Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with
or
.
Download ZIP
Browse files

nss: unconditionally require PK11_CreateGenericObject()

This bumps the minimal supported version of NSS to 3.12.x.
  • Loading branch information...
commit 42aa796150a580a0adff714c157d3b38b7672c7f 1 parent 2a90273
@kdudka kdudka authored
View
1  RELEASE-NOTES
@@ -9,6 +9,7 @@ Curl and libcurl 7.25.1
This release includes the following changes:
+ o nss: the minimal supported version of NSS bumped to 3.12.x
o
This release includes the following bugfixes:
View
10 configure.ac
@@ -2091,13 +2091,6 @@ if test "$OPENSSL_ENABLED" != "1" -a "$GNUTLS_ENABLED" != "1"; then
nssprefix=$OPT_NSS
fi
- dnl Check for functionPK11_CreateGenericObject
- dnl this is needed for using the PEM PKCS#11 module
- AC_CHECK_LIB(nss3, PK11_CreateGenericObject,
- [
- AC_DEFINE(HAVE_PK11_CREATEGENERICOBJECT, 1, [if you have the function PK11_CreateGenericObject])
- AC_SUBST(HAVE_PK11_CREATEGENERICOBJECT, [1])
- ])
if test -n "$addlib"; then
CLEANLIBS="$LIBS"
@@ -2108,7 +2101,8 @@ if test "$OPENSSL_ENABLED" != "1" -a "$GNUTLS_ENABLED" != "1"; then
CPPFLAGS="$CPPFLAGS $addcflags"
fi
- AC_CHECK_LIB(nss3, NSS_Initialize,
+ dnl The function PK11_CreateGenericObject is needed to load libnsspem.so
+ AC_CHECK_LIB(nss3, PK11_CreateGenericObject,
[
AC_DEFINE(USE_NSS, 1, [if NSS is enabled])
AC_SUBST(USE_NSS, [1])
View
2  docs/INTERNALS
@@ -43,7 +43,7 @@ Portability
openldap 2.0
MIT krb5 lib 1.2.4
qsossl V5R2M0
- NSS 3.11.x
+ NSS 3.12.x
axTLS 1.2.7
Heimdal ?
View
3  lib/config-symbian.h
@@ -396,9 +396,6 @@
/* Define to 1 if you have the `pipe' function. */
#define HAVE_PIPE 1
-/* if you have the function PK11_CreateGenericObject */
-/* #undef HAVE_PK11_CREATEGENERICOBJECT */
-
/* Define to 1 if you have the `poll' function. */
/*#define HAVE_POLL 1*/
View
3  lib/config-vxworks.h
@@ -460,9 +460,6 @@
/* Define to 1 if you have the `pipe' function. */
#define HAVE_PIPE 1
-/* if you have the function PK11_CreateGenericObject */
-/* #undef HAVE_PK11_CREATEGENERICOBJECT */
-
/* Define to 1 if you have a working poll function. */
/* #undef HAVE_POLL */
View
3  lib/curl_config.h.cmake
@@ -441,9 +441,6 @@
/* Define to 1 if you have the `pipe' function. */
#cmakedefine HAVE_PIPE ${HAVE_PIPE}
-/* if you have the function PK11_CreateGenericObject */
-#cmakedefine HAVE_PK11_CREATEGENERICOBJECT ${HAVE_PK11_CREATEGENERICOBJECT}
-
/* Define to 1 if you have a working poll function. */
#cmakedefine HAVE_POLL ${HAVE_POLL}
View
30 lib/nss.c
@@ -170,9 +170,7 @@ static const int enable_ciphers_by_default[] = {
SSL_NULL_WITH_NULL_NULL
};
-#ifdef HAVE_PK11_CREATEGENERICOBJECT
static const char* pem_library = "libnsspem.so";
-#endif
SECMODModule* mod = NULL;
static SECStatus set_ciphers(struct SessionHandle *data, PRFileDesc * model,
@@ -305,7 +303,6 @@ static char* dup_nickname(struct SessionHandle *data, enum dupstring cert_kind)
return NULL;
}
-#ifdef HAVE_PK11_CREATEGENERICOBJECT
/* Call PK11_CreateGenericObject() with the given obj_class and filename. If
* the call succeeds, append the object handle to the list of objects so that
* the object can be destroyed in Curl_nss_close(). */
@@ -369,7 +366,6 @@ static void nss_destroy_object(void *user, void *ptr)
(void) user;
PK11_DestroyGenericObject(obj);
}
-#endif
static CURLcode nss_load_cert(struct ssl_connect_data *ssl,
const char *filename, PRBool cacert)
@@ -378,7 +374,6 @@ static CURLcode nss_load_cert(struct ssl_connect_data *ssl,
? CURLE_SSL_CACERT_BADFILE
: CURLE_SSL_CERTPROBLEM;
-#ifdef HAVE_PK11_CREATEGENERICOBJECT
/* libnsspem.so leaks memory if the requested file does not exist. For more
* details, go to <https://bugzilla.redhat.com/734760>. */
if(is_file(filename))
@@ -405,7 +400,6 @@ static CURLcode nss_load_cert(struct ssl_connect_data *ssl,
free(nickname);
}
}
-#endif
return err;
}
@@ -499,10 +493,10 @@ static SECStatus nss_load_crl(const char* crlfilename)
static CURLcode nss_load_key(struct connectdata *conn, int sockindex,
char *key_file)
{
-#ifdef HAVE_PK11_CREATEGENERICOBJECT
PK11SlotInfo *slot;
SECStatus status;
struct ssl_connect_data *ssl = conn->ssl;
+ (void)sockindex; /* unused */
CURLcode rv = nss_create_object(ssl, CKO_PRIVATE_KEY, key_file, FALSE);
if(CURLE_OK != rv) {
@@ -524,15 +518,6 @@ static CURLcode nss_load_key(struct connectdata *conn, int sockindex,
return (SECSuccess == status)
? CURLE_OK
: CURLE_SSL_CERTPROBLEM;
-#else
- /* If we don't have PK11_CreateGenericObject then we can't load a file-based
- * key.
- */
- (void)conn; /* unused */
- (void)key_file; /* unused */
- return CURLE_SSL_CERTPROBLEM;
-#endif
- (void)sockindex; /* unused */
}
static int display_error(struct connectdata *conn, PRInt32 err,
@@ -775,7 +760,6 @@ static SECStatus SelectClientCert(void *arg, PRFileDesc *sock,
struct SessionHandle *data = connssl->data;
const char *nickname = connssl->client_nickname;
-#ifdef HAVE_PK11_CREATEGENERICOBJECT
if(connssl->obj_clicert) {
/* use the cert/key provided by PEM reader */
static const char pem_slotname[] = "PEM Token #1";
@@ -815,7 +799,6 @@ static SECStatus SelectClientCert(void *arg, PRFileDesc *sock,
display_cert_info(data, *pRetCert);
return SECSuccess;
}
-#endif
/* use the default NSS hook */
if(SECSuccess != NSS_GetClientAuthData((void *)nickname, sock, caNames,
@@ -1053,12 +1036,11 @@ void Curl_nss_close(struct connectdata *conn, int sockindex)
* next time to the same server */
SSL_InvalidateSession(connssl->handle);
}
-#ifdef HAVE_PK11_CREATEGENERICOBJECT
/* destroy all NSS objects in order to avoid failure of NSS shutdown */
Curl_llist_destroy(connssl->obj_list, NULL);
connssl->obj_list = NULL;
connssl->obj_clicert = NULL;
-#endif
+
PR_Close(connssl->handle);
connssl->handle = NULL;
}
@@ -1173,12 +1155,10 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex)
connssl->data = data;
-#ifdef HAVE_PK11_CREATEGENERICOBJECT
/* list of all NSS objects we need to destroy in Curl_nss_close() */
connssl->obj_list = Curl_llist_alloc(nss_destroy_object);
if(!connssl->obj_list)
return CURLE_OUT_OF_MEMORY;
-#endif
/* FIXME. NSS doesn't support multiple databases open at the same time. */
PR_Lock(nss_initlock);
@@ -1190,7 +1170,6 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex)
curlerr = CURLE_SSL_CONNECT_ERROR;
-#ifdef HAVE_PK11_CREATEGENERICOBJECT
if(!mod) {
char *configstring = aprintf("library=%s name=PEM", pem_library);
if(!configstring) {
@@ -1209,7 +1188,6 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex)
"OpenSSL PEM certificates will not work.\n", pem_library);
}
}
-#endif
PK11_SetPasswordFunc(nss_get_password);
PR_Unlock(nss_initlock);
@@ -1340,9 +1318,7 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex)
char *nickname = dup_nickname(data, STRING_CERT);
if(nickname) {
/* we are not going to use libnsspem.so to read the client cert */
-#ifdef HAVE_PK11_CREATEGENERICOBJECT
connssl->obj_clicert = NULL;
-#endif
}
else {
CURLcode rv = cert_stuff(conn, sockindex, data->set.str[STRING_CERT],
@@ -1442,11 +1418,9 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex)
if(model)
PR_Close(model);
-#ifdef HAVE_PK11_CREATEGENERICOBJECT
/* cleanup on connection failure */
Curl_llist_destroy(connssl->obj_list, NULL);
connssl->obj_list = NULL;
-#endif
if(ssl3 && tlsv1 && isTLSIntoleranceError(err)) {
/* schedule reconnect through Curl_retry_request() */
View
2  lib/urldata.h
@@ -272,10 +272,8 @@ struct ssl_connect_data {
PRFileDesc *handle;
char *client_nickname;
struct SessionHandle *data;
-#ifdef HAVE_PK11_CREATEGENERICOBJECT
struct curl_llist *obj_list;
PK11GenericObject *obj_clicert;
-#endif
#endif /* USE_NSS */
#ifdef USE_QSOSSL
SSLHandle *handle;
Please sign in to comment.
Something went wrong with that request. Please try again.