fix curl/nss memory leaks while using client certificate (#453612)
This commit is contained in:
parent
091f78c70f
commit
c059575de3
|
@ -0,0 +1,118 @@
|
||||||
|
diff -ruNp curl-7.19.4.orig/lib/nss.c curl-7.19.4/lib/nss.c
|
||||||
|
--- curl-7.19.4.orig/lib/nss.c 2009-04-27 09:48:12.548102000 +0200
|
||||||
|
+++ curl-7.19.4/lib/nss.c 2009-04-27 09:48:32.993420443 +0200
|
||||||
|
@@ -527,6 +527,7 @@ static int nss_load_key(struct connectda
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
free(parg);
|
||||||
|
+ PK11_FreeSlot(slot);
|
||||||
|
|
||||||
|
return 1;
|
||||||
|
#else
|
||||||
|
@@ -819,9 +820,9 @@ static SECStatus SelectClientCert(void *
|
||||||
|
struct CERTCertificateStr **pRetCert,
|
||||||
|
struct SECKEYPrivateKeyStr **pRetKey)
|
||||||
|
{
|
||||||
|
- CERTCertificate *cert;
|
||||||
|
SECKEYPrivateKey *privKey;
|
||||||
|
- char *nickname = (char *)arg;
|
||||||
|
+ struct ssl_connect_data *connssl = (struct ssl_connect_data *) arg;
|
||||||
|
+ char *nickname = connssl->client_nickname;
|
||||||
|
void *proto_win = NULL;
|
||||||
|
SECStatus secStatus = SECFailure;
|
||||||
|
PK11SlotInfo *slot;
|
||||||
|
@@ -832,34 +833,35 @@ static SECStatus SelectClientCert(void *
|
||||||
|
if(!nickname)
|
||||||
|
return secStatus;
|
||||||
|
|
||||||
|
- cert = PK11_FindCertFromNickname(nickname, proto_win);
|
||||||
|
- if(cert) {
|
||||||
|
+ connssl->client_cert = PK11_FindCertFromNickname(nickname, proto_win);
|
||||||
|
+ if(connssl->client_cert) {
|
||||||
|
|
||||||
|
if(!strncmp(nickname, "PEM Token", 9)) {
|
||||||
|
CK_SLOT_ID slotID = 1; /* hardcoded for now */
|
||||||
|
char slotname[SLOTSIZE];
|
||||||
|
snprintf(slotname, SLOTSIZE, "PEM Token #%ld", slotID);
|
||||||
|
slot = PK11_FindSlotByName(slotname);
|
||||||
|
- privKey = PK11_FindPrivateKeyFromCert(slot, cert, NULL);
|
||||||
|
+ privKey = PK11_FindPrivateKeyFromCert(slot, connssl->client_cert, NULL);
|
||||||
|
PK11_FreeSlot(slot);
|
||||||
|
if(privKey) {
|
||||||
|
secStatus = SECSuccess;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
- privKey = PK11_FindKeyByAnyCert(cert, proto_win);
|
||||||
|
+ privKey = PK11_FindKeyByAnyCert(connssl->client_cert, proto_win);
|
||||||
|
if(privKey)
|
||||||
|
secStatus = SECSuccess;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
if(secStatus == SECSuccess) {
|
||||||
|
- *pRetCert = cert;
|
||||||
|
+ *pRetCert = connssl->client_cert;
|
||||||
|
*pRetKey = privKey;
|
||||||
|
}
|
||||||
|
else {
|
||||||
|
- if(cert)
|
||||||
|
- CERT_DestroyCertificate(cert);
|
||||||
|
+ if(connssl->client_cert)
|
||||||
|
+ CERT_DestroyCertificate(connssl->client_cert);
|
||||||
|
+ connssl->client_cert = NULL;
|
||||||
|
}
|
||||||
|
|
||||||
|
return secStatus;
|
||||||
|
@@ -891,8 +893,12 @@ void Curl_nss_cleanup(void)
|
||||||
|
* as a safety feature.
|
||||||
|
*/
|
||||||
|
PR_Lock(nss_initlock);
|
||||||
|
- if (initialized)
|
||||||
|
+ if (initialized) {
|
||||||
|
+ if(mod)
|
||||||
|
+ SECMOD_DestroyModule(mod);
|
||||||
|
+ mod = NULL;
|
||||||
|
NSS_Shutdown();
|
||||||
|
+ }
|
||||||
|
PR_Unlock(nss_initlock);
|
||||||
|
|
||||||
|
PR_DestroyLock(nss_initlock);
|
||||||
|
@@ -940,6 +946,8 @@ void Curl_nss_close(struct connectdata *
|
||||||
|
free(connssl->client_nickname);
|
||||||
|
connssl->client_nickname = NULL;
|
||||||
|
}
|
||||||
|
+ if(connssl->client_cert)
|
||||||
|
+ CERT_DestroyCertificate(connssl->client_cert);
|
||||||
|
if(connssl->key)
|
||||||
|
(void)PK11_DestroyGenericObject(connssl->key);
|
||||||
|
if(connssl->cacert[1])
|
||||||
|
@@ -981,6 +989,7 @@ CURLcode Curl_nss_connect(struct connect
|
||||||
|
if (connssl->state == ssl_connection_complete)
|
||||||
|
return CURLE_OK;
|
||||||
|
|
||||||
|
+ connssl->client_cert = NULL;
|
||||||
|
connssl->cacert[0] = NULL;
|
||||||
|
connssl->cacert[1] = NULL;
|
||||||
|
connssl->key = NULL;
|
||||||
|
@@ -1207,8 +1216,7 @@ CURLcode Curl_nss_connect(struct connect
|
||||||
|
|
||||||
|
if(SSL_GetClientAuthDataHook(model,
|
||||||
|
(SSLGetClientAuthData) SelectClientCert,
|
||||||
|
- (void *)connssl->client_nickname) !=
|
||||||
|
- SECSuccess) {
|
||||||
|
+ (void *)connssl) != SECSuccess) {
|
||||||
|
curlerr = CURLE_SSL_CERTPROBLEM;
|
||||||
|
goto error;
|
||||||
|
}
|
||||||
|
diff -ruNp curl-7.19.4.orig/lib/urldata.h curl-7.19.4/lib/urldata.h
|
||||||
|
--- curl-7.19.4.orig/lib/urldata.h 2009-04-27 09:48:12.550102000 +0200
|
||||||
|
+++ curl-7.19.4/lib/urldata.h 2009-04-27 09:48:19.821215391 +0200
|
||||||
|
@@ -211,6 +211,7 @@ struct ssl_connect_data {
|
||||||
|
#ifdef USE_NSS
|
||||||
|
PRFileDesc *handle;
|
||||||
|
char *client_nickname;
|
||||||
|
+ CERTCertificate *client_cert;
|
||||||
|
#ifdef HAVE_PK11_CREATEGENERICOBJECT
|
||||||
|
PK11GenericObject *key;
|
||||||
|
PK11GenericObject *cacert[2];
|
|
@ -1,7 +1,7 @@
|
||||||
Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
|
Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
|
||||||
Name: curl
|
Name: curl
|
||||||
Version: 7.19.4
|
Version: 7.19.4
|
||||||
Release: 9%{?dist}
|
Release: 10%{?dist}
|
||||||
License: MIT
|
License: MIT
|
||||||
Group: Applications/Internet
|
Group: Applications/Internet
|
||||||
Source: http://curl.haxx.se/download/%{name}-%{version}.tar.bz2
|
Source: http://curl.haxx.se/download/%{name}-%{version}.tar.bz2
|
||||||
|
@ -12,6 +12,7 @@ Patch4: curl-7.19.4-tool-leak.patch
|
||||||
Patch5: curl-7.19.4-enable-aes.patch
|
Patch5: curl-7.19.4-enable-aes.patch
|
||||||
Patch6: curl-7.19.4-nss-leak.patch
|
Patch6: curl-7.19.4-nss-leak.patch
|
||||||
Patch7: curl-7.19.4-debug.patch
|
Patch7: curl-7.19.4-debug.patch
|
||||||
|
Patch8: curl-7.19.4-nss-leak2.patch
|
||||||
Provides: webclient
|
Provides: webclient
|
||||||
URL: http://curl.haxx.se/
|
URL: http://curl.haxx.se/
|
||||||
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
|
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
|
||||||
|
@ -58,6 +59,7 @@ use cURL's capabilities internally.
|
||||||
%patch5 -p1 -b .enableaes
|
%patch5 -p1 -b .enableaes
|
||||||
%patch6 -p1 -b .nssleak
|
%patch6 -p1 -b .nssleak
|
||||||
%patch7 -p1 -b .debug
|
%patch7 -p1 -b .debug
|
||||||
|
%patch8 -p1 -b .nssleak2
|
||||||
|
|
||||||
# Convert docs to UTF-8
|
# Convert docs to UTF-8
|
||||||
for f in CHANGES README; do
|
for f in CHANGES README; do
|
||||||
|
@ -150,6 +152,10 @@ rm -rf $RPM_BUILD_ROOT
|
||||||
%{_datadir}/aclocal/libcurl.m4
|
%{_datadir}/aclocal/libcurl.m4
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Mon Apr 27 2009 Kamil Dudka <kdudka@redhat.com> 7.19.4-10
|
||||||
|
- fix curl/nss memory leaks while using client certificate (#453612, accepted
|
||||||
|
by upstream)
|
||||||
|
|
||||||
* Wed Apr 22 2009 Kamil Dudka <kdudka@redhat.com> 7.19.4-9
|
* Wed Apr 22 2009 Kamil Dudka <kdudka@redhat.com> 7.19.4-9
|
||||||
- add missing BuildRequire for autoconf
|
- add missing BuildRequire for autoconf
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue