diff options
| -rw-r--r-- | CHANGES | 16 | ||||
| -rw-r--r-- | RELEASE-NOTES | 3 | ||||
| -rw-r--r-- | lib/nss.c | 59 |
3 files changed, 59 insertions, 19 deletions
@@ -6,6 +6,22 @@ Changelog + +Daniel Stenberg (7 Jan 2009) +- Rob Crittenden did once again provide an NSS update: + + I have to jump through a few hoops now with the NSS library initialization + since another part of an application may have already initialized NSS by the + time Curl gets invoked. This patch is more careful to only shutdown the NSS + library if Curl did the initialization. + + It also adds in a bit of code to set the default ciphers if the app that + call NSS_Init* did not call NSS_SetDomesticPolicy() or set specific + ciphers. One might argue that this lets other application developers get + lazy and/or they aren't using the NSS API correctly, and you'd be right. + But still, this will avoid terribly difficult-to-trace crashes and is + generally helpful. + Daniel Stenberg (1 Jan 2009) - 'reconf' is removed since we rather have users use 'buildconf' diff --git a/RELEASE-NOTES b/RELEASE-NOTES index 93f512757..72404f3bd 100644 --- a/RELEASE-NOTES +++ b/RELEASE-NOTES @@ -40,6 +40,7 @@ This release includes the following bugfixes: o SFTP seek/resume beyond 32bit file sizes o fixed breakage with --with-ssl --disable-verbose o TTL "leak" in the DNS cache + o improved NSS initing This release includes the following known bugs: @@ -51,6 +52,6 @@ advice from friends like these: Yang Tse, Daniel Fandrich, Jim Meyering, Christian Krause, Andreas Wurf, Markus Koetter, Josef Wolf, Vlad Grachov, Pawel Kierski, Igor Novoseltsev, Fred Machado, Ken Hirsch, Keshav Krity, Patrick Monnerat, Mark Karpeles, - Anthony Bryan, Peter Korsgaard, Phil Lisiecki, Bas Mevissen + Anthony Bryan, Peter Korsgaard, Phil Lisiecki, Bas Mevissen, Rob Crittenden Thanks! (and sorry if I forgot to mention someone) @@ -5,7 +5,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 1998 - 2008, Daniel Stenberg, <daniel@haxx.se>, et al. + * Copyright (C) 1998 - 2009, Daniel Stenberg, <daniel@haxx.se>, et al. * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms @@ -232,6 +232,24 @@ static SECStatus set_ciphers(struct SessionHandle *data, PRFileDesc * model, } /* + * Get the number of ciphers that are enabled. We use this to determine + * if we need to call NSS_SetDomesticPolicy() to enable the default ciphers. + */ +static int num_enabled_ciphers() +{ + PRInt32 policy = 0; + int count = 0; + int i; + + for(i=0; i<NUM_OF_CIPHERS; i++) { + SSL_CipherPolicyGet(cipherlist[i].num, &policy); + if(policy) + count++; + } + return count; +} + +/* * Determine whether the nickname passed in is a filename that needs to * be loaded as a PEM or a regular NSS nickname. * @@ -944,8 +962,7 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex) /* FIXME. NSS doesn't support multiple databases open at the same time. */ PR_Lock(nss_initlock); - if(!initialized && !NSS_IsInitialized()) { - initialized = 1; + if(!initialized) { certDir = getenv("SSL_DIR"); /* Look in $SSL_DIR */ @@ -958,27 +975,33 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex) } } - if(!certDir) { - rv = NSS_NoDB_Init(NULL); - } - else { - rv = NSS_Initialize(certDir, NULL, NULL, "secmod.db", - NSS_INIT_READONLY); - } - if(rv != SECSuccess) { - infof(conn->data, "Unable to initialize NSS database\n"); - curlerr = CURLE_SSL_CACERT_BADFILE; - initialized = 0; - PR_Unlock(nss_initlock); - goto error; + if (!NSS_IsInitialized()) { + initialized = 1; + if(!certDir) { + rv = NSS_NoDB_Init(NULL); + } + else { + rv = NSS_Initialize(certDir, NULL, NULL, "secmod.db", + NSS_INIT_READONLY); + } + if(rv != SECSuccess) { + infof(conn->data, "Unable to initialize NSS database\n"); + curlerr = CURLE_SSL_CACERT_BADFILE; + initialized = 0; + PR_Unlock(nss_initlock); + goto error; + } } - NSS_SetDomesticPolicy(); + if(num_enabled_ciphers() == 0) + NSS_SetDomesticPolicy(); #ifdef HAVE_PK11_CREATEGENERICOBJECT configstring = aprintf("library=%s name=PEM", pem_library); - if(!configstring) + if(!configstring) { + PR_Unlock(nss_initlock); goto error; + } mod = SECMOD_LoadUserModule(configstring, NULL, PR_FALSE); free(configstring); |