1 diff -ruNp curl-7.19.4.orig/lib/nss.c curl-7.19.4/lib/nss.c
2 --- curl-7.19.4.orig/lib/nss.c 2009-04-10 12:51:24.940363000 +0200
3 +++ curl-7.19.4/lib/nss.c 2009-04-10 12:51:59.268700902 +0200
4 @@ -282,13 +282,12 @@ static int is_file(const char *filename)
9 -nss_load_cert(const char *filename, PRBool cacert)
10 +static int nss_load_cert(struct ssl_connect_data *ssl,
11 + const char *filename, PRBool cacert)
13 #ifdef HAVE_PK11_CREATEGENERICOBJECT
15 PK11SlotInfo * slot = NULL;
16 - PK11GenericObject *rv;
18 CK_ATTRIBUTE theTemplate[20];
19 CK_BBOOL cktrue = CK_TRUE;
20 @@ -363,11 +362,12 @@ nss_load_cert(const char *filename, PRBo
21 /* This load the certificate in our PEM module into the appropriate
24 - rv = PK11_CreateGenericObject(slot, theTemplate, 4, PR_FALSE /* isPerm */);
25 + ssl->cacert[slotID] = PK11_CreateGenericObject(slot, theTemplate, 4,
26 + PR_FALSE /* isPerm */);
31 + if(ssl->cacert[slotID] == NULL) {
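Review bot: The assignment `ssl->cacert[slotID] = PK11_CreateGenericObject(...)` silently drops whatever handle that slot already held, so the directory loop in the @@ -1128 hunk, which calls nss_load_cert once per file in CApath with PR_TRUE, leaves only the last object for Curl_nss_close to destroy and leaks every earlier one. Destroying the previous object before overwriting would stop the leak, but if destroying it also removes that CA from the PEM module (not visible from here) it would silently shrink the trust set, so a per-connection list of every created object is the safer shape. slotID is computed outside this hunk; with cacert declared as a two-element array it is worth confirming it can only ever be 0 or 1 at this write. The body of nss_load_cert extends beyond this hunk.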
35 @@ -474,11 +474,10 @@ static int nss_load_crl(const char* crlf
39 -static int nss_load_key(struct connectdata *conn, char *key_file)
40 +static int nss_load_key(struct connectdata *conn, int sockindex, char *key_file)
42 #ifdef HAVE_PK11_CREATEGENERICOBJECT
43 PK11SlotInfo * slot = NULL;
44 - PK11GenericObject *rv;
46 CK_ATTRIBUTE theTemplate[20];
47 CK_BBOOL cktrue = CK_TRUE;
48 @@ -486,6 +485,7 @@ static int nss_load_key(struct connectda
50 pphrase_arg_t *parg = NULL;
51 char slotname[SLOTSIZE];
52 + struct ssl_connect_data *sslconn = &conn->ssl[sockindex];
56 @@ -505,8 +505,9 @@ static int nss_load_key(struct connectda
57 strlen(key_file)+1); attrs++;
59 /* When adding an encrypted key the PKCS#11 will be set as removed */
60 - rv = PK11_CreateGenericObject(slot, theTemplate, 3, PR_FALSE /* isPerm */);
62 + sslconn->key = PK11_CreateGenericObject(slot, theTemplate, 3,
63 + PR_FALSE /* isPerm */);
64 + if(sslconn->key == NULL) {
65 PR_SetError(SEC_ERROR_BAD_KEY, 0);
68 @@ -554,13 +555,14 @@ static int display_error(struct connectd
69 return 0; /* The caller will print a generic error */
72 -static int cert_stuff(struct connectdata *conn, char *cert_file, char *key_file)
73 +static int cert_stuff(struct connectdata *conn,
74 + int sockindex, char *cert_file, char *key_file)
76 struct SessionHandle *data = conn->data;
80 - rv = nss_load_cert(cert_file, PR_FALSE);
81 + rv = nss_load_cert(&conn->ssl[sockindex], cert_file, PR_FALSE);
83 if(!display_error(conn, PR_GetError(), cert_file))
84 failf(data, "Unable to load client cert %d.", PR_GetError());
85 @@ -569,10 +571,10 @@ static int cert_stuff(struct connectdata
87 if(key_file || (is_file(cert_file))) {
89 - rv = nss_load_key(conn, key_file);
90 + rv = nss_load_key(conn, sockindex, key_file);
92 /* In case the cert file also has the key */
93 - rv = nss_load_key(conn, cert_file);
94 + rv = nss_load_key(conn, sockindex, cert_file);
96 if(!display_error(conn, PR_GetError(), key_file))
97 failf(data, "Unable to load client key %d.", PR_GetError());
98 @@ -938,6 +940,12 @@ void Curl_nss_close(struct connectdata *
99 free(connssl->client_nickname);
100 connssl->client_nickname = NULL;
103 + (void)PK11_DestroyGenericObject(connssl->key);
104 + if(connssl->cacert[1])
105 + (void)PK11_DestroyGenericObject(connssl->cacert[1]);
106 + if(connssl->cacert[0])
107 + (void)PK11_DestroyGenericObject(connssl->cacert[0]);
108 connssl->handle = NULL;
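Review bot: `PK11_DestroyGenericObject(connssl->key)` is called unconditionally while both cacert entries are NULL-checked first; key stays NULL on every connection that loaded no client key, and nothing in the hunk shows that a NULL argument is tolerated. None of the three pointers is cleared afterwards either, so a second close or any later use of connssl would see already-destroyed handles. I'd make the three destroys uniform and follow each with a reset: `if(connssl->key) (void)PK11_DestroyGenericObject(connssl->key);` then `connssl->key = NULL;`, and the same pair for cacert[0] and cacert[1]. The fields are declared under HAVE_PK11_CREATEGENERICOBJECT in the urldata.h hunk, and the lines just above this addition are not shown, so confirm the new destroys sit under the same guard. Curl_nss_close continues outside the hunk.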
111 @@ -973,6 +981,10 @@ CURLcode Curl_nss_connect(struct connect
112 if (connssl->state == ssl_connection_complete)
115 + connssl->cacert[0] = NULL;
116 + connssl->cacert[1] = NULL;
117 + connssl->key = NULL;
119 /* FIXME. NSS doesn't support multiple databases open at the same time. */
120 PR_Lock(nss_initlock);
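Review bot: Setting `connssl->cacert[0]`, `cacert[1]` and `key` to NULL here discards any handle a previous attempt stored without destroying it, since the reset sits after the early return on ssl_connection_complete but before anything that could have released them. If Curl_nss_connect can be re-entered on the same connectdata after a failed or partial handshake (the failure paths are outside the hunk), those objects leak in the same way this patch set out to fix. Either destroy-then-NULL here, or move the zeroing to where ssl_connect_data is first initialised, so the reset cannot hide a live handle. Curl_nss_connect continues outside the hunk.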
122 @@ -1100,7 +1112,8 @@ CURLcode Curl_nss_connect(struct connect
123 /* skip the verifying of the peer */
125 else if(data->set.ssl.CAfile) {
126 - int rc = nss_load_cert(data->set.ssl.CAfile, PR_TRUE);
127 + int rc = nss_load_cert(&conn->ssl[sockindex], data->set.ssl.CAfile,
130 curlerr = CURLE_SSL_CACERT_BADFILE;
132 @@ -1128,7 +1141,7 @@ CURLcode Curl_nss_connect(struct connect
134 snprintf(fullpath, sizeof(fullpath), "%s/%s", data->set.ssl.CApath,
136 - rc = nss_load_cert(fullpath, PR_TRUE);
137 + rc = nss_load_cert(&conn->ssl[sockindex], fullpath, PR_TRUE);
138 /* FIXME: check this return value! */
140 /* This is purposefully tolerant of errors so non-PEM files
141 @@ -1178,7 +1191,7 @@ CURLcode Curl_nss_connect(struct connect
145 - if(!cert_stuff(conn, data->set.str[STRING_CERT],
146 + if(!cert_stuff(conn, sockindex, data->set.str[STRING_CERT],
147 data->set.str[STRING_KEY])) {
148 /* failf() is already done in cert_stuff() */
150 diff -ruNp curl-7.19.4.orig/lib/urldata.h curl-7.19.4/lib/urldata.h
151 --- curl-7.19.4.orig/lib/urldata.h 2009-03-03 00:05:31.000000000 +0100
152 +++ curl-7.19.4/lib/urldata.h 2009-04-10 12:51:59.270700921 +0200
157 +#include <pk11pub.h>
161 @@ -210,6 +211,10 @@ struct ssl_connect_data {
164 char *client_nickname;
165 +#ifdef HAVE_PK11_CREATEGENERICOBJECT
166 + PK11GenericObject *key;
167 + PK11GenericObject *cacert[2];