
nss: only cache valid CRL entries

Change the logic such that we only keep around, for later deletion, the CRLs
that NSS actually ended up caching.  If CERT_CacheCRL() fails
then there is little point in delaying the freeing of the CRL as it
is not used.

Closes #4053
danielgustafsson authored and jay committed Jun 20, 2019
1 parent cf4255c commit 2028a1a977e91e5eae4852a778ab67bda3d3b9ad
Showing with 8 additions and 6 deletions.
  1. +8 −6 lib/vtls/nss.c
@@ -578,17 +578,19 @@ static CURLcode nss_cache_crl(SECItem *crl_der)
/* acquire lock before call of CERT_CacheCRL() and accessing nss_crl_list */
PR_Lock(nss_crllock);

/* store the CRL item so that we can free it in Curl_nss_cleanup() */
if(insert_wrapped_ptr(&nss_crl_list, crl_der) != CURLE_OK) {
if(SECSuccess != CERT_CacheCRL(db, crl_der)) {
/* unable to cache CRL */
SECITEM_FreeItem(crl_der, PR_TRUE);
PR_Unlock(nss_crllock);
return CURLE_OUT_OF_MEMORY;
return CURLE_SSL_CRL_BADFILE;
}

if(SECSuccess != CERT_CacheCRL(db, crl_der)) {
/* unable to cache CRL */
/* store the CRL item so that we can free it in Curl_nss_cleanup() */
if(insert_wrapped_ptr(&nss_crl_list, crl_der) != CURLE_OK) {
if(SECSuccess == CERT_UncacheCRL(db, crl_der))
SECITEM_FreeItem(crl_der, PR_TRUE);
PR_Unlock(nss_crllock);
return CURLE_SSL_CRL_BADFILE;
return CURLE_OUT_OF_MEMORY;
}

/* we need to clear session cache, so that the CRL could take effect */
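Review bot: The CERT_UncacheCRL() failure branch inside the insert_wrapped_ptr() error path deliberately leaves crl_der allocated, because NSS still holds the cached CRL and freeing the item would leave the cache with a dangling reference, but nothing at the site says so; a comment such as `/* uncache failed: NSS still references crl_der, so leak it rather than free it */` placed after the CERT_UncacheCRL() check would keep a later maintainer from "fixing" the apparent leak. The SECITEM_FreeItem() after a failed CERT_CacheCRL() relies on NSS not retaining a reference to the DER item when the call fails, which is an NSS contract rather than anything visible in this hunk, so it is worth stating in the existing `/* unable to cache CRL */` comment. Since both error paths now consume crl_der, the function's contract has become that it takes ownership of the item on every return, success or failure; nss_cache_crl() begins before this hunk, and its header comment should say that callers must not free crl_der after a failure.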

