From 664776a2f8b4574ab8c80e7bc6986ef62ef24b77 Mon Sep 17 00:00:00 2001
From: Kamil Dudka <kdudka@redhat.com>
Date: Thu, 3 Jul 2014 23:53:44 +0200
Subject: [PATCH 1/5] nss: let nss_{cache,load}_crl return CURLcode
Upstream-commit: 2968f957aa025003d15a4fa42c3138e99c6d2e3f
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
lib/nss.c | 21 ++++++++++-----------
1 file changed, 10 insertions(+), 11 deletions(-)
d004d8 |
diff --git a/lib/nss.c b/lib/nss.c
|
|
|
d004d8 |
index 86775b4..a82fc64 100644
|
|
|
d004d8 |
--- a/lib/nss.c
|
|
|
d004d8 |
+++ b/lib/nss.c
|
|
|
d004d8 |
@@ -471,7 +471,7 @@ static SECStatus nss_cache_crl(SECItem *crlDER)
|
|
|
d004d8 |
/* CRL already cached */
|
|
|
d004d8 |
SEC_DestroyCrl(crl);
|
|
|
d004d8 |
SECITEM_FreeItem(crlDER, PR_FALSE);
|
|
|
d004d8 |
- return SECSuccess;
|
|
|
d004d8 |
+ return CURLE_SSL_CRL_BADFILE;
|
|
|
d004d8 |
}
|
|
|
d004d8 |
|
|
|
d004d8 |
/* acquire lock before call of CERT_CacheCRL() */
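Review bot: The return statements of nss_cache_crl now yield CURLcode values, but the hunk header still shows the function declared as `static SECStatus nss_cache_crl(SECItem *crlDER)` and nothing in this patch changes that line, so CURLE_* constants get converted to SECStatus here and back to CURLcode through nss_load_crl's `return nss_cache_crl(&crlDER)`; the prototype should change in the same commit as the return values, i.e. `static CURLcode nss_cache_crl(SECItem *crlDER)` (PATCH 2/5 in this series does that). The already-cached branch also turns the old `return SECSuccess;` into CURLE_SSL_CRL_BADFILE, so a CRL that is already in the cache now fails the connection; the intended line is `return CURLE_OK;`, which PATCH 5/5 restores. The enclosing function starts and ends outside this hunk.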
|
|
|
d004d8 |
@@ -480,16 +480,16 @@ static SECStatus nss_cache_crl(SECItem *crlDER)
|
|
|
d004d8 |
/* unable to cache CRL */
|
|
|
d004d8 |
PR_Unlock(nss_crllock);
|
|
|
d004d8 |
SECITEM_FreeItem(crlDER, PR_FALSE);
|
|
|
d004d8 |
- return SECFailure;
|
|
|
d004d8 |
+ return CURLE_SSL_CRL_BADFILE;
|
|
|
d004d8 |
}
|
|
|
d004d8 |
|
|
|
d004d8 |
/* we need to clear session cache, so that the CRL could take effect */
|
|
|
d004d8 |
SSL_ClearSessionCache();
|
|
|
d004d8 |
PR_Unlock(nss_crllock);
|
|
|
d004d8 |
- return SECSuccess;
|
|
|
d004d8 |
+ return CURLE_OK;
|
|
|
d004d8 |
}
|
|
|
d004d8 |
|
|
|
d004d8 |
-static SECStatus nss_load_crl(const char* crlfilename)
|
|
|
d004d8 |
+static CURLcode nss_load_crl(const char* crlfilename)
|
|
|
d004d8 |
{
|
|
|
d004d8 |
PRFileDesc *infile;
|
|
|
d004d8 |
PRFileInfo info;
|
|
|
d004d8 |
@@ -499,7 +499,7 @@ static SECStatus nss_load_crl(const char* crlfilename)
|
|
|
d004d8 |
|
|
|
d004d8 |
infile = PR_Open(crlfilename, PR_RDONLY, 0);
|
|
|
d004d8 |
if(!infile)
|
|
|
d004d8 |
- return SECFailure;
|
|
|
d004d8 |
+ return CURLE_SSL_CRL_BADFILE;
|
|
|
d004d8 |
|
|
|
d004d8 |
if(PR_SUCCESS != PR_GetOpenFileInfo(infile, &info))
|
|
|
d004d8 |
goto fail;
|
|
|
d004d8 |
@@ -545,7 +545,7 @@ static SECStatus nss_load_crl(const char* crlfilename)
|
|
|
d004d8 |
fail:
|
|
|
d004d8 |
PR_Close(infile);
|
|
|
d004d8 |
SECITEM_FreeItem(&filedata, PR_FALSE);
|
|
|
d004d8 |
- return SECFailure;
|
|
|
d004d8 |
+ return CURLE_SSL_CRL_BADFILE;
|
|
|
d004d8 |
}
|
|
|
d004d8 |
|
|
|
d004d8 |
static CURLcode nss_load_key(struct connectdata *conn, int sockindex,
|
|
|
d004d8 |
@@ -1463,13 +1463,12 @@ static CURLcode nss_setup_connect(struct connectdata *conn, int sockindex)
|
|
|
d004d8 |
}
|
|
|
d004d8 |
|
|
|
d004d8 |
if(data->set.ssl.CRLfile) {
|
|
|
d004d8 |
- if(SECSuccess != nss_load_crl(data->set.ssl.CRLfile)) {
|
|
|
d004d8 |
- curlerr = CURLE_SSL_CRL_BADFILE;
|
|
|
d004d8 |
+ const CURLcode rv = nss_load_crl(data->set.ssl.CRLfile);
|
|
|
d004d8 |
+ if(CURLE_OK != rv) {
|
|
|
d004d8 |
+ curlerr = rv;
|
|
|
d004d8 |
goto error;
|
|
|
d004d8 |
}
|
|
|
d004d8 |
- infof(data,
|
|
|
d004d8 |
- " CRLfile: %s\n",
|
|
|
d004d8 |
- data->set.ssl.CRLfile ? data->set.ssl.CRLfile : "none");
|
|
|
d004d8 |
+ infof(data, " CRLfile: %s\n", data->set.ssl.CRLfile);
|
|
|
d004d8 |
}
|
|
|
d004d8 |
|
|
|
d004d8 |
if(data->set.str[STRING_CERT]) {
|
|
|
--
2.13.5
From 9efc8373f8190581b5463ebcb38f52ddaa89db51 Mon Sep 17 00:00:00 2001
From: Kamil Dudka <kdudka@redhat.com>
Date: Fri, 4 Jul 2014 00:36:21 +0200
Subject: [PATCH 2/5] nss: make crl_der allocated on heap
... and spell it as crl_der instead of crlDER
Upstream-commit: caa4db8a51e2b02e43ee85e63bc3fec232986699
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
lib/nss.c | 23 ++++++++++++++---------
1 file changed, 14 insertions(+), 9 deletions(-)
d004d8 |
diff --git a/lib/nss.c b/lib/nss.c
|
|
|
d004d8 |
index a82fc64..4e210bb 100644
|
|
|
d004d8 |
--- a/lib/nss.c
|
|
|
d004d8 |
+++ b/lib/nss.c
|
|
|
d004d8 |
@@ -463,23 +463,23 @@ static CURLcode nss_load_cert(struct ssl_connect_data *ssl,
|
|
|
d004d8 |
}
|
|
|
d004d8 |
|
|
|
d004d8 |
/* add given CRL to cache if it is not already there */
|
|
|
d004d8 |
-static SECStatus nss_cache_crl(SECItem *crlDER)
|
|
|
d004d8 |
+static CURLcode nss_cache_crl(SECItem *crl_der)
|
|
|
d004d8 |
{
|
|
|
d004d8 |
CERTCertDBHandle *db = CERT_GetDefaultCertDB();
|
|
|
d004d8 |
- CERTSignedCrl *crl = SEC_FindCrlByDERCert(db, crlDER, 0);
|
|
|
d004d8 |
+ CERTSignedCrl *crl = SEC_FindCrlByDERCert(db, crl_der, 0);
|
|
|
d004d8 |
if(crl) {
|
|
|
d004d8 |
/* CRL already cached */
|
|
|
d004d8 |
SEC_DestroyCrl(crl);
|
|
|
d004d8 |
- SECITEM_FreeItem(crlDER, PR_FALSE);
|
|
|
d004d8 |
+ SECITEM_FreeItem(crl_der, PR_TRUE);
|
|
|
d004d8 |
return CURLE_SSL_CRL_BADFILE;
|
|
|
d004d8 |
}
|
|
|
d004d8 |
|
|
|
d004d8 |
/* acquire lock before call of CERT_CacheCRL() */
|
|
|
d004d8 |
PR_Lock(nss_crllock);
|
|
|
d004d8 |
- if(SECSuccess != CERT_CacheCRL(db, crlDER)) {
|
|
|
d004d8 |
+ if(SECSuccess != CERT_CacheCRL(db, crl_der)) {
|
|
|
d004d8 |
/* unable to cache CRL */
|
|
|
d004d8 |
PR_Unlock(nss_crllock);
|
|
|
d004d8 |
- SECITEM_FreeItem(crlDER, PR_FALSE);
|
|
|
d004d8 |
+ SECITEM_FreeItem(crl_der, PR_TRUE);
|
|
|
d004d8 |
return CURLE_SSL_CRL_BADFILE;
|
|
|
d004d8 |
}
|
|
|
d004d8 |
|
|
|
d004d8 |
@@ -494,7 +494,7 @@ static CURLcode nss_load_crl(const char* crlfilename)
|
|
|
d004d8 |
PRFileDesc *infile;
|
|
|
d004d8 |
PRFileInfo info;
|
|
|
d004d8 |
SECItem filedata = { 0, NULL, 0 };
|
|
|
d004d8 |
- SECItem crlDER = { 0, NULL, 0 };
|
|
|
d004d8 |
+ SECItem *crl_der = NULL;
|
|
|
d004d8 |
char *body;
|
|
|
d004d8 |
|
|
|
d004d8 |
infile = PR_Open(crlfilename, PR_RDONLY, 0);
|
|
|
d004d8 |
@@ -510,6 +510,10 @@ static CURLcode nss_load_crl(const char* crlfilename)
|
|
|
d004d8 |
if(info.size != PR_Read(infile, filedata.data, info.size))
|
|
|
d004d8 |
goto fail;
|
|
|
d004d8 |
|
|
|
d004d8 |
+ crl_der = SECITEM_AllocItem(NULL, NULL, 0U);
|
|
|
d004d8 |
+ if(!crl_der)
|
|
|
d004d8 |
+ goto fail;
|
|
|
d004d8 |
+
|
|
|
d004d8 |
/* place a trailing zero right after the visible data */
|
|
|
d004d8 |
body = (char*)filedata.data;
|
|
|
d004d8 |
body[--filedata.len] = '\0';
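Review bot: A NULL result from SECITEM_AllocItem takes the new `goto fail` and is therefore reported as CURLE_SSL_CRL_BADFILE, so an out-of-memory condition becomes indistinguishable from a malformed CRL file for the caller and for the user reading the error. Keeping a `CURLcode result = CURLE_SSL_CRL_BADFILE;` local, setting `result = CURLE_OUT_OF_MEMORY;` before that goto and ending the fail label with `return result;` keeps the reported code honest without restructuring the cleanup. nss_load_crl starts and ends outside this hunk.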
|
|
|
d004d8 |
@@ -530,20 +534,21 @@ static CURLcode nss_load_crl(const char* crlfilename)
|
|
|
d004d8 |
|
|
|
d004d8 |
/* retrieve DER from ASCII */
|
|
|
d004d8 |
*trailer = '\0';
|
|
|
d004d8 |
- if(ATOB_ConvertAsciiToItem(&crlDER, begin))
|
|
|
d004d8 |
+ if(ATOB_ConvertAsciiToItem(crl_der, begin))
|
|
|
d004d8 |
goto fail;
|
|
|
d004d8 |
|
|
|
d004d8 |
SECITEM_FreeItem(&filedata, PR_FALSE);
|
|
|
d004d8 |
}
|
|
|
d004d8 |
else
|
|
|
d004d8 |
/* assume DER */
|
|
|
d004d8 |
- crlDER = filedata;
|
|
|
d004d8 |
+ *crl_der = filedata;
|
|
|
d004d8 |
|
|
|
d004d8 |
PR_Close(infile);
|
|
|
d004d8 |
- return nss_cache_crl(&crlDER);
|
|
|
d004d8 |
+ return nss_cache_crl(crl_der);
|
|
|
d004d8 |
|
|
|
d004d8 |
fail:
|
|
|
d004d8 |
PR_Close(infile);
|
|
|
d004d8 |
+ SECITEM_FreeItem(crl_der, PR_TRUE);
|
|
|
d004d8 |
SECITEM_FreeItem(&filedata, PR_FALSE);
|
|
|
d004d8 |
return CURLE_SSL_CRL_BADFILE;
|
|
|
d004d8 |
}
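Review bot: `*crl_der = filedata;` in the DER branch moves ownership of filedata.data into the heap item but leaves filedata aliasing the same buffer; that is safe only because the function returns on the very next statements, and anything later inserted between the assignment and the return that jumps to `fail:` would free the buffer twice. Either add `filedata.data = NULL;` right after the assignment so the fail path stays harmless, or document the invariant with `/* ownership of filedata.data moves to crl_der; filedata must not be freed below */`. The new `SECITEM_FreeItem(crl_der, PR_TRUE);` at fail: is reached with crl_der still NULL on the early failures and relies on NSS's SECITEM_FreeItem ignoring a NULL item, which it does, but a short comment saying so would spare the next reader the lookup.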
|
|
|
--
2.13.5
From f2c35b7b7f50b691d3019783ce19cc6a8dd5b484 Mon Sep 17 00:00:00 2001
From: Kamil Dudka <kdudka@redhat.com>
Date: Fri, 4 Jul 2014 00:39:23 +0200
Subject: [PATCH 3/5] nss: fix a memory leak when CURLOPT_CRLFILE is used
Upstream-commit: 52cd5ac21cdfdc0a6c016de97fe70d3a50baa526
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
lib/nss.c | 38 +++++++++++++++++++++++++++++++++-----
lib/urldata.h | 1 +
2 files changed, 34 insertions(+), 5 deletions(-)
d004d8 |
diff --git a/lib/nss.c b/lib/nss.c
|
|
|
d004d8 |
index 4e210bb..c3247c8 100644
|
|
|
d004d8 |
--- a/lib/nss.c
|
|
|
d004d8 |
+++ b/lib/nss.c
|
|
|
d004d8 |
@@ -425,6 +425,14 @@ static void nss_destroy_object(void *user, void *ptr)
|
|
|
d004d8 |
PK11_DestroyGenericObject(obj);
|
|
|
d004d8 |
}
|
|
|
d004d8 |
|
|
|
d004d8 |
+/* same as nss_destroy_object() but for CRL items */
|
|
|
d004d8 |
+static void nss_destroy_crl_item(void *user, void *ptr)
|
|
|
d004d8 |
+{
|
|
|
d004d8 |
+ SECItem *crl_der = (SECItem *)ptr;
|
|
|
d004d8 |
+ (void) user;
|
|
|
d004d8 |
+ SECITEM_FreeItem(crl_der, PR_TRUE);
|
|
|
d004d8 |
+}
|
|
|
d004d8 |
+
|
|
|
d004d8 |
static CURLcode nss_load_cert(struct ssl_connect_data *ssl,
|
|
|
d004d8 |
const char *filename, PRBool cacert)
|
|
|
d004d8 |
{
|
|
|
d004d8 |
@@ -463,7 +471,7 @@ static CURLcode nss_load_cert(struct ssl_connect_data *ssl,
|
|
|
d004d8 |
}
|
|
|
d004d8 |
|
|
|
d004d8 |
/* add given CRL to cache if it is not already there */
|
|
|
d004d8 |
-static CURLcode nss_cache_crl(SECItem *crl_der)
|
|
|
d004d8 |
+static CURLcode nss_cache_crl(struct ssl_connect_data *ssl, SECItem *crl_der)
|
|
|
d004d8 |
{
|
|
|
d004d8 |
CERTCertDBHandle *db = CERT_GetDefaultCertDB();
|
|
|
d004d8 |
CERTSignedCrl *crl = SEC_FindCrlByDERCert(db, crl_der, 0);
|
|
|
d004d8 |
@@ -474,12 +482,17 @@ static CURLcode nss_cache_crl(SECItem *crl_der)
|
|
|
d004d8 |
return CURLE_SSL_CRL_BADFILE;
|
|
|
d004d8 |
}
|
|
|
d004d8 |
|
|
|
d004d8 |
+ /* store the CRL item so that we can free it in Curl_nss_close() */
|
|
|
d004d8 |
+ if(!Curl_llist_insert_next(ssl->crl_list, ssl->crl_list->tail, crl_der)) {
|
|
|
d004d8 |
+ SECITEM_FreeItem(crl_der, PR_FALSE);
|
|
|
d004d8 |
+ return CURLE_OUT_OF_MEMORY;
|
|
|
d004d8 |
+ }
|
|
|
d004d8 |
+
|
|
|
d004d8 |
/* acquire lock before call of CERT_CacheCRL() */
|
|
|
d004d8 |
PR_Lock(nss_crllock);
|
|
|
d004d8 |
if(SECSuccess != CERT_CacheCRL(db, crl_der)) {
|
|
|
d004d8 |
/* unable to cache CRL */
|
|
|
d004d8 |
PR_Unlock(nss_crllock);
|
|
|
d004d8 |
- SECITEM_FreeItem(crl_der, PR_TRUE);
|
|
|
d004d8 |
return CURLE_SSL_CRL_BADFILE;
|
|
|
d004d8 |
}
|
|
|
d004d8 |
|
|
|
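Review bot: The Curl_llist_insert_next failure path releases the item with `SECITEM_FreeItem(crl_der, PR_FALSE)`, which frees the DER buffer but not the SECItem struct that nss_load_crl now obtains from SECITEM_AllocItem, so the struct itself leaks; every other release of crl_der in this file uses PR_TRUE and this one should too: `SECITEM_FreeItem(crl_der, PR_TRUE);` (PATCH 4/5 in this series makes that correction). Once the item is in the list, a CERT_CacheCRL failure intentionally no longer frees it, since the list now owns it until Curl_nss_close; a one-line comment on that branch, `/* item stays in crl_list and is freed in Curl_nss_close() */`, would keep the missing free from reading as a leak. nss_cache_crl's body continues outside this hunk.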
d004d8 |
@@ -489,7 +502,8 @@ static CURLcode nss_cache_crl(SECItem *crl_der)
|
|
|
d004d8 |
return CURLE_OK;
|
|
|
d004d8 |
}
|
|
|
d004d8 |
|
|
|
d004d8 |
-static CURLcode nss_load_crl(const char* crlfilename)
|
|
|
d004d8 |
+static CURLcode nss_load_crl(struct ssl_connect_data *connssl,
|
|
|
d004d8 |
+ const char* crlfilename)
|
|
|
d004d8 |
{
|
|
|
d004d8 |
PRFileDesc *infile;
|
|
|
d004d8 |
PRFileInfo info;
|
|
|
d004d8 |
@@ -544,7 +558,7 @@ static CURLcode nss_load_crl(const char* crlfilename)
|
|
|
d004d8 |
*crl_der = filedata;
|
|
|
d004d8 |
|
|
|
d004d8 |
PR_Close(infile);
|
|
|
d004d8 |
- return nss_cache_crl(crl_der);
|
|
|
d004d8 |
+ return nss_cache_crl(connssl, crl_der);
|
|
|
d004d8 |
|
|
|
d004d8 |
fail:
|
|
|
d004d8 |
PR_Close(infile);
|
|
|
d004d8 |
@@ -1147,6 +1161,10 @@ void Curl_nss_close(struct connectdata *conn, int sockindex)
|
|
|
d004d8 |
connssl->obj_list = NULL;
|
|
|
d004d8 |
connssl->obj_clicert = NULL;
|
|
|
d004d8 |
|
|
|
d004d8 |
+ /* destroy all CRL items */
|
|
|
d004d8 |
+ Curl_llist_destroy(connssl->crl_list, NULL);
|
|
|
d004d8 |
+ connssl->crl_list = NULL;
|
|
|
d004d8 |
+
|
|
|
d004d8 |
PR_Close(connssl->handle);
|
|
|
d004d8 |
connssl->handle = NULL;
|
|
|
d004d8 |
}
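Review bot: Destroying connssl->crl_list here frees DER items that CERT_CacheCRL has handed to the process-wide NSS CRL cache, so the items' lifetime is tied to one connection while the cache that references them outlives it; another connection still validating against that cache can then touch freed memory, which is what the PATCH 4/5 message in this series describes and why it moves the list to a global released in Curl_nss_cleanup. If the per-connection list is kept for any reason, the items must be removed from the NSS cache before they are freed. Curl_nss_close starts outside this hunk.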
|
|
|
d004d8 |
@@ -1325,6 +1343,8 @@ static CURLcode nss_fail_connect(struct ssl_connect_data *connssl,
|
|
|
d004d8 |
/* cleanup on connection failure */
|
|
|
d004d8 |
Curl_llist_destroy(connssl->obj_list, NULL);
|
|
|
d004d8 |
connssl->obj_list = NULL;
|
|
|
d004d8 |
+ Curl_llist_destroy(connssl->crl_list, NULL);
|
|
|
d004d8 |
+ connssl->crl_list = NULL;
|
|
|
d004d8 |
return curlerr;
|
|
|
d004d8 |
}
|
|
|
d004d8 |
|
|
|
d004d8 |
@@ -1367,6 +1387,14 @@ static CURLcode nss_setup_connect(struct connectdata *conn, int sockindex)
|
|
|
d004d8 |
if(!connssl->obj_list)
|
|
|
d004d8 |
return CURLE_OUT_OF_MEMORY;
|
|
|
d004d8 |
|
|
|
d004d8 |
+ /* list of all CRL items we need to destroy in Curl_nss_close() */
|
|
|
d004d8 |
+ connssl->crl_list = Curl_llist_alloc(nss_destroy_crl_item);
|
|
|
d004d8 |
+ if(!connssl->crl_list) {
|
|
|
d004d8 |
+ Curl_llist_destroy(connssl->obj_list, NULL);
|
|
|
d004d8 |
+ connssl->obj_list = NULL;
|
|
|
d004d8 |
+ return CURLE_OUT_OF_MEMORY;
|
|
|
d004d8 |
+ }
|
|
|
d004d8 |
+
|
|
|
d004d8 |
/* FIXME. NSS doesn't support multiple databases open at the same time. */
|
|
|
d004d8 |
PR_Lock(nss_initlock);
|
|
|
d004d8 |
curlerr = nss_init(conn->data);
|
|
|
d004d8 |
@@ -1468,7 +1496,7 @@ static CURLcode nss_setup_connect(struct connectdata *conn, int sockindex)
|
|
|
d004d8 |
}
|
|
|
d004d8 |
|
|
|
d004d8 |
if(data->set.ssl.CRLfile) {
|
|
|
d004d8 |
- const CURLcode rv = nss_load_crl(data->set.ssl.CRLfile);
|
|
|
d004d8 |
+ const CURLcode rv = nss_load_crl(connssl, data->set.ssl.CRLfile);
|
|
|
d004d8 |
if(CURLE_OK != rv) {
|
|
|
d004d8 |
curlerr = rv;
|
|
|
d004d8 |
goto error;
|
|
|
d004d8 |
diff --git a/lib/urldata.h b/lib/urldata.h
|
|
|
d004d8 |
index f4c6222..3624af1 100644
|
|
|
d004d8 |
--- a/lib/urldata.h
|
|
|
d004d8 |
+++ b/lib/urldata.h
|
|
|
d004d8 |
@@ -301,6 +301,7 @@ struct ssl_connect_data {
|
|
|
d004d8 |
PRFileDesc *handle;
|
|
|
d004d8 |
char *client_nickname;
|
|
|
d004d8 |
struct SessionHandle *data;
|
|
|
d004d8 |
+ struct curl_llist *crl_list;
|
|
|
d004d8 |
struct curl_llist *obj_list;
|
|
|
d004d8 |
PK11GenericObject *obj_clicert;
|
|
|
d004d8 |
ssl_connect_state connecting_state;
|
|
|
--
2.13.5
From 6f93eefb3361e430274eb9e76ff84380289c6164 Mon Sep 17 00:00:00 2001
From: Kamil Dudka <kdudka@redhat.com>
Date: Fri, 4 Jul 2014 12:41:53 +0200
Subject: [PATCH 4/5] nss: make the list of CRL items global
Otherwise NSS could use an already freed item for another connection.
Upstream-commit: ca2aa61b66d684a1076d43025048f1a43d5755b6
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
lib/nss.c | 46 ++++++++++++++++++++++------------------------
lib/urldata.h | 1 -
2 files changed, 22 insertions(+), 25 deletions(-)
d004d8 |
diff --git a/lib/nss.c b/lib/nss.c
|
|
|
d004d8 |
index c3247c8..acbd09a 100644
|
|
|
d004d8 |
--- a/lib/nss.c
|
|
|
d004d8 |
+++ b/lib/nss.c
|
|
|
d004d8 |
@@ -77,6 +77,7 @@ PRFileDesc *PR_ImportTCPSocket(PRInt32 osfd);
|
|
|
d004d8 |
static PRLock *nss_initlock = NULL;
|
|
|
d004d8 |
static PRLock *nss_crllock = NULL;
|
|
|
d004d8 |
static PRLock *nss_findslot_lock = NULL;
|
|
|
d004d8 |
+struct curl_llist *nss_crl_list = NULL;
|
|
|
d004d8 |
NSSInitContext * nss_context = NULL;
|
|
|
d004d8 |
|
|
|
d004d8 |
volatile int initialized = 0;
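Review bot: `struct curl_llist *nss_crl_list = NULL;` is defined with external linkage while the three lock pointers right above it are `static`; the list is only touched inside lib/nss.c, so it should be `static struct curl_llist *nss_crl_list = NULL;` to keep the symbol out of the library's exported namespace and rule out a link-time clash with any other definition of that name. The `NSSInitContext * nss_context` definition below has the same problem, but that is pre-existing and outside this change.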
|
|
|
d004d8 |
@@ -471,7 +472,7 @@ static CURLcode nss_load_cert(struct ssl_connect_data *ssl,
|
|
|
d004d8 |
}
|
|
|
d004d8 |
|
|
|
d004d8 |
/* add given CRL to cache if it is not already there */
|
|
|
d004d8 |
-static CURLcode nss_cache_crl(struct ssl_connect_data *ssl, SECItem *crl_der)
|
|
|
d004d8 |
+static CURLcode nss_cache_crl(SECItem *crl_der)
|
|
|
d004d8 |
{
|
|
|
d004d8 |
CERTCertDBHandle *db = CERT_GetDefaultCertDB();
|
|
|
d004d8 |
CERTSignedCrl *crl = SEC_FindCrlByDERCert(db, crl_der, 0);
|
|
|
d004d8 |
@@ -482,14 +483,16 @@ static CURLcode nss_cache_crl(struct ssl_connect_data *ssl, SECItem *crl_der)
|
|
|
d004d8 |
return CURLE_SSL_CRL_BADFILE;
|
|
|
d004d8 |
}
|
|
|
d004d8 |
|
|
|
d004d8 |
- /* store the CRL item so that we can free it in Curl_nss_close() */
|
|
|
d004d8 |
- if(!Curl_llist_insert_next(ssl->crl_list, ssl->crl_list->tail, crl_der)) {
|
|
|
d004d8 |
- SECITEM_FreeItem(crl_der, PR_FALSE);
|
|
|
d004d8 |
+ /* acquire lock before call of CERT_CacheCRL() and accessing nss_crl_list */
|
|
|
d004d8 |
+ PR_Lock(nss_crllock);
|
|
|
d004d8 |
+
|
|
|
d004d8 |
+ /* store the CRL item so that we can free it in Curl_nss_cleanup() */
|
|
|
d004d8 |
+ if(!Curl_llist_insert_next(nss_crl_list, nss_crl_list->tail, crl_der)) {
|
|
|
d004d8 |
+ SECITEM_FreeItem(crl_der, PR_TRUE);
|
|
|
d004d8 |
+ PR_Unlock(nss_crllock);
|
|
|
d004d8 |
return CURLE_OUT_OF_MEMORY;
|
|
|
d004d8 |
}
|
|
|
d004d8 |
|
|
|
d004d8 |
- /* acquire lock before call of CERT_CacheCRL() */
|
|
|
d004d8 |
- PR_Lock(nss_crllock);
|
|
|
d004d8 |
if(SECSuccess != CERT_CacheCRL(db, crl_der)) {
|
|
|
d004d8 |
/* unable to cache CRL */
|
|
|
d004d8 |
PR_Unlock(nss_crllock);
|
|
|
d004d8 |
@@ -502,8 +505,7 @@ static CURLcode nss_cache_crl(struct ssl_connect_data *ssl, SECItem *crl_der)
|
|
|
d004d8 |
return CURLE_OK;
|
|
|
d004d8 |
}
|
|
|
d004d8 |
|
|
|
d004d8 |
-static CURLcode nss_load_crl(struct ssl_connect_data *connssl,
|
|
|
d004d8 |
- const char* crlfilename)
|
|
|
d004d8 |
+static CURLcode nss_load_crl(const char* crlfilename)
|
|
|
d004d8 |
{
|
|
|
d004d8 |
PRFileDesc *infile;
|
|
|
d004d8 |
PRFileInfo info;
|
|
|
d004d8 |
@@ -558,7 +560,7 @@ static CURLcode nss_load_crl(struct ssl_connect_data *connssl,
|
|
|
d004d8 |
*crl_der = filedata;
|
|
|
d004d8 |
|
|
|
d004d8 |
PR_Close(infile);
|
|
|
d004d8 |
- return nss_cache_crl(connssl, crl_der);
|
|
|
d004d8 |
+ return nss_cache_crl(crl_der);
|
|
|
d004d8 |
|
|
|
d004d8 |
fail:
|
|
|
d004d8 |
PR_Close(infile);
|
|
|
d004d8 |
@@ -996,6 +998,11 @@ static CURLcode nss_init(struct SessionHandle *data)
|
|
|
d004d8 |
if(initialized)
|
|
|
d004d8 |
return CURLE_OK;
|
|
|
d004d8 |
|
|
|
d004d8 |
+ /* list of all CRL items we need to destroy in Curl_nss_cleanup() */
|
|
|
d004d8 |
+ nss_crl_list = Curl_llist_alloc(nss_destroy_crl_item);
|
|
|
d004d8 |
+ if(!nss_crl_list)
|
|
|
d004d8 |
+ return CURLE_OUT_OF_MEMORY;
|
|
|
d004d8 |
+
|
|
|
d004d8 |
/* First we check if $SSL_DIR points to a valid dir */
|
|
|
d004d8 |
cert_dir = getenv("SSL_DIR");
|
|
|
d004d8 |
if(cert_dir) {
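Review bot: nss_crl_list is allocated before the remaining initialisation steps run and `initialized` is still 0 at this point; if a later step in nss_init fails (the rest of the function is outside this hunk), the next call re-enters this path and `Curl_llist_alloc` overwrites the previous list, leaking it. Either move the allocation after the steps that can fail, or free and NULL the list on nss_init's error path. It is also worth confirming that Curl_nss_cleanup tolerates nss_crl_list still being NULL when nss_init never reached this point, which holds only if Curl_llist_destroy checks its list argument for NULL.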
|
|
|
d004d8 |
@@ -1096,6 +1103,11 @@ void Curl_nss_cleanup(void)
|
|
|
d004d8 |
NSS_ShutdownContext(nss_context);
|
|
|
d004d8 |
nss_context = NULL;
|
|
|
d004d8 |
}
|
|
|
d004d8 |
+
|
|
|
d004d8 |
+ /* destroy all CRL items */
|
|
|
d004d8 |
+ Curl_llist_destroy(nss_crl_list, NULL);
|
|
|
d004d8 |
+ nss_crl_list = NULL;
|
|
|
d004d8 |
+
|
|
|
d004d8 |
PR_Unlock(nss_initlock);
|
|
|
d004d8 |
|
|
|
d004d8 |
PR_DestroyLock(nss_initlock);
|
|
|
d004d8 |
@@ -1161,10 +1173,6 @@ void Curl_nss_close(struct connectdata *conn, int sockindex)
|
|
|
d004d8 |
connssl->obj_list = NULL;
|
|
|
d004d8 |
connssl->obj_clicert = NULL;
|
|
|
d004d8 |
|
|
|
d004d8 |
- /* destroy all CRL items */
|
|
|
d004d8 |
- Curl_llist_destroy(connssl->crl_list, NULL);
|
|
|
d004d8 |
- connssl->crl_list = NULL;
|
|
|
d004d8 |
-
|
|
|
d004d8 |
PR_Close(connssl->handle);
|
|
|
d004d8 |
connssl->handle = NULL;
|
|
|
d004d8 |
}
|
|
|
d004d8 |
@@ -1343,8 +1351,6 @@ static CURLcode nss_fail_connect(struct ssl_connect_data *connssl,
|
|
|
d004d8 |
/* cleanup on connection failure */
|
|
|
d004d8 |
Curl_llist_destroy(connssl->obj_list, NULL);
|
|
|
d004d8 |
connssl->obj_list = NULL;
|
|
|
d004d8 |
- Curl_llist_destroy(connssl->crl_list, NULL);
|
|
|
d004d8 |
- connssl->crl_list = NULL;
|
|
|
d004d8 |
return curlerr;
|
|
|
d004d8 |
}
|
|
|
d004d8 |
|
|
|
d004d8 |
@@ -1387,14 +1393,6 @@ static CURLcode nss_setup_connect(struct connectdata *conn, int sockindex)
|
|
|
d004d8 |
if(!connssl->obj_list)
|
|
|
d004d8 |
return CURLE_OUT_OF_MEMORY;
|
|
|
d004d8 |
|
|
|
d004d8 |
- /* list of all CRL items we need to destroy in Curl_nss_close() */
|
|
|
d004d8 |
- connssl->crl_list = Curl_llist_alloc(nss_destroy_crl_item);
|
|
|
d004d8 |
- if(!connssl->crl_list) {
|
|
|
d004d8 |
- Curl_llist_destroy(connssl->obj_list, NULL);
|
|
|
d004d8 |
- connssl->obj_list = NULL;
|
|
|
d004d8 |
- return CURLE_OUT_OF_MEMORY;
|
|
|
d004d8 |
- }
|
|
|
d004d8 |
-
|
|
|
d004d8 |
/* FIXME. NSS doesn't support multiple databases open at the same time. */
|
|
|
d004d8 |
PR_Lock(nss_initlock);
|
|
|
d004d8 |
curlerr = nss_init(conn->data);
|
|
|
d004d8 |
@@ -1496,7 +1494,7 @@ static CURLcode nss_setup_connect(struct connectdata *conn, int sockindex)
|
|
|
d004d8 |
}
|
|
|
d004d8 |
|
|
|
d004d8 |
if(data->set.ssl.CRLfile) {
|
|
|
d004d8 |
- const CURLcode rv = nss_load_crl(connssl, data->set.ssl.CRLfile);
|
|
|
d004d8 |
+ const CURLcode rv = nss_load_crl(data->set.ssl.CRLfile);
|
|
|
d004d8 |
if(CURLE_OK != rv) {
|
|
|
d004d8 |
curlerr = rv;
|
|
|
d004d8 |
goto error;
|
|
|
d004d8 |
diff --git a/lib/urldata.h b/lib/urldata.h
|
|
|
d004d8 |
index 3624af1..f4c6222 100644
|
|
|
d004d8 |
--- a/lib/urldata.h
|
|
|
d004d8 |
+++ b/lib/urldata.h
|
|
|
d004d8 |
@@ -301,7 +301,6 @@ struct ssl_connect_data {
|
|
|
d004d8 |
PRFileDesc *handle;
|
|
|
d004d8 |
char *client_nickname;
|
|
|
d004d8 |
struct SessionHandle *data;
|
|
|
d004d8 |
- struct curl_llist *crl_list;
|
|
|
d004d8 |
struct curl_llist *obj_list;
|
|
|
d004d8 |
PK11GenericObject *obj_clicert;
|
|
|
d004d8 |
ssl_connect_state connecting_state;
|
|
|
--
2.13.5
From de0742d4141ede4d1849ff1ebffd820faea53ad7 Mon Sep 17 00:00:00 2001
From: Kamil Dudka <kdudka@redhat.com>
Date: Wed, 8 Oct 2014 17:13:59 +0200
Subject: [PATCH 5/5] nss: do not fail if a CRL is already cached
This fixes a copy-paste mistake from commit 2968f957.
Upstream-commit: 9e37a7f9a5cd141c717aa0262e8dee7713c25200
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
lib/nss.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
d004d8 |
diff --git a/lib/nss.c b/lib/nss.c
|
|
|
d004d8 |
index acbd09a..1b8abd3 100644
|
|
|
d004d8 |
--- a/lib/nss.c
|
|
|
d004d8 |
+++ b/lib/nss.c
|
|
|
d004d8 |
@@ -480,7 +480,7 @@ static CURLcode nss_cache_crl(SECItem *crl_der)
|
|
|
d004d8 |
/* CRL already cached */
|
|
|
d004d8 |
SEC_DestroyCrl(crl);
|
|
|
d004d8 |
SECITEM_FreeItem(crl_der, PR_TRUE);
|
|
|
d004d8 |
- return CURLE_SSL_CRL_BADFILE;
|
|
|
d004d8 |
+ return CURLE_OK;
|
|
|
d004d8 |
}
|
|
|
d004d8 |
|
|
|
d004d8 |
/* acquire lock before call of CERT_CacheCRL() and accessing nss_crl_list */
|
|
|
--
2.13.5