|
|
a2d4e1 |
From 49d801727856998cf6230f1a18d971649376d5a7 Mon Sep 17 00:00:00 2001
|
|
|
a2d4e1 |
From: Peter Wang <novalazy@gmail.com>
|
|
|
a2d4e1 |
Date: Fri, 26 Aug 2016 16:28:39 +1000
|
|
|
a2d4e1 |
Subject: [PATCH 1/2] nss: work around race condition in PK11_FindSlotByName()
|
|
|
a2d4e1 |
|
|
|
a2d4e1 |
Serialise the call to PK11_FindSlotByName() to avoid spurious errors in
|
|
|
a2d4e1 |
a multi-threaded environment. The underlying cause is a race condition
|
|
|
a2d4e1 |
in nssSlot_IsTokenPresent().
|
|
|
a2d4e1 |
|
|
|
a2d4e1 |
Bug: https://bugzilla.mozilla.org/1297397
|
|
|
a2d4e1 |
|
|
|
a2d4e1 |
Closes #985
|
|
|
a2d4e1 |
|
|
|
a2d4e1 |
Upstream-commit: 3a5d5de9ef52ebe8ca2bda2165edc1b34c242e54
|
|
|
a2d4e1 |
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
|
|
a2d4e1 |
---
|
|
|
a2d4e1 |
lib/nss.c | 26 +++++++++++++++++++++-----
|
|
|
a2d4e1 |
1 file changed, 21 insertions(+), 5 deletions(-)
|
|
|
a2d4e1 |
|
|
|
a2d4e1 |
diff --git a/lib/nss.c b/lib/nss.c
|
|
|
a2d4e1 |
index cf45f3a..3f88ea7 100644
|
|
|
a2d4e1 |
--- a/lib/nss.c
|
|
|
a2d4e1 |
+++ b/lib/nss.c
|
|
|
a2d4e1 |
@@ -74,8 +74,9 @@
|
|
|
a2d4e1 |
|
|
|
a2d4e1 |
PRFileDesc *PR_ImportTCPSocket(PRInt32 osfd);
|
|
|
a2d4e1 |
|
|
|
a2d4e1 |
-PRLock * nss_initlock = NULL;
|
|
|
a2d4e1 |
-PRLock * nss_crllock = NULL;
|
|
|
a2d4e1 |
+static PRLock *nss_initlock = NULL;
|
|
|
a2d4e1 |
+static PRLock *nss_crllock = NULL;
|
|
|
a2d4e1 |
+static PRLock *nss_findslot_lock = NULL;
|
|
|
a2d4e1 |
NSSInitContext * nss_context = NULL;
|
|
|
a2d4e1 |
|
|
|
a2d4e1 |
volatile int initialized = 0;
|
|
|
a2d4e1 |
@@ -347,6 +348,19 @@ static char* dup_nickname(struct SessionHandle *data, enum dupstring cert_kind)
|
|
|
a2d4e1 |
return NULL;
|
|
|
a2d4e1 |
}
|
|
|
a2d4e1 |
|
|
|
a2d4e1 |
+/* Lock/unlock wrapper for PK11_FindSlotByName() to work around race condition
|
|
|
a2d4e1 |
+ * in nssSlot_IsTokenPresent() causing spurious SEC_ERROR_NO_TOKEN. For more
|
|
|
a2d4e1 |
+ * details, go to <https://bugzilla.mozilla.org/1297397>.
|
|
|
a2d4e1 |
+ */
|
|
|
a2d4e1 |
+static PK11SlotInfo* nss_find_slot_by_name(const char *slot_name)
|
|
|
a2d4e1 |
+{
|
|
|
a2d4e1 |
+ PK11SlotInfo *slot;
|
|
|
a2d4e1 |
+ PR_Lock(nss_initlock);
|
|
|
a2d4e1 |
+ slot = PK11_FindSlotByName(slot_name);
|
|
|
a2d4e1 |
+ PR_Unlock(nss_initlock);
|
|
|
a2d4e1 |
+ return slot;
|
|
|
a2d4e1 |
+}
|
|
|
a2d4e1 |
+
|
|
|
a2d4e1 |
/* Call PK11_CreateGenericObject() with the given obj_class and filename. If
|
|
|
a2d4e1 |
* the call succeeds, append the object handle to the list of objects so that
|
|
|
a2d4e1 |
* the object can be destroyed in Curl_nss_close(). */
|
|
|
a2d4e1 |
@@ -369,7 +383,7 @@ static CURLcode nss_create_object(struct ssl_connect_data *ssl,
|
|
|
a2d4e1 |
if(!slot_name)
|
|
|
a2d4e1 |
return CURLE_OUT_OF_MEMORY;
|
|
|
a2d4e1 |
|
|
|
a2d4e1 |
- slot = PK11_FindSlotByName(slot_name);
|
|
|
a2d4e1 |
+ slot = nss_find_slot_by_name(slot_name);
|
|
|
a2d4e1 |
free(slot_name);
|
|
|
a2d4e1 |
if(!slot)
|
|
|
a2d4e1 |
return err;
|
|
|
a2d4e1 |
@@ -549,7 +563,7 @@ static CURLcode nss_load_key(struct connectdata *conn, int sockindex,
|
|
|
a2d4e1 |
return rv;
|
|
|
a2d4e1 |
}
|
|
|
a2d4e1 |
|
|
|
a2d4e1 |
- slot = PK11_FindSlotByName("PEM Token #1");
|
|
|
a2d4e1 |
+ slot = nss_find_slot_by_name("PEM Token #1");
|
|
|
a2d4e1 |
if(!slot)
|
|
|
a2d4e1 |
return CURLE_SSL_CERTPROBLEM;
|
|
|
a2d4e1 |
|
|
|
a2d4e1 |
@@ -788,7 +802,7 @@ static SECStatus SelectClientCert(void *arg, PRFileDesc *sock,
|
|
|
a2d4e1 |
struct CERTCertificateStr *cert;
|
|
|
a2d4e1 |
struct SECKEYPrivateKeyStr *key;
|
|
|
a2d4e1 |
|
|
|
a2d4e1 |
- PK11SlotInfo *slot = PK11_FindSlotByName(pem_slotname);
|
|
|
a2d4e1 |
+ PK11SlotInfo *slot = nss_find_slot_by_name(pem_slotname);
|
|
|
a2d4e1 |
if(NULL == slot) {
|
|
|
a2d4e1 |
failf(data, "NSS: PK11 slot not found: %s", pem_slotname);
|
|
|
a2d4e1 |
return SECFailure;
|
|
|
a2d4e1 |
@@ -1017,6 +1031,7 @@ int Curl_nss_init(void)
|
|
|
a2d4e1 |
PR_Init(PR_USER_THREAD, PR_PRIORITY_NORMAL, 256);
|
|
|
a2d4e1 |
nss_initlock = PR_NewLock();
|
|
|
a2d4e1 |
nss_crllock = PR_NewLock();
|
|
|
a2d4e1 |
+ nss_findslot_lock = PR_NewLock();
|
|
|
a2d4e1 |
}
|
|
|
a2d4e1 |
|
|
|
a2d4e1 |
/* We will actually initialize NSS later */
|
|
|
a2d4e1 |
@@ -1064,6 +1079,7 @@ void Curl_nss_cleanup(void)
|
|
|
a2d4e1 |
|
|
|
a2d4e1 |
PR_DestroyLock(nss_initlock);
|
|
|
a2d4e1 |
PR_DestroyLock(nss_crllock);
|
|
|
a2d4e1 |
+ PR_DestroyLock(nss_findslot_lock);
|
|
|
a2d4e1 |
nss_initlock = NULL;
|
|
|
a2d4e1 |
|
|
|
a2d4e1 |
initialized = 0;
|
|
|
a2d4e1 |
--
|
|
|
a2d4e1 |
2.9.3
|
|
|
a2d4e1 |
|
|
|
a2d4e1 |
|
|
|
a2d4e1 |
From 610ca3bc8549cf907147b22c67c0062225ec58a7 Mon Sep 17 00:00:00 2001
|
|
|
a2d4e1 |
From: Kamil Dudka <kdudka@redhat.com>
|
|
|
a2d4e1 |
Date: Sun, 15 Jan 2017 13:10:43 +0100
|
|
|
a2d4e1 |
Subject: [PATCH 2/2] nss: use the correct lock in nss_find_slot_by_name()
|
|
|
a2d4e1 |
|
|
|
a2d4e1 |
Upstream-commit: 25ed9ea51257c0561237d1b725c4ff3d59b3f32c
|
|
|
a2d4e1 |
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
|
|
a2d4e1 |
---
|
|
|
a2d4e1 |
lib/nss.c | 4 ++--
|
|
|
a2d4e1 |
1 file changed, 2 insertions(+), 2 deletions(-)
|
|
|
a2d4e1 |
|
|
|
a2d4e1 |
diff --git a/lib/nss.c b/lib/nss.c
|
|
|
a2d4e1 |
index 3f88ea7..9e0e373 100644
|
|
|
a2d4e1 |
--- a/lib/nss.c
|
|
|
a2d4e1 |
+++ b/lib/nss.c
|
|
|
a2d4e1 |
@@ -355,9 +355,9 @@ static char* dup_nickname(struct SessionHandle *data, enum dupstring cert_kind)
|
|
|
a2d4e1 |
static PK11SlotInfo* nss_find_slot_by_name(const char *slot_name)
|
|
|
a2d4e1 |
{
|
|
|
a2d4e1 |
PK11SlotInfo *slot;
|
|
|
a2d4e1 |
- PR_Lock(nss_initlock);
|
|
|
a2d4e1 |
+ PR_Lock(nss_findslot_lock);
|
|
|
a2d4e1 |
slot = PK11_FindSlotByName(slot_name);
|
|
|
a2d4e1 |
- PR_Unlock(nss_initlock);
|
|
|
a2d4e1 |
+ PR_Unlock(nss_findslot_lock);
|
|
|
a2d4e1 |
return slot;
|
|
|
a2d4e1 |
}
|
|
|
a2d4e1 |
|
|
|
a2d4e1 |
--
|
|
|
a2d4e1 |
2.9.3
|
|
|
a2d4e1 |
|