Hello,

the attached patch allows curl to initialize SSL, even if the NSS database is 
broken.  Originally reported at https://bugzilla.redhat.com/728562 .  Any 
feedback welcome!

Kamil
From 01c50e16ed0355f1ce20c3e5c9dd814c8073c504 Mon Sep 17 00:00:00 2001
From: Kamil Dudka <[email protected]>
Date: Mon, 15 Aug 2011 13:48:45 +0200
Subject: [PATCH] nss: start with no database if the selected database is
 broken

Bug: https://bugzilla.redhat.com/728562
---
 RELEASE-NOTES |    1 +
 lib/nss.c     |   61 ++++++++++++++++++++++++++++++++++----------------------
 2 files changed, 38 insertions(+), 24 deletions(-)

diff --git a/RELEASE-NOTES b/RELEASE-NOTES
index 96f9d92..a232538 100644
--- a/RELEASE-NOTES
+++ b/RELEASE-NOTES
@@ -15,6 +15,7 @@ This release includes the following changes:
  o BSD-style lwIP TCP/IP stack support on Windows
  o OpenSSL: Use SSL_MODE_RELEASE_BUFFERS if available
  o --delegation was added to set CURLOPT_GSSAPI_DELEGATION
+ o nss: start with no database if the selected database is broken
 
 This release includes the following bugfixes:
 
diff --git a/lib/nss.c b/lib/nss.c
index 7f5acbc..414dd19 100644
--- a/lib/nss.c
+++ b/lib/nss.c
@@ -895,10 +895,40 @@ isTLSIntoleranceError(PRInt32 err)
   }
 }
 
-static CURLcode init_nss(struct SessionHandle *data)
+static CURLcode nss_init_core(struct SessionHandle *data, const char *cert_dir)
+{
+  if(NSS_IsInitialized())
+    return CURLE_OK;
+
+  if(cert_dir) {
+    const bool use_sql = NSS_VersionCheck("3.12.0");
+    char *certpath = PR_smprintf("%s%s", use_sql ? "sql:" : "", cert_dir);
+    SECStatus rv;
+
+    infof(data, "Initializing NSS with certpath: %s\n", certpath);
+    rv = NSS_Initialize(certpath, "", "", "", NSS_INIT_READONLY);
+    PR_smprintf_free(certpath);
+
+    if(rv == SECSuccess)
+      return CURLE_OK;
+
+    infof(data, "Unable to initialize NSS database\n");
+  }
+
+  infof(data, "Initializing NSS with certpath: none\n");
+  if(NSS_NoDB_Init(NULL) == SECSuccess)
+    return CURLE_OK;
+
+  infof(data, "Unable to initialize NSS\n");
+  return CURLE_SSL_CACERT_BADFILE;
+}
+
+static CURLcode nss_init(struct SessionHandle *data)
 {
   char *cert_dir;
   struct_stat st;
+  CURLcode rv;
+
   if(initialized)
     return CURLE_OK;
 
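Review bot: `PR_smprintf()` can return NULL on allocation failure, and nss_init_core hands the result straight to `infof(data, "Initializing NSS with certpath: %s\n", certpath)` and `NSS_Initialize(certpath, ...)` on the lines after `char *certpath = PR_smprintf(...)`; a NULL under `%s` is undefined behaviour, and NSS_Initialize would then be called with a NULL configdir instead of the selected database. Add `if(!certpath) return CURLE_OUT_OF_MEMORY;` directly after the PR_smprintf call (the removed code had the same gap, but this line is rewritten here). The new function also has no header comment; a two-line one saying that it first tries `cert_dir` read-only, falls back to NSS_NoDB_Init() when that fails, and returns CURLE_OK in both cases would save the next reader from tracing the control flow. nss_init's body continues past the end of this hunk.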
@@ -919,31 +949,14 @@ static CURLcode init_nss(struct SessionHandle *data)
     }
   }
 
-  if(!NSS_IsInitialized()) {
-    SECStatus rv;
-    initialized = 1;
-    infof(data, "Initializing NSS with certpath: %s\n",
-          cert_dir ? cert_dir : "none");
-    if(!cert_dir) {
-      rv = NSS_NoDB_Init(NULL);
-    }
-    else {
-      char *certpath =
-        PR_smprintf("%s%s", NSS_VersionCheck("3.12.0") ? "sql:" : "",
-                    cert_dir);
-      rv = NSS_Initialize(certpath, "", "", "", NSS_INIT_READONLY);
-      PR_smprintf_free(certpath);
-    }
-    if(rv != SECSuccess) {
-      infof(data, "Unable to initialize NSS database\n");
-      initialized = 0;
-      return CURLE_SSL_CACERT_BADFILE;
-    }
-  }
+  rv = nss_init_core(data, cert_dir);
+  if(rv)
+    return rv;
 
   if(num_enabled_ciphers() == 0)
     NSS_SetDomesticPolicy();
 
+  initialized = 1;
   return CURLE_OK;
 }
 
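Review bot: After `rv = nss_init_core(data, cert_dir);` a selected database that failed to open is no longer reported to the caller: nss_init_core returns CURLE_OK once NSS_NoDB_Init() succeeds, where the removed code returned CURLE_SSL_CACERT_BADFILE, and the only trace is an infof() line that is visible only in verbose mode. That is the stated intent of the patch, but it deserves a comment at this call site so it is not later mistaken for a dropped error check: `/* a broken cert_dir is not an error here: nss_init_core() falls back to NSS_NoDB_Init() and only logs it */`. I cannot tell from this hunk which trust anchors remain available after the fallback, so whether a later verification failure can be traced back to the unusable database is something to confirm. nss_init's signature and the cert_dir setup are above this hunk.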
@@ -978,7 +991,7 @@ CURLcode Curl_nss_force_init(struct SessionHandle *data)
   }
 
   PR_Lock(nss_initlock);
-  rv = init_nss(data);
+  rv = nss_init(data);
   PR_Unlock(nss_initlock);
   return rv;
 }
@@ -1181,7 +1194,7 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex)
 
   /* FIXME. NSS doesn't support multiple databases open at the same time. */
   PR_Lock(nss_initlock);
-  curlerr = init_nss(conn->data);
+  curlerr = nss_init(conn->data);
   if(CURLE_OK != curlerr) {
     PR_Unlock(nss_initlock);
     goto error;
-- 
1.7.4.4
