- new upstream release, dropped applied patches

- changed NSS code to not ignore the value of ssl.verifyhost and produce more verbose error messages (#516056)
2009-08-14 09:43:48 +00:00 · 2009-08-14 09:43:48 +00:00 · 69a7693fea
parent a05f6e5dd5
commit 69a7693fea
6 changed files with 75 additions and 39 deletions
--- a/.cvsignore
+++ b/.cvsignore
@ -1 +1 @@
-curl-7.19.4.tar.bz2
+curl-7.19.6.tar.bz2
--- a/curl-7.17.1-badsocket.patch
+++ b/curl-7.17.1-badsocket.patch
@ -1,13 +0,0 @@
-diff -ruNp curl-7.19.3.orig/lib/ftp.c curl-7.19.3/lib/ftp.c
--- curl-7.19.3.orig/lib/ftp.c	2009-02-11 10:57:33.334280000 +0100
-+++ curl-7.19.3/lib/ftp.c	2009-02-11 10:59:43.957585266 +0100
-@@ -3222,7 +3222,8 @@ static CURLcode ftp_done(struct connectd
-       /* Note that we keep "use" set to TRUE since that (next) connection is
-          still requested to use SSL */
-     }
-    sclose(conn->sock[SECONDARYSOCKET]);
-+    if(CURL_SOCKET_BAD != conn->sock[SECONDARYSOCKET])
-+      sclose(conn->sock[SECONDARYSOCKET]);
- 
-     conn->sock[SECONDARYSOCKET] = CURL_SOCKET_BAD;
-   }
--- a/curl-7.19.4-infloop.patch
+++ b/curl-7.19.4-infloop.patch
@ -1,12 +0,0 @@
-diff -ruNp curl-7.19.4.orig/lib/nss.c curl-7.19.4/lib/nss.c
--- curl-7.19.4.orig/lib/nss.c	2009-05-11 10:21:19.136924000 +0200
-+++ curl-7.19.4/lib/nss.c	2009-05-11 10:22:31.190315791 +0200
-@@ -591,7 +591,7 @@ static char * nss_get_password(PK11SlotI
-   parg = (pphrase_arg_t *) arg;
- 
-   (void)slot; /* unused */
-  if(retry > 2)
-+  if(retry)
-     return NULL;
-   if(parg->data->set.str[STRING_KEY_PASSWD])
-     return (char *)PORT_Strdup((char *)parg->data->set.str[STRING_KEY_PASSWD]);
--- a/curl-7.19.6-verifyhost.patch
+++ b/curl-7.19.6-verifyhost.patch
@ -0,0 +1,54 @@
+diff -rup curl-7.19.6.orig/lib/nss.c curl-7.19.6/lib/nss.c
+--- curl-7.19.6.orig/lib/nss.c	2009-08-14 11:14:45.423733097 +0200
+++ curl-7.19.6/lib/nss.c	2009-08-14 11:15:04.142733360 +0200
+@@ -615,16 +615,26 @@ static SECStatus BadCertHandler(void *ar
+           issuer);
+     break;
+   case SSL_ERROR_BAD_CERT_DOMAIN:
+-    if(conn->data->set.ssl.verifypeer)
+    if(conn->data->set.ssl.verifyhost) {
+      failf(conn->data, "common name '%s' does not match '%s'",
+            subject, conn->host.dispname);
+       success = SECFailure;
+-    infof(conn->data, "common name: %s (does not match '%s')\n",
+-          subject, conn->host.dispname);
+    } else {
+      infof(conn->data, "warning: common name '%s' does not match '%s'\n",
+            subject, conn->host.dispname);
+    }
+     break;
+   case SEC_ERROR_EXPIRED_CERTIFICATE:
+     if(conn->data->set.ssl.verifypeer)
+       success = SECFailure;
+     infof(conn->data, "Remote Certificate has expired.\n");
+     break;
+  case SEC_ERROR_UNKNOWN_ISSUER:
+    if(conn->data->set.ssl.verifypeer)
+      success = SECFailure;
+    infof(conn->data, "Peer's certificate issuer is not recognized: '%s'\n",
+          issuer);
+    break;
+   default:
+     if(conn->data->set.ssl.verifypeer)
+       success = SECFailure;
+@@ -1067,6 +1077,9 @@ CURLcode Curl_nss_connect(struct connect
+     }
+   }
+ 
+  if(data->set.ssl.verifyhost == 1)
+    infof(data, "warning: ignoring unsupported value (1) of ssl.verifyhost\n");
+
+   data->set.ssl.certverifyresult=0; /* not checked yet */
+   if(SSL_BadCertHook(model, (SSLBadCertHandler) BadCertHandler, conn)
+      != SECSuccess) {
+@@ -1200,7 +1213,9 @@ CURLcode Curl_nss_connect(struct connect
+   if(SSL_ForceHandshakeWithTimeout(connssl->handle,
+                                     PR_SecondsToInterval(HANDSHAKE_TIMEOUT))
+       != SECSuccess) {
+-    if(conn->data->set.ssl.certverifyresult!=0)
+    if(conn->data->set.ssl.certverifyresult == SSL_ERROR_BAD_CERT_DOMAIN)
+      curlerr = CURLE_PEER_FAILED_VERIFICATION;
+    else if(conn->data->set.ssl.certverifyresult!=0)
+       curlerr = CURLE_SSL_CACERT;
+     goto error;
+   }
--- a/curl.spec
+++ b/curl.spec
@ -1,15 +1,14 @@
 Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
 Name: curl
-Version: 7.19.4
-Release: 6%{?dist}
+Version: 7.19.6
+Release: 1%{?dist}
 License: MIT
 Group: Applications/Internet
 Source: http://curl.haxx.se/download/%{name}-%{version}.tar.bz2
-Patch1: curl-7.15.3-multilib.patch
-Patch2: curl-7.16.0-privlibs.patch
-Patch3: curl-7.17.1-badsocket.patch
-Patch4: curl-7.19.4-debug.patch
-Patch5: curl-7.19.4-infloop.patch
+Patch1: curl-7.19.6-verifyhost.patch
+Patch101: curl-7.15.3-multilib.patch
+Patch102: curl-7.16.0-privlibs.patch
+Patch103: curl-7.19.4-debug.patch
 Provides: webclient
 URL: http://curl.haxx.se/
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@ -49,11 +48,14 @@ use cURL's capabilities internally.

 %prep
 %setup -q
-%patch1 -p1 -b .multilib
-%patch2 -p1 -b .privlibs
-%patch3 -p1 -b .badsocket
-%patch4 -p1 -b .debug
-%patch5 -p1 -b .infloop
+
+# upstream patches
+%patch1 -p1
+
+# Fedora patches
+%patch101 -p1
+%patch102 -p1
+%patch103 -p1

 # Convert docs to UTF-8
 for f in CHANGES README; do
@ -146,6 +148,11 @@ rm -rf $RPM_BUILD_ROOT
 %{_datadir}/aclocal/libcurl.m4

 %changelog
+* Fri Aug 14 2009 Kamil Dudka <kdudka@redhat.com> 7.19.6-1
+- new upstream release, dropped applied patches
+- changed NSS code to not ignore the value of ssl.verifyhost and produce more
+  verbose error messages (#516056)
+
 * Wed Jun 10 2009 Kamil Dudka <kdudka@redhat.com> 7.19.4-6
 - avoid unguarded comparison in the spec file, thanks to R P Herrold (#504857)

--- a/2
+++ b/2
@ -1 +1 @@
-2734167c1e5f7ce6be99b75d2d371d85  curl-7.19.4.tar.bz2
+8402c1f654c51ad7287aad57c3aa79be  curl-7.19.6.tar.bz2