diff options
| author | Daniel Stenberg <daniel@haxx.se> | 2009-01-07 14:10:35 +0000 |
|---|---|---|
| committer | Daniel Stenberg <daniel@haxx.se> | 2009-01-07 14:10:35 +0000 |
| commit | 3c2ad4022c009ff06e5e62049c7a5f78d3cfdb01 (patch) | |
| tree | a65d74e4e711f8ed5913770cce3e0b5e47516ac6 /lib | |
| parent | 1f4b8da60a3e558e6a6e568f9d5393b0c44a0542 (diff) | |
- Rob Crittenden did once again provide an NSS update:
I have to jump through a few hoops now with the NSS library initialization
since another part of an application may have already initialized NSS by the
time Curl gets invoked. This patch is more careful to only shutdown the NSS
library if Curl did the initialization.
It also adds in a bit of code to set the default ciphers if the app that
call NSS_Init* did not call NSS_SetDomesticPolicy() or set specific
ciphers. One might argue that this lets other application developers get
lazy and/or they aren't using the NSS API correctly, and you'd be right.
But still, this will avoid terribly difficult-to-trace crashes and is
generally helpful.
Diffstat (limited to 'lib')
| -rw-r--r-- | lib/nss.c | 59 |
1 files changed, 41 insertions, 18 deletions
@@ -5,7 +5,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 1998 - 2008, Daniel Stenberg, <daniel@haxx.se>, et al. + * Copyright (C) 1998 - 2009, Daniel Stenberg, <daniel@haxx.se>, et al. * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms @@ -232,6 +232,24 @@ static SECStatus set_ciphers(struct SessionHandle *data, PRFileDesc * model, } /* + * Get the number of ciphers that are enabled. We use this to determine + * if we need to call NSS_SetDomesticPolicy() to enable the default ciphers. + */ +static int num_enabled_ciphers() +{ + PRInt32 policy = 0; + int count = 0; + int i; + + for(i=0; i<NUM_OF_CIPHERS; i++) { + SSL_CipherPolicyGet(cipherlist[i].num, &policy); + if(policy) + count++; + } + return count; +} + +/* * Determine whether the nickname passed in is a filename that needs to * be loaded as a PEM or a regular NSS nickname. * @@ -944,8 +962,7 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex) /* FIXME. NSS doesn't support multiple databases open at the same time. */ PR_Lock(nss_initlock); - if(!initialized && !NSS_IsInitialized()) { - initialized = 1; + if(!initialized) { certDir = getenv("SSL_DIR"); /* Look in $SSL_DIR */ @@ -958,27 +975,33 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex) } } - if(!certDir) { - rv = NSS_NoDB_Init(NULL); - } - else { - rv = NSS_Initialize(certDir, NULL, NULL, "secmod.db", - NSS_INIT_READONLY); - } - if(rv != SECSuccess) { - infof(conn->data, "Unable to initialize NSS database\n"); - curlerr = CURLE_SSL_CACERT_BADFILE; - initialized = 0; - PR_Unlock(nss_initlock); - goto error; + if (!NSS_IsInitialized()) { + initialized = 1; + if(!certDir) { + rv = NSS_NoDB_Init(NULL); + } + else { + rv = NSS_Initialize(certDir, NULL, NULL, "secmod.db", + NSS_INIT_READONLY); + } + if(rv != SECSuccess) { + infof(conn->data, "Unable to initialize NSS database\n"); + curlerr = CURLE_SSL_CACERT_BADFILE; + initialized = 0; + PR_Unlock(nss_initlock); + goto error; + } } - NSS_SetDomesticPolicy(); + if(num_enabled_ciphers() == 0) + NSS_SetDomesticPolicy(); #ifdef HAVE_PK11_CREATEGENERICOBJECT configstring = aprintf("library=%s name=PEM", pem_library); - if(!configstring) + if(!configstring) { + PR_Unlock(nss_initlock); goto error; + } mod = SECMOD_LoadUserModule(configstring, NULL, PR_FALSE); free(configstring); |