nss: use PK11_CreateManagedGenericObject() if available

kdudka · kdudka · commit 1605d93a7b8a · 2018-02-15T10:18:34.000+01:00
... so that the memory allocated by applications using libcurl does not grow per each TLS connection. Bug: https://bugzilla.redhat.com/1510247 Closes #2297
diff --git a/configure.ac b/configure.ac
@@ -2483,6 +2483,15 @@ if test -z "$ssl_backends" -o "x$OPT_NSS" != xno; then
     if test "x$USE_NSS" = "xyes"; then
       AC_MSG_NOTICE([detected NSS version $version])
 
+      dnl PK11_CreateManagedGenericObject() was introduced in NSS 3.34 because
+      dnl PK11_DestroyGenericObject() does not release resources allocated by
+      dnl PK11_CreateGenericObject() early enough.
+      AC_CHECK_FUNC(PK11_CreateManagedGenericObject,
+        [
+          AC_DEFINE(HAVE_PK11_CREATEMANAGEDGENERICOBJECT, 1,
+                    [if you have the PK11_CreateManagedGenericObject function])
+        ])
+
       dnl needed when linking the curl tool without USE_EXPLICIT_LIB_DEPS
       NSS_LIBS=$addlib
       AC_SUBST([NSS_LIBS])
diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c
@@ -440,7 +440,17 @@ static CURLcode nss_create_object(struct ssl_connect_data *connssl,
     PK11_SETATTRS(attrs, attr_cnt, CKA_TRUST, pval, sizeof(*pval));
   }
 
-  obj = PK11_CreateGenericObject(slot, attrs, attr_cnt, PR_FALSE);
+  /* PK11_CreateManagedGenericObject() was introduced in NSS 3.34 because
+   * PK11_DestroyGenericObject() does not release resources allocated by
+   * PK11_CreateGenericObject() early enough.  */
+  obj =
+#ifdef HAVE_PK11_CREATEMANAGEDGENERICOBJECT
+    PK11_CreateManagedGenericObject
+#else
+    PK11_CreateGenericObject
+#endif
+    (slot, attrs, attr_cnt, PR_FALSE);
+
   PK11_FreeSlot(slot);
   if(!obj)
     return result;
