aboutsummaryrefslogtreecommitdiff
path: root/lib/nss.c
AgeCommit message (Collapse)Author
2009-08-28- Improved error message for not matching certificate subject name inKamil Dudka
libcurl-NSS. Originally reported at: https://bugzilla.redhat.com/show_bug.cgi?id=516056#c9
2009-08-13- Changed NSS code to not ignore the value of ssl.verifyhost and produce moreKamil Dudka
verbose error messages. Originally reported at: https://bugzilla.redhat.com/show_bug.cgi?id=516056
2009-07-20- Claes Jakobsson improved the support for client certificates handlingKamil Dudka
in NSS-powered libcurl. Now the client certificates can be selected automatically by a NSS built-in hook. Additionally pre-login to all PKCS11 slots is no more performed. It used to cause problems with HW tokens. - Fixed reference counting for NSS client certificates. Now the PEM reader module should be always properly unloaded on Curl_nss_cleanup(). If the unload fails though, libcurl will try to reuse the already loaded instance.
2009-06-08- Claes Jakobsson provided a patch for libcurl-NSS that fixed a bad refcountDaniel Stenberg
issue with client certs that caused issues like segfaults. http://curl.haxx.se/mail/lib-2009-05/0316.html
2009-05-28Fixed a few comment typos (from the FreeBSD ports)Dan Fandrich
2009-05-27- Claes Jakobsson fixed libcurl-NSS to build fine even without theDaniel Stenberg
PK11_CreateGenericObject() function.
2009-05-11- Kamil Dudka provided a fix for libcurl-NSS reported by Michael CronenworthDaniel Stenberg
at https://bugzilla.redhat.com/show_bug.cgi?id=453612#c12 If an incorrect password is given while loading a private key, libcurl ends up in an infinite loop consuming memory. The bug is critical.
2009-04-24- Kamil Dudka fixed another NSS-related leak when client certs were used.Daniel Stenberg
2009-04-21libcurl's memory.h renamed to curl_memory.hYang Tse
2009-04-14Kamil Dudka's follow-up fixDaniel Stenberg
2009-04-13- Toshio Kuratomi reported a memory leak problem with libcurl+NSS that turnedDaniel Stenberg
out to be leaking cacerts. Kamil Dudka helped me complete the fix. The issue is found in Redhat's bug tracker: https://bugzilla.redhat.com/show_bug.cgi?id=453612 There are still memory leaks present, but they seem to have other reasons.
2009-03-18- Kamil Dudka brought a patch that enables 6 additional crypto algorithms whenDaniel Stenberg
NSS is used. These ciphers were added in NSS 3.4 and require to be enabled explicitly.
2009-02-27Indentation fixes, untabify and related whitespace-cleanup. No code changed.Daniel Stenberg
2009-02-17- Kamil Dudka made NSS-powered builds compile and run again!Daniel Stenberg
2009-01-07fix compiler warningsDaniel Stenberg
2009-01-07- Rob Crittenden did once again provide an NSS update:Daniel Stenberg
I have to jump through a few hoops now with the NSS library initialization since another part of an application may have already initialized NSS by the time Curl gets invoked. This patch is more careful to only shutdown the NSS library if Curl did the initialization. It also adds in a bit of code to set the default ciphers if the app that call NSS_Init* did not call NSS_SetDomesticPolicy() or set specific ciphers. One might argue that this lets other application developers get lazy and/or they aren't using the NSS API correctly, and you'd be right. But still, this will avoid terribly difficult-to-trace crashes and is generally helpful.
2008-11-15based on a report by Jim Meyering, I went over and added checks for returnDaniel Stenberg
codes for all calls to malloc and strdup that were missing. I also changed a few malloc(13) to use arrays on the stack and a few malloc(PATH_MAX) to instead use aprintf() to lower memory use. I also fixed a memory leak in Curl_nss_connect() when CURLOPT_ISSUERCERT is in use.
2008-10-16Renamed Curl_ascii_equal to Curl_raw_equal and bugfixed the my_toupper functionDaniel Stenberg
used in strequal.c so now all test cases run fine for me again.
2008-10-15- Pascal Terjan filed bug #2154627Daniel Stenberg
(http://curl.haxx.se/bug/view.cgi?id=2154627) which pointed out that libcurl uses strcasecmp() in multiple places where it causes failures when the Turkish locale is used. This is because 'i' and 'I' isn't the same letter so strcasecmp() on those letters are different in Turkish than in English (or just about all other languages). I thus introduced a totally new internal function in libcurl (called Curl_ascii_equal) for doing case insentive comparisons for english-(ascii?) style strings that thus will make "file" and "FILE" match even if the Turkish locale is selected.
2008-09-23- Rob Crittenden brought a patch to "add some locking for thread-safety to NSSDaniel Stenberg
implementation".
2008-09-06remove unnecessary typecasting of malloc()Yang Tse
2008-09-04Made some variables constDan Fandrich
2008-09-04fix print formatting string directivesYang Tse
2008-06-21made Curl_nss_send() take const data to kill compiler warningDaniel Stenberg
2008-06-20- Phil Pellouchoud found a case where libcurl built with NSS failed toDaniel Stenberg
handshake with a SSLv2 server, and it turned out to be because it didn't recognize the cipher named "rc4-md5". In our list that cipher was named plainly "rc4". I've now added rc4-md5 to work as an alias as Phil reported that it made things work for him again.
2008-06-19Removed the #define of ciphernum since keeping a define updated to be theDaniel Stenberg
number of entries in a provided table is doomed to fail in the long run. Now we use the NUM_OF_CIPHERS define instead to figure out the amount.
2008-06-19s/strcasecmp/strequal to make it more portableDaniel Stenberg
2008-06-18- Rob Crittenden brought a fix for the NSS layer that makes libcurl no longerDaniel Stenberg
always fire up a new connection rather than using the existing one when the multi interface is used. Original bug report: https://bugzilla.redhat.com/show_bug.cgi?id=450140
2008-06-18removed warning about unused argument by simply removing that argument fromDaniel Stenberg
the check_issuer_cert() proto
2008-06-18check_issuer_cert() now builds and there's one warning less. Still one compilerDaniel Stenberg
warning in the code though but we need NSS' base64.h header for that and we don't currently have a suitable way to include it as our own base64.h header kind of "blocks" it.
2008-06-12fixed bad infof() usage!Daniel Stenberg
2008-06-11- I did a cleanup of the internal generic SSL layer and how the various SSLDaniel Stenberg
libraries are supported. Starting now, each underlying SSL library support code does a set of defines for the 16 functions the generic layer (sslgen.c) uses (all these new function defines use the prefix "curlssl_"). This greatly simplified the generic layer in readability by involving much less #ifdefs and other preprocessor stuff and should make it easier for people to make libcurl work with new SSL libraries. Hopefully I can later on document these 16 functions somewhat as well. I also made most of the internal SSL-dependent functions (using Curl_ssl_ prefix) #defined to nothing when no SSL support is requested - previously they would unnecessarily call mostly empty functions.
2008-06-06code style cleanupDaniel Stenberg
2008-06-06- Axel Tillequin and Arnaud Ebalard added support for CURLOPT_ISSUERCERT, forDaniel Stenberg
OpenSSL, NSS and GnuTLS-built libcurls.
2008-06-06- Axel Tillequin and Arnaud Ebalard added support for CURLOPT_CRLFILE, forDaniel Stenberg
OpenSSL, NSS and GnuTLS-built libcurls.
2008-05-26fix: preprocessor complaining about macro redefinitionYang Tse
2008-02-20- Based on initial work done by Gautam Kachroo to address a bug, we now keepDaniel Stenberg
better control at the exact state of the connection's SSL status so that we know exactly when it has completed the SSL negotiation or not so that there won't be accidental re-uses of connections that are wrongly believed to be in SSL-completed-negotiate state.
2008-02-19applied patch to disable SSLv2 by default; discussion:Gunter Knauf
http://sourceforge.net/tracker/index.php?func=detail&aid=1767276&group_id=976&atid=350976 Submitted by Kaspar Brand.
2008-01-15Calls to Curl_failf() are not supposed to provide a trailing newline as theDaniel Stenberg
function itself adds that. Fixed on 50 or something strings!
2007-11-05removed space after if and while before the parenthesis for better source codeDaniel Stenberg
consistency
2007-10-25Made libcurl built with NSS possible to ignore the peer verification.Daniel Stenberg
Previously it would fail if the ca bundle wasn't present, even if the code ignored the verification results.
2007-10-25prevent compiler warnings about shadowing and one case of unused variableDaniel Stenberg
2007-09-18Rob Crittenden provided an NSS update with the following highlights:Daniel Stenberg
o It looks for the NSS database first in the environment variable SSL_DIR, then in /etc/pki/nssdb, then it initializes with no database if neither of those exist. o If the NSS PKCS#11 libnspsem.so driver is available then PEM files may be loaded, including the ca-bundle. If it is not available then only certificates already in the NSS database are used. o Tries to detect whether a file or nickname is being passed in so the right thing is done o Added a bit of code to make the output more like the OpenSSL module, including displaying the certificate information when connecting in verbose mode o Improved handling of certificate errors (expired, untrusted, etc) The libnsspem.so PKCS#11 module is currently only available in Fedora 8/rawhide. Work will be done soon to upstream it. The NSS module will work with or without it, all that changes is the source of the certificates and keys.
2007-08-30Renamed several libcurl error codes and options to make them more generalDan Fandrich
and allow reuse by multiple protocols. Several unused error codes were removed. In all cases, macros were added to preserve source (and binary) compatibility with the old names. These macros are subject to removal at a future date, but probably not before 2009. An application can be tested to see if it is using any obsolete code by compiling it with the CURL_NO_OLDIES macro defined. Documented some newer error codes in libcurl-error(3)
2007-08-24Remove leading space in curl_version_info ss_version field.Patrick Monnerat
2007-08-01Patrick Monnerat and I modified libcurl so that now it *copies* all stringsDaniel Stenberg
passed to it with curl_easy_setopt()! Previously it has always just refered to the data, forcing the user to keep the data around until libcurl is done with it. That is now history and libcurl will instead clone the given strings and keep private copies.
2007-07-29Bug report #1759542 (http://curl.haxx.se/bug/view.cgi?id=1759542). A bad useDaniel Stenberg
of a socket after it has been closed, when the FTP-SSL data connection is taken down.
2007-07-20Made some const arrays static to avoid unnecessary stack usage.Dan Fandrich
2007-05-25Rob Crittenden fixed bug #1705802Daniel Stenberg
(http://curl.haxx.se/bug/view.cgi?id=1705802), which was filed by Daniel Black identifying several FTP-SSL test cases fail when we build libcurl with NSS for TLS/SSL. Listed as #42 in KNOWN_BUGS.
2007-02-26Removed inclusion of <sys/types.h> and <sys/stat.h> in .c-filesGisle Vanem
since they're already included through "setup.h".