From 42aa796150a580a0adff714c157d3b38b7672c7f Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Fri, 6 Apr 2012 16:05:25 +0200 Subject: [PATCH] nss: unconditionally require PK11_CreateGenericObject() This bumps the minimal supported version of NSS to 3.12.x. --- RELEASE-NOTES | 1 + configure.ac | 10 ++-------- docs/INTERNALS | 2 +- lib/config-symbian.h | 3 --- lib/config-vxworks.h | 3 --- lib/curl_config.h.cmake | 3 --- lib/nss.c | 30 ++---------------------------- lib/urldata.h | 2 -- 8 files changed, 6 insertions(+), 48 deletions(-) diff --git a/RELEASE-NOTES b/RELEASE-NOTES index 70a07c852..58a4cbd65 100644 --- a/RELEASE-NOTES +++ b/RELEASE-NOTES @@ -9,6 +9,7 @@ Curl and libcurl 7.25.1 This release includes the following changes: + o nss: the minimal supported version of NSS bumped to 3.12.x o This release includes the following bugfixes: diff --git a/configure.ac b/configure.ac index dbdde18c9..541c74f3d 100644 --- a/configure.ac +++ b/configure.ac @@ -2091,13 +2091,6 @@ if test "$OPENSSL_ENABLED" != "1" -a "$GNUTLS_ENABLED" != "1"; then nssprefix=$OPT_NSS fi - dnl Check for functionPK11_CreateGenericObject - dnl this is needed for using the PEM PKCS#11 module - AC_CHECK_LIB(nss3, PK11_CreateGenericObject, - [ - AC_DEFINE(HAVE_PK11_CREATEGENERICOBJECT, 1, [if you have the function PK11_CreateGenericObject]) - AC_SUBST(HAVE_PK11_CREATEGENERICOBJECT, [1]) - ]) if test -n "$addlib"; then CLEANLIBS="$LIBS" @@ -2108,7 +2101,8 @@ if test "$OPENSSL_ENABLED" != "1" -a "$GNUTLS_ENABLED" != "1"; then CPPFLAGS="$CPPFLAGS $addcflags" fi - AC_CHECK_LIB(nss3, NSS_Initialize, + dnl The function PK11_CreateGenericObject is needed to load libnsspem.so + AC_CHECK_LIB(nss3, PK11_CreateGenericObject, [ AC_DEFINE(USE_NSS, 1, [if NSS is enabled]) AC_SUBST(USE_NSS, [1]) diff --git a/docs/INTERNALS b/docs/INTERNALS index b87e2ce20..d2bff0ce5 100644 --- a/docs/INTERNALS +++ b/docs/INTERNALS 
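Review bot: The configure.ac hunk that replaces the NSS_Initialize probe with `AC_CHECK_LIB(nss3, PK11_CreateGenericObject, [...])` gives no indication of why NSS is not enabled when the symbol is missing; a user with NSS 3.11.x just sees USE_NSS left unset (whatever the action-if-not-found does lies outside the hunk). Since this check now encodes the version floor the commit message announces, the not-found branch should say so, e.g. `[AC_MSG_WARN([NSS 3.12.x or newer is required (PK11_CreateGenericObject not found)])]`. The added dnl line could also state the requirement for the next reader: `dnl PK11_CreateGenericObject (NSS >= 3.12) is needed to load libnsspem.so`. The enclosing `if test "$OPENSSL_ENABLED" != "1" ...` block starts before and continues past this hunk.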
@@ -43,7 +43,7 @@ Portability openldap 2.0 MIT krb5 lib 1.2.4 qsossl V5R2M0 - NSS 3.11.x + NSS 3.12.x axTLS 1.2.7 Heimdal ? diff --git a/lib/config-symbian.h b/lib/config-symbian.h index e7cef5020..fcfb4058c 100644 --- a/lib/config-symbian.h +++ b/lib/config-symbian.h @@ -396,9 +396,6 @@ /* Define to 1 if you have the `pipe' function. */ #define HAVE_PIPE 1 -/* if you have the function PK11_CreateGenericObject */ -/* #undef HAVE_PK11_CREATEGENERICOBJECT */ - /* Define to 1 if you have the `poll' function. */ /*#define HAVE_POLL 1*/ diff --git a/lib/config-vxworks.h b/lib/config-vxworks.h index 42a770700..5b224c045 100644 --- a/lib/config-vxworks.h +++ b/lib/config-vxworks.h @@ -460,9 +460,6 @@ /* Define to 1 if you have the `pipe' function. */ #define HAVE_PIPE 1 -/* if you have the function PK11_CreateGenericObject */ -/* #undef HAVE_PK11_CREATEGENERICOBJECT */ - /* Define to 1 if you have a working poll function. */ /* #undef HAVE_POLL */ diff --git a/lib/curl_config.h.cmake b/lib/curl_config.h.cmake index 303eea91b..454c9e6d2 100644 --- a/lib/curl_config.h.cmake +++ b/lib/curl_config.h.cmake @@ -441,9 +441,6 @@ /* Define to 1 if you have the `pipe' function. */ #cmakedefine HAVE_PIPE ${HAVE_PIPE} -/* if you have the function PK11_CreateGenericObject */ -#cmakedefine HAVE_PK11_CREATEGENERICOBJECT ${HAVE_PK11_CREATEGENERICOBJECT} - /* Define to 1 if you have a working poll function. */ #cmakedefine HAVE_POLL ${HAVE_POLL} diff --git a/lib/nss.c b/lib/nss.c index 8f6da50ea..61089173c 100644 --- a/lib/nss.c +++ b/lib/nss.c @@ -170,9 +170,7 @@ static const int enable_ciphers_by_default[] = { SSL_NULL_WITH_NULL_NULL }; -#ifdef HAVE_PK11_CREATEGENERICOBJECT static const char* pem_library = "libnsspem.so"; -#endif SECMODModule* mod = NULL; static SECStatus set_ciphers(struct SessionHandle *data, PRFileDesc * model, 
@@ -305,7 +303,6 @@ static char* dup_nickname(struct SessionHandle *data, enum dupstring cert_kind) return NULL; } -#ifdef HAVE_PK11_CREATEGENERICOBJECT /* Call PK11_CreateGenericObject() with the given obj_class and filename. If * the call succeeds, append the object handle to the list of objects so that * the object can be destroyed in Curl_nss_close(). */ @@ -369,7 +366,6 @@ static void nss_destroy_object(void *user, void *ptr) (void) user; PK11_DestroyGenericObject(obj); } -#endif static CURLcode nss_load_cert(struct ssl_connect_data *ssl, const char *filename, PRBool cacert) @@ -378,7 +374,6 @@ static CURLcode nss_load_cert(struct ssl_connect_data *ssl, ? CURLE_SSL_CACERT_BADFILE : CURLE_SSL_CERTPROBLEM; -#ifdef HAVE_PK11_CREATEGENERICOBJECT /* libnsspem.so leaks memory if the requested file does not exist. For more * details, go to . */ if(is_file(filename)) @@ -405,7 +400,6 @@ static CURLcode nss_load_cert(struct ssl_connect_data *ssl, free(nickname); } } -#endif return err; } @@ -499,10 +493,10 @@ fail: static CURLcode nss_load_key(struct connectdata *conn, int sockindex, char *key_file) { -#ifdef HAVE_PK11_CREATEGENERICOBJECT PK11SlotInfo *slot; SECStatus status; struct ssl_connect_data *ssl = conn->ssl; + (void)sockindex; /* unused */ CURLcode rv = nss_create_object(ssl, CKO_PRIVATE_KEY, key_file, FALSE); if(CURLE_OK != rv) { @@ -524,15 +518,6 @@ static CURLcode nss_load_key(struct connectdata *conn, int sockindex, return (SECSuccess == status) ? CURLE_OK : CURLE_SSL_CERTPROBLEM; -#else - /* If we don't have PK11_CreateGenericObject then we can't load a file-based - * key. - */ - (void)conn; /* unused */ - (void)key_file; /* unused */ - return CURLE_SSL_CERTPROBLEM; -#endif - (void)sockindex; /* unused */ } static int display_error(struct connectdata *conn, PRInt32 err, 
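Review bot: In the nss_load_key hunk the new `(void)sockindex; /* unused */` is placed before the declaration `CURLcode rv = nss_create_object(ssl, CKO_PRIVATE_KEY, key_file, FALSE);`, so a statement now precedes a declaration in the same block — not valid C89 and flagged by -Wdeclaration-after-statement where that warning is enabled (the build flags are not visible here). Move the cast below the declaration: keep `CURLcode rv = nss_create_object(ssl, CKO_PRIVATE_KEY, key_file, FALSE);` where it is and put `(void)sockindex; /* unused */` on the line after it. The removed `(void)conn;` is correctly gone since `conn->ssl` is now read unconditionally. nss_load_key continues past this hunk; its tail (the return and the deleted #else fallback) is in the following hunk.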
@@ -775,7 +760,6 @@ static SECStatus SelectClientCert(void *arg, PRFileDesc *sock, struct SessionHandle *data = connssl->data; const char *nickname = connssl->client_nickname; -#ifdef HAVE_PK11_CREATEGENERICOBJECT if(connssl->obj_clicert) { /* use the cert/key provided by PEM reader */ static const char pem_slotname[] = "PEM Token #1"; @@ -815,7 +799,6 @@ static SECStatus SelectClientCert(void *arg, PRFileDesc *sock, display_cert_info(data, *pRetCert); return SECSuccess; } -#endif /* use the default NSS hook */ if(SECSuccess != NSS_GetClientAuthData((void *)nickname, sock, caNames, @@ -1053,12 +1036,11 @@ void Curl_nss_close(struct connectdata *conn, int sockindex) * next time to the same server */ SSL_InvalidateSession(connssl->handle); } -#ifdef HAVE_PK11_CREATEGENERICOBJECT /* destroy all NSS objects in order to avoid failure of NSS shutdown */ Curl_llist_destroy(connssl->obj_list, NULL); connssl->obj_list = NULL; connssl->obj_clicert = NULL; -#endif + PR_Close(connssl->handle); connssl->handle = NULL; } @@ -1173,12 +1155,10 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex) connssl->data = data; -#ifdef HAVE_PK11_CREATEGENERICOBJECT /* list of all NSS objects we need to destroy in Curl_nss_close() */ connssl->obj_list = Curl_llist_alloc(nss_destroy_object); if(!connssl->obj_list) return CURLE_OUT_OF_MEMORY; -#endif /* FIXME. NSS doesn't support multiple databases open at the same time. */ PR_Lock(nss_initlock); @@ -1190,7 +1170,6 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex) curlerr = CURLE_SSL_CONNECT_ERROR; -#ifdef HAVE_PK11_CREATEGENERICOBJECT if(!mod) { char *configstring = aprintf("library=%s name=PEM", pem_library); if(!configstring) { @@ -1209,7 +1188,6 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex) "OpenSSL PEM certificates will not work.\n", pem_library); } } -#endif PK11_SetPasswordFunc(nss_get_password); PR_Unlock(nss_initlock); 
@@ -1340,9 +1318,7 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex) char *nickname = dup_nickname(data, STRING_CERT); if(nickname) { /* we are not going to use libnsspem.so to read the client cert */ -#ifdef HAVE_PK11_CREATEGENERICOBJECT connssl->obj_clicert = NULL; -#endif } else { CURLcode rv = cert_stuff(conn, sockindex, data->set.str[STRING_CERT], @@ -1442,11 +1418,9 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex) if(model) PR_Close(model); -#ifdef HAVE_PK11_CREATEGENERICOBJECT /* cleanup on connection failure */ Curl_llist_destroy(connssl->obj_list, NULL); connssl->obj_list = NULL; -#endif if(ssl3 && tlsv1 && isTLSIntoleranceError(err)) { /* schedule reconnect through Curl_retry_request() */ diff --git a/lib/urldata.h b/lib/urldata.h index 3474431cb..b718ed8d2 100644 --- a/lib/urldata.h +++ b/lib/urldata.h @@ -272,10 +272,8 @@ struct ssl_connect_data { PRFileDesc *handle; char *client_nickname; struct SessionHandle *data; -#ifdef HAVE_PK11_CREATEGENERICOBJECT struct curl_llist *obj_list; PK11GenericObject *obj_clicert; -#endif #endif /* USE_NSS */ #ifdef USE_QSOSSL SSLHandle *handle;