From 92ec27a249002f81ac31ea1a18f894dcac0d03b3 Mon Sep 17 00:00:00 2001
From: Jindrich Novy <jnovy@fedoraproject.org>
Date: Sat, 6 Dec 2008 20:52:24 +0000
Subject: [PATCH] - use improved NSS patch, thanks to Rob Crittenden (#472489)

---
 curl-7.18.2-nss-init.patch          | 133 ++++++++++++++++++++++++++++
 curl-7.18.2-nss-thread-safety.patch |  72 ---------------
 curl.spec                           |   9 +-
 3 files changed, 139 insertions(+), 75 deletions(-)
 create mode 100644 curl-7.18.2-nss-init.patch
 delete mode 100644 curl-7.18.2-nss-thread-safety.patch

diff --git a/curl-7.18.2-nss-init.patch b/curl-7.18.2-nss-init.patch
new file mode 100644
index 0000000..15d5316
--- /dev/null
+++ b/curl-7.18.2-nss-init.patch
@@ -0,0 +1,133 @@
+--- curl-7.18.2/lib/nss.c.orig	2008-12-03 16:39:41.000000000 -0500
++++ curl-7.18.2/lib/nss.c	2008-12-03 18:26:06.000000000 -0500
+@@ -73,6 +73,8 @@
+ 
+ PRFileDesc *PR_ImportTCPSocket(PRInt32 osfd);
+ 
++PRLock * nss_initlock = NULL;
++
+ int initialized = 0;
+ 
+ #define HANDSHAKE_TIMEOUT 30
+@@ -229,6 +231,23 @@
+ }
+ 
+ /*
++ * Get the number of ciphers that are enabled. We use this to determine
++ * if we need to call NSS_SetDomesticPolicy() to enable the default ciphers.
++ */
++static int num_enabled_ciphers() {
++  PRInt32 policy = 0;
++  int count = 0;
++  int i;
++
++  for(i=0; i<ciphernum; i++) {
++    SSL_CipherPolicyGet(cipherlist[i].num, &policy);
++    if(policy)
++      count++;
++  }
++  return count;
++}
++
++/*
+  * Determine whether the nickname passed in is a filename that needs to
+  * be loaded as a PEM or a regular NSS nickname.
+  *
+@@ -719,8 +738,11 @@
+  */
+ int Curl_nss_init(void)
+ {
+-  if(!initialized)
++  /* curl_global_init() is not thread-safe so this test is ok */
++  if (nss_initlock == NULL) {
+     PR_Init(PR_USER_THREAD, PR_PRIORITY_NORMAL, 256);
++    nss_initlock = PR_NewLock();
++  }
+ 
+   /* We will actually initialize NSS later */
+ 
+@@ -730,7 +752,17 @@
+ /* Global cleanup */
+ void Curl_nss_cleanup(void)
+ {
+-  NSS_Shutdown();
++  /* This function isn't required to be threadsafe and this is only done
++   * as a safety feature.
++   */
++  PR_Lock(nss_initlock);
++  if (initialized)
++    NSS_Shutdown();
++  PR_Unlock(nss_initlock);
++
++  PR_DestroyLock(nss_initlock);
++  nss_initlock = NULL;
++
+   initialized = 0;
+ }
+ 
+@@ -801,6 +833,7 @@
+ #endif
+   char *certDir = NULL;
+   int curlerr;
++  int policy;
+ 
+   curlerr = CURLE_SSL_CONNECT_ERROR;
+ 
+@@ -808,9 +841,8 @@
+     return CURLE_OK;
+ 
+   /* FIXME. NSS doesn't support multiple databases open at the same time. */
++  PR_Lock(nss_initlock);
+   if(!initialized) {
+-    initialized = 1;
+-
+     certDir = getenv("SSL_DIR"); /* Look in $SSL_DIR */
+ 
+     if(!certDir) {
+@@ -822,20 +854,25 @@
+         }
+     }
+ 
+-    if(!certDir) {
+-      rv = NSS_NoDB_Init(NULL);
+-    }
+-    else {
+-      rv = NSS_Initialize(certDir, NULL, NULL, "secmod.db",
+-                          NSS_INIT_READONLY);
+-    }
+-    if(rv != SECSuccess) {
+-      infof(conn->data, "Unable to initialize NSS database\n");
+-      curlerr = CURLE_SSL_CACERT_BADFILE;
+-      goto error;
++    if (!NSS_IsInitialized()) {
++        initialized = 1;
++        if(!certDir) {
++          rv = NSS_NoDB_Init(NULL);
++        }
++        else {
++          rv = NSS_Initialize(certDir, NULL, NULL, "secmod.db",
++                              NSS_INIT_READONLY);
++        }
++        if(rv != SECSuccess) {
++          infof(conn->data, "Unable to initialize NSS database\n");
++          curlerr = CURLE_SSL_CACERT_BADFILE;
++          PR_Unlock(nss_initlock);
++          initialized = 0;
++          goto error;
++        }
+     }
+-
+-    NSS_SetDomesticPolicy();
++    if(num_enabled_ciphers() == 0)
++      NSS_SetDomesticPolicy();
+ 
+ #ifdef HAVE_PK11_CREATEGENERICOBJECT
+     configstring = (char *)malloc(PATH_MAX);
+@@ -854,6 +891,7 @@
+     }
+ #endif
+   }
++  PR_Unlock(nss_initlock);
+ 
+   model = PR_NewTCPSocket();
+   if(!model)
diff --git a/curl-7.18.2-nss-thread-safety.patch b/curl-7.18.2-nss-thread-safety.patch
deleted file mode 100644
index 46857f1..0000000
--- a/curl-7.18.2-nss-thread-safety.patch
+++ /dev/null
@@ -1,72 +0,0 @@
-diff -u --recursive curl-7.18.2/lib/nss.c curl-7.18.2.new/lib/nss.c
---- curl-7.18.2/lib/nss.c	2008-09-16 11:13:00.000000000 -0400
-+++ curl-7.18.2.new/lib/nss.c	2008-09-16 11:29:13.000000000 -0400
-@@ -73,6 +73,8 @@
- 
- PRFileDesc *PR_ImportTCPSocket(PRInt32 osfd);
- 
-+PRLock * nss_initlock = NULL;
-+
- int initialized = 0;
- 
- #define HANDSHAKE_TIMEOUT 30
-@@ -719,8 +721,11 @@
-  */
- int Curl_nss_init(void)
- {
--  if(!initialized)
-+  /* curl_global_init() is not thread-safe so this test is ok */
-+  if (nss_initlock == NULL) {
-     PR_Init(PR_USER_THREAD, PR_PRIORITY_NORMAL, 256);
-+    nss_initlock = PR_NewLock();
-+  }
- 
-   /* We will actually initialize NSS later */
- 
-@@ -730,7 +735,17 @@
- /* Global cleanup */
- void Curl_nss_cleanup(void)
- {
--  NSS_Shutdown();
-+  /* This function isn't required to be threadsafe and this is only done
-+   * as a safety feature.
-+   */
-+  PR_Lock(nss_initlock);
-+  if (initialized)
-+    NSS_Shutdown();
-+  PR_Unlock(nss_initlock);
-+
-+  PR_DestroyLock(nss_initlock);
-+  nss_initlock = NULL;
-+
-   initialized = 0;
- }
- 
-@@ -808,7 +823,8 @@
-     return CURLE_OK;
- 
-   /* FIXME. NSS doesn't support multiple databases open at the same time. */
--  if(!initialized) {
-+  PR_Lock(nss_initlock);
-+  if(!initialized && !NSS_IsInitialized()) {
-     initialized = 1;
- 
-     certDir = getenv("SSL_DIR"); /* Look in $SSL_DIR */
-@@ -832,6 +848,8 @@
-     if(rv != SECSuccess) {
-       infof(conn->data, "Unable to initialize NSS database\n");
-       curlerr = CURLE_SSL_CACERT_BADFILE;
-+      PR_Unlock(nss_initlock);
-+      initialized = 0;
-       goto error;
-     }
- 
-@@ -854,6 +872,7 @@
-     }
- #endif
-   }
-+  PR_Unlock(nss_initlock);
- 
-   model = PR_NewTCPSocket();
-   if(!model)
-Only in curl-7.18.2.new/lib: nss.c.orig
diff --git a/curl.spec b/curl.spec
index af80c8a..f527599 100644
--- a/curl.spec
+++ b/curl.spec
@@ -1,7 +1,7 @@
 Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
 Name: curl
 Version: 7.18.2
-Release: 7%{?dist}
+Release: 8%{?dist}
 License: MIT
 Group: Applications/Internet
 Source: http://curl.haxx.se/download/%{name}-%{version}.tar.bz2
@@ -9,7 +9,7 @@ Patch1: curl-7.15.3-multilib.patch
 Patch2: curl-7.16.0-privlibs.patch
 Patch3: curl-7.17.1-badsocket.patch
 Patch4: curl-7.18.2-nssproxy.patch
-Patch5: curl-7.18.2-nss-thread-safety.patch
+Patch5: curl-7.18.2-nss-init.patch
 Provides: webclient
 URL: http://curl.haxx.se/
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -51,7 +51,7 @@ use cURL's capabilities internally.
 %patch2 -p1 -b .privlibs
 %patch3 -p1 -b .badsocket
 %patch4 -p1 -b .nssproxy
-%patch5 -p1 -b .nssthreadsafety
+%patch5 -p1 -b .nssinit
 
 # Convert docs to UTF-8
 for f in CHANGES README; do
@@ -120,6 +120,9 @@ rm -rf $RPM_BUILD_ROOT
 %{_datadir}/aclocal/libcurl.m4
 
 %changelog
+* Sat Dec 06 2008 Jindrich Novy <jnovy@redhat.com> 7.18.2-8
+- use improved NSS patch, thanks to Rob Crittenden (#472489)
+
 * Tue Sep 09 2008 Jindrich Novy <jnovy@redhat.com> 7.18.2-7
 - update the thread safety patch, thanks to Rob Crittenden (#462217)