- Rob Crittenden did once again provide an NSS update:
I have to jump through a few hoops now with the NSS library initialization
since another part of an application may have already initialized NSS by the
time Curl gets invoked. This patch is more careful to only shutdown the NSS
library if Curl did the initialization.
It also adds in a bit of code to set the default ciphers if the app that
call NSS_Init* did not call NSS_SetDomesticPolicy() or set specific
ciphers. One might argue that this lets other application developers get
lazy and/or they aren't using the NSS API correctly, and you'd be right.
But still, this will avoid terribly difficult-to-trace crashes and is
generally helpful.
diff --git a/CHANGES b/CHANGES
index 28bbd558..ce89bce 100644
--- a/CHANGES
+++ b/CHANGES
@@ -6,6 +6,22 @@
Changelog
+
+Daniel Stenberg (7 Jan 2009)
+- Rob Crittenden did once again provide an NSS update:
+
+ I have to jump through a few hoops now with the NSS library initialization
+ since another part of an application may have already initialized NSS by the
+ time Curl gets invoked. This patch is more careful to only shutdown the NSS
+ library if Curl did the initialization.
+
+ It also adds in a bit of code to set the default ciphers if the app that
+ call NSS_Init* did not call NSS_SetDomesticPolicy() or set specific
+ ciphers. One might argue that this lets other application developers get
+ lazy and/or they aren't using the NSS API correctly, and you'd be right.
+ But still, this will avoid terribly difficult-to-trace crashes and is
+ generally helpful.
+
Daniel Stenberg (1 Jan 2009)
- 'reconf' is removed since we rather have users use 'buildconf'
diff --git a/RELEASE-NOTES b/RELEASE-NOTES
index 93f5127..72404f3 100644
--- a/RELEASE-NOTES
+++ b/RELEASE-NOTES
@@ -40,6 +40,7 @@
o SFTP seek/resume beyond 32bit file sizes
o fixed breakage with --with-ssl --disable-verbose
o TTL "leak" in the DNS cache
+ o improved NSS initing
This release includes the following known bugs:
@@ -51,6 +52,6 @@
Yang Tse, Daniel Fandrich, Jim Meyering, Christian Krause, Andreas Wurf,
Markus Koetter, Josef Wolf, Vlad Grachov, Pawel Kierski, Igor Novoseltsev,
Fred Machado, Ken Hirsch, Keshav Krity, Patrick Monnerat, Mark Karpeles,
- Anthony Bryan, Peter Korsgaard, Phil Lisiecki, Bas Mevissen
+ Anthony Bryan, Peter Korsgaard, Phil Lisiecki, Bas Mevissen, Rob Crittenden
Thanks! (and sorry if I forgot to mention someone)
diff --git a/lib/nss.c b/lib/nss.c
index dcbf276..55f3169 100644
--- a/lib/nss.c
+++ b/lib/nss.c
@@ -5,7 +5,7 @@
* | (__| |_| | _ <| |___
* \___|\___/|_| \_\_____|
*
- * Copyright (C) 1998 - 2008, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2009, Daniel Stenberg, <daniel@haxx.se>, et al.
*
* This software is licensed as described in the file COPYING, which
* you should have received as part of this distribution. The terms
@@ -232,6 +232,24 @@
}
/*
+ * Get the number of ciphers that are enabled. We use this to determine
+ * if we need to call NSS_SetDomesticPolicy() to enable the default ciphers.
+ */
+static int num_enabled_ciphers()
+{
+ PRInt32 policy = 0;
+ int count = 0;
+ int i;
+
+ for(i=0; i<NUM_OF_CIPHERS; i++) {
+ SSL_CipherPolicyGet(cipherlist[i].num, &policy);
+ if(policy)
+ count++;
+ }
+ return count;
+}
+
+/*
* Determine whether the nickname passed in is a filename that needs to
* be loaded as a PEM or a regular NSS nickname.
*
@@ -944,8 +962,7 @@
/* FIXME. NSS doesn't support multiple databases open at the same time. */
PR_Lock(nss_initlock);
- if(!initialized && !NSS_IsInitialized()) {
- initialized = 1;
+ if(!initialized) {
certDir = getenv("SSL_DIR"); /* Look in $SSL_DIR */
@@ -958,27 +975,33 @@
}
}
- if(!certDir) {
- rv = NSS_NoDB_Init(NULL);
- }
- else {
- rv = NSS_Initialize(certDir, NULL, NULL, "secmod.db",
- NSS_INIT_READONLY);
- }
- if(rv != SECSuccess) {
- infof(conn->data, "Unable to initialize NSS database\n");
- curlerr = CURLE_SSL_CACERT_BADFILE;
- initialized = 0;
- PR_Unlock(nss_initlock);
- goto error;
+ if (!NSS_IsInitialized()) {
+ initialized = 1;
+ if(!certDir) {
+ rv = NSS_NoDB_Init(NULL);
+ }
+ else {
+ rv = NSS_Initialize(certDir, NULL, NULL, "secmod.db",
+ NSS_INIT_READONLY);
+ }
+ if(rv != SECSuccess) {
+ infof(conn->data, "Unable to initialize NSS database\n");
+ curlerr = CURLE_SSL_CACERT_BADFILE;
+ initialized = 0;
+ PR_Unlock(nss_initlock);
+ goto error;
+ }
}
- NSS_SetDomesticPolicy();
+ if(num_enabled_ciphers() == 0)
+ NSS_SetDomesticPolicy();
#ifdef HAVE_PK11_CREATEGENERICOBJECT
configstring = aprintf("library=%s name=PEM", pem_library);
- if(!configstring)
+ if(!configstring) {
+ PR_Unlock(nss_initlock);
goto error;
+ }
mod = SECMOD_LoadUserModule(configstring, NULL, PR_FALSE);
free(configstring);
