From: Kamil Dudka
Date: Tue, 6 Sep 2011 16:17:38 +0000 (+0200)
Subject: nss: avoid a SIGSEGV with immature version of NSS
X-Git-Tag: curl-7_23_0~66
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=491c5a497cc4cab0a488a0c94eec7d518d57d304;p=thirdparty%2Fcurl.git

nss: avoid a SIGSEGV with immature version of NSS

Bug: https://bugzilla.redhat.com/733685
---

diff --git a/lib/nss.c b/lib/nss.c
index 25293d5a59..f63d9718be 100644
--- a/lib/nss.c
+++ b/lib/nss.c
@@ -382,7 +382,29 @@ static CURLcode nss_load_cert(struct ssl_connect_data *ssl,
 /* libnsspem.so leaks memory if the requested file does not exist. For more
 * details, go to . */
 if(is_file(filename))
- return nss_create_object(ssl, CKO_CERTIFICATE, filename, cacert);
+ err = nss_create_object(ssl, CKO_CERTIFICATE, filename, cacert);
+
+ if(CURLE_OK == err && !cacert) {
+ /* we have successfully loaded a client certificate */
+ CERTCertificate *cert;
+ char *nickname = NULL;
+ char *n = strrchr(filename, '/');
+ if(n)
+ n++;
+
+ /* The following undocumented magic helps to avoid a SIGSEGV on call
+ * of PK11_ReadRawAttribute() from SelectClientCert() when using an
+ * immature version of libnsspem.so. For more details, go to
+ * . */
+ nickname = aprintf("PEM Token #1:%s", n);
+ if(nickname) {
+ cert = PK11_FindCertFromNickname(nickname, NULL);
+ if(cert)
+ CERT_DestroyCertificate(cert);
+
+ free(nickname);
+ }
+ }
 #endif

 return err;
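Review bot: In the added client-certificate block, `n` stays NULL when `filename` contains no '/', and that NULL is then handed to `%s` in `aprintf("PEM Token #1:%s", n)`. The lookup would then use a nickname that cannot match the object just loaded, so the workaround silently does nothing on exactly the path it is meant to protect; it also relies on the formatter tolerating a NULL string argument. Falling back to the whole name avoids both, assuming `filename` is a `const char *`: `const char *n = strrchr(filename, '/'); n = n ? n + 1 : filename;`. nss_load_cert starts outside the hunk, so it is not visible whether a slash-less name can reach this point, nor what `err` holds when `is_file()` fails. If `err` could still be `CURLE_OK` there, this block would run without any certificate having been loaded, so a short comment stating the initial value of `err` would help the next reader.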