- Rob Crittenden did once again provide an NSS update:

  I have to jump through a few hoops now with the NSS library initialization
  since another part of an application may have already initialized NSS by the
  time Curl gets invoked. This patch is more careful to only shutdown the NSS
  library if Curl did the initialization.

  It also adds in a bit of code to set the default ciphers if the app that
  call NSS_Init* did not call NSS_SetDomesticPolicy() or set specific
  ciphers. One might argue that this lets other application developers get
  lazy and/or they aren't using the NSS API correctly, and you'd be right.
  But still, this will avoid terribly difficult-to-trace crashes and is
  generally helpful.

1 files changed, 41 insertions, 18 deletions

diff --git a/lib/nss.c b/lib/nss.c
index dcbf27620..55f3169e9 100644
--- a/lib/nss.c
+++ b/lib/nss.c
@@ -5,7 +5,7 @@
  *                            | (__| |_| |  _ <| |___
  *                             \___|\___/|_| \_\_____|
  *
- * Copyright (C) 1998 - 2008, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2009, Daniel Stenberg, <daniel@haxx.se>, et al.
  *
  * This software is licensed as described in the file COPYING, which
  * you should have received as part of this distribution. The terms
@@ -232,6 +232,24 @@ static SECStatus set_ciphers(struct SessionHandle *data, PRFileDesc * model,
 }
 
 /*
+ * Get the number of ciphers that are enabled. We use this to determine
+ * if we need to call NSS_SetDomesticPolicy() to enable the default ciphers.
+ */
+static int num_enabled_ciphers()
+{
+  PRInt32 policy = 0;
+  int count = 0;
+  int i;
+
+  for(i=0; i<NUM_OF_CIPHERS; i++) {
+    SSL_CipherPolicyGet(cipherlist[i].num, &policy);
+    if(policy)
+      count++;
+  }
+  return count;
+}
+
+/*
  * Determine whether the nickname passed in is a filename that needs to
  * be loaded as a PEM or a regular NSS nickname.
  *
@@ -944,8 +962,7 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex)
 
   /* FIXME. NSS doesn't support multiple databases open at the same time. */
   PR_Lock(nss_initlock);
-  if(!initialized && !NSS_IsInitialized()) {
-    initialized = 1;
+  if(!initialized) {
 
     certDir = getenv("SSL_DIR"); /* Look in $SSL_DIR */
 
@@ -958,27 +975,33 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex)
         }
     }
 
-    if(!certDir) {
-      rv = NSS_NoDB_Init(NULL);
-    }
-    else {
-      rv = NSS_Initialize(certDir, NULL, NULL, "secmod.db",
-                          NSS_INIT_READONLY);
-    }
-    if(rv != SECSuccess) {
-      infof(conn->data, "Unable to initialize NSS database\n");
-      curlerr = CURLE_SSL_CACERT_BADFILE;
-      initialized = 0;
-      PR_Unlock(nss_initlock);
-      goto error;
+    if (!NSS_IsInitialized()) {
+      initialized = 1;
+      if(!certDir) {
+        rv = NSS_NoDB_Init(NULL);
+      }
+      else {
+        rv = NSS_Initialize(certDir, NULL, NULL, "secmod.db",
+                            NSS_INIT_READONLY);
+      }
+      if(rv != SECSuccess) {
+        infof(conn->data, "Unable to initialize NSS database\n");
+        curlerr = CURLE_SSL_CACERT_BADFILE;
+        initialized = 0;
+        PR_Unlock(nss_initlock);
+        goto error;
+      }
     }
 
-    NSS_SetDomesticPolicy();
+    if(num_enabled_ciphers() == 0)
+      NSS_SetDomesticPolicy();
 
 #ifdef HAVE_PK11_CREATEGENERICOBJECT
     configstring = aprintf("library=%s name=PEM", pem_library);
-    if(!configstring)
+    if(!configstring) {
+      PR_Unlock(nss_initlock);
       goto error;
+    }
     mod = SECMOD_LoadUserModule(configstring, NULL, PR_FALSE);
     free(configstring);