Request NSS to use DBM as the storage file format

4 files changed, 17 insertions, 5 deletions

diff --git a/security/certverifier/NSSCertDBTrustDomain.cpp b/security/certverifier/NSSCertDBTrustDomain.cpp
index b4e12fe9c..39f7d3e9e 100644
--- a/security/certverifier/NSSCertDBTrustDomain.cpp
+++ b/security/certverifier/NSSCertDBTrustDomain.cpp
@@ -22,6 +22,7 @@
 #include "mozilla/Unused.h"
 #include "nsNSSCertificate.h"
 #include "nsServiceManagerUtils.h"
+#include "nsThreadUtils.h"
 #include "nss.h"
 #include "pk11pub.h"
 #include "pkix/Result.h"
@@ -1087,8 +1088,10 @@ NSSCertDBTrustDomain::NoteAuxiliaryExtension(AuxiliaryExtension extension,
 }
 
 SECStatus
-InitializeNSS(const char* dir, bool readOnly, bool loadPKCS11Modules)
+InitializeNSS(const nsACString& dir, bool readOnly, bool loadPKCS11Modules)
 {
+  MOZ_ASSERT(NS_IsMainThread());
+
   // The NSS_INIT_NOROOTINIT flag turns off the loading of the root certs
   // module by NSS_Initialize because we will load it in InstallLoadableRoots
   // later.  It also allows us to work around a bug in the system NSS in
@@ -1101,7 +1104,10 @@ InitializeNSS(const char* dir, bool readOnly, bool loadPKCS11Modules)
   if (!loadPKCS11Modules) {
     flags |= NSS_INIT_NOMODDB;
   }
-  return ::NSS_Initialize(dir, "", "", SECMOD_DB, flags);
+  nsAutoCString dbTypeAndDirectory;
+  dbTypeAndDirectory.Append("dbm:");
+  dbTypeAndDirectory.Append(dir);
+  return ::NSS_Initialize(dbTypeAndDirectory.get(), "", "", SECMOD_DB, flags);
 }
 
 void
diff --git a/security/certverifier/NSSCertDBTrustDomain.h b/security/certverifier/NSSCertDBTrustDomain.h
index 15a5a4a2c..64827536c 100644
--- a/security/certverifier/NSSCertDBTrustDomain.h
+++ b/security/certverifier/NSSCertDBTrustDomain.h
@@ -36,7 +36,8 @@ enum class NetscapeStepUpPolicy : uint32_t {
   NeverMatch = 3,
 };
 
-SECStatus InitializeNSS(const char* dir, bool readOnly, bool loadPKCS11Modules);
+SECStatus InitializeNSS(const nsACString& dir, bool readOnly,
+                        bool loadPKCS11Modules);
 
 void DisableMD5();
 
diff --git a/security/certverifier/moz.build b/security/certverifier/moz.build
index 70f049340..97cff1f7d 100644
--- a/security/certverifier/moz.build
+++ b/security/certverifier/moz.build
@@ -68,6 +68,11 @@ if CONFIG['_MSC_VER']:
                # class copy constructor is inaccessible or deleted
     '-wd4626', # assignment operator could not be generated because a base
                # class assignment operator is inaccessible or deleted
+    '-wd4628', # digraphs not supported with -Ze (nsThreadUtils.h includes
+               # what would be the digraph "<:" in the expression
+               # "mozilla::EnableIf<::detail::...". Since we don't want it
+               # interpreted as a digraph anyway, we can disable the
+               # warning.)
     '-wd4640', # construction of local static object is not thread-safe
     '-wd4710', # 'function': function not inlined
     '-wd4711', # function 'function' selected for inline expansion
diff --git a/security/manager/ssl/nsNSSComponent.cpp b/security/manager/ssl/nsNSSComponent.cpp
index 1bcdcc1b0..025f4bda2 100644
--- a/security/manager/ssl/nsNSSComponent.cpp
+++ b/security/manager/ssl/nsNSSComponent.cpp
@@ -1828,11 +1828,11 @@ nsNSSComponent::InitializeNSS()
   if (!nocertdb && !profileStr.IsEmpty()) {
     // First try to initialize the NSS DB in read/write mode.
     // Only load PKCS11 modules if we're not in safe mode.
-    init_rv = ::mozilla::psm::InitializeNSS(profileStr.get(), false, !inSafeMode);
+    init_rv = ::mozilla::psm::InitializeNSS(profileStr, false, !inSafeMode);
     // If that fails, attempt read-only mode.
     if (init_rv != SECSuccess) {
       MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("could not init NSS r/w in %s\n", profileStr.get()));
-      init_rv = ::mozilla::psm::InitializeNSS(profileStr.get(), true, !inSafeMode);
+      init_rv = ::mozilla::psm::InitializeNSS(profileStr, true, !inSafeMode);
     }
     if (init_rv != SECSuccess) {
       MOZ_LOG(gPIPNSSLog, LogLevel::Debug, ("could not init in r/o either\n"));