- use improved NSS patch, thanks to Rob Crittenden (#472489)
		
							parent
							
								
									3958b78446
								
							
						
					
					
						commit
						92ec27a249
					
				
							
								
								
									
										133
									
								
								curl-7.18.2-nss-init.patch
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										133
									
								
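--- a/curl-7.18.2-nss-init.patch
+++ b/curl-7.18.2-nss-init.patch
@@ -0,0 +1,133 @@
+--- curl-7.18.2/lib/nss.c.orig	2008-12-03 16:39:41.000000000 -0500
++++ curl-7.18.2/lib/nss.c	2008-12-03 18:26:06.000000000 -0500
+@@ -73,6 +73,8 @@
+ 
+ PRFileDesc *PR_ImportTCPSocket(PRInt32 osfd);
+ 
++PRLock * nss_initlock = NULL;
++
+ int initialized = 0;
+ 
+ #define HANDSHAKE_TIMEOUT 30
+@@ -229,6 +231,23 @@
+ }
+ 
+ /*
++ * Get the number of ciphers that are enabled. We use this to determine
++ * if we need to call NSS_SetDomesticPolicy() to enable the default ciphers.
++ */
++static int num_enabled_ciphers() {
++  PRInt32 policy = 0;
++  int count = 0;
++  int i;
++
++  for(i=0; i<ciphernum; i++) {
++    SSL_CipherPolicyGet(cipherlist[i].num, &policy);
++    if(policy)
++      count++;
++  }
++  return count;
++}
++
++/*
+  * Determine whether the nickname passed in is a filename that needs to
+  * be loaded as a PEM or a regular NSS nickname.
+  *
+@@ -719,8 +738,11 @@
+  */
+ int Curl_nss_init(void)
+ {
+-  if(!initialized)
++  /* curl_global_init() is not thread-safe so this test is ok */
++  if (nss_initlock == NULL) {
+     PR_Init(PR_USER_THREAD, PR_PRIORITY_NORMAL, 256);
++    nss_initlock = PR_NewLock();
++  }
+ 
+   /* We will actually initialize NSS later */
+ 
+@@ -730,7 +752,17 @@
+ /* Global cleanup */
+ void Curl_nss_cleanup(void)
+ {
+-  NSS_Shutdown();
++  /* This function isn't required to be threadsafe and this is only done
++   * as a safety feature.
++   */
++  PR_Lock(nss_initlock);
++  if (initialized)
++    NSS_Shutdown();
++  PR_Unlock(nss_initlock);
++
++  PR_DestroyLock(nss_initlock);
++  nss_initlock = NULL;
++
+   initialized = 0;
+ }
+ 
+@@ -801,6 +833,7 @@
+ #endif
+   char *certDir = NULL;
+   int curlerr;
++  int policy;
+ 
+   curlerr = CURLE_SSL_CONNECT_ERROR;
+ 
+@@ -808,9 +841,8 @@
+     return CURLE_OK;
+ 
+   /* FIXME. NSS doesn't support multiple databases open at the same time. */
++  PR_Lock(nss_initlock);
+   if(!initialized) {
+-    initialized = 1;
+-
+     certDir = getenv("SSL_DIR"); /* Look in $SSL_DIR */
+ 
+     if(!certDir) {
+@@ -822,20 +854,25 @@
+         }
+     }
+ 
+-    if(!certDir) {
+-      rv = NSS_NoDB_Init(NULL);
+-    }
+-    else {
+-      rv = NSS_Initialize(certDir, NULL, NULL, "secmod.db",
+-                          NSS_INIT_READONLY);
+-    }
+-    if(rv != SECSuccess) {
+-      infof(conn->data, "Unable to initialize NSS database\n");
+-      curlerr = CURLE_SSL_CACERT_BADFILE;
+-      goto error;
++    if (!NSS_IsInitialized()) {
++        initialized = 1;
++        if(!certDir) {
++          rv = NSS_NoDB_Init(NULL);
++        }
++        else {
++          rv = NSS_Initialize(certDir, NULL, NULL, "secmod.db",
++                              NSS_INIT_READONLY);
++        }
++        if(rv != SECSuccess) {
++          infof(conn->data, "Unable to initialize NSS database\n");
++          curlerr = CURLE_SSL_CACERT_BADFILE;
++          PR_Unlock(nss_initlock);
++          initialized = 0;
++          goto error;
++        }
+     }
+-
+-    NSS_SetDomesticPolicy();
++    if(num_enabled_ciphers() == 0)
++      NSS_SetDomesticPolicy();
+ 
+ #ifdef HAVE_PK11_CREATEGENERICOBJECT
+     configstring = (char *)malloc(PATH_MAX);
+@@ -854,6 +891,7 @@
+     }
+ #endif
+   }
++  PR_Unlock(nss_initlock);
+ 
+   model = PR_NewTCPSocket();
+   if(!model)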
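Review bot: On the NSS_NoDB_Init/NSS_Initialize failure path the new code releases the lock before clearing the flag (`PR_Unlock(nss_initlock); initialized = 0;`), so a thread that acquires nss_initlock in that window still reads `initialized == 1` and skips the whole setup block even though NSS never came up. Swap the two statements to `initialized = 0; PR_Unlock(nss_initlock);`, or set `initialized = 1` only once `rv == SECSuccess`, so the flag is only ever written while the lock is held. Separately, Curl_nss_init stores the result of `PR_NewLock()` without checking it, and both Curl_nss_cleanup and the connect path hand that pointer straight to `PR_Lock()`; a failed allocation should make init fail instead, but the function's return convention lies outside the hunk and needs confirming. In num_enabled_ciphers the return value of `SSL_CipherPolicyGet()` is ignored, so a failed query reuses the previous iteration's `policy`; checking for `SECSuccess` before counting avoids treating a stale value as an enabled cipher. The connect function's body begins and ends outside these hunks.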
| @ -1,72 +0,0 @@ | ||||
| diff -u --recursive curl-7.18.2/lib/nss.c curl-7.18.2.new/lib/nss.c
 | ||||
| --- curl-7.18.2/lib/nss.c	2008-09-16 11:13:00.000000000 -0400
 | ||||
| +++ curl-7.18.2.new/lib/nss.c	2008-09-16 11:29:13.000000000 -0400
 | ||||
| @@ -73,6 +73,8 @@
 | ||||
|   | ||||
|  PRFileDesc *PR_ImportTCPSocket(PRInt32 osfd); | ||||
|   | ||||
| +PRLock * nss_initlock = NULL;
 | ||||
| +
 | ||||
|  int initialized = 0; | ||||
|   | ||||
|  #define HANDSHAKE_TIMEOUT 30 | ||||
| @@ -719,8 +721,11 @@
 | ||||
|   */ | ||||
|  int Curl_nss_init(void) | ||||
|  { | ||||
| -  if(!initialized)
 | ||||
| +  /* curl_global_init() is not thread-safe so this test is ok */
 | ||||
| +  if (nss_initlock == NULL) {
 | ||||
|      PR_Init(PR_USER_THREAD, PR_PRIORITY_NORMAL, 256); | ||||
| +    nss_initlock = PR_NewLock();
 | ||||
| +  }
 | ||||
|   | ||||
|    /* We will actually initialize NSS later */ | ||||
|   | ||||
| @@ -730,7 +735,17 @@
 | ||||
|  /* Global cleanup */ | ||||
|  void Curl_nss_cleanup(void) | ||||
|  { | ||||
| -  NSS_Shutdown();
 | ||||
| +  /* This function isn't required to be threadsafe and this is only done
 | ||||
| +   * as a safety feature.
 | ||||
| +   */
 | ||||
| +  PR_Lock(nss_initlock);
 | ||||
| +  if (initialized)
 | ||||
| +    NSS_Shutdown();
 | ||||
| +  PR_Unlock(nss_initlock);
 | ||||
| +
 | ||||
| +  PR_DestroyLock(nss_initlock);
 | ||||
| +  nss_initlock = NULL;
 | ||||
| +
 | ||||
|    initialized = 0; | ||||
|  } | ||||
|   | ||||
| @@ -808,7 +823,8 @@
 | ||||
|      return CURLE_OK; | ||||
|   | ||||
|    /* FIXME. NSS doesn't support multiple databases open at the same time. */ | ||||
| -  if(!initialized) {
 | ||||
| +  PR_Lock(nss_initlock);
 | ||||
| +  if(!initialized && !NSS_IsInitialized()) {
 | ||||
|      initialized = 1; | ||||
|   | ||||
|      certDir = getenv("SSL_DIR"); /* Look in $SSL_DIR */ | ||||
| @@ -832,6 +848,8 @@
 | ||||
|      if(rv != SECSuccess) { | ||||
|        infof(conn->data, "Unable to initialize NSS database\n"); | ||||
|        curlerr = CURLE_SSL_CACERT_BADFILE; | ||||
| +      PR_Unlock(nss_initlock);
 | ||||
| +      initialized = 0;
 | ||||
|        goto error; | ||||
|      } | ||||
|   | ||||
| @@ -854,6 +872,7 @@
 | ||||
|      } | ||||
|  #endif | ||||
|    } | ||||
| +  PR_Unlock(nss_initlock);
 | ||||
|   | ||||
|    model = PR_NewTCPSocket(); | ||||
|    if(!model) | ||||
| Only in curl-7.18.2.new/lib: nss.c.orig | ||||
| @ -1,7 +1,7 @@ | ||||
| Summary: A utility for getting files from remote servers (FTP, HTTP, and others) | ||||
| Name: curl | ||||
| Version: 7.18.2 | ||||
| Release: 7%{?dist} | ||||
| Release: 8%{?dist} | ||||
| License: MIT | ||||
| Group: Applications/Internet | ||||
| Source: http://curl.haxx.se/download/%{name}-%{version}.tar.bz2 | ||||
| @ -9,7 +9,7 @@ Patch1: curl-7.15.3-multilib.patch | ||||
| Patch2: curl-7.16.0-privlibs.patch | ||||
| Patch3: curl-7.17.1-badsocket.patch | ||||
| Patch4: curl-7.18.2-nssproxy.patch | ||||
| Patch5: curl-7.18.2-nss-thread-safety.patch | ||||
| Patch5: curl-7.18.2-nss-init.patch | ||||
| Provides: webclient | ||||
| URL: http://curl.haxx.se/ | ||||
| BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) | ||||
| @ -51,7 +51,7 @@ use cURL's capabilities internally. | ||||
| %patch2 -p1 -b .privlibs | ||||
| %patch3 -p1 -b .badsocket | ||||
| %patch4 -p1 -b .nssproxy | ||||
| %patch5 -p1 -b .nssthreadsafety | ||||
| %patch5 -p1 -b .nssinit | ||||
| 
 | ||||
| # Convert docs to UTF-8 | ||||
| for f in CHANGES README; do | ||||
| @ -120,6 +120,9 @@ rm -rf $RPM_BUILD_ROOT | ||||
| %{_datadir}/aclocal/libcurl.m4 | ||||
| 
 | ||||
| %changelog | ||||
| * Sat Dec 06 2008 Jindrich Novy <jnovy@redhat.com> 7.18.2-8 | ||||
| - use improved NSS patch, thanks to Rob Crittenden (#472489) | ||||
| 
 | ||||
| * Tue Sep 09 2008 Jindrich Novy <jnovy@redhat.com> 7.18.2-7 | ||||
| - update the thread safety patch, thanks to Rob Crittenden (#462217) | ||||
| 
 | ||||
|  | ||||