aboutsummaryrefslogtreecommitdiff
path: root/lib/vtls/nss.c
AgeCommit message (Collapse)Author
2016-10-25nss: fix tight loop in non-blocking TLS handhsake over proxyMartin Frodl
... in case the handshake completes before entering CURLM_STATE_PROTOCONNECT Bug: https://bugzilla.redhat.com/1388162
2016-09-22nss: add chacha20-poly1305 cipher suites if supported by NSSKamil Dudka
2016-09-22nss: add cipher suites using SHA384 if supported by NSSKamil Dudka
2016-09-22nss: fix typo in ecdhe_rsa_null cipher suite stringKamil Dudka
As it seems to be a rarely used cipher suite (for securely established but _unencrypted_ connections), I believe it is fine not to provide an alias for the misspelled variant.
2016-08-26nss: work around race condition in PK11_FindSlotByName()Peter Wang
Serialise the call to PK11_FindSlotByName() to avoid spurious errors in a multi-threaded environment. The underlying cause is a race condition in nssSlot_IsTokenPresent(). Bug: https://bugzilla.mozilla.org/1297397 Closes #985
2016-08-26nss: refuse previously loaded certificate from fileKamil Dudka
... when we are not asked to use a certificate from file
2016-08-17nss: make the global variables staticDaniel Stenberg
2016-06-22internals: rename the SessionHandle struct to Curl_easyDaniel Stenberg
2016-05-09TLS: move the ALPN/NPN enable bits to the connectionDaniel Stenberg
Only protocols that actually have a protocol registered for ALPN and NPN should try to get that negotiated in the TLS handshake. That is only HTTPS (well, http/1.1 and http/2) right now. Previously ALPN and NPN would wrongly be used in all handshakes if libcurl was built with it enabled. Reported-by: Jay Satiro Fixes #789
2016-02-10nss: search slash in forward direction in dup_nickname()Kamil Dudka
It is wasteful to search it backwards if we look for _any_ slash.
2016-02-10nss: do not count enabled cipher-suitesKamil Dudka
We only care if at least one cipher-suite is enabled, so it does not make any sense to iterate till the end and count all enabled cipher-suites.
2016-02-03URLs: change all http:// URLs to https://Daniel Stenberg
2015-12-13http: add libcurl option to allow HTTP/2 for HTTPS onlyDaniel Stenberg
... and stick to 1.1 for HTTP. This is in line with what browsers do and should have very little risk.
2015-09-19ssl: add server cert's "sha256//" hash to verboseDaniel Hwang
Add a "pinnedpubkey" section to the "Server Certificate" verbose Bug: https://github.com/bagder/curl/issues/410 Reported-by: W. Mark Kubacki Closes #430 Closes #410
2015-09-18nss: prevent NSS from incorrectly re-using a sessionKamil Dudka
Without this workaround, NSS re-uses a session cache entry despite the server name does not match. This causes SNI host name to differ from the actual host name. Consequently, certain servers (e.g. github.com) respond by 400 to such requests. Bug: https://bugzilla.mozilla.org/1202264
2015-09-18nss: check return values of NSS functionsKamil Dudka
2015-09-04nss: do not directly access SSL_ImplementedCiphers[]Kamil Dudka
It causes dynamic linking issues at run-time after an update of NSS. Bug: https://lists.fedoraproject.org/pipermail/devel/2015-September/214117.html
2015-07-01SSL: Pinned public key hash supportmoparisthebest
2015-04-27nss: fix compilation failure with old versions of NSSPaul Howarth
Bug: http://curl.haxx.se/mail/lib-2015-04/0095.html
2015-04-22nss: implement public key pinning for NSS backendKamil Dudka
Bug: https://bugzilla.redhat.com/1195771
2015-03-24curl_memory: make curl_memory.h the second-last header file loadedDan Fandrich
This header file must be included after all header files except memdebug.h, as it does similar memory function redefinitions and can be similarly affected by conflicting definitions in system or dependent library headers.
2015-03-21nss: error: unused variable 'connssl'Daniel Stenberg
2015-03-20nss: add support for TLS False StartAlessandro Ghedini
2015-03-18nss: explicitly tell NSS to disable NPN/ALPNKamil Dudka
... if disabled at libcurl level. Otherwise, we would allow to negotiate NPN despite curl was invoked with the --no-npn option.
2015-03-17checksrc: use space after commaDaniel Stenberg
2015-03-16Bug #149: Deletion of unnecessary checks before calls of the function "free"Markus Elfring
The function "free" is documented in the way that no action shall occur for a passed null pointer. It is therefore not needed that a function caller repeats a corresponding check. http://stackoverflow.com/questions/18775608/free-a-null-pointer-anyway-or-check-first This issue was fixed by using the software Coccinelle 1.0.0-rc24. Signed-off-by: Markus Elfring <elfring@users.sourceforge.net>
2015-03-07http2: use CURL_HTTP_VERSION_* symbols instead of NPN_*Daniel Stenberg
Since they already exist and will make comparing easier
2015-03-07nss: make it possible to enable ALPN/NPN without HTTP2Alessandro Ghedini
2015-03-03vtls: use curl_printf.h all overDaniel Stenberg
No need to use _MPRINTF_REPLACE internally.
2015-02-25nss: do not skip Curl_nss_seed() if data is NULLKamil Dudka
In that case, we only skip writing the error message for failed NSS initialization (while still returning the correct error code).
2015-02-25nss: improve error handling in Curl_nss_random()Kamil Dudka
The vtls layer now checks the return value, so it is no longer necessary to abort if a random number cannot be provided by NSS. This also fixes the following Coverity report: Error: FORWARD_NULL (CWE-476): lib/vtls/nss.c:1918: var_compare_op: Comparing "data" to null implies that "data" might be null. lib/vtls/nss.c:1923: var_deref_model: Passing null pointer "data" to "Curl_failf", which dereferences it. lib/sendf.c:154:3: deref_parm: Directly dereferencing parameter "data".
2015-02-19nss: fix NPN/ALPN protocol negotiationAlessandro Ghedini
Correctly check for memcmp() return value (it returns 0 if the strings match). This is not really important, since curl is going to use http/1.1 anyway, but it's still a bug I guess.
2015-01-17vtls: Removed unimplemented overrides of curlssl_close_all()Steve Holme
Carrying on from commit 037cd0d991, removed the following unimplemented instances of curlssl_close_all(): Curl_axtls_close_all() Curl_darwinssl_close_all() Curl_cyassl_close_all() Curl_gskit_close_all() Curl_gtls_close_all() Curl_nss_close_all() Curl_polarssl_close_all()
2015-01-16nss: add support for the Certificate Status Request TLS extensionAlessandro Ghedini
Also known as "status_request" or OCSP stapling, defined in RFC6066 section 8. This requires NSS 3.15 or higher.
2015-01-09NSS: fix compiler error when built http2-enabledDaniel Stenberg
2014-12-28vtls: Fixed compilation warning and an ignored return codeSteve Holme
curl_schannel.h:123: warning: right-hand operand of comma expression has no effect Some instances of the curlssl_close_all() function were declared with a void return type whilst others as int. The schannel version returned CURLE_NOT_BUILT_IN and others simply returned zero, but in all cases the return code was ignored by the calling function Curl_ssl_close_all(). For the time being and to keep the internal API consistent, changed all declarations to use a void return type. To reduce code we might want to consider removing the unimplemented versions and use a void #define like schannel does.
2014-12-27nss: Don't ignore Curl_extract_certinfo() OOM failureSteve Holme
2014-12-27nss: Don't ignore Curl_ssl_init_certinfo() OOM failureSteve Holme
2014-12-27nss: Use 'CURLcode result' for curl result codesSteve Holme
...and don't use CURLE_OK in failure/success comparisons.
2014-12-09http2: avoid logging neg "failure" if h2 was not requestedDaniel Stenberg
2014-10-29nss: drop the code for libcurl-level downgrade to SSLv3Kamil Dudka
This code was already deactivated by commit ec783dc142129d3860e542b443caaa78a6172d56.
2014-10-24SSL: Remove SSLv3 from SSL default due to POODLE attackJay Satiro
- Remove SSLv3 from SSL default in darwinssl, schannel, cyassl, nss, openssl effectively making the default TLS 1.x. axTLS is not affected since it supports only TLS, and gnutls is not affected since it already defaults to TLS 1.x. - Update CURLOPT_SSLVERSION doc
2014-10-20nss: reset SSL handshake state machineKamil Dudka
... when the handshake succeeds This fixes a connection failure when FTPS handle is reused.
2014-10-08nss: do not fail if a CRL is already cachedKamil Dudka
This fixes a copy-paste mistake from commit 2968f957.
2014-07-30vtls: make the random function mandatory in the TLS backendDaniel Stenberg
To force each backend implementation to really attempt to provide proper random. If a proper random function is missing, then we can explicitly make use of the default one we use when TLS support is missing. This commit makes sure it works for darwinssl, gnutls, nss and openssl.
2014-07-28nss: do not check the version of NSS at run timeKamil Dudka
The minimal required version of NSS is 3.14.x so it does not make sense to check for NSS 3.12.0+ at run time.
2014-07-04nss: make the list of CRL items globalKamil Dudka
Otherwise NSS could use an already freed item for another connection.
2014-07-04nss: fix a memory leak when CURLOPT_CRLFILE is usedKamil Dudka
2014-07-04nss: make crl_der allocated on heapKamil Dudka
... and spell it as crl_der instead of crlDER
2014-07-04nss: let nss_{cache,load}_crl return CURLcodeKamil Dudka