151 lines
4.7 KiB
Diff
151 lines
4.7 KiB
Diff
From b4d5a85714dc37d3aa0aa6ed7b37d95205b0f13a Mon Sep 17 00:00:00 2001
|
|
From: Kamil Dudka <kdudka@redhat.com>
|
|
Date: Tue, 24 Feb 2015 15:10:15 +0100
|
|
Subject: [PATCH] nss: improve error handling in Curl_nss_random()
|
|
|
|
The vtls layer now checks the return value, so it is no longer necessary
|
|
to abort if a random number cannot be provided by NSS. This also fixes
|
|
the following Coverity report:
|
|
|
|
Error: FORWARD_NULL (CWE-476):
|
|
lib/vtls/nss.c:1918: var_compare_op: Comparing "data" to null implies that "data" might be null.
|
|
lib/vtls/nss.c:1923: var_deref_model: Passing null pointer "data" to "Curl_failf", which dereferences it.
|
|
lib/sendf.c:154:3: deref_parm: Directly dereferencing parameter "data".
|
|
|
|
Upstream-commit: 7a1538d9cc0736e0a9ab13cf115db40a0bfbb152
|
|
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
|
---
|
|
lib/vtls/nss.c | 8 +++-----
|
|
1 file changed, 3 insertions(+), 5 deletions(-)
|
|
|
|
diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c
|
|
index 16b9124..1dd56ba 100644
|
|
--- a/lib/vtls/nss.c
|
|
+++ b/lib/vtls/nss.c
|
|
@@ -1918,11 +1918,9 @@ int Curl_nss_random(struct SessionHandle *data,
|
|
if(data)
|
|
Curl_nss_seed(data); /* Initiate the seed if not already done */
|
|
|
|
- if(SECSuccess != PK11_GenerateRandom(entropy, curlx_uztosi(length))) {
|
|
- /* no way to signal a failure from here, we have to abort */
|
|
- failf(data, "PK11_GenerateRandom() failed, calling abort()...");
|
|
- abort();
|
|
- }
|
|
+ if(SECSuccess != PK11_GenerateRandom(entropy, curlx_uztosi(length)))
|
|
+ /* signal a failure */
|
|
+ return -1;
|
|
|
|
return 0;
|
|
}
|
|
--
|
|
2.1.0
|
|
|
|
From 6d5b40e46ec36a19bc4ee76ec674058088bec8ba Mon Sep 17 00:00:00 2001
|
|
From: Kamil Dudka <kdudka@redhat.com>
|
|
Date: Tue, 24 Feb 2015 15:18:45 +0100
|
|
Subject: [PATCH] nss: do not skip Curl_nss_seed() if data is NULL
|
|
|
|
In that case, we only skip writing the error message for failed NSS
|
|
initialization (while still returning the correct error code).
|
|
|
|
Upstream-commit: 4909f7c795a4490dbb29e89b8b1564af86ee5999
|
|
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
|
---
|
|
lib/vtls/nss.c | 12 ++++++++----
|
|
1 file changed, 8 insertions(+), 4 deletions(-)
|
|
|
|
diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c
|
|
index 1dd56ba..e201dec 100644
|
|
--- a/lib/vtls/nss.c
|
|
+++ b/lib/vtls/nss.c
|
|
@@ -1034,6 +1034,7 @@ static PRStatus nspr_io_close(PRFileDesc *fd)
|
|
return close_fn(fd);
|
|
}
|
|
|
|
+/* data might be NULL */
|
|
static CURLcode nss_init_core(struct SessionHandle *data, const char *cert_dir)
|
|
{
|
|
NSSInitParameters initparams;
|
|
@@ -1071,6 +1072,7 @@ static CURLcode nss_init_core(struct SessionHandle *data, const char *cert_dir)
|
|
return CURLE_SSL_CACERT_BADFILE;
|
|
}
|
|
|
|
+/* data might be NULL */
|
|
static CURLcode nss_init(struct SessionHandle *data)
|
|
{
|
|
char *cert_dir;
|
|
@@ -1149,12 +1151,14 @@ int Curl_nss_init(void)
|
|
return 1;
|
|
}
|
|
|
|
+/* data might be NULL */
|
|
CURLcode Curl_nss_force_init(struct SessionHandle *data)
|
|
{
|
|
CURLcode result;
|
|
if(!nss_initlock) {
|
|
- failf(data, "unable to initialize NSS, curl_global_init() should have "
|
|
- "been called with CURL_GLOBAL_SSL or CURL_GLOBAL_ALL");
|
|
+ if(data)
|
|
+ failf(data, "unable to initialize NSS, curl_global_init() should have "
|
|
+ "been called with CURL_GLOBAL_SSL or CURL_GLOBAL_ALL");
|
|
return CURLE_FAILED_INIT;
|
|
}
|
|
|
|
@@ -1904,6 +1908,7 @@ size_t Curl_nss_version(char *buffer, size_t size)
|
|
return snprintf(buffer, size, "NSS/%s", NSS_VERSION);
|
|
}
|
|
|
|
+/* data might be NULL */
|
|
int Curl_nss_seed(struct SessionHandle *data)
|
|
{
|
|
/* make sure that NSS is initialized */
|
|
@@ -1915,8 +1920,7 @@ int Curl_nss_random(struct SessionHandle *data,
|
|
unsigned char *entropy,
|
|
size_t length)
|
|
{
|
|
- if(data)
|
|
- Curl_nss_seed(data); /* Initiate the seed if not already done */
|
|
+ Curl_nss_seed(data); /* Initiate the seed if not already done */
|
|
|
|
if(SECSuccess != PK11_GenerateRandom(entropy, curlx_uztosi(length)))
|
|
/* signal a failure */
|
|
--
|
|
2.1.0
|
|
|
|
From abe5470533db524abfbb7f7e078c15c159aa66d9 Mon Sep 17 00:00:00 2001
|
|
From: Kamil Dudka <kdudka@redhat.com>
|
|
Date: Tue, 24 Feb 2015 18:58:55 +0100
|
|
Subject: [PATCH] curl-config.in: eliminate double quotes around CURL_CA_BUNDLE
|
|
|
|
Otherwise it expands to:
|
|
|
|
echo ""/etc/pki/tls/certs/ca-bundle.crt""
|
|
|
|
Detected by ShellCheck:
|
|
|
|
curl-config:74:16: warning: The double quotes around this do
|
|
nothing. Remove or escape them. [SC2140]
|
|
|
|
Upstream-commit: e47b8306db14ed1ccd66f774bded2d59602d2c88
|
|
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
|
---
|
|
curl-config.in | 2 +-
|
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
|
|
|
diff --git a/curl-config.in b/curl-config.in
|
|
index 1ddf4c2..9398722 100644
|
|
--- a/curl-config.in
|
|
+++ b/curl-config.in
|
|
@@ -71,7 +71,7 @@ while test $# -gt 0; do
|
|
;;
|
|
|
|
--ca)
|
|
- echo "@CURL_CA_BUNDLE@"
|
|
+ echo @CURL_CA_BUNDLE@
|
|
;;
|
|
|
|
--cc)
|
|
--
|
|
2.1.0
|
|
|