Search for libnssckbi in curl's configure script

libnssckbi is loaded at runtime by NSS. On some systems it is located in a non-standard location that dlopen() can't find. For example, in Ubuntu it may be in /usr/lib/x86_64-linux-gnu and on Mac M1 in /opt/homebrew/nss. This becomes a problem when you static link NSS. Search for libnssckbi in the configure script and add the relevant path using '-rpath' linker flag. In addition, drop the previous hack for Ubuntu that searched libnssckbi in a hardcoded location.
2025-08-08 04:42:26 +00:00 · 2022-04-30 13:23:52 +03:00
parent 2b4b284cc8
commit 31e61775a3
1 changed files with 43 additions and 27 deletions
--- a/firefox/patches/curl-impersonate.patch
+++ b/firefox/patches/curl-impersonate.patch
@@ -760,7 +760,7 @@ index cc9c88870..a35a20e10 100644
      killed. */
   struct dynamically_allocated_data {
 diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c
-index 2b44f0512..4c60797c7 100644
+index 2b44f0512..eec2bf76f 100644
 --- a/lib/vtls/nss.c
 +++ b/lib/vtls/nss.c
@@ -143,6 +143,7 @@ static const struct cipher_s cipherlist[] = {
@@ -867,32 +867,15 @@ index 2b44f0512..4c60797c7 100644
 /*
  * Return true if at least one cipher-suite is enabled. Used to determine
  * if we need to call NSS_SetDomesticPolicy() to enable the default ciphers.
-@@ -1320,6 +1410,24 @@ static CURLcode nss_load_module(SECMODModule **pmod, const char *library,
+@@ -1320,6 +1410,7 @@ static CURLcode nss_load_module(SECMODModule **pmod, const char *library,
 
   if(module)
     SECMOD_DestroyModule(module);
-+
-+  /* Patch for Ubuntu - add a "nss/" suffix to the library name */
-+  config_string = aprintf("library=/usr/lib/x86_64-linux-gnu/nss/%s name=%s", library, name);
-+  if(!config_string)
-+    return CURLE_OUT_OF_MEMORY;
-+
-+  module = SECMOD_LoadUserModule(config_string, NULL, PR_FALSE);
-+  free(config_string);
-+
-+  if(module && module->loaded) {
-+    /* loaded successfully */
-+    *pmod = module;
-+    return CURLE_OK;
-+  }
-+
-+  if(module)
-+    SECMOD_DestroyModule(module);
 +
   return CURLE_FAILED_INIT;
 }
 
-@@ -1921,6 +2029,12 @@ static CURLcode nss_setup_connect(struct Curl_easy *data,
+@@ -1921,6 +2012,12 @@ static CURLcode nss_setup_connect(struct Curl_easy *data,
   if(SSL_OptionSet(model, SSL_NO_CACHE, ssl_no_cache) != SECSuccess)
     goto error;
 
@@ -905,7 +888,7 @@ index 2b44f0512..4c60797c7 100644
   /* enable/disable the requested SSL version(s) */
   if(nss_init_sslver(&sslver, data, conn) != CURLE_OK)
     goto error;
-@@ -1960,6 +2074,14 @@ static CURLcode nss_setup_connect(struct Curl_easy *data,
+@@ -1960,6 +2057,14 @@ static CURLcode nss_setup_connect(struct Curl_easy *data,
     }
   }
 
@@ -920,7 +903,7 @@ index 2b44f0512..4c60797c7 100644
   if(!SSL_CONN_CONFIG(verifypeer) && SSL_CONN_CONFIG(verifyhost))
     infof(data, "warning: ignoring value of ssl.verifyhost");
 
-@@ -2113,6 +2235,10 @@ static CURLcode nss_setup_connect(struct Curl_easy *data,
+@@ -2113,6 +2218,10 @@ static CURLcode nss_setup_connect(struct Curl_easy *data,
     int cur = 0;
     unsigned char protocols[128];
 
@@ -931,7 +914,7 @@ index 2b44f0512..4c60797c7 100644
 #ifdef USE_HTTP2
     if(data->state.httpwant >= CURL_HTTP_VERSION_2
 #ifndef CURL_DISABLE_PROXY
-@@ -2124,9 +2250,6 @@ static CURLcode nss_setup_connect(struct Curl_easy *data,
+@@ -2124,9 +2233,6 @@ static CURLcode nss_setup_connect(struct Curl_easy *data,
       cur += ALPN_H2_LENGTH;
     }
 #endif
@@ -954,10 +937,10 @@ index 8ac15d407..68d01b219 100644
 Libs.private: @LIBCURL_LIBS@
 Cflags: -I${includedir} @CPPFLAG_CURL_STATICLIB@
 diff --git a/m4/curl-nss.m4 b/m4/curl-nss.m4
-index 397ba71b1..922cb9a07 100644
+index 397ba71b1..d2a8fc1f2 100644
 --- a/m4/curl-nss.m4
 +++ b/m4/curl-nss.m4
-@@ -74,7 +74,74 @@ if test "x$OPT_NSS" != xno; then
+@@ -74,7 +74,107 @@ if test "x$OPT_NSS" != xno; then
       # Without pkg-config, we'll kludge in some defaults
       AC_MSG_WARN([Using hard-wired libraries and compilation flags for NSS.])
       addld="-L$OPT_NSS/lib"
@@ -1029,11 +1012,44 @@ index 397ba71b1..922cb9a07 100644
 +          addlib="$addlib -lsqlite3"
 +          ;;
 +      esac
+
+      # Attempt to locate libnssckbi.
+      # This library file contains the trusted certificates and nss loads it
+      # at runtime using dlopen. If it's not in a path findable by dlopen
+      # we have to add that path explicitly using -rpath so it may find it.
+      # On Ubuntu and Mac M1 it is in a non-standard location.
+      AC_MSG_CHECKING([if libnssckbi is in a non-standard location])
+      case $host_os in
+        linux*)
+          search_paths="/usr/lib/$host /usr/lib/$host/nss"
+          search_paths="$search_paths /usr/lib/$host_cpu-$host_os"
+          search_paths="$search_paths /usr/lib/$host_cpu-$host_os/nss"
+          search_ext="so"
+          ;;
+        darwin*)
+          search_paths="/opt/homebrew/lib"
+          search_ext="dylib"
+          ;;
+      esac
+
+      found="no"
+      for path in $search_paths; do
+        if test -f "$path/libnssckbi.$search_ext"; then
+          AC_MSG_RESULT([$path])
+          addld="$addld -Wl,-rpath,$path"
+          found="yes"
+          break
+        fi
+      done
+
+      if test "$found" = "no"; then
+        AC_MSG_RESULT([no])
+      fi
 +
       addcflags="-I$OPT_NSS/include"
       version="unknown"
       nssprefix=$OPT_NSS
-@@ -91,7 +158,7 @@ if test "x$OPT_NSS" != xno; then
+@@ -91,7 +191,7 @@ if test "x$OPT_NSS" != xno; then
     fi
 
     dnl The function SSL_VersionRangeSet() is needed to enable TLS > 1.0
@@ -1042,7 +1058,7 @@ index 397ba71b1..922cb9a07 100644
      [
      AC_DEFINE(USE_NSS, 1, [if NSS is enabled])
      AC_SUBST(USE_NSS, [1])
-@@ -101,9 +168,7 @@ if test "x$OPT_NSS" != xno; then
+@@ -101,9 +201,7 @@ if test "x$OPT_NSS" != xno; then
      test nss != "$DEFAULT_SSL_BACKEND" || VALID_DEFAULT_SSL_BACKEND=yes
      ],
      [