summaryrefslogtreecommitdiff
path: root/librabbitmq/amqp_openssl.c
Commit message (Collapse)AuthorAgeFilesLines
* ssl: Add OpenSSL BIO that passes MSG_NOSIGNALssl_bioAlan Antonuk2017-02-201-4/+9
| | | | | | | Add an OpenSSL BIO that ignores SIGPIPE by passing MSG_NOSIGNAL to the send() and recv() calls on platforms that support it. Fixes #401
* Lib: remove unreachable return statementsAlan Antonuk2016-04-091-1/+0
|
* Lib: fix incorrect hostname check return valueAlan Antonuk2015-11-301-33/+14
| | | | | | | | amqp_ssl_socket_verify_hostname returns 1 on success, 0 on not found, and -1 on error. Refactor this code to be less error-prone and not use magic numbers in return values. Fixes #330
* Lib: fix size_t conversion issues in openssl.cAlan Antonuk2015-11-291-7/+24
|
* Lib: correctly check SSL connectionInsu Yun2015-11-271-0/+10
| | | | | | | | | | | According to "https://www.openssl.org/docs/manmaster/ssl/SSL_get_verify_result.html", to verify SSL connection result, SSL_get_verify_result() needs to be called with SSL_get_peer_certificate(). In default mode, which verify_peer and verify_hostname are activated, then there is no problem because in verify_hostname, the existence of certificate is confirmed. However, it is possible that the user want to verify_peer, but not verify_host. In such case, it is not working as they wanted. Because with invalid certificate, the attacker can bypass certificate validity check.
* Lib: use vetted hostname validation algorithmssl_leakAlan Antonuk2015-11-081-91/+5
| | | | | | | Use vetted hostname validation code which should fix some of the issues with memory leaks from incorrect use of the OpenSSL API. Fixes #325
* Lib: add braces in if statements lacking them.Alan Antonuk2015-10-271-4/+8
|
* Lib: fix leak in amqp_ssl_socket_verify_hostnameopenssl_leaksAlan Antonuk2015-10-261-0/+4
| | | | | | | | The cert object should be X509_free'd after use, it leaks otherwise. Thanks Volker Schreiner for reporting this. Fixes #323
* Lib: add amqp_ssl_socket_set_versions fnAlan Antonuk2015-10-221-0/+60
| | | | | Add amqp_ssl_socket_versions function which allows a user to specify the acceptable range of TLS versions they want to connect to the broker with.
* Lib: disable SSLv2 and SSLv3.Alan Antonuk2015-10-221-0/+2
| | | | | SSLv2 and SSLv3 are outdated, and contain serious security vulnerabilities. Disable these outdated protocols so they cannot be used.
* Lib: don't try hard when closing SSL socketsAlan Antonuk2015-10-221-21/+6
| | | | | | | | If a heartbeat timeout occurs skip calling SSL_shutdown as it involves doing a send() which will likely hang. Additionally don't wait for a response when doing an SSL_shutdown, as the underlying transport will not be reused. Fixes #313
* Lib: separate peer & hostname SSL cert validationAlan Antonuk2015-10-151-9/+29
| | | | | | | | Add amqp_ssl_socket_set_verify_peer which controls peer certificate validation, and amqp_ssl_socket_set_verify_hostname which controls hostname validation in the certificate. Additionally this deprecates amqp_ssl_socket_set_verify. Fixes #180, #279, #303
* Lib: add AMQP_SF_POLL{IN,OUT} flags for amqp_pollAlan Antonuk2015-06-011-4/+4
| | | | | | Get rid of amqp_poll_{read,write} and flatten the call-tree to amqp_poll with an appropriate flag. Done in preparation for adding a select()-based implementation of the amqp_poll() function.
* lib: amqp_ssl_socket_send ign unused parameter.warnfixAlan Antonuk2015-06-011-1/+1
|
* lib: remove unused buffer in opensslAlan Antonuk2015-05-311-3/+0
|
* lib: use MSG_MORE on Linux for basic.publishAlan Antonuk2015-05-311-5/+2
| | | | | | | | As a performance optimization in the send path, add an AMQP_SF_MORE flag indicating that more data is intended to be sent, and that packets shouldn't be sent out on the wire unless there is a full packet's worth of data available. Use this to specify MSG_MORE to send() on Linux.
* amqp_openssl: *_ssl_send() should return number of bytes sentpr271Maciej Borzecki2015-05-211-1/+0
| | | | | | Function amqp_ssl_socket_send() should return the number of bytes written. Retruning AMQP_STATUS_OK on success will cause all amqp_socket_send() with SSL socket implementation to behave incorrectly.
* amqp_openssl: fix SSL_connect() status checkMaciej Borzecki2015-05-141-1/+1
| | | | | | | | | | | | | | According to documentation SSL_connect() can return: - 1 if handshake was successful or - 0 or < 0 if handshake failed and connection was cleaned up or communcation error occurred When nonblocking flag is set on the socket and handshake is in progress, SSL_connect() retruns -1 and sets error SSL_ERROR_WANT_READ. The test will then skip the switch() branch, and proceed forward with hanshake procedure in unfinished state. This may lead to certificate verification failure, as should the handshake be interrupted too soon, no server certificates would be received.
* Remove writev specific code.Alan Antonuk2015-05-031-38/+0
|
* Rename amqp_timer_t related functions.Alan Antonuk2015-05-031-7/+7
| | | | | Rename amqp_timer_t related functions to improve readability of the code and clarify what they do.
* Rename amqp_timer.[ch] to amqp_time.[ch].Alan Antonuk2015-05-031-1/+1
| | | | Rename the files to better reflect the functions that they contain.
* Add nonblocking sockets in OpenSSL socket implnonblocking_socketAlan Antonuk2015-04-191-5/+55
|
* Enable SSL verification of hostname using certificates with Subject ↵Yevhen Kyriukha2015-01-061-29/+75
| | | | | | | | Alternate Names DNS entries. Additional check for entries in SSL certificate. Signed-off-by: Yevhen Kyriukha <kirgene@gmail.com>
* Check for closed socket in amqp_ssl_socket_send().Alan Antonuk2015-01-061-0/+4
|
* Check for double close/open in socket implAlan Antonuk2014-12-291-9/+18
| | | | | | | Check to state of socket when doing open/read/write/close to prevent double-open and double-close issues with the socket implementation. Fixes #228
* Update copyright on files changed in 2014.Alan Antonuk2014-08-261-1/+5
|
* Suppress OpenSSL deprecation warnings on OSXAlan Antonuk2014-08-251-4/+0
|
* ssl: Fix a bug that host name verification failure isn't reportedKouhei Sutou2014-08-251-2/+2
| | | | | | | | There is an unexpected local variable shadowing in amqp_ssl_socket_open(). So the following code is meaningless unexpectedly. status = AMQP_STATUS_SSL_HOSTNAME_VERIFY_FAILED
* [openssl] Support wildcard hostname verificationMichael Steinert2014-03-041-7/+2
| | | | Most of this code comes from version Curl 7.35.
* Moved mutex initialization inside ENABLE_THREAD_SAFETY guards.woldan2013-10-291-1/+1
|
* BUG: double-free in ssl-socket on connect failureAlan Antonuk2013-07-221-0/+1
| | | | | | | In amqp_ssl_socket_open() set self->ssl to NULL after SSL_free() to avoid calling SSL_free() on a SSL object that has already been freed. This fixes #129 crash while call amqp_destroy_connection() with ssl
* Add nonblocking connect supportzaq178miami2013-07-061-2/+2
|
* Squash OpenSSL deprecated warnings on MacOSX 10.7+Alan Antonuk2013-07-061-0/+4
|
* Get rid of amqp_socket_error interfaceAlan Antonuk2013-07-031-14/+0
| | | | | Get rid of experimental amqp_socket_error interface. Errors are returned using the error codes from the primary function
* Make connection the socket object ownerAlan Antonuk2013-07-031-13/+43
| | | | | | | | Improve the socket interface by making the amqp_connection_state_t object the amqp_socket_t owner, and tie its lifetime to the connection's lifetime. This prevents a class of silly errors where the socket object isn't freed, or the socket object is assigned to two different connection objects
* Move amqp_os_socket* funcs to amqp_socket.h/cAlan Antonuk2013-06-131-1/+2
| | | | | Doing this for code clarity, as its easier to see what the issues are when you have all implementations in one file
* Improve error handling in socket functionsAlan Antonuk2013-06-131-29/+39
|
* Add more specific SSL connection error codesAlan Antonuk2013-06-131-28/+54
| | | | | | | | Add the following error codes: - hostname verify failure: e.g., provided hostname doesn't match peer certificate - peer verification failed - connection handshake failed
* Correctly handle 0 ret val from SSL_read/writeAlan Antonuk2013-06-131-2/+2
| | | | | A 0 return value from SSL_read/SSL_write means the (SSL) connection has been terminated.
* Expose public error-code interfaceAlan Antonuk2013-06-131-8/+8
| | | | | | | | | | Publicly define the error codes returned from the various public API functions. The error codes are defined in the amqp_status_enum and are all negative in value to work with functions that return positive values. OS and SSL specific codes are no longer munged into the error code, as it is unlikely for that information to be useful to library users.
* Fixes to compile it on Win32/MSVCAlan Antonuk2013-04-171-1/+2
|
* Adding basic error handling to SSL send/recv funcsAlan Antonuk2013-04-171-2/+17
| | | | | | | | For recv/send() functions, the functions themselves return a negative number on error, then the amqp_ssl_socket_error() can be used to return an opaque (e.g., not very useful to API users) error code. Internally we store this error in the last_error field of the amqp_ssl_socket_t object.
* Add very rudimentary error code handling for SSLAlan Antonuk2013-04-171-1/+8
|
* Updating license header in new filesAlan Antonuk2013-04-171-1/+1
|
* Fix code formatting to match the rest of the libAlan Antonuk2013-04-171-310/+303
|
* Adding vim modelines to new filesAlan Antonuk2013-04-171-0/+1
|
* Enable SSL hostname verification by defaultMichael Steinert2013-04-171-1/+1
| | | | Signed-off-by: Michael Steinert <mike.steinert@gmail.com>
* Start addressing review commentsMichael Steinert2013-04-091-0/+556
Signed-off-by: Michael Steinert <mike.steinert@gmail.com>
View Lorry Controller Status