From 88c1b6a295222e315aaf12b5fb9e25d5195ca367 Mon Sep 17 00:00:00 2001
From: Nalin Dahyabhai <nalin@dahyabhai.net>
Date: Mon, 1 Nov 2010 15:03:31 -0400
Subject: [PATCH 089/150] - track generic objects and clean them up properly

---
 src/plugins/preauth/pkinit/pkinit_crypto_nss.c |   84 ++++++++++++++++++++----
 1 files changed, 71 insertions(+), 13 deletions(-)

diff --git a/src/plugins/preauth/pkinit/pkinit_crypto_nss.c b/src/plugins/preauth/pkinit/pkinit_crypto_nss.c
index 0e92bcd..24c918f 100644
--- a/src/plugins/preauth/pkinit/pkinit_crypto_nss.c
+++ b/src/plugins/preauth/pkinit/pkinit_crypto_nss.c
@@ -234,6 +234,7 @@ struct _pkinit_identity_crypto_context {
 	SECMODModule *pem_module;
 	SECMODModule **id_modules;
 	PK11SlotInfo **id_userdbs;
+	PK11GenericObject **id_objects;
 	CERTCertList *id_certs, *ca_certs;
 	CERTCertificate *id_cert;
 	struct {
@@ -647,16 +648,20 @@ pkinit_init_identity_crypto(pkinit_identity_crypto_context *id_cryptoctx)
 void
 pkinit_fini_identity_crypto(pkinit_identity_crypto_context id_cryptoctx)
 {
+	int i;
 	CERT_DestroyCertList(id_cryptoctx->ca_certs);
 	CERT_DestroyCertList(id_cryptoctx->id_certs);
+	if (id_cryptoctx->id_objects != NULL) {
+		for (i = 0; id_cryptoctx->id_objects[i] != NULL; i++) {
+			PK11_DestroyGenericObjects(id_cryptoctx->id_objects[i]);
+		}
+	}
 	if (id_cryptoctx->id_userdbs != NULL) {
-		int i;
 		for (i = 0; id_cryptoctx->id_userdbs[i] != NULL; i++) {
 			SECMOD_CloseUserDB(id_cryptoctx->id_userdbs[i]);
 		}
 	}
 	if (id_cryptoctx->id_modules != NULL) {
-		int i;
 		for (i = 0; id_cryptoctx->id_modules[i] != NULL; i++) {
 			SECMOD_UnloadUserModule(id_cryptoctx->id_modules[i]);
 		}
@@ -732,7 +737,9 @@ pkinit_init_plg_crypto(pkinit_plg_crypto_context *plg_cryptoctx)
 void
 pkinit_fini_plg_crypto(pkinit_plg_crypto_context plg_cryptoctx)
 {
-	NSS_ShutdownContext(plg_cryptoctx->ncontext);
+	if (NSS_ShutdownContext(plg_cryptoctx->ncontext) != SECSuccess) {
+		pkiDebug("%s: error shutting down context\n", __FUNCTION__);
+	}
 	PORT_FreeArena(plg_cryptoctx->pool, PR_TRUE);
 }
 
@@ -2057,7 +2064,7 @@ crypto_load_files(krb5_context context,
 		  pkinit_identity_crypto_context id_cryptoctx)
 {
 	PK11SlotInfo *slot;
-	PK11GenericObject *obj;
+	PK11GenericObject *obj, **id_objects;
 	PRBool permanent, match;
 	CERTCertificate *cert;
 	CERTCertList *before, *after;
@@ -2067,7 +2074,7 @@ crypto_load_files(krb5_context context,
 	CK_OBJECT_CLASS keyclass = CKO_PRIVATE_KEY, certclass = CKO_CERTIFICATE;
 	SECItem a, b;
 	SECStatus status;
-	int n_attrs;
+	int n_attrs, i, n_objs;
 
 	if (id_cryptoctx->pem_module == NULL) {
 		if (certfile != NULL) {
@@ -2106,12 +2113,38 @@ crypto_load_files(krb5_context context,
 				      (char *) keyfile, strlen(keyfile) + 1);
 		permanent = PR_FALSE;
 		obj = PK11_CreateGenericObject(slot, attrs, n_attrs, permanent);
-		if (obj != NULL) {
+		if (obj == NULL) {
+			status = SECFailure;
+		} else {
 			pkiDebug("%s: loaded key \"%s\"\n",
 				 __FUNCTION__, keyfile);
-			status = SECFailure;
+			status = SECSuccess;
+			/* Add it to the list of objects that we're keeping. */
+			if (id_cryptoctx->id_objects != NULL) {
+				for (i = 0;
+				     id_cryptoctx->id_objects[i] != NULL;
+				     i++) {
+					continue;
+				}
+			} else {
+				i = 0;
+			}
+			id_objects = PORT_ArenaZAlloc(id_cryptoctx->pool,
+						      sizeof(id_objects[0]) *
+						      (i + 2));
+			if (id_objects != NULL) {
+				n_objs = i;
+				for (i = 0; i < n_objs; i++) {
+					id_objects[i] =
+						id_cryptoctx->id_objects[i];
+				}
+				id_objects[i++] = obj;
+				id_objects[i++] = NULL;
+				id_cryptoctx->id_objects = id_objects;
+			}
 		}
 	}
+
 	if ((status == SECSuccess) && (certfile != NULL)) {
 		before = PK11_ListCertsInSlot(slot);
 		n_attrs = 0;
@@ -2126,18 +2159,43 @@ crypto_load_files(krb5_context context,
 				      &cktrust, sizeof(cktrust));
 		permanent = PR_FALSE;
 		obj = PK11_CreateGenericObject(slot, attrs, n_attrs, permanent);
-		if (obj != NULL) {
+		if (obj == NULL) {
+			status = SECFailure;
+		} else {
 			pkiDebug("%s: loaded %scertificate \"%s\"\n",
 				 __FUNCTION__,
 				 cert_mark_trusted ? "CA " : "",
 				 certfile);
 			status = SECSuccess;
-		} else {
-			status = SECFailure;
+			/* Add it to the list of objects that we're keeping. */
+			if (id_cryptoctx->id_objects != NULL) {
+				for (i = 0;
+				     id_cryptoctx->id_objects[i] != NULL;
+				     i++) {
+					continue;
+				}
+			} else {
+				i = 0;
+			}
+			id_objects = PORT_ArenaZAlloc(id_cryptoctx->pool,
+						      sizeof(id_objects[0]) *
+						      (i + 2));
+			if (id_objects != NULL) {
+				n_objs = i;
+				for (i = 0; i < n_objs; i++) {
+					id_objects[i] =
+						id_cryptoctx->id_objects[i];
+				}
+				id_objects[i++] = obj;
+				id_objects[i++] = NULL;
+				id_cryptoctx->id_objects = id_objects;
+			}
 		}
-		/* Add any certs which are in the slot now, but which
-		 * weren't before, and for which we have keys, to the
-		 * right list of certs. */
+		/* Add any certs which are in the slot now, but which weren't
+		 * before, and for which we have keys, to the right list of
+		 * certs.  (We don't have an API to get the certificate from
+		 * the generic object that we just created, so we have to do it
+		 * the hard way.) */
 		after = PK11_ListCertsInSlot(slot);
 		if (after != NULL) {
 			for (anode = CERT_LIST_HEAD(after);
-- 
1.7.6.4