From: Kamil Dudka Date: Mon, 22 Aug 2016 08:24:35 +0000 (+0200) Subject: nss: refuse previously loaded certificate from file X-Git-Tag: curl-7_50_2~32 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=7700fcba64bf5806de28f6c1c7da3b4f0b38567d;p=curl nss: refuse previously loaded certificate from file ... when we are not asked to use a certificate from file --- diff --git a/RELEASE-NOTES b/RELEASE-NOTES index ae49a0588..b8a98a99e 100644 --- a/RELEASE-NOTES +++ b/RELEASE-NOTES @@ -37,6 +37,7 @@ This release includes the following bugfixes: o SOCKS: display the hostname returned by the SOCKS5 proxy server o sasl: Don't use GSSAPI authentication when domain name not specified [16] o win: Basic support for Universal Windows Platform apps [17] + o nss: fix incorrect use of a previously loaded certificate from file This release includes the following known bugs: diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c index 20c4277ce..cfb226328 100644 --- a/lib/vtls/nss.c +++ b/lib/vtls/nss.c @@ -1002,10 +1002,10 @@ static SECStatus SelectClientCert(void *arg, PRFileDesc *sock, struct ssl_connect_data *connssl = (struct ssl_connect_data *)arg; struct Curl_easy *data = connssl->data; const char *nickname = connssl->client_nickname; + static const char pem_slotname[] = "PEM Token #1"; if(connssl->obj_clicert) { /* use the cert/key provided by PEM reader */ - static const char pem_slotname[] = "PEM Token #1"; SECItem cert_der = { 0, NULL, 0 }; void *proto_win = SSL_RevealPinArg(sock); struct CERTCertificateStr *cert; @@ -1067,6 +1067,12 @@ static SECStatus SelectClientCert(void *arg, PRFileDesc *sock, if(NULL == nickname) nickname = "[unknown]"; + if(!strncmp(nickname, pem_slotname, sizeof(pem_slotname) - 1U)) { + failf(data, "NSS: refusing previously loaded certificate from file: %s", + nickname); + return SECFailure; + } + if(NULL == *pRetKey) { failf(data, "NSS: private key not found for certificate: %s", nickname); return SECFailure;