From 49d801727856998cf6230f1a18d971649376d5a7 Mon Sep 17 00:00:00 2001 From: Peter Wang Date: Fri, 26 Aug 2016 16:28:39 +1000 Subject: [PATCH 1/2] nss: work around race condition in PK11_FindSlotByName() Serialise the call to PK11_FindSlotByName() to avoid spurious errors in a multi-threaded environment. The underlying cause is a race condition in nssSlot_IsTokenPresent(). Bug: https://bugzilla.mozilla.org/1297397 Closes #985 Upstream-commit: 3a5d5de9ef52ebe8ca2bda2165edc1b34c242e54 Signed-off-by: Kamil Dudka --- lib/nss.c | 26 +++++++++++++++++++++----- 1 file changed, 21 insertions(+), 5 deletions(-) diff --git a/lib/nss.c b/lib/nss.c index cf45f3a..3f88ea7 100644 --- a/lib/nss.c +++ b/lib/nss.c @@ -74,8 +74,9 @@ PRFileDesc *PR_ImportTCPSocket(PRInt32 osfd); -PRLock * nss_initlock = NULL; -PRLock * nss_crllock = NULL; +static PRLock *nss_initlock = NULL; +static PRLock *nss_crllock = NULL; +static PRLock *nss_findslot_lock = NULL; NSSInitContext * nss_context = NULL; volatile int initialized = 0; @@ -347,6 +348,19 @@ static char* dup_nickname(struct SessionHandle *data, enum dupstring cert_kind) return NULL; } +/* Lock/unlock wrapper for PK11_FindSlotByName() to work around race condition + * in nssSlot_IsTokenPresent() causing spurious SEC_ERROR_NO_TOKEN. For more + * details, go to . + */ +static PK11SlotInfo* nss_find_slot_by_name(const char *slot_name) +{ + PK11SlotInfo *slot; + PR_Lock(nss_initlock); + slot = PK11_FindSlotByName(slot_name); + PR_Unlock(nss_initlock); + return slot; +} + /* Call PK11_CreateGenericObject() with the given obj_class and filename. If * the call succeeds, append the object handle to the list of objects so that * the object can be destroyed in Curl_nss_close(). */ @@ -369,7 +383,7 @@ static CURLcode nss_create_object(struct ssl_connect_data *ssl, if(!slot_name) return CURLE_OUT_OF_MEMORY; - slot = PK11_FindSlotByName(slot_name); + slot = nss_find_slot_by_name(slot_name); free(slot_name); if(!slot) return err; @@ -549,7 +563,7 @@ static CURLcode nss_load_key(struct connectdata *conn, int sockindex, return rv; } - slot = PK11_FindSlotByName("PEM Token #1"); + slot = nss_find_slot_by_name("PEM Token #1"); if(!slot) return CURLE_SSL_CERTPROBLEM; @@ -788,7 +802,7 @@ static SECStatus SelectClientCert(void *arg, PRFileDesc *sock, struct CERTCertificateStr *cert; struct SECKEYPrivateKeyStr *key; - PK11SlotInfo *slot = PK11_FindSlotByName(pem_slotname); + PK11SlotInfo *slot = nss_find_slot_by_name(pem_slotname); if(NULL == slot) { failf(data, "NSS: PK11 slot not found: %s", pem_slotname); return SECFailure; @@ -1017,6 +1031,7 @@ int Curl_nss_init(void) PR_Init(PR_USER_THREAD, PR_PRIORITY_NORMAL, 256); nss_initlock = PR_NewLock(); nss_crllock = PR_NewLock(); + nss_findslot_lock = PR_NewLock(); } /* We will actually initialize NSS later */ @@ -1064,6 +1079,7 @@ void Curl_nss_cleanup(void) PR_DestroyLock(nss_initlock); PR_DestroyLock(nss_crllock); + PR_DestroyLock(nss_findslot_lock); nss_initlock = NULL; initialized = 0; -- 2.9.3 From 610ca3bc8549cf907147b22c67c0062225ec58a7 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Sun, 15 Jan 2017 13:10:43 +0100 Subject: [PATCH 2/2] nss: use the correct lock in nss_find_slot_by_name() Upstream-commit: 25ed9ea51257c0561237d1b725c4ff3d59b3f32c Signed-off-by: Kamil Dudka --- lib/nss.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/nss.c b/lib/nss.c index 3f88ea7..9e0e373 100644 --- a/lib/nss.c +++ b/lib/nss.c @@ -355,9 +355,9 @@ static char* dup_nickname(struct SessionHandle *data, enum dupstring cert_kind) static PK11SlotInfo* nss_find_slot_by_name(const char *slot_name) { PK11SlotInfo *slot; - PR_Lock(nss_initlock); + PR_Lock(nss_findslot_lock); slot = PK11_FindSlotByName(slot_name); - PR_Unlock(nss_initlock); + PR_Unlock(nss_findslot_lock); return slot; } -- 2.9.3