[curl] clear session cache if a client cert from file is used

Kamil Dudka kdudka at fedoraproject.org
Tue Jan 15 13:01:28 UTC 2013


commit 513526c871871b6d20b72e4bbb3ace1753abc532
Author: Kamil Dudka <kdudka at redhat.com>
Date:   Tue Jan 15 13:49:48 2013 +0100

    clear session cache if a client cert from file is used

 0002-curl-7.28.1-b36f1d26.patch |   55 +++++++++++++++++++++++++++++++++++++++
 curl.spec                       |    5 +++
 2 files changed, 60 insertions(+), 0 deletions(-)
---
diff --git a/0002-curl-7.28.1-b36f1d26.patch b/0002-curl-7.28.1-b36f1d26.patch
new file mode 100644
index 0000000..c712da0
--- /dev/null
+++ b/0002-curl-7.28.1-b36f1d26.patch
@@ -0,0 +1,55 @@
+From fefd7cdcde39c56651f6e2c32be9cd79354ffdc4 Mon Sep 17 00:00:00 2001
+From: Kamil Dudka <kdudka at redhat.com>
+Date: Fri, 11 Jan 2013 10:24:21 +0100
+Subject: [PATCH 2/3] nss: clear session cache if a client cert from file is used
+
+This commit fixes a regression introduced in 052a08ff.
+
+NSS caches certs/keys returned by the SSL_GetClientAuthDataHook callback
+and if we connect second time to the same server, the cached cert/key
+pair is used.  If we use multiple client certificates for different
+paths on the same server, we need to clear the session cache to force
+NSS to call the hook again.  The commit 052a08ff prevented the session
+cache from being cleared if a client certificate from file was used.
+
+The condition is now fixed to cover both cases: consssl->client_nickname
+is not NULL if a client certificate from the NSS database is used and
+connssl->obj_clicert is not NULL if a client certificate from file is
+used.
+
+Review by: Kai Engert
+
+[upstream commit b36f1d26f830453ebaa17238f9bd1e396f618720]
+---
+ lib/nss.c |   12 ++++++++----
+ 1 files changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/lib/nss.c b/lib/nss.c
+index 794eccb..f97090a 100644
+--- a/lib/nss.c
++++ b/lib/nss.c
+@@ -1058,13 +1058,17 @@ void Curl_nss_close(struct connectdata *conn, int sockindex)
+        as closed to avoid double close */
+     fake_sclose(conn->sock[sockindex]);
+     conn->sock[sockindex] = CURL_SOCKET_BAD;
++
++    if((connssl->client_nickname != NULL) || (connssl->obj_clicert != NULL))
++      /* A server might require different authentication based on the
++       * particular path being requested by the client.  To support this
++       * scenario, we must ensure that a connection will never reuse the
++       * authentication data from a previous connection. */
++      SSL_InvalidateSession(connssl->handle);
++
+     if(connssl->client_nickname != NULL) {
+       free(connssl->client_nickname);
+       connssl->client_nickname = NULL;
+-
+-      /* force NSS to ask again for a client cert when connecting
+-       * next time to the same server */
+-      SSL_InvalidateSession(connssl->handle);
+     }
+     /* destroy all NSS objects in order to avoid failure of NSS shutdown */
+     Curl_llist_destroy(connssl->obj_list, NULL);
+-- 
+1.7.1
+
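Review bot: The new `if` guarding SSL_InvalidateSession in the nss.c hunk places a four-line comment between the condition and its single unbraced statement, which is easy to misread and fragile under later edits (a second statement added below the comment would silently fall outside the condition); brace it as `if((connssl->client_nickname != NULL) || (connssl->obj_clicert != NULL)) {` … `SSL_InvalidateSession(connssl->handle);` … `}`. Since this invalidation is what stops NSS from reusing a cached client cert/key pair on the next connection to the same server, any accidental change to the statement's scope here would reintroduce the regression the patch fixes, so the defensive braces are worth the two lines. The enclosing Curl_nss_close begins and ends outside the hunk. The embedded patch description also spells `consssl->client_nickname` where the code uses `connssl`, which should be corrected in the patch header so the two conditions read consistently.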
diff --git a/curl.spec b/curl.spec
index 7e314b1..7f6b7f1 100644
--- a/curl.spec
+++ b/curl.spec
@@ -11,6 +11,9 @@ Source3: hide_selinux.c
 # prevent NSS from crashing on client auth hook failure
 Patch1: 0001-curl-7.28.1-68d2830e.patch
 
+# clear session cache if a client cert from file is used
+Patch2: 0002-curl-7.28.1-b36f1d26.patch
+
 # patch making libcurl multilib ready
 Patch101: 0101-curl-7.27.0-multilib.patch
 
@@ -105,6 +108,7 @@ documentation of the library, too.
 
 # upstream patches
 %patch1 -p1
+%patch2 -p1
 
 # Fedora patches
 %patch101 -p1
@@ -230,6 +234,7 @@ rm -rf $RPM_BUILD_ROOT
 %changelog
 * Tue Jan 15 2013 Kamil Dudka <kdudka at redhat.com> 7.28.1-2
 - prevent NSS from crashing on client auth hook failure
+- clear session cache if a client cert from file is used
 
 * Tue Nov 20 2012 Kamil Dudka <kdudka at redhat.com> 7.28.1-1
 - new upstream release

