Re: patch to make NSS libcurl work with new database format

Tue, 15 Sep 2009 06:21:35 -0700 

Guenter wrote:

Hi NSS friends,
I've chatted a bit with a NSS dev about initializing NSS:
http://groups.google.com/group/mozilla.dev.tech.crypto/browse_thread/thread/4cc313a18f31f9cb
and based on that I would like to commit the patch below which does:
- add a check if SSL_DIR env var points to a valid dir
- remove NSS_Initialize() 4th argument secmod.db which seems not needed
- add a check if we run on 3.12.0 or later, and based on the result
prefix the certpath with 'sql:'

I've tested it with old and new databases on OpenSuSE, and seems to work
fine - please review and test before I commit it!
If I'm reading this right it means you can't set SSL_DIR to point to a sql database, right? I wonder if an extra bit of code to detect that would be helpful.
It will also silently skip bad directories. If you have a typo in SSL_DIR it will default to using either the default database or try to initialize a NULL string.
Error reporting is pretty weak right now (my fault). Might be nice to improve the message to include what was passed to NSS_Initialize when it fails, particularly since it could be auto-generated (though the sql: string might be confusing for some). 

rob



--- lib/nss.c.orig      2009-09-08 04:00:15.000000000 +0200
+++ lib/nss.c   2009-09-15 04:09:51.000000000 +0200
@@ -964,16 +964,23 @@
   /* FIXME. NSS doesn't support multiple databases open at the same
time. */
   PR_Lock(nss_initlock);
   if(!initialized) {
+    struct_stat st;

-    certDir = getenv("SSL_DIR"); /* Look in $SSL_DIR */
+    /* First we check if $SSL_DIR points to a valid dir */
+    certDir = getenv("SSL_DIR");
+    if(certDir) {
+      if((stat(certDir, &st) != 0) ||
+              (!S_ISDIR(st.st_mode))) {
+        certDir = NULL;
+      }
+    }

+    /* Now we check if the default location is a valid dir */
     if(!certDir) {
-      struct_stat st;
-
-      if(stat(SSL_DIR, &st) == 0)
-        if(S_ISDIR(st.st_mode)) {
-          certDir = (char *)SSL_DIR;
-        }
+      if((stat(SSL_DIR, &st) == 0) &&
+              (S_ISDIR(st.st_mode))) {
+        certDir = (char *)SSL_DIR;
+      }
     }

     if (!NSS_IsInitialized()) {
@@ -984,8 +991,11 @@
         rv = NSS_NoDB_Init(NULL);
       }
       else {
-        rv = NSS_Initialize(certDir, NULL, NULL, "secmod.db",
-                            NSS_INIT_READONLY);
+        char *certpath = PR_smprintf("%s%s",
+                         NSS_VersionCheck("3.12.0") ? "sql:" : "",
+                         certDir);
+        rv = NSS_Initialize(certpath, "", "", "", NSS_INIT_READONLY);
+        PR_smprintf_free(certpath);
       }
       if(rv != SECSuccess) {
         infof(conn->data, "Unable to initialize NSS database\n");

Gün.

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

Reply via email to