curl-library

Re: [PATCH] Correct refcount issues when using client certs in NSS

From: Claes Jakobsson <claes_at_versed.se>
Date: Sat, 30 May 2009 13:15:30 +0200

Hi Kamil.

On 30 May 2009, at 13.01, Kamil Dudka wrote:
> Hi Claes,
>
> can you give me some steps to reproduce the segmentation fault? Do you
> have the client certificate in NSS database or a PEM certificate in file?

The certificate I'm using is stored on a smartcard that is accessed
via the Nexus Personal PKCS11 module. This is with NSS 3.12 on OS X 10.5.7.

> The patch triggers a memory leak for me:
>
> 524,203 bytes in 1,881 blocks are possibly lost in loss record 44 of 44
> at 0x4A04D1F: calloc (vg_replace_malloc.c:279)
> by 0x4C1EACF: nss_ZAlloc (arena.c:892)
> by 0x4C1ED5C: nssArena_Create (arena.c:412)
> by 0x4C11B52: nssCKFWInstance_Create (instance.c:217)
> by 0x4C1C8D1: NSSCKFWC_Initialize (wrap.c:205)
> by 0x50EB816: secmod_ModuleInit (pk11load.c:146)
> by 0x50EBF33: SECMOD_LoadPKCS11Module (pk11load.c:378)
> by 0x50FE973: SECMOD_LoadModule (pk11pars.c:323)
> by 0x50FEB77: SECMOD_LoadUserModule (pk11pars.c:391)
> by 0x4E6C457: Curl_nss_connect (nss.c:1008)
> by 0x4E652EA: Curl_ssl_connect (sslgen.c:185)
> by 0x4E4512B: Curl_http_connect (http.c:1804)
>
> It probably hampers the PEM module destruction by non-zero reference
> count.

Looking at the code for nss.c, is there any good reason why the client
cert should be kept around outside the SSLGetClientAuthData callback?

/Claes
Received on 2009-05-30