- Rob Crittenden did once again provide an NSS update:

I have to jump through a few hoops now with the NSS library initialization since another part of an application may have already initialized NSS by the time Curl gets invoked. This patch is more careful to only shutdown the NSS library if Curl did the initialization. It also adds in a bit of code to set the default ciphers if the app that call NSS_Init* did not call NSS_SetDomesticPolicy() or set specific ciphers. One might argue that this lets other application developers get lazy and/or they aren't using the NSS API correctly, and you'd be right. But still, this will avoid terribly difficult-to-trace crashes and is generally helpful.
2009-01-07 14:10:35 +00:00 · 2009-01-07 14:10:35 +00:00 · 3c2ad4022c
parent 1f4b8da60a
commit 3c2ad4022c
3 changed files with 59 additions and 19 deletions
--- a/16
+++ b/16
@ -6,6 +6,22 @@

                                  Changelog

+
+Daniel Stenberg (7 Jan 2009)
+- Rob Crittenden did once again provide an NSS update:
+
+  I have to jump through a few hoops now with the NSS library initialization
+  since another part of an application may have already initialized NSS by the
+  time Curl gets invoked. This patch is more careful to only shutdown the NSS
+  library if Curl did the initialization.
+
+  It also adds in a bit of code to set the default ciphers if the app that
+  call NSS_Init* did not call NSS_SetDomesticPolicy() or set specific
+  ciphers. One might argue that this lets other application developers get
+  lazy and/or they aren't using the NSS API correctly, and you'd be right.
+  But still, this will avoid terribly difficult-to-trace crashes and is
+  generally helpful.
+
 Daniel Stenberg (1 Jan 2009)
 - 'reconf' is removed since we rather have users use 'buildconf'

--- a/3
+++ b/3
@ -40,6 +40,7 @@ This release includes the following bugfixes:
 o SFTP seek/resume beyond 32bit file sizes
 o fixed breakage with --with-ssl --disable-verbose
 o TTL "leak" in the DNS cache
+ o improved NSS initing

 This release includes the following known bugs:

@ -51,6 +52,6 @@ advice from friends like these:
 Yang Tse, Daniel Fandrich, Jim Meyering, Christian Krause, Andreas Wurf,
 Markus Koetter, Josef Wolf, Vlad Grachov, Pawel Kierski, Igor Novoseltsev,
 Fred Machado, Ken Hirsch, Keshav Krity, Patrick Monnerat, Mark Karpeles,
- Anthony Bryan, Peter Korsgaard, Phil Lisiecki, Bas Mevissen
+ Anthony Bryan, Peter Korsgaard, Phil Lisiecki, Bas Mevissen, Rob Crittenden

        Thanks! (and sorry if I forgot to mention someone)
--- a/lib/nss.c
+++ b/lib/nss.c
@ -5,7 +5,7 @@
 *                            | (__| |_| |  _ <| |___
 *                             \___|\___/|_| \_\_____|
 *
- * Copyright (C) 1998 - 2008, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2009, Daniel Stenberg, <daniel@haxx.se>, et al.
 *
 * This software is licensed as described in the file COPYING, which
 * you should have received as part of this distribution. The terms
@ -231,6 +231,24 @@ static SECStatus set_ciphers(struct SessionHandle *data, PRFileDesc * model,
  return SECSuccess;
 }

+/*
+ * Get the number of ciphers that are enabled. We use this to determine
+ * if we need to call NSS_SetDomesticPolicy() to enable the default ciphers.
+ */
+static int num_enabled_ciphers()
+{
+  PRInt32 policy = 0;
+  int count = 0;
+  int i;
+
+  for(i=0; i<NUM_OF_CIPHERS; i++) {
+    SSL_CipherPolicyGet(cipherlist[i].num, &policy);
+    if(policy)
+      count++;
+  }
+  return count;
+}
+
 /*
 * Determine whether the nickname passed in is a filename that needs to
 * be loaded as a PEM or a regular NSS nickname.
@ -944,8 +962,7 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex)

  /* FIXME. NSS doesn't support multiple databases open at the same time. */
  PR_Lock(nss_initlock);
-  if(!initialized && !NSS_IsInitialized()) {
-    initialized = 1;
+  if(!initialized) {

    certDir = getenv("SSL_DIR"); /* Look in $SSL_DIR */

@ -958,27 +975,33 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex)
        }
    }

-    if(!certDir) {
-      rv = NSS_NoDB_Init(NULL);
-    }
-    else {
-      rv = NSS_Initialize(certDir, NULL, NULL, "secmod.db",
-                          NSS_INIT_READONLY);
-    }
-    if(rv != SECSuccess) {
-      infof(conn->data, "Unable to initialize NSS database\n");
-      curlerr = CURLE_SSL_CACERT_BADFILE;
-      initialized = 0;
-      PR_Unlock(nss_initlock);
-      goto error;
+    if (!NSS_IsInitialized()) {
+      initialized = 1;
+      if(!certDir) {
+        rv = NSS_NoDB_Init(NULL);
+      }
+      else {
+        rv = NSS_Initialize(certDir, NULL, NULL, "secmod.db",
+                            NSS_INIT_READONLY);
+      }
+      if(rv != SECSuccess) {
+        infof(conn->data, "Unable to initialize NSS database\n");
+        curlerr = CURLE_SSL_CACERT_BADFILE;
+        initialized = 0;
+        PR_Unlock(nss_initlock);
+        goto error;
+      }
    }

-    NSS_SetDomesticPolicy();
+    if(num_enabled_ciphers() == 0)
+      NSS_SetDomesticPolicy();

 #ifdef HAVE_PK11_CREATEGENERICOBJECT
    configstring = aprintf("library=%s name=PEM", pem_library);
-    if(!configstring)
+    if(!configstring) {
+      PR_Unlock(nss_initlock);
      goto error;
+    }
    mod = SECMOD_LoadUserModule(configstring, NULL, PR_FALSE);
    free(configstring);