diff options
| author | Kamil Dudka <kdudka@redhat.com> | 2010-05-11 14:10:27 +0200 | 
|---|---|---|
| committer | Kamil Dudka <kdudka@redhat.com> | 2010-05-11 14:37:43 +0200 | 
| commit | 2e8b21833a581cc5389833ec4fdeeaa6fb7be538 (patch) | |
| tree | ca8e56355c51c11873a764751335f702eade28ef | |
| parent | 54b0e87796b2bd84399e4d3db75fbb7760c3703d (diff) | |
nss: add CRL to cache instead of read-only NSS db
| -rw-r--r-- | lib/nss.c | 42 | 
1 files changed, 30 insertions, 12 deletions
| @@ -63,6 +63,7 @@  #include <secport.h>  #include <certdb.h>  #include <base64.h> +#include <cert.h>  #include "curl_memory.h"  #include "rawstr.h" @@ -79,6 +80,7 @@  PRFileDesc *PR_ImportTCPSocket(PRInt32 osfd);  PRLock * nss_initlock = NULL; +PRLock * nss_crllock = NULL;  volatile int initialized = 0; @@ -411,6 +413,31 @@ static int nss_load_cert(struct ssl_connect_data *ssl,    return 1;  } +/* add given CRL to cache if it is not already there */ +static SECStatus nss_cache_crl(SECItem *crlDER) +{ +  CERTCertDBHandle *db = CERT_GetDefaultCertDB(); +  CERTSignedCrl *crl = SEC_FindCrlByDERCert(db, crlDER, 0); +  if(crl) { +    /* CRL already cached */ +    SEC_DestroyCrl(crl); +    return SECSuccess; +  } + +  /* acquire lock before call of CERT_CacheCRL() */ +  PR_Lock(nss_crllock); +  if(SECSuccess != CERT_CacheCRL(db, crlDER)) { +    /* unable to cache CRL */ +    PR_Unlock(nss_crllock); +    return SECFailure; +  } + +  /* we need to clear session cache, so that the CRL could take effect */ +  SSL_ClearSessionCache(); +  PR_Unlock(nss_crllock); +  return SECSuccess; +} +  static int nss_load_crl(const char* crlfilename, PRBool ascii)  {    PRFileDesc *infile; @@ -419,8 +446,6 @@ static int nss_load_crl(const char* crlfilename, PRBool ascii)    PRInt32     nb;    int rv;    SECItem crlDER; -  CERTSignedCrl *crl=NULL; -  PK11SlotInfo *slot=NULL;    infile = PR_Open(crlfilename,PR_RDONLY,0);    if (!infile) { @@ -473,16 +498,7 @@ static int nss_load_crl(const char* crlfilename, PRBool ascii)        return 0;    } -  slot = PK11_GetInternalKeySlot(); -  crl  = PK11_ImportCRL(slot,&crlDER, -                        NULL,SEC_CRL_TYPE, -                        NULL,CRL_IMPORT_DEFAULT_OPTIONS, -                        NULL,(CRL_DECODE_DEFAULT_OPTIONS| -                              CRL_DECODE_DONT_COPY_DER)); -  if (slot) PK11_FreeSlot(slot); -  if (!crl) return 0; -  SEC_DestroyCrl(crl); -  return 1; +  return (SECSuccess == nss_cache_crl(&crlDER));  }  static int nss_load_key(struct connectdata *conn, int sockindex, @@ -889,6 +905,7 @@ int Curl_nss_init(void)    if (nss_initlock == NULL) {      PR_Init(PR_USER_THREAD, PR_PRIORITY_NORMAL, 256);      nss_initlock = PR_NewLock(); +    nss_crllock = PR_NewLock();    }    /* We will actually initialize NSS later */ @@ -918,6 +935,7 @@ void Curl_nss_cleanup(void)    PR_Unlock(nss_initlock);    PR_DestroyLock(nss_initlock); +  PR_DestroyLock(nss_crllock);    nss_initlock = NULL;    initialized = 0; | 
