mirror of
https://github.com/moparisthebest/curl
synced 2024-11-11 20:15:03 -05:00
- Kamil Dudka fixed another NSS-related leak when client certs were used.
This commit is contained in:
Daniel Stenberg
parent
082b0d822c
commit
828a26286d
2
CHANGES
2
CHANGES
@ -7,6 +7,8 @@
|
|||||||
Changelog
|
Changelog
|
||||||
|
|
||||||
Daniel Stenberg (24 Apr 2009)
|
Daniel Stenberg (24 Apr 2009)
|
||||||
|
- Kamil Dudka fixed another NSS-related leak when client certs were used.
|
||||||
|
|
||||||
- bug report #2779245 (http://curl.haxx.se/bug/view.cgi?id=2779245) by Rainer
|
- bug report #2779245 (http://curl.haxx.se/bug/view.cgi?id=2779245) by Rainer
|
||||||
Koenig pointed out that the man page didn't tell that the *_proxy
|
Koenig pointed out that the man page didn't tell that the *_proxy
|
||||||
environment variables can be specified lower case or UPPER CASE and the
|
environment variables can be specified lower case or UPPER CASE and the
|
||||||
|
|||||||
@ -26,7 +26,7 @@ This release includes the following bugfixes:
|
|||||||
o properly return an error code in curl_easy_recv
|
o properly return an error code in curl_easy_recv
|
||||||
o Sun compilers specific preprocessor block removed from curlbuild.h.dist
|
o Sun compilers specific preprocessor block removed from curlbuild.h.dist
|
||||||
o allow creation of four way fat libcurl Mac OS X Framework
|
o allow creation of four way fat libcurl Mac OS X Framework
|
||||||
o memory leaks in libcurl+NSS
|
o several memory leaks in libcurl+NSS
|
||||||
o improved the CURLOPT_NOBODY set to 0 confusions
|
o improved the CURLOPT_NOBODY set to 0 confusions
|
||||||
o persistent connections when doing FTP over a HTTP proxy
|
o persistent connections when doing FTP over a HTTP proxy
|
||||||
o --libcurl bogus strings where other data was pointed to
|
o --libcurl bogus strings where other data was pointed to
|
||||||
|
|||||||
32
lib/nss.c
32
lib/nss.c
@ -527,6 +527,7 @@ static int nss_load_key(struct connectdata *conn, int sockindex, char *key_file)
|
|||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
free(parg);
|
free(parg);
|
||||||
|
PK11_FreeSlot(slot);
|
||||||
|
|
||||||
return 1;
|
return 1;
|
||||||
#else
|
#else
|
||||||
@ -819,9 +820,9 @@ static SECStatus SelectClientCert(void *arg, PRFileDesc *sock,
|
|||||||
struct CERTCertificateStr **pRetCert,
|
struct CERTCertificateStr **pRetCert,
|
||||||
struct SECKEYPrivateKeyStr **pRetKey)
|
struct SECKEYPrivateKeyStr **pRetKey)
|
||||||
{
|
{
|
||||||
CERTCertificate *cert;
|
|
||||||
SECKEYPrivateKey *privKey;
|
SECKEYPrivateKey *privKey;
|
||||||
char *nickname = (char *)arg;
|
struct ssl_connect_data *connssl = (struct ssl_connect_data *) arg;
|
||||||
|
char *nickname = connssl->client_nickname;
|
||||||
void *proto_win = NULL;
|
void *proto_win = NULL;
|
||||||
SECStatus secStatus = SECFailure;
|
SECStatus secStatus = SECFailure;
|
||||||
PK11SlotInfo *slot;
|
PK11SlotInfo *slot;
|
||||||
@ -832,34 +833,35 @@ static SECStatus SelectClientCert(void *arg, PRFileDesc *sock,
|
|||||||
if(!nickname)
|
if(!nickname)
|
||||||
return secStatus;
|
return secStatus;
|
||||||
|
|
||||||
cert = PK11_FindCertFromNickname(nickname, proto_win);
|
connssl->client_cert = PK11_FindCertFromNickname(nickname, proto_win);
|
||||||
if(cert) {
|
if(connssl->client_cert) {
|
||||||
|
|
||||||
if(!strncmp(nickname, "PEM Token", 9)) {
|
if(!strncmp(nickname, "PEM Token", 9)) {
|
||||||
CK_SLOT_ID slotID = 1; /* hardcoded for now */
|
CK_SLOT_ID slotID = 1; /* hardcoded for now */
|
||||||
char slotname[SLOTSIZE];
|
char slotname[SLOTSIZE];
|
||||||
snprintf(slotname, SLOTSIZE, "PEM Token #%ld", slotID);
|
snprintf(slotname, SLOTSIZE, "PEM Token #%ld", slotID);
|
||||||
slot = PK11_FindSlotByName(slotname);
|
slot = PK11_FindSlotByName(slotname);
|
||||||
privKey = PK11_FindPrivateKeyFromCert(slot, cert, NULL);
|
privKey = PK11_FindPrivateKeyFromCert(slot, connssl->client_cert, NULL);
|
||||||
PK11_FreeSlot(slot);
|
PK11_FreeSlot(slot);
|
||||||
if(privKey) {
|
if(privKey) {
|
||||||
secStatus = SECSuccess;
|
secStatus = SECSuccess;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
else {
|
else {
|
||||||
privKey = PK11_FindKeyByAnyCert(cert, proto_win);
|
privKey = PK11_FindKeyByAnyCert(connssl->client_cert, proto_win);
|
||||||
if(privKey)
|
if(privKey)
|
||||||
secStatus = SECSuccess;
|
secStatus = SECSuccess;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if(secStatus == SECSuccess) {
|
if(secStatus == SECSuccess) {
|
||||||
*pRetCert = cert;
|
*pRetCert = connssl->client_cert;
|
||||||
*pRetKey = privKey;
|
*pRetKey = privKey;
|
||||||
}
|
}
|
||||||
else {
|
else {
|
||||||
if(cert)
|
if(connssl->client_cert)
|
||||||
CERT_DestroyCertificate(cert);
|
CERT_DestroyCertificate(connssl->client_cert);
|
||||||
|
connssl->client_cert = NULL;
|
||||||
}
|
}
|
||||||
|
|
||||||
return secStatus;
|
return secStatus;
|
||||||
@ -891,8 +893,12 @@ void Curl_nss_cleanup(void)
|
|||||||
* as a safety feature.
|
* as a safety feature.
|
||||||
*/
|
*/
|
||||||
PR_Lock(nss_initlock);
|
PR_Lock(nss_initlock);
|
||||||
if (initialized)
|
if (initialized) {
|
||||||
|
if(mod)
|
||||||
|
SECMOD_DestroyModule(mod);
|
||||||
|
mod = NULL;
|
||||||
NSS_Shutdown();
|
NSS_Shutdown();
|
||||||
|
}
|
||||||
PR_Unlock(nss_initlock);
|
PR_Unlock(nss_initlock);
|
||||||
|
|
||||||
PR_DestroyLock(nss_initlock);
|
PR_DestroyLock(nss_initlock);
|
||||||
@ -940,6 +946,8 @@ void Curl_nss_close(struct connectdata *conn, int sockindex)
|
|||||||
free(connssl->client_nickname);
|
free(connssl->client_nickname);
|
||||||
connssl->client_nickname = NULL;
|
connssl->client_nickname = NULL;
|
||||||
}
|
}
|
||||||
|
if(connssl->client_cert)
|
||||||
|
CERT_DestroyCertificate(connssl->client_cert);
|
||||||
if(connssl->key)
|
if(connssl->key)
|
||||||
(void)PK11_DestroyGenericObject(connssl->key);
|
(void)PK11_DestroyGenericObject(connssl->key);
|
||||||
if(connssl->cacert[1])
|
if(connssl->cacert[1])
|
||||||
@ -981,6 +989,7 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex)
|
|||||||
if (connssl->state == ssl_connection_complete)
|
if (connssl->state == ssl_connection_complete)
|
||||||
return CURLE_OK;
|
return CURLE_OK;
|
||||||
|
|
||||||
|
connssl->client_cert = NULL;
|
||||||
connssl->cacert[0] = NULL;
|
connssl->cacert[0] = NULL;
|
||||||
connssl->cacert[1] = NULL;
|
connssl->cacert[1] = NULL;
|
||||||
connssl->key = NULL;
|
connssl->key = NULL;
|
||||||
@ -1207,8 +1216,7 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex)
|
|||||||
|
|
||||||
if(SSL_GetClientAuthDataHook(model,
|
if(SSL_GetClientAuthDataHook(model,
|
||||||
(SSLGetClientAuthData) SelectClientCert,
|
(SSLGetClientAuthData) SelectClientCert,
|
||||||
(void *)connssl->client_nickname) !=
|
(void *)connssl) != SECSuccess) {
|
||||||
SECSuccess) {
|
|
||||||
curlerr = CURLE_SSL_CERTPROBLEM;
|
curlerr = CURLE_SSL_CERTPROBLEM;
|
||||||
goto error;
|
goto error;
|
||||||
}
|
}
|
||||||
|
|||||||
@ -211,6 +211,7 @@ struct ssl_connect_data {
|
|||||||
#ifdef USE_NSS
|
#ifdef USE_NSS
|
||||||
PRFileDesc *handle;
|
PRFileDesc *handle;
|
||||||
char *client_nickname;
|
char *client_nickname;
|
||||||
|
CERTCertificate *client_cert;
|
||||||
#ifdef HAVE_PK11_CREATEGENERICOBJECT
|
#ifdef HAVE_PK11_CREATEGENERICOBJECT
|
||||||
PK11GenericObject *key;
|
PK11GenericObject *key;
|
||||||
PK11GenericObject *cacert[2];
|
PK11GenericObject *cacert[2];
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user