aboutsummaryrefslogtreecommitdiff
path: root/lib/vtls/nss.c
AgeCommit message (Collapse)Author
2015-03-16Bug #149: Deletion of unnecessary checks before calls of the function "free"Markus Elfring
The function "free" is documented in the way that no action shall occur for a passed null pointer. It is therefore not needed that a function caller repeats a corresponding check. http://stackoverflow.com/questions/18775608/free-a-null-pointer-anyway-or-check-first This issue was fixed by using the software Coccinelle 1.0.0-rc24. Signed-off-by: Markus Elfring <elfring@users.sourceforge.net>
2015-03-07http2: use CURL_HTTP_VERSION_* symbols instead of NPN_*Daniel Stenberg
Since they already exist and will make comparing easier
2015-03-07nss: make it possible to enable ALPN/NPN without HTTP2Alessandro Ghedini
2015-03-03vtls: use curl_printf.h all overDaniel Stenberg
No need to use _MPRINTF_REPLACE internally.
2015-02-25nss: do not skip Curl_nss_seed() if data is NULLKamil Dudka
In that case, we only skip writing the error message for failed NSS initialization (while still returning the correct error code).
2015-02-25nss: improve error handling in Curl_nss_random()Kamil Dudka
The vtls layer now checks the return value, so it is no longer necessary to abort if a random number cannot be provided by NSS. This also fixes the following Coverity report: Error: FORWARD_NULL (CWE-476): lib/vtls/nss.c:1918: var_compare_op: Comparing "data" to null implies that "data" might be null. lib/vtls/nss.c:1923: var_deref_model: Passing null pointer "data" to "Curl_failf", which dereferences it. lib/sendf.c:154:3: deref_parm: Directly dereferencing parameter "data".
2015-02-19nss: fix NPN/ALPN protocol negotiationAlessandro Ghedini
Correctly check for memcmp() return value (it returns 0 if the strings match). This is not really important, since curl is going to use http/1.1 anyway, but it's still a bug I guess.
2015-01-17vtls: Removed unimplemented overrides of curlssl_close_all()Steve Holme
Carrying on from commit 037cd0d991, removed the following unimplemented instances of curlssl_close_all(): Curl_axtls_close_all() Curl_darwinssl_close_all() Curl_cyassl_close_all() Curl_gskit_close_all() Curl_gtls_close_all() Curl_nss_close_all() Curl_polarssl_close_all()
2015-01-16nss: add support for the Certificate Status Request TLS extensionAlessandro Ghedini
Also known as "status_request" or OCSP stapling, defined in RFC6066 section 8. This requires NSS 3.15 or higher.
2015-01-09NSS: fix compiler error when built http2-enabledDaniel Stenberg
2014-12-28vtls: Fixed compilation warning and an ignored return codeSteve Holme
curl_schannel.h:123: warning: right-hand operand of comma expression has no effect Some instances of the curlssl_close_all() function were declared with a void return type whilst others as int. The schannel version returned CURLE_NOT_BUILT_IN and others simply returned zero, but in all cases the return code was ignored by the calling function Curl_ssl_close_all(). For the time being and to keep the internal API consistent, changed all declarations to use a void return type. To reduce code we might want to consider removing the unimplemented versions and use a void #define like schannel does.
2014-12-27nss: Don't ignore Curl_extract_certinfo() OOM failureSteve Holme
2014-12-27nss: Don't ignore Curl_ssl_init_certinfo() OOM failureSteve Holme
2014-12-27nss: Use 'CURLcode result' for curl result codesSteve Holme
...and don't use CURLE_OK in failure/success comparisons.
2014-12-09http2: avoid logging neg "failure" if h2 was not requestedDaniel Stenberg
2014-10-29nss: drop the code for libcurl-level downgrade to SSLv3Kamil Dudka
This code was already deactivated by commit ec783dc142129d3860e542b443caaa78a6172d56.
2014-10-24SSL: Remove SSLv3 from SSL default due to POODLE attackJay Satiro
- Remove SSLv3 from SSL default in darwinssl, schannel, cyassl, nss, openssl effectively making the default TLS 1.x. axTLS is not affected since it supports only TLS, and gnutls is not affected since it already defaults to TLS 1.x. - Update CURLOPT_SSLVERSION doc
2014-10-20nss: reset SSL handshake state machineKamil Dudka
... when the handshake succeeds This fixes a connection failure when FTPS handle is reused.
2014-10-08nss: do not fail if a CRL is already cachedKamil Dudka
This fixes a copy-paste mistake from commit 2968f957.
2014-07-30vtls: make the random function mandatory in the TLS backendDaniel Stenberg
To force each backend implementation to really attempt to provide proper random. If a proper random function is missing, then we can explicitly make use of the default one we use when TLS support is missing. This commit makes sure it works for darwinssl, gnutls, nss and openssl.
2014-07-28nss: do not check the version of NSS at run timeKamil Dudka
The minimal required version of NSS is 3.14.x so it does not make sense to check for NSS 3.12.0+ at run time.
2014-07-04nss: make the list of CRL items globalKamil Dudka
Otherwise NSS could use an already freed item for another connection.
2014-07-04nss: fix a memory leak when CURLOPT_CRLFILE is usedKamil Dudka
2014-07-04nss: make crl_der allocated on heapKamil Dudka
... and spell it as crl_der instead of crlDER
2014-07-04nss: let nss_{cache,load}_crl return CURLcodeKamil Dudka
2014-07-02nss: make the fallback to SSLv3 work againKamil Dudka
This feature was unintentionally disabled by commit ff92fcfb.
2014-07-02nss: do not abort on connection failureKamil Dudka
... due to calling SSL_VersionRangeGet() with NULL file descriptor reported-by: upstream tests 305 and 404
2014-04-25nss: propagate blocking direction from NSPR I/OKamil Dudka
... during the non-blocking SSL handshake
2014-04-22nss: implement non-blocking SSL handshakeKamil Dudka
2014-04-22nss: split Curl_nss_connect() into 4 functionsKamil Dudka
2014-03-31http2: remove _DRAFT09 from the NPN_HTTP2 enumDaniel Stenberg
We're progressing throught drafts so there's no point in having a fixed one in a symbol that'll survive.
2014-03-15nss: allow to enable/disable new AES GCM cipher-suitesKamil Dudka
... if built against a new enough version of NSS
2014-03-15nss: allow to enable/disable new HMAC-SHA256 cipher-suitesKamil Dudka
... if built against a new enough version of NSS
2014-03-15nss: do not enable AES cipher-suites by defaultKamil Dudka
... but allow them to be enabled/disabled explicitly. The default policy should be maintained at the NSS level.
2014-03-03NSS: avoid compiler warnings when built without http2 supportDaniel Stenberg
2014-02-10NPN/ALPN: allow disabling via command lineFabian Frank
when using --http2 one can now selectively disable NPN or ALPN with --no-alpn and --no-npn. for now honored with NSS only. TODO: honor this option with GnuTLS and OpenSSL
2014-02-10nss: use correct preprocessor macroFabian Frank
SSL_ENABLE_ALPN can be used for preprocessor ALPN feature detection, but not SSL_NEXT_PROTO_SELECTED, since it is an enum value and not a preprocessor macro.
2014-02-07nss: support pre-ALPN versionsDaniel Stenberg
2014-02-07nss: ALPN and NPN supportFabian Frank
Add ALPN and NPN support for NSS. This allows cURL to negotiate HTTP/2.0 connections when built with NSS.
2014-02-06nss: Updated copyright year for recent editsSteve Holme
2014-02-06nss: prefer highest available TLS versionFabian Frank
Offer TLSv1.0 to 1.2 by default, still fall back to SSLv3 if --tlsv1[.N] was not specified on the command line.
2014-01-29nss: do not use the NSS_ENABLE_ECC defineKamil Dudka
It is not provided by NSS public headers. Bug: https://bugzilla.redhat.com/1058776
2014-01-29nss: do not fail if NSS does not implement a cipherKamil Dudka
... that the user does not ask for
2013-12-26vtls: Updated comments referencing sslgen.c and ssluse.cSteve Holme
2013-12-26vtls: Fixed up include of vtls.hSteve Holme
2013-12-20vtls: moved all TLS/SSL source and header files into subdirDaniel Stenberg