From 69a7693fea7ca3d3914084c74338c0f1761a0ddc Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Fri, 14 Aug 2009 09:43:48 +0000 Subject: [PATCH] - new upstream release, dropped applied patches - changed NSS code to not ignore the value of ssl.verifyhost and produce more verbose error messages (#516056) --- .cvsignore | 2 +- curl-7.17.1-badsocket.patch | 13 --------- curl-7.19.4-infloop.patch | 12 -------- curl-7.19.6-verifyhost.patch | 54 ++++++++++++++++++++++++++++++++++++ curl.spec | 31 +++++++++++++-------- sources | 2 +- 6 files changed, 75 insertions(+), 39 deletions(-) delete mode 100644 curl-7.17.1-badsocket.patch delete mode 100644 curl-7.19.4-infloop.patch create mode 100644 curl-7.19.6-verifyhost.patch
diff --git a/.cvsignore b/.cvsignore
index 5cafa0e..b22a168 100644
--- a/.cvsignore
+++ b/.cvsignore
@@ -1 +1 @@
-curl-7.19.4.tar.bz2
+curl-7.19.6.tar.bz2
diff --git a/curl-7.17.1-badsocket.patch b/curl-7.17.1-badsocket.patch
deleted file mode 100644
index 86cdab4..0000000
--- a/curl-7.17.1-badsocket.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-diff -ruNp curl-7.19.3.orig/lib/ftp.c curl-7.19.3/lib/ftp.c
---- curl-7.19.3.orig/lib/ftp.c 2009-02-11 10:57:33.334280000 +0100
-+++ curl-7.19.3/lib/ftp.c 2009-02-11 10:59:43.957585266 +0100
-@@ -3222,7 +3222,8 @@ static CURLcode ftp_done(struct connectd
- /* Note that we keep "use" set to TRUE since that (next) connection is
- still requested to use SSL */
- }
-- sclose(conn->sock[SECONDARYSOCKET]);
-+ if(CURL_SOCKET_BAD != conn->sock[SECONDARYSOCKET])
-+ sclose(conn->sock[SECONDARYSOCKET]);
-
- conn->sock[SECONDARYSOCKET] = CURL_SOCKET_BAD;
- }
diff --git a/curl-7.19.4-infloop.patch b/curl-7.19.4-infloop.patch
deleted file mode 100644
index c742b1b..0000000
--- a/curl-7.19.4-infloop.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-diff -ruNp curl-7.19.4.orig/lib/nss.c curl-7.19.4/lib/nss.c
---- curl-7.19.4.orig/lib/nss.c 2009-05-11 10:21:19.136924000 +0200
-+++ curl-7.19.4/lib/nss.c 2009-05-11 10:22:31.190315791 +0200
-@@ -591,7 +591,7 @@ static char * nss_get_password(PK11SlotI
- parg = (pphrase_arg_t *) arg;
-
- (void)slot; /* unused */
-- if(retry > 2)
-+ if(retry)
- return NULL;
- if(parg->data->set.str[STRING_KEY_PASSWD])
- return (char *)PORT_Strdup((char *)parg->data->set.str[STRING_KEY_PASSWD]);
diff --git a/curl-7.19.6-verifyhost.patch b/curl-7.19.6-verifyhost.patch
new file mode 100644
index 0000000..ce0abd1
--- /dev/null
+++ b/curl-7.19.6-verifyhost.patch
@@ -0,0 +1,54 @@
+diff -rup curl-7.19.6.orig/lib/nss.c curl-7.19.6/lib/nss.c
+--- curl-7.19.6.orig/lib/nss.c 2009-08-14 11:14:45.423733097 +0200
++++ curl-7.19.6/lib/nss.c 2009-08-14 11:15:04.142733360 +0200
+@@ -615,16 +615,26 @@ static SECStatus BadCertHandler(void *ar
+ issuer);
+ break;
+ case SSL_ERROR_BAD_CERT_DOMAIN:
+- if(conn->data->set.ssl.verifypeer)
++ if(conn->data->set.ssl.verifyhost) {
++ failf(conn->data, "common name '%s' does not match '%s'",
++ subject, conn->host.dispname);
+ success = SECFailure;
+- infof(conn->data, "common name: %s (does not match '%s')\n",
+- subject, conn->host.dispname);
++ } else {
++ infof(conn->data, "warning: common name '%s' does not match '%s'\n",
++ subject, conn->host.dispname);
++ }
+ break;
+ case SEC_ERROR_EXPIRED_CERTIFICATE:
+ if(conn->data->set.ssl.verifypeer)
+ success = SECFailure;
+ infof(conn->data, "Remote Certificate has expired.\n");
+ break;
++ case SEC_ERROR_UNKNOWN_ISSUER:
++ if(conn->data->set.ssl.verifypeer)
++ success = SECFailure;
++ infof(conn->data, "Peer's certificate issuer is not recognized: '%s'\n",
++ issuer);
++ break;
+ default:
+ if(conn->data->set.ssl.verifypeer)
+ success = SECFailure;
+@@ -1067,6 +1077,9 @@ CURLcode Curl_nss_connect(struct connect
+ }
+ }
+
++ if(data->set.ssl.verifyhost == 1)
++ infof(data, "warning: ignoring unsupported value (1) of ssl.verifyhost\n");
++
+ data->set.ssl.certverifyresult=0; /* not checked yet */
+ if(SSL_BadCertHook(model, (SSLBadCertHandler) BadCertHandler, conn)
+ != SECSuccess) {
+@@ -1200,7 +1213,9 @@ CURLcode Curl_nss_connect(struct connect
+ if(SSL_ForceHandshakeWithTimeout(connssl->handle,
+ PR_SecondsToInterval(HANDSHAKE_TIMEOUT))
+ != SECSuccess) {
+- if(conn->data->set.ssl.certverifyresult!=0)
++ if(conn->data->set.ssl.certverifyresult == SSL_ERROR_BAD_CERT_DOMAIN)
++ curlerr = CURLE_PEER_FAILED_VERIFICATION;
++ else if(conn->data->set.ssl.certverifyresult!=0)
+ curlerr = CURLE_SSL_CACERT;
+ goto error;
+ }
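Review bot: In the `Curl_nss_connect` hunk the new log line `warning: ignoring unsupported value (1) of ssl.verifyhost` does not describe what the `SSL_ERROR_BAD_CERT_DOMAIN` branch of `BadCertHandler` does, because `if(conn->data->set.ssl.verifyhost)` is true for 1 as well as 2, so a name mismatch still fails the handshake. That is the safe direction, but someone reading the log would conclude the host check was skipped; wording such as `warning: ssl.verifyhost value 1 is not supported, treating it as 2` would match the behaviour. Separately, the last hunk maps `certverifyresult == SSL_ERROR_BAD_CERT_DOMAIN` to `CURLE_PEER_FAILED_VERIFICATION` on any handshake failure; if the handler records `certverifyresult` even when `verifyhost` is 0 (that assignment is outside these hunks), an unrelated handshake error would be reported as a verification failure, which is worth confirming. Both functions start and end outside the hunks shown.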
diff --git a/curl.spec b/curl.spec index c6730a3..6eeaea2 100644 --- a/curl.spec +++ b/curl.spec @@ -1,15 +1,14 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 7.19.4 -Release: 6%{?dist} +Version: 7.19.6 +Release: 1%{?dist} License: MIT Group: Applications/Internet Source: http://curl.haxx.se/download/%{name}-%{version}.tar.bz2 -Patch1: curl-7.15.3-multilib.patch -Patch2: curl-7.16.0-privlibs.patch -Patch3: curl-7.17.1-badsocket.patch -Patch4: curl-7.19.4-debug.patch -Patch5: curl-7.19.4-infloop.patch +Patch1: curl-7.19.6-verifyhost.patch +Patch101: curl-7.15.3-multilib.patch +Patch102: curl-7.16.0-privlibs.patch +Patch103: curl-7.19.4-debug.patch Provides: webclient URL: http://curl.haxx.se/ BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) @@ -49,11 +48,14 @@ use cURL's capabilities internally. %prep %setup -q -%patch1 -p1 -b .multilib -%patch2 -p1 -b .privlibs -%patch3 -p1 -b .badsocket -%patch4 -p1 -b .debug -%patch5 -p1 -b .infloop + +# upstream patches +%patch1 -p1 + +# Fedora patches +%patch101 -p1 +%patch102 -p1 +%patch103 -p1 # Convert docs to UTF-8 for f in CHANGES README; do @@ -146,6 +148,11 @@ rm -rf $RPM_BUILD_ROOT %{_datadir}/aclocal/libcurl.m4 %changelog +* Fri Aug 14 2009 Kamil Dudka 7.19.6-1 +- new upstream release, dropped applied patches +- changed NSS code to not ignore the value of ssl.verifyhost and produce more + verbose error messages (#516056) + * Wed Jun 10 2009 Kamil Dudka 7.19.4-6 - avoid unguarded comparison in the spec file, thanks to R P Herrold (#504857) diff --git a/sources b/sources index 988cd13..d5dd42c 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -2734167c1e5f7ce6be99b75d2d371d85 curl-7.19.4.tar.bz2 +8402c1f654c51ad7287aad57c3aa79be curl-7.19.6.tar.bz2