- Rob Crittenden did once again provide an NSS update:

  I have to jump through a few hoops now with the NSS library initialization
  since another part of an application may have already initialized NSS by the
  time Curl gets invoked. This patch is more careful to only shutdown the NSS
  library if Curl did the initialization.

  It also adds in a bit of code to set the default ciphers if the app that
  call NSS_Init* did not call NSS_SetDomesticPolicy() or set specific
  ciphers. One might argue that this lets other application developers get
  lazy and/or they aren't using the NSS API correctly, and you'd be right.
  But still, this will avoid terribly difficult-to-trace crashes and is
  generally helpful.

3 files changed, 59 insertions, 19 deletions

diff --git a/CHANGES b/CHANGES
index 28bbd5588..ce89bceb0 100644
--- a/CHANGES
+++ b/CHANGES
@@ -6,6 +6,22 @@
 
                                   Changelog
 
+
+Daniel Stenberg (7 Jan 2009)
+- Rob Crittenden did once again provide an NSS update:
+
+  I have to jump through a few hoops now with the NSS library initialization
+  since another part of an application may have already initialized NSS by the
+  time Curl gets invoked. This patch is more careful to only shutdown the NSS
+  library if Curl did the initialization.
+
+  It also adds in a bit of code to set the default ciphers if the app that
+  call NSS_Init* did not call NSS_SetDomesticPolicy() or set specific
+  ciphers. One might argue that this lets other application developers get
+  lazy and/or they aren't using the NSS API correctly, and you'd be right.
+  But still, this will avoid terribly difficult-to-trace crashes and is
+  generally helpful.
+
 Daniel Stenberg (1 Jan 2009)
 - 'reconf' is removed since we rather have users use 'buildconf'
 
diff --git a/RELEASE-NOTES b/RELEASE-NOTES
index 93f512757..72404f3bd 100644
--- a/RELEASE-NOTES
+++ b/RELEASE-NOTES
@@ -40,6 +40,7 @@ This release includes the following bugfixes:
  o SFTP seek/resume beyond 32bit file sizes
  o fixed breakage with --with-ssl --disable-verbose
  o TTL "leak" in the DNS cache
+ o improved NSS initing
 
 This release includes the following known bugs:
 
@@ -51,6 +52,6 @@ advice from friends like these:
  Yang Tse, Daniel Fandrich, Jim Meyering, Christian Krause, Andreas Wurf,
  Markus Koetter, Josef Wolf, Vlad Grachov, Pawel Kierski, Igor Novoseltsev,
  Fred Machado, Ken Hirsch, Keshav Krity, Patrick Monnerat, Mark Karpeles,
- Anthony Bryan, Peter Korsgaard, Phil Lisiecki, Bas Mevissen
+ Anthony Bryan, Peter Korsgaard, Phil Lisiecki, Bas Mevissen, Rob Crittenden
 
         Thanks! (and sorry if I forgot to mention someone)
diff --git a/lib/nss.c b/lib/nss.c
index dcbf27620..55f3169e9 100644
--- a/lib/nss.c
+++ b/lib/nss.c
@@ -5,7 +5,7 @@
  *                            | (__| |_| |  _ <| |___
  *                             \___|\___/|_| \_\_____|
  *
- * Copyright (C) 1998 - 2008, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2009, Daniel Stenberg, <daniel@haxx.se>, et al.
  *
  * This software is licensed as described in the file COPYING, which
  * you should have received as part of this distribution. The terms
@@ -232,6 +232,24 @@ static SECStatus set_ciphers(struct SessionHandle *data, PRFileDesc * model,
 }
 
 /*
+ * Get the number of ciphers that are enabled. We use this to determine
+ * if we need to call NSS_SetDomesticPolicy() to enable the default ciphers.
+ */
+static int num_enabled_ciphers()
+{
+  PRInt32 policy = 0;
+  int count = 0;
+  int i;
+
+  for(i=0; i<NUM_OF_CIPHERS; i++) {
+    SSL_CipherPolicyGet(cipherlist[i].num, &policy);
+    if(policy)
+      count++;
+  }
+  return count;
+}
+
+/*
  * Determine whether the nickname passed in is a filename that needs to
  * be loaded as a PEM or a regular NSS nickname.
  *
@@ -944,8 +962,7 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex)
 
   /* FIXME. NSS doesn't support multiple databases open at the same time. */
   PR_Lock(nss_initlock);
-  if(!initialized && !NSS_IsInitialized()) {
-    initialized = 1;
+  if(!initialized) {
 
     certDir = getenv("SSL_DIR"); /* Look in $SSL_DIR */
 
@@ -958,27 +975,33 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex)
         }
     }
 
-    if(!certDir) {
-      rv = NSS_NoDB_Init(NULL);
-    }
-    else {
-      rv = NSS_Initialize(certDir, NULL, NULL, "secmod.db",
-                          NSS_INIT_READONLY);
-    }
-    if(rv != SECSuccess) {
-      infof(conn->data, "Unable to initialize NSS database\n");
-      curlerr = CURLE_SSL_CACERT_BADFILE;
-      initialized = 0;
-      PR_Unlock(nss_initlock);
-      goto error;
+    if (!NSS_IsInitialized()) {
+      initialized = 1;
+      if(!certDir) {
+        rv = NSS_NoDB_Init(NULL);
+      }
+      else {
+        rv = NSS_Initialize(certDir, NULL, NULL, "secmod.db",
+                            NSS_INIT_READONLY);
+      }
+      if(rv != SECSuccess) {
+        infof(conn->data, "Unable to initialize NSS database\n");
+        curlerr = CURLE_SSL_CACERT_BADFILE;
+        initialized = 0;
+        PR_Unlock(nss_initlock);
+        goto error;
+      }
     }
 
-    NSS_SetDomesticPolicy();
+    if(num_enabled_ciphers() == 0)
+      NSS_SetDomesticPolicy();
 
 #ifdef HAVE_PK11_CREATEGENERICOBJECT
     configstring = aprintf("library=%s name=PEM", pem_library);
-    if(!configstring)
+    if(!configstring) {
+      PR_Unlock(nss_initlock);
       goto error;
+    }
     mod = SECMOD_LoadUserModule(configstring, NULL, PR_FALSE);
     free(configstring);