From a8413cbc84cf08b1e90edfae7a088ac459a39b4f Mon Sep 17 00:00:00 2001
From: Nalin Dahyabhai
Date: Mon, 27 Sep 2010 21:50:51 -0400
Subject: [PATCH 009/150] - CA and CRLs get loaded every time we process identity args, so they probably need to get stored in the identity context to keep the life cycle sane

---
 src/plugins/preauth/pkinit/pkinit_crypto_nss.c | 34 +++++++++++++++--------
 1 files changed, 22 insertions(+), 12 deletions(-)

diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_nss.c b/src/plugins/preauth/pkinit/pkinit_crypto_nss.c
index 3556e5b..d737192 100644
--- a/src/plugins/preauth/pkinit/pkinit_crypto_nss.c
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_nss.c
@@ -52,7 +52,6 @@ struct _pkinit_plg_crypto_context {
 PLArenaPool *pool;
 NSSInitContext *ncontext;
- CERTCertList *ca_certs, *other_certs;
 };
 struct _pkinit_req_crypto_context {
@@ -65,7 +64,7 @@ struct _pkinit_identity_crypto_context {
 PLArenaPool *pool;
 PK11SlotList *slots;
 PK11SlotInfo *slot;
- CERTCertList *certs;
+ CERTCertList *id_certs, *ca_certs, *other_certs;
 CERTCertificate *cert;
 krb5_prompter_fct prompter;
 void *prompter_data;
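Review bot: The new `id_certs, ca_certs, other_certs` members of `_pkinit_identity_crypto_context` carry no ownership comment, although moving ownership of these lists is the whole point of the commit. I would document it at the declaration, e.g. `/* Owned by this context: created in pkinit_init_identity_crypto(), destroyed in pkinit_fini_identity_crypto(); ca_certs is the list create_krb5_trustedCertifiers() advertises. */`. What separates `id_certs` from `other_certs` is not visible in this patch, so the comment should spell that out once the split is settled.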
@@ -228,10 +227,23 @@ pkinit_init_identity_crypto(pkinit_identity_crypto_context *id_cryptoctx)
 *id_cryptoctx = PORT_ArenaZAlloc(pool, sizeof(*id_cryptoctx));
 if (*id_cryptoctx != NULL) {
 (*id_cryptoctx)->pool = pool;
- (*id_cryptoctx)->certs = CERT_NewCertList();
- if ((*id_cryptoctx)->certs != NULL) {
+ (*id_cryptoctx)->id_certs = CERT_NewCertList();
+ (*id_cryptoctx)->ca_certs = CERT_NewCertList();
+ (*id_cryptoctx)->other_certs = CERT_NewCertList();
+ if (((*id_cryptoctx)->id_certs != NULL) &&
+ ((*id_cryptoctx)->ca_certs != NULL) &&
+ ((*id_cryptoctx)->other_certs != NULL)) {
 return 0;
 }
+ if ((*id_cryptoctx)->other_certs != NULL) {
+ CERT_DestroyCertList((*id_cryptoctx)->other_certs);
+ }
+ if ((*id_cryptoctx)->ca_certs != NULL) {
+ CERT_DestroyCertList((*id_cryptoctx)->ca_certs);
+ }
+ if ((*id_cryptoctx)->id_certs != NULL) {
+ CERT_DestroyCertList((*id_cryptoctx)->id_certs);
+ }
 }
 PORT_FreeArena(pool, PR_TRUE);
 }
@@ -241,7 +253,9 @@ pkinit_init_identity_crypto(pkinit_identity_crypto_context *id_cryptoctx)
 void
 pkinit_fini_identity_crypto(pkinit_identity_crypto_context id_cryptoctx)
 {
- CERT_DestroyCertList(id_cryptoctx->certs);
+ CERT_DestroyCertList(id_cryptoctx->other_certs);
+ CERT_DestroyCertList(id_cryptoctx->ca_certs);
+ CERT_DestroyCertList(id_cryptoctx->id_certs);
 PORT_FreeArena(id_cryptoctx->pool, PR_TRUE);
 }
@@ -261,8 +275,6 @@ pkinit_init_plg_crypto(pkinit_plg_crypto_context *plg_cryptoctx)
 NULL, 0);
 if ((*plg_cryptoctx)->ncontext != NULL) {
- (*plg_cryptoctx)->ca_certs = CERT_NewCertList();
- (*plg_cryptoctx)->other_certs = CERT_NewCertList();
 return 0;
 }
 }
@@ -274,8 +286,6 @@ pkinit_init_plg_crypto(pkinit_plg_crypto_context *plg_cryptoctx)
 void
 pkinit_fini_plg_crypto(pkinit_plg_crypto_context plg_cryptoctx)
 {
- CERT_DestroyCertList(plg_cryptoctx->other_certs);
- CERT_DestroyCertList(plg_cryptoctx->ca_certs);
 NSS_ShutdownContext(plg_cryptoctx->ncontext);
 PORT_FreeArena(plg_cryptoctx->pool, PR_TRUE);
 }
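Review bot: On the new failure path in `pkinit_init_identity_crypto`, after the three guarded `CERT_DestroyCertList` calls, control falls through to the existing `PORT_FreeArena(pool, PR_TRUE)` while `*id_cryptoctx` still points into that arena; unless the code after the hunk resets it, the caller gets a dangling context pointer together with the error. I would add `*id_cryptoctx = NULL;` next to the `PORT_FreeArena` call, so every exit that frees the arena also clears the out-parameter. The function's return statement is outside the hunk, so I cannot see which error code is handed back on this path.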
@@ -893,8 +903,8 @@ create_krb5_trustedCertifiers(krb5_context context,
 /* Count the root certs. */
 n = 0;
- if (!CERT_LIST_EMPTY(plg_cryptoctx->ca_certs)) {
- for (n = 0, node = CERT_LIST_HEAD(plg_cryptoctx->ca_certs);
+ if (!CERT_LIST_EMPTY(id_cryptoctx->ca_certs)) {
+ for (n = 0, node = CERT_LIST_HEAD(id_cryptoctx->ca_certs);
 (node != NULL) && (node->cert != NULL);
 node = CERT_LIST_NEXT(node)) {
 n++;
@@ -907,7 +917,7 @@ create_krb5_trustedCertifiers(krb5_context context,
 if (ids == NULL) {
 return ENOMEM;
 }
- node = CERT_LIST_HEAD(plg_cryptoctx->ca_certs);
+ node = CERT_LIST_HEAD(id_cryptoctx->ca_certs);
 for (i = 0; i < n; i++) {
 id = malloc(sizeof(*id));
 if (id == NULL) {
-- 
1.7.6.4
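Review bot: The counting loop whose header this hunk rewrites to walk `id_cryptoctx->ca_certs` keeps the termination test `(node != NULL) && (node->cert != NULL)` on the following context line, which never compares `node` against the list sentinel; NSS cert lists are circular, and `CERT_LIST_END(node, list)` is the macro intended to stop such a walk. The condition predates this commit, but since the commit touches the loop header it is the natural place to fix it, and the second hunk's `for (i = 0; i < n; i++)` trusts the resulting `n`. Unless the sentinel's `cert` slot is guaranteed to read as NULL (worth confirming against the NSS `CERTCertList` layout), I would change the condition to `(node != NULL) && !CERT_LIST_END(node, id_cryptoctx->ca_certs)`. The body of create_krb5_trustedCertifiers continues outside both hunks.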