From f167cff199e2fc7df6c558e437222593ccecd390 Mon Sep 17 00:00:00 2001
From: Rob Crittenden
Date: Oct 09 2020 15:10:02 +0000
Subject: Fix NSS shutdown issues when obtaining the internal token name

The slot wasn't being freed every time util_internal_token_name() was called which caused NSS_Shutdown() and NSS_ShutdownContext() to return SEC_ERROR_BUSY.

Discovered in IPA issue https://pagure.io/freeipa/issue/8533

---

diff --git a/src/certread-n.c b/src/certread-n.c
index 3ce7ec0..bea5c13 100644
--- a/src/certread-n.c
+++ b/src/certread-n.c
@@ -193,7 +193,7 @@ cm_certread_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
 _exit(CM_SUB_STATUS_ERROR_AUTH);
 }
 if (entry->cm_cert_token == NULL) {
- entry->cm_cert_token = talloc_strdup(entry, util_internal_token_name());
+ entry->cm_cert_token = util_internal_token_name(entry);
 }
 PK11_SetPasswordFunc(&cm_pin_read_for_cert_nss_cb);
 for (sle = slotlist->head;
diff --git a/src/certsave-n.c b/src/certsave-n.c
index 237f4f8..cb47072 100644
--- a/src/certsave-n.c
+++ b/src/certsave-n.c
@@ -228,7 +228,7 @@ cm_certsave_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
 }
 PK11_SetPasswordFunc(&cm_pin_read_for_cert_nss_cb);
 if (entry->cm_cert_token == NULL) {
- entry->cm_cert_token = talloc_strdup(entry, util_internal_token_name());
+ entry->cm_cert_token = util_internal_token_name(entry);
 }
 for (sle = slotlist->head;
 ((sle != NULL) && (sle->slot != NULL));
diff --git a/src/keygen-n.c b/src/keygen-n.c
index 6832cb6..4701821 100644
--- a/src/keygen-n.c
+++ b/src/keygen-n.c
@@ -285,7 +285,7 @@ cm_keygen_n_main(int fd, struct cm_store_ca *ca, struct cm_store_entry *entry,
 _exit(CM_SUB_STATUS_ERROR_NO_TOKEN);
 }
 if (entry->cm_cert_token == NULL) {
- entry->cm_cert_token = talloc_strdup(entry, util_internal_token_name());
+ entry->cm_cert_token = util_internal_token_name(entry);
 }
 /* Walk the list looking for the requested slot, or the first one if
 * none was requested. */
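Review bot: The `+` line in cm_certread_n_main stores the result of util_internal_token_name(entry) into entry->cm_cert_token without checking it; the helper now returns whatever talloc_strdup() produced, which is NULL when the copy fails, so a failed lookup is indistinguishable from "no token configured" for the code that follows. The same unchecked assignment appears in the certsave-n.c and keygen-n.c hunks on this page and in the keyiread-n.c and submit-n.c hunks further down. A check shaped like the surrounding failure paths, e.g. `if (entry->cm_cert_token == NULL) { _exit(CM_SUB_STATUS_ERROR_NO_TOKEN); }` directly after the assignment (using whichever CM_SUB_STATUS_* code each function already uses for its other failures), would make the failure explicit. cm_certread_n_main starts and ends outside the hunk, so I cannot see how cm_cert_token is consumed afterwards.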
diff --git a/src/keyiread-n.c b/src/keyiread-n.c
index b8bf353..7a65474 100644
--- a/src/keyiread-n.c
+++ b/src/keyiread-n.c
@@ -165,7 +165,7 @@ cm_keyiread_n_get_keys(struct cm_store_entry *entry, int readwrite)
 }
 PK11_SetPasswordFunc(&cm_pin_read_for_cert_nss_cb);
 if (entry->cm_key_token == NULL) {
- entry->cm_key_token = talloc_strdup(entry, util_internal_token_name());
+ entry->cm_key_token = util_internal_token_name(entry);
 }
 n_tokens = 0;
 pubkey = NULL;
diff --git a/src/submit-n.c b/src/submit-n.c
index 98fc7c5..7751ed6 100644
--- a/src/submit-n.c
+++ b/src/submit-n.c
@@ -359,7 +359,7 @@ cm_submit_n_decrypt_envelope(const unsigned char *envelope,
 goto done;
 }
 if (args->entry->cm_key_token == NULL) {
- args->entry->cm_key_token = talloc_strdup(args->entry, util_internal_token_name());
+ args->entry->cm_key_token = util_internal_token_name(args->entry);
 }
 PK11_SetPasswordFunc(&cm_pin_read_for_cert_nss_cb);
 n_tokens = 0;
diff --git a/src/util-n.c b/src/util-n.c
index 4ab3d47..f041a5c 100644
--- a/src/util-n.c
+++ b/src/util-n.c
@@ -34,6 +34,8 @@
 #include "store-int.h"
 #include "util-n.h"
 
+#include
+
 #define NODE "/proc/sys/crypto/fips_enabled"
 
 static PRBool force_fips = PR_FALSE;
@@ -289,7 +291,13 @@ util_set_db_entry_cert_owner(const char *dbdir, struct cm_store_entry *entry)
 }
 
 char *
-util_internal_token_name()
+util_internal_token_name(void *ctx)
 {
- return PK11_GetTokenName(PK11_GetInternalKeySlot());
+ PK11SlotInfo *slot = NULL;
+ char *name = NULL;
+
+ slot = PK11_GetInternalKeySlot();
+ name = talloc_strdup(ctx, PK11_GetTokenName(slot));
+ PK11_FreeSlot(slot);
+ return name;
 }
diff --git a/src/util-n.h b/src/util-n.h
index 637fd4b..801ff8c 100644
--- a/src/util-n.h
+++ b/src/util-n.h
@@ -29,6 +29,6 @@ void util_set_db_entry_key_owner(const char *dbdir, struct cm_store_entry *entry); void util_set_db_entry_cert_owner(const char *dbdir, struct cm_store_entry *entry);
-char * util_internal_token_name();
+char * util_internal_token_name(void *ctx);
 #endif
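Review bot: In the new util_internal_token_name() body, slot is handed to PK11_GetTokenName() and PK11_FreeSlot() without a NULL check; PK11_GetInternalKeySlot() returns NULL when NSS has no internal module available (not initialized, or already shut down), and both of those calls dereference the slot, so that condition would surface as a crash instead of an error the caller can handle. A guard right after the lookup, `if (slot == NULL) { return NULL; }`, makes the function report failure the same way it already does when talloc_strdup() fails, which is the value the callers compare against. The definition would also benefit from a header comment stating that the returned string is allocated on ctx and that NULL means the token name could not be obtained; that belongs with the declaration change in util-n.h as well.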
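Review bot: The changed declaration `char * util_internal_token_name(void *ctx);` carries no comment, and since this commit moves the allocation into the callee, a reader of the header cannot tell who owns the result. Suggest a short Doxygen-style comment above it saying that ctx is the talloc context the returned copy of the internal token name is allocated on, that the string is released with the context (or via talloc_free), and that NULL is returned when the copy cannot be made. The hunk's context lines could not be fully recovered from this rendering, so I have left the declarations above the change on the `@@` line.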