Diego Santa Cruz | 21 May 11:24 2013

[PATCH] make neon with OpenSSL truly timeout on read


The way neon uses OpenSSL for https connections makes it possible for an
https connection to block indefinitely on read despite setting a read

The problem stems from the fact that SSL/TLS is record oriented, so having
some data in the raw socket does not necessarily mean that OpenSSL may return
data from the SSL/TLS socket.

Currently (0.29.6) neon calls readable_ossl() to know if data is available on
the socket. This in turn calls SSL_pending() to know if there is data
available on the SSL/TLS socket and if not it calls readable_raw() to know if
there is available data on the raw socket. Hence, as soon as there are a few
bytes in the raw socket readable_ossl() will return success, but if there is
in fact less than the SSL record size available trouble will occur when
SSL_read() is called later, as that function will block until a whole SSL
record may be read from the raw socket, which may never happen.

In our application we encounter this issue with unstable 3G networks.
Sometimes the underlying connection breaks down and only a partial SSL record
has been received, then SSL_read() blocks indefinitely as explained above (as
the connection is broken the remaining part of the SSL record never arrives).

The attached patch solves this for OpenSSL by setting the raw socket to
non-blocking. It has been deployed in our application with success on Win32
and Linux (x86 and ARM).

As I am not versed in GnuTLS I do not know if neon's use of GnuTLS is also
affected by this problem or not and the patch only covers OpenSSL.
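
The condition this post describes can be reproduced without OpenSSL. The following is an added example, not code from neon or from the attached patch: a readiness check of the kind readable_raw() performs reports "readable" while the buffered bytes are still short of one TLS record. The helper names are hypothetical and a Unix socketpair stands in for the TCP connection.

```c
#include <poll.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>
#define TLS_HDR_LEN 5 /* type(1) version(2) length(2, big-endian) */

/* The question readable_raw() answers: is at least one byte waiting? */
static int raw_readable(int fd)
{
    struct pollfd p;
    p.fd = fd; p.events = POLLIN; p.revents = 0;
    return poll(&p, 1, 0) == 1 && (p.revents & POLLIN) != 0;
}

/* Bytes missing before a whole record is buffered (0 = complete, -1 = none/error). */
static long record_bytes_missing(int fd)
{
    unsigned char buf[TLS_HDR_LEN + 16384 + 2048];
    ssize_t got = recv(fd, buf, sizeof buf, MSG_PEEK | MSG_DONTWAIT);
    size_t need;
    if (got <= 0) return -1;
    if (got < TLS_HDR_LEN) return TLS_HDR_LEN - (long)got;
    need = TLS_HDR_LEN + (((size_t)buf[3] << 8) | buf[4]);
    return (size_t)got >= need ? 0 : (long)(need - (size_t)got);
}

/* Constructed input: the header announces a 32-byte record, the link dies
 * after 10 payload bytes. A Unix socketpair stands in for the TCP socket. */
static long partial_record_demo(int *readable)
{
    int sv[2];
    unsigned char part[TLS_HDR_LEN + 10] = { 23, 3, 3, 0, 32 };
    long missing = -1;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) return -1;
    if (write(sv[1], part, sizeof part) == (ssize_t)sizeof part) {
        *readable = raw_readable(sv[0]);
        missing = record_bytes_missing(sv[0]);
    }
    close(sv[0]); close(sv[1]);
    return missing;
}

int main(void)
{
    int readable = 0;
    long missing = partial_record_demo(&readable);
    printf("raw socket readable=%d, record bytes missing=%ld\n", readable, missing);
    return 0;
}
```

A blocking SSL_read() issued at this point waits for the missing bytes, which is why a read timeout enforced only by the readiness check never fires.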

Diego Santa Cruz | 21 May 10:34 2013

[PATCH] double free of sess->proxies

Hi all,

We have encountered a bug in free_proxies() in ne_session.c that causes a
double-free or invalid data references in some cases.

As not all callers of free_proxies() set sess->proxies to a new value in all
cases this pointer may be kept when the block has been free'd. For instance
if ne_set_addrlist() is called with n = 0. I think calling
ne_session_system_proxy() may also cause this, although it is less clear.

The attached patch solves this by simply setting sess->proxies to NULL at the
end of free_proxies(). Patch is against 0.29.6.



Diego Santa Cruz, PhD
Technology Architect
SpinetiX S.A.
Rue des Terreaux 17
1003, Lausanne, Switzerland
T +41 21 341 15 50
F +41 21 311 19 56
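
The failure path described in the post above, as an added example that is not neon's code or the attached patch: the struct and function names below are hypothetical stand-ins that model a free helper whose caller sometimes installs no replacement list (the n = 0 case). The free counter exists only so the result can be checked.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-ins for the session and its proxy list. */
struct proxy { struct proxy *next; };
struct session { struct proxy *proxies; };

static int frees; /* blocks released so far */

/* Release the list and clear the owner's pointer. Without the final
 * assignment, sess->proxies keeps pointing at freed memory. */
static void free_proxies(struct session *sess)
{
    struct proxy *p, *next;
    for (p = sess->proxies; p != NULL; p = next) {
        next = p->next;
        free(p);
        frees++;
    }
    sess->proxies = NULL; /* the fix the post describes */
}

/* Caller modelled on the n = 0 case: frees the old list, then installs
 * n new entries, which for n = 0 means it assigns nothing. */
static void set_addrlist(struct session *sess, size_t n)
{
    size_t i;
    free_proxies(sess);
    for (i = 0; i < n; i++) {
        struct proxy *p = calloc(1, sizeof *p);
        if (p == NULL) return;
        p->next = sess->proxies;
        sess->proxies = p;
    }
}

/* Two entries, then an empty list, then teardown: exactly two frees. */
static int teardown_free_count(void)
{
    struct session s = { NULL };
    frees = 0;
    set_addrlist(&s, 2);
    set_addrlist(&s, 0); /* leaves a dangling pointer if not cleared */
    free_proxies(&s);    /* session teardown walks the list again */
    return frees;
}

int main(void) { printf("frees=%d\n", teardown_free_count()); return 0; }
```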

Crombie, Iain | 3 May 13:18 2013

Neon with Polar SSL rather than OpenSSL/GnuTLS

Has anybody any experience regarding using PolarSSL rather than OpenSSL/GnuTLS?  Searching the archive for polar results in 0 results so I’m not optimistic and it looks non-trivial.
Best Regards.

Ravi | 3 Apr 04:43 2013

could not resolve hostname with sabredav/php

Hi ,

I'm new to the list and trying to write code to connect to a WebDAV
(sabredav) server with the following path - cloud.com/files/webdav.php. When
ne_session_create is invoked it complains it can't resolve the DNS, but I can
connect to the WebDAV server using Finder/Cyberduck, and if I try some
other WebDAV servers like mydrive.ch it works. So I think
ne_session_create can't handle slashes (/files/webdav.php)... please
help me out.


neon | 8 Feb 02:48 2013

Compiling on Windows 7 with MinGW


I see several posts in the archive regarding compiling Neon with mingw, but they're all from quite some time
ago. Has this been attempted recently? When I run ./configure, after it runs its checks for a while I end up with:

configure: error: format string for off64_t not found

I'm using the version of mingw packaged with the Windows 32-bit version of the Qt 5 SDK. This is not a datatype
with which I'm familiar. I would appreciate any help!


neon | 4 Feb 15:03 2013

Host Not Found Misunderstanding

Hello. I've followed the simple example shown here: http://www.ikeepincloud.com/en/c_library .

A snippet of relevant code:

void testNeon()
{
    char *url = "my_owncloud_instance_url/remote.php/webdav";

    ne_session *dav;
    int res, fd;

    dav = ne_session_create("http", url, 80);

    ne_set_server_auth(dav, define_auth, NULL);

    res = ne_mkcol(dav, "/test/");

    if (res != NE_OK)
        qDebug() << "Request failed:" << QString(ne_get_error(dav));
    else
        qDebug() << "Success!";
}

static int define_auth(void *userdata, const char *realm, int attempts, char *username, char *password)
{
    char *user = "username";
    char *pass = "userpassword";

    strncpy(username, user, NE_ABUFSIZ);
    strncpy(password, pass, NE_ABUFSIZ);

    return attempts;
}

This prints out "Request failed: Could not resolve hostname 'my_owncloud_instance_url/remote.php/webdav': Host not found"

When I visit the URL in question in Firefox (actually copying the URL posted in the error), it prompts me for my username and password. This implies to me that it's working. Am I missing something? I would appreciate any help!

Kyle Fazzari
David Strauss | 18 Jan 01:06 2013

Memory leak in GnuTLS session management?

I keep getting memory leak traces for sessions in Valgrind, so I dug
into the Neon and GnuTLS code a bit.

Here's what I see:
 * ne_sock_connect_ssl() calls gnutls_session_get_data2() and sends in
&ctx->cache.client as the second argument.
 * gnutls_session_get_data2() allocates memory for what it puts into
its second argument. This memory should be freed by the caller using
gnutls_free(). This is documented in the man page [1].
 * There are only four calls to gnutls_free() from Neon, and they're
all for ctx->cache.server.key.data or ctx->cache.server.data.data.
 * I don't see any obvious way the ctx->cache.client pointer would get
copied into either of the values being freed.

It would break abstraction for us to access and free parts of the
context. Surely, session data shouldn't just linger. Multithreaded
clients (like ours) need to create and clean up sessions often without
leaking memory.

This is the trace I see in Valgrind for the packaged Neon 0.29.6 on Fedora 17:

3,072 bytes in 1 blocks are definitely lost in loss record 27 of 31
realloc (vg_replace_malloc.c:662)
_gnutls_buffer_append_data (gnutls_str.c:146)
_gnutls_session_pack (gnutls_session_pack.c:781)
gnutls_session_get_data2 (gnutls_session.c:119)
ne_sock_connect_ssl (ne_socket.c:1804)
ne__negotiate_ssl (ne_gnutls.c:928)
send_request.isra.5 (ne_request.c:1650)
ne_begin_request (ne_request.c:1189)

[1] http://linux.die.net/man/3/gnutls_session_get_data2

David Strauss
   | david@...
   | +1 512 577 5827 [mobile]

kk kk | 10 Dec 09:25 2012

About ne_set_read_timeout

Dear all,

If I use ne_set_read_timeout to indicate a timeout value, for example, ne_set_read_timeout(sess, 10); // about 10s.
How can I interrupt the READ operation before the timeout?
For example, user wants to cancel the operation immediately.


Markus Goetz | 6 Dec 17:55 2012

Decompression PROPFIND compressed with gzip?


I'm trying to find a way to integrate ne_propfind_named with ne_decompress_reader.
How can my body reader feed back the decompressed bytes back into neon so it can parse the WebDAV XML and give me the PROPFIND results?

Markus Goetz
Matthias Petschick | 22 Nov 12:40 2012

[PATCH] fix segfault due to uninitialized variable


x509_crt_copy in ne_gnutls.c depends on the local size variable being 0
(or small enough) so that the subsequent call to gnutls_x509_crt_export
updates the variable to the correct size to hold the certificate. Since
size is used uninitialized, the value for it is undefined and more than
likely not 0, resulting in gnutls_x509_crt_export not returning
GNUTLS_E_SHORT_MEMORY_BUFFER and consequently x509_crt_copy returning NULL.
This is not caught by make_peers_chain which then passes the NULL
pointer to populate_cert, which eventually causes a segfault down the
road when NULL is dereferenced by get_dn in gnutls.

The attached patch makes sure size is initialized correctly to 0 and
checks if x509_crt_copy returns NULL.



Attachment (ne_gnutls.c.patch): text/x-patch, 961 bytes
Chris Pick | 28 Oct 00:18 2012

Method to require SSL dependency

Is there an equivalent of NEON_NEED_XML_PARSER for SSL?
If I'm bundling neon with a program that uses ssl functionality, is
there any other way to require it?

My current setup:
$ cat configure.ac
#                                               -*- Autoconf -*-
# Process this file with autoconf to produce a configure script.

AC_INIT([test], [1.0], [neon@...])
AM_INIT_AUTOMAKE([-Wall -Werror foreign])

# Checks for programs.

# Checks for libraries.
NEON_VPATH_BUNDLED([${srcdir}/neon-0.29.6], [neon-0.29.6], [

# Checks for header files.

# Checks for typedefs, structures, and compiler characteristics.

# Checks for library functions.


$ cat Makefile.am
bin_PROGRAMS = test
test_SOURCES = src/test.c
test_LDADD = @NEON_LIBS@

ACLOCAL_AMFLAGS = -I neon-0.29.6/macros

gcc -DHAVE_CONFIG_H -I. -I..     -g -O2 -I../neon-0.29.6 -MT test.o
-MD -MP -MF .deps/test.Tpo -c -o test.o `test -f 'src/test.c' || echo
../src/test.c:4:22: error: ne_alloc.h: No such file or directory