aboutsummaryrefslogtreecommitdiff
path: root/lib/nss.c
AgeCommit message (Collapse)Author
2012-12-28build: make use of 76 lib/*.h renamed filesYang Tse
76 private header files renamed to use our standard naming scheme. This change affects 322 files in libcurl's source tree.
2012-12-14setup_once.h: refactor inclusion of <unistd.h> and <sys/socket.h>Yang Tse
Inclusion of top two most included header files now done in setup_once.h
2012-12-03nss: prevent NSS from crashing on client auth hook failureKamil Dudka
Although it is not explicitly stated in the documentation, NSS uses *pRetCert and *pRetKey even if the client authentication hook returns a failure. Namely, if we destroy *pRetCert without clearing *pRetCert afterwards, NSS destroys the certificate once again, which causes a double free. Reported by: Bob Relyea
2012-11-06CURLOPT_SSL_VERIFYHOST: stop supporting the 1 valueDaniel Stenberg
After a research team wrote a document[1] that found several live source codes out there in the wild that misused the CURLOPT_SSL_VERIFYHOST option thinking it was a boolean, this change now bans 1 as a value and will make libcurl return error for it. 1 was never a sensible value to use in production but was introduced back in the days to help debugging. It was always documented clearly this way. 1 was never supported by all SSL backends in libcurl, so this cleanup makes the treatment of it unified. The report's list of mistakes for this option were all PHP code and while there's a binding layer between libcurl and PHP, the PHP team has decided that they have an as thin layer as possible on top of libcurl so they will not alter or specifically filter a 'TRUE' value for this particular option. I sympathize with that position. [1] = http://daniel.haxx.se/blog/2012/10/25/libcurl-claimed-to-be-dangerous/
2012-09-11nss.c: Fixed warning: 'err' may be used uninitialized in this functionMarc Hoersken
2012-08-10white space fix: shorten long lineDaniel Stenberg
... to please checksrc.pl
2012-08-09docs: update the links to cipher-suites supported by NSSKamil Dudka
... and make the list of cipher-suites in nss.c readable by humans. Bug: http://curl.haxx.se/mail/archive-2012-08/0016.html
2012-08-09nss: do not print misleading NSS error codesKamil Dudka
2012-06-28nss.c: #include warnless.h for curlx_uztosi and curlx_uztoui prototypesYang Tse
2012-06-28nss.c: Fixed size_t conversion warningsMarc Hoersken
2012-06-26SSL cleanup: use crypto functions through the sslgen layerDaniel Stenberg
curl_ntlm_msgs.c would previously use an #ifdef maze and direct SSL-library calls instead of using the SSL layer we have for this purpose.
2012-05-28nss: use human-readable error messages provided by NSSKamil Dudka
Bug: http://lists.baseurl.org/pipermail/yum-devel/2012-January/009002.html
2012-05-25nss: avoid using explicit casts of code pointersKamil Dudka
2012-04-16nss.c: fix compiler warningYang Tse
2012-04-13nss.c: fix compiler warningYang Tse
2012-04-13nss: provide human-readable names for NSS errorsKamil Dudka
2012-04-13nss: use NSS_InitContext() to initialize NSS if availableKamil Dudka
NSS_InitContext() was introduced in NSS 3.12.5 and helps to prevent collisions on NSS initialization/shutdown with other libraries. Bug: https://bugzilla.redhat.com/738456
2012-04-13nss: unconditionally require PK11_CreateGenericObject()Kamil Dudka
This bumps the minimal supported version of NSS to 3.12.x.
2012-02-09nss: add support for the CURLSSLOPT_ALLOW_BEAST optionKamil Dudka
... and fix some typos from the 62d15f1 commit.
2011-10-17nss: avoid a SIGSEGV with immature version of NSSKamil Dudka
Bug: https://bugzilla.redhat.com/733685
2011-10-17nss: big cleanup in nss_load_cert() and cert_stuff()Kamil Dudka
2011-10-17nss: refactor fmt_nickname() -> dup_nickname()Kamil Dudka
Do not use artificial nicknames for certificates from files.
2011-10-17nss: select client certificates by DERKamil Dudka
... instead of nicknames, which are not unique.
2011-09-03fix a bunch of MSVC compiler warningsYang Tse
2011-08-15nss: start with no database if the selected database is brokenKamil Dudka
Bug: https://bugzilla.redhat.com/728562
2011-07-26stdio.h, stdlib.h, string.h, stdarg.h and ctype.h inclusion done in setup_once.hYang Tse
2011-04-27source cleanup: unify look, style and indent levelsDaniel Stenberg
By the use of a the new lib/checksrc.pl script that checks that our basic source style rules are followed.
2011-04-20CURL_DOES_CONVERSIONS: cleanupDaniel Stenberg
Massively reduce #ifdefs all over (23 #ifdef lines less so far) Moved conversion-specific code to non-ascii.c
2011-04-08nss: allow to use multiple client certificates for a single hostKamil Dudka
In case a client certificate is used, invalidate SSL session cache at the end of a session. This forces NSS to ask for a new client certificate when connecting second time to the same host. Bug: https://bugzilla.redhat.com/689031
2011-04-04nss: fix a crash within SSL_AuthCertificate()Kamil Dudka
The bug was introduced in 806dbb0 (a wrong value was passed in as the first argument to the default callback in our wrapper).
2011-03-15nss: do not ignore value of CURLOPT_SSL_VERIFYPEERKamil Dudka
When NSS-powered libcurl connected to a SSL server with CURLOPT_SSL_VERIFYPEER equal to zero, NSS remembered that the peer certificate was accepted by libcurl and did not ask the second time when connecting to the same server with CURLOPT_SSL_VERIFYPEER equal to one. This patch turns off the SSL session cache for the particular SSL socket if peer verification is disabled. In order to avoid any performance impact, the peer verification is completely skipped in that case, which makes it even faster than before. Bug: https://bugzilla.redhat.com/678580
2011-02-22nss: do not ignore failure of SSL handshakeKamil Dudka
Flaw introduced in fc77790 and present in curl-7.21.4. Bug: https://bugzilla.redhat.com/669702#c16
2011-02-17nss: avoid memory leak on SSL connection failureKamil Dudka
2011-02-16nss_load_key: fix unused variable warningDaniel Stenberg
2011-01-27nss: avoid memory leaks and failure of NSS shutdownKamil Dudka
... in case more than one CA is loaded. Bug: https://bugzilla.redhat.com/670802
2011-01-18nss: fix a bug in handling of CURLOPT_CAPATHKamil Dudka
... and update the curl.1 and curl_easy_setopt.3 man pages such that they do not suggest to use an OpenSSL utility if curl is not built against OpenSSL. Bug: https://bugzilla.redhat.com/669702
2011-01-04Curl_timeleft: s/conn/data in first argumentDaniel Stenberg
As the function doesn't really use the connectdata struct but only the SessionHanadle struct I modified what argument it wants.
2011-01-04nss: avoid CURLE_OUT_OF_MEMORY given a file name without any slashKamil Dudka
Bug: https://bugzilla.redhat.com/623663
2011-01-02Curl_nss_connect: avoid PATH_MAXDaniel Stenberg
Since some systems don't have PATH_MAX and it isn't that clever to assume a fixed maximum path length, the code now allocates buffer space instead of using stack. Reported by: Samuel Thibault Bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=608521
2010-06-30http_ntlm: add support for NSSKamil Dudka
When configured with '--without-ssl --with-nss', NTLM authentication now uses NSS crypto library for MD5 and DES. For MD4 we have a local implementation in that case. More details are available at https://bugzilla.redhat.com/603783 In order to get it working, curl_global_init() must be called with CURL_GLOBAL_SSL or CURL_GLOBAL_ALL. That's necessary because NSS needs to be initialized globally and we do so only when the NSS library is actually required by protocol. The mentioned call of curl_global_init() is responsible for creating of the initialization mutex. There was also slightly changed the NSS initialization scenario, in particular, loading of the NSS PEM module. It used to be loaded always right after the NSS library was initialized. Now the library is initialized as soon as any SSL or NTLM is required, while the PEM module is prevented from being loaded until the SSL is actually required.
2010-05-11sendrecv: make them two pairs of send/recv to properly deal with FTPSHoward Chu
FTP(S) use two connections that can be set to different recv and send functions independently, so by introducing recv+send pairs in the same manner we already have sockets/connections we can work with FTPS fine. This commit fixes the FTPS regression introduced in change d64bd82.
2010-05-11nss: make it possible to read ASCII and DER CRLKamil Dudka
2010-05-11nss: add CRL to cache instead of read-only NSS dbKamil Dudka
2010-05-07sendrecv: split the I/O handling into private handlerHoward Chu
Howard Chu brought the bulk work of this patch that properly moves out the sending and recving of data to the parts of the code that are properly responsible for the various ways of doing so. Daniel Stenberg assisted with polishing a few bits and fixed some minor flaws in the original patch. Another upside of this patch is that we now abuse CURLcodes less with the "magic" -1 return codes and instead use CURLE_AGAIN more consistently.
2010-04-24nss: fix SSL handshake timeout underflowKamil Dudka
2010-04-06nss: handle client certificate related errorsKamil Dudka
2010-04-04refactorize interface of Curl_ssl_recv/Curl_ssl_sendKamil Dudka
2010-03-31fix compiler warning with a cast.Guenter Knauf
2010-03-24remove the CVSish $Id$ linesDaniel Stenberg
2010-02-17use curl standard indentation and line lengthsDaniel Stenberg