Fixes for smart card cache. Don't do cache searches by email address, since GetAttributeValue does not set that field. Handle removal correctly for item at tail of list. Don't search token after a successful cache search that returned zero hits.

4 files changed, 35 insertions, 18 deletions

diff --git a/security/nss/lib/dev/devm.h b/security/nss/lib/dev/devm.h
index 9e62df1a1..379e21470 100644
--- a/security/nss/lib/dev/devm.h
+++ b/security/nss/lib/dev/devm.h
@@ -171,7 +171,8 @@ nssTokenObjectCache_FindObjectsByTemplate
   CK_OBJECT_CLASS objclass,
   CK_ATTRIBUTE_PTR otemplate,
   CK_ULONG otlen,
-  PRUint32 maximumOpt
+  PRUint32 maximumOpt,
+  PRStatus *statusOpt
 );
 
 NSS_EXTERN PRStatus
diff --git a/security/nss/lib/dev/devtoken.c b/security/nss/lib/dev/devtoken.c
index ee1705436..cc1324b85 100644
--- a/security/nss/lib/dev/devtoken.c
+++ b/security/nss/lib/dev/devtoken.c
@@ -488,19 +488,22 @@ find_objects_by_template
     if (token->cache && 
         nssTokenObjectCache_HaveObjectClass(token->cache, objclass)) 
     {
+	PRStatus status;
 	objects = nssTokenObjectCache_FindObjectsByTemplate(token->cache,
 	                                                    objclass,
 	                                                    obj_template,
 	                                                    otsize,
-	                                                    maximumOpt);
-	if (statusOpt) *statusOpt = PR_SUCCESS;
+	                                                    maximumOpt,
+	                                                    &status);
+	if (status == PR_SUCCESS) {
+	    if (statusOpt) *statusOpt = status;
+	    return objects;
+	}
     }
     /* Either they are not cached, or cache failed; look on token. */
-    if (!objects) {
-	objects = find_objects(token, sessionOpt, 
-	                       obj_template, otsize, 
-	                       maximumOpt, statusOpt);
-    }
+    objects = find_objects(token, sessionOpt, 
+                           obj_template, otsize, 
+                           maximumOpt, statusOpt);
     return objects;
 }
 
@@ -670,6 +673,12 @@ nssToken_FindCertificatesByNickname
     return objects;
 }
 
+/* XXX
+ * This function *does not* use the token object cache, because not even
+ * the softoken will return a value for CKA_NETSCAPE_EMAIL from a call
+ * to GetAttributes.  The softoken does allow searches with that attribute,
+ * it just won't return a value for it.
+ */
 NSS_IMPLEMENT nssCryptokiObject **
 nssToken_FindCertificatesByEmail
 (
@@ -696,9 +705,9 @@ nssToken_FindCertificatesByEmail
     NSS_CK_SET_ATTRIBUTE_ITEM(attr, CKA_CLASS, &g_ck_class_cert);
     NSS_CK_TEMPLATE_FINISH(email_template, attr, etsize);
     /* now locate the token certs matching this template */
-    objects = find_objects_by_template(token, sessionOpt,
-                                       email_template, etsize,
-                                       maximumOpt, statusOpt);
+    objects = find_objects(token, sessionOpt,
+                           email_template, etsize,
+                           maximumOpt, statusOpt);
     if (!objects) {
 	/* This is to workaround the fact that PKCS#11 doesn't specify
 	 * whether the '\0' should be included.  XXX Is that still true?
@@ -707,9 +716,9 @@ nssToken_FindCertificatesByEmail
 	 * well, its needed by the builtin token...
 	 */
 	email_template[0].ulValueLen++;
-	objects = find_objects_by_template(token, sessionOpt,
-	                                   email_template, etsize,
-	                                   maximumOpt, statusOpt);
+	objects = find_objects(token, sessionOpt,
+	                       email_template, etsize,
+	                       maximumOpt, statusOpt);
     }
     return objects;
 }
diff --git a/security/nss/lib/dev/devutil.c b/security/nss/lib/dev/devutil.c
index 45ea9883d..198ef2c42 100644
--- a/security/nss/lib/dev/devutil.c
+++ b/security/nss/lib/dev/devutil.c
@@ -1052,7 +1052,8 @@ nssTokenObjectCache_FindObjectsByTemplate
   CK_OBJECT_CLASS objclass,
   CK_ATTRIBUTE_PTR otemplate,
   CK_ULONG otlen,
-  PRUint32 maximumOpt
+  PRUint32 maximumOpt,
+  PRStatus *statusOpt
 )
 {
     PRStatus status = PR_FAILURE;
@@ -1093,6 +1094,9 @@ nssTokenObjectCache_FindObjectsByTemplate
     }
 finish:
     PZ_Unlock(cache->lock);
+    if (statusOpt) {
+	*statusOpt = status;
+    }
     return rvObjects;
 }
 
@@ -1301,11 +1305,11 @@ nssTokenObjectCache_RemoveObject
 	    break;
 	}
     }
-    PZ_Unlock(cache->lock);
-    if (swp && *swp == NULL) {
-	nss_ZFreeIf(swp); /* the only entry */
+    if (cache->objects[oType] && cache->objects[oType][0] == NULL) {
+	nss_ZFreeIf(cache->objects[oType]); /* no entries remaining */
 	cache->objects[oType] = NULL;
     }
+    PZ_Unlock(cache->lock);
     return PR_SUCCESS;
 }
 
diff --git a/security/nss/lib/pk11wrap/dev3hack.c b/security/nss/lib/pk11wrap/dev3hack.c
index 06b279f95..57fbb37c0 100644
--- a/security/nss/lib/pk11wrap/dev3hack.c
+++ b/security/nss/lib/pk11wrap/dev3hack.c
@@ -255,6 +255,9 @@ nssSlot_IsLoggedIn
   NSSSlot *slot
 )
 {
+    if (!slot->pk11slot->needLogin) {
+	return PR_TRUE;
+    }
     return PK11_IsLoggedIn(slot->pk11slot, NULL);
 }