

[PATCH 1/2] nss: unconditionally require PK11_CreateGenericObject()

From: Kamil Dudka <kdudka_at_redhat.com>
Date: Tue, 10 Apr 2012 16:00:11 +0200

This bumps the minimal supported version of NSS to 3.12.x.

---
 RELEASE-NOTES           |    1 +
 configure.ac            |   10 ++--------
 docs/INTERNALS          |    2 +-
 lib/config-symbian.h    |    3 ---
 lib/config-vxworks.h    |    3 ---
 lib/curl_config.h.cmake |    3 ---
 lib/nss.c               |   30 ++----------------------------
 lib/urldata.h           |    2 --
 8 files changed, 6 insertions(+), 48 deletions(-)
diff --git a/RELEASE-NOTES b/RELEASE-NOTES
index 70a07c8..58a4cbd 100644
--- a/RELEASE-NOTES
+++ b/RELEASE-NOTES
@@ -9,6 +9,7 @@ Curl and libcurl 7.25.1
 
 This release includes the following changes:
 
+ o nss: the minimal supported version of NSS bumped to 3.12.x
  o 
 
 This release includes the following bugfixes:
diff --git a/configure.ac b/configure.ac
index 976553c..0295c18 100644
--- a/configure.ac
+++ b/configure.ac
@@ -2089,13 +2089,6 @@ if test "$OPENSSL_ENABLED" != "1" -a "$GNUTLS_ENABLED" != "1"; then
         nssprefix=$OPT_NSS
     fi
 
-    dnl Check for functionPK11_CreateGenericObject
-    dnl this is needed for using the PEM PKCS#11 module
-    AC_CHECK_LIB(nss3, PK11_CreateGenericObject,
-     [
-     AC_DEFINE(HAVE_PK11_CREATEGENERICOBJECT, 1, [if you have the function PK11_CreateGenericObject])
-     AC_SUBST(HAVE_PK11_CREATEGENERICOBJECT, [1])
-     ])
     if test -n "$addlib"; then
 
       CLEANLIBS="$LIBS"
@@ -2106,7 +2099,8 @@ if test "$OPENSSL_ENABLED" != "1" -a "$GNUTLS_ENABLED" != "1"; then
          CPPFLAGS="$CPPFLAGS $addcflags"
       fi
 
-      AC_CHECK_LIB(nss3, NSS_Initialize,
+      dnl The function PK11_CreateGenericObject is needed to load libnsspem.so
+      AC_CHECK_LIB(nss3, PK11_CreateGenericObject,
        [
        AC_DEFINE(USE_NSS, 1, [if NSS is enabled])
        AC_SUBST(USE_NSS, [1])
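Review bot: PK11_CreateGenericObject is now the only probe that decides USE_NSS, so a system with NSS older than 3.12 will presumably fall into the generic "NSS not found" path rather than learn that its NSS is too old; the failure action of this AC_CHECK_LIB is outside the hunk, but it should name the new minimum. At minimum the dnl comment should record why this symbol is the probe, e.g. `dnl PK11_CreateGenericObject (NSS >= 3.12) is needed to load libnsspem.so; its absence means NSS is too old`. The CMake build loses its HAVE_PK11_CREATEGENERICOBJECT define in this series but no equivalent CMake probe is visible here — worth confirming it still rejects NSS < 3.12.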
diff --git a/docs/INTERNALS b/docs/INTERNALS
index b87e2ce..d2bff0c 100644
--- a/docs/INTERNALS
+++ b/docs/INTERNALS
@@ -43,7 +43,7 @@ Portability
  openldap     2.0
  MIT krb5 lib 1.2.4
  qsossl       V5R2M0
- NSS          3.11.x
+ NSS          3.12.x
  axTLS        1.2.7
  Heimdal      ?
 
diff --git a/lib/config-symbian.h b/lib/config-symbian.h
index b4dc032..f2e8cd4 100644
--- a/lib/config-symbian.h
+++ b/lib/config-symbian.h
@@ -399,9 +399,6 @@
 /* Define to 1 if you have the `pipe' function. */
 #define HAVE_PIPE 1
 
-/* if you have the function PK11_CreateGenericObject */
-/* #undef HAVE_PK11_CREATEGENERICOBJECT */
-
 /* Define to 1 if you have the `poll' function. */
 /*#define HAVE_POLL 1*/
 
diff --git a/lib/config-vxworks.h b/lib/config-vxworks.h
index 53266c0..8616072 100644
--- a/lib/config-vxworks.h
+++ b/lib/config-vxworks.h
@@ -463,9 +463,6 @@
 /* Define to 1 if you have the `pipe' function. */
 #define HAVE_PIPE 1
 
-/* if you have the function PK11_CreateGenericObject */
-/* #undef HAVE_PK11_CREATEGENERICOBJECT */
-
 /* Define to 1 if you have a working poll function. */
 /* #undef HAVE_POLL */
 
diff --git a/lib/curl_config.h.cmake b/lib/curl_config.h.cmake
index a321302..88b4de2 100644
--- a/lib/curl_config.h.cmake
+++ b/lib/curl_config.h.cmake
@@ -444,9 +444,6 @@
 /* Define to 1 if you have the `pipe' function. */
 #cmakedefine HAVE_PIPE ${HAVE_PIPE}
 
-/* if you have the function PK11_CreateGenericObject */
-#cmakedefine HAVE_PK11_CREATEGENERICOBJECT ${HAVE_PK11_CREATEGENERICOBJECT}
-
 /* Define to 1 if you have a working poll function. */
 #cmakedefine HAVE_POLL ${HAVE_POLL}
 
diff --git a/lib/nss.c b/lib/nss.c
index 8f6da50..6108917 100644
--- a/lib/nss.c
+++ b/lib/nss.c
@@ -170,9 +170,7 @@ static const int enable_ciphers_by_default[] = {
   SSL_NULL_WITH_NULL_NULL
 };
 
-#ifdef HAVE_PK11_CREATEGENERICOBJECT
 static const char* pem_library = "libnsspem.so";
-#endif
 SECMODModule* mod = NULL;
 
 static SECStatus set_ciphers(struct SessionHandle *data, PRFileDesc * model,
@@ -305,7 +303,6 @@ static char* dup_nickname(struct SessionHandle *data, enum dupstring cert_kind)
   return NULL;
 }
 
-#ifdef HAVE_PK11_CREATEGENERICOBJECT
 /* Call PK11_CreateGenericObject() with the given obj_class and filename.  If
  * the call succeeds, append the object handle to the list of objects so that
  * the object can be destroyed in Curl_nss_close(). */
@@ -369,7 +366,6 @@ static void nss_destroy_object(void *user, void *ptr)
   (void) user;
   PK11_DestroyGenericObject(obj);
 }
-#endif
 
 static CURLcode nss_load_cert(struct ssl_connect_data *ssl,
                               const char *filename, PRBool cacert)
@@ -378,7 +374,6 @@ static CURLcode nss_load_cert(struct ssl_connect_data *ssl,
     ? CURLE_SSL_CACERT_BADFILE
     : CURLE_SSL_CERTPROBLEM;
 
-#ifdef HAVE_PK11_CREATEGENERICOBJECT
   /* libnsspem.so leaks memory if the requested file does not exist.  For more
    * details, go to <https://bugzilla.redhat.com/734760>. */
   if(is_file(filename))
@@ -405,7 +400,6 @@ static CURLcode nss_load_cert(struct ssl_connect_data *ssl,
       free(nickname);
     }
   }
-#endif
 
   return err;
 }
@@ -499,10 +493,10 @@ fail:
 static CURLcode nss_load_key(struct connectdata *conn, int sockindex,
                              char *key_file)
 {
-#ifdef HAVE_PK11_CREATEGENERICOBJECT
   PK11SlotInfo *slot;
   SECStatus status;
   struct ssl_connect_data *ssl = conn->ssl;
+  (void)sockindex; /* unused */
 
   CURLcode rv = nss_create_object(ssl, CKO_PRIVATE_KEY, key_file, FALSE);
   if(CURLE_OK != rv) {
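Review bot: The added `(void)sockindex; /* unused */` is a statement placed before the `CURLcode rv = nss_create_object(...)` declaration, which makes the function a mixed declaration/statement block — rejected by C89 compilers and flagged by -Wdeclaration-after-statement, which curl's warning-enabled builds use. Move it after the last declaration: keep `CURLcode rv = nss_create_object(ssl, CKO_PRIVATE_KEY, key_file, FALSE);` first and put `(void)sockindex; /* unused */` on the line after it. The rest of nss_load_key's body continues outside this hunk.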
@@ -524,15 +518,6 @@ static CURLcode nss_load_key(struct connectdata *conn, int sockindex,
   return (SECSuccess == status)
     ? CURLE_OK
     : CURLE_SSL_CERTPROBLEM;
-#else
-  /* If we don't have PK11_CreateGenericObject then we can't load a file-based
-   * key.
-   */
-  (void)conn; /* unused */
-  (void)key_file; /* unused */
-  return CURLE_SSL_CERTPROBLEM;
-#endif
-  (void)sockindex; /* unused */
 }
 
 static int display_error(struct connectdata *conn, PRInt32 err,
@@ -775,7 +760,6 @@ static SECStatus SelectClientCert(void *arg, PRFileDesc *sock,
   struct SessionHandle *data = connssl->data;
   const char *nickname = connssl->client_nickname;
 
-#ifdef HAVE_PK11_CREATEGENERICOBJECT
   if(connssl->obj_clicert) {
     /* use the cert/key provided by PEM reader */
     static const char pem_slotname[] = "PEM Token #1";
@@ -815,7 +799,6 @@ static SECStatus SelectClientCert(void *arg, PRFileDesc *sock,
     display_cert_info(data, *pRetCert);
     return SECSuccess;
   }
-#endif
 
   /* use the default NSS hook */
   if(SECSuccess != NSS_GetClientAuthData((void *)nickname, sock, caNames,
@@ -1053,12 +1036,11 @@ void Curl_nss_close(struct connectdata *conn, int sockindex)
        * next time to the same server */
       SSL_InvalidateSession(connssl->handle);
     }
-#ifdef HAVE_PK11_CREATEGENERICOBJECT
     /* destroy all NSS objects in order to avoid failure of NSS shutdown */
     Curl_llist_destroy(connssl->obj_list, NULL);
     connssl->obj_list = NULL;
     connssl->obj_clicert = NULL;
-#endif
+
     PR_Close(connssl->handle);
     connssl->handle = NULL;
   }
@@ -1173,12 +1155,10 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex)
 
   connssl->data = data;
 
-#ifdef HAVE_PK11_CREATEGENERICOBJECT
   /* list of all NSS objects we need to destroy in Curl_nss_close() */
   connssl->obj_list = Curl_llist_alloc(nss_destroy_object);
   if(!connssl->obj_list)
     return CURLE_OUT_OF_MEMORY;
-#endif
 
   /* FIXME. NSS doesn't support multiple databases open at the same time. */
   PR_Lock(nss_initlock);
@@ -1190,7 +1170,6 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex)
 
   curlerr = CURLE_SSL_CONNECT_ERROR;
 
-#ifdef HAVE_PK11_CREATEGENERICOBJECT
   if(!mod) {
     char *configstring = aprintf("library=%s name=PEM", pem_library);
     if(!configstring) {
@@ -1209,7 +1188,6 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex)
             "OpenSSL PEM certificates will not work.\n", pem_library);
     }
   }
-#endif
 
   PK11_SetPasswordFunc(nss_get_password);
   PR_Unlock(nss_initlock);
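Review bot: A failed load of libnsspem.so is reported only through infof() ("OpenSSL PEM certificates will not work"), so a later PEM CA or client-cert load fails with a generic CURLE_SSL_CACERT_BADFILE / CURLE_SSL_CERTPROBLEM that hides the real cause. Now that the PEM reader is a hard build-time requirement, consider remembering the failed load (for instance a file-scope flag set next to `mod`) and having nss_load_cert()/nss_load_key() failf() that libnsspem.so could not be loaded. The SECMOD call that sets `mod` sits outside the hunk, so this is inferred from the visible infof() only.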
@@ -1340,9 +1318,7 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex)
     char *nickname = dup_nickname(data, STRING_CERT);
     if(nickname) {
       /* we are not going to use libnsspem.so to read the client cert */
-#ifdef HAVE_PK11_CREATEGENERICOBJECT
       connssl->obj_clicert = NULL;
-#endif
     }
     else {
       CURLcode rv = cert_stuff(conn, sockindex, data->set.str[STRING_CERT],
@@ -1442,11 +1418,9 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex)
   if(model)
     PR_Close(model);
 
-#ifdef HAVE_PK11_CREATEGENERICOBJECT
     /* cleanup on connection failure */
     Curl_llist_destroy(connssl->obj_list, NULL);
     connssl->obj_list = NULL;
-#endif
 
   if(ssl3 && tlsv1 && isTLSIntoleranceError(err)) {
     /* schedule reconnect through Curl_retry_request() */
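Review bot: The failure cleanup destroys obj_list but leaves connssl->obj_clicert pointing at an object that nss_destroy_object() has just freed, whereas Curl_nss_close() clears both; add `connssl->obj_clicert = NULL;` after `connssl->obj_list = NULL;` so no dangling handle survives into a reconnect attempt. The three cleanup lines are also still indented four spaces from their former #ifdef nesting and should be brought back to the two-space level of the surrounding `if(model)` block. The error path continues past the hunk, so whether the stale pointer is actually reached afterwards cannot be confirmed from here.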
diff --git a/lib/urldata.h b/lib/urldata.h
index 3474431..b718ed8 100644
--- a/lib/urldata.h
+++ b/lib/urldata.h
@@ -272,10 +272,8 @@ struct ssl_connect_data {
   PRFileDesc *handle;
   char *client_nickname;
   struct SessionHandle *data;
-#ifdef HAVE_PK11_CREATEGENERICOBJECT
   struct curl_llist *obj_list;
   PK11GenericObject *obj_clicert;
-#endif
 #endif /* USE_NSS */
 #ifdef USE_QSOSSL
   SSLHandle *handle;
-- 
1.7.1