Login
[x]
Log in using an account from:
Fedora Account System
Red Hat Associate
Red Hat Customer
Or login using a Red Hat Bugzilla account
Forgot Password
Login:
Hide Forgot
Create an Account
Red Hat Bugzilla – Attachment 236101 Details for
Bug 336701
RFE : cURL 7.17.0 is available
[?]
New
Simple Search
Advanced Search
My Links
Browse
Requests
Reports
Current State
Search
Tabular reports
Graphical reports
Duplicates
Other Reports
User Changes
Plotly Reports
Bug Status
Bug Severity
Non-Defaults
|
Product Dashboard
Help
Page Help!
Bug Writing Guidelines
What's new
Browser Support Policy
5.0.4.rh83 Release notes
FAQ
Guides index
User guide
Web Services
Contact
Legal
This site requires JavaScript to be enabled to function correctly, please enable it.
[patch]
forwardported NSS patch, just in case you want to give it a try.
curl-7.17.0-nsspem.patch (text/plain), 21.39 KB, created by
Jindrich Novy
on 2007-10-24 11:39:54 UTC
(
hide
)
Description:
forwardported NSS patch, just in case you want to give it a try.
Filename:
MIME Type:
Creator:
Jindrich Novy
Created:
2007-10-24 11:39:54 UTC
Size:
21.39 KB
patch
obsolete
>diff -up curl-7.17.0/configure.nsspem curl-7.17.0/configure >--- curl-7.17.0/configure.nsspem 2007-09-02 23:53:27.000000000 +0200 >+++ curl-7.17.0/configure 2007-09-14 10:46:23.000000000 +0200 >@@ -27270,7 +27270,7 @@ echo "$as_me: WARNING: Use --with-ssl, - > fi > > >-if test X"$USE_GNUTLS$OPENSSL_ENABLED" != "X"; then >+if test X"$USE_NSS$USE_GNUTLS$OPENSSL_ENABLED" != "X"; then > > { echo "$as_me:$LINENO: checking CA cert bundle install path" >&5 > echo $ECHO_N "checking CA cert bundle install path... $ECHO_C" >&6; } >diff -up curl-7.17.0/configure.ac.nsspem curl-7.17.0/configure.ac >--- curl-7.17.0/configure.ac.nsspem 2007-09-02 23:53:15.000000000 +0200 >+++ curl-7.17.0/configure.ac 2007-09-14 10:46:23.000000000 +0200 >@@ -1520,7 +1520,7 @@ dnl ************************************ > dnl Check for the CA bundle > dnl ********************************************************************** > >-if test X"$USE_GNUTLS$OPENSSL_ENABLED" != "X"; then >+if test X"$USE_NSS$USE_GNUTLS$OPENSSL_ENABLED" != "X"; then > > AC_MSG_CHECKING([CA cert bundle install path]) > >diff -up curl-7.17.0/lib/nss.c.nsspem curl-7.17.0/lib/nss.c >--- curl-7.17.0/lib/nss.c.nsspem 2007-09-02 23:53:15.000000000 +0200 >+++ curl-7.17.0/lib/nss.c 2007-09-14 10:51:41.000000000 +0200 >@@ -55,6 +55,7 @@ > #include <ssl.h> > #include <sslerr.h> > #include <secerr.h> >+#include <secmod.h> > #include <sslproto.h> > #include <prtypes.h> > #include <pk11pub.h> >@@ -69,10 +70,19 @@ > #define min(a, b) ((a) < (b) ? (a) : (b)) > #endif > >+#define SSL_DIR "/etc/pki/nssdb" >+ >+/* enough to fit the string "PEM Token #[0|1]" */ >+#define SLOTSIZE 13 >+ > PRFileDesc *PR_ImportTCPSocket(PRInt32 osfd); > > static int initialized = 0; >-static int noverify = 0; >+static int verify_done = 0; >+char * select_nickname = NULL; >+ >+/* Global so our callbacks can update as appropriate */ >+static int curlerr; > > #define HANDSHAKE_TIMEOUT 30 > >@@ -87,15 +97,25 @@ typedef struct { > PRInt32 version; /* protocol version valid for this cipher */ > } cipher_s; > >-/* the table itself is defined in nss_engine_init.c */ > #ifdef NSS_ENABLE_ECC > #define ciphernum 48 > #else > #define ciphernum 23 > #endif > >+#define PK11_SETATTRS(x,id,v,l) \ >+ do { \ >+ (x)->type = (id); \ >+ (x)->pValue=(v); \ >+ (x)->ulValueLen = (l); \ >+ } while (0) >+ >+#define CERT_NewTempCertificate __CERT_NewTempCertificate >+ > enum sslversion { SSL2 = 1, SSL3 = 2, TLS = 4 }; > >+pphrase_arg_t *parg = NULL; >+ > static const cipher_s cipherlist[ciphernum] = { > /* SSL2 cipher suites */ > {"rc4", SSL_EN_RC4_128_WITH_MD5, SSL2}, >@@ -154,6 +174,9 @@ static const cipher_s cipherlist[ciphern > #endif > }; > >+const char* pem_library = "libnsspem.so"; >+static SECMODModule* mod = NULL; >+ > static SECStatus set_ciphers(struct SessionHandle *data, PRFileDesc * model, > char *cipher_list) > { >@@ -197,9 +220,7 @@ static SECStatus set_ciphers(struct Sess > } > > if(found == PR_FALSE) { >- char buf[1024]; >- snprintf(buf, 1024, "Unknown cipher in list: %s", cipher); >- failf(data, buf); >+ failf(data, "Unknown cipher in list: %s", cipher); > return SECFailure; > } > >@@ -220,27 +241,240 @@ static SECStatus set_ciphers(struct Sess > return SECSuccess; > } > >+/* >+ * Determine whether the nickname passed in is a filename that needs to >+ * be loaded as a PEM or a regular NSS nickname. >+ * >+ * returns 1 for a file >+ * returns 0 for not a file (NSS nickname) >+ */ >+static int is_file(const char *filename) { >+ struct stat st; >+ >+ if (filename == NULL) >+ return 0; >+ >+ if (stat(filename, &st) == 0) { >+ if (S_ISREG(st.st_mode)) >+ return 1; >+ } >+ return 0; >+} >+ >+static int >+nss_load_cert(struct SessionHandle *data, const char *filename, PRBool cacert) >+{ >+ CERTCertificate *cert; >+ void *proto_win = NULL; >+ CK_SLOT_ID slotID; >+ PK11SlotInfo * slot = NULL; >+ PK11GenericObject *rv; >+ CK_ATTRIBUTE *attrs; >+ CK_ATTRIBUTE theTemplate[20]; >+ CK_BBOOL cktrue = CK_TRUE; >+ CK_BBOOL ckfalse = CK_FALSE; >+ CK_OBJECT_CLASS objClass = CKO_CERTIFICATE; >+ char *nickname = NULL; >+ char *slotname = NULL; >+ char *n; >+ >+ /* If there is no slash in the filename it is assumed to be a regular >+ * NSS nickname. >+ */ >+ if (is_file(filename)) { >+ n = strrchr(filename, '/'); >+ if (n) >+ n++; >+ } else { >+ /* A nickname from the NSS internal database */ >+ nickname = strdup(filename); >+ goto done; >+ } >+ >+ attrs = theTemplate; >+ >+ /* All CA and trust objects go into slot 0. Other slots are used >+ * for storing certificates. With each new user certificate we increment >+ * the slot count. We only support 1 user certificate right now. >+ */ >+ if (cacert) { >+ slotID = 0; >+ } else { >+ slotID = 1; >+ } >+ >+ slotname = (char *)malloc(SLOTSIZE); >+ nickname = (char *)malloc(PATH_MAX); >+ snprintf(slotname, SLOTSIZE, "PEM Token #%ld", slotID); >+ snprintf(nickname, PATH_MAX, "PEM Token #%ld:%s", slotID, n); >+ >+ slot = PK11_FindSlotByName(slotname); >+ >+ if (!slot) { >+ free(slotname); >+ free(nickname); >+ return 0; >+ } >+ >+ PK11_SETATTRS(attrs, CKA_CLASS, &objClass, sizeof(objClass) ); attrs++; >+ PK11_SETATTRS(attrs, CKA_TOKEN, &cktrue, sizeof(CK_BBOOL) ); attrs++; >+ PK11_SETATTRS(attrs, CKA_LABEL, (unsigned char *)filename, strlen(filename)+1); attrs++; >+ if (cacert) { >+ PK11_SETATTRS(attrs, CKA_TRUST, &cktrue, sizeof(CK_BBOOL) ); attrs++; >+ } else { >+ PK11_SETATTRS(attrs, CKA_TRUST, &ckfalse, sizeof(CK_BBOOL) ); attrs++; >+ } >+ >+ /* This load the certificate in our PEM module into the appropriate >+ * slot. >+ */ >+ rv = PK11_CreateGenericObject(slot, theTemplate, 4, PR_FALSE /* isPerm */); >+ >+ PK11_FreeSlot(slot); >+ >+ free(slotname); >+ if (rv == NULL) { >+ free(nickname); >+ return 0; >+ } >+ >+done: >+ /* Double-check that the certificate or nickname requested exists in >+ * either the token or the NSS certificate database. >+ */ >+ if (!cacert) { >+ cert = PK11_FindCertFromNickname((char *)nickname, proto_win); >+ >+ /* An invalid nickname was passed in */ >+ if (cert == NULL) { >+ PR_SetError(SEC_ERROR_UNKNOWN_CERT, 0); >+ return 0; >+ } >+ >+ CERT_DestroyCertificate(cert); >+ } >+ free(nickname); >+ >+ return 1; >+} >+ >+static int nss_load_key(char *key_file) >+{ >+ PK11SlotInfo * slot = NULL; >+ PK11GenericObject *rv; >+ CK_ATTRIBUTE *attrs; >+ CK_ATTRIBUTE theTemplate[20]; >+ CK_BBOOL cktrue = CK_TRUE; >+ CK_OBJECT_CLASS objClass = CKO_PRIVATE_KEY; >+ CK_SLOT_ID slotID; >+ char *slotname = NULL; >+ >+ attrs = theTemplate; >+ >+ /* FIXME: grok the various file types */ >+ >+ /* FIXME: shouldn't be hardcoded */ >+ slotID = 1; >+ >+ slotname = (char *)malloc(SLOTSIZE); >+ snprintf(slotname, SLOTSIZE, "PEM Token #%ld", slotID); >+ >+ slot = PK11_FindSlotByName(slotname); >+ free(slotname); >+ >+ if (!slot) { >+ return 0; >+ } >+ >+ PK11_SETATTRS(attrs, CKA_CLASS, &objClass, sizeof(objClass) ); attrs++; >+ PK11_SETATTRS(attrs, CKA_TOKEN, &cktrue, sizeof(CK_BBOOL) ); attrs++; >+ PK11_SETATTRS(attrs, CKA_LABEL, (unsigned char *)key_file, strlen(key_file)+1); attrs++; >+ >+ /* When adding an encrypted key the PKCS#11 will be set as removed */ >+ rv = PK11_CreateGenericObject(slot, theTemplate, 3, PR_FALSE /* isPerm */); >+ if (rv == NULL) { >+ PR_SetError(SEC_ERROR_BAD_KEY, 0); >+ return 0; >+ } >+ >+ /* This will force the token to be seen as re-inserted */ >+ PK11_IsPresent(slot); >+ >+ parg->retryCount = 0; >+ /* parg is initialized in nss_Init_Tokens() */ >+ if (PK11_Authenticate(slot, PR_TRUE, parg) != SECSuccess) { >+ return 0; >+ } >+ >+ return 1; >+} >+ >+static int display_error(struct connectdata *conn, PRInt32 err, const char *filename) { >+ switch(err) { >+ case SEC_ERROR_BAD_PASSWORD: >+ failf(conn->data, "Unable to load client key: Incorrect password\n"); >+ return 1; >+ case SEC_ERROR_UNKNOWN_CERT: >+ failf(conn->data, "Unable to load certificate %s\n", filename); >+ return 1; >+ } >+ return 0; /* The caller will print a generic error */ >+} >+ >+static int cert_stuff(struct connectdata *conn, char *cert_file, char *key_file) >+{ >+ struct SessionHandle *data = conn->data; >+ int rv = 0; >+ >+ if (cert_file) >+ rv = nss_load_cert(data, cert_file, PR_FALSE); >+ if (!rv) { >+ if (!display_error(conn, PR_GetError(), cert_file)) >+ failf(data, "Unable to load client cert %d.", PR_GetError()); >+ return 0; >+ } >+ if (key_file || (is_file(cert_file) )) { >+ if (key_file) >+ rv = nss_load_key(key_file); >+ else >+ rv = nss_load_key(cert_file); >+ if (!rv) { >+ if (!display_error(conn, PR_GetError(), key_file)) >+ failf(data, "Unable to load client key %d.", PR_GetError()); >+ >+ return 0; >+ } >+ } >+ return 1; >+} >+ > static char * nss_get_password(PK11SlotInfo * slot, PRBool retry, void *arg) > { > pphrase_arg_t *parg = (pphrase_arg_t *) arg; >- (void)slot; /* unused */ >- (void)retry; /* unused */ >+ parg->retryCount++; >+ if (parg->retryCount > 2) >+ return NULL; > if(parg->data->set.str[STRING_KEY_PASSWD]) > return (char *)PORT_Strdup((char *)parg->data->set.str[STRING_KEY_PASSWD]); > else > return NULL; > } > >-static SECStatus nss_Init_Tokens(struct connectdata * conn) >+static char * nss_no_password(PK11SlotInfo *slot, PRBool retry, void *arg) >+{ >+ return NULL; >+} >+ >+static SECStatus nss_Init_Tokens(struct SessionHandle *data) > { > PK11SlotList *slotList; > PK11SlotListElement *listEntry; > SECStatus ret, status = SECSuccess; >- pphrase_arg_t *parg; > >- parg = (pphrase_arg_t *) malloc(sizeof(*parg)); >+ if (!parg) >+ parg = (pphrase_arg_t *) malloc(sizeof(*parg)); > parg->retryCount = 0; >- parg->data = conn->data; >+ parg->data = data; > > PK11_SetPasswordFunc(nss_get_password); > >@@ -253,10 +487,10 @@ static SECStatus nss_Init_Tokens(struct > > if(PK11_NeedLogin(slot) && PK11_NeedUserInit(slot)) { > if(slot == PK11_GetInternalKeySlot()) { >- failf(conn->data, "The NSS database has not been initialized.\n"); >+ failf(data, "The NSS database has not been initialized.\n"); > } > else { >- failf(conn->data, "The token %s has not been initialized.", >+ failf(data, "The token %s has not been initialized.", > PK11_GetTokenName(slot)); > } > PK11_FreeSlot(slot); >@@ -265,6 +499,8 @@ static SECStatus nss_Init_Tokens(struct > > ret = PK11_Authenticate(slot, PR_TRUE, parg); > if(SECSuccess != ret) { >+ if (PR_GetError() == SEC_ERROR_BAD_PASSWORD) >+ infof(data, "The password for token '%s' is incorrect\n", PK11_GetTokenName(slot)); > status = SECFailure; > break; > } >@@ -272,15 +508,59 @@ static SECStatus nss_Init_Tokens(struct > PK11_FreeSlot(slot); > } > >- free(parg); > return status; > } > > static SECStatus BadCertHandler(void *arg, PRFileDesc * socket) > { > SECStatus success = SECSuccess; >- (void)arg; >- (void)socket; >+ struct connectdata *conn = (struct connectdata *)arg; >+ PRErrorCode err = PR_GetError(); >+ CERTCertificate *cert = NULL; >+ char *subject, *issuer; >+ >+ if (verify_done) >+ return success; >+ >+ verify_done = 1; >+ cert = SSL_PeerCertificate(socket); >+ subject = CERT_NameToAscii(&cert->subject); >+ issuer = CERT_NameToAscii(&cert->issuer); >+ CERT_DestroyCertificate(cert); >+ >+ switch(err) { >+ case SEC_ERROR_CA_CERT_INVALID: >+ infof(conn->data, "Issuer certificate is invalid: '%s'\n", issuer); >+ if (conn->data->set.ssl.verifypeer) >+ success = SECFailure; >+ break; >+ case SEC_ERROR_UNTRUSTED_ISSUER: >+ if (conn->data->set.ssl.verifypeer) >+ success = SECFailure; >+ infof(conn->data, "Certificate is signed by an untrusted issuer: '%s'\n", issuer); >+ break; >+ case SSL_ERROR_BAD_CERT_DOMAIN: >+ if (conn->data->set.ssl.verifypeer) >+ success = SECFailure; >+ infof(conn->data, "common name: %s (does not match '%s')\n", >+ subject, conn->host.dispname); >+ break; >+ case SEC_ERROR_EXPIRED_CERTIFICATE: >+ if (conn->data->set.ssl.verifypeer) >+ success = SECFailure; >+ infof(conn->data, "Remote Certificate has expired.\n"); >+ break; >+ default: >+ if (conn->data->set.ssl.verifypeer) >+ success = SECFailure; >+ infof(conn->data, "Bad certificate received. Subject = '%s', Issuer = '%s'\n", subject, issuer); >+ break; >+ } >+ if (success == SECSuccess) >+ infof(conn->data, "SSL certificate verify ok.\n"); >+ PR_Free(subject); >+ PR_Free(issuer); >+ curlerr = CURLE_SSL_CACERT; > > return success; > } >@@ -295,6 +575,52 @@ static SECStatus HandshakeCallback(PRFil > return SECSuccess; > } > >+static void display_conn_info(struct connectdata *conn, PRFileDesc * socket) >+{ >+ SSLChannelInfo channel; >+ SSLCipherSuiteInfo suite; >+ CERTCertificate *cert; >+ char *subject, *issuer, *common_name; >+ PRExplodedTime printableTime; >+ char timeString[256]; >+ PRTime notBefore, notAfter; >+ >+ if (SSL_GetChannelInfo(socket, &channel, sizeof channel) == >+ SECSuccess && channel.length == sizeof channel && >+ channel.cipherSuite) { >+ if (SSL_GetCipherSuiteInfo(channel.cipherSuite, >+ &suite, sizeof suite) == SECSuccess) { >+ infof(conn->data, "SSL connection using %s\n", suite.cipherSuiteName); >+ } >+ } >+ >+ infof(conn->data, "Server certificate:\n"); >+ >+ cert = SSL_PeerCertificate(socket); >+ subject = CERT_NameToAscii(&cert->subject); >+ issuer = CERT_NameToAscii(&cert->issuer); >+ common_name = CERT_GetCommonName(&cert->subject); >+ infof(conn->data, "\tsubject: %s\n", subject); >+ >+ CERT_GetCertTimes(cert, ¬Before, ¬After); >+ PR_ExplodeTime(notBefore, PR_GMTParameters, &printableTime); >+ PR_FormatTime(timeString, 256, "%b %d %H:%M:%S %Y GMT", &printableTime); >+ infof(conn->data, "\tstart date: %s\n", timeString); >+ PR_ExplodeTime(notAfter, PR_GMTParameters, &printableTime); >+ PR_FormatTime(timeString, 256, "%b %d %H:%M:%S %Y GMT", &printableTime); >+ infof(conn->data, "\texpire date: %s\n", timeString); >+ infof(conn->data, "\tcommon name: %s\n", common_name); >+ infof(conn->data, "\tissuer: %s\n", issuer); >+ >+ PR_Free(subject); >+ PR_Free(issuer); >+ PR_Free(common_name); >+ >+ CERT_DestroyCertificate(cert); >+ >+ return; >+} >+ > /** > * > * Callback to pick the SSL client certificate. >@@ -309,24 +635,42 @@ static SECStatus SelectClientCert(void * > char *nickname = (char *)arg; > void *proto_win = NULL; > SECStatus secStatus = SECFailure; >+ PK11SlotInfo *slot; > (void)caNames; > > proto_win = SSL_RevealPinArg(socket); > >+ if (!nickname) >+ return secStatus; >+ > cert = PK11_FindCertFromNickname(nickname, proto_win); > if(cert) { >- privKey = PK11_FindKeyByAnyCert(cert, proto_win); >- if(privKey) { >- secStatus = SECSuccess; >- } >- else { >- CERT_DestroyCertificate(cert); >+ >+ if (!strncmp(nickname, "PEM Token", 9)) { >+ CK_SLOT_ID slotID = 1; /* hardcoded for now */ >+ char * slotname = (char *)malloc(SLOTSIZE); >+ snprintf(slotname, SLOTSIZE, "PEM Token #%ld", slotID); >+ slot = PK11_FindSlotByName(slotname); >+ privKey = PK11_FindPrivateKeyFromCert(slot, cert, NULL); >+ PK11_FreeSlot(slot); >+ free(slotname); >+ if(privKey) { >+ secStatus = SECSuccess; >+ } >+ } else { >+ privKey = PK11_FindKeyByAnyCert(cert, proto_win); >+ if(privKey) { >+ secStatus = SECSuccess; >+ } > } > } > > if(secStatus == SECSuccess) { > *pRetCert = cert; > *pRetKey = privKey; >+ } else { >+ if (cert) >+ CERT_DestroyCertificate(cert); > } > > return secStatus; >@@ -392,6 +736,8 @@ void Curl_nss_close(struct connectdata * > PR_Close(connssl->handle); > connssl->handle = NULL; > } >+ if (select_nickname) >+ free(select_nickname); > } > > /* >@@ -413,31 +759,52 @@ CURLcode Curl_nss_connect(struct connect > curl_socket_t sockfd = conn->sock[sockindex]; > struct ssl_connect_data *connssl = &conn->ssl[sockindex]; > SECStatus rv; >- int curlerr = CURLE_SSL_CONNECT_ERROR; >+ char *configstring = NULL; >+ char *certDir = NULL; >+ >+ curlerr = CURLE_SSL_CONNECT_ERROR; >+ certDir = getenv("SSL_DIR"); /* Look in $SSL_DIR */ >+ >+ if (!certDir) { >+ struct stat st; >+ >+ if (stat(SSL_DIR, &st) == 0) >+ if (S_ISDIR(st.st_mode)) { >+ certDir = "/etc/pki/nssdb"; >+ } >+ } > > /* FIXME. NSS doesn't support multiple databases open at the same time. */ > if(!initialized) { >- if(!data->set.ssl.CAfile) { >- if(data->set.ssl.verifypeer) { >- failf(data, "No NSS cacert database specified."); >- return CURLE_SSL_CACERT_BADFILE; >- } >- else { >- rv = NSS_NoDB_Init(NULL); >- noverify = 1; >- } >+ if(!certDir) { >+ rv = NSS_NoDB_Init(NULL); > } > else { >- rv = NSS_Initialize(data->set.ssl.CAfile, NULL, NULL, "secmod.db", >+ rv = NSS_Initialize(certDir, NULL, NULL, "secmod.db", > NSS_INIT_READONLY); > } > if(rv != SECSuccess) { > curlerr = CURLE_SSL_CACERT_BADFILE; > goto error; > } >- } >+ configstring = (char *)malloc(4096); >+ >+ NSS_SetDomesticPolicy(); > >- NSS_SetDomesticPolicy(); >+ PR_snprintf(configstring, 4096, "library=%s name=PEM", pem_library); >+// PR_snprintf(configstring, 4096, "library=%s name=PEM parameters=\"NSS=\"trustorder=75\"\"", pem_library); >+// PR_snprintf(configstring, 4096, "library=/usr/lib/libnsspem.so name=PEM parameters=\"/etc/pki/tls/certs/ca-bundle.crt\" NSS=\"trustorder=75\""); >+ >+ mod = SECMOD_LoadUserModule(configstring, NULL, PR_FALSE); >+ if (!mod || !mod->loaded) { >+ if (mod) { >+ SECMOD_DestroyModule(mod); >+ mod = NULL; >+ } >+ infof(data, "WARNING: failed to load NSS PEM library %s. Using OpenSSL PEM certificates will not work.\n", pem_library); >+ } >+ free(configstring); >+ } > > model = PR_NewTCPSocket(); > if(!model) >@@ -477,27 +844,92 @@ CURLcode Curl_nss_connect(struct connect > goto error; > > if(data->set.ssl.cipher_list) { >- if(set_ciphers(data, model, data->set.ssl.cipher_list) != SECSuccess) >+ if(set_ciphers(data, model, data->set.ssl.cipher_list) != SECSuccess) { >+ curlerr = CURLE_SSL_CIPHER; > goto error; >+ } > } > >- if(SSL_BadCertHook(model, (SSLBadCertHandler) BadCertHandler, NULL) >- != SECSuccess) >+ if(SSL_BadCertHook(model, (SSLBadCertHandler) BadCertHandler, conn) >+ != SECSuccess) { > goto error; >+ } > if(SSL_HandshakeCallback(model, (SSLHandshakeCallback) HandshakeCallback, > NULL) != SECSuccess) > goto error; > >+ if (mod && data->set.ssl.CAfile) { >+ rv = nss_load_cert(data, data->set.ssl.CAfile, PR_TRUE); >+ } else if (data->set.ssl.CApath) { >+ struct stat st; >+ PRDir *dir; >+ PRDirEntry *entry; >+ >+ if (stat(data->set.ssl.CApath, &st) == -1) >+ curlerr = CURLE_SSL_CACERT_BADFILE; >+ goto error; >+ >+ if (S_ISDIR(st.st_mode)) { >+ dir = PR_OpenDir(data->set.ssl.CApath); >+ int rv; >+ do { >+ entry = PR_ReadDir(dir, PR_SKIP_BOTH | PR_SKIP_HIDDEN); >+ >+ if (entry) { >+ char fullpath[PATH_MAX]; >+ >+ snprintf(fullpath, sizeof(fullpath), "%s/%s", data->set.ssl.CApath, entry->name); >+ rv = nss_load_cert(data, fullpath, PR_TRUE); >+ } >+ /* This is purposefully tolerant of errors so non-PEM files >+ * can be in the same directory */ >+ } while (entry != NULL); >+ PR_CloseDir(dir); >+ } >+ } >+ infof(data, >+ " CAfile: %s\n" >+ " CApath: %s\n", >+ data->set.ssl.CAfile ? data->set.ssl.CAfile : "none", >+ data->set.ssl.CApath ? data->set.ssl.CApath : "none"); >+ > if(data->set.str[STRING_CERT]) { >+ char * n; >+ char * nickname; >+ >+ nickname = (char *)malloc(PATH_MAX); >+ if (is_file(data->set.str[STRING_CERT])) { >+ n = strrchr(data->set.str[STRING_CERT], '/'); >+ if (n) { >+ n++; /* skip last slash */ >+ snprintf(nickname, PATH_MAX, "PEM Token #%ld:%s", 1, n); >+ } >+ } else { >+ strncpy(nickname, data->set.str[STRING_CERT], PATH_MAX); >+ } >+ if(nss_Init_Tokens(conn->data) != SECSuccess) { >+ free(nickname); >+ goto error; >+ } >+ if (!cert_stuff(conn, data->set.str[STRING_CERT], data->set.str[STRING_KEY])) { >+ /* failf() is already done in cert_stuff() */ >+ free(nickname); >+ return CURLE_SSL_CERTPROBLEM; >+ } >+ >+ select_nickname = strdup(nickname); > if(SSL_GetClientAuthDataHook(model, > (SSLGetClientAuthData) SelectClientCert, >- (void *)data->set.str[STRING_CERT]) != >- SECSuccess) { >+ (void *)select_nickname) != SECSuccess) { > curlerr = CURLE_SSL_CERTPROBLEM; > goto error; > } >- if(nss_Init_Tokens(conn) != SECSuccess) >- goto error; >+ >+ free(nickname); >+ free(parg); >+ >+ /* No longer return the password, lets us free parg */ >+ PK11_SetPasswordFunc(nss_no_password); > } > > /* Import our model socket onto the existing file descriptor */ >@@ -505,6 +937,7 @@ CURLcode Curl_nss_connect(struct connect > connssl->handle = SSL_ImportFD(model, connssl->handle); > if(!connssl->handle) > goto error; >+ PR_Close(model); /* We don't need this any more */ > > /* Force handshake on next I/O */ > SSL_ResetHandshake(connssl->handle, /* asServer */ PR_FALSE); >@@ -514,14 +947,17 @@ CURLcode Curl_nss_connect(struct connect > /* Force the handshake now */ > if (SSL_ForceHandshakeWithTimeout(connssl->handle, > PR_SecondsToInterval(HANDSHAKE_TIMEOUT)) >- != SECSuccess) >+ != SECSuccess) { > goto error; >+ } >+ >+ display_conn_info(conn, connssl->handle); > > return CURLE_OK; > > error: > err = PR_GetError(); >- failf(data, "NSS error %d", err); >+ infof(data, "NSS error %d\n", err); > if(model) > PR_Close(model); > return curlerr;
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=236101">View the attachment on a separate page</a>.</b>
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 336701
: 236101