Changelog
+
+Daniel Stenberg (7 Jan 2009)
+- Rob Crittenden did once again provide an NSS update:
+
+ I have to jump through a few hoops now with the NSS library initialization
+ since another part of an application may have already initialized NSS by the
+ time Curl gets invoked. This patch is more careful to only shutdown the NSS
+ library if Curl did the initialization.
+
+ It also adds in a bit of code to set the default ciphers if the app that
+ call NSS_Init* did not call NSS_SetDomesticPolicy() or set specific
+ ciphers. One might argue that this lets other application developers get
+ lazy and/or they aren't using the NSS API correctly, and you'd be right.
+ But still, this will avoid terribly difficult-to-trace crashes and is
+ generally helpful.
+
Daniel Stenberg (1 Jan 2009)
- 'reconf' is removed since we rather have users use 'buildconf'
o SFTP seek/resume beyond 32bit file sizes
o fixed breakage with --with-ssl --disable-verbose
o TTL "leak" in the DNS cache
+ o improved NSS initing
This release includes the following known bugs:
Yang Tse, Daniel Fandrich, Jim Meyering, Christian Krause, Andreas Wurf,
Markus Koetter, Josef Wolf, Vlad Grachov, Pawel Kierski, Igor Novoseltsev,
Fred Machado, Ken Hirsch, Keshav Krity, Patrick Monnerat, Mark Karpeles,
- Anthony Bryan, Peter Korsgaard, Phil Lisiecki, Bas Mevissen
+ Anthony Bryan, Peter Korsgaard, Phil Lisiecki, Bas Mevissen, Rob Crittenden
Thanks! (and sorry if I forgot to mention someone)
* | (__| |_| | _ <| |___
* \___|\___/|_| \_\_____|
*
- * Copyright (C) 1998 - 2008, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2009, Daniel Stenberg, <daniel@haxx.se>, et al.
*
* This software is licensed as described in the file COPYING, which
* you should have received as part of this distribution. The terms
return SECSuccess;
}
+/*
+ * Get the number of ciphers that are enabled. We use this to determine
+ * if we need to call NSS_SetDomesticPolicy() to enable the default ciphers.
+ */
+static int num_enabled_ciphers()
+{
+ PRInt32 policy = 0;
+ int count = 0;
+ int i;
+
+ for(i=0; i<NUM_OF_CIPHERS; i++) {
+ SSL_CipherPolicyGet(cipherlist[i].num, &policy);
+ if(policy)
+ count++;
+ }
+ return count;
+}
+
/*
* Determine whether the nickname passed in is a filename that needs to
* be loaded as a PEM or a regular NSS nickname.
/* FIXME. NSS doesn't support multiple databases open at the same time. */
PR_Lock(nss_initlock);
- if(!initialized && !NSS_IsInitialized()) {
- initialized = 1;
+ if(!initialized) {
certDir = getenv("SSL_DIR"); /* Look in $SSL_DIR */
}
}
- if(!certDir) {
- rv = NSS_NoDB_Init(NULL);
- }
- else {
- rv = NSS_Initialize(certDir, NULL, NULL, "secmod.db",
- NSS_INIT_READONLY);
- }
- if(rv != SECSuccess) {
- infof(conn->data, "Unable to initialize NSS database\n");
- curlerr = CURLE_SSL_CACERT_BADFILE;
- initialized = 0;
- PR_Unlock(nss_initlock);
- goto error;
+ if (!NSS_IsInitialized()) {
+ initialized = 1;
+ if(!certDir) {
+ rv = NSS_NoDB_Init(NULL);
+ }
+ else {
+ rv = NSS_Initialize(certDir, NULL, NULL, "secmod.db",
+ NSS_INIT_READONLY);
+ }
+ if(rv != SECSuccess) {
+ infof(conn->data, "Unable to initialize NSS database\n");
+ curlerr = CURLE_SSL_CACERT_BADFILE;
+ initialized = 0;
+ PR_Unlock(nss_initlock);
+ goto error;
+ }
}
- NSS_SetDomesticPolicy();
+ if(num_enabled_ciphers() == 0)
+ NSS_SetDomesticPolicy();
#ifdef HAVE_PK11_CREATEGENERICOBJECT
configstring = aprintf("library=%s name=PEM", pem_library);
- if(!configstring)
+ if(!configstring) {
+ PR_Unlock(nss_initlock);
goto error;
+ }
mod = SECMOD_LoadUserModule(configstring, NULL, PR_FALSE);
free(configstring);
projects / curl / commitdiff