[Pidgin] #6500: NSS plugin doesn't verify SSL certificates
Pidgin
trac at pidgin.im
Wed Aug 6 08:24:46 EDT 2008
#6500: NSS plugin doesn't verify SSL certificates
------------------------+---------------------------------------------------
Reporter: ari | Owner: wehlhard
Type: patch | Status: assigned
Priority: minor | Milestone: 2.5.0
Component: libpurple | Version: 2.4.3
Resolution: | Keywords:
Pending: 0 |
------------------------+---------------------------------------------------
Changes (by wehlhard):
* status: new => assigned
* milestone: => 2.5.0
Comment:
Thank you for submitting this patch; this has been sitting on my TODO list
for a long time, and now you have resolved it.
I have a couple things that I would like to see corrected before I put
this into the main tree, though:
1. Around line 281 of the revised ssl-nss.c, there is the following:
{{{
cert = SSL_PeerCertificate(socket);
curcert = CERT_DupCertificate(cert);
}}}
While there is a call to CERT_DestroyCertificate for curcert later on,
there is no corresponding call for cert itself. Since SSL_PeerCertificate
returns a CERT_DupCertificate and returns its result, I think this is a
memory leak. Can you double-check this?
See
http://mxr.mozilla.org/security/source/security/nss/lib/ssl/sslauth.c#46
2. I get the following when compiling the revised ssl-nss.c:
{{{
ssl-nss.c: In function 'x509_import_from_nss':
ssl-nss.c:264: warning: passing argument 1 of 'CERT_DupCertificate' discards qualifiers from pointer target type
ssl-nss.c: In function 'ssl_nss_get_peer_certificates':
ssl-nss.c:291: warning: ISO C90 forbids mixed declarations and code
ssl-nss.c:299: warning: too many arguments for format
ssl-nss.c: In function 'x509_signed_by':
ssl-nss.c:675: warning: 'return' with no value, in function returning non-void
ssl-nss.c:678: warning: 'return' with no value, in function returning non-void
ssl-nss.c:684: warning: this function may return with or without a value
}}}
I don't like warnings. The third block of them is particularly worrisome.
3. I put the portion touching the Jabber protocol as its own patch, #6516.
I have attached a revised patch that covers the above issues. Please
double-check that I have made no mistakes, and if I hear back from you in
the next few days, this will make it into next week's release.
--
Ticket URL: <http://developer.pidgin.im/ticket/6500#comment:3>
Pidgin <http://pidgin.im>
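
The ownership problem raised in point 1, as an added example that is not part of the original ticket or of Pidgin's code. It is a small reference-counting model: the hypothetical helpers `peer_certificate`, `cert_dup` and `cert_destroy` stand in for SSL_PeerCertificate, CERT_DupCertificate and CERT_DestroyCertificate and do not call NSS.

```c
#include <stdlib.h>

/* Model only: hypothetical stand-ins for NSS types and calls, no NSS linked. */
typedef struct { int refs; } Cert;
typedef struct { Cert *peer; } Conn;   /* connection owns one reference */

static int live_certs = 0;             /* certificate objects not yet freed */

static Cert *cert_new(void) {
    Cert *c = malloc(sizeof *c);
    if (!c) abort();
    c->refs = 1;
    live_certs++;
    return c;
}
/* Stand-in for CERT_DupCertificate: takes one more reference. */
static Cert *cert_dup(Cert *c) { c->refs++; return c; }
/* Stand-in for CERT_DestroyCertificate: drops one reference, frees at zero. */
static void cert_destroy(Cert *c) {
    if (c && --c->refs == 0) { free(c); live_certs--; }
}
/* Stand-in for SSL_PeerCertificate: hands the caller its own reference. */
static Cert *peer_certificate(Conn *s) { return cert_dup(s->peer); }

/* Runs one handshake-to-close cycle and returns how many certificate
 * objects are still allocated afterwards (0 means nothing leaked). */
static int certs_leaked(int release_peer_ref) {
    int before = live_certs;
    Conn s = { cert_new() };

    Cert *cert = peer_certificate(&s);   /* reference #2, owned by us */
    Cert *curcert = cert_dup(cert);      /* reference #3, owned by us */
    /* ... curcert is handed to the certificate-import code here ... */
    cert_destroy(curcert);               /* releases #3 only */
    if (release_peer_ref)
        cert_destroy(cert);              /* the missing release of #2 */

    cert_destroy(s.peer);                /* connection closes, drops #1 */
    return live_certs - before;
}

int main(void) {
    return (certs_leaked(0) == 1 && certs_leaked(1) == 0) ? 0 : 1;
}
```

With the pattern quoted in the comment, one certificate object outlives every connection; releasing the reference returned by the peer-certificate call brings the count back to zero.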