From b4d5a85714dc37d3aa0aa6ed7b37d95205b0f13a Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Tue, 24 Feb 2015 15:10:15 +0100 Subject: [PATCH] nss: improve error handling in Curl_nss_random() The vtls layer now checks the return value, so it is no longer necessary to abort if a random number cannot be provided by NSS. This also fixes the following Coverity report: Error: FORWARD_NULL (CWE-476): lib/vtls/nss.c:1918: var_compare_op: Comparing "data" to null implies that "data" might be null. lib/vtls/nss.c:1923: var_deref_model: Passing null pointer "data" to "Curl_failf", which dereferences it. lib/sendf.c:154:3: deref_parm: Directly dereferencing parameter "data". Upstream-commit: 7a1538d9cc0736e0a9ab13cf115db40a0bfbb152 Signed-off-by: Kamil Dudka --- lib/vtls/nss.c | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c index 16b9124..1dd56ba 100644 --- a/lib/vtls/nss.c +++ b/lib/vtls/nss.c @@ -1918,11 +1918,9 @@ int Curl_nss_random(struct SessionHandle *data, if(data) Curl_nss_seed(data); /* Initiate the seed if not already done */ - if(SECSuccess != PK11_GenerateRandom(entropy, curlx_uztosi(length))) { - /* no way to signal a failure from here, we have to abort */ - failf(data, "PK11_GenerateRandom() failed, calling abort()..."); - abort(); - } + if(SECSuccess != PK11_GenerateRandom(entropy, curlx_uztosi(length))) + /* signal a failure */ + return -1; return 0; } -- 2.1.0 From 6d5b40e46ec36a19bc4ee76ec674058088bec8ba Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Tue, 24 Feb 2015 15:18:45 +0100 Subject: [PATCH] nss: do not skip Curl_nss_seed() if data is NULL In that case, we only skip writing the error message for failed NSS initialization (while still returning the correct error code). Upstream-commit: 4909f7c795a4490dbb29e89b8b1564af86ee5999 Signed-off-by: Kamil Dudka --- lib/vtls/nss.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c index 1dd56ba..e201dec 100644 --- a/lib/vtls/nss.c +++ b/lib/vtls/nss.c @@ -1034,6 +1034,7 @@ static PRStatus nspr_io_close(PRFileDesc *fd) return close_fn(fd); } +/* data might be NULL */ static CURLcode nss_init_core(struct SessionHandle *data, const char *cert_dir) { NSSInitParameters initparams; @@ -1071,6 +1072,7 @@ static CURLcode nss_init_core(struct SessionHandle *data, const char *cert_dir) return CURLE_SSL_CACERT_BADFILE; } +/* data might be NULL */ static CURLcode nss_init(struct SessionHandle *data) { char *cert_dir; @@ -1149,12 +1151,14 @@ int Curl_nss_init(void) return 1; } +/* data might be NULL */ CURLcode Curl_nss_force_init(struct SessionHandle *data) { CURLcode result; if(!nss_initlock) { - failf(data, "unable to initialize NSS, curl_global_init() should have " - "been called with CURL_GLOBAL_SSL or CURL_GLOBAL_ALL"); + if(data) + failf(data, "unable to initialize NSS, curl_global_init() should have " + "been called with CURL_GLOBAL_SSL or CURL_GLOBAL_ALL"); return CURLE_FAILED_INIT; } @@ -1904,6 +1908,7 @@ size_t Curl_nss_version(char *buffer, size_t size) return snprintf(buffer, size, "NSS/%s", NSS_VERSION); } +/* data might be NULL */ int Curl_nss_seed(struct SessionHandle *data) { /* make sure that NSS is initialized */ @@ -1915,8 +1920,7 @@ int Curl_nss_random(struct SessionHandle *data, unsigned char *entropy, size_t length) { - if(data) - Curl_nss_seed(data); /* Initiate the seed if not already done */ + Curl_nss_seed(data); /* Initiate the seed if not already done */ if(SECSuccess != PK11_GenerateRandom(entropy, curlx_uztosi(length))) /* signal a failure */ -- 2.1.0 From abe5470533db524abfbb7f7e078c15c159aa66d9 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Tue, 24 Feb 2015 18:58:55 +0100 Subject: [PATCH] curl-config.in: eliminate double quotes around CURL_CA_BUNDLE Otherwise it expands to: echo ""/etc/pki/tls/certs/ca-bundle.crt"" Detected by ShellCheck: curl-config:74:16: warning: The double quotes around this do nothing. Remove or escape them. [SC2140] Upstream-commit: e47b8306db14ed1ccd66f774bded2d59602d2c88 Signed-off-by: Kamil Dudka --- curl-config.in | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/curl-config.in b/curl-config.in index 1ddf4c2..9398722 100644 --- a/curl-config.in +++ b/curl-config.in @@ -71,7 +71,7 @@ while test $# -gt 0; do ;; --ca) - echo "@CURL_CA_BUNDLE@" + echo @CURL_CA_BUNDLE@ ;; --cc) -- 2.1.0