From 31e61775a30ce9dd91ca99ab3776caf7ff5293e9 Mon Sep 17 00:00:00 2001
From: lwthiker
Date: Sat, 30 Apr 2022 13:23:52 +0300
Subject: [PATCH] Search for libnssckbi in curl's configure script

libnssckbi is loaded at runtime by NSS. On some systems it is located in a non-standard location that dlopen() can't find. For example, in Ubuntu it may be in /usr/lib/x86_64-linux-gnu and on Mac M1 in /opt/homebrew/nss. This becomes a problem when you static link NSS. Search for libnssckbi in the configure script and add the relevant path using '-rpath' linker flag. In addition, drop the previous hack for Ubuntu that searched libnssckbi in a hardcoded location.
---
 firefox/patches/curl-impersonate.patch | 70 ++++++++++++++++----------
 1 file changed, 43 insertions(+), 27 deletions(-)

diff --git a/firefox/patches/curl-impersonate.patch b/firefox/patches/curl-impersonate.patch
index 3496184..ba6b604 100644
--- a/firefox/patches/curl-impersonate.patch
+++ b/firefox/patches/curl-impersonate.patch
@@ -760,7 +760,7 @@ index cc9c88870..a35a20e10 100644
     killed. */
  struct dynamically_allocated_data {
 diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c
-index 2b44f0512..4c60797c7 100644
+index 2b44f0512..eec2bf76f 100644
 --- a/lib/vtls/nss.c
 +++ b/lib/vtls/nss.c
 @@ -143,6 +143,7 @@ static const struct cipher_s cipherlist[] = {
@@ -867,32 +867,15 @@ index 2b44f0512..4c60797c7 100644
  /*
   * Return true if at least one cipher-suite is enabled. Used to determine
   * if we need to call NSS_SetDomesticPolicy() to enable the default ciphers.
-@@ -1320,6 +1410,24 @@ static CURLcode nss_load_module(SECMODModule **pmod, const char *library,
+@@ -1320,6 +1410,7 @@ static CURLcode nss_load_module(SECMODModule **pmod, const char *library,
    if(module)
      SECMOD_DestroyModule(module);
-+
-+  /* Patch for Ubuntu - add a "nss/" suffix to the library name */
-+  config_string = aprintf("library=/usr/lib/x86_64-linux-gnu/nss/%s name=%s", library, name);
-+  if(!config_string)
-+    return CURLE_OUT_OF_MEMORY;
-+
-+  module = SECMOD_LoadUserModule(config_string, NULL, PR_FALSE);
-+  free(config_string);
-+
-+  if(module && module->loaded) {
-+    /* loaded successfully */
-+    *pmod = module;
-+    return CURLE_OK;
-+  }
-+
-+  if(module)
-+    SECMOD_DestroyModule(module);
 +
    return CURLE_FAILED_INIT;
  }
-@@ -1921,6 +2029,12 @@ static CURLcode nss_setup_connect(struct Curl_easy *data,
+@@ -1921,6 +2012,12 @@ static CURLcode nss_setup_connect(struct Curl_easy *data,
    if(SSL_OptionSet(model, SSL_NO_CACHE, ssl_no_cache) != SECSuccess)
      goto error;
@@ -905,7 +888,7 @@ index 2b44f0512..4c60797c7 100644
    /* enable/disable the requested SSL version(s) */
    if(nss_init_sslver(&sslver, data, conn) != CURLE_OK)
      goto error;
-@@ -1960,6 +2074,14 @@ static CURLcode nss_setup_connect(struct Curl_easy *data,
+@@ -1960,6 +2057,14 @@ static CURLcode nss_setup_connect(struct Curl_easy *data,
      }
    }
@@ -920,7 +903,7 @@ index 2b44f0512..4c60797c7 100644
    if(!SSL_CONN_CONFIG(verifypeer) && SSL_CONN_CONFIG(verifyhost))
      infof(data, "warning: ignoring value of ssl.verifyhost");
-@@ -2113,6 +2235,10 @@ static CURLcode nss_setup_connect(struct Curl_easy *data,
+@@ -2113,6 +2218,10 @@ static CURLcode nss_setup_connect(struct Curl_easy *data,
      int cur = 0;
      unsigned char protocols[128];
@@ -931,7 +914,7 @@ index 2b44f0512..4c60797c7 100644
  #ifdef USE_HTTP2
    if(data->state.httpwant >= CURL_HTTP_VERSION_2
  #ifndef CURL_DISABLE_PROXY
-@@ -2124,9 +2250,6 @@ static CURLcode nss_setup_connect(struct Curl_easy *data,
+@@ -2124,9 +2233,6 @@ static CURLcode nss_setup_connect(struct Curl_easy *data,
        cur += ALPN_H2_LENGTH;
      }
  #endif
@@ -954,10 +937,10 @@ index 8ac15d407..68d01b219 100644
  Libs.private: @LIBCURL_LIBS@
  Cflags: -I${includedir} @CPPFLAG_CURL_STATICLIB@
 diff --git a/m4/curl-nss.m4 b/m4/curl-nss.m4
-index 397ba71b1..922cb9a07 100644
+index 397ba71b1..d2a8fc1f2 100644
 --- a/m4/curl-nss.m4
 +++ b/m4/curl-nss.m4
-@@ -74,7 +74,74 @@ if test "x$OPT_NSS" != xno; then
+@@ -74,7 +74,107 @@ if test "x$OPT_NSS" != xno; then
        # Without pkg-config, we'll kludge in some defaults
        AC_MSG_WARN([Using hard-wired libraries and compilation flags for NSS.])
        addld="-L$OPT_NSS/lib"
@@ -1029,11 +1012,44 @@ index 397ba71b1..922cb9a07 100644
 +      addlib="$addlib -lsqlite3"
 +      ;;
 +    esac
++
++    # Attempt to locate libnssckbi.
++    # This library file contains the trusted certificates and nss loads it
++    # at runtime using dlopen. If it's not in a path findable by dlopen
++    # we have to add that path explicitly using -rpath so it may find it.
++    # On Ubuntu and Mac M1 it is in a non-standard location.
++    AC_MSG_CHECKING([if libnssckbi is in a non-standard location])
++    case $host_os in
++      linux*)
++        search_paths="/usr/lib/$host /usr/lib/$host/nss"
++        search_paths="$search_paths /usr/lib/$host_cpu-$host_os"
++        search_paths="$search_paths /usr/lib/$host_cpu-$host_os/nss"
++        search_ext="so"
++        ;;
++      darwin*)
++        search_paths="/opt/homebrew/lib"
++        search_ext="dylib"
++        ;;
++    esac
++
++    found="no"
++    for path in $search_paths; do
++      if test -f "$path/libnssckbi.$search_ext"; then
++        AC_MSG_RESULT([$path])
++        addld="$addld -Wl,-rpath,$path"
++        found="yes"
++        break
++      fi
++    done
++
++    if test "$found" = "no"; then
++      AC_MSG_RESULT([no])
++    fi
 +      addcflags="-I$OPT_NSS/include"
        version="unknown"
        nssprefix=$OPT_NSS
-@@ -91,7 +158,7 @@ if test "x$OPT_NSS" != xno; then
+@@ -91,7 +191,7 @@ if test "x$OPT_NSS" != xno; then
      fi
    dnl The function SSL_VersionRangeSet() is needed to enable TLS > 1.0
@@ -1042,7 +1058,7 @@ index 397ba71b1..922cb9a07 100644
    [
      AC_DEFINE(USE_NSS, 1, [if NSS is enabled])
      AC_SUBST(USE_NSS, [1])
-@@ -101,9 +168,7 @@ if test "x$OPT_NSS" != xno; then
+@@ -101,9 +201,7 @@ if test "x$OPT_NSS" != xno; then
      test nss != "$DEFAULT_SSL_BACKEND" || VALID_DEFAULT_SSL_BACKEND=yes
    ],
    [
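Review bot: The `case $host_os in` that picks the libnssckbi search paths has no default branch, so on any host other than linux*/darwin* `search_paths` and `search_ext` are never assigned and keep whatever value the configure environment already carried; adding `*) search_paths="" search_ext="" ;;` (or initialising both variables just before the `case`) makes the no-match path explicit instead of environment-dependent. The resulting `-Wl,-rpath,$path` is baked into every installed binary and widens the runtime search path for every library the program loads, not only libnssckbi, so the block comment should say that the directory is being trusted as the source of the CA trust module and is expected to be writable only by the system (on macOS `/opt/homebrew/lib` is typically owned by the installing user rather than root). The commit description names `/opt/homebrew/nss` as the M1 location while the code searches `/opt/homebrew/lib`; presumably one of the two is a typo and they should agree. Note also that the search only runs in the hard-wired (no pkg-config) branch and tests the build host's filesystem against `$host`, so a pkg-config or cross-compiled build will not gain the rpath; the enclosing `if test "x$OPT_NSS" != xno` block starts and ends outside this hunk.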