nss: only cache valid CRL entries

Change the logic around such that we only keep CRLs that NSS actually ended up caching around for later deletion. If CERT_CacheCRL() fails then there is little point in delaying the freeing of the CRL as it is not used. Closes #4053
curl · Jul 7, 2019 · 2028a1a · 2028a1a
1 parent cf4255c
commit 2028a1a
Showing 1 changed file with 8 additions and 6 deletions.
diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c
@@ -578,17 +578,19 @@ static CURLcode nss_cache_crl(SECItem *crl_der)
   /* acquire lock before call of CERT_CacheCRL() and accessing nss_crl_list */
   PR_Lock(nss_crllock);
 
-  /* store the CRL item so that we can free it in Curl_nss_cleanup() */
+  if(SECSuccess != CERT_CacheCRL(db, crl_der)) {
-  if(insert_wrapped_ptr(&nss_crl_list, crl_der) != CURLE_OK) {
+    /* unable to cache CRL */
     SECITEM_FreeItem(crl_der, PR_TRUE);
     PR_Unlock(nss_crllock);
-    return CURLE_OUT_OF_MEMORY;
+    return CURLE_SSL_CRL_BADFILE;
   }
 
-  if(SECSuccess != CERT_CacheCRL(db, crl_der)) {
+  /* store the CRL item so that we can free it in Curl_nss_cleanup() */
-    /* unable to cache CRL */
+  if(insert_wrapped_ptr(&nss_crl_list, crl_der) != CURLE_OK) {
+    if(SECSuccess == CERT_UncacheCRL(db, crl_der))
+      SECITEM_FreeItem(crl_der, PR_TRUE);
     PR_Unlock(nss_crllock);
-    return CURLE_SSL_CRL_BADFILE;
+    return CURLE_OUT_OF_MEMORY;
   }
 
   /* we need to clear session cache, so that the CRL could take effect */