Diffstat (limited to 'libs/libcurl/src/vtls/nss.c')
-rw-r--r-- | libs/libcurl/src/vtls/nss.c | 92 |
1 files changed, 50 insertions, 42 deletions
diff --git a/libs/libcurl/src/vtls/nss.c b/libs/libcurl/src/vtls/nss.c
index 1582b1e580..cf657895f6 100644
--- a/libs/libcurl/src/vtls/nss.c
+++ b/libs/libcurl/src/vtls/nss.c
@@ -433,7 +433,7 @@ static char *dup_nickname(struct Curl_easy *data, const char *str)
 n = strchr(str, '/');
 if(!n) {
 infof(data, "warning: certificate file name \"%s\" handled as nickname; "
- "please use \"./%s\" to force file name\n", str, str);
+ "please use \"./%s\" to force file name", str, str);
 return strdup(str);
 }
@@ -824,7 +824,7 @@ static SECStatus nss_auth_cert_hook(void *arg, PRFileDesc *fd, PRBool checksig,
 #endif
 if(!SSL_CONN_CONFIG(verifypeer)) {
- infof(data, "skipping SSL peer certificate verification\n");
+ infof(data, "skipping SSL peer certificate verification");
 return SECSuccess;
 }
@@ -857,15 +857,15 @@ static void HandshakeCallback(PRFileDesc *sock, void *arg)
 #endif
 case SSL_NEXT_PROTO_NO_SUPPORT:
 case SSL_NEXT_PROTO_NO_OVERLAP:
- infof(data, "ALPN/NPN, server did not agree to a protocol\n");
+ infof(data, "ALPN/NPN, server did not agree to a protocol");
 return;
 #ifdef SSL_ENABLE_ALPN
 case SSL_NEXT_PROTO_SELECTED:
- infof(data, "ALPN, server accepted to use %.*s\n", buflen, buf);
+ infof(data, "ALPN, server accepted to use %.*s", buflen, buf);
 break;
 #endif
 case SSL_NEXT_PROTO_NEGOTIATED:
- infof(data, "NPN, server accepted to use %.*s\n", buflen, buf);
+ infof(data, "NPN, server accepted to use %.*s", buflen, buf);
 break;
 }
@@ -937,7 +937,7 @@ static SECStatus CanFalseStartCallback(PRFileDesc *sock, void *client_data,
 *canFalseStart = PR_TRUE;
- infof(data, "Trying TLS False Start\n");
+ infof(data, "Trying TLS False Start");
 end:
 return SECSuccess;
@@ -955,17 +955,17 @@ static void display_cert_info(struct Curl_easy *data,
 subject = CERT_NameToAscii(&cert->subject);
 issuer = CERT_NameToAscii(&cert->issuer);
 common_name = CERT_GetCommonName(&cert->subject);
- infof(data, "\tsubject: %s\n", subject);
+ infof(data, "subject: %s\n", subject);
 CERT_GetCertTimes(cert, ¬Before, ¬After);
 PR_ExplodeTime(notBefore, PR_GMTParameters, &printableTime);
 PR_FormatTime(timeString, 256, "%b %d %H:%M:%S %Y GMT", &printableTime);
- infof(data, "\tstart date: %s\n", timeString);
+ infof(data, " start date: %s", timeString);
 PR_ExplodeTime(notAfter, PR_GMTParameters, &printableTime);
 PR_FormatTime(timeString, 256, "%b %d %H:%M:%S %Y GMT", &printableTime);
- infof(data, "\texpire date: %s\n", timeString);
- infof(data, "\tcommon name: %s\n", common_name);
- infof(data, "\tissuer: %s\n", issuer);
+ infof(data, " expire date: %s", timeString);
+ infof(data, " common name: %s", common_name);
+ infof(data, " issuer: %s", issuer);
 PR_Free(subject);
 PR_Free(issuer);
@@ -987,13 +987,13 @@ static CURLcode display_conn_info(struct Curl_easy *data, PRFileDesc *sock)
 channel.cipherSuite) {
 if(SSL_GetCipherSuiteInfo(channel.cipherSuite, &suite, sizeof(suite)) == SECSuccess) {
- infof(data, "SSL connection using %s\n", suite.cipherSuiteName);
+ infof(data, "SSL connection using %s", suite.cipherSuiteName);
 }
 }
 cert = SSL_PeerCertificate(sock);
 if(cert) {
- infof(data, "Server certificate:\n");
+ infof(data, "Server certificate:");
 if(!data->set.ssl.certinfo) {
 display_cert_info(data, cert);
@@ -1058,7 +1058,7 @@ static SECStatus BadCertHandler(void *arg, PRFileDesc *sock)
 /* print only info about the cert, the error is printed off the callback */
 cert = SSL_PeerCertificate(sock);
 if(cert) {
- infof(data, "Server certificate:\n");
+ infof(data, "Server certificate:");
 display_cert_info(data, cert);
 CERT_DestroyCertificate(cert);
 }
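Review bot: The rewritten `subject` line in display_cert_info is inconsistent with its siblings in the same hunk: it keeps the trailing `\n` and loses its leading indent, whereas start date, expire date, common name and issuer all drop the `\n` and gain a leading space. Presumably infof now terminates the line itself (every other hunk in this commit strips `\n`), so the verbose output will show an unindented subject followed by an empty line. The line should read `infof(data, " subject: %s", subject);`. display_cert_info starts and ends outside the hunk.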
@@ -1132,7 +1132,7 @@ static CURLcode cmp_peer_pubkey(struct ssl_connect_data *connssl,
 /* report the resulting status */
 switch(result) {
 case CURLE_OK:
- infof(data, "pinned public key verified successfully!\n");
+ infof(data, "pinned public key verified successfully!");
 break;
 case CURLE_SSL_PINNEDPUBKEYNOTMATCH:
 failf(data, "failed to verify pinned public key");
@@ -1196,7 +1196,7 @@ static SECStatus SelectClientCert(void *arg, PRFileDesc *sock,
 return SECFailure;
 }
- infof(data, "NSS: client certificate from file\n");
+ infof(data, "NSS: client certificate from file");
 display_cert_info(data, cert);
 *pRetCert = cert;
@@ -1234,7 +1234,7 @@ static SECStatus SelectClientCert(void *arg, PRFileDesc *sock,
 return SECFailure;
 }
- infof(data, "NSS: using client certificate: %s\n", nickname);
+ infof(data, "NSS: using client certificate: %s", nickname);
 display_cert_info(data, *pRetCert);
 return SECSuccess;
 }
@@ -1355,7 +1355,7 @@ static CURLcode nss_init_core(struct Curl_easy *data, const char *cert_dir)
 if(!certpath)
 return CURLE_OUT_OF_MEMORY;
- infof(data, "Initializing NSS with certpath: %s\n", certpath);
+ infof(data, "Initializing NSS with certpath: %s", certpath);
 nss_context = NSS_InitContext(certpath, "", "", "", &initparams, NSS_INIT_READONLY | NSS_INIT_PK11RELOAD);
 free(certpath);
@@ -1365,10 +1365,10 @@ static CURLcode nss_init_core(struct Curl_easy *data, const char *cert_dir)
 err = PR_GetError();
 err_name = nss_error_to_name(err);
- infof(data, "Unable to initialize NSS database: %d (%s)\n", err, err_name);
+ infof(data, "Unable to initialize NSS database: %d (%s)", err, err_name);
 }
- infof(data, "Initializing NSS with certpath: none\n");
+ infof(data, "Initializing NSS with certpath: none");
 nss_context = NSS_InitContext("", "", "", "", &initparams, NSS_INIT_READONLY | NSS_INIT_NOCERTDB | NSS_INIT_NOMODDB | NSS_INIT_FORCEOPEN | NSS_INIT_NOROOTINIT | NSS_INIT_OPTIMIZESPACE | NSS_INIT_PK11RELOAD);
@@ -1546,6 +1546,14 @@ static void close_one(struct ssl_connect_data *connssl)
 const bool client_cert = (backend->client_nickname != NULL) || (backend->obj_clicert != NULL);
+ if(backend->handle) {
+ char buf[32];
+ /* Maybe the server has already sent a close notify alert.
+ Read it to avoid an RST on the TCP connection. */
+ (void)PR_Recv(backend->handle, buf, (int)sizeof(buf), 0,
+ PR_INTERVAL_NO_WAIT);
+ }
+
 free(backend->client_nickname);
 backend->client_nickname = NULL;
@@ -1650,8 +1658,8 @@ static CURLcode nss_load_ca_certificates(struct Curl_easy *data,
 if(capath && !capath[0])
 capath = NULL;
- infof(data, " CAfile: %s\n", cafile ? cafile : "none");
- infof(data, " CApath: %s\n", capath ? capath : "none");
+ infof(data, " CAfile: %s", cafile ? cafile : "none");
+ infof(data, " CApath: %s", capath ? capath : "none");
 /* load libnssckbi.so if no other trust roots were specified */
 use_trust_module = !cafile && !capath;
@@ -1660,7 +1668,7 @@ static CURLcode nss_load_ca_certificates(struct Curl_easy *data,
 if(use_trust_module && !trust_module) {
 /* libnssckbi.so needed but not yet loaded --> load it! */
 result = nss_load_module(&trust_module, trust_library, "trust");
- infof(data, "%s %s\n", (result) ? "failed to load" : "loaded",
+ infof(data, "%s %s", (result) ? "failed to load" : "loaded",
 trust_library);
 if(result == CURLE_FAILED_INIT)
 /* If libnssckbi.so is not available (or fails to load), one can still
@@ -1669,7 +1677,7 @@ static CURLcode nss_load_ca_certificates(struct Curl_easy *data,
 }
 else if(!use_trust_module && trust_module) {
 /* libnssckbi.so not needed but already loaded --> unload it! */
- infof(data, "unloading %s\n", trust_library);
+ infof(data, "unloading %s", trust_library);
 nss_unload_module(&trust_module);
 }
 PR_Unlock(nss_trustload_lock);
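Review bot: The drain read added to close_one discards PR_Recv's return value and whatever NSPR error it sets without saying that this is intentional, and a single 32-byte non-blocking read consumes at most one small record, so a close_notify queued behind pending application data presumably stays unread and the RST the comment wants to avoid still happens. If backend->handle can be non-NULL before the handshake has completed (this hunk does not show where it is set), the read may also drive further handshake work rather than just consume an alert, which is worth stating. I would extend the comment to: `/* Best effort: the result and any NSPR error are deliberately ignored; PR_INTERVAL_NO_WAIT keeps this non-blocking and the handle is closed regardless. */` close_one continues outside the hunk.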
@@ -1702,7 +1710,7 @@ static CURLcode nss_load_ca_certificates(struct Curl_easy *data,
 if(CURLE_OK != nss_load_cert(&conn->ssl[sockindex], fullpath, PR_TRUE))
 /* This is purposefully tolerant of errors so non-PEM files can
 * be in the same directory */
- infof(data, "failed to load '%s' from CURLOPT_CAPATH\n", fullpath);
+ infof(data, "failed to load '%s' from CURLOPT_CAPATH", fullpath);
 free(fullpath);
 }
@@ -1710,7 +1718,7 @@ static CURLcode nss_load_ca_certificates(struct Curl_easy *data,
 PR_CloseDir(dir);
 }
 else
- infof(data, "warning: CURLOPT_CAPATH not a directory (%s)\n", capath);
+ infof(data, "warning: CURLOPT_CAPATH not a directory (%s)", capath);
 }
 return CURLE_OK;
@@ -1813,7 +1821,7 @@ static CURLcode nss_fail_connect(struct ssl_connect_data *connssl,
 curlerr = CURLE_SSL_CERTPROBLEM;
 /* print the error number and error string */
- infof(data, "NSS error %d (%s)\n", err, nss_error_to_name(err));
+ infof(data, "NSS error %d (%s)", err, nss_error_to_name(err));
 /* print a human-readable message describing the error if available */
 nss_print_error_message(data, err);
@@ -1887,7 +1895,7 @@ static CURLcode nss_setup_connect(struct Curl_easy *data,
 PR_Unlock(nss_initlock);
 if(result == CURLE_FAILED_INIT)
 infof(data, "WARNING: failed to load NSS PEM library %s. Using "
- "OpenSSL PEM certificates will not work.\n", pem_library);
+ "OpenSSL PEM certificates will not work.", pem_library);
 else if(result)
 goto error;
@@ -1922,8 +1930,8 @@ static CURLcode nss_setup_connect(struct Curl_easy *data,
 sslver_req_str = nss_sslver_to_name(sslver.max);
 sslver_supp_str = nss_sslver_to_name(sslver_supported.max);
 if(sslver_req_str && sslver_supp_str)
- infof(data, "Falling back from %s to max supported SSL version (%s)\n",
- sslver_req_str, sslver_supp_str);
+ infof(data, "Falling back from %s to max supported SSL version (%s)",
+ sslver_req_str, sslver_supp_str);
 free(sslver_req_str);
 free(sslver_supp_str);
 sslver.max = sslver_supported.max;
@@ -1936,11 +1944,11 @@ static CURLcode nss_setup_connect(struct Curl_easy *data,
 /* unless the user explicitly asks to allow the protocol vulnerability, we use the work-around */
 if(SSL_OptionSet(model, SSL_CBC_RANDOM_IV, ssl_cbc_random_iv) != SECSuccess)
- infof(data, "warning: failed to set SSL_CBC_RANDOM_IV = %d\n",
+ infof(data, "warning: failed to set SSL_CBC_RANDOM_IV = %d",
 ssl_cbc_random_iv);
 #else
 if(ssl_cbc_random_iv)
- infof(data, "warning: support for SSL_CBC_RANDOM_IV not compiled in\n");
+ infof(data, "warning: support for SSL_CBC_RANDOM_IV not compiled in");
 #endif
 if(SSL_CONN_CONFIG(cipher_list)) {
@@ -1951,7 +1959,7 @@ static CURLcode nss_setup_connect(struct Curl_easy *data,
 }
 if(!SSL_CONN_CONFIG(verifypeer) && SSL_CONN_CONFIG(verifyhost))
- infof(data, "warning: ignoring value of ssl.verifyhost\n");
+ infof(data, "warning: ignoring value of ssl.verifyhost");
 /* bypass the default SSL_AuthCertificate() hook in case we do not want to
 * verify peer */
@@ -1971,7 +1979,7 @@ static CURLcode nss_setup_connect(struct Curl_easy *data,
 const CURLcode rv = nss_load_ca_certificates(data, conn, sockindex);
 if((rv == CURLE_SSL_CACERT_BADFILE) && !SSL_CONN_CONFIG(verifypeer))
 /* not a fatal error because we are not going to verify the peer */
- infof(data, "warning: CA certificates failed to load\n");
+ infof(data, "warning: CA certificates failed to load");
 else if(rv) {
 result = rv;
 goto error;
@@ -1984,7 +1992,7 @@ static CURLcode nss_setup_connect(struct Curl_easy *data,
 result = rv;
 goto error;
 }
- infof(data, " CRLfile: %s\n", SSL_SET_OPTION(CRLfile));
+ infof(data, " CRLfile: %s", SSL_SET_OPTION(CRLfile));
 }
 if(SSL_SET_OPTION(primary.clientcert)) {
@@ -2179,9 +2187,9 @@ static CURLcode nss_do_connect(struct Curl_easy *data,
 if(result)
 goto error;
- if(SSL_SET_OPTION(issuercert)) {
+ if(SSL_CONN_CONFIG(issuercert)) {
 SECStatus ret = SECFailure;
- char *nickname = dup_nickname(data, SSL_SET_OPTION(issuercert));
+ char *nickname = dup_nickname(data, SSL_CONN_CONFIG(issuercert));
 if(nickname) {
 /* we support only nicknames in case of issuercert for now */
 ret = check_issuer_cert(backend->handle, nickname);
@@ -2189,12 +2197,12 @@ static CURLcode nss_do_connect(struct Curl_easy *data,
 }
 if(SECFailure == ret) {
- infof(data, "SSL certificate issuer check failed\n");
+ infof(data, "SSL certificate issuer check failed");
 result = CURLE_SSL_ISSUER_ERROR;
 goto error;
 }
 else {
- infof(data, "SSL certificate issuer check ok\n");
+ infof(data, "SSL certificate issuer check ok");
 }
 }
@@ -2306,7 +2314,7 @@ static ssize_t nss_send(struct Curl_easy *data, /* transfer */
 else {
 /* print the error number and error string */
 const char *err_name = nss_error_to_name(err);
- infof(data, "SSL write: error %d (%s)\n", err, err_name);
+ infof(data, "SSL write: error %d (%s)", err, err_name);
 /* print a human-readable message describing the error if available */
 nss_print_error_message(data, err);
@@ -2348,7 +2356,7 @@ static ssize_t nss_recv(struct Curl_easy *data, /* transfer */
 else {
 /* print the error number and error string */
 const char *err_name = nss_error_to_name(err);
- infof(data, "SSL read: errno %d (%s)\n", err, err_name);
+ infof(data, "SSL read: errno %d (%s)", err, err_name);
 /* print a human-readable message describing the error if available */
 nss_print_error_message(data, err);
@@ -2427,7 +2435,7 @@ static bool nss_false_start(void)
 }
 static void *nss_get_internals(struct ssl_connect_data *connssl,
- CURLINFO info UNUSED_PARAM)
+ CURLINFO info UNUSED_PARAM)
 {
 struct ssl_backend_data *backend = connssl->backend;
 (void)info; |
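Review bot: When dup_nickname returns NULL for the issuercert value, `ret` keeps its SECFailure initialiser and the caller reports CURLE_SSL_ISSUER_ERROR with only "SSL certificate issuer check failed" logged, which reads as a genuine issuer mismatch rather than an unsupported input. From the comment on the `if(nickname)` branch, NULL presumably covers the case where the value is not a nickname (and, per the dup_nickname hunk above, a strdup failure), so the user gets no hint that a file path is not accepted here. I would add an else branch to the nickname check: `else infof(data, "SSL certificate issuer check: only NSS nicknames are supported, not a file path");`. nss_do_connect starts and ends outside the hunk.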