On Thu, 9 Dec 2010, Hu, Eric wrote:
Oops, spoke too soon. There is this additional patch that needs to be applied to cURL on top of the patches that started this thread.
Hi! Allow me to offer three patches that clean things up. They were necessary for me to get a clean build with axTLS support.
Patch 0002 deserves particular attention, as it works around a rather terrible "bug" that really should be addressed in axTLS itself.
-- / daniel.haxx.se
From 49a35d0f3dd4a4cd772b397086fd0c6c81b520e7 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <[email protected]>
Date: Sat, 11 Dec 2010 00:52:34 +0100
Subject: [PATCH 1/3] configure: make --with-axtls set prefix
In tradition with other options, have this point to the directory prefix and not the lib directory. Otherwise we can't set the include path reliably.
---
 configure.ac | 12 +++++++-----
 1 files changed, 7 insertions(+), 5 deletions(-)
diff --git a/configure.ac b/configure.ac
index 9096531..ea51689 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1937,7 +1937,7 @@ fi dnl OPENSSL != 1 -a GNUTLS_ENABLED != 1
 OPT_AXTLS=off
 AC_ARG_WITH(axtls,dnl
-AC_HELP_STRING([--with-axtls=PATH],[Where to look for axTLS, PATH points to the axTLS installation (default: /usr/local/lib). Ignored if another SSL engine is selected.])
+AC_HELP_STRING([--with-axtls=PATH],[Where to look for axTLS, PATH points to the axTLS installation prefix (default: /usr/local). Ignored if another SSL engine is selected.])
 AC_HELP_STRING([--without-axtls], [disable axTLS]),
 OPT_AXTLS=$withval)
@@ -1951,8 +1951,10 @@ if test "$curl_ssl_msg" = "$init_ssl_msg"; then
 case "$OPT_AXTLS" in
 yes)
 dnl --with-axtls (without path) used
- PREFIX_AXTLS=/usr/local/lib
- LIB_AXTLS="$PREFIX_AXTLS"
+ PREFIX_AXTLS=/usr/local
+ LIB_AXTLS="$PREFIX_AXTLS/lib"
+ LDFLAGS="$LDFLAGS -L$LIB_AXTLS"
+ CPPFLAGS="$CPPFLAGS -I$PREFIX_AXTLS/include"
 ;;
 off)
 dnl no --with-axtls option given, just check default places
@@ -1961,9 +1963,9 @@ if test "$curl_ssl_msg" = "$init_ssl_msg"; then
 *)
 dnl check the given --with-axtls spot
 PREFIX_AXTLS=$OPT_AXTLS
- LIB_AXTLS="$PREFIX_AXTLS"
+ LIB_AXTLS="$PREFIX_AXTLS/lib"
 LDFLAGS="$LDFLAGS -L$LIB_AXTLS"
- CPPFLAGS="$CPPFLAGS -I$PREFIX_AXTLS/ssl"
+ CPPFLAGS="$CPPFLAGS -I$PREFIX_AXTLS/include"
 ;;
 esac
-- 
1.7.2.3
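Review bot: The `yes)` and `*)` branches in the second and third hunks now end with identical `LIB_AXTLS`/`LDFLAGS`/`CPPFLAGS` assignments derived from `PREFIX_AXTLS`, so the two copies can drift apart the next time one is edited; the `/ssl` versus `/include` mismatch this patch removes is exactly that kind of drift. Have each branch set only the prefix (`yes) PREFIX_AXTLS=/usr/local ;;` and `*) PREFIX_AXTLS=$OPT_AXTLS ;;`) and append the three flag lines once after `esac`, guarded on `PREFIX_AXTLS` being set so the `off)` case stays untouched. Note also that the default `yes)` case now unconditionally pushes `-L/usr/local/lib` and `-I/usr/local/include` onto the global flags for the rest of configure, where the old code set neither; whether the later axTLS header/library check (outside these hunks) would catch a wrong prefix cannot be seen here.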
From 7c9c505be6bbc3f1d86f3f0902f747c844ab61b3 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <[email protected]>
Date: Sat, 11 Dec 2010 00:53:37 +0100
Subject: [PATCH 2/3] urldate: undef hideous memory defines
The public axTLS header (at least as of 1.2.7) redefines the memory functions. We #undef those again immediately after the public header to limit the damage. This should be fixed in axTLS.
---
 lib/urldata.h | 3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)
diff --git a/lib/urldata.h b/lib/urldata.h
index 47f5f79..83b646e 100644
--- a/lib/urldata.h
+++ b/lib/urldata.h
@@ -122,6 +122,9 @@
 #ifdef USE_AXTLS
 #include <axTLS/ssl.h>
+#undef malloc
+#undef calloc
+#undef realloc
 #endif /* USE_AXTLS */
 #ifdef HAVE_NETINET_IN_H
-- 
1.7.2.3
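Review bot: The three `#undef`s in the `urldata.h` hunk carry no comment, so a reader of the header sees standard allocator names being undefined right after an include with no hint why; the reason lives only in the commit message. Add something like `/* axTLS's public header (seen in 1.2.7) redefines the standard allocators as macros; undo that so this header and everything including it keeps calling the real ones. */` above the first `#undef`. The list is also a fixed guess about what `axTLS/ssl.h` redefines: if that header also wraps `free` (or `strdup`), curl would allocate through libc but release through the axTLS macro after this patch, so the full set of redefinitions in the axTLS version being built against should be confirmed and all of them undone here. Since this is `urldata.h`, every translation unit that includes it inherits whichever names are left defined.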
From 688ed1c14a7650c4fc0c2df94b7826f3dd5c9f02 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <[email protected]>
Date: Sat, 11 Dec 2010 00:55:06 +0100
Subject: [PATCH 3/3] axtls.c: cleanup
Removed trailing whitespace
Removed several compiler warnings
Removed odd backslashes at some line endings
---
 lib/axtls.c | 96 +++++++++++++++++++++++++++++------------------------------
 1 files changed, 47 insertions(+), 49 deletions(-)
diff --git a/lib/axtls.c b/lib/axtls.c
index 82a0ddc..80c3554 100644
--- a/lib/axtls.c
+++ b/lib/axtls.c
@@ -55,7 +55,7 @@ static int SSL_read(SSL *ssl, void *buf, int num)
 {
 uint8_t *read_buf;
 int ret;
-
+
 while((ret = ssl_read(ssl, &read_buf)) == SSL_OK);
 if(ret > SSL_OK){
@@ -182,13 +182,13 @@ Curl_axtls_connect(struct connectdata *conn,
 /* Load the trusted CA cert bundle file */
 if(data->set.ssl.CAfile) {
- if(ssl_obj_load(ssl_ctx, SSL_OBJ_X509_CACERT, data->set.ssl.CAfile, NULL) \
+ if(ssl_obj_load(ssl_ctx, SSL_OBJ_X509_CACERT, data->set.ssl.CAfile, NULL)
 != SSL_OK){
 infof(data, "error reading ca cert file %s \n",
- data->set.ssl.CAfile);
+ data->set.ssl.CAfile);
 if(data->set.ssl.verifypeer){
- Curl_axtls_close(conn, sockindex);
- return CURLE_SSL_CACERT_BADFILE;
+ Curl_axtls_close(conn, sockindex);
+ return CURLE_SSL_CACERT_BADFILE;
 }
 }
 else
@@ -199,7 +199,7 @@ Curl_axtls_connect(struct connectdata *conn,
 * 1) certificate revocation list checking
 * 2) dns name assignment to host
 * 3) set protocol priority. axTLS is TLSv1 only, so can probably ignore
- * 4) set certificate priority. axTLS ignores type and sends certs in
+ * 4) set certificate priority. axTLS ignores type and sends certs in
 * order added. can probably ignore this.
 */
@@ -208,20 +208,20 @@ Curl_axtls_connect(struct connectdata *conn,
 i=0;
 /* Instead of trying to analyze cert type here, let axTLS try them all. */
 while(cert_types[i] != 0){
- ssl_fcn_return = ssl_obj_load(ssl_ctx, cert_types[i], \
- data->set.str[STRING_CERT], NULL);
+ ssl_fcn_return = ssl_obj_load(ssl_ctx, cert_types[i],
+ data->set.str[STRING_CERT], NULL);
 if(ssl_fcn_return == SSL_OK){
- infof(data, "successfully read cert file %s \n", \
- data->set.str[STRING_CERT]);
- break;
+ infof(data, "successfully read cert file %s \n",
+ data->set.str[STRING_CERT]);
+ break;
 }
 i++;
 }
 /* Tried all cert types, none worked. */
 if(cert_types[i] == 0){
- failf(data, "%s is not x509 or pkcs12 format", \
- data->set.str[STRING_CERT]);
- Curl_axtls_close(conn, sockindex);
+ failf(data, "%s is not x509 or pkcs12 format",
+ data->set.str[STRING_CERT]);
+ Curl_axtls_close(conn, sockindex);
 return CURLE_SSL_CERTPROBLEM;
 }
 }
@@ -233,20 +233,20 @@ Curl_axtls_connect(struct connectdata *conn,
 i=0;
 /* Instead of trying to analyze key type here, let axTLS try them all. */
 while(key_types[i] != 0){
- ssl_fcn_return = ssl_obj_load(ssl_ctx, key_types[i], \
- data->set.str[STRING_KEY], NULL);
+ ssl_fcn_return = ssl_obj_load(ssl_ctx, key_types[i],
+ data->set.str[STRING_KEY], NULL);
 if(ssl_fcn_return == SSL_OK){
- infof(data, "successfully read key file %s \n", \
- data->set.str[STRING_KEY]);
- break;
+ infof(data, "successfully read key file %s \n",
+ data->set.str[STRING_KEY]);
+ break;
 }
 i++;
 }
 /* Tried all key types, none worked. */
 if(key_types[i] == 0){
- failf(data, "Failure: %s is not a supported key file", \
- data->set.str[STRING_KEY]);
- Curl_axtls_close(conn, sockindex);
+ failf(data, "Failure: %s is not a supported key file",
+ data->set.str[STRING_KEY]);
+ Curl_axtls_close(conn, sockindex);
 return CURLE_SSL_CONNECT_ERROR;
 }
 }
@@ -258,11 +258,11 @@ Curl_axtls_connect(struct connectdata *conn,
 */
 /* In axTLS, handshaking happens inside ssl_client_new. */
- if(!Curl_ssl_getsessionid(conn, (void **) &ssl_sessionid, &ssl_idsize)){
+ if(!Curl_ssl_getsessionid(conn, (void **) &ssl_sessionid, &ssl_idsize)) {
 /* we got a session id, use it! */
 infof (data, "SSL re-using session ID\n");
- ssl = ssl_client_new(ssl_ctx, conn->sock[sockindex], \
- ssl_sessionid, ssl_idsize);
+ ssl = ssl_client_new(ssl_ctx, conn->sock[sockindex],
+ ssl_sessionid, (uint8_t)ssl_idsize);
 }
 else
 ssl = ssl_client_new(ssl_ctx, conn->sock[sockindex], NULL, 0);
@@ -270,20 +270,20 @@ Curl_axtls_connect(struct connectdata *conn,
 /* Check to make sure handshake was ok. */
 ssl_fcn_return = ssl_handshake_status(ssl);
 if(ssl_fcn_return != SSL_OK){
- Curl_axtls_close(conn, sockindex);
+ Curl_axtls_close(conn, sockindex);
 ssl_display_error(ssl_fcn_return); /* goes to stdout. */
 return map_error_to_curl(ssl_fcn_return);
 }
 infof (data, "handshake completed successfully\n");
- /* Here, gtls.c gets the peer certificates and fails out depending on
+ /* Here, gtls.c gets the peer certificates and fails out depending on
 * settings in "data." axTLS api doesn't have get cert chain fcn, so omit? */
 /* Verify server's certificate */
 if(data->set.ssl.verifypeer){
 if(ssl_verify_cert(ssl) != SSL_OK){
- Curl_axtls_close(conn, sockindex);
+ Curl_axtls_close(conn, sockindex);
 failf(data, "server cert verify failed");
 return CURLE_SSL_CONNECT_ERROR;
 }
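Review bot: The new `(uint8_t)ssl_idsize` cast in the `ssl_client_new()` call silences the narrowing warning but also silently truncates any cached id longer than 255 bytes, so a corrupt cache entry would be resumed with a wrong length instead of being rejected. The id stored in the cache comes from `ssl_get_session_id_size()` (a later hunk), which presumably already fits a byte, so being explicit costs one condition: `if(!Curl_ssl_getsessionid(conn, (void **) &ssl_sessionid, &ssl_idsize) && ssl_idsize <= 0xff) {`, which lets the existing `else` branch fall back to a fresh handshake. Separately, the verification block in the second hunk honours `verifypeer` through `ssl_verify_cert()`, but nothing visible in Curl_axtls_connect compares the peer certificate's name with the connection's host name (the next hunk's own comment says hostname checking is omitted), so a valid certificate issued for any other host is accepted; at minimum a verifyhost request should fail loudly rather than succeed silently. Curl_axtls_connect begins before and ends after these hunks.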
@@ -296,11 +296,11 @@ Curl_axtls_connect(struct connectdata *conn,
 /* See if common name was set in server certificate */
 x509 = ssl_get_cert_dn(ssl, SSL_X509_CERT_COMMON_NAME);
- if(x509 == NULL)
+ if(x509 == NULL)
 infof(data, "error fetching CN from cert\n");
 /* Here, gtls.c does the following
- * 1) x509 hostname checking per RFC2818. axTLS doesn't support this, but
+ * 1) x509 hostname checking per RFC2818. axTLS doesn't support this, but
 * it seems useful. Omitting for now.
 * 2) checks cert validity based on time. axTLS does this in ssl_verify_cert
 * 3) displays a bunch of cert information. axTLS doesn't support most of
@@ -317,7 +317,7 @@ Curl_axtls_connect(struct connectdata *conn,
 /* Put our freshly minted SSL session in cache */
 ssl_idsize = ssl_get_session_id_size(ssl);
 ssl_sessionid = ssl_get_session_id(ssl);
- if(Curl_ssl_addsessionid(conn, (void *) ssl_sessionid, ssl_idsize) \
+ if(Curl_ssl_addsessionid(conn, (void *) ssl_sessionid, ssl_idsize)
 != CURLE_OK)
 infof (data, "failed to add session to cache\n");
@@ -327,15 +327,12 @@ Curl_axtls_connect(struct connectdata *conn,
 /* return number of sent (non-SSL) bytes */
 static ssize_t axtls_send(struct connectdata *conn,
- int sockindex,
- const void *mem,
- size_t len,
- CURLcode *err)
+ int sockindex,
+ const void *mem,
+ size_t len,
+ CURLcode *err)
 {
- /* ssl_write() returns 'int' while write() and send() returns
- 'size_t' */
- char error_buffer[120]; /* Comply with OpenSSL, which documents that this
- must be at least 120 bytes long. */
+ /* ssl_write() returns 'int' while write() and send() returns 'size_t' */
 int rc = ssl_write(conn->ssl[sockindex].ssl, mem, (int)len);
 infof(conn->data, " axtls_send\n");
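Review bot: The rewritten one-line comment in the `axtls_send` hunk keeps the original's wrong claim that `write()` and `send()` return `'size_t'`; both return `ssize_t`, which is also this function's own return type, so it should read `/* ssl_write() returns 'int' while write() and send() return 'ssize_t' */`. The `(int)len` cast on the following line is the same `size_t`-to-`int` narrowing the comment is excusing: a `len` above `INT_MAX` reaches `ssl_write()` as a negative or wrapped count, so clamping first (`if(len > INT_MAX) len = INT_MAX;`, with `<limits.h>` if the file does not already include it) makes the partial-write contract explicit, although curl's callers are unlikely to pass such a length. Dropping the unused `error_buffer` is fine; nothing in the visible part of the body referenced it, and the body continues past this hunk.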
@@ -407,16 +404,16 @@ int Curl_axtls_shutdown(struct connectdata *conn, int sockindex)
 if(connssl->ssl) {
 int what = Curl_socket_ready(conn->sock[sockindex],
- CURL_SOCKET_BAD, SSL_SHUTDOWN_TIMEOUT);
+ CURL_SOCKET_BAD, SSL_SHUTDOWN_TIMEOUT);
 if(what > 0) {
 /* Something to read, let's do it and hope that it is the close
- notify alert from the server */
+ notify alert from the server */
 nread = (ssize_t)SSL_read(conn->ssl[sockindex].ssl, buf,
- sizeof(buf));
+ sizeof(buf));
 if (nread < SSL_OK){
- failf(data, "close notify alert not received during shutdown");
- retval = -1;
+ failf(data, "close notify alert not received during shutdown");
+ retval = -1;
 }
 }
 else if(0 == what) {
@@ -436,10 +433,10 @@ int Curl_axtls_shutdown(struct connectdata *conn, int sockindex)
 }
 static ssize_t axtls_recv(struct connectdata *conn, /* connection data */
- int num, /* socketindex */
- char *buf, /* store read data here */
- size_t buffersize, /* max amount to read */
- CURLcode *err)
+ int num, /* socketindex */
+ char *buf, /* store read data here */
+ size_t buffersize, /* max amount to read */
+ CURLcode *err)
 {
 struct ssl_connect_data *connssl = &conn->ssl[num];
 ssize_t ret = 0;
@@ -475,7 +472,7 @@ static ssize_t axtls_recv(struct connectdata *conn, /* connection data */
 int Curl_axtls_check_cxn(struct connectdata *conn)
 {
 /* ssluse.c line: rc = SSL_peek(conn->ssl[FIRSTSOCKET].ssl, (void*)&buf, 1);
- axTLS compat layer always returns the last argument, so connection is
+ axTLS compat layer always returns the last argument, so connection is
 always alive? */
 infof(conn->data, " Curl_axtls_check_cxn\n");
@@ -484,6 +481,7 @@ int Curl_axtls_check_cxn(struct connectdata *conn)
 void Curl_axtls_session_free(void *ptr)
 {
+ (void)ptr;
 /* free the ID */
 /* both ssluse.c and gtls.c do something here, but axTLS's OpenSSL
 compatibility layer does nothing, so we do nothing too. */
-- 
1.7.2.3
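Review bot: `(void)ptr;` in the last hunk makes `Curl_axtls_session_free()` an explicit no-op, but the pointer it receives is the value of `ssl_get_session_id(ssl)` that the earlier `Curl_ssl_addsessionid()` call stored without copying. If that accessor returns a pointer into the SSL object rather than an allocated copy (the no-op here suggests nothing owns the bytes), the cached id dangles once the SSL object is freed, and the later `ssl_client_new(..., ssl_sessionid, ...)` resume path in Curl_axtls_connect would read freed memory. The safer shape is to store a `malloc`ed copy of the `ssl_idsize` bytes at the cache-insertion site (outside this hunk) and make this function `free(ptr);`, which also matches what the comment says the other backends do. This needs confirming against the axTLS source for the version in use.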
