Re: [evolution-patches] possible fix for nssckbi loading issues




Shouldn't it look in more places? That list looks quite short.

Otherwise, sure.  I hope the copyright statement in that file is correct too.


On Tue, 2005-03-22 at 16:26 -0500, Jeffrey Stedfast wrote:
I don't know if it's the right fix, but it compiles.

text/plain attachment (nssckbi.patch)
? nssckbi.patch
Index: ChangeLog
===================================================================
RCS file: /cvs/gnome/evolution/smime/ChangeLog,v
retrieving revision 1.49
diff -u -r1.49 ChangeLog
--- ChangeLog	24 Feb 2005 02:18:50 -0000	1.49
+++ ChangeLog	22 Mar 2005 21:27:37 -0000
@@ -1,3 +1,9 @@
+2005-03-22  Jeffrey Stedfast  <fejj novell com>
+
+	* lib/e-cert-db.c (install_loadable_roots): Copied Mozilla code to
+	check if the nssckbi root certs module was too old and if it was,
+	delete/unload it.
+
 2005-02-21  Not Zed  <NotZed Ximian com>
 
 	** See bug #68592
Index: lib/e-cert-db.c
===================================================================
RCS file: /cvs/gnome/evolution/smime/lib/e-cert-db.c,v
retrieving revision 1.15
diff -u -r1.15 e-cert-db.c
--- lib/e-cert-db.c	23 Feb 2005 18:57:00 -0000	1.15
+++ lib/e-cert-db.c	22 Mar 2005 21:27:38 -0000
@@ -78,6 +78,7 @@
 #include "ssl.h"
 #include "p12plcy.h"
 #include "pk11func.h"
+#include "nssckbi.h"
 #include "secmod.h"
 #include "certdb.h"
 #include "plstr.h"
@@ -213,44 +214,73 @@
 static void
 install_loadable_roots (void)
 {
-	gboolean has_roots;
-	PK11SlotList *list;
-
-	has_roots = FALSE;
-	list = PK11_GetAllTokens(CKM_INVALID_MECHANISM, PR_FALSE, PR_FALSE, NULL);
-	if (list) {
-		PK11SlotListElement *le;
-
-		for (le = list->head; le; le = le->next) {
-			if (PK11_HasRootCerts(le->slot)) {
-				has_roots = TRUE;
-				break;
+	SECMODModuleList *list = SECMOD_GetDefaultModuleList ();
+	SECMODListLock *lock = SECMOD_GetDefaultModuleListLock ();
+	SECMODModule *RootsModule = NULL;
+	int i;
+	
+	SECMOD_GetReadLock (lock);
+	while (!RootsModule && list) {
+		SECMODModule *module = list->module;
+		
+		for (i = 0; i < module->slotCount; i++) {
+			PK11SlotInfo *slot = module->slots[i];
+			if (PK11_IsPresent (slot)) {
+				if (PK11_HasRootCerts(slot)) {
+					RootsModule = module;
+					break;
+				}
 			}
 		}
+		
+		list = list->next;
 	}
-
-	if (!has_roots) {
+	SECMOD_ReleaseReadLock (lock);
+	
+	if (RootsModule) {
+		/* Check version, and unload module if it is too old */
+		CK_INFO info;
+		if (PK11_GetModInfo (RootsModule, &info) != SECSuccess) {
+			/* Do not use this module */
+			RootsModule = NULL;
+		} else {
+			/* NSS_BUILTINS_LIBRARY_VERSION_MAJOR and NSS_BUILTINS_LIBRARY_VERSION_MINOR
+			 * define the version we expect to have.
+			 * Later version are fine.
+			 * Older versions are not ok, and we will replace with our own version.
+			 */ 
+			if ((info.libraryVersion.major < NSS_BUILTINS_LIBRARY_VERSION_MAJOR)
+			    || (info.libraryVersion.major == NSS_BUILTINS_LIBRARY_VERSION_MAJOR
+				&& info.libraryVersion.minor < NSS_BUILTINS_LIBRARY_VERSION_MINOR)) {
+				PRInt32 modType;
+				
+				SECMOD_DeleteModule (RootsModule->commonName, &modType);
+				
+				RootsModule = NULL;
+			}
+		}
+	}
+	
+	if (!RootsModule) {
 		/* grovel in various places for mozilla's built-in
 		   cert module.
-
+		   
 		   XXX yes this is gross.  *sigh*
 		*/
 		char *paths_to_check[] = {
 			"/usr/lib",
 			"/usr/lib/mozilla",
 		};
-		int i;
-
+		
 		for (i = 0; i < G_N_ELEMENTS (paths_to_check); i ++) {
-			char *dll_path = g_module_build_path (paths_to_check [i],
-							      "nssckbi");
-
+			char *dll_path = g_module_build_path (paths_to_check [i], "nssckbi");
+			
 			if (g_file_test (dll_path, G_FILE_TEST_EXISTS)) {
 				SECMOD_AddNewModule("Mozilla Root Certs",dll_path, 0, 0);
 				g_free (dll_path);
 				break;
 			}
-
+			
 			g_free (dll_path);
 		}
 	}
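Review bot: The result of `SECMOD_DeleteModule` in the version-check branch is ignored, so when unloading fails the outdated root-certs module stays registered while `RootsModule` is cleared and the code carries on as if it had been replaced. Check the status and at least report it, e.g. `if (SECMOD_DeleteModule (RootsModule->commonName, &modType) != SECSuccess) g_warning ("could not unload outdated nssckbi module");`. Even when the delete succeeds, nothing re-checks the version of the library that the loop below loads, and the status of `SECMOD_AddNewModule` is not examined, so the process can end up with the same stale set of trust anchors or with none; comparing `PK11_GetModInfo` output again after loading would catch that. Separately, `RootsModule` is dereferenced after `SECMOD_ReleaseReadLock` without a reference being taken; holding one with `SECMOD_ReferenceModule` (dropped with `SECMOD_DestroyModule`) would keep the pointer valid if another thread changes the module list. The closing brace of install_loadable_roots is outside this hunk.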

