generic-library/curl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

nss: add CRL to cache instead of read-only NSS db

Browse Source
This commit is contained in:
Kamil Dudka 2010-05-11 14:10:27 +02:00
parent 54b0e87796
commit 2e8b21833a
1 changed files with 30 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

42
lib/nss.c
View File

@ -63,6 +63,7 @@
#include <secport.h> #include <secport.h>
#include <certdb.h> #include <certdb.h>
#include <base64.h> #include <base64.h>
#include <cert.h>
#include "curl_memory.h" #include "curl_memory.h"
#include "rawstr.h" #include "rawstr.h"
@ -79,6 +80,7 @@
PRFileDesc *PR_ImportTCPSocket(PRInt32 osfd); PRFileDesc *PR_ImportTCPSocket(PRInt32 osfd);
PRLock * nss_initlock = NULL; PRLock * nss_initlock = NULL;
PRLock * nss_crllock = NULL;
volatile int initialized = 0; volatile int initialized = 0;
@ -411,6 +413,31 @@ static int nss_load_cert(struct ssl_connect_data *ssl,
return 1; return 1;
} }
/* add given CRL to cache if it is not already there */
static SECStatus nss_cache_crl(SECItem *crlDER)
{
CERTCertDBHandle *db = CERT_GetDefaultCertDB();
CERTSignedCrl *crl = SEC_FindCrlByDERCert(db, crlDER, 0);
if(crl) {
/* CRL already cached */
SEC_DestroyCrl(crl);
return SECSuccess;
}
/* acquire lock before call of CERT_CacheCRL() */
PR_Lock(nss_crllock);
if(SECSuccess != CERT_CacheCRL(db, crlDER)) {
/* unable to cache CRL */
PR_Unlock(nss_crllock);
return SECFailure;
}
/* we need to clear session cache, so that the CRL could take effect */
SSL_ClearSessionCache();
PR_Unlock(nss_crllock);
return SECSuccess;
}
static int nss_load_crl(const char* crlfilename, PRBool ascii) static int nss_load_crl(const char* crlfilename, PRBool ascii)
{ {
PRFileDesc *infile; PRFileDesc *infile;
@ -419,8 +446,6 @@ static int nss_load_crl(const char* crlfilename, PRBool ascii)
PRInt32 nb; PRInt32 nb;
int rv; int rv;
SECItem crlDER; SECItem crlDER;
CERTSignedCrl *crl=NULL;
PK11SlotInfo *slot=NULL;
infile = PR_Open(crlfilename,PR_RDONLY,0); infile = PR_Open(crlfilename,PR_RDONLY,0);
if (!infile) { if (!infile) {
@ -473,16 +498,7 @@ static int nss_load_crl(const char* crlfilename, PRBool ascii)
return 0; return 0;
} }
slot = PK11_GetInternalKeySlot(); return (SECSuccess == nss_cache_crl(&crlDER));
crl = PK11_ImportCRL(slot,&crlDER,
NULL,SEC_CRL_TYPE,
NULL,CRL_IMPORT_DEFAULT_OPTIONS,
NULL,(CRL_DECODE_DEFAULT_OPTIONS|
CRL_DECODE_DONT_COPY_DER));
if (slot) PK11_FreeSlot(slot);
if (!crl) return 0;
SEC_DestroyCrl(crl);
return 1;
} }
static int nss_load_key(struct connectdata *conn, int sockindex, static int nss_load_key(struct connectdata *conn, int sockindex,
@ -889,6 +905,7 @@ int Curl_nss_init(void)
if (nss_initlock == NULL) { if (nss_initlock == NULL) {
PR_Init(PR_USER_THREAD, PR_PRIORITY_NORMAL, 256); PR_Init(PR_USER_THREAD, PR_PRIORITY_NORMAL, 256);
nss_initlock = PR_NewLock(); nss_initlock = PR_NewLock();
nss_crllock = PR_NewLock();
} }
/* We will actually initialize NSS later */ /* We will actually initialize NSS later */
@ -918,6 +935,7 @@ void Curl_nss_cleanup(void)
PR_Unlock(nss_initlock); PR_Unlock(nss_initlock);
PR_DestroyLock(nss_initlock); PR_DestroyLock(nss_initlock);
PR_DestroyLock(nss_crllock);
nss_initlock = NULL; nss_initlock = NULL;
initialized = 0; initialized = 0;