Re: patch to make NSS libcurl work with new database format

From: Rob Crittenden <rcritten_at_redhat.com>
Date: Tue, 15 Sep 2009 09:14:48 -0400

Guenter wrote:
> Hi NSS friends,
> I've chatted a bit with a NSS dev about initializing NSS:
> http://groups.google.com/group/mozilla.dev.tech.crypto/browse_thread/thread/4cc313a18f31f9cb
> and based on that I would like to commit the patch below which does:
> - add a check if SSL_DIR env var points to a valid dir
> - remove NSS_Initialize() 4th argument secmod.db which seems not needed
> - add a check if we run on 3.12.0 or later, and based on the result
> prefix the certpath with 'sql:'
>
> I've tested it with old and new databases on OpenSuSE, and it seems to work
> fine - please review and test before I commit it!

If I'm reading this right it means you can't set SSL_DIR to point to a
sql database, right? I wonder if an extra bit of code to detect that
would be helpful.

It will also silently skip bad directories. If you have a typo in
SSL_DIR it will default to using either the default database or try to
initialize a NULL string.

Error reporting is pretty weak right now (my fault). Might be nice to
improve the message to include what was passed to NSS_Initialize when it
fails, particularly since it could be auto-generated (though the sql:
string might be confusing for some).

rob

>
> --- lib/nss.c.orig 2009-09-08 04:00:15.000000000 +0200
> +++ lib/nss.c 2009-09-15 04:09:51.000000000 +0200
> @@ -964,16 +964,23 @@
> /* FIXME. NSS doesn't support multiple databases open at the same
> time. */
> PR_Lock(nss_initlock);
> if(!initialized) {
> + struct_stat st;
>
> - certDir = getenv("SSL_DIR"); /* Look in $SSL_DIR */
> + /* First we check if $SSL_DIR points to a valid dir */
> + certDir = getenv("SSL_DIR");
> + if(certDir) {
> + if((stat(certDir, &st) != 0) ||
> + (!S_ISDIR(st.st_mode))) {
> + certDir = NULL;
> + }
> + }
>
> + /* Now we check if the default location is a valid dir */
> if(!certDir) {
> - struct_stat st;
> -
> - if(stat(SSL_DIR, &st) == 0)
> - if(S_ISDIR(st.st_mode)) {
> - certDir = (char *)SSL_DIR;
> - }
> + if((stat(SSL_DIR, &st) == 0) &&
> + (S_ISDIR(st.st_mode))) {
> + certDir = (char *)SSL_DIR;
> + }
> }
>
> if (!NSS_IsInitialized()) {
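Review bot: the new $SSL_DIR block in this hunk drops an invalid value without any diagnostic, so a typo in SSL_DIR silently falls back to the compiled-in SSL_DIR (or to certDir == NULL), which is exactly the failure mode raised above. Suggest an infof() on the fallback path, e.g. `infof(conn->data, "SSL_DIR %s is not a directory, ignoring\n", certDir);` before `certDir = NULL;`. Note also that the stat() check is done on the raw string, so a value such as `sql:/path` (which the second hunk's "sql:" prefix makes the natural way to name a new-format database) can never pass; if prefixed values are meant to be accepted, strip a leading `sql:` or `dbm:` before calling stat() and remember the prefix for the NSS_Initialize call.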
> @@ -984,8 +991,11 @@
> rv = NSS_NoDB_Init(NULL);
> }
> else {
> - rv = NSS_Initialize(certDir, NULL, NULL, "secmod.db",
> - NSS_INIT_READONLY);
> + char *certpath = PR_smprintf("%s%s",
> + NSS_VersionCheck("3.12.0") ? "sql:" : "",
> + certDir);
> + rv = NSS_Initialize(certpath, "", "", "", NSS_INIT_READONLY);
> + PR_smprintf_free(certpath);
> }
> if(rv != SECSuccess) {
> infof(conn->data, "Unable to initialize NSS database\n");
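Review bot: the return value of PR_smprintf() is not checked for NULL before `NSS_Initialize(certpath, "", "", "", NSS_INIT_READONLY);`, so an allocation failure hands NSS a NULL path and PR_smprintf_free(NULL) follows; add `if(!certpath) { rv = SECFailure; } else { ... }` or equivalent. Since the "sql:" prefix is now added automatically, the existing "Unable to initialize NSS database" message gives no hint which path was actually tried; keeping certpath alive until after that infof() and printing it (`"Unable to initialize NSS database %s\n", certpath`) would address the weak error reporting mentioned in the reply. Finally, NSS_VersionCheck("3.12.0") unconditionally selects the sqlite ("sql:") format on newer NSS; a comment explaining how a directory holding only a legacy database is expected to behave under NSS_INIT_READONLY would help the next reader, since the hunk itself does not show it.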
>
> Gün.
>

Received on 2009-09-15