path: root/lib/nss.c

Log entries: commit message, then author, date, files changed and lines -removed/+added
* nss: fix misplaced code enabling non-blocking socket mode
  Kamil Dudka, 2013-03-06, 1 file, -6/+6 lines

  The option needs to be set on the SSL socket. Setting it on the model has no effect. Note that the non-blocking mode is still not enabled for the handshake because the code is not yet ready for that.
* nss: fix error messages for CURLE_SSL_{CACERT,CRL}_BADFILE
  Kamil Dudka, 2013-01-15, 1 file, -2/+0 lines

  Do not use the error messages from NSS for errors not occurring in NSS.
* nss: clear session cache if a client cert from file is used
  Kamil Dudka, 2013-01-11, 1 file, -4/+8 lines

  This commit fixes a regression introduced in 052a08ff. NSS caches certs/keys returned by the SSL_GetClientAuthDataHook callback and if we connect a second time to the same server, the cached cert/key pair is used. If we use multiple client certificates for different paths on the same server, we need to clear the session cache to force NSS to call the hook again.

  The commit 052a08ff prevented the session cache from being cleared if a client certificate from file was used. The condition is now fixed to cover both cases: connssl->client_nickname is not NULL if a client certificate from the NSS database is used and connssl->obj_clicert is not NULL if a client certificate from file is used.

  Review by: Kai Engert
* build: fix circular header inclusion with other packages
  Yang Tse, 2013-01-09, 1 file, -1/+1 lines

  This commit renames lib/setup.h to lib/curl_setup.h and renames lib/setup_once.h to lib/curl_setup_once.h.

  Removes the need and usage of a header inclusion guard foreign to libcurl. [1]

  Removes the need and presence of an alarming notice we carried in old setup_once.h [2]

  ----------------------------------------

  1 - lib/setup_once.h used __SETUP_ONCE_H macro as header inclusion guard up to commit ec691ca3 which changed this to HEADER_CURL_SETUP_ONCE_H; this single inclusion guard is enough to ensure that inclusion of lib/setup_once.h done from lib/setup.h is only done once.

  Additionally, lib/setup.h has always used __SETUP_ONCE_H macro to protect inclusion of setup_once.h even after commit ec691ca3; this was to avoid a circular header inclusion triggered when building a c-ares enabled version with c-ares sources available, which also has a setup_once.h header.

  Commit ec691ca3 exposes the real nature of __SETUP_ONCE_H usage in lib/setup.h: it is a header inclusion guard foreign to libcurl, belonging to c-ares's setup_once.h.

  The renaming this commit does fixes the circular header inclusion, and as such removes the need and usage of a header inclusion guard foreign to libcurl. Macro __SETUP_ONCE_H is no longer used in libcurl.

  2 - Due to the circular interdependency of old lib/setup_once.h and the c-ares setup_once.h header, old file lib/setup_once.h has carried from 2006 up to nowadays an alarming and prominent notice about the need of keeping libcurl's and c-ares's setup_once.h in sync.

  Given that this commit fixes the circular interdependency, the need and presence of the mentioned notice is removed.

  All mentioned interdependencies come from the now old days when the c-ares project lived inside a curl subdirectory. This commit removes the last traces of that fact.
* Revert changes relative to lib/*.[ch] recent renaming
  Yang Tse, 2013-01-06, 1 file, -0/+1572 lines

  This reverts renaming and usage of lib/*.h header files done 28-12-2012, reverting 2 commits:

    f871de0... build: make use of 76 lib/*.h renamed files
    ffd8e12... build: rename 76 lib/*.h files

  This also reverts removal of redundant include guard (redundant thanks to changes in above commits) done 2-12-2013, reverting 1 commit:

    c087374... curl_setup.h: remove redundant include guard

  This also reverts renaming and usage of lib/*.c source files done 3-12-2013, reverting 3 commits:

    13606bb... build: make use of 93 lib/*.c renamed files
    5b6e792... build: rename 93 lib/*.c files
    7d83dff... build: commit 13606bbfde follow-up 1

  Start of related discussion thread:
  http://curl.haxx.se/mail/lib-2013-01/0012.html

  Asking for confirmation on pushing this reversion commit:
  http://curl.haxx.se/mail/lib-2013-01/0048.html

  Confirmation summary:
  http://curl.haxx.se/mail/lib-2013-01/0079.html

  NOTICE: The list of 2 files that have been modified by other intermixed commits, while renamed, and also by at least one of the 6 commits this one reverts, follows below. These 2 files will exhibit a hole in history unless git's '--follow' option is used when viewing logs.

    lib/curl_imap.h
    lib/curl_smtp.h
* build: rename 93 lib/*.c files
  Yang Tse, 2013-01-03, 1 file, -1572/+0 lines

  93 lib/*.c source files renamed to use our standard naming scheme.

  This commit only does the file renaming.

  ----------------------------------------

  renamed: lib/amigaos.c -> lib/curl_amigaos.c
  renamed: lib/asyn-ares.c -> lib/curl_asyn_ares.c
  renamed: lib/asyn-thread.c -> lib/curl_asyn_thread.c
  renamed: lib/axtls.c -> lib/curl_axtls.c
  renamed: lib/base64.c -> lib/curl_base64.c
  renamed: lib/bundles.c -> lib/curl_bundles.c
  renamed: lib/conncache.c -> lib/curl_conncache.c
  renamed: lib/connect.c -> lib/curl_connect.c
  renamed: lib/content_encoding.c -> lib/curl_content_encoding.c
  renamed: lib/cookie.c -> lib/curl_cookie.c
  renamed: lib/cyassl.c -> lib/curl_cyassl.c
  renamed: lib/dict.c -> lib/curl_dict.c
  renamed: lib/easy.c -> lib/curl_easy.c
  renamed: lib/escape.c -> lib/curl_escape.c
  renamed: lib/file.c -> lib/curl_file.c
  renamed: lib/fileinfo.c -> lib/curl_fileinfo.c
  renamed: lib/formdata.c -> lib/curl_formdata.c
  renamed: lib/ftp.c -> lib/curl_ftp.c
  renamed: lib/ftplistparser.c -> lib/curl_ftplistparser.c
  renamed: lib/getenv.c -> lib/curl_getenv.c
  renamed: lib/getinfo.c -> lib/curl_getinfo.c
  renamed: lib/gopher.c -> lib/curl_gopher.c
  renamed: lib/gtls.c -> lib/curl_gtls.c
  renamed: lib/hash.c -> lib/curl_hash.c
  renamed: lib/hmac.c -> lib/curl_hmac.c
  renamed: lib/hostasyn.c -> lib/curl_hostasyn.c
  renamed: lib/hostcheck.c -> lib/curl_hostcheck.c
  renamed: lib/hostip.c -> lib/curl_hostip.c
  renamed: lib/hostip4.c -> lib/curl_hostip4.c
  renamed: lib/hostip6.c -> lib/curl_hostip6.c
  renamed: lib/hostsyn.c -> lib/curl_hostsyn.c
  renamed: lib/http.c -> lib/curl_http.c
  renamed: lib/http_chunks.c -> lib/curl_http_chunks.c
  renamed: lib/http_digest.c -> lib/curl_http_digest.c
  renamed: lib/http_negotiate.c -> lib/curl_http_negotiate.c
  renamed: lib/http_negotiate_sspi.c -> lib/curl_http_negotiate_sspi.c
  renamed: lib/http_proxy.c -> lib/curl_http_proxy.c
  renamed: lib/idn_win32.c -> lib/curl_idn_win32.c
  renamed: lib/if2ip.c -> lib/curl_if2ip.c
  renamed: lib/imap.c -> lib/curl_imap.c
  renamed: lib/inet_ntop.c -> lib/curl_inet_ntop.c
  renamed: lib/inet_pton.c -> lib/curl_inet_pton.c
  renamed: lib/krb4.c -> lib/curl_krb4.c
  renamed: lib/krb5.c -> lib/curl_krb5.c
  renamed: lib/ldap.c -> lib/curl_ldap.c
  renamed: lib/llist.c -> lib/curl_llist.c
  renamed: lib/md4.c -> lib/curl_md4.c
  renamed: lib/md5.c -> lib/curl_md5.c
  renamed: lib/memdebug.c -> lib/curl_memdebug.c
  renamed: lib/mprintf.c -> lib/curl_mprintf.c
  renamed: lib/multi.c -> lib/curl_multi.c
  renamed: lib/netrc.c -> lib/curl_netrc.c
  renamed: lib/non-ascii.c -> lib/curl_non_ascii.c
  renamed: lib/curl_non-ascii.h -> lib/curl_non_ascii.h
  renamed: lib/nonblock.c -> lib/curl_nonblock.c
  renamed: lib/nss.c -> lib/curl_nss.c
  renamed: lib/nwlib.c -> lib/curl_nwlib.c
  renamed: lib/nwos.c -> lib/curl_nwos.c
  renamed: lib/openldap.c -> lib/curl_openldap.c
  renamed: lib/parsedate.c -> lib/curl_parsedate.c
  renamed: lib/pingpong.c -> lib/curl_pingpong.c
  renamed: lib/polarssl.c -> lib/curl_polarssl.c
  renamed: lib/pop3.c -> lib/curl_pop3.c
  renamed: lib/progress.c -> lib/curl_progress.c
  renamed: lib/qssl.c -> lib/curl_qssl.c
  renamed: lib/rawstr.c -> lib/curl_rawstr.c
  renamed: lib/rtsp.c -> lib/curl_rtsp.c
  renamed: lib/security.c -> lib/curl_security.c
  renamed: lib/select.c -> lib/curl_select.c
  renamed: lib/sendf.c -> lib/curl_sendf.c
  renamed: lib/share.c -> lib/curl_share.c
  renamed: lib/slist.c -> lib/curl_slist.c
  renamed: lib/smtp.c -> lib/curl_smtp.c
  renamed: lib/socks.c -> lib/curl_socks.c
  renamed: lib/socks_gssapi.c -> lib/curl_socks_gssapi.c
  renamed: lib/socks_sspi.c -> lib/curl_socks_sspi.c
  renamed: lib/speedcheck.c -> lib/curl_speedcheck.c
  renamed: lib/splay.c -> lib/curl_splay.c
  renamed: lib/ssh.c -> lib/curl_ssh.c
  renamed: lib/sslgen.c -> lib/curl_sslgen.c
  renamed: lib/ssluse.c -> lib/curl_ssluse.c
  renamed: lib/strdup.c -> lib/curl_strdup.c
  renamed: lib/strequal.c -> lib/curl_strequal.c
  renamed: lib/strerror.c -> lib/curl_strerror.c
  renamed: lib/strtok.c -> lib/curl_strtok.c
  renamed: lib/strtoofft.c -> lib/curl_strtoofft.c
  renamed: lib/telnet.c -> lib/curl_telnet.c
  renamed: lib/tftp.c -> lib/curl_tftp.c
  renamed: lib/timeval.c -> lib/curl_timeval.c
  renamed: lib/transfer.c -> lib/curl_transfer.c
  renamed: lib/url.c -> lib/curl_url.c
  renamed: lib/version.c -> lib/curl_version.c
  renamed: lib/warnless.c -> lib/curl_warnless.c
  renamed: lib/wildcard.c -> lib/curl_wildcard.c

  ----------------------------------------
* build: make use of 93 lib/*.c renamed files
  Yang Tse, 2013-01-03, 1 file, -2/+2 lines

  93 *.c source files renamed to use our standard naming scheme.

  This change affects 77 files in libcurl's source tree.
* build: make use of 76 lib/*.h renamed files
  Yang Tse, 2012-12-28, 1 file, -14/+14 lines

  76 private header files renamed to use our standard naming scheme.

  This change affects 322 files in libcurl's source tree.
* setup_once.h: refactor inclusion of <unistd.h> and <sys/socket.h>
  Yang Tse, 2012-12-14, 1 file, -4/+0 lines

  Inclusion of the top two most included header files is now done in setup_once.h
* nss: prevent NSS from crashing on client auth hook failure
  Kamil Dudka, 2012-12-03, 1 file, -6/+11 lines

  Although it is not explicitly stated in the documentation, NSS uses *pRetCert and *pRetKey even if the client authentication hook returns a failure. Namely, if we destroy *pRetCert without clearing *pRetCert afterwards, NSS destroys the certificate once again, which causes a double free.

  Reported by: Bob Relyea
* CURLOPT_SSL_VERIFYHOST: stop supporting the 1 value
  Daniel Stenberg, 2012-11-06, 1 file, -2/+0 lines

  After a research team wrote a document[1] that found several live source codes out there in the wild that misused the CURLOPT_SSL_VERIFYHOST option thinking it was a boolean, this change now bans 1 as a value and will make libcurl return an error for it.

  1 was never a sensible value to use in production but was introduced back in the days to help debugging. It was always documented clearly this way.

  1 was never supported by all SSL backends in libcurl, so this cleanup makes the treatment of it unified.

  The report's list of mistakes for this option was all PHP code and while there's a binding layer between libcurl and PHP, the PHP team has decided that they have as thin a layer as possible on top of libcurl so they will not alter or specifically filter a 'TRUE' value for this particular option. I sympathize with that position.

  [1] = http://daniel.haxx.se/blog/2012/10/25/libcurl-claimed-to-be-dangerous/
* nss.c: Fixed warning: 'err' may be used uninitialized in this function
  Marc Hoersken, 2012-09-11, 1 file, -1/+1 lines
* white space fix: shorten long line
  Daniel Stenberg, 2012-08-10, 1 file, -1/+2 lines

  ... to please checksrc.pl
* docs: update the links to cipher-suites supported by NSS
  Kamil Dudka, 2012-08-09, 1 file, -54/+51 lines

  ... and make the list of cipher-suites in nss.c readable by humans.

  Bug: http://curl.haxx.se/mail/archive-2012-08/0016.html
* nss: do not print misleading NSS error codes
  Kamil Dudka, 2012-08-09, 1 file, -12/+30 lines
* nss.c: #include warnless.h for curlx_uztosi and curlx_uztoui prototypes
  Yang Tse, 2012-06-28, 1 file, -2/+3 lines
* nss.c: Fixed size_t conversion warnings
  Marc Hoersken, 2012-06-28, 1 file, -3/+3 lines
* SSL cleanup: use crypto functions through the sslgen layer
  Daniel Stenberg, 2012-06-26, 1 file, -0/+20 lines

  curl_ntlm_msgs.c would previously use an #ifdef maze and direct SSL-library calls instead of using the SSL layer we have for this purpose.
* nss: use human-readable error messages provided by NSS
  Kamil Dudka, 2012-05-28, 1 file, -71/+57 lines

  Bug: http://lists.baseurl.org/pipermail/yum-devel/2012-January/009002.html
* nss: avoid using explicit casts of code pointers
  Kamil Dudka, 2012-05-25, 1 file, -7/+4 lines
* nss.c: fix compiler warning
  Yang Tse, 2012-04-16, 1 file, -1/+2 lines
* nss.c: fix compiler warning
  Yang Tse, 2012-04-13, 1 file, -4/+5 lines
* nss: provide human-readable names for NSS errors
  Kamil Dudka, 2012-04-13, 1 file, -7/+25 lines
* nss: use NSS_InitContext() to initialize NSS if available
  Kamil Dudka, 2012-04-13, 1 file, -1/+36 lines

  NSS_InitContext() was introduced in NSS 3.12.5 and helps to prevent collisions on NSS initialization/shutdown with other libraries.

  Bug: https://bugzilla.redhat.com/738456
* nss: unconditionally require PK11_CreateGenericObject()
  Kamil Dudka, 2012-04-13, 1 file, -28/+2 lines

  This bumps the minimal supported version of NSS to 3.12.x.
* nss: add support for the CURLSSLOPT_ALLOW_BEAST option
  Kamil Dudka, 2012-02-09, 1 file, -0/+13 lines

  ... and fix some typos from the 62d15f1 commit.
* nss: avoid a SIGSEGV with immature version of NSS
  Kamil Dudka, 2011-10-17, 1 file, -1/+23 lines

  Bug: https://bugzilla.redhat.com/733685
* nss: big cleanup in nss_load_cert() and cert_stuff()
  Kamil Dudka, 2011-10-17, 1 file, -93/+58 lines
* nss: refactor fmt_nickname() -> dup_nickname()
  Kamil Dudka, 2011-10-17, 1 file, -28/+14 lines

  Do not use artificial nicknames for certificates from files.
* nss: select client certificates by DER
  Kamil Dudka, 2011-10-17, 1 file, -16/+29 lines

  ... instead of nicknames, which are not unique.
* fix a bunch of MSVC compiler warnings
  Yang Tse, 2011-09-03, 1 file, -1/+1 lines
* nss: start with no database if the selected database is broken
  Kamil Dudka, 2011-08-15, 1 file, -24/+39 lines

  Bug: https://bugzilla.redhat.com/728562
* stdio.h, stdlib.h, string.h, stdarg.h and ctype.h inclusion done in setup_once.h
  Yang Tse, 2011-07-26, 1 file, -3/+0 lines
* source cleanup: unify look, style and indent levels
  Daniel Stenberg, 2011-04-27, 1 file, -30/+33 lines

  By the use of the new lib/checksrc.pl script that checks that our basic source style rules are followed.
* CURL_DOES_CONVERSIONS: cleanup
  Daniel Stenberg, 2011-04-20, 1 file, -1/+0 lines

  Massively reduce #ifdefs all over (23 #ifdef lines less so far)

  Moved conversion-specific code to non-ascii.c
* nss: allow to use multiple client certificates for a single host
  Kamil Dudka, 2011-04-08, 1 file, -2/+5 lines

  In case a client certificate is used, invalidate the SSL session cache at the end of a session. This forces NSS to ask for a new client certificate when connecting a second time to the same host.

  Bug: https://bugzilla.redhat.com/689031
* nss: fix a crash within SSL_AuthCertificate()
  Kamil Dudka, 2011-04-04, 1 file, -1/+1 lines

  The bug was introduced in 806dbb0 (a wrong value was passed in as the first argument to the default callback in our wrapper).
* nss: do not ignore value of CURLOPT_SSL_VERIFYPEER
  Kamil Dudka, 2011-03-15, 1 file, -18/+32 lines

  When NSS-powered libcurl connected to an SSL server with CURLOPT_SSL_VERIFYPEER equal to zero, NSS remembered that the peer certificate was accepted by libcurl and did not ask the second time when connecting to the same server with CURLOPT_SSL_VERIFYPEER equal to one.

  This patch turns off the SSL session cache for the particular SSL socket if peer verification is disabled. In order to avoid any performance impact, the peer verification is completely skipped in that case, which makes it even faster than before.

  Bug: https://bugzilla.redhat.com/678580
* nss: do not ignore failure of SSL handshake
  Kamil Dudka, 2011-02-22, 1 file, -4/+8 lines

  Flaw introduced in fc77790 and present in curl-7.21.4.

  Bug: https://bugzilla.redhat.com/669702#c16
* nss: avoid memory leak on SSL connection failure
  Kamil Dudka, 2011-02-17, 1 file, -1/+8 lines
* nss_load_key: fix unused variable warning
  Daniel Stenberg, 2011-02-16, 1 file, -0/+2 lines
* nss: avoid memory leaks and failure of NSS shutdown
  Kamil Dudka, 2011-01-27, 1 file, -101/+89 lines

  ... in case more than one CA is loaded.

  Bug: https://bugzilla.redhat.com/670802
* nss: fix a bug in handling of CURLOPT_CAPATH
  Kamil Dudka, 2011-01-18, 1 file, -56/+52 lines

  ... and update the curl.1 and curl_easy_setopt.3 man pages such that they do not suggest using an OpenSSL utility if curl is not built against OpenSSL.

  Bug: https://bugzilla.redhat.com/669702
* Curl_timeleft: s/conn/data in first argument
  Daniel Stenberg, 2011-01-04, 1 file, -1/+1 lines

  As the function doesn't really use the connectdata struct but only the SessionHandle struct, I modified what argument it wants.
* nss: avoid CURLE_OUT_OF_MEMORY given a file name without any slash
  Kamil Dudka, 2011-01-04, 1 file, -33/+40 lines

  Bug: https://bugzilla.redhat.com/623663
* Curl_nss_connect: avoid PATH_MAX
  Daniel Stenberg, 2011-01-02, 1 file, -4/+13 lines

  Since some systems don't have PATH_MAX and it isn't that clever to assume a fixed maximum path length, the code now allocates buffer space instead of using stack.

  Reported by: Samuel Thibault
  Bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=608521
* http_ntlm: add support for NSS
  Kamil Dudka, 2010-06-30, 1 file, -66/+96 lines

  When configured with '--without-ssl --with-nss', NTLM authentication now uses the NSS crypto library for MD5 and DES. For MD4 we have a local implementation in that case. More details are available at https://bugzilla.redhat.com/603783

  In order to get it working, curl_global_init() must be called with CURL_GLOBAL_SSL or CURL_GLOBAL_ALL. That's necessary because NSS needs to be initialized globally and we do so only when the NSS library is actually required by protocol. The mentioned call of curl_global_init() is responsible for creating the initialization mutex.

  The NSS initialization scenario was also slightly changed, in particular the loading of the NSS PEM module. It used to be loaded always right after the NSS library was initialized. Now the library is initialized as soon as any SSL or NTLM is required, while the PEM module is prevented from being loaded until SSL is actually required.
* sendrecv: make them two pairs of send/recv to properly deal with FTPS
  Howard Chu, 2010-05-11, 1 file, -2/+2 lines

  FTP(S) use two connections that can be set to different recv and send functions independently, so by introducing recv+send pairs in the same manner we already have sockets/connections we can work with FTPS fine.

  This commit fixes the FTPS regression introduced in change d64bd82.
* nss: make it possible to read ASCII and DER CRL
  Kamil Dudka, 2010-05-11, 1 file, -56/+53 lines
* nss: add CRL to cache instead of read-only NSS db
  Kamil Dudka, 2010-05-11, 1 file, -12/+30 lines