From a3e77b68ce048e9a54ef1817eec81e86d0e8ded7 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Wed, 2 Sep 2009 14:19:19 +0000 Subject: [PATCH] - use pkg-config to find nss and libssh2 if possible - better patch (not only) for SCP/SFTP polling - improve error message for not matching common name (#516056) --- curl-7.19.6-autoconf.patch | 95 +++++++++++++++++++++++++++++ curl-7.19.6-nss-cn.patch | 45 ++++++++++++++ curl-7.19.6-poll.patch | 115 ++++++++++++++++++++++++++++++++++++ curl-7.19.6-sftp-poll.patch | 18 ------ curl.spec | 24 +++++--- 5 files changed, 271 insertions(+), 26 deletions(-) create mode 100644 curl-7.19.6-autoconf.patch create mode 100644 curl-7.19.6-nss-cn.patch create mode 100644 curl-7.19.6-poll.patch delete mode 100644 curl-7.19.6-sftp-poll.patch diff --git a/curl-7.19.6-autoconf.patch b/curl-7.19.6-autoconf.patch new file mode 100644 index 0000000..a08660d --- /dev/null +++ b/curl-7.19.6-autoconf.patch 
@@ -0,0 +1,95 @@
+diff -rup curl-7.19.6.orig/configure.ac curl-7.19.6/configure.ac
+--- curl-7.19.6.orig/configure.ac 2009-09-02 15:46:09.396519773 +0200
++++ curl-7.19.6/configure.ac 2009-09-02 15:56:18.750831674 +0200
+@@ -1455,22 +1455,37 @@ if test X"$OPT_LIBSSH2" != Xno; then
+ case "$OPT_LIBSSH2" in
+ yes)
+ dnl --with-libssh2 (without path) used
+- PREFIX_LIBSSH2=/usr/local/lib
+- LIB_LIBSSH2="$PREFIX_LIBSSH2$libsuff"
++ CURL_CHECK_PKGCONFIG(libssh2)
++
++ if test "$PKGCONFIG" != "no" ; then
++ LIB_SSH2=`$PKGCONFIG --libs-only-l libssh2`
++ LD_SSH2=`$PKGCONFIG --libs-only-L libssh2`
++ CPP_SSH2=`$PKGCONFIG --cflags-only-I libssh2`
++ version=`$PKGCONFIG --modversion libssh2`
++ DIR_SSH2=`echo $LD_SSH2 | $SED -e 's/-L//'`
++ fi
++
+ ;;
+ off)
+ dnl no --with-libssh2 option given, just check default places
+- PREFIX_LIBSSH2=
+ ;;
+ *)
+ dnl use the given --with-libssh2 spot
+- PREFIX_LIBSSH2=$OPT_LIBSSH2
+- LIB_LIBSSH2="$PREFIX_LIBSSH2/lib$libsuff"
+- LDFLAGS="$LDFLAGS -L$LIB_LIBSSH2"
+- CPPFLAGS="$CPPFLAGS -I$PREFIX_LIBSSH2/include"
++ PREFIX_SSH2=$OPT_LIBSSH2
+ ;;
+ esac
+
++ dnl if given with a prefix, we set -L and -I based on that
++ if test -n "$PREFIX_SSH2"; then
++ LD_SSH2=-L${PREFIX_SSH2}/lib
++ CPP_SSH2=-I${PREFIX_SSH2}/include
++ DIR_SSH2=${PREFIX_SSH2}/lib
++ fi
++
++ LDFLAGS="$LDFLAGS $LD_SSH2"
++ CPPFLAGS="$CPPFLAGS $CPP_SSH2"
++ LIBS="$LIBS $LIB_SSH2"
++
+ AC_CHECK_LIB(ssh2, libssh2_channel_open_ex)
+
+ AC_CHECK_HEADERS(libssh2.h,
+@@ -1494,10 +1509,15 @@ if test X"$OPT_LIBSSH2" != Xno; then
+ dnl libssh2_version is a post 1.0 addition
+ AC_CHECK_FUNCS( libssh2_version )
+
+- LD_LIBRARY_PATH="$LD_LIBRARY_PATH:$LIB_LIBSSH2"
++ LD_LIBRARY_PATH="$LD_LIBRARY_PATH:$DIR_SSH2"
+ export LD_LIBRARY_PATH
+- AC_MSG_NOTICE([Added $LIB_LIBSSH2 to LD_LIBRARY_PATH])
++ AC_MSG_NOTICE([Added $DIR_SSH2 to LD_LIBRARY_PATH])
+ fi
++ else
++ dnl no libssh2, revert back to clean variables
++ LDFLAGS=$CLEANLDFLAGS
++ CPPFLAGS=$CLEANCPPFLAGS
++ LIBS=$CLEANLIBS
+ fi
+ fi
+
+@@ -1665,13 +1685,21 @@ if test "$OPENSSL_ENABLED" != "1" -a "$G
+ addcflags=`$PKGCONFIG --cflags nss`
+ version=`$PKGCONFIG --modversion nss`
+ nssprefix=`$PKGCONFIG --variable=prefix nss`
++ else
++ dnl Without pkg-config, we check for nss-config
++
++ check=`nss-config --version 2>/dev/null`
++ if test -n "$check"; then
++ addlib=`nss-config --libs`
++ addcflags=`nss-config --cflags`
++ version=`nss-config --version`
++ nssprefix=`nss-config --prefix`
++ else
++ addlib="-lnss3"
++ addcflags=""
++ version="unknown"
++ fi
+ fi
+- else
+- # Without pkg-config, we'll kludge in some defaults
+- addlib="-L$OPT_NSS/lib -lssl3 -lsmime3 -lnss3 -lplds4 -lplc4 -lnspr4 -lpthread -ldl"
+- addcflags="-I$OPT_NSS/include"
+- version="unknown"
+- nssprefix=$OPT_NSS
+ fi
+
+ dnl Check for functionPK11_CreateGenericObject
+Only in curl-7.19.6.orig: configure.ac.orig
diff --git a/curl-7.19.6-nss-cn.patch b/curl-7.19.6-nss-cn.patch
new file mode 100644
index 0000000..83520ee
--- /dev/null
+++ b/curl-7.19.6-nss-cn.patch
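Review bot: In curl-7.19.6-autoconf.patch, the configure.ac hunk at -1494 now runs `LD_LIBRARY_PATH="$LD_LIBRARY_PATH:$DIR_SSH2"` even when `DIR_SSH2` is empty. Nothing sets it in the `off` branch, and in the `yes` branch it stays empty whenever pkg-config prints no `-L` flag because libssh2 sits in a default library directory. The glibc loader treats an empty LD_LIBRARY_PATH element as the current directory, so configure's later test programs could pick up a shared object from the build tree. Guard the export with `if test -n "$DIR_SSH2"; then ... fi` around the three LD_LIBRARY_PATH lines. Separately, `$SED -e 's/-L//'` strips only the first `-L`, so a pkg-config answer with several `-L` flags would yield a malformed path; the conditions enclosing this code start outside the hunk.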
@@ -0,0 +1,45 @@
+diff -rup curl-7.19.6.orig/lib/nss.c curl-7.19.6/lib/nss.c
+--- curl-7.19.6.orig/lib/nss.c 2009-08-25 12:27:08.664828503 +0200
++++ curl-7.19.6/lib/nss.c 2009-08-28 11:51:37.764523702 +0200
+@@ -591,7 +591,7 @@ static SECStatus BadCertHandler(void *ar
+ struct connectdata *conn = (struct connectdata *)arg;
+ PRErrorCode err = PR_GetError();
+ CERTCertificate *cert = NULL;
+- char *subject, *issuer;
++ char *subject, *subject_cn, *issuer;
+
+ if(conn->data->set.ssl.certverifyresult!=0)
+ return success;
+@@ -599,6 +599,7 @@ static SECStatus BadCertHandler(void *ar
+ conn->data->set.ssl.certverifyresult=err;
+ cert = SSL_PeerCertificate(sock);
+ subject = CERT_NameToAscii(&cert->subject);
++ subject_cn = CERT_GetCommonName(&cert->subject);
+ issuer = CERT_NameToAscii(&cert->issuer);
+ CERT_DestroyCertificate(cert);
+
+@@ -616,12 +617,12 @@ static SECStatus BadCertHandler(void *ar
+ break;
+ case SSL_ERROR_BAD_CERT_DOMAIN:
+ if(conn->data->set.ssl.verifyhost) {
+- failf(conn->data, "common name '%s' does not match '%s'",
+- subject, conn->host.dispname);
++ failf(conn->data, "SSL: certificate subject name '%s' does not match "
++ "target host name '%s'", subject_cn, conn->host.dispname);
+ success = SECFailure;
+ } else {
+- infof(conn->data, "warning: common name '%s' does not match '%s'\n",
+- subject, conn->host.dispname);
++ infof(conn->data, "warning: SSL: certificate subject name '%s' does not "
++ "match target host name '%s'\n", subject_cn, conn->host.dispname);
+ }
+ break;
+ case SEC_ERROR_EXPIRED_CERTIFICATE:
+@@ -645,6 +646,7 @@ static SECStatus BadCertHandler(void *ar
+ if(success == SECSuccess)
+ infof(conn->data, "SSL certificate verify ok.\n");
+ PR_Free(subject);
++ PR_Free(subject_cn);
+ PR_Free(issuer);
+
+ return success;
diff --git a/curl-7.19.6-poll.patch b/curl-7.19.6-poll.patch
new file mode 100644
index 0000000..759cc02
--- /dev/null
+++ b/curl-7.19.6-poll.patch
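Review bot: In curl-7.19.6-nss-cn.patch, `subject_cn = CERT_GetCommonName(&cert->subject)` returns NULL for a certificate whose subject has no CN attribute. The SSL_ERROR_BAD_CERT_DOMAIN branch of BadCertHandler passes that pointer unchecked to the `%s` of failf()/infof(), so the host-mismatch message would then name no certificate identity, which is the case an operator most needs to diagnose. Falling back to the full subject keeps the message useful, for example `const char *shown = subject_cn ? subject_cn : subject;` with `shown` used in both calls. The new text says "certificate subject name" while printing only the CN; if the NSS host check also consults subjectAltName entries (not visible here), a short comment saying the CN is shown for diagnostics only would avoid pointing readers at the wrong field. The function body continues outside these hunks.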
@@ -0,0 +1,115 @@
+diff -rup curl-7.19.6.orig/lib/ssh.c curl-7.19.6/lib/ssh.c
+--- curl-7.19.6.orig/lib/ssh.c 2009-07-25 00:21:50.000000000 +0200
++++ curl-7.19.6/lib/ssh.c 2009-09-02 15:43:13.337644271 +0200
+@@ -2235,10 +2235,10 @@ static int ssh_perform_getsock(const str
+
+ sock[0] = conn->sock[FIRSTSOCKET];
+
+- if(conn->proto.sshc.waitfor & KEEP_RECV)
++ if(conn->waitfor & KEEP_RECV)
+ bitmap |= GETSOCK_READSOCK(FIRSTSOCKET);
+
+- if(conn->proto.sshc.waitfor & KEEP_SEND)
++ if(conn->waitfor & KEEP_SEND)
+ bitmap |= GETSOCK_WRITESOCK(FIRSTSOCKET);
+
+ return bitmap;
+@@ -2282,15 +2282,17 @@ static void ssh_block2waitfor(struct con
+ {
+ struct ssh_conn *sshc = &conn->proto.sshc;
+ int dir;
+- if(block && (dir = libssh2_session_block_directions(sshc->ssh_session))) {
++ if(!block)
++ conn->waitfor = 0;
++ else if((dir = libssh2_session_block_directions(sshc->ssh_session))) {
+ /* translate the libssh2 define bits into our own bit defines */
+- sshc->waitfor = ((dir&LIBSSH2_SESSION_BLOCK_INBOUND)?KEEP_RECV:0) |
++ conn->waitfor = ((dir&LIBSSH2_SESSION_BLOCK_INBOUND)?KEEP_RECV:0) |
+ ((dir&LIBSSH2_SESSION_BLOCK_OUTBOUND)?KEEP_SEND:0);
+ }
+ else
+ /* It didn't block or libssh2 didn't reveal in which direction, put back
+ the original set */
+- sshc->waitfor = sshc->orig_waitfor;
++ conn->waitfor = sshc->orig_waitfor;
+ }
+ #else
+ /* no libssh2 directional support so we simply don't know */
+diff -rup curl-7.19.6.orig/lib/transfer.c curl-7.19.6/lib/transfer.c
+--- curl-7.19.6.orig/lib/transfer.c 2009-07-22 22:09:53.000000000 +0200
++++ curl-7.19.6/lib/transfer.c 2009-09-02 15:43:13.338644150 +0200
+@@ -1884,33 +1884,46 @@ Transfer(struct connectdata *conn)
+ return CURLE_OK;
+
+ while(!done) {
+- curl_socket_t fd_read;
+- curl_socket_t fd_write;
++ curl_socket_t fd_read = conn->sockfd;
++ curl_socket_t fd_write = conn->writesockfd;
++ int keepon = k->keepon;
++
++#if defined(USE_LIBSSH2)
++ if(conn->protocol & (PROT_SCP|PROT_SFTP)) {
++ fd_read = conn->sock[FIRSTSOCKET];
++ fd_write = conn->sock[FIRSTSOCKET];
++ }
++#endif /* USE_LIBSSH2 */
++
++ if(conn->waitfor) {
++ /* if waitfor is set, get the RECV and SEND bits from that but keep the
++ other bits */
++ keepon &= ~ (KEEP_RECV|KEEP_SEND);
++ keepon |= conn->waitfor & (KEEP_RECV|KEEP_SEND);
++ }
+
+ /* limit-rate logic: if speed exceeds threshold, then do not include fd in
+ select set. The current speed is recalculated in each Curl_readwrite()
+ call */
+- if((k->keepon & KEEP_SEND) &&
++ if((keepon & KEEP_SEND) &&
+ (!data->set.max_send_speed ||
+ (data->progress.ulspeed < data->set.max_send_speed) )) {
+- fd_write = conn->writesockfd;
+ k->keepon &= ~KEEP_SEND_HOLD;
+ }
+ else {
+ fd_write = CURL_SOCKET_BAD;
+- if(k->keepon & KEEP_SEND)
++ if(keepon & KEEP_SEND)
+ k->keepon |= KEEP_SEND_HOLD; /* hold it */
+ }
+
+- if((k->keepon & KEEP_RECV) &&
++ if((keepon & KEEP_RECV) &&
+ (!data->set.max_recv_speed ||
+ (data->progress.dlspeed < data->set.max_recv_speed)) ) {
+- fd_read = conn->sockfd;
+ k->keepon &= ~KEEP_RECV_HOLD;
+ }
+ else {
+ fd_read = CURL_SOCKET_BAD;
+- if(k->keepon & KEEP_RECV)
++ if(keepon & KEEP_RECV)
+ k->keepon |= KEEP_RECV_HOLD; /* hold it */
+ }
+
+diff -rup curl-7.19.6.orig/lib/urldata.h curl-7.19.6/lib/urldata.h
+--- curl-7.19.6.orig/lib/urldata.h 2009-07-23 00:49:56.000000000 +0200
++++ curl-7.19.6/lib/urldata.h 2009-09-02 15:43:13.339644227 +0200
+@@ -565,7 +565,6 @@ struct ssh_conn {
+ LIBSSH2_CHANNEL *ssh_channel; /* Secure Shell channel handle */
+ LIBSSH2_SFTP *sftp_session; /* SFTP handle */
+ LIBSSH2_SFTP_HANDLE *sftp_handle;
+- int waitfor; /* current READ/WRITE bits to wait for */
+ int orig_waitfor; /* default READ/WRITE bits wait for */
+
+ /* note that HAVE_LIBSSH2_KNOWNHOST_API is a define set in the libssh2.h
+@@ -1070,6 +1069,8 @@ struct connectdata {
+ } proto;
+
+ int cselect_bits; /* bitmask of socket events */
++ int waitfor; /* current READ/WRITE bits to wait for */
++
+ #if defined(HAVE_GSSAPI) || defined(USE_WINDOWS_SSPI)
+ int socks5_gssapi_enctype;
+ #endif
diff --git a/curl-7.19.6-sftp-poll.patch b/curl-7.19.6-sftp-poll.patch
deleted file mode 100644
index 164e499..0000000
--- a/curl-7.19.6-sftp-poll.patch
+++ /dev/null
@@ -1,18 +0,0 @@
-diff -rup curl-7.19.6.orig/lib/ssh.c curl-7.19.6/lib/ssh.c
---- curl-7.19.6.orig/lib/ssh.c 2009-08-20 15:33:43.007858118 +0200
-+++ curl-7.19.6/lib/ssh.c 2009-08-20 15:35:31.806608061 +0200
-@@ -2753,8 +2753,13 @@ ssize_t Curl_sftp_send(struct connectdat
-
- ssh_block2waitfor(conn, (nwrite == LIBSSH2_ERROR_EAGAIN)?TRUE:FALSE);
-
-- if(nwrite == LIBSSH2_ERROR_EAGAIN)
-+ if(nwrite == LIBSSH2_ERROR_EAGAIN) {
-+ if (conn->proto.sshc.waitfor & KEEP_RECV)
-+ /* wait for the socket to become ready */
-+ Curl_socket_ready(conn->sock[FIRSTSOCKET], CURL_SOCKET_BAD, 1000);
-+
- return 0;
-+ }
-
- return nwrite;
- }
diff --git a/curl.spec b/curl.spec
index 82e3c9f..d57dbac 100644
--- a/curl.spec
+++ b/curl.spec
@@ -1,16 +1,18 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.19.6 -Release: 3%{?dist} +Release: 4%{?dist} License: MIT Group: Applications/Internet Source: http://curl.haxx.se/download/%{name}-%{version}.tar.lzma Source2: curlbuild.h Patch1: curl-7.19.6-verifyhost.patch +Patch2: curl-7.19.6-nss-cn.patch +Patch3: curl-7.19.6-poll.patch +Patch4: curl-7.19.6-autoconf.patch Patch101: curl-7.15.3-multilib.patch Patch102: curl-7.16.0-privlibs.patch Patch103: curl-7.19.4-debug.patch -Patch201: curl-7.19.6-sftp-poll.patch Provides: webclient URL: http://curl.haxx.se/ BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
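Review bot: In curl-7.19.6-poll.patch, the comment on the final `else` of ssh_block2waitfor() is stale. The new `if(!block) conn->waitfor = 0;` branch now handles the non-blocking case, so that `else` is reached only when the call blocked and libssh2 reported no direction. It should read `/* blocked, but libssh2 did not reveal the direction: put back the original set */`. The relocated field in struct connectdata also deserves a contract, because Transfer() now treats zero as "no override", for example `int waitfor; /* READ/WRITE bits to wait for; 0 = none, use k->keepon */`. Whether every SCP/SFTP exit path calls ssh_block2waitfor(conn, FALSE) is not visible here; a path that skips it would leave `conn->waitfor` set and make the Transfer() loop poll for the wrong direction, which is worth confirming. In Transfer() the HOLD bits are still written to `k->keepon` but are now decided from the local `keepon`, so a one-line comment saying this is intended would help the next reader; all three functions continue outside their hunks.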
@@ -53,17 +55,19 @@ use cURL's capabilities internally. %prep %setup -q -# upstream patches +# upstream patches (already applied) %patch1 -p1 +%patch2 -p1 + +# upstream patches (not yet applied) +%patch3 -p1 +%patch4 -p1 # Fedora patches %patch101 -p1 %patch102 -p1 %patch103 -p1 -# workarounds (not intended to be applied upstream) -%patch201 -p1 - # Convert docs to UTF-8 for f in CHANGES README; do iconv -f iso-8859-1 -t utf8 < ${f} > ${f}.utf8 @@ -72,8 +76,7 @@ done %build autoconf -export CPPFLAGS="$(pkg-config --cflags nss) -DHAVE_PK11_CREATEGENERICOBJECT" -%configure --without-ssl --with-nss=%{_prefix} --enable-ipv6 \ +%configure --without-ssl --with-nss --enable-ipv6 \ --with-ca-bundle=%{_sysconfdir}/pki/tls/certs/ca-bundle.crt \ --with-gssapi=%{_prefix}/kerberos --with-libidn \ --enable-ldaps --disable-static --with-libssh2 --enable-manual @@ -145,6 +148,11 @@ rm -rf $RPM_BUILD_ROOT %{_datadir}/aclocal/libcurl.m4 %changelog +* Wed Sep 02 2009 Kamil Dudka 7.19.6-4 +- use pkg-config to find nss and libssh2 if possible +- better patch (not only) for SCP/SFTP polling +- improve error message for not matching common name (#516056) + * Fri Aug 21 2009 Kamil Dudka 7.19.6-3 - avoid tight loop during a sftp upload - http://permalink.gmane.org/gmane.comp.web.curl.library/24744