nss: unconditionally require PK11_CreateGenericObject()

This bumps the minimal supported version of NSS to 3.12.x.

RELEASE-NOTES

@@ -9,6 +9,7 @@ Curl and libcurl 7.25.1
 
 This release includes the following changes:
 
+ o nss: the minimal supported version of NSS bumped to 3.12.x
  o 
 
 This release includes the following bugfixes:

configure.ac

@@ -2091,13 +2091,6 @@ if test "$OPENSSL_ENABLED" != "1" -a "$GNUTLS_ENABLED" != "1"; then
         nssprefix=$OPT_NSS
     fi
 
-    dnl Check for functionPK11_CreateGenericObject
-    dnl this is needed for using the PEM PKCS#11 module
-    AC_CHECK_LIB(nss3, PK11_CreateGenericObject,
-     [
-     AC_DEFINE(HAVE_PK11_CREATEGENERICOBJECT, 1, [if you have the function PK11_CreateGenericObject])
-     AC_SUBST(HAVE_PK11_CREATEGENERICOBJECT, [1])
-     ])
     if test -n "$addlib"; then
 
       CLEANLIBS="$LIBS"
@@ -2108,7 +2101,8 @@ if test "$OPENSSL_ENABLED" != "1" -a "$GNUTLS_ENABLED" != "1"; then
          CPPFLAGS="$CPPFLAGS $addcflags"
       fi
 
-      AC_CHECK_LIB(nss3, NSS_Initialize,
+      dnl The function PK11_CreateGenericObject is needed to load libnsspem.so
+      AC_CHECK_LIB(nss3, PK11_CreateGenericObject,
        [
        AC_DEFINE(USE_NSS, 1, [if NSS is enabled])
        AC_SUBST(USE_NSS, [1])

docs/INTERNALS

@@ -43,7 +43,7 @@ Portability
  openldap     2.0
  MIT krb5 lib 1.2.4
  qsossl       V5R2M0
- NSS          3.11.x
+ NSS          3.12.x
  axTLS        1.2.7
  Heimdal      ?
 

lib/config-symbian.h

@@ -396,9 +396,6 @@
 /* Define to 1 if you have the `pipe' function. */
 #define HAVE_PIPE 1
 
-/* if you have the function PK11_CreateGenericObject */
-/* #undef HAVE_PK11_CREATEGENERICOBJECT */
-
 /* Define to 1 if you have the `poll' function. */
 /*#define HAVE_POLL 1*/
 

lib/config-vxworks.h

@@ -460,9 +460,6 @@
 /* Define to 1 if you have the `pipe' function. */
 #define HAVE_PIPE 1
 
-/* if you have the function PK11_CreateGenericObject */
-/* #undef HAVE_PK11_CREATEGENERICOBJECT */
-
 /* Define to 1 if you have a working poll function. */
 /* #undef HAVE_POLL */
 

lib/curl_config.h.cmake

@@ -441,9 +441,6 @@
 /* Define to 1 if you have the `pipe' function. */
 #cmakedefine HAVE_PIPE ${HAVE_PIPE}
 
-/* if you have the function PK11_CreateGenericObject */
-#cmakedefine HAVE_PK11_CREATEGENERICOBJECT ${HAVE_PK11_CREATEGENERICOBJECT}
-
 /* Define to 1 if you have a working poll function. */
 #cmakedefine HAVE_POLL ${HAVE_POLL}
 

lib/nss.c

@@ -170,9 +170,7 @@ static const int enable_ciphers_by_default[] = {
   SSL_NULL_WITH_NULL_NULL
 };
 
-#ifdef HAVE_PK11_CREATEGENERICOBJECT
 static const char* pem_library = "libnsspem.so";
-#endif
 SECMODModule* mod = NULL;
 
 static SECStatus set_ciphers(struct SessionHandle *data, PRFileDesc * model,
@@ -305,7 +303,6 @@ static char* dup_nickname(struct SessionHandle *data, enum dupstring cert_kind)
   return NULL;
 }
 
-#ifdef HAVE_PK11_CREATEGENERICOBJECT
 /* Call PK11_CreateGenericObject() with the given obj_class and filename.  If
  * the call succeeds, append the object handle to the list of objects so that
  * the object can be destroyed in Curl_nss_close(). */
@@ -369,7 +366,6 @@ static void nss_destroy_object(void *user, void *ptr)
   (void) user;
   PK11_DestroyGenericObject(obj);
 }
-#endif
 
 static CURLcode nss_load_cert(struct ssl_connect_data *ssl,
                               const char *filename, PRBool cacert)
@@ -378,7 +374,6 @@ static CURLcode nss_load_cert(struct ssl_connect_data *ssl,
     ? CURLE_SSL_CACERT_BADFILE
     : CURLE_SSL_CERTPROBLEM;
 
-#ifdef HAVE_PK11_CREATEGENERICOBJECT
   /* libnsspem.so leaks memory if the requested file does not exist.  For more
    * details, go to <https://bugzilla.redhat.com/734760>. */
   if(is_file(filename))
@@ -405,7 +400,6 @@ static CURLcode nss_load_cert(struct ssl_connect_data *ssl,
       free(nickname);
     }
   }
-#endif
 
   return err;
 }
@@ -499,10 +493,10 @@ fail:
 static CURLcode nss_load_key(struct connectdata *conn, int sockindex,
                              char *key_file)
 {
-#ifdef HAVE_PK11_CREATEGENERICOBJECT
   PK11SlotInfo *slot;
   SECStatus status;
   struct ssl_connect_data *ssl = conn->ssl;
+  (void)sockindex; /* unused */
 
   CURLcode rv = nss_create_object(ssl, CKO_PRIVATE_KEY, key_file, FALSE);
   if(CURLE_OK != rv) {
@@ -524,15 +518,6 @@ static CURLcode nss_load_key(struct connectdata *conn, int sockindex,
   return (SECSuccess == status)
     ? CURLE_OK
     : CURLE_SSL_CERTPROBLEM;
-#else
-  /* If we don't have PK11_CreateGenericObject then we can't load a file-based
-   * key.
-   */
-  (void)conn; /* unused */
-  (void)key_file; /* unused */
-  return CURLE_SSL_CERTPROBLEM;
-#endif
-  (void)sockindex; /* unused */
 }
 
 static int display_error(struct connectdata *conn, PRInt32 err,
@@ -775,7 +760,6 @@ static SECStatus SelectClientCert(void *arg, PRFileDesc *sock,
   struct SessionHandle *data = connssl->data;
   const char *nickname = connssl->client_nickname;
 
-#ifdef HAVE_PK11_CREATEGENERICOBJECT
   if(connssl->obj_clicert) {
     /* use the cert/key provided by PEM reader */
     static const char pem_slotname[] = "PEM Token #1";
@@ -815,7 +799,6 @@ static SECStatus SelectClientCert(void *arg, PRFileDesc *sock,
     display_cert_info(data, *pRetCert);
     return SECSuccess;
   }
-#endif
 
   /* use the default NSS hook */
   if(SECSuccess != NSS_GetClientAuthData((void *)nickname, sock, caNames,
@@ -1053,12 +1036,11 @@ void Curl_nss_close(struct connectdata *conn, int sockindex)
        * next time to the same server */
       SSL_InvalidateSession(connssl->handle);
     }
-#ifdef HAVE_PK11_CREATEGENERICOBJECT
     /* destroy all NSS objects in order to avoid failure of NSS shutdown */
     Curl_llist_destroy(connssl->obj_list, NULL);
     connssl->obj_list = NULL;
     connssl->obj_clicert = NULL;
-#endif
+
     PR_Close(connssl->handle);
     connssl->handle = NULL;
   }
@@ -1173,12 +1155,10 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex)
 
   connssl->data = data;
 
-#ifdef HAVE_PK11_CREATEGENERICOBJECT
   /* list of all NSS objects we need to destroy in Curl_nss_close() */
   connssl->obj_list = Curl_llist_alloc(nss_destroy_object);
   if(!connssl->obj_list)
     return CURLE_OUT_OF_MEMORY;
-#endif
 
   /* FIXME. NSS doesn't support multiple databases open at the same time. */
   PR_Lock(nss_initlock);
@@ -1190,7 +1170,6 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex)
 
   curlerr = CURLE_SSL_CONNECT_ERROR;
 
-#ifdef HAVE_PK11_CREATEGENERICOBJECT
   if(!mod) {
     char *configstring = aprintf("library=%s name=PEM", pem_library);
     if(!configstring) {
@@ -1209,7 +1188,6 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex)
             "OpenSSL PEM certificates will not work.\n", pem_library);
     }
   }
-#endif
 
   PK11_SetPasswordFunc(nss_get_password);
   PR_Unlock(nss_initlock);
@@ -1340,9 +1318,7 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex)
     char *nickname = dup_nickname(data, STRING_CERT);
     if(nickname) {
       /* we are not going to use libnsspem.so to read the client cert */
-#ifdef HAVE_PK11_CREATEGENERICOBJECT
       connssl->obj_clicert = NULL;
-#endif
     }
     else {
       CURLcode rv = cert_stuff(conn, sockindex, data->set.str[STRING_CERT],
@@ -1442,11 +1418,9 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex)
   if(model)
     PR_Close(model);
 
-#ifdef HAVE_PK11_CREATEGENERICOBJECT
     /* cleanup on connection failure */
     Curl_llist_destroy(connssl->obj_list, NULL);
     connssl->obj_list = NULL;
-#endif
 
   if(ssl3 && tlsv1 && isTLSIntoleranceError(err)) {
     /* schedule reconnect through Curl_retry_request() */

lib/urldata.h

@@ -272,10 +272,8 @@ struct ssl_connect_data {
   PRFileDesc *handle;
   char *client_nickname;
   struct SessionHandle *data;
-#ifdef HAVE_PK11_CREATEGENERICOBJECT
   struct curl_llist *obj_list;
   PK11GenericObject *obj_clicert;
-#endif
 #endif /* USE_NSS */
 #ifdef USE_QSOSSL
   SSLHandle *handle;