Re: [evolution-patches] possible fix for nssckbi loading issues



On Tue, 2005-03-22 at 16:26 -0500, Jeffrey Stedfast wrote:
> I don't know if it's the right fix, but it compiles.

Added one more case based on
http://lxr.mozilla.org/mozilla/source/security/manager/ssl/src/nsNSSComponent.cpp#412

Which is to delete any existing module of the same name unconditionally
before adding the new root module (else it doesn't get added if the
versions are the same but the location changed).


-JP
-- 
JP Rosevear <jpr novell com>
Novell, Inc.
? cert-location-changed.patch
Index: ChangeLog
===================================================================
RCS file: /cvs/gnome/evolution/smime/ChangeLog,v
retrieving revision 1.49
diff -u -r1.49 ChangeLog
--- ChangeLog	24 Feb 2005 02:18:50 -0000	1.49
+++ ChangeLog	23 Mar 2005 14:53:06 -0000
@@ -1,3 +1,9 @@
+2005-03-22  Jeffrey Stedfast  <fejj novell com>
+
+	* lib/e-cert-db.c (install_loadable_roots): Copied Mozilla code to
+	check if the nssckbi root certs module was too old and if it was,
+	delete/unload it.
+
 2005-02-21  Not Zed  <NotZed Ximian com>
 
 	** See bug #68592
Index: lib/e-cert-db.c
===================================================================
RCS file: /cvs/gnome/evolution/smime/lib/e-cert-db.c,v
retrieving revision 1.15
diff -u -r1.15 e-cert-db.c
--- lib/e-cert-db.c	23 Feb 2005 18:57:00 -0000	1.15
+++ lib/e-cert-db.c	23 Mar 2005 14:53:06 -0000
@@ -78,6 +78,7 @@
 #include "ssl.h"
 #include "p12plcy.h"
 #include "pk11func.h"
+#include "nssckbi.h"
 #include "secmod.h"
 #include "certdb.h"
 #include "plstr.h"
@@ -213,44 +214,81 @@
 static void
 install_loadable_roots (void)
 {
-	gboolean has_roots;
-	PK11SlotList *list;
-
-	has_roots = FALSE;
-	list = PK11_GetAllTokens(CKM_INVALID_MECHANISM, PR_FALSE, PR_FALSE, NULL);
-	if (list) {
-		PK11SlotListElement *le;
-
-		for (le = list->head; le; le = le->next) {
-			if (PK11_HasRootCerts(le->slot)) {
-				has_roots = TRUE;
-				break;
+	SECMODModuleList *list = SECMOD_GetDefaultModuleList ();
+	SECMODListLock *lock = SECMOD_GetDefaultModuleListLock ();
+	SECMODModule *RootsModule = NULL;
+	int i;
+	
+	SECMOD_GetReadLock (lock);
+	while (!RootsModule && list) {
+		SECMODModule *module = list->module;
+		
+		for (i = 0; i < module->slotCount; i++) {
+			PK11SlotInfo *slot = module->slots[i];
+			if (PK11_IsPresent (slot)) {
+				if (PK11_HasRootCerts(slot)) {
+					RootsModule = module;
+					break;
+				}
 			}
 		}
+		
+		list = list->next;
 	}
-
-	if (!has_roots) {
+	SECMOD_ReleaseReadLock (lock);
+	
+	if (RootsModule) {
+		/* Check version, and unload module if it is too old */
+		CK_INFO info;
+
+		if (PK11_GetModInfo (RootsModule, &info) != SECSuccess) {
+			/* Do not use this module */
+			RootsModule = NULL;
+		} else {
+			/* NSS_BUILTINS_LIBRARY_VERSION_MAJOR and NSS_BUILTINS_LIBRARY_VERSION_MINOR
+			 * define the version we expect to have.
+			 * Later version are fine.
+			 * Older versions are not ok, and we will replace with our own version.
+			 */ 
+			if ((info.libraryVersion.major < NSS_BUILTINS_LIBRARY_VERSION_MAJOR)
+			    || (info.libraryVersion.major == NSS_BUILTINS_LIBRARY_VERSION_MAJOR
+				&& info.libraryVersion.minor < NSS_BUILTINS_LIBRARY_VERSION_MINOR)) {
+				PRInt32 modType;
+				
+				SECMOD_DeleteModule (RootsModule->commonName, &modType);
+				
+				RootsModule = NULL;
+			}
+		}
+	}
+	
+	if (!RootsModule) {
 		/* grovel in various places for mozilla's built-in
 		   cert module.
-
+		   
 		   XXX yes this is gross.  *sigh*
 		*/
 		char *paths_to_check[] = {
 			"/usr/lib",
 			"/usr/lib/mozilla",
+			"/opt/mozilla/lib",
+			"/opt/mozilla/lib/mozilla"
 		};
-		int i;
-
+		
 		for (i = 0; i < G_N_ELEMENTS (paths_to_check); i ++) {
-			char *dll_path = g_module_build_path (paths_to_check [i],
-							      "nssckbi");
-
+			char *dll_path = g_module_build_path (paths_to_check [i], "nssckbi");
+			
 			if (g_file_test (dll_path, G_FILE_TEST_EXISTS)) {
+				PRInt32 modType;
+
+				/* Delete the existing module */
+				SECMOD_DeleteModule ("Mozilla Root Certs", &modType);
+
 				SECMOD_AddNewModule("Mozilla Root Certs",dll_path, 0, 0);
 				g_free (dll_path);
 				break;
 			}
-
+			
 			g_free (dll_path);
 		}
 	}
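Review bot: In the path loop, the new `SECMOD_DeleteModule ("Mozilla Root Certs", &modType)` runs before `SECMOD_AddNewModule` and neither return value is checked, so a failed load can leave the process with no built-in roots module, and the loop still breaks instead of trying the remaining paths. Break only on success, e.g. `if (SECMOD_AddNewModule ("Mozilla Root Certs", dll_path, 0, 0) == SECSuccess) { g_free (dll_path); break; }`, and log the failure otherwise. The module that supplies the trust anchors is taken from the first directory where `g_file_test (dll_path, G_FILE_TEST_EXISTS)` succeeds, so the added `/opt/mozilla/lib` entries need to be directories only an administrator can write; a comment above `paths_to_check` should say so. `RootsModule` is also dereferenced (`RootsModule->commonName`) after `SECMOD_ReleaseReadLock`, apparently without a reference being taken, so confirm nothing else can unload it in between. The closing brace of install_loadable_roots lies outside the hunk.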

