nss: avoid a SIGSEGV with immature version of NSS

Bug: https://bugzilla.redhat.com/733685
2025-03-31 16:00:35 +08:00 · 2011-09-06 18:17:38 +02:00 · 2011-09-06 18:17:38 +02:00 · 491c5a497c
commit 491c5a497c
parent 06e6755e87
1 changed files with 23 additions and 1 deletions
--- a/lib/nss.c
+++ b/lib/nss.c
@ -382,7 +382,29 @@ static CURLcode nss_load_cert(struct ssl_connect_data *ssl,
  /* libnsspem.so leaks memory if the requested file does not exist.  For more
   * details, go to <https://bugzilla.redhat.com/734760>. */
  if(is_file(filename))
-    return nss_create_object(ssl, CKO_CERTIFICATE, filename, cacert);
+    err = nss_create_object(ssl, CKO_CERTIFICATE, filename, cacert);
+
+  if(CURLE_OK == err && !cacert) {
+    /* we have successfully loaded a client certificate */
+    CERTCertificate *cert;
+    char *nickname = NULL;
+    char *n = strrchr(filename, '/');
+    if(n)
+      n++;
+
+    /* The following undocumented magic helps to avoid a SIGSEGV on call
+     * of PK11_ReadRawAttribute() from SelectClientCert() when using an
+     * immature version of libnsspem.so.  For more details, go to
+     * <https://bugzilla.redhat.com/733685>. */
+    nickname = aprintf("PEM Token #1:%s", n);
+    if(nickname) {
+      cert = PK11_FindCertFromNickname(nickname, NULL);
+      if(cert)
+        CERT_DestroyCertificate(cert);
+
+      free(nickname);
+    }
+  }
 #endif

  return err;