
Rob Crittenden added support for NSS (Network Security Service) for the

1 parent 28b932f; commit 7f70dbcad58eb7183d129860192d6968dd7063a1; committed by @bagder on Feb 12, 2007
Showing with 907 additions and 29 deletions.
  1. +5 −0 CHANGES
  2. +3 −1 RELEASE-NOTES
  3. +78 −5 configure.ac
  4. +6 −4 docs/FAQ
  5. +2 −2 docs/FEATURES
  6. +3 −0 docs/INSTALL
  7. +10 −0 docs/LICENSE-MIXING
  8. +3 −5 docs/TODO
  9. +11 −0 docs/curl.1
  10. +20 −3 docs/libcurl/curl_easy_setopt.3
  11. +3 −4 lib/Makefile.inc
  12. +12 −0 lib/http.c
  13. +605 −0 lib/nss.c
  14. +57 −0 lib/nssg.h
  15. +2 −2 lib/setup.h
  16. +69 −2 lib/sslgen.c
  17. +7 −0 lib/urldata.h
  18. +11 −1 tests/runtests.pl
+5 −0 CHANGES
@@ -7,6 +7,11 @@
Changelog
Daniel (12 February 2007)
+- Rob Crittenden added support for NSS (Network Security Service) for the
+ SSL/TLS layer. http://www.mozilla.org/projects/security/pki/nss/
+
+ This is the fourth supported library for TLS/SSL that libcurl supports!
+
- Shmulik Regev fixed so that the final CRLF of HTTP response headers are sent
to the debug callback.
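Review bot: the library's name is "Network Security Services" (plural), so the expansion in the first added line should read "NSS (Network Security Services)"; the commit message carries the same expansion and should be corrected if it is re-edited. The "fourth supported library" claim is consistent with the FAQ change in this commit, which lists OpenSSL, GnuTLS, yassl and NSS.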
+3 −1 RELEASE-NOTES
@@ -14,6 +14,7 @@ This release includes the following changes:
o Added CURLOPT_TIMEOUT_MS and CURLOPT_CONNECTTIMEOUT_MS
o Added CURLOPT_HTTP_CONTENT_DECODING, CURLOPT_HTTP_TRANSFER_DECODING and
--raw
+ o Added support for using the NSS library for TLS/SSL
This release includes the following bugfixes:
@@ -36,6 +37,7 @@ New curl mirrors:
This release would not have looked like this without help, code, reports and
advice from friends like these:
- Yang Tse, Manfred Schwarb, Michael Wallner, Jeff Pohlmeyer, Shmulik Regev
+ Yang Tse, Manfred Schwarb, Michael Wallner, Jeff Pohlmeyer, Shmulik Regev,
+ Rob Crittenden
Thanks! (and sorry if I forgot to mention someone)
+78 −5 configure.ac
@@ -1183,6 +1183,7 @@ if test "$OPENSSL_ENABLED" != "1"; then
[
AC_DEFINE(USE_GNUTLS, 1, [if GnuTLS is enabled])
AC_SUBST(USE_GNUTLS, [1])
+ GNUTLS_ENABLED = 1
USE_GNUTLS="yes"
curl_ssl_msg="enabled (GnuTLS)"
],
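Review bot: `GNUTLS_ENABLED = 1` at the top of this hunk is not a shell assignment; with spaces around `=` the generated configure script tries to run a command named GNUTLS_ENABLED and the variable is never set. Every later test of `$GNUTLS_ENABLED` in this patch (the `-a "$GNUTLS_ENABLED" != "1"` gate on the NSS probe and the final `x$OPENSSL_ENABLED$GNUTLS_ENABLED$NSS_ENABLED` check) therefore sees it empty, so a GnuTLS build will still probe for NSS and, when NSS is absent, print the "SSL disabled" warning. Write it as `GNUTLS_ENABLED=1`, matching the `NSS_ENABLED=1` line later in the patch.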
@@ -1208,13 +1209,85 @@ if test "$OPENSSL_ENABLED" != "1"; then
fi dnl GNUTLS not disabled
- if test X"$USE_GNUTLS" != "Xyes"; then
- AC_MSG_WARN([SSL disabled, you will not be able to use HTTPS, FTPS, NTLM and more.])
- AC_MSG_WARN([Use --with-ssl or --with-gnutls to address this.])
- fi
-
fi dnl OPENSSL != 1
+dnl ----------------------------------------------------
+dnl NSS. Only check if GnuTLS and OpenSSL are not enabled
+dnl ----------------------------------------------------
+
+dnl Default to compiler & linker defaults for NSS files & libraries.
+OPT_NSS=no
+
+AC_ARG_WITH(nss,dnl
+AC_HELP_STRING([--with-nss=PATH],[where to look for NSS, PATH points to the installation root (default: /usr/local/)])
+AC_HELP_STRING([--without-nss], [disable NSS detection]),
+ OPT_NSS=$withval)
+
+if test "$OPENSSL_ENABLED" != "1" -a "$GNUTLS_ENABLED" != "1"; then
+
+ if test X"$OPT_NSS" != Xno; then
+ if test "x$OPT_NSS" = "xyes"; then
+ check=`pkg-config --version 2>/dev/null`
+ if test -n "$check"; then
+ addlib=`pkg-config --libs nss`
+ addcflags=`pkg-config --cflags nss`
+ version=`pkg-config --modversion nss`
+ nssprefix=`pkg-config --variable=prefix nss`
+ fi
+ else
+ # Without pkg-config, we'll kludge in some defaults
+ addlib="-lssl3 -lsmime3 -lnss3 -lplds4 -lplc4 -lnspr4 -lpthread -ldl"
+ addcflags="-I$OPT_NSS/include"
+ version="unknown"
+ gtlsprefix=$OPT_GNUTLS
+ fi
+ if test -n "$addlib"; then
+
+ CLEANLIBS="$LIBS"
+ CLEANCPPFLAGS="$CPPFLAGS"
+
+ LIBS="$LIBS $addlib"
+ if test "$addcflags" != "-I/usr/include"; then
+ CPPFLAGS="$CPPFLAGS $addcflags"
+ fi
+
+ AC_CHECK_LIB(nss3, NSS_Initialize,
+ [
+ AC_DEFINE(USE_NSS, 1, [if NSS is enabled])
+ AC_SUBST(USE_NSS, [1])
+ USE_NSS="yes"
+ NSS_ENABLED=1
+ curl_ssl_msg="enabled (NSS)"
+ ],
+ [
+ LIBS="$CLEANLIBS"
+ CPPFLAGS="$CLEANCPPFLAGS"
+ ])
+
+ if test "x$USE_NSS" = "xyes"; then
+ AC_MSG_NOTICE([detected NSS version $version])
+
+ dnl when shared libs were found in a path that the run-time
+ dnl linker doesn't search through, we need to add it to
+ dnl LD_LIBRARY_PATH to prevent further configure tests to fail
+ dnl due to this
+
+ LD_LIBRARY_PATH="$LD_LIBRARY_PATH:$nssprefix/lib$libsuff"
+ export LD_LIBRARY_PATH
+ AC_MSG_NOTICE([Added $nssprefix/lib$libsuff to LD_LIBRARY_PATH])
+ fi
+
+ fi
+
+ fi dnl NSS not disabled
+
+fi dnl OPENSSL != 1 -a GNUTLS_ENABLED != 1
+
+if test "x$OPENSSL_ENABLED$GNUTLS_ENABLED$NSS_ENABLED" = "x"; then
+ AC_MSG_WARN([SSL disabled, you will not be able to use HTTPS, FTPS, NTLM and more.])
+ AC_MSG_WARN([Use --with-ssl, --with-gnutls or --with-nss to address this.])
+fi
+
dnl **********************************************************************
dnl Check for the CA bundle
dnl **********************************************************************
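Review bot: `gtlsprefix=$OPT_GNUTLS` in the non-pkg-config branch is a copy-paste leftover from the GnuTLS block and should be `nssprefix=$OPT_NSS`; as written `$nssprefix` is empty whenever `--with-nss=PATH` is used, so the later `LD_LIBRARY_PATH="$LD_LIBRARY_PATH:$nssprefix/lib$libsuff"` appends a bare `/lib`. In the same branch `addlib` hard-codes the library names but adds no `-L$OPT_NSS/lib`, so `AC_CHECK_LIB(nss3, NSS_Initialize, ...)` can only succeed when the libraries are already on the default linker path, which defeats the point of passing a PATH. Two smaller issues: when `--with-nss` is given without a path and pkg-config is missing, `addlib` stays empty and detection fails silently (an AC_MSG_WARN would help), and the help string's "(default: /usr/local/)" disagrees with `OPT_NSS=no`, under which NSS is not probed at all unless requested.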
+6 −4 docs/FAQ
@@ -358,10 +358,10 @@ FAQ
2.2 Does curl work/build with other SSL libraries?
- Curl has been written to use OpenSSL, GnuTLS or yassl, although there should
- not be many problems using a different library. If anyone does "port" curl
- to use a different SSL library, we are of course very interested in getting
- the patch!
+ Curl has been written to use OpenSSL, GnuTLS, yassl or NSS, although there
+ should not be many problems using a different library. If anyone does "port"
+ curl to use a different SSL library, we are of course very interested in
+ getting the patch!
2.3 Where can I find a copy of LIBEAY32.DLL?
@@ -844,6 +844,8 @@ FAQ
http://www.gnu.org/software/gnutls/manual/html_node/Multi_002dthreaded-applications.html
+ No special locking is needed with a NSS-powered libcurl. NSS is thread-safe.
+
5.2 How can I receive all data into a large memory chunk?
[ See also the examples/getinmemory.c source ]
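Review bot: "a NSS-powered libcurl" should be "an NSS-powered libcurl". The blanket "NSS is thread-safe" also reads stronger than the GnuTLS entry directly above it, which points at the library's own documentation; a reference to NSS's threading notes, or a qualification that this covers use after initialization, would keep the FAQ from over-promising.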
+2 −2 docs/FEATURES
@@ -116,10 +116,10 @@ FILE
FOOTNOTES
=========
- *1 = requires OpenSSL or GnuTLS
+ *1 = requires OpenSSL, GnuTLS or NSS
*2 = requires OpenLDAP
*3 = requires a GSSAPI-compliant library, such as Heimdal or similar.
*4 = requires FBopenssl
*5 = requires a krb4 library, such as the MIT one or similar.
*6 = requires c-ares
- *7 = requires OpenSSL specificly, as GnuTLS only supports SSLv3 and TLSv1
+ *7 = requires OpenSSL or NSS, as GnuTLS only supports SSLv3 and TLSv1
+3 −0 docs/INSTALL
@@ -140,6 +140,9 @@ UNIX
yassl with its OpenSSL emulation enabled and point to that directory root
with configure --with-ssl.
+ To build with NSS support instead of OpenSSL for SSL/TLS, note that
+ you need to use both --without-ssl and --with-nss.
+
Win32
=====
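Review bot: the configure change in this commit only probes for NSS when neither OpenSSL nor GnuTLS is enabled (`"$OPENSSL_ENABLED" != "1" -a "$GNUTLS_ENABLED" != "1"`), so this paragraph should also say that `--with-gnutls` must not be given, not only `--without-ssl`.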
+10 −0 docs/LICENSE-MIXING
@@ -47,6 +47,14 @@ yassl http://www.yassl.com/
(May be used for SSL/TLS support) Uses the GPL[1] license. If this is
a problem for you, consider using OpenSSL or GnuTLS instead.
+NSS http://www.mozilla.org/projects/security/pki/nss/
+
+ (May be used for SSL/TLS support) Is covered by the MPL[4] license,
+ the GPL[1] license and the LGPL[3] license. You may choose to license
+ the code under MPL terms, GPL terms, or LGPL terms. These licenses
+ grant you different permissions and impose different obligations. You
+ should select the license that best meets your needs.
+
c-ares http://daniel.haxx.se/projects/c-ares/license.html
(Used for asynchronous name resolves) Uses an MIT license that is very
@@ -110,3 +118,5 @@ OpenLDAP http://www.openldap.org/software/release/license.html
how to write such an exception to the GPL
[3] = LGPL - GNU Lesser General Public License:
http://www.gnu.org/licenses/lgpl.html
+[4] = MPL - Mozilla Public License:
+ http://www.mozilla.org/MPL/
+3 −5 docs/TODO
@@ -157,16 +157,14 @@ TODO
Clark)
* Make curl's SSL layer capable of using other free SSL libraries. Such as
- Mozilla Security Services
- (http://www.mozilla.org/projects/security/pki/nss/) or MatrixSSL
- (http://www.matrixssl.org/).
+ MatrixSSL (http://www.matrixssl.org/).
* Peter Sylvester's patch for SRP on the TLS layer.
Awaits OpenSSL support for this, no need to support this in libcurl before
there's an OpenSSL release that does it.
- * make the configure --with-ssl option first check for OpenSSL and then for
- GnuTLS if OpenSSL wasn't detected.
+ * make the configure --with-ssl option first check for OpenSSL, then GnuTLS,
+ then NSS...
GnuTLS
+11 −0 docs/curl.1
@@ -167,6 +167,10 @@ difference.
must be using valid ciphers. Read up on SSL cipher list details on this URL:
\fIhttp://www.openssl.org/docs/apps/ciphers.html\fP
+NSS ciphers are done differently than OpenSSL and GnuTLS. The full list of
+NSS ciphers is in the NSSCipherSuite entry at this URL:
+\fIhttp://directory.fedora.redhat.com/docs/mod_nss.html#Directives\fP
+
If this option is used several times, the last one will override the others.
.IP "--compressed"
(HTTP) Request a compressed response using one of the algorithms libcurl
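Review bot: this paragraph says NSS ciphers are "done differently" but not how. The curl_easy_setopt.3 hunk in this commit states the actual difference ("all known ciphers are disabled and only those passed in are enabled"), and that is what a --ciphers user needs to know, because the !, - and + operators described a few lines above do not apply. Please mirror that sentence here and give one example name such as rsa_aes_128_sha rather than only the mod_nss link.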
@@ -323,6 +327,10 @@ this option assumes a \&"certificate" file that is the private key and the
private certificate concatenated! See \fI--cert\fP and \fI--key\fP to specify
them independently.
+If curl is built against the NSS SSL library then this option tells
+curl the nickname of the certificate to use within the NSS database defined
+by --cacert.
+
If this option is used several times, the last one will be used.
.IP "--cert-type <type>"
(SSL) Tells curl what certificate type the provided certificate is in. PEM,
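Review bot: with NSS --cert is a database nickname rather than a file, so the surrounding text about a concatenated key-and-certificate file, the --key reference, and the --cert-type option that follows do not apply; state explicitly whether --cert-type and --key are ignored for an NSS build, and what curl does when the nickname is not found in the database.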
@@ -342,6 +350,9 @@ The windows version of curl will automatically look for a CA certs file named
\'curl-ca-bundle.crt\', either in the same directory as curl.exe, or in the
Current Working Directory, or in any folder along your PATH.
+If curl is built against the NSS SSL library then this option tells
+curl the directory that the NSS certificate database resides in.
+
If this option is used several times, the last one will be used.
.IP "--capath <CA certificate directory>"
(SSL) Tells curl to use the specified certificate directory to verify the
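Review bot: repurposing --cacert (documented just above as a CA certificate file, with a curl-ca-bundle.crt auto-lookup on Windows) to mean the NSS database directory gives one option two incompatible meanings; a bundle file path passed by habit will be treated as a directory. Since the next option, --capath, already takes a directory, document how --capath and --cacert interact under NSS and whether peer verification is performed against the certificates in that database.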
+20 −3 docs/libcurl/curl_easy_setopt.3
@@ -1178,6 +1178,9 @@ transfers. (Added in 7.15.2)
Pass a pointer to a zero terminated string as parameter. The string should be
the file name of your certificate. The default format is "PEM" and can be
changed with \fICURLOPT_SSLCERTTYPE\fP.
+
+With NSS this is the nickname of the certificate you wish to authenticate
+with.
.IP CURLOPT_SSLCERTTYPE
Pass a pointer to a zero terminated string as parameter. The string should be
the format of your certificate. Supported formats are "PEM" and "DER". (Added
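Review bot: as with the curl.1 change, the NSS sentence for CURLOPT_SSLCERT leaves the next entry, CURLOPT_SSLCERTTYPE ("PEM" and "DER"), undefined for a nickname; state that it is ignored under NSS or document the accepted value.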
@@ -1222,8 +1225,8 @@ Pass a long as parameter to control what version of SSL/TLS to attempt to use.
The available options are:
.RS
.IP CURL_SSLVERSION_DEFAULT
-The default action. When libcurl built with OpenSSL, this will attempt to
-figure out the remote SSL protocol version. Unfortunately there are a lot of
+The default action. When libcurl built with OpenSSL or NSS, this will attempt
+to figure out the remote SSL protocol version. Unfortunately there are a lot of
ancient and broken servers in use which cannot handle this technique and will
fail to connect. When libcurl is built with GnuTLS, this will mean SSLv3.
.IP CURL_SSLVERSION_TLSv1
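Review bot: the touched sentence reads "When libcurl built with OpenSSL or NSS"; it should be "When libcurl is built with". More importantly, "figure out the remote SSL protocol version" is the compatibility negotiation that the FEATURES change in this commit credits NSS with (footnote *7, which GnuTLS cannot satisfy because it only supports SSLv3 and TLSv1), so this entry should say which protocol versions the NSS default offers, since that is what a caller relying on CURL_SSLVERSION_DEFAULT is agreeing to.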
@@ -1266,6 +1269,9 @@ even indicate an accessible file.
Note that option is by default set to the system path where libcurl's cacert
bundle is assumed to be stored, as established at build time.
+
+When built against NSS this is the directory that the NSS certificate
+database resides in.
.IP CURLOPT_CAPATH
Pass a char * to a zero terminated string naming a directory holding multiple
CA certificates to verify the peer with. The certificate directory must be
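Review bot: the paragraph immediately above says CURLOPT_CAINFO defaults to the build-time path of libcurl's cacert bundle, which is a file; under NSS the option now names a directory, so that default cannot be valid for an NSS build. Document what the NSS backend does when CURLOPT_CAINFO is left at the default (an error, or no verification?), because a silent fallback would weaken peer verification.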
@@ -1315,12 +1321,23 @@ Pass a char *, pointing to a zero terminated string holding the list of
ciphers to use for the SSL connection. The list must be syntactically correct,
it consists of one or more cipher strings separated by colons. Commas or spaces
are also acceptable separators but colons are normally used, \!, \- and \+ can
-be used as operators. Valid examples of cipher lists include 'RC4-SHA',
+be used as operators.
+
+For OpenSSL and GnuTLS valid examples of cipher lists include 'RC4-SHA',
\'SHA1+DES\', 'TLSv1' and 'DEFAULT'. The default list is normally set when you
compile OpenSSL.
You'll find more details about cipher lists on this URL:
\fIhttp://www.openssl.org/docs/apps/ciphers.html\fP
+
+For NSS valid examples of cipher lists include 'rsa_rc4_128_md5',
+\'rsa_aes_128_sha\', etc. With NSS you don't add/remove ciphers. If one uses
+this option then all known ciphers are disabled and only those passed in
+are enabled.
+
+You'll find more details about the NSS cipher lists on this URL:
+\fIhttp://directory.fedora.redhat.com/docs/mod_nss.html#Directives\fP
+
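Review bot: the syntax paragraph just above still says `\!`, `\-` and `\+` can be used as operators, while the NSS text says the list replaces the enabled set with no add/remove; state that operators are not accepted with NSS. Also say how an unknown cipher name is handled: because the list is replace-all, a misspelled name that is skipped leaves a smaller set than intended, and one that disables everything makes every handshake fail, so the behaviour should be spelled out. The extra blank line added before .IP CURLOPT_SSL_SESSIONID_CACHE is stray.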
.IP CURLOPT_SSL_SESSIONID_CACHE
Pass a long set to 0 to disable libcurl's use of SSL session-ID caching. Set
this to 1 to enable it. By default all transfers are done using the
+3 −4 lib/Makefile.inc
@@ -8,7 +8,7 @@ CSOURCES = file.c timeval.c base64.c hostip.c progress.c formdata.c \
content_encoding.c share.c http_digest.c md5.c http_negotiate.c \
http_ntlm.c inet_pton.c strtoofft.c strerror.c hostares.c hostasyn.c \
hostip4.c hostip6.c hostsyn.c hostthre.c inet_ntop.c parsedate.c \
- select.c gtls.c sslgen.c tftp.c splay.c strdup.c socks.c ssh.c
+ select.c gtls.c sslgen.c tftp.c splay.c strdup.c socks.c ssh.c nss.c
HHEADERS = arpa_telnet.h netrc.h file.h timeval.h base64.h hostip.h \
progress.h formdata.h cookie.h http.h sendf.h ftp.h url.h dict.h \
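Review bot: nss.c joins CSOURCES unconditionally, like gtls.c, so its whole body must sit inside #ifdef USE_NSS or OpenSSL and GnuTLS builds will fail to compile it; the new lib/nss.c is not shown on this page, so please confirm.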
@@ -18,6 +18,5 @@ HHEADERS = arpa_telnet.h netrc.h file.h timeval.h base64.h hostip.h \
share.h md5.h http_digest.h http_negotiate.h http_ntlm.h ca-bundle.h \
inet_pton.h strtoofft.h strerror.h inet_ntop.h curlx.h memory.h \
setup.h transfer.h select.h easyif.h multiif.h parsedate.h sslgen.h \
- gtls.h tftp.h sockaddr.h splay.h strdup.h setup_once.h socks.h ssh.h
-
-
+ gtls.h tftp.h sockaddr.h splay.h strdup.h setup_once.h socks.h ssh.h \
+ nssg.h
+12 −0 lib/http.c
@@ -1502,6 +1502,18 @@ int Curl_https_getsock(struct connectdata *conn,
(void)numsocks;
return GETSOCK_BLANK;
}
+#else
+#ifdef USE_NSS
+int Curl_https_getsock(struct connectdata *conn,
+ curl_socket_t *socks,
+ int numsocks)
+{
+ (void)conn;
+ (void)socks;
+ (void)numsocks;
+ return GETSOCK_BLANK;
+}
+#endif
#endif
#endif
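Review bot: the new NSS Curl_https_getsock is an exact copy of the stub above it and returns GETSOCK_BLANK, which tells the multi interface there is no socket to wait on during a TLS handshake; that is only correct if the NSS backend connects blockingly, and a comment saying so would help. Since the two bodies are identical, a single guard covering both backends around one definition would read better than the growing #else/#ifdef USE_NSS/#endif nesting.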