From 6e619393824922118317689ef59a73c556b7ef98 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Thu, 7 Apr 2005 15:27:13 +0000 Subject: GnuTLS support added. There's now a "generic" SSL layer that we use all over internally, with code provided by sslgen.c. All SSL-layer-specific code is then written in ssluse.c (for OpenSSL) and gtls.c (for GnuTLS). As far as possible, internals should not need to know what SSL layer that is in use. Building with GnuTLS currently makes two test cases fail. TODO.gnutls contains a few known outstanding issues for the GnuTLS support. GnuTLS support is enabled with configure --with-gnutls --- lib/sslgen.c | 535 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 535 insertions(+) create mode 100644 lib/sslgen.c (limited to 'lib/sslgen.c') diff --git a/lib/sslgen.c b/lib/sslgen.c new file mode 100644 index 000000000..fc1db457e --- /dev/null +++ b/lib/sslgen.c @@ -0,0 +1,535 @@ +/*************************************************************************** + * _ _ ____ _ + * Project ___| | | | _ \| | + * / __| | | | |_) | | + * | (__| |_| | _ <| |___ + * \___|\___/|_| \_\_____| + * + * Copyright (C) 1998 - 2005, Daniel Stenberg, , et al. + * + * This software is licensed as described in the file COPYING, which + * you should have received as part of this distribution. The terms + * are also available at http://curl.haxx.se/docs/copyright.html. + * + * You may opt to use, copy, modify, merge, publish, distribute and/or sell + * copies of the Software, and permit persons to whom the Software is + * furnished to do so, under the terms of the COPYING file. + * + * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY + * KIND, either express or implied. + * + * $Id$ + ***************************************************************************/ + +/* This file is for "generic" SSL functions that all libcurl internals should + use. It is responsible for calling the proper 'ossl' function in ssluse.c + (OpenSSL based) or the 'gtsl' function in gtsl.c (GnuTLS based). + + SSL-functions in libcurl should call functions in this source file, and not + to any specific SSL-layer. + + Curl_ssl_ - prefix for generic ones + Curl_ossl_ - prefix for OpenSSL ones + Curl_gtls_ - prefix for GnuTLS ones + + "SSL/TLS Strong Encryption: An Introduction" + http://httpd.apache.org/docs-2.0/ssl/ssl_intro.html +*/ + +#include "setup.h" +#include +#include +#include +#ifdef HAVE_SYS_TYPES_H +#include +#endif +#ifdef HAVE_SYS_SOCKET_H +#include +#endif + +#include "urldata.h" +#define SSLGEN_C +#include "sslgen.h" /* generic SSL protos etc */ +#include "ssluse.h" /* OpenSSL versions */ +#include "gtls.h" /* GnuTLS versions */ +#include "sendf.h" +#include "strequal.h" +#include "url.h" +#include "memory.h" +/* The last #include file should be: */ +#include "memdebug.h" + +/* "global" init done? */ +static bool init_ssl=FALSE; + +static bool safe_strequal(char* str1, char* str2); + +static bool safe_strequal(char* str1, char* str2) +{ + if(str1 && str2) + /* both pointers point to something then compare them */ + return strequal(str1, str2); + else + /* if both pointers are NULL then treat them as equal */ + return (!str1 && !str2); +} + +bool +Curl_ssl_config_matches(struct ssl_config_data* data, + struct ssl_config_data* needle) +{ + if((data->version == needle->version) && + (data->verifypeer == needle->verifypeer) && + (data->verifyhost == needle->verifyhost) && + safe_strequal(data->CApath, needle->CApath) && + safe_strequal(data->CAfile, needle->CAfile) && + safe_strequal(data->random_file, needle->random_file) && + safe_strequal(data->egdsocket, needle->egdsocket) && + safe_strequal(data->cipher_list, needle->cipher_list)) + return TRUE; + + return FALSE; +} + +bool +Curl_clone_ssl_config(struct ssl_config_data *source, + struct ssl_config_data *dest) +{ + dest->verifyhost = source->verifyhost; + dest->verifypeer = source->verifypeer; + dest->version = source->version; + + if(source->CAfile) { + dest->CAfile = strdup(source->CAfile); + if(!dest->CAfile) + return FALSE; + } + + if(source->CApath) { + dest->CApath = strdup(source->CApath); + if(!dest->CApath) + return FALSE; + } + + if(source->cipher_list) { + dest->cipher_list = strdup(source->cipher_list); + if(!dest->cipher_list) + return FALSE; + } + + if(source->egdsocket) { + dest->egdsocket = strdup(source->egdsocket); + if(!dest->egdsocket) + return FALSE; + } + + if(source->random_file) { + dest->random_file = strdup(source->random_file); + if(!dest->random_file) + return FALSE; + } + + return TRUE; +} + +void Curl_free_ssl_config(struct ssl_config_data* sslc) +{ + if(sslc->CAfile) + free(sslc->CAfile); + + if(sslc->CApath) + free(sslc->CApath); + + if(sslc->cipher_list) + free(sslc->cipher_list); + + if(sslc->egdsocket) + free(sslc->egdsocket); + + if(sslc->random_file) + free(sslc->random_file); +} + +/** + * Global SSL init + * + * @retval 0 error initializing SSL + * @retval 1 SSL initialized successfully + */ +int Curl_ssl_init(void) +{ + /* make sure this is only done once */ + if(init_ssl) + return 1; + init_ssl = TRUE; /* never again */ + +#ifdef USE_SSLEAY + return Curl_ossl_init(); +#else +#ifdef USE_GNUTLS + return Curl_gtls_init(); +#else + /* no SSL support */ +#endif /* USE_GNUTLS */ +#endif /* USE_SSLEAY */ + + return 1; +} + + +/* Global cleanup */ +void Curl_ssl_cleanup(void) +{ + if(init_ssl) { + /* only cleanup if we did a previous init */ +#ifdef USE_SSLEAY + Curl_ossl_cleanup(); +#else +#ifdef USE_GNUTLS + Curl_gtls_cleanup(); +#endif /* USE_GNUTLS */ +#endif /* USE_SSLEAY */ + init_ssl = FALSE; + } +} + +CURLcode +Curl_ssl_connect(struct connectdata *conn, int sockindex) +{ +#ifdef USE_SSL + /* mark this is being ssl enabled from here on. */ + conn->ssl[sockindex].use = TRUE; + +#ifdef USE_SSLEAY + return Curl_ossl_connect(conn, sockindex); +#else +#ifdef USE_GNUTLS + return Curl_gtls_connect(conn, sockindex); +#endif /* USE_GNUTLS */ +#endif /* USE_SSLEAY */ + +#else + /* without SSL */ + (void)conn; + (void)sockindex; + return CURLE_OK; +#endif /* USE_SSL */ +} + +#ifdef USE_SSL + +/* + * Check if there's a session ID for the given connection in the cache, and if + * there's one suitable, it is provided. Returns TRUE when no entry matched. + */ +int Curl_ssl_getsessionid(struct connectdata *conn, + void **ssl_sessionid, + size_t *idsize) /* set 0 if unknown */ +{ + struct curl_ssl_session *check; + struct SessionHandle *data = conn->data; + long i; + + for(i=0; i< data->set.ssl.numsessions; i++) { + check = &data->state.session[i]; + if(!check->sessionid) + /* not session ID means blank entry */ + continue; + if(curl_strequal(conn->host.name, check->name) && + (conn->remote_port == check->remote_port) && + Curl_ssl_config_matches(&conn->ssl_config, &check->ssl_config)) { + /* yes, we have a session ID! */ + data->state.sessionage++; /* increase general age */ + check->age = data->state.sessionage; /* set this as used in this age */ + *ssl_sessionid = check->sessionid; + if(idsize) + *idsize = check->idsize; + return FALSE; + } + } + *ssl_sessionid = NULL; + return TRUE; +} + +/* + * Kill a single session ID entry in the cache. + */ +static int kill_session(struct curl_ssl_session *session) +{ + if(session->sessionid) { + /* defensive check */ + + /* free the ID the SSL-layer specific way */ +#ifdef USE_SSLEAY + Curl_ossl_session_free(session->sessionid); +#else + Curl_gtls_session_free(session->sessionid); +#endif + session->sessionid=NULL; + session->age = 0; /* fresh */ + + Curl_free_ssl_config(&session->ssl_config); + + Curl_safefree(session->name); + session->name = NULL; /* no name */ + + return 0; /* ok */ + } + else + return 1; +} + +/* + * Store session id in the session cache. The ID passed on to this function + * must already have been extracted and allocated the proper way for the SSL + * layer. Curl_XXXX_session_free() will be called to free/kill the session ID + * later on. + */ +CURLcode Curl_ssl_addsessionid(struct connectdata *conn, + void *ssl_sessionid, + size_t idsize) +{ + int i; + struct SessionHandle *data=conn->data; /* the mother of all structs */ + struct curl_ssl_session *store = &data->state.session[0]; + long oldest_age=data->state.session[0].age; /* zero if unused */ + char *clone_host; + + clone_host = strdup(conn->host.name); + if(!clone_host) + return CURLE_OUT_OF_MEMORY; /* bail out */ + + /* Now we should add the session ID and the host name to the cache, (remove + the oldest if necessary) */ + + /* find an empty slot for us, or find the oldest */ + for(i=1; (iset.ssl.numsessions) && + data->state.session[i].sessionid; i++) { + if(data->state.session[i].age < oldest_age) { + oldest_age = data->state.session[i].age; + store = &data->state.session[i]; + } + } + if(i == data->set.ssl.numsessions) + /* cache is full, we must "kill" the oldest entry! */ + kill_session(store); + else + store = &data->state.session[i]; /* use this slot */ + + /* now init the session struct wisely */ + store->sessionid = ssl_sessionid; + store->idsize = idsize; + store->age = data->state.sessionage; /* set current age */ + store->name = clone_host; /* clone host name */ + store->remote_port = conn->remote_port; /* port number */ + + if (!Curl_clone_ssl_config(&conn->ssl_config, &store->ssl_config)) + return CURLE_OUT_OF_MEMORY; + + return CURLE_OK; +} + + +#endif + +void Curl_ssl_close_all(struct SessionHandle *data) +{ +#ifdef USE_SSL + int i; + /* kill the session ID cache */ + if(data->state.session) { + for(i=0; i< data->set.ssl.numsessions; i++) + /* the single-killer function handles empty table slots */ + kill_session(&data->state.session[i]); + + /* free the cache data */ + free(data->state.session); + data->state.session = NULL; + } +#ifdef USE_SSLEAY + Curl_ossl_close_all(data); +#else +#ifdef USE_GNUTLS + Curl_gtls_close_all(data); +#endif /* USE_GNUTLS */ +#endif /* USE_SSLEAY */ +#else /* USE_SSL */ + (void)data; +#endif /* USE_SSL */ +} + +void Curl_ssl_close(struct connectdata *conn) +{ + if(conn->ssl[FIRSTSOCKET].use) { +#ifdef USE_SSLEAY + Curl_ossl_close(conn); +#else +#ifdef USE_GNUTLS + Curl_gtls_close(conn); +#else + (void)conn; +#endif /* USE_GNUTLS */ +#endif /* USE_SSLEAY */ + } +} + +/* Selects an (Open)SSL crypto engine + */ +CURLcode Curl_ssl_set_engine(struct SessionHandle *data, const char *engine) +{ +#ifdef USE_SSLEAY + return Curl_ossl_set_engine(data, engine); +#else +#ifdef USE_GNUTLS + /* FIX: add code here */ + (void)data; + (void)engine; +#else + (void)data; + (void)engine; +#endif /* USE_GNUTLS */ +#endif /* USE_SSLEAY */ + return CURLE_FAILED_INIT; +} + +/* Selects an (Open?)SSL crypto engine + */ +CURLcode Curl_ssl_set_engine_default(struct SessionHandle *data) +{ +#ifdef USE_SSLEAY + return Curl_ossl_set_engine_default(data); +#else +#ifdef USE_GNUTLS + /* FIX: add code here */ + (void)data; +#else + (void)data; +#endif /* USE_GNUTLS */ +#endif /* USE_SSLEAY */ + return CURLE_FAILED_INIT; +} + +/* Return list of OpenSSL crypto engine names. */ +struct curl_slist *Curl_ssl_engines_list(struct SessionHandle *data) +{ +#ifdef USE_SSLEAY + return Curl_ossl_engines_list(data); +#else +#ifdef USE_GNUTLS + /* FIX: add code here? */ + (void)data; + return NULL; +#else + (void)data; + return NULL; +#endif /* USE_GNUTLS */ +#endif /* USE_SSLEAY */ +} + +/* return number of sent (non-SSL) bytes */ +int Curl_ssl_send(struct connectdata *conn, + int sockindex, + void *mem, + size_t len) +{ +#ifdef USE_SSLEAY + return Curl_ossl_send(conn, sockindex, mem, len); +#else +#ifdef USE_GNUTLS + return Curl_gtls_send(conn, sockindex, mem, len); +#else + (void)conn; + (void)sockindex; + (void)mem; + (void)len; + return 0; +#endif /* USE_GNUTLS */ +#endif /* USE_SSLEAY */ +} + +/* return number of received (decrypted) bytes */ + +/* + * If the read would block (EWOULDBLOCK) we return -1. Otherwise we return + * a regular CURLcode value. + */ +int Curl_ssl_recv(struct connectdata *conn, /* connection data */ + int sockindex, /* socketindex */ + char *mem, /* store read data here */ + size_t len) /* max amount to read */ +{ +#ifdef USE_SSL + ssize_t nread; + bool block = FALSE; + +#ifdef USE_SSLEAY + nread = Curl_ossl_recv(conn, sockindex, mem, len, &block); +#else +#ifdef USE_GNUTLS + nread = Curl_gtls_recv(conn, sockindex, mem, len, &block); +#endif /* USE_GNUTLS */ +#endif /* USE_SSLEAY */ + if(nread == -1) { + infof(conn->data, "Curl_xxx_rcvs returned -1, block = %s\n", + block?"TRUE":"FALSE"); + if(!block) + return 0; /* this is a true error, not EWOULDBLOCK */ + else + return -1; + } + + return nread; + +#else /* USE_SSL */ + (void)conn; + (void)sockindex; + (void)mem; + (void)len; + return 0; +#endif /* USE_SSL */ +} + + +/* + * This sets up a session ID cache to the specified size. Make sure this code + * is agnostic to what underlying SSL technology we use. + */ +CURLcode Curl_ssl_initsessions(struct SessionHandle *data, long amount) +{ + struct curl_ssl_session *session; + + if(data->state.session) + /* this is just a precaution to prevent multiple inits */ + return CURLE_OK; + + session = (struct curl_ssl_session *) + malloc(amount * sizeof(struct curl_ssl_session)); + if(!session) + return CURLE_OUT_OF_MEMORY; + + /* "blank out" the newly allocated memory */ + memset(session, 0, amount * sizeof(struct curl_ssl_session)); + + /* store the info in the SSL section */ + data->set.ssl.numsessions = amount; + data->state.session = session; + data->state.sessionage = 1; /* this is brand new */ + + return CURLE_OK; +} + +size_t Curl_ssl_version(char *buffer, size_t size) +{ +#ifdef USE_SSLEAY + return Curl_ossl_version(buffer, size); +#else +#ifdef USE_GNUTLS + return Curl_gtls_version(buffer, size); +#else + (void)buffer; + (void)size; + return 0; /* no SSL support */ +#endif /* USE_GNUTLS */ +#endif /* USE_SSLEAY */ +} + -- cgit v1.2.1 From 2fc70e2c5d6cf45de85119106db96699556abd60 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Fri, 8 Apr 2005 09:25:48 +0000 Subject: re-arrange some code to prevent warnings on unreachable code --- lib/sslgen.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) (limited to 'lib/sslgen.c') diff --git a/lib/sslgen.c b/lib/sslgen.c index fc1db457e..1945789a3 100644 --- a/lib/sslgen.c +++ b/lib/sslgen.c @@ -170,10 +170,9 @@ int Curl_ssl_init(void) return Curl_gtls_init(); #else /* no SSL support */ + return 1; #endif /* USE_GNUTLS */ #endif /* USE_SSLEAY */ - - return 1; } @@ -384,12 +383,14 @@ CURLcode Curl_ssl_set_engine(struct SessionHandle *data, const char *engine) /* FIX: add code here */ (void)data; (void)engine; + return CURLE_FAILED_INIT; #else + /* no SSL layer */ (void)data; (void)engine; + return CURLE_FAILED_INIT; #endif /* USE_GNUTLS */ #endif /* USE_SSLEAY */ - return CURLE_FAILED_INIT; } /* Selects an (Open?)SSL crypto engine @@ -402,11 +403,13 @@ CURLcode Curl_ssl_set_engine_default(struct SessionHandle *data) #ifdef USE_GNUTLS /* FIX: add code here */ (void)data; + return CURLE_FAILED_INIT; #else + /* No SSL layer */ (void)data; + return CURLE_FAILED_INIT; #endif /* USE_GNUTLS */ #endif /* USE_SSLEAY */ - return CURLE_FAILED_INIT; } /* Return list of OpenSSL crypto engine names. */ -- cgit v1.2.1 From f30e8b11eb86584620036dcea32ee5d821908664 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Tue, 19 Apr 2005 23:38:57 +0000 Subject: prevent compiler warning --- lib/sslgen.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'lib/sslgen.c') diff --git a/lib/sslgen.c b/lib/sslgen.c index 1945789a3..e7f0011b2 100644 --- a/lib/sslgen.c +++ b/lib/sslgen.c @@ -481,7 +481,7 @@ int Curl_ssl_recv(struct connectdata *conn, /* connection data */ return -1; } - return nread; + return (int)nread; #else /* USE_SSL */ (void)conn; -- cgit v1.2.1 From 2179e6e797de0cb577612b7929f4d520caf74350 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Wed, 4 May 2005 14:52:51 +0000 Subject: prevent memory leak when built SSL disabled --- lib/sslgen.c | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'lib/sslgen.c') diff --git a/lib/sslgen.c b/lib/sslgen.c index e7f0011b2..5e8f75332 100644 --- a/lib/sslgen.c +++ b/lib/sslgen.c @@ -499,6 +499,7 @@ int Curl_ssl_recv(struct connectdata *conn, /* connection data */ */ CURLcode Curl_ssl_initsessions(struct SessionHandle *data, long amount) { +#ifdef USE_SSL struct curl_ssl_session *session; if(data->state.session) @@ -517,6 +518,11 @@ CURLcode Curl_ssl_initsessions(struct SessionHandle *data, long amount) data->set.ssl.numsessions = amount; data->state.session = session; data->state.sessionage = 1; /* this is brand new */ +#else + /* without SSL, do nothing */ + (void)data; + (void)amount; +#endif return CURLE_OK; } -- cgit v1.2.1 From 274842ec418e79cb841e798a58f186fd48b54ec5 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Thu, 5 May 2005 06:04:00 +0000 Subject: use calloc instead of malloc to save a call to memset() --- lib/sslgen.c | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) (limited to 'lib/sslgen.c') diff --git a/lib/sslgen.c b/lib/sslgen.c index 5e8f75332..7592e668b 100644 --- a/lib/sslgen.c +++ b/lib/sslgen.c @@ -507,13 +507,10 @@ CURLcode Curl_ssl_initsessions(struct SessionHandle *data, long amount) return CURLE_OK; session = (struct curl_ssl_session *) - malloc(amount * sizeof(struct curl_ssl_session)); + calloc(sizeof(struct curl_ssl_session), amount); if(!session) return CURLE_OUT_OF_MEMORY; - /* "blank out" the newly allocated memory */ - memset(session, 0, amount * sizeof(struct curl_ssl_session)); - /* store the info in the SSL section */ data->set.ssl.numsessions = amount; data->state.session = session; -- cgit v1.2.1 From 84c4d96e71c54f410b9582375e92bcc0186c9103 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Thu, 11 Aug 2005 21:41:11 +0000 Subject: removed old debug left-over infof() call --- lib/sslgen.c | 2 -- 1 file changed, 2 deletions(-) (limited to 'lib/sslgen.c') diff --git a/lib/sslgen.c b/lib/sslgen.c index 7592e668b..d7d1259f3 100644 --- a/lib/sslgen.c +++ b/lib/sslgen.c @@ -473,8 +473,6 @@ int Curl_ssl_recv(struct connectdata *conn, /* connection data */ #endif /* USE_GNUTLS */ #endif /* USE_SSLEAY */ if(nread == -1) { - infof(conn->data, "Curl_xxx_rcvs returned -1, block = %s\n", - block?"TRUE":"FALSE"); if(!block) return 0; /* this is a true error, not EWOULDBLOCK */ else -- cgit v1.2.1 From 83367f67de9584b91570bcb53a153b8aa496d455 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Tue, 21 Mar 2006 21:54:44 +0000 Subject: Xavier Bouchoux made the SSL connection non-blocking for the multi interface (when using OpenSSL). --- lib/sslgen.c | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-) (limited to 'lib/sslgen.c') diff --git a/lib/sslgen.c b/lib/sslgen.c index d7d1259f3..a4c941050 100644 --- a/lib/sslgen.c +++ b/lib/sslgen.c @@ -5,7 +5,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 1998 - 2005, Daniel Stenberg, , et al. + * Copyright (C) 1998 - 2006, Daniel Stenberg, , et al. * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms @@ -215,6 +215,23 @@ Curl_ssl_connect(struct connectdata *conn, int sockindex) #endif /* USE_SSL */ } +CURLcode +Curl_ssl_connect_nonblocking(struct connectdata *conn, int sockindex, + bool *done) +{ +#if defined(USE_SSL) && defined(USE_SSLEAY) + /* mark this is being ssl enabled from here on. */ + conn->ssl[sockindex].use = TRUE; + return Curl_ossl_connect_nonblocking(conn, sockindex, done); + +#else + /* not implemented! + fallback to BLOCKING call. */ + *done = TRUE; + return Curl_ssl_connect(conn, sockindex); +#endif +} + #ifdef USE_SSL /* -- cgit v1.2.1 From c9c5ce23652db79f36925c1509a15ddf4f665422 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Wed, 10 May 2006 22:17:42 +0000 Subject: David McCreedy provided a fix for CURLINFO_LASTSOCKET that does extended checks on the to-be-returned socket to make sure it truly seems to be alive and well. For SSL connection it (only) uses OpenSSL functions. --- lib/sslgen.c | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) (limited to 'lib/sslgen.c') diff --git a/lib/sslgen.c b/lib/sslgen.c index a4c941050..f8f8ec622 100644 --- a/lib/sslgen.c +++ b/lib/sslgen.c @@ -554,3 +554,21 @@ size_t Curl_ssl_version(char *buffer, size_t size) #endif /* USE_SSLEAY */ } + +/* + * This function tries to determine connection status. + * + * Return codes: + * 1 means the connection is still in place + * 0 means the connection has been closed + * -1 means the connection status is unknown + */ +int Curl_ssl_check_cxn(struct connectdata *conn) +{ +#ifdef USE_SSLEAY + return Curl_ossl_check_cxn(conn); +#else + /* TODO: we lack implementation of this for GnuTLS */ + return -1; /* connection status unknown */ +#endif /* USE_SSLEAY */ +} -- cgit v1.2.1 From d9e14408f0e113a6056d4bde95cda6d0daee60f5 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Thu, 11 May 2006 05:16:38 +0000 Subject: silence warning --- lib/sslgen.c | 1 + 1 file changed, 1 insertion(+) (limited to 'lib/sslgen.c') diff --git a/lib/sslgen.c b/lib/sslgen.c index f8f8ec622..641131571 100644 --- a/lib/sslgen.c +++ b/lib/sslgen.c @@ -568,6 +568,7 @@ int Curl_ssl_check_cxn(struct connectdata *conn) #ifdef USE_SSLEAY return Curl_ossl_check_cxn(conn); #else + (void)conn; /* TODO: we lack implementation of this for GnuTLS */ return -1; /* connection status unknown */ #endif /* USE_SSLEAY */ -- cgit v1.2.1 From 29dc39fce1126265d8526be15beec3e3fdc1c11d Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Mon, 11 Sep 2006 17:18:18 +0000 Subject: - Fixed my breakage from earlier today so that doing curl_easy_cleanup() on a handle that is part of a multi handle first removes the handle from the stack. - Added CURLOPT_SSL_SESSIONID_CACHE and --no-sessionid to disable SSL session-ID re-use on demand since there obviously are broken servers out there that misbehave with session-IDs used. --- lib/sslgen.c | 8 ++++++++ 1 file changed, 8 insertions(+) (limited to 'lib/sslgen.c') diff --git a/lib/sslgen.c b/lib/sslgen.c index 641131571..fec358c51 100644 --- a/lib/sslgen.c +++ b/lib/sslgen.c @@ -246,6 +246,10 @@ int Curl_ssl_getsessionid(struct connectdata *conn, struct SessionHandle *data = conn->data; long i; + if(!conn->ssl_config.sessionid) + /* session ID re-use is disabled */ + return TRUE; + for(i=0; i< data->set.ssl.numsessions; i++) { check = &data->state.session[i]; if(!check->sessionid) @@ -311,6 +315,10 @@ CURLcode Curl_ssl_addsessionid(struct connectdata *conn, long oldest_age=data->state.session[0].age; /* zero if unused */ char *clone_host; + /* Even though session ID re-use might be disabled, that only disables USING + IT. We still store it here in case the re-using is again enabled for an + upcoming transfer */ + clone_host = strdup(conn->host.name); if(!clone_host) return CURLE_OUT_OF_MEMORY; /* bail out */ -- cgit v1.2.1 From 733a184ce0747c65fbc634e066cfac0ffae43d80 Mon Sep 17 00:00:00 2001 From: Yang Tse Date: Tue, 12 Sep 2006 23:51:01 +0000 Subject: Compiler warning fix --- lib/sslgen.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'lib/sslgen.c') diff --git a/lib/sslgen.c b/lib/sslgen.c index fec358c51..7d264b0de 100644 --- a/lib/sslgen.c +++ b/lib/sslgen.c @@ -68,10 +68,10 @@ static bool safe_strequal(char* str1, char* str2) { if(str1 && str2) /* both pointers point to something then compare them */ - return strequal(str1, str2); + return (bool)(0 != strequal(str1, str2)); else /* if both pointers are NULL then treat them as equal */ - return (!str1 && !str2); + return (bool)(!str1 && !str2); } bool -- cgit v1.2.1 From be0d17e812053bddd99e1d330c429399f17aee44 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Sat, 11 Nov 2006 21:34:43 +0000 Subject: cleaned up Curl_write() and the sub functions it uses for various protocols. They all now return ssize_t to Curl_write(). Unfortunately, Curl_read() is in a sorrier state but it too would benefit from a similar cleanup. --- lib/sslgen.c | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) (limited to 'lib/sslgen.c') diff --git a/lib/sslgen.c b/lib/sslgen.c index 7d264b0de..1e0248448 100644 --- a/lib/sslgen.c +++ b/lib/sslgen.c @@ -455,10 +455,10 @@ struct curl_slist *Curl_ssl_engines_list(struct SessionHandle *data) } /* return number of sent (non-SSL) bytes */ -int Curl_ssl_send(struct connectdata *conn, - int sockindex, - void *mem, - size_t len) +ssize_t Curl_ssl_send(struct connectdata *conn, + int sockindex, + void *mem, + size_t len) { #ifdef USE_SSLEAY return Curl_ossl_send(conn, sockindex, mem, len); @@ -481,10 +481,10 @@ int Curl_ssl_send(struct connectdata *conn, * If the read would block (EWOULDBLOCK) we return -1. Otherwise we return * a regular CURLcode value. */ -int Curl_ssl_recv(struct connectdata *conn, /* connection data */ - int sockindex, /* socketindex */ - char *mem, /* store read data here */ - size_t len) /* max amount to read */ +ssize_t Curl_ssl_recv(struct connectdata *conn, /* connection data */ + int sockindex, /* socketindex */ + char *mem, /* store read data here */ + size_t len) /* max amount to read */ { #ifdef USE_SSL ssize_t nread; -- cgit v1.2.1 From 72bd027537f6f09f3fceef1126bf917030c75c64 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Sat, 16 Dec 2006 21:05:33 +0000 Subject: Brendan Jurd pointed out these typos --- lib/sslgen.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'lib/sslgen.c') diff --git a/lib/sslgen.c b/lib/sslgen.c index 1e0248448..1d88ba343 100644 --- a/lib/sslgen.c +++ b/lib/sslgen.c @@ -23,7 +23,7 @@ /* This file is for "generic" SSL functions that all libcurl internals should use. It is responsible for calling the proper 'ossl' function in ssluse.c - (OpenSSL based) or the 'gtsl' function in gtsl.c (GnuTLS based). + (OpenSSL based) or the 'gtls' function in gtls.c (GnuTLS based). SSL-functions in libcurl should call functions in this source file, and not to any specific SSL-layer. -- cgit v1.2.1 From 4750e6f3c5fd42e19998242ddb63d7d5506b9fd9 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Fri, 5 Jan 2007 23:11:14 +0000 Subject: - Linus Nielsen Feltzing introduced the --ftp-ssl-ccc command line option to curl that uses the new CURLOPT_FTP_SSL_CCC option in libcurl. If enabled, it will make libcurl shutdown SSL/TLS after the authentication is done on a FTP-SSL operation. --- lib/sslgen.c | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) (limited to 'lib/sslgen.c') diff --git a/lib/sslgen.c b/lib/sslgen.c index 1d88ba343..e4fb5fb24 100644 --- a/lib/sslgen.c +++ b/lib/sslgen.c @@ -5,7 +5,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 1998 - 2006, Daniel Stenberg, , et al. + * Copyright (C) 1998 - 2007, Daniel Stenberg, , et al. * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms @@ -397,6 +397,18 @@ void Curl_ssl_close(struct connectdata *conn) } } +CURLcode Curl_ssl_shutdown(struct connectdata *conn, int sockindex) +{ + if(conn->ssl[sockindex].use) { +#ifdef USE_GNUTLS + return Curl_gtls_shutdown(conn, sockindex); +#else + return Curl_ossl_shutdown(conn, sockindex); +#endif + } + return CURLE_OK; +} + /* Selects an (Open)SSL crypto engine */ CURLcode Curl_ssl_set_engine(struct SessionHandle *data, const char *engine) -- cgit v1.2.1 From 7515a75206aee8f0e3c78301b4e8ce80f7aa9c98 Mon Sep 17 00:00:00 2001 From: Linus Nielsen Feltzing Date: Sat, 6 Jan 2007 10:49:11 +0000 Subject: Fix compilation errors when building without SSL --- lib/sslgen.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) (limited to 'lib/sslgen.c') diff --git a/lib/sslgen.c b/lib/sslgen.c index e4fb5fb24..cc9642b66 100644 --- a/lib/sslgen.c +++ b/lib/sslgen.c @@ -400,11 +400,16 @@ void Curl_ssl_close(struct connectdata *conn) CURLcode Curl_ssl_shutdown(struct connectdata *conn, int sockindex) { if(conn->ssl[sockindex].use) { +#ifdef USE_SSLEAY + return Curl_ossl_shutdown(conn, sockindex); +#else #ifdef USE_GNUTLS return Curl_gtls_shutdown(conn, sockindex); #else - return Curl_ossl_shutdown(conn, sockindex); -#endif + (void)conn; + (void)sockindex; +#endif /* USE_GNUTLS */ +#endif /* USE_SSLEAY */ } return CURLE_OK; } -- cgit v1.2.1 From d4651994110612c476a2b65dfa0f9b4f138fca68 Mon Sep 17 00:00:00 2001 From: Linus Nielsen Feltzing Date: Mon, 8 Jan 2007 11:24:11 +0000 Subject: Correct error code for CCC/SSL shutdown failure --- lib/sslgen.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) (limited to 'lib/sslgen.c') diff --git a/lib/sslgen.c b/lib/sslgen.c index cc9642b66..33f038017 100644 --- a/lib/sslgen.c +++ b/lib/sslgen.c @@ -401,10 +401,12 @@ CURLcode Curl_ssl_shutdown(struct connectdata *conn, int sockindex) { if(conn->ssl[sockindex].use) { #ifdef USE_SSLEAY - return Curl_ossl_shutdown(conn, sockindex); + if(Curl_ossl_shutdown(conn, sockindex)) + return CURLE_SSL_SHUTDOWN_FAILED; #else #ifdef USE_GNUTLS - return Curl_gtls_shutdown(conn, sockindex); + if(Curl_gtls_shutdown(conn, sockindex)) + return CURLE_SSL_SHUTDOWN_FAILED; #else (void)conn; (void)sockindex; -- cgit v1.2.1 From 3239f059b82d2b20a76f7470d8c4a334755f25c4 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Wed, 24 Jan 2007 17:19:08 +0000 Subject: moved the SSL pending function to the proper place and name --- lib/sslgen.c | 13 +++++++++++++ 1 file changed, 13 insertions(+) (limited to 'lib/sslgen.c') diff --git a/lib/sslgen.c b/lib/sslgen.c index 33f038017..210ea9af5 100644 --- a/lib/sslgen.c +++ b/lib/sslgen.c @@ -600,3 +600,16 @@ int Curl_ssl_check_cxn(struct connectdata *conn) return -1; /* connection status unknown */ #endif /* USE_SSLEAY */ } + +bool Curl_ssl_data_pending(struct connectdata *conn, + int connindex) +{ +#ifdef USE_SSLEAY + /* OpenSSL-specific */ + if(conn->ssl[connindex].handle) + /* SSL is in use */ + return SSL_pending(conn->ssl[connindex].handle); +#endif + return FALSE; /* nothing pending */ + +} -- cgit v1.2.1 From 2b280bcc69137e53650b06372cdfc60d86d214a3 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Thu, 25 Jan 2007 21:00:03 +0000 Subject: fix compiler warnings for SSL-disabled builds --- lib/sslgen.c | 3 +++ 1 file changed, 3 insertions(+) (limited to 'lib/sslgen.c') diff --git a/lib/sslgen.c b/lib/sslgen.c index 210ea9af5..f110a51ea 100644 --- a/lib/sslgen.c +++ b/lib/sslgen.c @@ -609,6 +609,9 @@ bool Curl_ssl_data_pending(struct connectdata *conn, if(conn->ssl[connindex].handle) /* SSL is in use */ return SSL_pending(conn->ssl[connindex].handle); +#else + (void)conn; + (void)connindex; #endif return FALSE; /* nothing pending */ -- cgit v1.2.1 From d2dd3d7e16fcebdb34d41c944c5a5aef0d0d8bcf Mon Sep 17 00:00:00 2001 From: Yang Tse Date: Thu, 1 Feb 2007 15:36:56 +0000 Subject: compiler warning fix --- lib/sslgen.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'lib/sslgen.c') diff --git a/lib/sslgen.c b/lib/sslgen.c index f110a51ea..5b75c3807 100644 --- a/lib/sslgen.c +++ b/lib/sslgen.c @@ -608,7 +608,7 @@ bool Curl_ssl_data_pending(struct connectdata *conn, /* OpenSSL-specific */ if(conn->ssl[connindex].handle) /* SSL is in use */ - return SSL_pending(conn->ssl[connindex].handle); + return (bool)(0 != SSL_pending(conn->ssl[connindex].handle)); #else (void)conn; (void)connindex; -- cgit v1.2.1 From 7f70dbcad58eb7183d129860192d6968dd7063a1 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Mon, 12 Feb 2007 22:32:37 +0000 Subject: Rob Crittenden added support for NSS (Network Security Service) for the SSL/TLS layer. http://www.mozilla.org/projects/security/pki/nss/ --- lib/sslgen.c | 71 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++-- 1 file changed, 69 insertions(+), 2 deletions(-) (limited to 'lib/sslgen.c') diff --git a/lib/sslgen.c b/lib/sslgen.c index 5b75c3807..9043cee29 100644 --- a/lib/sslgen.c +++ b/lib/sslgen.c @@ -31,6 +31,7 @@ Curl_ssl_ - prefix for generic ones Curl_ossl_ - prefix for OpenSSL ones Curl_gtls_ - prefix for GnuTLS ones + Curl_nss_ - prefix for NSS ones "SSL/TLS Strong Encryption: An Introduction" http://httpd.apache.org/docs-2.0/ssl/ssl_intro.html @@ -52,6 +53,7 @@ #include "sslgen.h" /* generic SSL protos etc */ #include "ssluse.h" /* OpenSSL versions */ #include "gtls.h" /* GnuTLS versions */ +#include "nssg.h" /* NSS versions */ #include "sendf.h" #include "strequal.h" #include "url.h" @@ -168,9 +170,13 @@ int Curl_ssl_init(void) #else #ifdef USE_GNUTLS return Curl_gtls_init(); +#else +#ifdef USE_NSS + return Curl_nss_init(); #else /* no SSL support */ return 1; +#endif /* USE_NSS */ #endif /* USE_GNUTLS */ #endif /* USE_SSLEAY */ } @@ -186,6 +192,9 @@ void Curl_ssl_cleanup(void) #else #ifdef USE_GNUTLS Curl_gtls_cleanup(); +#ifdef USE_NSS + Curl_nss_cleanup(); +#endif /* USE_NSS */ #endif /* USE_GNUTLS */ #endif /* USE_SSLEAY */ init_ssl = FALSE; @@ -204,6 +213,10 @@ Curl_ssl_connect(struct connectdata *conn, int sockindex) #else #ifdef USE_GNUTLS return Curl_gtls_connect(conn, sockindex); +#else +#ifdef USE_NSS + return Curl_nss_connect(conn, sockindex); +#endif /* USE_NSS */ #endif /* USE_GNUTLS */ #endif /* USE_SSLEAY */ @@ -224,12 +237,17 @@ Curl_ssl_connect_nonblocking(struct connectdata *conn, int sockindex, conn->ssl[sockindex].use = TRUE; return Curl_ossl_connect_nonblocking(conn, sockindex, done); +#else +#ifdef USE_NSS + *done = TRUE; /* fallback to BLOCKING */ + return Curl_nss_connect(conn, sockindex); #else /* not implemented! fallback to BLOCKING call. */ *done = TRUE; return Curl_ssl_connect(conn, sockindex); -#endif +#endif /* USE_NSS */ +#endif /* USE_SSLEAY */ } #ifdef USE_SSL @@ -283,8 +301,14 @@ static int kill_session(struct curl_ssl_session *session) #ifdef USE_SSLEAY Curl_ossl_session_free(session->sessionid); #else +#ifdef USE_GNUTLS Curl_gtls_session_free(session->sessionid); -#endif +#else +#ifdef USE_NSS + /* NSS has its own session ID cache */ +#endif /* USE_NSS */ +#endif /* USE_GNUTLS */ +#endif /* USE_SSLEAY */ session->sessionid=NULL; session->age = 0; /* fresh */ @@ -375,6 +399,10 @@ void Curl_ssl_close_all(struct SessionHandle *data) #else #ifdef USE_GNUTLS Curl_gtls_close_all(data); +#else +#ifdef USE_NSS + Curl_nss_close_all(data); +#endif /* USE_NSS */ #endif /* USE_GNUTLS */ #endif /* USE_SSLEAY */ #else /* USE_SSL */ @@ -390,8 +418,12 @@ void Curl_ssl_close(struct connectdata *conn) #else #ifdef USE_GNUTLS Curl_gtls_close(conn); +#else +#ifdef USE_GNUTLS + Curl_nss_close(conn); #else (void)conn; +#endif /* USE_NSS */ #endif /* USE_GNUTLS */ #endif /* USE_SSLEAY */ } @@ -428,11 +460,18 @@ CURLcode Curl_ssl_set_engine(struct SessionHandle *data, const char *engine) (void)data; (void)engine; return CURLE_FAILED_INIT; +#else +#ifdef USE_NSS + /* NSS doesn't set an engine this way */ + (void)data; + (void)engine; + return CURLE_FAILED_INIT; #else /* no SSL layer */ (void)data; (void)engine; return CURLE_FAILED_INIT; +#endif /* USE_NSS */ #endif /* USE_GNUTLS */ #endif /* USE_SSLEAY */ } @@ -448,10 +487,16 @@ CURLcode Curl_ssl_set_engine_default(struct SessionHandle *data) /* FIX: add code here */ (void)data; return CURLE_FAILED_INIT; +#else +#ifdef USE_NSS + /* A no-op for NSS */ + (void)data; + return CURLE_FAILED_INIT; #else /* No SSL layer */ (void)data; return CURLE_FAILED_INIT; +#endif /* USE_NSS */ #endif /* USE_GNUTLS */ #endif /* USE_SSLEAY */ } @@ -467,8 +512,14 @@ struct curl_slist *Curl_ssl_engines_list(struct SessionHandle *data) (void)data; return NULL; #else +#ifdef USE_NSS + /* In theory we could return the PKCS#11 modules loaded but that + * would just confuse things */ (void)data; return NULL; + (void)data; + return NULL; +#endif /* USE_NSS */ #endif /* USE_GNUTLS */ #endif /* USE_SSLEAY */ } @@ -484,12 +535,16 @@ ssize_t Curl_ssl_send(struct connectdata *conn, #else #ifdef USE_GNUTLS return Curl_gtls_send(conn, sockindex, mem, len); +#else +#ifdef USE_NSS + return Curl_nss_send(conn, sockindex, mem, len); #else (void)conn; (void)sockindex; (void)mem; (void)len; return 0; +#endif /* USE_NSS */ #endif /* USE_GNUTLS */ #endif /* USE_SSLEAY */ } @@ -514,6 +569,10 @@ ssize_t Curl_ssl_recv(struct connectdata *conn, /* connection data */ #else #ifdef USE_GNUTLS nread = Curl_gtls_recv(conn, sockindex, mem, len, &block); +#else +#ifdef USE_NSS + nread = Curl_nss_recv(conn, sockindex, mem, len, &block); +#endif /* USE_NSS */ #endif /* USE_GNUTLS */ #endif /* USE_SSLEAY */ if(nread == -1) { @@ -573,10 +632,14 @@ size_t Curl_ssl_version(char *buffer, size_t size) #else #ifdef USE_GNUTLS return Curl_gtls_version(buffer, size); +#else +#ifdef USE_NSS + return Curl_nss_version(buffer, size); #else (void)buffer; (void)size; return 0; /* no SSL support */ +#endif /* USE_NSS */ #endif /* USE_GNUTLS */ #endif /* USE_SSLEAY */ } @@ -594,10 +657,14 @@ int Curl_ssl_check_cxn(struct connectdata *conn) { #ifdef USE_SSLEAY return Curl_ossl_check_cxn(conn); +#else +#ifdef USE_NSS + return Curl_nss_check_cxn(conn); #else (void)conn; /* TODO: we lack implementation of this for GnuTLS */ return -1; /* connection status unknown */ +#endif /* USE_NSS */ #endif /* USE_SSLEAY */ } -- cgit v1.2.1 From 5649b738befc3c509136313c914e43b90304a450 Mon Sep 17 00:00:00 2001 From: Yang Tse Date: Tue, 13 Feb 2007 02:30:31 +0000 Subject: compiler warning fix --- lib/sslgen.c | 1 + 1 file changed, 1 insertion(+) (limited to 'lib/sslgen.c') diff --git a/lib/sslgen.c b/lib/sslgen.c index 9043cee29..6b1de1e3c 100644 --- a/lib/sslgen.c +++ b/lib/sslgen.c @@ -517,6 +517,7 @@ struct curl_slist *Curl_ssl_engines_list(struct SessionHandle *data) * would just confuse things */ (void)data; return NULL; +#else (void)data; return NULL; #endif /* USE_NSS */ -- cgit v1.2.1 From c514a2a89aa1c1e06b70405eedb4e1f70b27fd10 Mon Sep 17 00:00:00 2001 From: Gisle Vanem Date: Mon, 26 Feb 2007 04:24:26 +0000 Subject: Removed inclusion of and in .c-files since they're already included through "setup.h". --- lib/sslgen.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) (limited to 'lib/sslgen.c') diff --git a/lib/sslgen.c b/lib/sslgen.c index 6b1de1e3c..6bf240395 100644 --- a/lib/sslgen.c +++ b/lib/sslgen.c @@ -38,12 +38,10 @@ */ #include "setup.h" + #include #include #include -#ifdef HAVE_SYS_TYPES_H -#include -#endif #ifdef HAVE_SYS_SOCKET_H #include #endif -- cgit v1.2.1 From 92039629c7e72f9d792f963b5818630dce61c9cb Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Sat, 21 Apr 2007 21:24:53 +0000 Subject: Curl_ssl_close(): mark the connection as not using SSL anymore, to better survive getting called twice --- lib/sslgen.c | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) (limited to 'lib/sslgen.c') diff --git a/lib/sslgen.c b/lib/sslgen.c index 6bf240395..faabeeb0d 100644 --- a/lib/sslgen.c +++ b/lib/sslgen.c @@ -413,17 +413,14 @@ void Curl_ssl_close(struct connectdata *conn) if(conn->ssl[FIRSTSOCKET].use) { #ifdef USE_SSLEAY Curl_ossl_close(conn); -#else +#endif /* USE_SSLEAY */ #ifdef USE_GNUTLS Curl_gtls_close(conn); -#else -#ifdef USE_GNUTLS +#endif /* USE_GNUTLS */ +#ifdef USE_NSS Curl_nss_close(conn); -#else - (void)conn; #endif /* USE_NSS */ -#endif /* USE_GNUTLS */ -#endif /* USE_SSLEAY */ + conn->ssl[FIRSTSOCKET].use = FALSE; } } -- cgit v1.2.1 From b3461bab1df4221abf74d7c159cf5c719b1b9744 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Mon, 23 Jul 2007 21:46:26 +0000 Subject: Implemented the parts of Patrick Monnerat's OS/400 patch that introduces support for the OS/400 Secure Sockets Layer library --- lib/sslgen.c | 70 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 70 insertions(+) (limited to 'lib/sslgen.c') diff --git a/lib/sslgen.c b/lib/sslgen.c index faabeeb0d..56f626ac2 100644 --- a/lib/sslgen.c +++ b/lib/sslgen.c @@ -52,6 +52,7 @@ #include "ssluse.h" /* OpenSSL versions */ #include "gtls.h" /* GnuTLS versions */ #include "nssg.h" /* NSS versions */ +#include "qssl.h" /* QSOSSL versions */ #include "sendf.h" #include "strequal.h" #include "url.h" @@ -171,9 +172,13 @@ int Curl_ssl_init(void) #else #ifdef USE_NSS return Curl_nss_init(); +#else +#ifdef USE_QSOSSL + return Curl_qsossl_init(); #else /* no SSL support */ return 1; +#endif /* USE_QSOSSL */ #endif /* USE_NSS */ #endif /* USE_GNUTLS */ #endif /* USE_SSLEAY */ @@ -190,8 +195,13 @@ void Curl_ssl_cleanup(void) #else #ifdef USE_GNUTLS Curl_gtls_cleanup(); +#else #ifdef USE_NSS Curl_nss_cleanup(); +#else +#ifdef USE_QSOSSL + Curl_qsossl_cleanup(); +#endif /* USE_QSOSSL */ #endif /* USE_NSS */ #endif /* USE_GNUTLS */ #endif /* USE_SSLEAY */ @@ -214,6 +224,10 @@ Curl_ssl_connect(struct connectdata *conn, int sockindex) #else #ifdef USE_NSS return Curl_nss_connect(conn, sockindex); +#else +#ifdef USE_QSOSSL + return Curl_qsossl_connect(conn, sockindex); +#endif /* USE_QSOSSL */ #endif /* USE_NSS */ #endif /* USE_GNUTLS */ #endif /* USE_SSLEAY */ @@ -239,11 +253,16 @@ Curl_ssl_connect_nonblocking(struct connectdata *conn, int sockindex, #ifdef USE_NSS *done = TRUE; /* fallback to BLOCKING */ return Curl_nss_connect(conn, sockindex); +#else +#ifdef USE_QSOSSL + *done = TRUE; /* fallback to BLOCKING */ + return Curl_qsossl_connect(conn, sockindex); #else /* not implemented! fallback to BLOCKING call. */ *done = TRUE; return Curl_ssl_connect(conn, sockindex); +#endif /* USE_QSOSSL */ #endif /* USE_NSS */ #endif /* USE_SSLEAY */ } @@ -302,9 +321,13 @@ static int kill_session(struct curl_ssl_session *session) #ifdef USE_GNUTLS Curl_gtls_session_free(session->sessionid); #else +#ifdef USE_QSOSSL + /* No session handling for QsoSSL. */ +#else #ifdef USE_NSS /* NSS has its own session ID cache */ #endif /* USE_NSS */ +#endif /* USE_QSOSSL */ #endif /* USE_GNUTLS */ #endif /* USE_SSLEAY */ session->sessionid=NULL; @@ -400,6 +423,10 @@ void Curl_ssl_close_all(struct SessionHandle *data) #else #ifdef USE_NSS Curl_nss_close_all(data); +#else +#ifdef USE_QSOSSL + Curl_qsossl_close_all(data); +#endif /* USE_QSOSSL */ #endif /* USE_NSS */ #endif /* USE_GNUTLS */ #endif /* USE_SSLEAY */ @@ -420,6 +447,9 @@ void Curl_ssl_close(struct connectdata *conn) #ifdef USE_NSS Curl_nss_close(conn); #endif /* USE_NSS */ +#ifdef USE_QSOSSL + Curl_qsossl_close(conn); +#endif /* USE_QSOSSL */ conn->ssl[FIRSTSOCKET].use = FALSE; } } @@ -434,9 +464,14 @@ CURLcode Curl_ssl_shutdown(struct connectdata *conn, int sockindex) #ifdef USE_GNUTLS if(Curl_gtls_shutdown(conn, sockindex)) return CURLE_SSL_SHUTDOWN_FAILED; +#else +#ifdef USE_QSOSSL + if(Curl_qsossl_shutdown(conn, sockindex)) + return CURLE_SSL_SHUTDOWN_FAILED; #else (void)conn; (void)sockindex; +#endif /* USE_QSOSSL */ #endif /* USE_GNUTLS */ #endif /* USE_SSLEAY */ } @@ -461,11 +496,18 @@ CURLcode Curl_ssl_set_engine(struct SessionHandle *data, const char *engine) (void)data; (void)engine; return CURLE_FAILED_INIT; +#else +#ifdef USE_QSOSSL + /* QSOSSL doesn't set an engine this way */ + (void)data; + (void)engine; + return CURLE_FAILED_INIT; #else /* no SSL layer */ (void)data; (void)engine; return CURLE_FAILED_INIT; +#endif /* USE_QSOSSL */ #endif /* USE_NSS */ #endif /* USE_GNUTLS */ #endif /* USE_SSLEAY */ @@ -487,10 +529,16 @@ CURLcode Curl_ssl_set_engine_default(struct SessionHandle *data) /* A no-op for NSS */ (void)data; return CURLE_FAILED_INIT; +#else +#ifdef USE_QSOSSL + /* A no-op for QSOSSL */ + (void)data; + return CURLE_FAILED_INIT; #else /* No SSL layer */ (void)data; return CURLE_FAILED_INIT; +#endif /* USE_QSOSSL */ #endif /* USE_NSS */ #endif /* USE_GNUTLS */ #endif /* USE_SSLEAY */ @@ -512,9 +560,15 @@ struct curl_slist *Curl_ssl_engines_list(struct SessionHandle *data) * would just confuse things */ (void)data; return NULL; +#else +#ifdef USE_QSOSSL + /* No engine support in QSOSSL. */ + (void)data; + return NULL; #else (void)data; return NULL; +#endif /* USE_QSOSSL */ #endif /* USE_NSS */ #endif /* USE_GNUTLS */ #endif /* USE_SSLEAY */ @@ -534,12 +588,16 @@ ssize_t Curl_ssl_send(struct connectdata *conn, #else #ifdef USE_NSS return Curl_nss_send(conn, sockindex, mem, len); +#else +#ifdef USE_QSOSSL + return Curl_qsossl_send(conn, sockindex, mem, len); #else (void)conn; (void)sockindex; (void)mem; (void)len; return 0; +#endif /* USE_QSOSSL */ #endif /* USE_NSS */ #endif /* USE_GNUTLS */ #endif /* USE_SSLEAY */ @@ -568,6 +626,10 @@ ssize_t Curl_ssl_recv(struct connectdata *conn, /* connection data */ #else #ifdef USE_NSS nread = Curl_nss_recv(conn, sockindex, mem, len, &block); +#else +#ifdef USE_QSOSSL + nread = Curl_qsossl_recv(conn, sockindex, mem, len, &block); +#endif /* USE_QSOSSL */ #endif /* USE_NSS */ #endif /* USE_GNUTLS */ #endif /* USE_SSLEAY */ @@ -631,10 +693,14 @@ size_t Curl_ssl_version(char *buffer, size_t size) #else #ifdef USE_NSS return Curl_nss_version(buffer, size); +#else +#ifdef USE_QSOSSL + return Curl_qsossl_version(buffer, size); #else (void)buffer; (void)size; return 0; /* no SSL support */ +#endif /* USE_QSOSSL */ #endif /* USE_NSS */ #endif /* USE_GNUTLS */ #endif /* USE_SSLEAY */ @@ -656,10 +722,14 @@ int Curl_ssl_check_cxn(struct connectdata *conn) #else #ifdef USE_NSS return Curl_nss_check_cxn(conn); +#else +#ifdef USE_QSOSSL + return Curl_qsossl_check_cxn(conn); #else (void)conn; /* TODO: we lack implementation of this for GnuTLS */ return -1; /* connection status unknown */ +#endif /* USE_QSOSSL */ #endif /* USE_NSS */ #endif /* USE_SSLEAY */ } -- cgit v1.2.1 From f1fa7b8ba469d9b8681e30f107b44004695b32e9 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Sun, 29 Jul 2007 12:54:05 +0000 Subject: Bug report #1759542 (http://curl.haxx.se/bug/view.cgi?id=1759542). A bad use of a socket after it has been closed, when the FTP-SSL data connection is taken down. --- lib/sslgen.c | 35 ++++++++++++++++------------------- 1 file changed, 16 insertions(+), 19 deletions(-) (limited to 'lib/sslgen.c') diff --git a/lib/sslgen.c b/lib/sslgen.c index 56f626ac2..b452d504f 100644 --- a/lib/sslgen.c +++ b/lib/sslgen.c @@ -435,46 +435,43 @@ void Curl_ssl_close_all(struct SessionHandle *data) #endif /* USE_SSL */ } -void Curl_ssl_close(struct connectdata *conn) +void Curl_ssl_close(struct connectdata *conn, int sockindex) { - if(conn->ssl[FIRSTSOCKET].use) { + DEBUGASSERT((sockindex <= 1) && (sockindex >= -1)); + #ifdef USE_SSLEAY - Curl_ossl_close(conn); + Curl_ossl_close(conn, sockindex); #endif /* USE_SSLEAY */ #ifdef USE_GNUTLS - Curl_gtls_close(conn); + Curl_gtls_close(conn, sockindex); #endif /* USE_GNUTLS */ #ifdef USE_NSS - Curl_nss_close(conn); + Curl_nss_close(conn, sockindex); #endif /* USE_NSS */ #ifdef USE_QSOSSL - Curl_qsossl_close(conn); + Curl_qsossl_close(conn, sockindex); #endif /* USE_QSOSSL */ - conn->ssl[FIRSTSOCKET].use = FALSE; - } } CURLcode Curl_ssl_shutdown(struct connectdata *conn, int sockindex) { - if(conn->ssl[sockindex].use) { #ifdef USE_SSLEAY - if(Curl_ossl_shutdown(conn, sockindex)) - return CURLE_SSL_SHUTDOWN_FAILED; + if(Curl_ossl_shutdown(conn, sockindex)) + return CURLE_SSL_SHUTDOWN_FAILED; #else #ifdef USE_GNUTLS - if(Curl_gtls_shutdown(conn, sockindex)) - return CURLE_SSL_SHUTDOWN_FAILED; + if(Curl_gtls_shutdown(conn, sockindex)) + return CURLE_SSL_SHUTDOWN_FAILED; #else #ifdef USE_QSOSSL - if(Curl_qsossl_shutdown(conn, sockindex)) - return CURLE_SSL_SHUTDOWN_FAILED; -#else - (void)conn; - (void)sockindex; + if(Curl_qsossl_shutdown(conn, sockindex)) + return CURLE_SSL_SHUTDOWN_FAILED; #endif /* USE_QSOSSL */ #endif /* USE_GNUTLS */ #endif /* USE_SSLEAY */ - } + + conn->ssl[sockindex].use = FALSE; /* get back to ordinary socket usage */ + return CURLE_OK; } -- cgit v1.2.1 From ea908c23ae598be7132448beece49196b2f7cf60 Mon Sep 17 00:00:00 2001 From: Dan Fandrich Date: Mon, 30 Jul 2007 17:05:39 +0000 Subject: Fixed compiler warning on non-SSL builds --- lib/sslgen.c | 4 ++++ 1 file changed, 4 insertions(+) (limited to 'lib/sslgen.c') diff --git a/lib/sslgen.c b/lib/sslgen.c index b452d504f..7410a00de 100644 --- a/lib/sslgen.c +++ b/lib/sslgen.c @@ -451,6 +451,10 @@ void Curl_ssl_close(struct connectdata *conn, int sockindex) #ifdef USE_QSOSSL Curl_qsossl_close(conn, sockindex); #endif /* USE_QSOSSL */ +#ifndef USE_SSL + (void)conn; + (void)sockindex; +#endif /* !USE_SSL */ } CURLcode Curl_ssl_shutdown(struct connectdata *conn, int sockindex) -- cgit v1.2.1 From 50c10aa5bf545eedfdbe561116656b6ec12654cd Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Wed, 1 Aug 2007 21:20:01 +0000 Subject: Patrick Monnerat and I modified libcurl so that now it *copies* all strings passed to it with curl_easy_setopt()! Previously it has always just refered to the data, forcing the user to keep the data around until libcurl is done with it. That is now history and libcurl will instead clone the given strings and keep private copies. --- lib/sslgen.c | 19 +++++-------------- 1 file changed, 5 insertions(+), 14 deletions(-) (limited to 'lib/sslgen.c') diff --git a/lib/sslgen.c b/lib/sslgen.c index 7410a00de..90af86053 100644 --- a/lib/sslgen.c +++ b/lib/sslgen.c @@ -135,20 +135,11 @@ Curl_clone_ssl_config(struct ssl_config_data *source, void Curl_free_ssl_config(struct ssl_config_data* sslc) { - if(sslc->CAfile) - free(sslc->CAfile); - - if(sslc->CApath) - free(sslc->CApath); - - if(sslc->cipher_list) - free(sslc->cipher_list); - - if(sslc->egdsocket) - free(sslc->egdsocket); - - if(sslc->random_file) - free(sslc->random_file); + Curl_safefree(sslc->CAfile); + Curl_safefree(sslc->CApath); + Curl_safefree(sslc->cipher_list); + Curl_safefree(sslc->egdsocket); + Curl_safefree(sslc->random_file); } /** -- cgit v1.2.1 From 8cf0814a143d99de813fbd1653b785252b4c58a6 Mon Sep 17 00:00:00 2001 From: Dan Fandrich Date: Mon, 27 Aug 2007 06:31:28 +0000 Subject: Fixed some minor type mismatches and missing consts mainly found by splint. --- lib/sslgen.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'lib/sslgen.c') diff --git a/lib/sslgen.c b/lib/sslgen.c index 90af86053..3549232ab 100644 --- a/lib/sslgen.c +++ b/lib/sslgen.c @@ -345,7 +345,7 @@ CURLcode Curl_ssl_addsessionid(struct connectdata *conn, void *ssl_sessionid, size_t idsize) { - int i; + long i; struct SessionHandle *data=conn->data; /* the mother of all structs */ struct curl_ssl_session *store = &data->state.session[0]; long oldest_age=data->state.session[0].age; /* zero if unused */ @@ -395,7 +395,7 @@ CURLcode Curl_ssl_addsessionid(struct connectdata *conn, void Curl_ssl_close_all(struct SessionHandle *data) { #ifdef USE_SSL - int i; + long i; /* kill the session ID cache */ if(data->state.session) { for(i=0; i< data->set.ssl.numsessions; i++) @@ -632,7 +632,7 @@ ssize_t Curl_ssl_recv(struct connectdata *conn, /* connection data */ return -1; } - return (int)nread; + return nread; #else /* USE_SSL */ (void)conn; @@ -726,7 +726,7 @@ int Curl_ssl_check_cxn(struct connectdata *conn) #endif /* USE_SSLEAY */ } -bool Curl_ssl_data_pending(struct connectdata *conn, +bool Curl_ssl_data_pending(const struct connectdata *conn, int connindex) { #ifdef USE_SSLEAY -- cgit v1.2.1 From bdfeaa0f953a920ca4b565d502238cf8f8e23ce3 Mon Sep 17 00:00:00 2001 From: Dan Fandrich Date: Tue, 25 Sep 2007 06:45:05 +0000 Subject: #ifdef out a few more functions when SSL is disabled. --- lib/sslgen.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'lib/sslgen.c') diff --git a/lib/sslgen.c b/lib/sslgen.c index 3549232ab..ed578490d 100644 --- a/lib/sslgen.c +++ b/lib/sslgen.c @@ -390,7 +390,7 @@ CURLcode Curl_ssl_addsessionid(struct connectdata *conn, } -#endif +#endif /* USE_SSL */ void Curl_ssl_close_all(struct SessionHandle *data) { -- cgit v1.2.1 From cbd1a77ec24e397d05f20c6de106625676343c9d Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Wed, 7 Nov 2007 09:21:35 +0000 Subject: if () => if() while () => while() and some other minor re-indentings --- lib/sslgen.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'lib/sslgen.c') diff --git a/lib/sslgen.c b/lib/sslgen.c index ed578490d..b76f807b8 100644 --- a/lib/sslgen.c +++ b/lib/sslgen.c @@ -383,7 +383,7 @@ CURLcode Curl_ssl_addsessionid(struct connectdata *conn, store->name = clone_host; /* clone host name */ store->remote_port = conn->remote_port; /* port number */ - if (!Curl_clone_ssl_config(&conn->ssl_config, &store->ssl_config)) + if(!Curl_clone_ssl_config(&conn->ssl_config, &store->ssl_config)) return CURLE_OUT_OF_MEMORY; return CURLE_OK; -- cgit v1.2.1 From c80b9c3778597058f60b40b439bcf09a400d0012 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Sun, 18 Nov 2007 09:45:05 +0000 Subject: Rob Crittenden fixed SSL connections with NSS done with the multi-interface --- lib/sslgen.c | 1 + 1 file changed, 1 insertion(+) (limited to 'lib/sslgen.c') diff --git a/lib/sslgen.c b/lib/sslgen.c index b76f807b8..a8f4e2539 100644 --- a/lib/sslgen.c +++ b/lib/sslgen.c @@ -243,6 +243,7 @@ Curl_ssl_connect_nonblocking(struct connectdata *conn, int sockindex, #else #ifdef USE_NSS *done = TRUE; /* fallback to BLOCKING */ + conn->ssl[sockindex].use = TRUE; return Curl_nss_connect(conn, sockindex); #else #ifdef USE_QSOSSL -- cgit v1.2.1 From 0561bffab3e99edcac2ae79ab0813f5ceacaf930 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Mon, 19 Nov 2007 09:24:24 +0000 Subject: I think this is the right fix for other non-OpenSSL libs, based on the NSS fix from the other day. It is time to setup the internal SSL libs and treat them with a "handler" struct similar to how we deal with the protocols these days... --- lib/sslgen.c | 2 ++ 1 file changed, 2 insertions(+) (limited to 'lib/sslgen.c') diff --git a/lib/sslgen.c b/lib/sslgen.c index a8f4e2539..42adbc803 100644 --- a/lib/sslgen.c +++ b/lib/sslgen.c @@ -248,11 +248,13 @@ Curl_ssl_connect_nonblocking(struct connectdata *conn, int sockindex, #else #ifdef USE_QSOSSL *done = TRUE; /* fallback to BLOCKING */ + conn->ssl[sockindex].use = TRUE; return Curl_qsossl_connect(conn, sockindex); #else /* not implemented! fallback to BLOCKING call. */ *done = TRUE; + conn->ssl[sockindex].use = TRUE; return Curl_ssl_connect(conn, sockindex); #endif /* USE_QSOSSL */ #endif /* USE_NSS */ -- cgit v1.2.1 From 5c447f2499ed04bf29b6f1a82407aa53c975a58a Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Mon, 3 Dec 2007 11:48:09 +0000 Subject: Bug report #1842029 (http://curl.haxx.se/bug/view.cgi?id=1842029) identified a problem with SSL session caching that prevent it from working, and the associated fix! --- lib/sslgen.c | 1 + 1 file changed, 1 insertion(+) (limited to 'lib/sslgen.c') diff --git a/lib/sslgen.c b/lib/sslgen.c index 42adbc803..c3d4ee401 100644 --- a/lib/sslgen.c +++ b/lib/sslgen.c @@ -96,6 +96,7 @@ bool Curl_clone_ssl_config(struct ssl_config_data *source, struct ssl_config_data *dest) { + dest->sessionid = source->sessionid; dest->verifyhost = source->verifyhost; dest->verifypeer = source->verifypeer; dest->version = source->version; -- cgit v1.2.1 From fc1d1ea93472985c12a4e3ae892a416de00d032e Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Mon, 24 Dec 2007 23:45:48 +0000 Subject: Gary Maxwell filed bug report #1856628 (http://curl.haxx.se/bug/view.cgi?id=1856628) and provided a fix for the (small) memory leak in the SSL session ID caching code. It happened when a previous entry in the cache was re-used. --- lib/sslgen.c | 3 +++ 1 file changed, 3 insertions(+) (limited to 'lib/sslgen.c') diff --git a/lib/sslgen.c b/lib/sslgen.c index c3d4ee401..2d61960cb 100644 --- a/lib/sslgen.c +++ b/lib/sslgen.c @@ -384,6 +384,9 @@ CURLcode Curl_ssl_addsessionid(struct connectdata *conn, store->sessionid = ssl_sessionid; store->idsize = idsize; store->age = data->state.sessionage; /* set current age */ + if (store->name) + /* free it if there's one already present */ + free(store->name) store->name = clone_host; /* clone host name */ store->remote_port = conn->remote_port; /* port number */ -- cgit v1.2.1 From 4e8c4fc80ba0395910b427bf91a10d8e6dbd8e68 Mon Sep 17 00:00:00 2001 From: Gunter Knauf Date: Tue, 25 Dec 2007 13:26:01 +0000 Subject: added missing semicolon fromn last commit. --- lib/sslgen.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'lib/sslgen.c') diff --git a/lib/sslgen.c b/lib/sslgen.c index 2d61960cb..5719c0bf2 100644 --- a/lib/sslgen.c +++ b/lib/sslgen.c @@ -386,7 +386,7 @@ CURLcode Curl_ssl_addsessionid(struct connectdata *conn, store->age = data->state.sessionage; /* set current age */ if (store->name) /* free it if there's one already present */ - free(store->name) + free(store->name); store->name = clone_host; /* clone host name */ store->remote_port = conn->remote_port; /* port number */ -- cgit v1.2.1 From 53a549000c3634f6b0a5ed262d5834c3145885d7 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Wed, 20 Feb 2008 09:56:26 +0000 Subject: - Based on initial work done by Gautam Kachroo to address a bug, we now keep better control at the exact state of the connection's SSL status so that we know exactly when it has completed the SSL negotiation or not so that there won't be accidental re-uses of connections that are wrongly believed to be in SSL-completed-negotiate state. --- lib/sslgen.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'lib/sslgen.c') diff --git a/lib/sslgen.c b/lib/sslgen.c index 5719c0bf2..bbcc8c56d 100644 --- a/lib/sslgen.c +++ b/lib/sslgen.c @@ -5,7 +5,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 1998 - 2007, Daniel Stenberg, , et al. + * Copyright (C) 1998 - 2008, Daniel Stenberg, , et al. * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms @@ -207,6 +207,7 @@ Curl_ssl_connect(struct connectdata *conn, int sockindex) #ifdef USE_SSL /* mark this is being ssl enabled from here on. */ conn->ssl[sockindex].use = TRUE; + conn->ssl[sockindex].state = ssl_connection_negotiating; #ifdef USE_SSLEAY return Curl_ossl_connect(conn, sockindex); @@ -473,6 +474,7 @@ CURLcode Curl_ssl_shutdown(struct connectdata *conn, int sockindex) #endif /* USE_SSLEAY */ conn->ssl[sockindex].use = FALSE; /* get back to ordinary socket usage */ + conn->ssl[sockindex].state = ssl_connection_none; return CURLE_OK; } -- cgit v1.2.1 From e2b82b4325e2726a802b6202f2d011fb4988e41d Mon Sep 17 00:00:00 2001 From: Michal Marek Date: Fri, 9 May 2008 11:27:54 +0000 Subject: - Make Curl_write and it's callees accept a const pointer, in preparation of tetetest's patch for curl_easy_send() --- lib/sslgen.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'lib/sslgen.c') diff --git a/lib/sslgen.c b/lib/sslgen.c index bbcc8c56d..b25cbddf2 100644 --- a/lib/sslgen.c +++ b/lib/sslgen.c @@ -578,7 +578,7 @@ struct curl_slist *Curl_ssl_engines_list(struct SessionHandle *data) /* return number of sent (non-SSL) bytes */ ssize_t Curl_ssl_send(struct connectdata *conn, int sockindex, - void *mem, + const void *mem, size_t len) { #ifdef USE_SSLEAY -- cgit v1.2.1 From 04d5c8fb779afdb4f7e85a701f8b4b987a4016ee Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Wed, 11 Jun 2008 17:01:58 +0000 Subject: - I did a cleanup of the internal generic SSL layer and how the various SSL libraries are supported. Starting now, each underlying SSL library support code does a set of defines for the 16 functions the generic layer (sslgen.c) uses (all these new function defines use the prefix "curlssl_"). This greatly simplified the generic layer in readability by involving much less #ifdefs and other preprocessor stuff and should make it easier for people to make libcurl work with new SSL libraries. Hopefully I can later on document these 16 functions somewhat as well. I also made most of the internal SSL-dependent functions (using Curl_ssl_ prefix) #defined to nothing when no SSL support is requested - previously they would unnecessarily call mostly empty functions. --- lib/sslgen.c | 360 ++++++----------------------------------------------------- 1 file changed, 34 insertions(+), 326 deletions(-) (limited to 'lib/sslgen.c') diff --git a/lib/sslgen.c b/lib/sslgen.c index b25cbddf2..a6824090d 100644 --- a/lib/sslgen.c +++ b/lib/sslgen.c @@ -33,6 +33,9 @@ Curl_gtls_ - prefix for GnuTLS ones Curl_nss_ - prefix for NSS ones + Note that this source code uses curlssl_* functions, and they are all + defines/macros #defined by the lib-specific header files. + "SSL/TLS Strong Encryption: An Introduction" http://httpd.apache.org/docs-2.0/ssl/ssl_intro.html */ @@ -60,9 +63,6 @@ /* The last #include file should be: */ #include "memdebug.h" -/* "global" init done? */ -static bool init_ssl=FALSE; - static bool safe_strequal(char* str1, char* str2); static bool safe_strequal(char* str1, char* str2) @@ -143,6 +143,11 @@ void Curl_free_ssl_config(struct ssl_config_data* sslc) Curl_safefree(sslc->random_file); } +#ifdef USE_SSL + +/* "global" init done? */ +static bool init_ssl=FALSE; + /** * Global SSL init * @@ -156,24 +161,7 @@ int Curl_ssl_init(void) return 1; init_ssl = TRUE; /* never again */ -#ifdef USE_SSLEAY - return Curl_ossl_init(); -#else -#ifdef USE_GNUTLS - return Curl_gtls_init(); -#else -#ifdef USE_NSS - return Curl_nss_init(); -#else -#ifdef USE_QSOSSL - return Curl_qsossl_init(); -#else - /* no SSL support */ - return 1; -#endif /* USE_QSOSSL */ -#endif /* USE_NSS */ -#endif /* USE_GNUTLS */ -#endif /* USE_SSLEAY */ + return curlssl_init(); } @@ -182,21 +170,7 @@ void Curl_ssl_cleanup(void) { if(init_ssl) { /* only cleanup if we did a previous init */ -#ifdef USE_SSLEAY - Curl_ossl_cleanup(); -#else -#ifdef USE_GNUTLS - Curl_gtls_cleanup(); -#else -#ifdef USE_NSS - Curl_nss_cleanup(); -#else -#ifdef USE_QSOSSL - Curl_qsossl_cleanup(); -#endif /* USE_QSOSSL */ -#endif /* USE_NSS */ -#endif /* USE_GNUTLS */ -#endif /* USE_SSLEAY */ + curlssl_cleanup(); init_ssl = FALSE; } } @@ -204,67 +178,28 @@ void Curl_ssl_cleanup(void) CURLcode Curl_ssl_connect(struct connectdata *conn, int sockindex) { -#ifdef USE_SSL - /* mark this is being ssl enabled from here on. */ + /* mark this is being ssl-enabled from here on. */ conn->ssl[sockindex].use = TRUE; conn->ssl[sockindex].state = ssl_connection_negotiating; -#ifdef USE_SSLEAY - return Curl_ossl_connect(conn, sockindex); -#else -#ifdef USE_GNUTLS - return Curl_gtls_connect(conn, sockindex); -#else -#ifdef USE_NSS - return Curl_nss_connect(conn, sockindex); -#else -#ifdef USE_QSOSSL - return Curl_qsossl_connect(conn, sockindex); -#endif /* USE_QSOSSL */ -#endif /* USE_NSS */ -#endif /* USE_GNUTLS */ -#endif /* USE_SSLEAY */ - -#else - /* without SSL */ - (void)conn; - (void)sockindex; - return CURLE_OK; -#endif /* USE_SSL */ + return curlssl_connect(conn, sockindex); } CURLcode Curl_ssl_connect_nonblocking(struct connectdata *conn, int sockindex, bool *done) { -#if defined(USE_SSL) && defined(USE_SSLEAY) - /* mark this is being ssl enabled from here on. */ +#ifdef curlssl_connect_nonblocking + /* mark this is being ssl requested from here on. */ conn->ssl[sockindex].use = TRUE; return Curl_ossl_connect_nonblocking(conn, sockindex, done); - -#else -#ifdef USE_NSS - *done = TRUE; /* fallback to BLOCKING */ - conn->ssl[sockindex].use = TRUE; - return Curl_nss_connect(conn, sockindex); #else -#ifdef USE_QSOSSL *done = TRUE; /* fallback to BLOCKING */ conn->ssl[sockindex].use = TRUE; - return Curl_qsossl_connect(conn, sockindex); -#else - /* not implemented! - fallback to BLOCKING call. */ - *done = TRUE; - conn->ssl[sockindex].use = TRUE; - return Curl_ssl_connect(conn, sockindex); -#endif /* USE_QSOSSL */ -#endif /* USE_NSS */ -#endif /* USE_SSLEAY */ + return curlssl_connect(conn, sockindex); +#endif /* non-blocking connect support */ } -#ifdef USE_SSL - /* * Check if there's a session ID for the given connection in the cache, and if * there's one suitable, it is provided. Returns TRUE when no entry matched. @@ -311,21 +246,8 @@ static int kill_session(struct curl_ssl_session *session) /* defensive check */ /* free the ID the SSL-layer specific way */ -#ifdef USE_SSLEAY - Curl_ossl_session_free(session->sessionid); -#else -#ifdef USE_GNUTLS - Curl_gtls_session_free(session->sessionid); -#else -#ifdef USE_QSOSSL - /* No session handling for QsoSSL. */ -#else -#ifdef USE_NSS - /* NSS has its own session ID cache */ -#endif /* USE_NSS */ -#endif /* USE_QSOSSL */ -#endif /* USE_GNUTLS */ -#endif /* USE_SSLEAY */ + curlssl_session_free(session->sessionid); + session->sessionid=NULL; session->age = 0; /* fresh */ @@ -398,11 +320,8 @@ CURLcode Curl_ssl_addsessionid(struct connectdata *conn, } -#endif /* USE_SSL */ - void Curl_ssl_close_all(struct SessionHandle *data) { -#ifdef USE_SSL long i; /* kill the session ID cache */ if(data->state.session) { @@ -414,64 +333,20 @@ void Curl_ssl_close_all(struct SessionHandle *data) free(data->state.session); data->state.session = NULL; } -#ifdef USE_SSLEAY - Curl_ossl_close_all(data); -#else -#ifdef USE_GNUTLS - Curl_gtls_close_all(data); -#else -#ifdef USE_NSS - Curl_nss_close_all(data); -#else -#ifdef USE_QSOSSL - Curl_qsossl_close_all(data); -#endif /* USE_QSOSSL */ -#endif /* USE_NSS */ -#endif /* USE_GNUTLS */ -#endif /* USE_SSLEAY */ -#else /* USE_SSL */ - (void)data; -#endif /* USE_SSL */ + + curlssl_close_all(data); } void Curl_ssl_close(struct connectdata *conn, int sockindex) { DEBUGASSERT((sockindex <= 1) && (sockindex >= -1)); - -#ifdef USE_SSLEAY - Curl_ossl_close(conn, sockindex); -#endif /* USE_SSLEAY */ -#ifdef USE_GNUTLS - Curl_gtls_close(conn, sockindex); -#endif /* USE_GNUTLS */ -#ifdef USE_NSS - Curl_nss_close(conn, sockindex); -#endif /* USE_NSS */ -#ifdef USE_QSOSSL - Curl_qsossl_close(conn, sockindex); -#endif /* USE_QSOSSL */ -#ifndef USE_SSL - (void)conn; - (void)sockindex; -#endif /* !USE_SSL */ + curlssl_close(conn, sockindex); } CURLcode Curl_ssl_shutdown(struct connectdata *conn, int sockindex) { -#ifdef USE_SSLEAY - if(Curl_ossl_shutdown(conn, sockindex)) - return CURLE_SSL_SHUTDOWN_FAILED; -#else -#ifdef USE_GNUTLS - if(Curl_gtls_shutdown(conn, sockindex)) + if(curlssl_shutdown(conn, sockindex)) return CURLE_SSL_SHUTDOWN_FAILED; -#else -#ifdef USE_QSOSSL - if(Curl_qsossl_shutdown(conn, sockindex)) - return CURLE_SSL_SHUTDOWN_FAILED; -#endif /* USE_QSOSSL */ -#endif /* USE_GNUTLS */ -#endif /* USE_SSLEAY */ conn->ssl[sockindex].use = FALSE; /* get back to ordinary socket usage */ conn->ssl[sockindex].state = ssl_connection_none; @@ -479,100 +354,24 @@ CURLcode Curl_ssl_shutdown(struct connectdata *conn, int sockindex) return CURLE_OK; } -/* Selects an (Open)SSL crypto engine +/* Selects an SSL crypto engine */ CURLcode Curl_ssl_set_engine(struct SessionHandle *data, const char *engine) { -#ifdef USE_SSLEAY - return Curl_ossl_set_engine(data, engine); -#else -#ifdef USE_GNUTLS - /* FIX: add code here */ - (void)data; - (void)engine; - return CURLE_FAILED_INIT; -#else -#ifdef USE_NSS - /* NSS doesn't set an engine this way */ - (void)data; - (void)engine; - return CURLE_FAILED_INIT; -#else -#ifdef USE_QSOSSL - /* QSOSSL doesn't set an engine this way */ - (void)data; - (void)engine; - return CURLE_FAILED_INIT; -#else - /* no SSL layer */ - (void)data; - (void)engine; - return CURLE_FAILED_INIT; -#endif /* USE_QSOSSL */ -#endif /* USE_NSS */ -#endif /* USE_GNUTLS */ -#endif /* USE_SSLEAY */ + return curlssl_set_engine(data, engine); } -/* Selects an (Open?)SSL crypto engine +/* Selects the default SSL crypto engine */ CURLcode Curl_ssl_set_engine_default(struct SessionHandle *data) { -#ifdef USE_SSLEAY - return Curl_ossl_set_engine_default(data); -#else -#ifdef USE_GNUTLS - /* FIX: add code here */ - (void)data; - return CURLE_FAILED_INIT; -#else -#ifdef USE_NSS - /* A no-op for NSS */ - (void)data; - return CURLE_FAILED_INIT; -#else -#ifdef USE_QSOSSL - /* A no-op for QSOSSL */ - (void)data; - return CURLE_FAILED_INIT; -#else - /* No SSL layer */ - (void)data; - return CURLE_FAILED_INIT; -#endif /* USE_QSOSSL */ -#endif /* USE_NSS */ -#endif /* USE_GNUTLS */ -#endif /* USE_SSLEAY */ + return curlssl_set_engine_default(data); } /* Return list of OpenSSL crypto engine names. */ struct curl_slist *Curl_ssl_engines_list(struct SessionHandle *data) { -#ifdef USE_SSLEAY - return Curl_ossl_engines_list(data); -#else -#ifdef USE_GNUTLS - /* FIX: add code here? */ - (void)data; - return NULL; -#else -#ifdef USE_NSS - /* In theory we could return the PKCS#11 modules loaded but that - * would just confuse things */ - (void)data; - return NULL; -#else -#ifdef USE_QSOSSL - /* No engine support in QSOSSL. */ - (void)data; - return NULL; -#else - (void)data; - return NULL; -#endif /* USE_QSOSSL */ -#endif /* USE_NSS */ -#endif /* USE_GNUTLS */ -#endif /* USE_SSLEAY */ + return curlssl_engines_list(data); } /* return number of sent (non-SSL) bytes */ @@ -581,27 +380,7 @@ ssize_t Curl_ssl_send(struct connectdata *conn, const void *mem, size_t len) { -#ifdef USE_SSLEAY - return Curl_ossl_send(conn, sockindex, mem, len); -#else -#ifdef USE_GNUTLS - return Curl_gtls_send(conn, sockindex, mem, len); -#else -#ifdef USE_NSS - return Curl_nss_send(conn, sockindex, mem, len); -#else -#ifdef USE_QSOSSL - return Curl_qsossl_send(conn, sockindex, mem, len); -#else - (void)conn; - (void)sockindex; - (void)mem; - (void)len; - return 0; -#endif /* USE_QSOSSL */ -#endif /* USE_NSS */ -#endif /* USE_GNUTLS */ -#endif /* USE_SSLEAY */ + return curlssl_send(conn, sockindex, mem, len); } /* return number of received (decrypted) bytes */ @@ -615,25 +394,10 @@ ssize_t Curl_ssl_recv(struct connectdata *conn, /* connection data */ char *mem, /* store read data here */ size_t len) /* max amount to read */ { -#ifdef USE_SSL ssize_t nread; bool block = FALSE; -#ifdef USE_SSLEAY - nread = Curl_ossl_recv(conn, sockindex, mem, len, &block); -#else -#ifdef USE_GNUTLS - nread = Curl_gtls_recv(conn, sockindex, mem, len, &block); -#else -#ifdef USE_NSS - nread = Curl_nss_recv(conn, sockindex, mem, len, &block); -#else -#ifdef USE_QSOSSL - nread = Curl_qsossl_recv(conn, sockindex, mem, len, &block); -#endif /* USE_QSOSSL */ -#endif /* USE_NSS */ -#endif /* USE_GNUTLS */ -#endif /* USE_SSLEAY */ + nread = curlssl_recv(conn, sockindex, mem, len, &block); if(nread == -1) { if(!block) return 0; /* this is a true error, not EWOULDBLOCK */ @@ -642,14 +406,6 @@ ssize_t Curl_ssl_recv(struct connectdata *conn, /* connection data */ } return nread; - -#else /* USE_SSL */ - (void)conn; - (void)sockindex; - (void)mem; - (void)len; - return 0; -#endif /* USE_SSL */ } @@ -659,7 +415,6 @@ ssize_t Curl_ssl_recv(struct connectdata *conn, /* connection data */ */ CURLcode Curl_ssl_initsessions(struct SessionHandle *data, long amount) { -#ifdef USE_SSL struct curl_ssl_session *session; if(data->state.session) @@ -675,39 +430,14 @@ CURLcode Curl_ssl_initsessions(struct SessionHandle *data, long amount) data->set.ssl.numsessions = amount; data->state.session = session; data->state.sessionage = 1; /* this is brand new */ -#else - /* without SSL, do nothing */ - (void)data; - (void)amount; -#endif - return CURLE_OK; } size_t Curl_ssl_version(char *buffer, size_t size) { -#ifdef USE_SSLEAY - return Curl_ossl_version(buffer, size); -#else -#ifdef USE_GNUTLS - return Curl_gtls_version(buffer, size); -#else -#ifdef USE_NSS - return Curl_nss_version(buffer, size); -#else -#ifdef USE_QSOSSL - return Curl_qsossl_version(buffer, size); -#else - (void)buffer; - (void)size; - return 0; /* no SSL support */ -#endif /* USE_QSOSSL */ -#endif /* USE_NSS */ -#endif /* USE_GNUTLS */ -#endif /* USE_SSLEAY */ + return curlssl_version(buffer, size); } - /* * This function tries to determine connection status. * @@ -718,35 +448,13 @@ size_t Curl_ssl_version(char *buffer, size_t size) */ int Curl_ssl_check_cxn(struct connectdata *conn) { -#ifdef USE_SSLEAY - return Curl_ossl_check_cxn(conn); -#else -#ifdef USE_NSS - return Curl_nss_check_cxn(conn); -#else -#ifdef USE_QSOSSL - return Curl_qsossl_check_cxn(conn); -#else - (void)conn; - /* TODO: we lack implementation of this for GnuTLS */ - return -1; /* connection status unknown */ -#endif /* USE_QSOSSL */ -#endif /* USE_NSS */ -#endif /* USE_SSLEAY */ + return curlssl_check_cxn(conn); } bool Curl_ssl_data_pending(const struct connectdata *conn, int connindex) { -#ifdef USE_SSLEAY - /* OpenSSL-specific */ - if(conn->ssl[connindex].handle) - /* SSL is in use */ - return (bool)(0 != SSL_pending(conn->ssl[connindex].handle)); -#else - (void)conn; - (void)connindex; -#endif - return FALSE; /* nothing pending */ - + return curlssl_data_pending(conn, connindex); } +#endif /* USE_SSL */ + -- cgit v1.2.1 From 7c648782bc7c97be81c619acd8598c38b59c5832 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Thu, 3 Jul 2008 06:56:03 +0000 Subject: Introcuding a new timestamp for curl_easy_getinfo(): CURLINFO_APPCONNECT_TIME. This is set with the "application layer" handshake/connection is completed (typically SSL, TLS or SSH). By using this you can figure out the application layer's own connect time. You can extract the time stamp using curl's -w option and the new variable named 'time_appconnect'. This feature was sponsored by Lenny Rachitsky at NeuStar. --- lib/sslgen.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) (limited to 'lib/sslgen.c') diff --git a/lib/sslgen.c b/lib/sslgen.c index a6824090d..0001cd8d3 100644 --- a/lib/sslgen.c +++ b/lib/sslgen.c @@ -60,6 +60,7 @@ #include "strequal.h" #include "url.h" #include "memory.h" +#include "progress.h" /* The last #include file should be: */ #include "memdebug.h" @@ -178,11 +179,17 @@ void Curl_ssl_cleanup(void) CURLcode Curl_ssl_connect(struct connectdata *conn, int sockindex) { + CURLcode res; /* mark this is being ssl-enabled from here on. */ conn->ssl[sockindex].use = TRUE; conn->ssl[sockindex].state = ssl_connection_negotiating; - return curlssl_connect(conn, sockindex); + res = curlssl_connect(conn, sockindex); + + if(!res) + Curl_pgrsTime(conn->data, TIMER_APPCONNECT); /* SSL is connected */ + + return res; } CURLcode @@ -192,7 +199,7 @@ Curl_ssl_connect_nonblocking(struct connectdata *conn, int sockindex, #ifdef curlssl_connect_nonblocking /* mark this is being ssl requested from here on. */ conn->ssl[sockindex].use = TRUE; - return Curl_ossl_connect_nonblocking(conn, sockindex, done); + return curlssl_connect_nonblocking(conn, sockindex, done); #else *done = TRUE; /* fallback to BLOCKING */ conn->ssl[sockindex].use = TRUE; -- cgit v1.2.1 From 4c9768565ec3a9baf26ac8a547bca6e42cc64fa5 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Fri, 5 Sep 2008 14:29:21 +0000 Subject: - Introducing CURLOPT_CERTINFO and the corresponding CURLINFO_CERTINFO. By enabling this feature with CURLOPT_CERTINFO for a request using SSL (HTTPS or FTPS), libcurl will gather lots of server certificate info and that info can then get extracted by a client after the request has completed with curl_easy_getinfo()'s CURLINFO_CERTINFO option. Linus Nielsen Feltzing helped me test and smoothen out this feature. Unfortunately, this feature currently only works with libcurl built to use OpenSSL. This feature was sponsored by networking4all.com - thanks! --- lib/sslgen.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) (limited to 'lib/sslgen.c') diff --git a/lib/sslgen.c b/lib/sslgen.c index 0001cd8d3..df24fbdd4 100644 --- a/lib/sslgen.c +++ b/lib/sslgen.c @@ -465,3 +465,15 @@ bool Curl_ssl_data_pending(const struct connectdata *conn, } #endif /* USE_SSL */ +void Curl_ssl_free_certinfo(struct SessionHandle *data) +{ + int i; + struct curl_certinfo *ci = &data->info.certs; + if(ci->num_of_certs) { + /* free all individual lists used */ + for(i=0; inum_of_certs; i++) + curl_slist_free_all(ci->certinfo[i]); + free(ci->certinfo); /* free the actual array too */ + ci->num_of_certs = 0; + } +} -- cgit v1.2.1 From 70e57dad8856c2b99d947344661ae260c6fff594 Mon Sep 17 00:00:00 2001 From: Dan Fandrich Date: Fri, 5 Sep 2008 18:35:29 +0000 Subject: Only compile Curl_ssl_free_certinfo when SSL is enabled --- lib/sslgen.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'lib/sslgen.c') diff --git a/lib/sslgen.c b/lib/sslgen.c index df24fbdd4..b78310f2f 100644 --- a/lib/sslgen.c +++ b/lib/sslgen.c @@ -463,7 +463,6 @@ bool Curl_ssl_data_pending(const struct connectdata *conn, { return curlssl_data_pending(conn, connindex); } -#endif /* USE_SSL */ void Curl_ssl_free_certinfo(struct SessionHandle *data) { @@ -477,3 +476,4 @@ void Curl_ssl_free_certinfo(struct SessionHandle *data) ci->num_of_certs = 0; } } +#endif /* USE_SSL */ -- cgit v1.2.1 From a622fd90b4c563a4fced20c5b88cb57537e809b0 Mon Sep 17 00:00:00 2001 From: Yang Tse Date: Sat, 6 Sep 2008 04:47:14 +0000 Subject: remove unnecessary typecasting of calloc() --- lib/sslgen.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) (limited to 'lib/sslgen.c') diff --git a/lib/sslgen.c b/lib/sslgen.c index b78310f2f..eee46b912 100644 --- a/lib/sslgen.c +++ b/lib/sslgen.c @@ -428,8 +428,7 @@ CURLcode Curl_ssl_initsessions(struct SessionHandle *data, long amount) /* this is just a precaution to prevent multiple inits */ return CURLE_OK; - session = (struct curl_ssl_session *) - calloc(sizeof(struct curl_ssl_session), amount); + session = calloc(sizeof(struct curl_ssl_session), amount); if(!session) return CURLE_OUT_OF_MEMORY; -- cgit v1.2.1 From bab5183820dbd2e0ea9ee4f0442844291d05c90e Mon Sep 17 00:00:00 2001 From: Dan Fandrich Date: Thu, 23 Oct 2008 01:20:57 +0000 Subject: Created Curl_raw_nequal() which does a C-locale string case comparison. Changed checkprefix() to use it and those instances of strnequal() that compare host names or other protocol strings that are defined to be independent of case in the C locale. This should fix a few more Turkish locale problems. --- lib/sslgen.c | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) (limited to 'lib/sslgen.c') diff --git a/lib/sslgen.c b/lib/sslgen.c index eee46b912..1bfeda713 100644 --- a/lib/sslgen.c +++ b/lib/sslgen.c @@ -64,8 +64,6 @@ /* The last #include file should be: */ #include "memdebug.h" -static bool safe_strequal(char* str1, char* str2); - static bool safe_strequal(char* str1, char* str2) { if(str1 && str2) @@ -228,7 +226,7 @@ int Curl_ssl_getsessionid(struct connectdata *conn, if(!check->sessionid) /* not session ID means blank entry */ continue; - if(curl_strequal(conn->host.name, check->name) && + if(Curl_raw_equal(conn->host.name, check->name) && (conn->remote_port == check->remote_port) && Curl_ssl_config_matches(&conn->ssl_config, &check->ssl_config)) { /* yes, we have a session ID! */ -- cgit v1.2.1 From b701ea36a723b2d7700e23ae53e2c3145dfe7bda Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Thu, 23 Oct 2008 11:49:19 +0000 Subject: moved the Curl_raw_ functions into the new lib/rawstr.c file for easier curlx_ inclusion by the curl tool without colliding with the curl_strequal functions. --- lib/sslgen.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'lib/sslgen.c') diff --git a/lib/sslgen.c b/lib/sslgen.c index 1bfeda713..ac6991bdc 100644 --- a/lib/sslgen.c +++ b/lib/sslgen.c @@ -57,7 +57,7 @@ #include "nssg.h" /* NSS versions */ #include "qssl.h" /* QSOSSL versions */ #include "sendf.h" -#include "strequal.h" +#include "rawstr.h" #include "url.h" #include "memory.h" #include "progress.h" @@ -68,7 +68,7 @@ static bool safe_strequal(char* str1, char* str2) { if(str1 && str2) /* both pointers point to something then compare them */ - return (bool)(0 != strequal(str1, str2)); + return (bool)(0 != Curl_raw_equal(str1, str2)); else /* if both pointers are NULL then treat them as equal */ return (bool)(!str1 && !str2); -- cgit v1.2.1 From e9ea3ba4a2b23c803379f4445ffe1e288a971117 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Wed, 25 Feb 2009 12:51:39 +0000 Subject: corrected and clarified the top comment --- lib/sslgen.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) (limited to 'lib/sslgen.c') diff --git a/lib/sslgen.c b/lib/sslgen.c index ac6991bdc..57ce31284 100644 --- a/lib/sslgen.c +++ b/lib/sslgen.c @@ -5,7 +5,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 1998 - 2008, Daniel Stenberg, , et al. + * Copyright (C) 1998 - 2009, Daniel Stenberg, , et al. * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms @@ -21,9 +21,9 @@ * $Id$ ***************************************************************************/ -/* This file is for "generic" SSL functions that all libcurl internals should - use. It is responsible for calling the proper 'ossl' function in ssluse.c - (OpenSSL based) or the 'gtls' function in gtls.c (GnuTLS based). +/* This file is for implementing all "generic" SSL functions that all libcurl + internals should use. It is then responsible for calling the proper + "backend" function. SSL-functions in libcurl should call functions in this source file, and not to any specific SSL-layer. -- cgit v1.2.1 From 33a3753c3f41d546ebf3350685eb7201d25783f4 Mon Sep 17 00:00:00 2001 From: Yang Tse Date: Tue, 21 Apr 2009 11:46:16 +0000 Subject: libcurl's memory.h renamed to curl_memory.h --- lib/sslgen.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'lib/sslgen.c') diff --git a/lib/sslgen.c b/lib/sslgen.c index 57ce31284..8325dccf0 100644 --- a/lib/sslgen.c +++ b/lib/sslgen.c @@ -59,7 +59,7 @@ #include "sendf.h" #include "rawstr.h" #include "url.h" -#include "memory.h" +#include "curl_memory.h" #include "progress.h" /* The last #include file should be: */ #include "memdebug.h" -- cgit v1.2.1 From 14df44dd3f9b562cb2ed37baca95446b05d2e66b Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Sun, 26 Apr 2009 11:56:22 +0000 Subject: - Bug report #2779733 (http://curl.haxx.se/bug/view.cgi?id=2779733) by Sven Wegener pointed out that CURLINFO_APPCONNECT_TIME didn't work with the multi interface and provided a patch that fixed the problem! --- lib/sslgen.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) (limited to 'lib/sslgen.c') diff --git a/lib/sslgen.c b/lib/sslgen.c index 8325dccf0..f512a8807 100644 --- a/lib/sslgen.c +++ b/lib/sslgen.c @@ -195,9 +195,13 @@ Curl_ssl_connect_nonblocking(struct connectdata *conn, int sockindex, bool *done) { #ifdef curlssl_connect_nonblocking + CURLcode res; /* mark this is being ssl requested from here on. */ conn->ssl[sockindex].use = TRUE; - return curlssl_connect_nonblocking(conn, sockindex, done); + res = curlssl_connect_nonblocking(conn, sockindex, done); + if(!res && *done == TRUE) + Curl_pgrsTime(conn->data, TIMER_APPCONNECT); /* SSL is connected */ + return res; #else *done = TRUE; /* fallback to BLOCKING */ conn->ssl[sockindex].use = TRUE; -- cgit v1.2.1 From a16cca768051ae7c2020426fef00bb0ec537477a Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Mon, 4 May 2009 21:57:14 +0000 Subject: - Michael Smith posted bug report #2786255 (http://curl.haxx.se/bug/view.cgi?id=2786255) with a patch, identifying how libcurl did not deal with SSL session ids properly if the server rejected a re-use of one. Starting now, it will forget the rejected one and remember the new. This change was for OpenSSL only, it is likely that other SSL lib code needs similar fixes. --- lib/sslgen.c | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) (limited to 'lib/sslgen.c') diff --git a/lib/sslgen.c b/lib/sslgen.c index f512a8807..6352224f1 100644 --- a/lib/sslgen.c +++ b/lib/sslgen.c @@ -271,6 +271,22 @@ static int kill_session(struct curl_ssl_session *session) return 1; } +/* + * Delete the given session ID from the cache. + */ +void Curl_ssl_delsessionid(struct connectdata *conn, void *ssl_sessionid) +{ + int i; + for(i=0; i< conn->data->set.ssl.numsessions; i++) { + struct curl_ssl_session *check = &conn->data->state.session[i]; + + if (check->sessionid == ssl_sessionid) { + kill_session(check); + break; + } + } +} + /* * Store session id in the session cache. The ID passed on to this function * must already have been extracted and allocated the proper way for the SSL -- cgit v1.2.1 From 59939313f8452a9d817c178425c2ba3b91798ea9 Mon Sep 17 00:00:00 2001 From: Yang Tse Date: Wed, 18 Nov 2009 10:33:54 +0000 Subject: Make usage of calloc()'s arguments consistent with rest of code base --- lib/sslgen.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'lib/sslgen.c') diff --git a/lib/sslgen.c b/lib/sslgen.c index 6352224f1..2271eb589 100644 --- a/lib/sslgen.c +++ b/lib/sslgen.c @@ -446,7 +446,7 @@ CURLcode Curl_ssl_initsessions(struct SessionHandle *data, long amount) /* this is just a precaution to prevent multiple inits */ return CURLE_OK; - session = calloc(sizeof(struct curl_ssl_session), amount); + session = calloc(amount, sizeof(struct curl_ssl_session)); if(!session) return CURLE_OUT_OF_MEMORY; -- cgit v1.2.1 From 19ca0c0fbe3066be78219ac894f0cb0ef7efebb4 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Fri, 19 Mar 2010 15:43:11 +0000 Subject: - Improved Curl_read() to not ignore the error returned from Curl_ssl_recv(). --- lib/sslgen.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) (limited to 'lib/sslgen.c') diff --git a/lib/sslgen.c b/lib/sslgen.c index 2271eb589..6707e0af6 100644 --- a/lib/sslgen.c +++ b/lib/sslgen.c @@ -399,7 +399,7 @@ struct curl_slist *Curl_ssl_engines_list(struct SessionHandle *data) return curlssl_engines_list(data); } -/* return number of sent (non-SSL) bytes */ +/* return number of sent (non-SSL) bytes; -1 on error */ ssize_t Curl_ssl_send(struct connectdata *conn, int sockindex, const void *mem, @@ -411,8 +411,8 @@ ssize_t Curl_ssl_send(struct connectdata *conn, /* return number of received (decrypted) bytes */ /* - * If the read would block (EWOULDBLOCK) we return -1. Otherwise we return - * a regular CURLcode value. + * If the read would block (EWOULDBLOCK) we return -1. If an error occurs during + * the read, we return -2. Otherwise we return the count of bytes transfered. */ ssize_t Curl_ssl_recv(struct connectdata *conn, /* connection data */ int sockindex, /* socketindex */ @@ -425,9 +425,9 @@ ssize_t Curl_ssl_recv(struct connectdata *conn, /* connection data */ nread = curlssl_recv(conn, sockindex, mem, len, &block); if(nread == -1) { if(!block) - return 0; /* this is a true error, not EWOULDBLOCK */ + return -2; /* this is a true error, not EWOULDBLOCK */ else - return -1; + return -1; /* EWOULDBLOCK */ } return nread; -- cgit v1.2.1 From abcea311e3b3178e8848e4da5acdf50afd89e4ce Mon Sep 17 00:00:00 2001 From: douglas steinwand Date: Mon, 22 Mar 2010 09:25:03 +0100 Subject: Fix insufficient initialization in Curl_clone_ssl_config() which could have caused a double free when reusing curl handle. --- lib/sslgen.c | 10 ++++++++++ 1 file changed, 10 insertions(+) (limited to 'lib/sslgen.c') diff --git a/lib/sslgen.c b/lib/sslgen.c index 6707e0af6..4e88bba86 100644 --- a/lib/sslgen.c +++ b/lib/sslgen.c @@ -105,30 +105,40 @@ Curl_clone_ssl_config(struct ssl_config_data *source, if(!dest->CAfile) return FALSE; } + else + dest->CAfile = NULL; if(source->CApath) { dest->CApath = strdup(source->CApath); if(!dest->CApath) return FALSE; } + else + dest->CApath = NULL; if(source->cipher_list) { dest->cipher_list = strdup(source->cipher_list); if(!dest->cipher_list) return FALSE; } + else + dest->cipher_list = NULL; if(source->egdsocket) { dest->egdsocket = strdup(source->egdsocket); if(!dest->egdsocket) return FALSE; } + else + dest->egdsocket = NULL; if(source->random_file) { dest->random_file = strdup(source->random_file); if(!dest->random_file) return FALSE; } + else + dest->random_file = NULL; return TRUE; } -- cgit v1.2.1 From 2309b4e330b96bc2e1f8e36b6184015e59544037 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Wed, 24 Mar 2010 11:02:54 +0100 Subject: remove the CVSish $Id$ lines --- lib/sslgen.c | 1 - 1 file changed, 1 deletion(-) (limited to 'lib/sslgen.c') diff --git a/lib/sslgen.c b/lib/sslgen.c index 4e88bba86..a050f1094 100644 --- a/lib/sslgen.c +++ b/lib/sslgen.c @@ -18,7 +18,6 @@ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY * KIND, either express or implied. * - * $Id$ ***************************************************************************/ /* This file is for implementing all "generic" SSL functions that all libcurl -- cgit v1.2.1 From ff8711135e9311d5a54c7210a5a87a86077271cb Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Sun, 4 Apr 2010 23:37:18 +0200 Subject: refactorize interface of Curl_ssl_recv/Curl_ssl_send --- lib/sslgen.c | 36 ++++++++++-------------------------- 1 file changed, 10 insertions(+), 26 deletions(-) (limited to 'lib/sslgen.c') diff --git a/lib/sslgen.c b/lib/sslgen.c index a050f1094..df2a4075a 100644 --- a/lib/sslgen.c +++ b/lib/sslgen.c @@ -5,7 +5,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 1998 - 2009, Daniel Stenberg, , et al. + * Copyright (C) 1998 - 2010, Daniel Stenberg, , et al. * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms @@ -408,38 +408,22 @@ struct curl_slist *Curl_ssl_engines_list(struct SessionHandle *data) return curlssl_engines_list(data); } -/* return number of sent (non-SSL) bytes; -1 on error */ ssize_t Curl_ssl_send(struct connectdata *conn, int sockindex, const void *mem, - size_t len) + size_t len, + int *curlcode) { - return curlssl_send(conn, sockindex, mem, len); + return curlssl_send(conn, sockindex, mem, len, curlcode); } -/* return number of received (decrypted) bytes */ - -/* - * If the read would block (EWOULDBLOCK) we return -1. If an error occurs during - * the read, we return -2. Otherwise we return the count of bytes transfered. - */ -ssize_t Curl_ssl_recv(struct connectdata *conn, /* connection data */ - int sockindex, /* socketindex */ - char *mem, /* store read data here */ - size_t len) /* max amount to read */ +ssize_t Curl_ssl_recv(struct connectdata *conn, + int sockindex, + char *mem, + size_t len, + int *curlcode) { - ssize_t nread; - bool block = FALSE; - - nread = curlssl_recv(conn, sockindex, mem, len, &block); - if(nread == -1) { - if(!block) - return -2; /* this is a true error, not EWOULDBLOCK */ - else - return -1; /* EWOULDBLOCK */ - } - - return nread; + return curlssl_recv(conn, sockindex, mem, len, curlcode); } -- cgit v1.2.1 From 51427e1947ddc07b4ce8ad9dcb04846125170f83 Mon Sep 17 00:00:00 2001 From: Hoi-Ho Chan Date: Wed, 5 May 2010 22:30:46 +0200 Subject: PolarSSL: initial support added This is Hoi-Ho Chan's patch with some minor fixes by me. There are some potential issues in this, but none worse than we can sort out on the list and over time. --- lib/sslgen.c | 2 ++ 1 file changed, 2 insertions(+) (limited to 'lib/sslgen.c') diff --git a/lib/sslgen.c b/lib/sslgen.c index df2a4075a..24b6dcbd6 100644 --- a/lib/sslgen.c +++ b/lib/sslgen.c @@ -31,6 +31,7 @@ Curl_ossl_ - prefix for OpenSSL ones Curl_gtls_ - prefix for GnuTLS ones Curl_nss_ - prefix for NSS ones + Curl_polarssl_ - prefix for PolarSSL ones Note that this source code uses curlssl_* functions, and they are all defines/macros #defined by the lib-specific header files. @@ -55,6 +56,7 @@ #include "gtls.h" /* GnuTLS versions */ #include "nssg.h" /* NSS versions */ #include "qssl.h" /* QSOSSL versions */ +#include "polarssl.h" /* PolarSSL versions */ #include "sendf.h" #include "rawstr.h" #include "url.h" -- cgit v1.2.1 From d64bd82bdcb169d0647a80f00068cedd761f8163 Mon Sep 17 00:00:00 2001 From: Howard Chu Date: Fri, 7 May 2010 15:05:34 +0200 Subject: sendrecv: split the I/O handling into private handler Howard Chu brought the bulk work of this patch that properly moves out the sending and recving of data to the parts of the code that are properly responsible for the various ways of doing so. Daniel Stenberg assisted with polishing a few bits and fixed some minor flaws in the original patch. Another upside of this patch is that we now abuse CURLcodes less with the "magic" -1 return codes and instead use CURLE_AGAIN more consistently. --- lib/sslgen.c | 19 ------------------- 1 file changed, 19 deletions(-) (limited to 'lib/sslgen.c') diff --git a/lib/sslgen.c b/lib/sslgen.c index 24b6dcbd6..bd8dc1722 100644 --- a/lib/sslgen.c +++ b/lib/sslgen.c @@ -410,25 +410,6 @@ struct curl_slist *Curl_ssl_engines_list(struct SessionHandle *data) return curlssl_engines_list(data); } -ssize_t Curl_ssl_send(struct connectdata *conn, - int sockindex, - const void *mem, - size_t len, - int *curlcode) -{ - return curlssl_send(conn, sockindex, mem, len, curlcode); -} - -ssize_t Curl_ssl_recv(struct connectdata *conn, - int sockindex, - char *mem, - size_t len, - int *curlcode) -{ - return curlssl_recv(conn, sockindex, mem, len, curlcode); -} - - /* * This sets up a session ID cache to the specified size. Make sure this code * is agnostic to what underlying SSL technology we use. -- cgit v1.2.1 From 108d7693a443435e39d2278d5dbf842a80c6260c Mon Sep 17 00:00:00 2001 From: Eric Hu Date: Fri, 3 Dec 2010 10:23:45 -0800 Subject: Preparing for axTLS. Actual SSL API functions are only stubbed. Added axTLS to autotool files and glue code to misc other files. axtls.h maps SSL API functions, but may change. axtls.c is just a stub file and will definitely change. --- lib/sslgen.c | 1 + 1 file changed, 1 insertion(+) (limited to 'lib/sslgen.c') diff --git a/lib/sslgen.c b/lib/sslgen.c index bd8dc1722..9ee3ab1d8 100644 --- a/lib/sslgen.c +++ b/lib/sslgen.c @@ -57,6 +57,7 @@ #include "nssg.h" /* NSS versions */ #include "qssl.h" /* QSOSSL versions */ #include "polarssl.h" /* PolarSSL versions */ +#include "axtls.h" /* axTLS versions */ #include "sendf.h" #include "rawstr.h" #include "url.h" -- cgit v1.2.1 From 1238edaeaf947b896aafd9ddffc8430dea179c3a Mon Sep 17 00:00:00 2001 From: Quinn Slack Date: Mon, 10 Jan 2011 13:53:01 +0100 Subject: SSL: fix memory leak In OOM situation. Follow-up fix to commit a9cd4f4ed49e1a0. --- lib/sslgen.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'lib/sslgen.c') diff --git a/lib/sslgen.c b/lib/sslgen.c index 9ee3ab1d8..c1a8a3073 100644 --- a/lib/sslgen.c +++ b/lib/sslgen.c @@ -350,8 +350,11 @@ CURLcode Curl_ssl_addsessionid(struct connectdata *conn, store->name = clone_host; /* clone host name */ store->remote_port = conn->remote_port; /* port number */ - if(!Curl_clone_ssl_config(&conn->ssl_config, &store->ssl_config)) + if(!Curl_clone_ssl_config(&conn->ssl_config, &store->ssl_config)) { + store->sessionid = NULL; /* let caller free sessionid */ + free(clone_host); return CURLE_OUT_OF_MEMORY; + } return CURLE_OK; } -- cgit v1.2.1 From 9e60d8fd9e9308cd2c79a13710f30a8481f5f1e6 Mon Sep 17 00:00:00 2001 From: Todd A Ouska Date: Tue, 8 Mar 2011 13:54:58 +0100 Subject: SSL: (part 2) Added CyaSSL to SSL abstraction layer This is the modified existing files commit. --- lib/sslgen.c | 2 ++ 1 file changed, 2 insertions(+) (limited to 'lib/sslgen.c') diff --git a/lib/sslgen.c b/lib/sslgen.c index c1a8a3073..b614e086d 100644 --- a/lib/sslgen.c +++ b/lib/sslgen.c @@ -32,6 +32,7 @@ Curl_gtls_ - prefix for GnuTLS ones Curl_nss_ - prefix for NSS ones Curl_polarssl_ - prefix for PolarSSL ones + Curl_cyassl_ - prefix for CyaSSL ones Note that this source code uses curlssl_* functions, and they are all defines/macros #defined by the lib-specific header files. @@ -58,6 +59,7 @@ #include "qssl.h" /* QSOSSL versions */ #include "polarssl.h" /* PolarSSL versions */ #include "axtls.h" /* axTLS versions */ +#include "cyassl.h" /* CyaSSL versions */ #include "sendf.h" #include "rawstr.h" #include "url.h" -- cgit v1.2.1 From 6cfbf21acfd3ddeb87cea10a06dd6190e838f662 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Fri, 15 Apr 2011 16:41:27 +0200 Subject: Curl_ssl_shutdown: restore send/recv pointers When going back from SSL, put the send/recv function pointers back to the plain versions. Bug: http://curl.haxx.se/mail/lib-2011-04/0070.html Reported by: Mehmet Bozkurt --- lib/sslgen.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'lib/sslgen.c') diff --git a/lib/sslgen.c b/lib/sslgen.c index b614e086d..a1b65ae74 100644 --- a/lib/sslgen.c +++ b/lib/sslgen.c @@ -5,7 +5,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 1998 - 2010, Daniel Stenberg, , et al. + * Copyright (C) 1998 - 2011, Daniel Stenberg, , et al. * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms @@ -393,6 +393,9 @@ CURLcode Curl_ssl_shutdown(struct connectdata *conn, int sockindex) conn->ssl[sockindex].use = FALSE; /* get back to ordinary socket usage */ conn->ssl[sockindex].state = ssl_connection_none; + conn->recv[sockindex] = Curl_recv_plain; + conn->send[sockindex] = Curl_send_plain; + return CURLE_OK; } -- cgit v1.2.1 From b903186fa0189ff241d756d25d07fdfe9885ae49 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Wed, 20 Apr 2011 15:17:42 +0200 Subject: source cleanup: unify look, style and indent levels By the use of a the new lib/checksrc.pl script that checks that our basic source style rules are followed. --- lib/sslgen.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'lib/sslgen.c') diff --git a/lib/sslgen.c b/lib/sslgen.c index a1b65ae74..779d9e9c3 100644 --- a/lib/sslgen.c +++ b/lib/sslgen.c @@ -294,7 +294,7 @@ void Curl_ssl_delsessionid(struct connectdata *conn, void *ssl_sessionid) for(i=0; i< conn->data->set.ssl.numsessions; i++) { struct curl_ssl_session *check = &conn->data->state.session[i]; - if (check->sessionid == ssl_sessionid) { + if(check->sessionid == ssl_sessionid) { kill_session(check); break; } @@ -346,7 +346,7 @@ CURLcode Curl_ssl_addsessionid(struct connectdata *conn, store->sessionid = ssl_sessionid; store->idsize = idsize; store->age = data->state.sessionage; /* set current age */ - if (store->name) + if(store->name) /* free it if there's one already present */ free(store->name); store->name = clone_host; /* clone host name */ -- cgit v1.2.1 From f1586cb4775681810afd8e6626e7842d459f3b85 Mon Sep 17 00:00:00 2001 From: Yang Tse Date: Tue, 26 Jul 2011 17:23:27 +0200 Subject: stdio.h, stdlib.h, string.h, stdarg.h and ctype.h inclusion done in setup_once.h --- lib/sslgen.c | 3 --- 1 file changed, 3 deletions(-) (limited to 'lib/sslgen.c') diff --git a/lib/sslgen.c b/lib/sslgen.c index 779d9e9c3..fbdbeea9d 100644 --- a/lib/sslgen.c +++ b/lib/sslgen.c @@ -43,9 +43,6 @@ #include "setup.h" -#include -#include -#include #ifdef HAVE_SYS_SOCKET_H #include #endif -- cgit v1.2.1 From a50210710ab6fd772e2762ed36602c15adfb49e1 Mon Sep 17 00:00:00 2001 From: Yang Tse Date: Mon, 5 Sep 2011 20:46:09 +0200 Subject: fix bool variables checking and assignment --- lib/sslgen.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'lib/sslgen.c') diff --git a/lib/sslgen.c b/lib/sslgen.c index fbdbeea9d..005d82ef3 100644 --- a/lib/sslgen.c +++ b/lib/sslgen.c @@ -69,10 +69,10 @@ static bool safe_strequal(char* str1, char* str2) { if(str1 && str2) /* both pointers point to something then compare them */ - return (bool)(0 != Curl_raw_equal(str1, str2)); + return (0 != Curl_raw_equal(str1, str2)) ? TRUE : FALSE; else /* if both pointers are NULL then treat them as equal */ - return (bool)(!str1 && !str2); + return (!str1 && !str2) ? TRUE : FALSE; } bool @@ -210,7 +210,7 @@ Curl_ssl_connect_nonblocking(struct connectdata *conn, int sockindex, /* mark this is being ssl requested from here on. */ conn->ssl[sockindex].use = TRUE; res = curlssl_connect_nonblocking(conn, sockindex, done); - if(!res && *done == TRUE) + if(!res && *done) Curl_pgrsTime(conn->data, TIMER_APPCONNECT); /* SSL is connected */ return res; #else -- cgit v1.2.1 From 5793bc370c794a10e6ed014cb535a47672842ae6 Mon Sep 17 00:00:00 2001 From: Alejandro Alvarez Date: Tue, 20 Sep 2011 17:43:54 +0200 Subject: SSL session sharing support added With locking, plus test, plus documentation --- lib/sslgen.c | 49 ++++++++++++++++++++++++++++++++++++++++++------- 1 file changed, 42 insertions(+), 7 deletions(-) (limited to 'lib/sslgen.c') diff --git a/lib/sslgen.c b/lib/sslgen.c index 005d82ef3..77c641b24 100644 --- a/lib/sslgen.c +++ b/lib/sslgen.c @@ -62,6 +62,7 @@ #include "url.h" #include "curl_memory.h" #include "progress.h" +#include "share.h" /* The last #include file should be: */ #include "memdebug.h" @@ -236,6 +237,10 @@ int Curl_ssl_getsessionid(struct connectdata *conn, /* session ID re-use is disabled */ return TRUE; + /* Lock for reading if shared */ + if(data->share && data->share->sslsession == data->state.session) + Curl_share_lock(data, CURL_LOCK_DATA_SSL_SESSION, CURL_LOCK_ACCESS_SHARED); + for(i=0; i< data->set.ssl.numsessions; i++) { check = &data->state.session[i]; if(!check->sessionid) @@ -254,13 +259,19 @@ int Curl_ssl_getsessionid(struct connectdata *conn, } } *ssl_sessionid = NULL; + + /* Unlock for reading */ + if(data->share && data->share->sslsession == data->state.session) + Curl_share_unlock(data, CURL_LOCK_DATA_SSL_SESSION); + + return TRUE; } /* * Kill a single session ID entry in the cache. */ -static int kill_session(struct curl_ssl_session *session) +int Curl_ssl_kill_session(struct curl_ssl_session *session) { if(session->sessionid) { /* defensive check */ @@ -288,14 +299,23 @@ static int kill_session(struct curl_ssl_session *session) void Curl_ssl_delsessionid(struct connectdata *conn, void *ssl_sessionid) { int i; - for(i=0; i< conn->data->set.ssl.numsessions; i++) { - struct curl_ssl_session *check = &conn->data->state.session[i]; + struct SessionHandle *data=conn->data; + + if(data->share && data->share->sslsession == data->state.session) + Curl_share_lock(data, CURL_LOCK_DATA_SSL_SESSION, + CURL_LOCK_ACCESS_SINGLE); + + for(i=0; i< data->set.ssl.numsessions; i++) { + struct curl_ssl_session *check = &data->state.session[i]; if(check->sessionid == ssl_sessionid) { - kill_session(check); + Curl_ssl_kill_session(check); break; } } + + if(data->share && data->share->sslsession == data->state.session) + Curl_share_unlock(data, CURL_LOCK_DATA_SSL_SESSION); } /* @@ -325,6 +345,10 @@ CURLcode Curl_ssl_addsessionid(struct connectdata *conn, /* Now we should add the session ID and the host name to the cache, (remove the oldest if necessary) */ + /* If using shared SSL session, lock! */ + if(data->share && data->share->sslsession == data->state.session) + Curl_share_lock(data, CURL_LOCK_DATA_SSL_SESSION, CURL_LOCK_ACCESS_SINGLE); + /* find an empty slot for us, or find the oldest */ for(i=1; (iset.ssl.numsessions) && data->state.session[i].sessionid; i++) { @@ -335,7 +359,7 @@ CURLcode Curl_ssl_addsessionid(struct connectdata *conn, } if(i == data->set.ssl.numsessions) /* cache is full, we must "kill" the oldest entry! */ - kill_session(store); + Curl_ssl_kill_session(store); else store = &data->state.session[i]; /* use this slot */ @@ -349,6 +373,11 @@ CURLcode Curl_ssl_addsessionid(struct connectdata *conn, store->name = clone_host; /* clone host name */ store->remote_port = conn->remote_port; /* port number */ + + /* Unlock */ + if(data->share && data->share->sslsession == data->state.session) + Curl_share_unlock(data, CURL_LOCK_DATA_SSL_SESSION); + if(!Curl_clone_ssl_config(&conn->ssl_config, &store->ssl_config)) { store->sessionid = NULL; /* let caller free sessionid */ free(clone_host); @@ -363,14 +392,20 @@ void Curl_ssl_close_all(struct SessionHandle *data) { long i; /* kill the session ID cache */ - if(data->state.session) { + if(data->state.session && + !(data->share && data->share->sslsession == data->state.session)) { + + Curl_share_lock(data, CURL_LOCK_DATA_SSL_SESSION, CURL_LOCK_ACCESS_SINGLE); + for(i=0; i< data->set.ssl.numsessions; i++) /* the single-killer function handles empty table slots */ - kill_session(&data->state.session[i]); + Curl_ssl_kill_session(&data->state.session[i]); /* free the cache data */ free(data->state.session); data->state.session = NULL; + + Curl_share_unlock(data, CURL_LOCK_DATA_SSL_SESSION); } curlssl_close_all(data); -- cgit v1.2.1 From 17f48fe87979f159e2d8769d678641c60f4c0eed Mon Sep 17 00:00:00 2001 From: Yang Tse Date: Fri, 7 Oct 2011 20:50:57 +0200 Subject: libcurl: some OOM handling fixes --- lib/sslgen.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'lib/sslgen.c') diff --git a/lib/sslgen.c b/lib/sslgen.c index 77c641b24..3b7340244 100644 --- a/lib/sslgen.c +++ b/lib/sslgen.c @@ -504,9 +504,12 @@ void Curl_ssl_free_certinfo(struct SessionHandle *data) struct curl_certinfo *ci = &data->info.certs; if(ci->num_of_certs) { /* free all individual lists used */ - for(i=0; inum_of_certs; i++) + for(i=0; inum_of_certs; i++) { curl_slist_free_all(ci->certinfo[i]); + ci->certinfo[i] = NULL; + } free(ci->certinfo); /* free the actual array too */ + ci->certinfo = NULL; ci->num_of_certs = 0; } } -- cgit v1.2.1 From 35f61c404d434e00da0f502a073cd3a0201fa504 Mon Sep 17 00:00:00 2001 From: Alejandro Alvarez Ayllon Date: Thu, 17 Nov 2011 23:34:38 +0100 Subject: SSL session share: move the age counter to the share object Previously the age counter would be counted individually in each easy handle that shared SSL sessions! --- lib/sslgen.c | 21 ++++++++++++++++----- 1 file changed, 16 insertions(+), 5 deletions(-) (limited to 'lib/sslgen.c') diff --git a/lib/sslgen.c b/lib/sslgen.c index 3b7340244..262ce42c4 100644 --- a/lib/sslgen.c +++ b/lib/sslgen.c @@ -232,14 +232,19 @@ int Curl_ssl_getsessionid(struct connectdata *conn, struct curl_ssl_session *check; struct SessionHandle *data = conn->data; long i; + long *general_age; if(!conn->ssl_config.sessionid) /* session ID re-use is disabled */ return TRUE; /* Lock for reading if shared */ - if(data->share && data->share->sslsession == data->state.session) + if(data->share && data->share->sslsession == data->state.session) { Curl_share_lock(data, CURL_LOCK_DATA_SSL_SESSION, CURL_LOCK_ACCESS_SHARED); + general_age = &data->share->sessionage; + } + else + general_age = &data->state.sessionage; for(i=0; i< data->set.ssl.numsessions; i++) { check = &data->state.session[i]; @@ -250,8 +255,8 @@ int Curl_ssl_getsessionid(struct connectdata *conn, (conn->remote_port == check->remote_port) && Curl_ssl_config_matches(&conn->ssl_config, &check->ssl_config)) { /* yes, we have a session ID! */ - data->state.sessionage++; /* increase general age */ - check->age = data->state.sessionage; /* set this as used in this age */ + *general_age++; /* increase general age */ + check->age = *general_age; /* set this as used in this age */ *ssl_sessionid = check->sessionid; if(idsize) *idsize = check->idsize; @@ -333,6 +338,7 @@ CURLcode Curl_ssl_addsessionid(struct connectdata *conn, struct curl_ssl_session *store = &data->state.session[0]; long oldest_age=data->state.session[0].age; /* zero if unused */ char *clone_host; + long *general_age; /* Even though session ID re-use might be disabled, that only disables USING IT. We still store it here in case the re-using is again enabled for an @@ -346,8 +352,13 @@ CURLcode Curl_ssl_addsessionid(struct connectdata *conn, the oldest if necessary) */ /* If using shared SSL session, lock! */ - if(data->share && data->share->sslsession == data->state.session) + if(data->share && data->share->sslsession == data->state.session) { Curl_share_lock(data, CURL_LOCK_DATA_SSL_SESSION, CURL_LOCK_ACCESS_SINGLE); + general_age = &data->share->sessionage; + } + else { + general_age = &data->state.sessionage; + } /* find an empty slot for us, or find the oldest */ for(i=1; (iset.ssl.numsessions) && @@ -366,7 +377,7 @@ CURLcode Curl_ssl_addsessionid(struct connectdata *conn, /* now init the session struct wisely */ store->sessionid = ssl_sessionid; store->idsize = idsize; - store->age = data->state.sessionage; /* set current age */ + store->age = *general_age; /* set current age */ if(store->name) /* free it if there's one already present */ free(store->name); -- cgit v1.2.1 From bb4eb589969c6191720295e59d510cb1d8f9c0ce Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Thu, 17 Nov 2011 23:46:29 +0100 Subject: Curl_ssl_getsessionid: increase the value, not the pointer --- lib/sslgen.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'lib/sslgen.c') diff --git a/lib/sslgen.c b/lib/sslgen.c index 262ce42c4..23c07e73b 100644 --- a/lib/sslgen.c +++ b/lib/sslgen.c @@ -255,7 +255,7 @@ int Curl_ssl_getsessionid(struct connectdata *conn, (conn->remote_port == check->remote_port) && Curl_ssl_config_matches(&conn->ssl_config, &check->ssl_config)) { /* yes, we have a session ID! */ - *general_age++; /* increase general age */ + (*general_age)++; /* increase general age */ check->age = *general_age; /* set this as used in this age */ *ssl_sessionid = check->sessionid; if(idsize) -- cgit v1.2.1 From 10ecdf5078f1f096c3b2d247ef08d35b8fa96f4a Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Thu, 17 Nov 2011 23:55:36 +0100 Subject: getsessionid: don't ever return while locked Also, check for the session sharing bit instead of comparing pointers --- lib/sslgen.c | 22 +++++++++++++--------- 1 file changed, 13 insertions(+), 9 deletions(-) (limited to 'lib/sslgen.c') diff --git a/lib/sslgen.c b/lib/sslgen.c index 23c07e73b..b9176b76c 100644 --- a/lib/sslgen.c +++ b/lib/sslgen.c @@ -233,14 +233,18 @@ int Curl_ssl_getsessionid(struct connectdata *conn, struct SessionHandle *data = conn->data; long i; long *general_age; + bool no_match = TRUE; + + *ssl_sessionid = NULL; if(!conn->ssl_config.sessionid) /* session ID re-use is disabled */ return TRUE; - /* Lock for reading if shared */ - if(data->share && data->share->sslsession == data->state.session) { - Curl_share_lock(data, CURL_LOCK_DATA_SSL_SESSION, CURL_LOCK_ACCESS_SHARED); + /* Lock if shared */ + if(data->share && + (data->share->specifier & (1<share->sessionage; } else @@ -260,17 +264,17 @@ int Curl_ssl_getsessionid(struct connectdata *conn, *ssl_sessionid = check->sessionid; if(idsize) *idsize = check->idsize; - return FALSE; + no_match = FALSE; + break; } } - *ssl_sessionid = NULL; - /* Unlock for reading */ - if(data->share && data->share->sslsession == data->state.session) + /* Unlock */ + if(data->share && + (data->share->specifier & (1< Date: Fri, 25 Nov 2011 14:58:55 +0100 Subject: SSLSESSION_SHARED: new macro to check if session is shared Added convenience macro to use to check if a handle is using a shared SSL session, and fixed so that Curl_ssl_close_all() doesn't lock when the session isn't shared. --- lib/sslgen.c | 29 +++++++++++++---------------- 1 file changed, 13 insertions(+), 16 deletions(-) (limited to 'lib/sslgen.c') diff --git a/lib/sslgen.c b/lib/sslgen.c index b9176b76c..9ad4ab1d2 100644 --- a/lib/sslgen.c +++ b/lib/sslgen.c @@ -66,6 +66,11 @@ /* The last #include file should be: */ #include "memdebug.h" +/* convenience macro to check if this handle is using a shared SSL session */ +#define SSLSESSION_SHARED(data) (data->share && \ + (data->share->specifier & \ + (1<share && - (data->share->specifier & (1<share->sessionage; } @@ -270,8 +274,7 @@ int Curl_ssl_getsessionid(struct connectdata *conn, } /* Unlock */ - if(data->share && - (data->share->specifier & (1<data; - if(data->share && data->share->sslsession == data->state.session) + if(SSLSESSION_SHARED(data)) Curl_share_lock(data, CURL_LOCK_DATA_SSL_SESSION, CURL_LOCK_ACCESS_SINGLE); @@ -323,7 +326,7 @@ void Curl_ssl_delsessionid(struct connectdata *conn, void *ssl_sessionid) } } - if(data->share && data->share->sslsession == data->state.session) + if(SSLSESSION_SHARED(data)) Curl_share_unlock(data, CURL_LOCK_DATA_SSL_SESSION); } @@ -356,7 +359,7 @@ CURLcode Curl_ssl_addsessionid(struct connectdata *conn, the oldest if necessary) */ /* If using shared SSL session, lock! */ - if(data->share && data->share->sslsession == data->state.session) { + if(SSLSESSION_SHARED(data)) { Curl_share_lock(data, CURL_LOCK_DATA_SSL_SESSION, CURL_LOCK_ACCESS_SINGLE); general_age = &data->share->sessionage; } @@ -390,7 +393,7 @@ CURLcode Curl_ssl_addsessionid(struct connectdata *conn, /* Unlock */ - if(data->share && data->share->sslsession == data->state.session) + if(SSLSESSION_SHARED(data)) Curl_share_unlock(data, CURL_LOCK_DATA_SSL_SESSION); if(!Curl_clone_ssl_config(&conn->ssl_config, &store->ssl_config)) { @@ -406,12 +409,8 @@ CURLcode Curl_ssl_addsessionid(struct connectdata *conn, void Curl_ssl_close_all(struct SessionHandle *data) { long i; - /* kill the session ID cache */ - if(data->state.session && - !(data->share && data->share->sslsession == data->state.session)) { - - Curl_share_lock(data, CURL_LOCK_DATA_SSL_SESSION, CURL_LOCK_ACCESS_SINGLE); - + /* kill the session ID cache if not shared */ + if(data->state.session && !SSLSESSION_SHARED(data)) { for(i=0; i< data->set.ssl.numsessions; i++) /* the single-killer function handles empty table slots */ Curl_ssl_kill_session(&data->state.session[i]); @@ -419,8 +418,6 @@ void Curl_ssl_close_all(struct SessionHandle *data) /* free the cache data */ free(data->state.session); data->state.session = NULL; - - Curl_share_unlock(data, CURL_LOCK_DATA_SSL_SESSION); } curlssl_close_all(data); -- cgit v1.2.1 From 3c18b38dcc59cbb4f62b48cc4d7004f6bccffc37 Mon Sep 17 00:00:00 2001 From: Sven Wegener Date: Fri, 27 May 2011 17:46:11 +0200 Subject: Use Curl_ssl_connect for non-blocking connect fallback This gets the appconnect time right for ssl backends, which don't support non-blocking connects. Signed-off-by: Sven Wegener --- lib/sslgen.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) (limited to 'lib/sslgen.c') diff --git a/lib/sslgen.c b/lib/sslgen.c index 9ad4ab1d2..874939223 100644 --- a/lib/sslgen.c +++ b/lib/sslgen.c @@ -221,8 +221,7 @@ Curl_ssl_connect_nonblocking(struct connectdata *conn, int sockindex, return res; #else *done = TRUE; /* fallback to BLOCKING */ - conn->ssl[sockindex].use = TRUE; - return curlssl_connect(conn, sockindex); + return Curl_ssl_connect(conn, sockindex); #endif /* non-blocking connect support */ } -- cgit v1.2.1 From d56b4c3f89ad3ee28dc62a22cffe2c85ced19830 Mon Sep 17 00:00:00 2001 From: Yang Tse Date: Wed, 18 Jan 2012 23:39:30 +0100 Subject: ssl session caching: fix compiler warnings --- lib/sslgen.c | 39 ++++++++++++++++----------------------- 1 file changed, 16 insertions(+), 23 deletions(-) (limited to 'lib/sslgen.c') diff --git a/lib/sslgen.c b/lib/sslgen.c index 874939223..a77fd7874 100644 --- a/lib/sslgen.c +++ b/lib/sslgen.c @@ -5,7 +5,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 1998 - 2011, Daniel Stenberg, , et al. + * Copyright (C) 1998 - 2012, Daniel Stenberg, , et al. * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms @@ -235,7 +235,7 @@ int Curl_ssl_getsessionid(struct connectdata *conn, { struct curl_ssl_session *check; struct SessionHandle *data = conn->data; - long i; + size_t i; long *general_age; bool no_match = TRUE; @@ -253,7 +253,7 @@ int Curl_ssl_getsessionid(struct connectdata *conn, else general_age = &data->state.sessionage; - for(i=0; i< data->set.ssl.numsessions; i++) { + for(i = 0; i < data->set.ssl.max_ssl_sessions; i++) { check = &data->state.session[i]; if(!check->sessionid) /* not session ID means blank entry */ @@ -282,7 +282,7 @@ int Curl_ssl_getsessionid(struct connectdata *conn, /* * Kill a single session ID entry in the cache. */ -int Curl_ssl_kill_session(struct curl_ssl_session *session) +void Curl_ssl_kill_session(struct curl_ssl_session *session) { if(session->sessionid) { /* defensive check */ @@ -290,18 +290,13 @@ int Curl_ssl_kill_session(struct curl_ssl_session *session) /* free the ID the SSL-layer specific way */ curlssl_session_free(session->sessionid); - session->sessionid=NULL; + session->sessionid = NULL; session->age = 0; /* fresh */ Curl_free_ssl_config(&session->ssl_config); Curl_safefree(session->name); - session->name = NULL; /* no name */ - - return 0; /* ok */ } - else - return 1; } /* @@ -309,14 +304,13 @@ int Curl_ssl_kill_session(struct curl_ssl_session *session) */ void Curl_ssl_delsessionid(struct connectdata *conn, void *ssl_sessionid) { - int i; + size_t i; struct SessionHandle *data=conn->data; if(SSLSESSION_SHARED(data)) - Curl_share_lock(data, CURL_LOCK_DATA_SSL_SESSION, - CURL_LOCK_ACCESS_SINGLE); + Curl_share_lock(data, CURL_LOCK_DATA_SSL_SESSION, CURL_LOCK_ACCESS_SINGLE); - for(i=0; i< data->set.ssl.numsessions; i++) { + for(i = 0; i < data->set.ssl.max_ssl_sessions; i++) { struct curl_ssl_session *check = &data->state.session[i]; if(check->sessionid == ssl_sessionid) { @@ -339,7 +333,7 @@ CURLcode Curl_ssl_addsessionid(struct connectdata *conn, void *ssl_sessionid, size_t idsize) { - long i; + size_t i; struct SessionHandle *data=conn->data; /* the mother of all structs */ struct curl_ssl_session *store = &data->state.session[0]; long oldest_age=data->state.session[0].age; /* zero if unused */ @@ -367,14 +361,14 @@ CURLcode Curl_ssl_addsessionid(struct connectdata *conn, } /* find an empty slot for us, or find the oldest */ - for(i=1; (iset.ssl.numsessions) && + for(i = 1; (i < data->set.ssl.max_ssl_sessions) && data->state.session[i].sessionid; i++) { if(data->state.session[i].age < oldest_age) { oldest_age = data->state.session[i].age; store = &data->state.session[i]; } } - if(i == data->set.ssl.numsessions) + if(i == data->set.ssl.max_ssl_sessions) /* cache is full, we must "kill" the oldest entry! */ Curl_ssl_kill_session(store); else @@ -407,16 +401,15 @@ CURLcode Curl_ssl_addsessionid(struct connectdata *conn, void Curl_ssl_close_all(struct SessionHandle *data) { - long i; + size_t i; /* kill the session ID cache if not shared */ if(data->state.session && !SSLSESSION_SHARED(data)) { - for(i=0; i< data->set.ssl.numsessions; i++) + for(i = 0; i < data->set.ssl.max_ssl_sessions; i++) /* the single-killer function handles empty table slots */ Curl_ssl_kill_session(&data->state.session[i]); /* free the cache data */ - free(data->state.session); - data->state.session = NULL; + Curl_safefree(data->state.session); } curlssl_close_all(data); @@ -466,7 +459,7 @@ struct curl_slist *Curl_ssl_engines_list(struct SessionHandle *data) * This sets up a session ID cache to the specified size. Make sure this code * is agnostic to what underlying SSL technology we use. */ -CURLcode Curl_ssl_initsessions(struct SessionHandle *data, long amount) +CURLcode Curl_ssl_initsessions(struct SessionHandle *data, size_t amount) { struct curl_ssl_session *session; @@ -479,7 +472,7 @@ CURLcode Curl_ssl_initsessions(struct SessionHandle *data, long amount) return CURLE_OUT_OF_MEMORY; /* store the info in the SSL section */ - data->set.ssl.numsessions = amount; + data->set.ssl.max_ssl_sessions = amount; data->state.session = session; data->state.sessionage = 1; /* this is brand new */ return CURLE_OK; -- cgit v1.2.1 From 68857e40d69ef792bfcc6d7395c65305a4117c51 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Fri, 8 Jun 2012 23:02:57 +0200 Subject: ssl: fix duplicated SSL handshake with multi interface and proxy Bug: https://bugzilla.redhat.com/788526 Reported by: Enrico Scholz --- lib/sslgen.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) (limited to 'lib/sslgen.c') diff --git a/lib/sslgen.c b/lib/sslgen.c index a77fd7874..14649a9ec 100644 --- a/lib/sslgen.c +++ b/lib/sslgen.c @@ -211,18 +211,18 @@ CURLcode Curl_ssl_connect_nonblocking(struct connectdata *conn, int sockindex, bool *done) { -#ifdef curlssl_connect_nonblocking CURLcode res; /* mark this is being ssl requested from here on. */ conn->ssl[sockindex].use = TRUE; +#ifdef curlssl_connect_nonblocking res = curlssl_connect_nonblocking(conn, sockindex, done); - if(!res && *done) - Curl_pgrsTime(conn->data, TIMER_APPCONNECT); /* SSL is connected */ - return res; #else *done = TRUE; /* fallback to BLOCKING */ - return Curl_ssl_connect(conn, sockindex); + res = curlssl_connect(conn, sockindex); #endif /* non-blocking connect support */ + if(!res && *done) + Curl_pgrsTime(conn->data, TIMER_APPCONNECT); /* SSL is connected */ + return res; } /* -- cgit v1.2.1 From aaa42aa0d594b95c6c670a373ba30c507aa0a5ed Mon Sep 17 00:00:00 2001 From: Marc Hoersken Date: Mon, 9 Apr 2012 15:40:06 +0200 Subject: schannel: Added SSL/TLS support with Microsoft Windows Schannel SSPI --- lib/sslgen.c | 2 ++ 1 file changed, 2 insertions(+) (limited to 'lib/sslgen.c') diff --git a/lib/sslgen.c b/lib/sslgen.c index 14649a9ec..28326ddb1 100644 --- a/lib/sslgen.c +++ b/lib/sslgen.c @@ -33,6 +33,7 @@ Curl_nss_ - prefix for NSS ones Curl_polarssl_ - prefix for PolarSSL ones Curl_cyassl_ - prefix for CyaSSL ones + Curl_schannel_ - prefix for Schannel SSPI ones Note that this source code uses curlssl_* functions, and they are all defines/macros #defined by the lib-specific header files. @@ -57,6 +58,7 @@ #include "polarssl.h" /* PolarSSL versions */ #include "axtls.h" /* axTLS versions */ #include "cyassl.h" /* CyaSSL versions */ +#include "curl_schannel.h" /* Schannel SSPI version */ #include "sendf.h" #include "rawstr.h" #include "url.h" -- cgit v1.2.1 From 6d1ea388cbd9de7f2a944a0c64f5feaec1b1904a Mon Sep 17 00:00:00 2001 From: Nick Zitzmann Date: Tue, 26 Jun 2012 14:01:51 +0200 Subject: darwinssl: add support for native Mac OS X/iOS SSL --- lib/sslgen.c | 2 ++ 1 file changed, 2 insertions(+) (limited to 'lib/sslgen.c') diff --git a/lib/sslgen.c b/lib/sslgen.c index 28326ddb1..8cf91f001 100644 --- a/lib/sslgen.c +++ b/lib/sslgen.c @@ -34,6 +34,7 @@ Curl_polarssl_ - prefix for PolarSSL ones Curl_cyassl_ - prefix for CyaSSL ones Curl_schannel_ - prefix for Schannel SSPI ones + Curl_st_ - prefix for SecureTransport (Darwin) ones Note that this source code uses curlssl_* functions, and they are all defines/macros #defined by the lib-specific header files. @@ -59,6 +60,7 @@ #include "axtls.h" /* axTLS versions */ #include "cyassl.h" /* CyaSSL versions */ #include "curl_schannel.h" /* Schannel SSPI version */ +#include "curl_darwinssl.h" /* SecureTransport (Darwin) version */ #include "sendf.h" #include "rawstr.h" #include "url.h" -- cgit v1.2.1 From 849179ba2739ab9a0ad079384b125d9c1745db5f Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Tue, 26 Jun 2012 14:52:46 +0200 Subject: SSL cleanup: use crypto functions through the sslgen layer curl_ntlm_msgs.c would previously use an #ifdef maze and direct SSL-library calls instead of using the SSL layer we have for this purpose. --- lib/sslgen.c | 15 +++++++++++++++ 1 file changed, 15 insertions(+) (limited to 'lib/sslgen.c') diff --git a/lib/sslgen.c b/lib/sslgen.c index 8cf91f001..286c5ab23 100644 --- a/lib/sslgen.c +++ b/lib/sslgen.c @@ -521,4 +521,19 @@ void Curl_ssl_free_certinfo(struct SessionHandle *data) ci->num_of_certs = 0; } } + +void Curl_ssl_random(struct SessionHandle *data, + unsigned char *entropy, + size_t length) +{ + curlssl_random(data, entropy, length); +} + +void Curl_ssl_md5sum(unsigned char *tmp, /* input */ + size_t tmplen, + unsigned char *md5sum, /* output */ + size_t md5len) +{ + curlssl_md5sum(tmp, tmplen, md5sum, md5len); +} #endif /* USE_SSL */ -- cgit v1.2.1 From 3a4b28d473e7c02fe8d2e30c25861eea2d8d0d22 Mon Sep 17 00:00:00 2001 From: Nick Zitzmann Date: Tue, 26 Jun 2012 21:39:48 +0200 Subject: DarwinSSL: several adjustments - Renamed st_ function prefix to darwinssl_ - Renamed Curl_st_ function prefix to Curl_darwinssl_ - Moved the duplicated ssl_connect_done out of the #ifdef in lib/urldata.h - Fixed a teensy little bug that made non-blocking connection attempts block - Made it so that it builds cleanly against the iOS 5.1 SDK --- lib/sslgen.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'lib/sslgen.c') diff --git a/lib/sslgen.c b/lib/sslgen.c index 286c5ab23..abb628d90 100644 --- a/lib/sslgen.c +++ b/lib/sslgen.c @@ -34,7 +34,7 @@ Curl_polarssl_ - prefix for PolarSSL ones Curl_cyassl_ - prefix for CyaSSL ones Curl_schannel_ - prefix for Schannel SSPI ones - Curl_st_ - prefix for SecureTransport (Darwin) ones + Curl_darwinssl_ - prefix for SecureTransport (Darwin) ones Note that this source code uses curlssl_* functions, and they are all defines/macros #defined by the lib-specific header files. -- cgit v1.2.1 From e3014dcc01af5aac535dce21a9840346829463e8 Mon Sep 17 00:00:00 2001 From: Yang Tse Date: Wed, 27 Jun 2012 17:14:59 +0200 Subject: sslgen.c: add compile-time check for SSL-backend completeness --- lib/sslgen.c | 33 +++++++++++++++++++++++++++++++++ 1 file changed, 33 insertions(+) (limited to 'lib/sslgen.c') diff --git a/lib/sslgen.c b/lib/sslgen.c index abb628d90..96582d3ae 100644 --- a/lib/sslgen.c +++ b/lib/sslgen.c @@ -165,6 +165,39 @@ void Curl_free_ssl_config(struct ssl_config_data* sslc) #ifdef USE_SSL +/* SSL 'backend' compile-time sanity checks */ +#if !defined(curlssl_init) +# error "SSL backend lacks definition for curlssl_init" +#elif !defined(curlssl_cleanup) +# error "SSL backend lacks definition for curlssl_cleanup" +#elif !defined(curlssl_connect) && !defined(curlssl_connect_nonblocking) +# error "SSL backend lacks curlssl_connect or curlssl_connect_nonblocking" +#elif !defined(curlssl_session_free) +# error "SSL backend lacks definition for curlssl_session_free" +#elif !defined(curlssl_close_all) +# error "SSL backend lacks definition for curlssl_close_all" +#elif !defined(curlssl_close) +# error "SSL backend lacks definition for curlssl_close" +#elif !defined(curlssl_shutdown) +# error "SSL backend lacks definition for curlssl_shutdown" +#elif !defined(curlssl_set_engine) +# error "SSL backend lacks definition for curlssl_set_engine" +#elif !defined(curlssl_set_engine_default) +# error "SSL backend lacks definition for curlssl_set_engine_default" +#elif !defined(curlssl_engines_list) +# error "SSL backend lacks definition for curlssl_engines_list" +#elif !defined(curlssl_version) +# error "SSL backend lacks definition for curlssl_version" +#elif !defined(curlssl_check_cxn) +# error "SSL backend lacks definition for curlssl_check_cxn" +#elif !defined(curlssl_data_pending) +# error "SSL backend lacks definition for curlssl_data_pending" +#elif !defined(curlssl_random) +# error "SSL backend lacks definition for curlssl_random" +#elif !defined(curlssl_md5sum) +# error "SSL backend lacks definition for curlssl_md5sum" +#endif + /* "global" init done? */ static bool init_ssl=FALSE; -- cgit v1.2.1 From 54398492462850583274bc51a5c2d1f18e9cc7d0 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Wed, 27 Jun 2012 23:15:56 +0200 Subject: sslgen: avoid compiler error in SSPI builds --- lib/sslgen.c | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'lib/sslgen.c') diff --git a/lib/sslgen.c b/lib/sslgen.c index 96582d3ae..0f8de452a 100644 --- a/lib/sslgen.c +++ b/lib/sslgen.c @@ -555,6 +555,9 @@ void Curl_ssl_free_certinfo(struct SessionHandle *data) } } +#ifndef USE_WINDOWS_SSPI +/* these functions are not used when SSPI is used for NTLM */ + void Curl_ssl_random(struct SessionHandle *data, unsigned char *entropy, size_t length) @@ -569,4 +572,6 @@ void Curl_ssl_md5sum(unsigned char *tmp, /* input */ { curlssl_md5sum(tmp, tmplen, md5sum, md5len); } +#endif /* USE_WINDOWS_SSPI */ + #endif /* USE_SSL */ -- cgit v1.2.1 From 74552acaea279bc96950964b9069378ccc3238f9 Mon Sep 17 00:00:00 2001 From: Yang Tse Date: Thu, 28 Jun 2012 12:49:12 +0200 Subject: sslgen.c: cleanup temporary compile-time SSL-backend check --- lib/sslgen.c | 40 ++++------------------------------------ 1 file changed, 4 insertions(+), 36 deletions(-) (limited to 'lib/sslgen.c') diff --git a/lib/sslgen.c b/lib/sslgen.c index 0f8de452a..8408d58ee 100644 --- a/lib/sslgen.c +++ b/lib/sslgen.c @@ -165,39 +165,6 @@ void Curl_free_ssl_config(struct ssl_config_data* sslc) #ifdef USE_SSL -/* SSL 'backend' compile-time sanity checks */ -#if !defined(curlssl_init) -# error "SSL backend lacks definition for curlssl_init" -#elif !defined(curlssl_cleanup) -# error "SSL backend lacks definition for curlssl_cleanup" -#elif !defined(curlssl_connect) && !defined(curlssl_connect_nonblocking) -# error "SSL backend lacks curlssl_connect or curlssl_connect_nonblocking" -#elif !defined(curlssl_session_free) -# error "SSL backend lacks definition for curlssl_session_free" -#elif !defined(curlssl_close_all) -# error "SSL backend lacks definition for curlssl_close_all" -#elif !defined(curlssl_close) -# error "SSL backend lacks definition for curlssl_close" -#elif !defined(curlssl_shutdown) -# error "SSL backend lacks definition for curlssl_shutdown" -#elif !defined(curlssl_set_engine) -# error "SSL backend lacks definition for curlssl_set_engine" -#elif !defined(curlssl_set_engine_default) -# error "SSL backend lacks definition for curlssl_set_engine_default" -#elif !defined(curlssl_engines_list) -# error "SSL backend lacks definition for curlssl_engines_list" -#elif !defined(curlssl_version) -# error "SSL backend lacks definition for curlssl_version" -#elif !defined(curlssl_check_cxn) -# error "SSL backend lacks definition for curlssl_check_cxn" -#elif !defined(curlssl_data_pending) -# error "SSL backend lacks definition for curlssl_data_pending" -#elif !defined(curlssl_random) -# error "SSL backend lacks definition for curlssl_random" -#elif !defined(curlssl_md5sum) -# error "SSL backend lacks definition for curlssl_md5sum" -#endif - /* "global" init done? */ static bool init_ssl=FALSE; @@ -555,8 +522,9 @@ void Curl_ssl_free_certinfo(struct SessionHandle *data) } } -#ifndef USE_WINDOWS_SSPI -/* these functions are not used when SSPI is used for NTLM */ +#if defined(USE_SSLEAY) || defined(USE_GNUTLS) || defined(USE_NSS) || \ + defined(USE_DARWINSSL) +/* these functions are only used by some SSL backends */ void Curl_ssl_random(struct SessionHandle *data, unsigned char *entropy, @@ -572,6 +540,6 @@ void Curl_ssl_md5sum(unsigned char *tmp, /* input */ { curlssl_md5sum(tmp, tmplen, md5sum, md5len); } -#endif /* USE_WINDOWS_SSPI */ +#endif /* USE_SSLEAY || USE_GNUTLS || USE_NSS || USE_DARWINSSL */ #endif /* USE_SSL */ -- cgit v1.2.1