certmonger

Clone

#171 Fix NSS shutdown issues when obtaining the internal token name
Merged 3 years ago by rcritten. Opened 3 years ago by rcritten.
rcritten/certmonger issue_8533  into  master

file modified
+1 -1 
@@ -193,7 +193,7 @@ 
 

  		_exit(CM_SUB_STATUS_ERROR_AUTH);
 

  	}
 

  	if (entry->cm_cert_token == NULL) {
 

- 		entry->cm_cert_token = talloc_strdup(entry, util_internal_token_name());
 

+ 		entry->cm_cert_token = util_internal_token_name(entry);
 

  	}
 

  	PK11_SetPasswordFunc(&cm_pin_read_for_cert_nss_cb);
 

  	for (sle = slotlist->head;

file modified
+1 -1 
@@ -228,7 +228,7 @@ 
 

  		}
 

  		PK11_SetPasswordFunc(&cm_pin_read_for_cert_nss_cb);
 

  		if (entry->cm_cert_token == NULL) {
 

- 			entry->cm_cert_token = talloc_strdup(entry, util_internal_token_name());
 

+ 			entry->cm_cert_token = util_internal_token_name(entry);
 

  		}
 

  		for (sle = slotlist->head;
 

  		     ((sle != NULL) && (sle->slot != NULL));

file modified
+1 -1 
@@ -285,7 +285,7 @@ 
 

  		_exit(CM_SUB_STATUS_ERROR_NO_TOKEN);
 

  	}
 

  	if (entry->cm_cert_token == NULL) {
 

- 		entry->cm_cert_token = talloc_strdup(entry, util_internal_token_name());
 

+ 		entry->cm_cert_token = util_internal_token_name(entry);
 

  	}
 

  	/* Walk the list looking for the requested slot, or the first one if
 

  	 * none was requested. */

file modified
+1 -1 
@@ -165,7 +165,7 @@ 
 

  	}
 

  	PK11_SetPasswordFunc(&cm_pin_read_for_cert_nss_cb);
 

  	if (entry->cm_key_token == NULL) {
 

- 		entry->cm_key_token = talloc_strdup(entry, util_internal_token_name());
 

+ 		entry->cm_key_token = util_internal_token_name(entry);
 

  	}
 

  	n_tokens = 0;
 

  	pubkey = NULL;

file modified
+1 -1 
@@ -359,7 +359,7 @@ 
 

  		goto done;
 

  	}
 

  	if (args->entry->cm_key_token == NULL) {
 

- 		args->entry->cm_key_token = talloc_strdup(args->entry, util_internal_token_name());
 

+ 		args->entry->cm_key_token = util_internal_token_name(args->entry);
 

  	}
 

  	PK11_SetPasswordFunc(&cm_pin_read_for_cert_nss_cb);
 

  	n_tokens = 0;

file modified
+10 -2 
@@ -34,6 +34,8 @@ 
 

  #include "store-int.h"
 

  #include "util-n.h"
 

  

+ #include <talloc.h>
 

+ 

  #define NODE "/proc/sys/crypto/fips_enabled"
 

  

  static PRBool force_fips = PR_FALSE;
 
@@ -289,7 +291,13 @@ 
 

  }
 

  

  char *
 

- util_internal_token_name()
 

+ util_internal_token_name(void *ctx)
 

  {
 

- 	return PK11_GetTokenName(PK11_GetInternalKeySlot());
 

+ 	PK11SlotInfo *slot = NULL;
 

+ 	char *name = NULL;
 

+ 

+ 	slot = PK11_GetInternalKeySlot();
 

+ 	name = talloc_strdup(ctx, PK11_GetTokenName(slot));
 

+ 	PK11_FreeSlot(slot);
 

+ 	return name;
 

  }

file modified
+1 -1 
@@ -29,6 +29,6 @@ 
 

  				 struct cm_store_entry *entry);
 

  void util_set_db_entry_cert_owner(const char *dbdir,
 

  				  struct cm_store_entry *entry);
 

- char * util_internal_token_name();
 

+ char * util_internal_token_name(void *ctx);
 

  

  #endif

The slot wasn't being freed every time util_internal_token_name()
was called which caused NSS_Shutdown() and NSS_ShutdownContext()
to return SEC_ERROR_BUSY.

Discovered in IPA issue https://pagure.io/freeipa/issue/8533

Tested locally and in IPA CI and confirmed successful shutdown.

Pull-Request has been merged by rcritten
3 years ago
Metadata
None
No Tags
Changes Summary 7
+1 -1
file changed
src/certread-n.c
+1 -1
file changed
src/certsave-n.c
+1 -1
file changed
src/keygen-n.c
+1 -1
file changed
src/keyiread-n.c
+1 -1
file changed
src/submit-n.c
+10 -2
file changed
src/util-n.c
+1 -1
file changed
src/util-n.h
Powered by Pagure 5.13.3
DocumentationFile an IssueAboutSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.