path: root/lib/nss.c
Commit message (Author, Age, Files, Lines)
* CURL_DOES_CONVERSIONS: cleanup (Daniel Stenberg, 2011-04-20, files: 1, lines: -1/+0)
| Massively reduce #ifdefs all over (23 #ifdef lines less so far)
| Moved conversion-specific code to non-ascii.c
* nss: allow to use multiple client certificates for a single host (Kamil Dudka, 2011-04-08, files: 1, lines: -2/+5)
| In case a client certificate is used, invalidate SSL session cache at the end of a session. This forces NSS to ask for a new client certificate when connecting second time to the same host.
| Bug: https://bugzilla.redhat.com/689031
* nss: fix a crash within SSL_AuthCertificate() (Kamil Dudka, 2011-04-04, files: 1, lines: -1/+1)
| The bug was introduced in 806dbb0 (a wrong value was passed in as the first argument to the default callback in our wrapper).
* nss: do not ignore value of CURLOPT_SSL_VERIFYPEER (Kamil Dudka, 2011-03-15, files: 1, lines: -18/+32)
| When NSS-powered libcurl connected to a SSL server with CURLOPT_SSL_VERIFYPEER equal to zero, NSS remembered that the peer certificate was accepted by libcurl and did not ask the second time when connecting to the same server with CURLOPT_SSL_VERIFYPEER equal to one.
| This patch turns off the SSL session cache for the particular SSL socket if peer verification is disabled. In order to avoid any performance impact, the peer verification is completely skipped in that case, which makes it even faster than before.
| Bug: https://bugzilla.redhat.com/678580
* nss: do not ignore failure of SSL handshake (Kamil Dudka, 2011-02-22, files: 1, lines: -4/+8)
| Flaw introduced in fc77790 and present in curl-7.21.4.
| Bug: https://bugzilla.redhat.com/669702#c16
* nss: avoid memory leak on SSL connection failure (Kamil Dudka, 2011-02-17, files: 1, lines: -1/+8)
|
* nss_load_key: fix unused variable warning (Daniel Stenberg, 2011-02-16, files: 1, lines: -0/+2)
|
* nss: avoid memory leaks and failure of NSS shutdown (Kamil Dudka, 2011-01-27, files: 1, lines: -101/+89)
| ... in case more than one CA is loaded.
| Bug: https://bugzilla.redhat.com/670802
* nss: fix a bug in handling of CURLOPT_CAPATH (Kamil Dudka, 2011-01-18, files: 1, lines: -56/+52)
| ... and update the curl.1 and curl_easy_setopt.3 man pages such that they do not suggest to use an OpenSSL utility if curl is not built against OpenSSL.
| Bug: https://bugzilla.redhat.com/669702
* Curl_timeleft: s/conn/data in first argument (Daniel Stenberg, 2011-01-04, files: 1, lines: -1/+1)
| As the function doesn't really use the connectdata struct but only the SessionHandle struct I modified what argument it wants.
* nss: avoid CURLE_OUT_OF_MEMORY given a file name without any slash (Kamil Dudka, 2011-01-04, files: 1, lines: -33/+40)
| Bug: https://bugzilla.redhat.com/623663
* Curl_nss_connect: avoid PATH_MAX (Daniel Stenberg, 2011-01-02, files: 1, lines: -4/+13)
| Since some systems don't have PATH_MAX and it isn't that clever to assume a fixed maximum path length, the code now allocates buffer space instead of using stack.
| Reported by: Samuel Thibault
| Bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=608521
* http_ntlm: add support for NSS (Kamil Dudka, 2010-06-30, files: 1, lines: -66/+96)
| When configured with '--without-ssl --with-nss', NTLM authentication now uses NSS crypto library for MD5 and DES. For MD4 we have a local implementation in that case. More details are available at https://bugzilla.redhat.com/603783
| In order to get it working, curl_global_init() must be called with CURL_GLOBAL_SSL or CURL_GLOBAL_ALL. That's necessary because NSS needs to be initialized globally and we do so only when the NSS library is actually required by protocol. The mentioned call of curl_global_init() is responsible for creating of the initialization mutex.
| There was also slightly changed the NSS initialization scenario, in particular, loading of the NSS PEM module. It used to be loaded always right after the NSS library was initialized. Now the library is initialized as soon as any SSL or NTLM is required, while the PEM module is prevented from being loaded until the SSL is actually required.
* sendrecv: make them two pairs of send/recv to properly deal with FTPS (Howard Chu, 2010-05-11, files: 1, lines: -2/+2)
| FTP(S) use two connections that can be set to different recv and send functions independently, so by introducing recv+send pairs in the same manner we already have sockets/connections we can work with FTPS fine.
| This commit fixes the FTPS regression introduced in change d64bd82.
* nss: make it possible to read ASCII and DER CRL (Kamil Dudka, 2010-05-11, files: 1, lines: -56/+53)
|
* nss: add CRL to cache instead of read-only NSS db (Kamil Dudka, 2010-05-11, files: 1, lines: -12/+30)
|
* sendrecv: split the I/O handling into private handler (Howard Chu, 2010-05-07, files: 1, lines: -14/+17)
| Howard Chu brought the bulk work of this patch that properly moves out the sending and recving of data to the parts of the code that are properly responsible for the various ways of doing so.
| Daniel Stenberg assisted with polishing a few bits and fixed some minor flaws in the original patch.
| Another upside of this patch is that we now abuse CURLcodes less with the "magic" -1 return codes and instead use CURLE_AGAIN more consistently.
* nss: fix SSL handshake timeout underflow (Kamil Dudka, 2010-04-24, files: 1, lines: -1/+9)
|
* nss: handle client certificate related errors (Kamil Dudka, 2010-04-06, files: 1, lines: -1/+30)
|
* refactorize interface of Curl_ssl_recv/Curl_ssl_send (Kamil Dudka, 2010-04-04, files: 1, lines: -14/+17)
|
* fix compiler warning with a cast. (Guenter Knauf, 2010-03-31, files: 1, lines: -1/+1)
|
* remove the CVSish $Id$ lines (Daniel Stenberg, 2010-03-24, files: 1, lines: -1/+0)
|
* use curl standard indentation and line lengths (Daniel Stenberg, 2010-02-17, files: 1, lines: -55/+59)
|
* lib/nss.c: avoid use of uninitialized value (Kamil Dudka, 2009-12-02, files: 1, lines: -3/+3)
|
* - libcurl-NSS now tries to reconnect with TLS disabled in case it detects a broken TLS server. (Kamil Dudka, 2009-11-12, files: 1, lines: -1/+49)
| However it does not happen if SSL version is selected manually. The approach was originally taken from PSM. Kaspar Brand helped me to complete the patch.
| Original bug reports: https://bugzilla.redhat.com/525496 https://bugzilla.redhat.com/527771
* - Kevin Baughman provided a fix preventing libcurl-NSS from crash on doubly closed NSPR descriptor. (Kamil Dudka, 2009-11-12, files: 1, lines: -0/+2)
| The issue was hard to find, reported several times before and always closed unresolved. More info at the RH bug: https://bugzilla.redhat.com/534176
* - Dropped misleading timeouts in libcurl-NSS and made sure the SSL socket works in non-blocking mode. (Kamil Dudka, 2009-11-05, files: 1, lines: -34/+13)
|
* Since the NSS lib closes the socket the memory tracking system wrongly gets a false positive on a leaked socket, so this introduces a way to tell the system that the socket is indeed closed without explicitly closing it! (Daniel Stenberg, 2009-10-28, files: 1, lines: -0/+1)
|
* - Kevin Baughman found a double close() problem with libcurl-NSS, as when libcurl called NSS to close the SSL "session" it also closed the actual socket. (Daniel Stenberg, 2009-10-18, files: 1, lines: -2/+6)
|
* fix gcc warnings in lib/nss.c (Kamil Dudka, 2009-10-07, files: 1, lines: -33/+27)
|
* added support for new SQLite cert database format: added a runtime check for version 3.12.0, and depending on the result add 'sql:' prefix to cert database directory so that newer SQLite database format works. (Gunter Knauf, 2009-09-21, files: 1, lines: -2/+5)
|
* added additional check for the directory specified with SSL_DIR, and fall back to hardcoded directory if not a valid directory. (Gunter Knauf, 2009-09-21, files: 1, lines: -7/+14)
|
* added debug output for NSS certpath. (Gunter Knauf, 2009-09-08, files: 1, lines: -0/+2)
|
* added casts to silence compiler warning on 64bit systems. (Gunter Knauf, 2009-09-06, files: 1, lines: -2/+2)
|
* use our define struct_stat to be compatible with largefile support. (Gunter Knauf, 2009-09-06, files: 1, lines: -3/+3)
|
* added base64.h include to silence warnings about missing prototype for ATOB_ConvertAsciiToItem. (Gunter Knauf, 2009-09-06, files: 1, lines: -0/+1)
|
* - Improved error message for not matching certificate subject name in libcurl-NSS. (Kamil Dudka, 2009-08-28, files: 1, lines: -5/+7)
| Originally reported at: https://bugzilla.redhat.com/show_bug.cgi?id=516056#c9
* - Changed NSS code to not ignore the value of ssl.verifyhost and produce more verbose error messages. (Kamil Dudka, 2009-08-13, files: 1, lines: -4/+19)
| Originally reported at: https://bugzilla.redhat.com/show_bug.cgi?id=516056
* - Claes Jakobsson improved the support for client certificates handling in NSS-powered libcurl. (Kamil Dudka, 2009-07-20, files: 1, lines: -129/+124)
| Now the client certificates can be selected automatically by a NSS built-in hook. Additionally pre-login to all PKCS11 slots is no more performed. It used to cause problems with HW tokens.
| - Fixed reference counting for NSS client certificates. Now the PEM reader module should be always properly unloaded on Curl_nss_cleanup(). If the unload fails though, libcurl will try to reuse the already loaded instance.
* - Claes Jakobsson provided a patch for libcurl-NSS that fixed a bad refcount issue with client certs that caused issues like segfaults. (Daniel Stenberg, 2009-06-08, files: 1, lines: -18/+12)
| http://curl.haxx.se/mail/lib-2009-05/0316.html
* Fixed a few comment typos (from the FreeBSD ports) (Dan Fandrich, 2009-05-28, files: 1, lines: -1/+1)
|
* - Claes Jakobsson fixed libcurl-NSS to build fine even without the PK11_CreateGenericObject() function. (Daniel Stenberg, 2009-05-27, files: 1, lines: -0/+4)
|
* - Kamil Dudka provided a fix for libcurl-NSS reported by Michael Cronenworth at https://bugzilla.redhat.com/show_bug.cgi?id=453612#c12 (Daniel Stenberg, 2009-05-11, files: 1, lines: -44/+8)
| If an incorrect password is given while loading a private key, libcurl ends up in an infinite loop consuming memory. The bug is critical.
* - Kamil Dudka fixed another NSS-related leak when client certs were used. (Daniel Stenberg, 2009-04-24, files: 1, lines: -12/+20)
|
* libcurl's memory.h renamed to curl_memory.h (Yang Tse, 2009-04-21, files: 1, lines: -1/+1)
|
* Kamil Dudka's follow-up fix (Daniel Stenberg, 2009-04-14, files: 1, lines: -1/+1)
|
* - Toshio Kuratomi reported a memory leak problem with libcurl+NSS that turned out to be leaking cacerts. (Daniel Stenberg, 2009-04-13, files: 1, lines: -16/+29)
| Kamil Dudka helped me complete the fix. The issue is found in Redhat's bug tracker: https://bugzilla.redhat.com/show_bug.cgi?id=453612
| There are still memory leaks present, but they seem to have other reasons.
* - Kamil Dudka brought a patch that enables 6 additional crypto algorithms when NSS is used. (Daniel Stenberg, 2009-03-18, files: 1, lines: -0/+23)
| These ciphers were added in NSS 3.4 and require to be enabled explicitly.
* Indentation fixes, untabify and related whitespace-cleanup. No code changed. (Daniel Stenberg, 2009-02-27, files: 1, lines: -1/+1)
|
* - Kamil Dudka made NSS-powered builds compile and run again! (Daniel Stenberg, 2009-02-17, files: 1, lines: -2/+3)
|