From 2e8b21833a581cc5389833ec4fdeeaa6fb7be538 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Tue, 11 May 2010 14:10:27 +0200 Subject: [PATCH] nss: add CRL to cache instead of read-only NSS db --- lib/nss.c | 42 ++++++++++++++++++++++++++++++------------ 1 file changed, 30 insertions(+), 12 deletions(-) diff --git a/lib/nss.c b/lib/nss.c index a2488d04b..b273b667b 100644 --- a/lib/nss.c +++ b/lib/nss.c @@ -63,6 +63,7 @@ #include #include #include +#include #include "curl_memory.h" #include "rawstr.h" @@ -79,6 +80,7 @@ PRFileDesc *PR_ImportTCPSocket(PRInt32 osfd); PRLock * nss_initlock = NULL; +PRLock * nss_crllock = NULL; volatile int initialized = 0; @@ -411,6 +413,31 @@ static int nss_load_cert(struct ssl_connect_data *ssl, return 1; } +/* add given CRL to cache if it is not already there */ +static SECStatus nss_cache_crl(SECItem *crlDER) +{ + CERTCertDBHandle *db = CERT_GetDefaultCertDB(); + CERTSignedCrl *crl = SEC_FindCrlByDERCert(db, crlDER, 0); + if(crl) { + /* CRL already cached */ + SEC_DestroyCrl(crl); + return SECSuccess; + } + + /* acquire lock before call of CERT_CacheCRL() */ + PR_Lock(nss_crllock); + if(SECSuccess != CERT_CacheCRL(db, crlDER)) { + /* unable to cache CRL */ + PR_Unlock(nss_crllock); + return SECFailure; + } + + /* we need to clear session cache, so that the CRL could take effect */ + SSL_ClearSessionCache(); + PR_Unlock(nss_crllock); + return SECSuccess; +} + static int nss_load_crl(const char* crlfilename, PRBool ascii) { PRFileDesc *infile; @@ -419,8 +446,6 @@ static int nss_load_crl(const char* crlfilename, PRBool ascii) PRInt32 nb; int rv; SECItem crlDER; - CERTSignedCrl *crl=NULL; - PK11SlotInfo *slot=NULL; infile = PR_Open(crlfilename,PR_RDONLY,0); if (!infile) { @@ -473,16 +498,7 @@ static int nss_load_crl(const char* crlfilename, PRBool ascii) return 0; } - slot = PK11_GetInternalKeySlot(); - crl = PK11_ImportCRL(slot,&crlDER, - NULL,SEC_CRL_TYPE, - NULL,CRL_IMPORT_DEFAULT_OPTIONS, - NULL,(CRL_DECODE_DEFAULT_OPTIONS| - CRL_DECODE_DONT_COPY_DER)); - if (slot) PK11_FreeSlot(slot); - if (!crl) return 0; - SEC_DestroyCrl(crl); - return 1; + return (SECSuccess == nss_cache_crl(&crlDER)); } static int nss_load_key(struct connectdata *conn, int sockindex, @@ -889,6 +905,7 @@ int Curl_nss_init(void) if (nss_initlock == NULL) { PR_Init(PR_USER_THREAD, PR_PRIORITY_NORMAL, 256); nss_initlock = PR_NewLock(); + nss_crllock = PR_NewLock(); } /* We will actually initialize NSS later */ @@ -918,6 +935,7 @@ void Curl_nss_cleanup(void) PR_Unlock(nss_initlock); PR_DestroyLock(nss_initlock); + PR_DestroyLock(nss_crllock); nss_initlock = NULL; initialized = 0;