- Claes Jakobsson provided a patch for libcurl-NSS that fixed a bad refcount

  issue with client certs that caused issues like segfaults.
  http://curl.haxx.se/mail/lib-2009-05/0316.html

CHANGES

@@ -7,6 +7,10 @@
                                   Changelog
 
 Daniel Stenberg (8 Jun 2009)
+- Claes Jakobsson provided a patch for libcurl-NSS that fixed a bad refcount
+  issue with client certs that caused issues like segfaults.
+  http://curl.haxx.se/mail/lib-2009-05/0316.html
+
 - Triggered by bug report #2798852 and the patch in there, I fixed configure
   to detect gnutls build options with pkg-config only and not libgnutls-config
   anymore since GnuTLS has stopped distributing that tool. If an explicit path

RELEASE-NOTES

@@ -18,7 +18,6 @@ This release includes the following bugfixes:
  o build fix for Symbian
  o CURLOPT_USERPWD set to NULL clears auth credentials
  o libcurl-NSS build fixes
- o libcurl-NSS build fix
  o configure script fixed for VMS
  o set Content-Length: with POST and PUT failed with NTLM auth
  o allow building libcurl for VxWorks
@@ -26,6 +25,7 @@ This release includes the following bugfixes:
  o --no-buffer treated correctly
  o djgpp build fix
  o configure detection of GnuTLS now based on pkg-config
+ o libcurl-NSS client cert handling segfaults
 
 This release includes the following known bugs:
 

lib/nss.c

@@ -786,7 +786,8 @@ static SECStatus SelectClientCert(void *arg, PRFileDesc *sock,
                                   struct CERTCertificateStr **pRetCert,
                                   struct SECKEYPrivateKeyStr **pRetKey)
 {
-  SECKEYPrivateKey *privKey;
+  SECKEYPrivateKey *privKey = NULL;
+  CERTCertificate *cert;
   struct ssl_connect_data *connssl = (struct ssl_connect_data *) arg;
   char *nickname = connssl->client_nickname;
   void *proto_win = NULL;
@@ -799,36 +800,32 @@ static SECStatus SelectClientCert(void *arg, PRFileDesc *sock,
   if(!nickname)
     return secStatus;
 
-  connssl->client_cert = PK11_FindCertFromNickname(nickname, proto_win);
-  if(connssl->client_cert) {
-
+  cert = PK11_FindCertFromNickname(nickname, proto_win);
+  if(cert) {
     if(!strncmp(nickname, "PEM Token", 9)) {
       CK_SLOT_ID slotID = 1; /* hardcoded for now */
       char slotname[SLOTSIZE];
       snprintf(slotname, SLOTSIZE, "PEM Token #%ld", slotID);
       slot = PK11_FindSlotByName(slotname);
-      privKey = PK11_FindPrivateKeyFromCert(slot, connssl->client_cert, NULL);
+      privKey = PK11_FindPrivateKeyFromCert(slot, cert, NULL);
       PK11_FreeSlot(slot);
       if(privKey) {
         secStatus = SECSuccess;
       }
     }
     else {
-      privKey = PK11_FindKeyByAnyCert(connssl->client_cert, proto_win);
+      privKey = PK11_FindKeyByAnyCert(cert, proto_win);
       if(privKey)
         secStatus = SECSuccess;
     }
   }
 
-  if(secStatus == SECSuccess) {
-    *pRetCert = connssl->client_cert;
-    *pRetKey = privKey;
-  }
-  else {
-    if(connssl->client_cert)
-      CERT_DestroyCertificate(connssl->client_cert);
-    connssl->client_cert = NULL;
-  }
+  *pRetCert = cert;
+  *pRetKey = privKey;
+  
+  /* There's no need to destroy either cert or privKey as 
+   * NSS will do that for us even if returning SECFailure
+   */
 
   return secStatus;
 }
@@ -912,8 +909,6 @@ void Curl_nss_close(struct connectdata *conn, int sockindex)
       free(connssl->client_nickname);
       connssl->client_nickname = NULL;
     }
-    if(connssl->client_cert)
-      CERT_DestroyCertificate(connssl->client_cert);
 #ifdef HAVE_PK11_CREATEGENERICOBJECT      
     if(connssl->key)
       (void)PK11_DestroyGenericObject(connssl->key);
@@ -957,7 +952,6 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex)
   if (connssl->state == ssl_connection_complete)
     return CURLE_OK;
 
-  connssl->client_cert = NULL;
 #ifdef HAVE_PK11_CREATEGENERICOBJECT  
   connssl->cacert[0] = NULL;
   connssl->cacert[1] = NULL;

lib/urldata.h

@@ -211,7 +211,6 @@ struct ssl_connect_data {
 #ifdef USE_NSS
   PRFileDesc *handle;
   char *client_nickname;
-  CERTCertificate *client_cert;
 #ifdef HAVE_PK11_CREATEGENERICOBJECT
   PK11GenericObject *key;
   PK11GenericObject *cacert[2];