aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDaniel Gustafsson <daniel@yesql.se>2019-06-20 12:11:59 +0200
committerJay Satiro <raysatiro@yahoo.com>2019-07-06 23:32:39 -0400
commit2028a1a977e91e5eae4852a778ab67bda3d3b9ad (patch)
tree26be812203a81c54984a52299b052d7f7667532b
parentcf4255c8476ba919456a69099d02245419ff6ac3 (diff)
nss: only cache valid CRL entries
Change the logic around such that we only keep CRLs that NSS actually ended up caching around for later deletion. If CERT_CacheCRL() fails then there is little point in delaying the freeing of the CRL as it is not used. Closes https://github.com/curl/curl/pull/4053
-rw-r--r--lib/vtls/nss.c14
1 files changed, 8 insertions, 6 deletions
diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c
index 3125f0b70..7a5213b2b 100644
--- a/lib/vtls/nss.c
+++ b/lib/vtls/nss.c
@@ -578,17 +578,19 @@ static CURLcode nss_cache_crl(SECItem *crl_der)
/* acquire lock before call of CERT_CacheCRL() and accessing nss_crl_list */
PR_Lock(nss_crllock);
- /* store the CRL item so that we can free it in Curl_nss_cleanup() */
- if(insert_wrapped_ptr(&nss_crl_list, crl_der) != CURLE_OK) {
+ if(SECSuccess != CERT_CacheCRL(db, crl_der)) {
+ /* unable to cache CRL */
SECITEM_FreeItem(crl_der, PR_TRUE);
PR_Unlock(nss_crllock);
- return CURLE_OUT_OF_MEMORY;
+ return CURLE_SSL_CRL_BADFILE;
}
- if(SECSuccess != CERT_CacheCRL(db, crl_der)) {
- /* unable to cache CRL */
+ /* store the CRL item so that we can free it in Curl_nss_cleanup() */
+ if(insert_wrapped_ptr(&nss_crl_list, crl_der) != CURLE_OK) {
+ if(SECSuccess == CERT_UncacheCRL(db, crl_der))
+ SECITEM_FreeItem(crl_der, PR_TRUE);
PR_Unlock(nss_crllock);
- return CURLE_SSL_CRL_BADFILE;
+ return CURLE_OUT_OF_MEMORY;
}
/* we need to clear session cache, so that the CRL could take effect */