[openldap/private-moznss-f17] update: enhancement: prefer unlocked slots when getting private key

jvcelak jvcelak at fedoraproject.org
Mon Aug 13 13:42:29 UTC 2012


commit 9f3240285a9b7b2989d46914d30bd8eaf14bb31d
Author: Jan Vcelak <jvcelak at redhat.com>
Date:   Mon Aug 13 15:33:35 2012 +0200

    update: enhancement: prefer unlocked slots when getting private key

 openldap-nss-prefer-unlocked-slot.patch |   72 +++++++++++++++++++++++++++++++
 1 files changed, 72 insertions(+), 0 deletions(-)
---
diff --git a/openldap-nss-prefer-unlocked-slot.patch b/openldap-nss-prefer-unlocked-slot.patch
new file mode 100644
index 0000000..fc25e7a
--- /dev/null
+++ b/openldap-nss-prefer-unlocked-slot.patch
@@ -0,0 +1,72 @@
+From c59072eaa7d85a56c36073bebb7e21b3e2a95492 Mon Sep 17 00:00:00 2001
+From: Jan Vcelak <jvcelak at redhat.com>
+Date: Mon, 13 Aug 2012 14:25:47 +0200
+Subject: [PATCH] MozNSS: prefer unlocked slot when getting private key
+
+---
+ libraries/libldap/tls_m.c | 41 ++++++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 40 insertions(+), 1 deletion(-)
+
+diff --git a/libraries/libldap/tls_m.c b/libraries/libldap/tls_m.c
+index f37da06..061d6b8 100644
+--- a/libraries/libldap/tls_m.c
++++ b/libraries/libldap/tls_m.c
+@@ -990,6 +990,36 @@ tlsm_cert_is_self_issued( CERTCertificate *cert )
+ 	return is_self_issued;
+ }
+ 
++/*
++ * The private key for used certificate can be already unlocked by other
++ * thread or library. Find the unlocked slot if possible.
++ */
++static PK11SlotInfo *
++tlsm_find_unlocked_slot(tlsm_ctx *ctx)
++{
++	PK11SlotInfo *result = NULL;
++
++	PK11SlotList *slots = PK11_GetAllSlotsForCert(ctx->tc_certificate, NULL);
++	if (!slots) {
++		PRErrorCode errcode = PR_GetError();
++		Debug(LDAP_DEBUG_ANY,
++				"TLS: cannot get all slots for certificate '%s' (error %d: %s)",
++				tlsm_ctx_subject_name(ctx), errcode,
++				PR_ErrorToString(errcode, PR_LANGUAGE_I_DEFAULT));
++		return result;
++	}
++
++	PK11SlotListElement *le;
++	for (le = slots->head; le && !result; le = le->next) {
++		PK11SlotInfo *slot = le->slot;
++		if (PK11_IsLoggedIn(slot, NULL))
++			result = slot;
++	}
++
++	PK11_FreeSlotList(slots);
++	return result;
++}
++
+ static SECStatus
+ tlsm_verify_cert(CERTCertDBHandle *handle, CERTCertificate *cert, void *pinarg,
+ 				 PRBool checksig, SECCertificateUsage certUsage, PRBool warn_only,
+@@ -1302,8 +1332,17 @@ tlsm_ctx_load_private_key(tlsm_ctx *ctx)
+ 		return 0;
+ 
+ 	void *pin_arg = SSL_RevealPinArg(ctx->tc_model);
++	PK11SlotInfo *unlockedSlot = tlsm_find_unlocked_slot(ctx);
++
++	Debug(LDAP_DEBUG_ANY,
++			"TLS: %s unlocked slot for certificate '%s'.\n",
++			unlockedSlot ? "found" : "no", 	tlsm_ctx_subject_name(ctx), 0);
++
++	if (unlockedSlot)
++		ctx->tc_private_key = PK11_FindKeyByDERCert(unlockedSlot, ctx->tc_certificate, pin_arg);
++	else
++		ctx->tc_private_key = PK11_FindKeyByAnyCert(ctx->tc_certificate, pin_arg);
+ 
+-	ctx->tc_private_key = PK11_FindKeyByAnyCert(ctx->tc_certificate, pin_arg);
+ 	if (!ctx->tc_private_key) {
+ 		PRErrorCode errcode = PR_GetError();
+ 		Debug(LDAP_DEBUG_ANY,
+-- 
+1.7.11.4
+
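Review bot: `result` in tlsm_find_unlocked_slot is handed back after `PK11_FreeSlotList(slots)`, and that call releases the slot references held by the list elements, so tlsm_ctx_load_private_key may pass an already-released PK11SlotInfo to PK11_FindKeyByDERCert. Take an owned reference in the loop, `result = PK11_ReferenceSlot(slot);`, and release it in the caller after the lookup, `PK11_FreeSlot(unlockedSlot);`, with the function's header comment stating that the caller owns the returned slot. Two smaller points: the Debug format string on the error path in tlsm_find_unlocked_slot lacks the trailing `\n` that the other Debug call in this patch has, and the second Debug call has a stray tab in its argument list before `tlsm_ctx_subject_name(ctx)`. tlsm_ctx_load_private_key starts and ends outside the hunk.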

