Commit 3e0c067e authored by Daniel Stenberg's avatar Daniel Stenberg

- Claes Jakobsson provided a patch for libcurl-NSS that fixed a bad refcount

  issue with client certs that caused issues like segfaults.
  http://curl.haxx.se/mail/lib-2009-05/0316.html
parent f90551ff
+4 −0
@@ -7,6 +7,10 @@
                                  Changelog

Daniel Stenberg (8 Jun 2009)
- Claes Jakobsson provided a patch for libcurl-NSS that fixed a bad refcount
  issue with client certs that caused issues like segfaults.
  http://curl.haxx.se/mail/lib-2009-05/0316.html

- Triggered by bug report #2798852 and the patch in there, I fixed configure
  to detect gnutls build options with pkg-config only and not libgnutls-config
  anymore since GnuTLS has stopped distributing that tool. If an explicit path
+1 −1
@@ -18,7 +18,6 @@ This release includes the following bugfixes:
 o build fix for Symbian
 o CURLOPT_USERPWD set to NULL clears auth credentials
 o libcurl-NSS build fixes
 o libcurl-NSS build fix
 o configure script fixed for VMS
 o set Content-Length: with POST and PUT failed with NTLM auth
 o allow building libcurl for VxWorks
@@ -26,6 +25,7 @@ This release includes the following bugfixes:
 o --no-buffer treated correctly
 o djgpp build fix
 o configure detection of GnuTLS now based on pkg-config
 o libcurl-NSS client cert handling segfaults

This release includes the following known bugs:

+12 −18
@@ -786,7 +786,8 @@ static SECStatus SelectClientCert(void *arg, PRFileDesc *sock,
                                  struct CERTCertificateStr **pRetCert,
                                  struct SECKEYPrivateKeyStr **pRetKey)
{
  SECKEYPrivateKey *privKey;
  SECKEYPrivateKey *privKey = NULL;
  CERTCertificate *cert;
  struct ssl_connect_data *connssl = (struct ssl_connect_data *) arg;
  char *nickname = connssl->client_nickname;
  void *proto_win = NULL;
@@ -799,36 +800,32 @@ static SECStatus SelectClientCert(void *arg, PRFileDesc *sock,
  if(!nickname)
    return secStatus;

  connssl->client_cert = PK11_FindCertFromNickname(nickname, proto_win);
  if(connssl->client_cert) {

  cert = PK11_FindCertFromNickname(nickname, proto_win);
  if(cert) {
    if(!strncmp(nickname, "PEM Token", 9)) {
      CK_SLOT_ID slotID = 1; /* hardcoded for now */
      char slotname[SLOTSIZE];
      snprintf(slotname, SLOTSIZE, "PEM Token #%ld", slotID);
      slot = PK11_FindSlotByName(slotname);
      privKey = PK11_FindPrivateKeyFromCert(slot, connssl->client_cert, NULL);
      privKey = PK11_FindPrivateKeyFromCert(slot, cert, NULL);
      PK11_FreeSlot(slot);
      if(privKey) {
        secStatus = SECSuccess;
      }
    }
    else {
      privKey = PK11_FindKeyByAnyCert(connssl->client_cert, proto_win);
      privKey = PK11_FindKeyByAnyCert(cert, proto_win);
      if(privKey)
        secStatus = SECSuccess;
    }
  }

  if(secStatus == SECSuccess) {
    *pRetCert = connssl->client_cert;
  *pRetCert = cert;
  *pRetKey = privKey;
  }
  else {
    if(connssl->client_cert)
      CERT_DestroyCertificate(connssl->client_cert);
    connssl->client_cert = NULL;
  }
  
  /* There's no need to destroy either cert or privKey as 
   * NSS will do that for us even if returning SECFailure
   */

  return secStatus;
}
@@ -912,8 +909,6 @@ void Curl_nss_close(struct connectdata *conn, int sockindex)
      free(connssl->client_nickname);
      connssl->client_nickname = NULL;
    }
    if(connssl->client_cert)
      CERT_DestroyCertificate(connssl->client_cert);
#ifdef HAVE_PK11_CREATEGENERICOBJECT      
    if(connssl->key)
      (void)PK11_DestroyGenericObject(connssl->key);
@@ -957,7 +952,6 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex)
  if (connssl->state == ssl_connection_complete)
    return CURLE_OK;

  connssl->client_cert = NULL;
#ifdef HAVE_PK11_CREATEGENERICOBJECT  
  connssl->cacert[0] = NULL;
  connssl->cacert[1] = NULL;
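Review bot: In SelectClientCert the new comment that NSS destroys cert and privKey even on SECFailure only holds if the pointers are actually handed over through *pRetCert/*pRetKey on that path; PK11_FindCertFromNickname returns a reference the caller owns, so if the assignments stayed guarded by `secStatus == SECSuccess` a cert that is found without a usable key would leak on every handshake. The rendered indentation of `*pRetCert = cert;` suggests the stores are now unconditional, which is the right shape, and I would make that contract explicit in the comment, e.g. `/* NSS takes ownership of *pRetCert/*pRetKey and destroys them itself, also when we return SECFailure, so they must always be stored here */`. On the "PEM Token" path PK11_FindSlotByName() can return NULL and the result is passed to PK11_FindPrivateKeyFromCert and PK11_FreeSlot unchecked; that is pre-existing context in this hunk, but a guard such as `slot = PK11_FindSlotByName(slotname); if(slot) { privKey = PK11_FindPrivateKeyFromCert(slot, cert, NULL); PK11_FreeSlot(slot); }` belongs with this cleanup. SelectClientCert's signature begins above the first hunk; its body ends inside the second.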
+0 −1
@@ -211,7 +211,6 @@ struct ssl_connect_data {
#ifdef USE_NSS
  PRFileDesc *handle;
  char *client_nickname;
  CERTCertificate *client_cert;
#ifdef HAVE_PK11_CREATEGENERICOBJECT
  PK11GenericObject *key;
  PK11GenericObject *cacert[2];