From 92ec27a249002f81ac31ea1a18f894dcac0d03b3 Mon Sep 17 00:00:00 2001
From: Jindrich Novy
Date: Sat, 6 Dec 2008 20:52:24 +0000
Subject: [PATCH] - use improved NSS patch, thanks to Rob Crittenden (#472489)
---
curl-7.18.2-nss-init.patch | 133 ++++++++++++++++++++++++++++
curl-7.18.2-nss-thread-safety.patch | 72 ---------------
curl.spec | 9 +-
3 files changed, 139 insertions(+), 75 deletions(-)
create mode 100644 curl-7.18.2-nss-init.patch
delete mode 100644 curl-7.18.2-nss-thread-safety.patch
diff --git a/curl-7.18.2-nss-init.patch b/curl-7.18.2-nss-init.patch
new file mode 100644
index 0000000..15d5316
--- /dev/null
+++ b/curl-7.18.2-nss-init.patch
@@ -0,0 +1,133 @@ +--- curl-7.18.2/lib/nss.c.orig 2008-12-03 16:39:41.000000000 -0500 ++++ curl-7.18.2/lib/nss.c 2008-12-03 18:26:06.000000000 -0500 +@@ -73,6 +73,8 @@ + + PRFileDesc *PR_ImportTCPSocket(PRInt32 osfd); + ++PRLock * nss_initlock = NULL; ++ + int initialized = 0; + + #define HANDSHAKE_TIMEOUT 30 +@@ -229,6 +231,23 @@ + } + + /* ++ * Get the number of ciphers that are enabled. We use this to determine ++ * if we need to call NSS_SetDomesticPolicy() to enable the default ciphers. ++ */ ++static int num_enabled_ciphers() { ++ PRInt32 policy = 0; ++ int count = 0; ++ int i; ++ ++ for(i=0; idata, "Unable to initialize NSS database\n"); +- curlerr = CURLE_SSL_CACERT_BADFILE; +- goto error; ++ if (!NSS_IsInitialized()) { ++ initialized = 1; ++ if(!certDir) { ++ rv = NSS_NoDB_Init(NULL); ++ } ++ else { ++ rv = NSS_Initialize(certDir, NULL, NULL, "secmod.db", ++ NSS_INIT_READONLY); ++ } ++ if(rv != SECSuccess) { ++ infof(conn->data, "Unable to initialize NSS database\n"); ++ curlerr = CURLE_SSL_CACERT_BADFILE; ++ PR_Unlock(nss_initlock); ++ initialized = 0; ++ goto error; ++ } + } +- +- NSS_SetDomesticPolicy(); ++ if(num_enabled_ciphers() == 0) ++ NSS_SetDomesticPolicy(); + + #ifdef HAVE_PK11_CREATEGENERICOBJECT + configstring = (char *)malloc(PATH_MAX); +@@ -854,6 +891,7 @@ + } + #endif + } ++ PR_Unlock(nss_initlock); + + model = PR_NewTCPSocket(); + if(!model) diff --git a/curl-7.18.2-nss-thread-safety.patch b/curl-7.18.2-nss-thread-safety.patch deleted file mode 100644 index 46857f1..0000000 --- a/curl-7.18.2-nss-thread-safety.patch +++ /dev/null 
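Review bot: In the NSS initialisation failure branch of the lib/nss.c change, `PR_Unlock(nss_initlock);` runs before `initialized = 0;`, so the flag is reset outside the lock meant to guard it and another thread entering the same path can briefly see a stale `initialized == 1`. Swap the two lines so the write happens while the lock is held: `initialized = 0;` then `PR_Unlock(nss_initlock);`. This branch is the only visible error exit that releases the lock. Any other `goto error` between taking `nss_initlock` and the final `PR_Unlock(nss_initlock);`, for example after the `malloc(PATH_MAX)` shown as context, would presumably leave it held, which is worth checking because most of the enclosing function lies outside the hunk. Separately, `if(num_enabled_ciphers() == 0) NSS_SetDomesticPolicy();` changes process-wide cipher policy even when the host application initialised NSS itself, so I would add a comment such as `/* only enable the default policy when no cipher is enabled; an application-provided policy is left untouched */` to record that assumption.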
@@ -1,72 +0,0 @@ -diff -u --recursive curl-7.18.2/lib/nss.c curl-7.18.2.new/lib/nss.c ---- curl-7.18.2/lib/nss.c 2008-09-16 11:13:00.000000000 -0400 -+++ curl-7.18.2.new/lib/nss.c 2008-09-16 11:29:13.000000000 -0400 -@@ -73,6 +73,8 @@ - - PRFileDesc *PR_ImportTCPSocket(PRInt32 osfd); - -+PRLock * nss_initlock = NULL; -+ - int initialized = 0; - - #define HANDSHAKE_TIMEOUT 30 -@@ -719,8 +721,11 @@ - */ - int Curl_nss_init(void) - { -- if(!initialized) -+ /* curl_global_init() is not thread-safe so this test is ok */ -+ if (nss_initlock == NULL) { - PR_Init(PR_USER_THREAD, PR_PRIORITY_NORMAL, 256); -+ nss_initlock = PR_NewLock(); -+ } - - /* We will actually initialize NSS later */ - -@@ -730,7 +735,17 @@ - /* Global cleanup */ - void Curl_nss_cleanup(void) - { -- NSS_Shutdown(); -+ /* This function isn't required to be threadsafe and this is only done -+ * as a safety feature. -+ */ -+ PR_Lock(nss_initlock); -+ if (initialized) -+ NSS_Shutdown(); -+ PR_Unlock(nss_initlock); -+ -+ PR_DestroyLock(nss_initlock); -+ nss_initlock = NULL; -+ - initialized = 0; - } - -@@ -808,7 +823,8 @@ - return CURLE_OK; - - /* FIXME. NSS doesn't support multiple databases open at the same time. */ -- if(!initialized) { -+ PR_Lock(nss_initlock); -+ if(!initialized && !NSS_IsInitialized()) { - initialized = 1; - - certDir = getenv("SSL_DIR"); /* Look in $SSL_DIR */ -@@ -832,6 +848,8 @@ - if(rv != SECSuccess) { - infof(conn->data, "Unable to initialize NSS database\n"); - curlerr = CURLE_SSL_CACERT_BADFILE; -+ PR_Unlock(nss_initlock); -+ initialized = 0; - goto error; - } - -@@ -854,6 +872,7 @@ - } - #endif - } -+ PR_Unlock(nss_initlock); - - model = PR_NewTCPSocket(); - if(!model) -Only in curl-7.18.2.new/lib: nss.c.orig diff --git a/curl.spec b/curl.spec index af80c8a..f527599 100644 --- a/curl.spec +++ b/curl.spec 
@@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.18.2 -Release: 7%{?dist} +Release: 8%{?dist} License: MIT Group: Applications/Internet Source: http://curl.haxx.se/download/%{name}-%{version}.tar.bz2 @@ -9,7 +9,7 @@ Patch1: curl-7.15.3-multilib.patch Patch2: curl-7.16.0-privlibs.patch Patch3: curl-7.17.1-badsocket.patch Patch4: curl-7.18.2-nssproxy.patch -Patch5: curl-7.18.2-nss-thread-safety.patch +Patch5: curl-7.18.2-nss-init.patch Provides: webclient URL: http://curl.haxx.se/ BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) @@ -51,7 +51,7 @@ use cURL's capabilities internally. %patch2 -p1 -b .privlibs %patch3 -p1 -b .badsocket %patch4 -p1 -b .nssproxy -%patch5 -p1 -b .nssthreadsafety +%patch5 -p1 -b .nssinit # Convert docs to UTF-8 for f in CHANGES README; do @@ -120,6 +120,9 @@ rm -rf $RPM_BUILD_ROOT %{_datadir}/aclocal/libcurl.m4 %changelog +* Sat Dec 06 2008 Jindrich Novy 7.18.2-8 +- use improved NSS patch, thanks to Rob Crittenden (#472489) + * Tue Sep 09 2008 Jindrich Novy 7.18.2-7 - update the thread safety patch, thanks to Rob Crittenden (#462217)