From 2028a1a977e91e5eae4852a778ab67bda3d3b9ad Mon Sep 17 00:00:00 2001 From: Daniel Gustafsson Date: Thu, 20 Jun 2019 12:11:59 +0200 Subject: nss: only cache valid CRL entries Change the logic around such that we only keep CRLs that NSS actually ended up caching around for later deletion. If CERT_CacheCRL() fails then there is little point in delaying the freeing of the CRL as it is not used. Closes https://github.com/curl/curl/pull/4053 --- lib/vtls/nss.c | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c index 3125f0b70..7a5213b2b 100644 --- a/lib/vtls/nss.c +++ b/lib/vtls/nss.c @@ -578,17 +578,19 @@ static CURLcode nss_cache_crl(SECItem *crl_der) /* acquire lock before call of CERT_CacheCRL() and accessing nss_crl_list */ PR_Lock(nss_crllock); - /* store the CRL item so that we can free it in Curl_nss_cleanup() */ - if(insert_wrapped_ptr(&nss_crl_list, crl_der) != CURLE_OK) { + if(SECSuccess != CERT_CacheCRL(db, crl_der)) { + /* unable to cache CRL */ SECITEM_FreeItem(crl_der, PR_TRUE); PR_Unlock(nss_crllock); - return CURLE_OUT_OF_MEMORY; + return CURLE_SSL_CRL_BADFILE; } - if(SECSuccess != CERT_CacheCRL(db, crl_der)) { - /* unable to cache CRL */ + /* store the CRL item so that we can free it in Curl_nss_cleanup() */ + if(insert_wrapped_ptr(&nss_crl_list, crl_der) != CURLE_OK) { + if(SECSuccess == CERT_UncacheCRL(db, crl_der)) + SECITEM_FreeItem(crl_der, PR_TRUE); PR_Unlock(nss_crllock); - return CURLE_SSL_CRL_BADFILE; + return CURLE_OUT_OF_MEMORY; } /* we need to clear session cache, so that the CRL could take effect */ -- cgit v1.2.3