strncmp(nickname, "PEM Token", 9)) {
+ CK_SLOT_ID slotID = 1; /* hardcoded for now */
+ char slotname[SLOTSIZE];
+ snprintf(slotname, SLOTSIZE, "PEM Token #%ld", slotID);
+ slot = PK11_FindSlotByName(slotname);
+- privKey = PK11_FindPrivateKeyFromCert(slot, connssl->client_cert, NULL);
++ privKey = PK11_FindPrivateKeyFromCert(slot, cert, NULL);
+ PK11_FreeSlot(slot);
+ if(privKey) {
+ secStatus = SECSuccess;
+ }
+ }
+ else {
+- privKey = PK11_FindKeyByAnyCert(connssl->client_cert, proto_win);
++ privKey = PK11_FindKeyByAnyCert(cert, proto_win);
+ if(privKey)
+ secStatus = SECSuccess;
+ }
+ }
+ 
+- if(secStatus == SECSuccess) {
+- *pRetCert = connssl->client_cert;
+- *pRetKey = privKey;
+- }
+- else {
+- if(connssl->client_cert)
+- CERT_DestroyCertificate(connssl->client_cert);
+- connssl->client_cert = NULL;
+- }
++ *pRetCert = cert;
++ *pRetKey = privKey;
++ 
++ /* There's no need to destroy either cert or privKey as
++ * NSS will do that for us even if returning SECFailure
++ */
+ 
+ return secStatus;
+ }
+@@ -912,14 +909,14 @@ void Curl_nss_close(struct connectdata *
+ free(connssl->client_nickname);
+ connssl->client_nickname = NULL;
+ }
+- if(connssl->client_cert)
+- CERT_DestroyCertificate(connssl->client_cert);
++#ifdef HAVE_PK11_CREATEGENERICOBJECT
+ if(connssl->key)
+ (void)PK11_DestroyGenericObject(connssl->key);
+ if(connssl->cacert[1])
+ (void)PK11_DestroyGenericObject(connssl->cacert[1]);
+ if(connssl->cacert[0])
+ (void)PK11_DestroyGenericObject(connssl->cacert[0]);
++#endif
+ connssl->handle = NULL;
+ }
+ }
+@@ -955,10 +952,11 @@ CURLcode Curl_nss_connect(struct connect
+ if (connssl->state == ssl_connection_complete)
+ return CURLE_OK;
+ 
+- connssl->client_cert = NULL;
++#ifdef HAVE_PK11_CREATEGENERICOBJECT
+ connssl->cacert[0] = NULL;
+ connssl->cacert[1] = NULL;
+ connssl->key = NULL;
++#endif
+ 
+ /* FIXME. NSS doesn't support multiple databases open at the same time. */
+ PR_Lock(nss_initlock);
+diff -ruNp curl-7.19.5.orig/lib/urldata.h curl-7.19.5/lib/urldata.h
+--- curl-7.19.5.orig/lib/urldata.h 2009-05-11 09:53:38.000000000 +0200
++++ curl-7.19.5/lib/urldata.h 2009-07-10 13:30:55.000000000 +0200
+@@ -211,7 +211,6 @@ struct ssl_connect_data {
+ #ifdef USE_NSS
+ PRFileDesc *handle;
+ char *client_nickname;
+- CERTCertificate *client_cert;
+ #ifdef HAVE_PK11_CREATEGENERICOBJECT
+ PK11GenericObject *key;
+ PK11GenericObject *cacert[2];
diff --git a/curl-7.19.5-cc_refcnt-2.patch b/curl-7.19.5-cc_refcnt-2.patch
new file mode 100644
index 0000000..e6ab230
--- /dev/null
+++ b/curl-7.19.5-cc_refcnt-2.patch
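Review bot: In the rewritten `SelectClientCert` body (first lib/nss.c hunk inside this patch) `*pRetCert` and `*pRetKey` are now stored even when `secStatus` stays `SECFailure`, so a certificate that was found but has no usable key is handed to NSS instead of being destroyed locally; the added comment asserts that NSS releases both on failure, and the whole fix for the earlier double destroy in `Curl_nss_close` rests on that holding for the NSS version the package builds against, so it is worth confirming rather than taking the comment on faith. For consistency with the `privKey = NULL` initialiser directly above it, the new declaration could read `CERTCertificate *cert = NULL;`, which also keeps the out-parameter stores well-defined should a future early path skip the `PK11_FindCertFromNickname` assignment. Separately, the context lines this patch keeps still pass the result of `PK11_FindSlotByName(slotname)` to `PK11_FindPrivateKeyFromCert` and `PK11_FreeSlot` without a NULL check; the patch does not address that.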
@@ -0,0 +1,22 @@
+diff -ruNp curl-7.19.5.orig/lib/nss.c curl-7.19.5/lib/nss.c
+--- curl-7.19.5.orig/lib/nss.c 2009-07-10 13:54:34.592293130 +0200
++++ curl-7.19.5/lib/nss.c 2009-07-10 13:54:48.250293559 +0200
+@@ -856,9 +856,17 @@ void Curl_nss_cleanup(void)
+ * as a safety feature.
+ */
+ PR_Lock(nss_initlock);
++ 
++ /* Free references to client certificates held in the SSL session cache.
++ * Omitting this hampers destruction of the security module owning
++ * the certificates. */
++ SSL_ClearSessionCache();
++ 
+ if (initialized) {
+- if(mod)
++ if(mod) {
++ SECMOD_UnloadUserModule(mod);
+ SECMOD_DestroyModule(mod);
++ }
+ mod = NULL;
+ NSS_Shutdown();
+ }
diff --git a/curl.spec b/curl.spec
index a1698d8..4d69513 100644
--- a/curl.spec
+++ b/curl.spec
@@ -1,7 +1,7 @@
 Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
 Name: curl
 Version: 7.19.5
-Release: 6%{?dist}
+Release: 7%{?dist}
 License: MIT
 Group: Applications/Internet
 Source: http://curl.haxx.se/download/%{name}-%{version}.tar.bz2
@@ -10,6 +10,8 @@ Patch1: curl-7.15.3-multilib.patch
 Patch2: curl-7.16.0-privlibs.patch
 Patch3: curl-7.17.1-badsocket.patch
 Patch4: curl-7.19.4-debug.patch
+Patch5: curl-7.19.5-cc_refcnt-1.patch
+Patch6: curl-7.19.5-cc_refcnt-2.patch
 Provides: webclient
 URL: http://curl.haxx.se/
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -54,6 +56,8 @@ use cURL's capabilities internally.
 %patch2 -p1
 %patch3 -p1
 %patch4 -p1
+%patch5 -p1
+%patch6 -p1
 
 # Convert docs to UTF-8
 for f in CHANGES README; do
@@ -136,6 +140,9 @@ rm -rf $RPM_BUILD_ROOT
 %{_datadir}/aclocal/libcurl.m4
 
 %changelog
+* Fri Jul 10 2009 Kamil Dudka 7.19.5-7
+- fix SIGSEGV when using NSS client certificates, thanks to Claes Jakobsson
+
 * Sun Jul 05 2009 Kamil Dudka 7.19.5-6
 - force test suite to use the just built libcurl, thanks to Paul Howarth
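Review bot: `SSL_ClearSessionCache()` is inserted ahead of the `if (initialized)` test in `Curl_nss_cleanup`, so it also runs in a process where NSS was never brought up; if the call is only meaningful after initialisation, placing it inside that branch, before the `SECMOD_UnloadUserModule`/`SECMOD_DestroyModule` pair, keeps the teardown order the mirror of setup and avoids touching NSS state that may not exist. The result of the new `SECMOD_UnloadUserModule(mod)` call is dropped silently, whereas the companion patch in this commit marks ignored results explicitly with `(void)PK11_DestroyGenericObject(...)`; `(void)SECMOD_UnloadUserModule(mod);` would follow that convention, or an unload failure could be reported, since a module that fails to unload is precisely the condition the session-cache comment describes. The function's body continues past the end of the hunk.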