From 7aa2d10e0db82a55eba6b5723307d915939cb2fb Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Tue, 22 Feb 2011 13:13:53 +0100 Subject: [PATCH] nss: do not ignore failure of SSL handshake Flaw introduced in fc77790 and present in curl-7.21.4. Bug: https://bugzilla.redhat.com/669702#c16 --- RELEASE-NOTES | 1 + lib/nss.c | 12 ++++++++---- 2 files changed, 9 insertions(+), 4 deletions(-) diff --git a/RELEASE-NOTES b/RELEASE-NOTES index 363352a..5b6274c 100644 --- a/RELEASE-NOTES +++ b/RELEASE-NOTES @@ -14,6 +14,7 @@ This release includes the following changes: This release includes the following bugfixes: o nss: avoid memory leak on SSL connection failure + o nss: do not ignore failure of SSL handshake o This release includes the following known bugs: diff --git a/lib/nss.c b/lib/nss.c index d26ad5b..be26253 100644 --- a/lib/nss.c +++ b/lib/nss.c @@ -1157,7 +1157,7 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex) struct SessionHandle *data = conn->data; curl_socket_t sockfd = conn->sock[sockindex]; struct ssl_connect_data *connssl = &conn->ssl[sockindex]; - int curlerr; + CURLcode curlerr; const int *cipher_to_enable; PRSocketOptionData sock_opt; long time_left; @@ -1289,9 +1289,13 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex) NULL) != SECSuccess) goto error; - if(data->set.ssl.verifypeer && (CURLE_OK != - (curlerr = nss_load_ca_certificates(conn, sockindex)))) - goto error; + if(data->set.ssl.verifypeer) { + const CURLcode rv = nss_load_ca_certificates(conn, sockindex); + if(CURLE_OK != rv) { + curlerr = rv; + goto error; + } + } if (data->set.ssl.CRLfile) { if(SECSuccess != nss_load_crl(data->set.ssl.CRLfile)) { -- 2.7.4
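Review bot: In the second lib/nss.c hunk, the fix depends on `curlerr` still holding a failure code whenever a later `goto error` is taken, and nothing in the new lines states that invariant. The old form stored the return of nss_load_ca_certificates() in `curlerr` even on success, so a later handshake failure could presumably be reported as CURLE_OK. The new block assigns only on failure, but the default value and the `error` label both lie outside the hunks, and the declaration in the first hunk, `CURLcode curlerr;`, has no initializer. I would add a comment above the block, `/* never store CURLE_OK in curlerr here: the error path is expected to return it, so it must keep its failure default */`, and confirm that no other call before the handshake writes a success value into `curlerr`. A regression test that forces a handshake failure with verifypeer enabled and checks for a non-CURLE_OK result would keep a silent TLS failure from returning.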