curl/0001-curl-7.26.0-72f4b534.patch
Kamil Dudka 78288ca25b use human-readable error messages provided by NSS
upstream commit 72f4b534
2012-05-28 11:56:16 +02:00

254 lines
8.2 KiB
Diff

From 74be99357669da26900ae23b5005ddeabb91b453 Mon Sep 17 00:00:00 2001
From: Kamil Dudka <kdudka@redhat.com>
Date: Mon, 21 May 2012 16:31:21 +0200
Subject: [PATCH 1/2] nss: avoid using explicit casts of code pointers
---
lib/nss.c | 11 ++++-------
1 files changed, 4 insertions(+), 7 deletions(-)
diff --git a/lib/nss.c b/lib/nss.c
index 6b93893..885a120 100644
--- a/lib/nss.c
+++ b/lib/nss.c
@@ -670,11 +670,10 @@ static SECStatus BadCertHandler(void *arg, PRFileDesc *sock)
/**
* Inform the application that the handshake is complete.
*/
-static SECStatus HandshakeCallback(PRFileDesc *sock, void *arg)
+static void HandshakeCallback(PRFileDesc *sock, void *arg)
{
(void)sock;
(void)arg;
- return SECSuccess;
}
static void display_cert_info(struct SessionHandle *data,
@@ -1341,12 +1340,10 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex)
goto error;
data->set.ssl.certverifyresult=0; /* not checked yet */
- if(SSL_BadCertHook(model, (SSLBadCertHandler) BadCertHandler, conn)
- != SECSuccess) {
+ if(SSL_BadCertHook(model, BadCertHandler, conn) != SECSuccess)
goto error;
- }
- if(SSL_HandshakeCallback(model, (SSLHandshakeCallback) HandshakeCallback,
- NULL) != SECSuccess)
+
+ if(SSL_HandshakeCallback(model, HandshakeCallback, NULL) != SECSuccess)
goto error;
if(data->set.ssl.verifypeer) {
--
1.7.1
From 72f4b534c4f57a71c458257c4ea317d557cf59f5 Mon Sep 17 00:00:00 2001
From: Kamil Dudka <kdudka@redhat.com>
Date: Mon, 21 May 2012 16:19:12 +0200
Subject: [PATCH 2/2] nss: use human-readable error messages provided by NSS
Bug: http://lists.baseurl.org/pipermail/yum-devel/2012-January/009002.html
---
lib/nss.c | 128 +++++++++++++++++++++++++-------------------------------
1 files changed, 57 insertions(+), 71 deletions(-)
diff --git a/lib/nss.c b/lib/nss.c
index 885a120..d60b184 100644
--- a/lib/nss.c
+++ b/lib/nss.c
@@ -186,6 +186,11 @@ static const char* nss_error_to_name(PRErrorCode code)
return "unknown error";
}
+static void nss_print_error_message(struct SessionHandle *data, PRUint32 err)
+{
+ failf(data, "%s", PR_ErrorToString(err, PR_LANGUAGE_I_DEFAULT));
+}
+
static SECStatus set_ciphers(struct SessionHandle *data, PRFileDesc * model,
char *cipher_list)
{
@@ -612,61 +617,6 @@ static SECStatus nss_auth_cert_hook(void *arg, PRFileDesc *fd, PRBool checksig,
return SSL_AuthCertificate(CERT_GetDefaultCertDB(), fd, checksig, isServer);
}
-static SECStatus BadCertHandler(void *arg, PRFileDesc *sock)
-{
- SECStatus result = SECFailure;
- struct connectdata *conn = (struct connectdata *)arg;
- PRErrorCode err = PR_GetError();
- CERTCertificate *cert = NULL;
- char *subject, *subject_cn, *issuer;
-
- conn->data->set.ssl.certverifyresult=err;
- cert = SSL_PeerCertificate(sock);
- subject = CERT_NameToAscii(&cert->subject);
- subject_cn = CERT_GetCommonName(&cert->subject);
- issuer = CERT_NameToAscii(&cert->issuer);
- CERT_DestroyCertificate(cert);
-
- switch(err) {
- case SEC_ERROR_CA_CERT_INVALID:
- infof(conn->data, "Issuer certificate is invalid: '%s'\n", issuer);
- break;
- case SEC_ERROR_UNTRUSTED_ISSUER:
- infof(conn->data, "Certificate is signed by an untrusted issuer: '%s'\n",
- issuer);
- break;
- case SSL_ERROR_BAD_CERT_DOMAIN:
- if(conn->data->set.ssl.verifyhost) {
- failf(conn->data, "SSL: certificate subject name '%s' does not match "
- "target host name '%s'", subject_cn, conn->host.dispname);
- }
- else {
- result = SECSuccess;
- infof(conn->data, "warning: SSL: certificate subject name '%s' does not "
- "match target host name '%s'\n", subject_cn, conn->host.dispname);
- }
- break;
- case SEC_ERROR_EXPIRED_CERTIFICATE:
- infof(conn->data, "Remote Certificate has expired.\n");
- break;
- case SEC_ERROR_UNKNOWN_ISSUER:
- infof(conn->data, "Peer's certificate issuer is not recognized: '%s'\n",
- issuer);
- break;
- default:
- infof(conn->data, "Bad certificate received. Subject = '%s', "
- "Issuer = '%s'\n", subject, issuer);
- break;
- }
- if(result == SECSuccess)
- infof(conn->data, "SSL certificate verify ok.\n");
- PR_Free(subject);
- PR_Free(subject_cn);
- PR_Free(issuer);
-
- return result;
-}
-
/**
* Inform the application that the handshake is complete.
*/
@@ -728,6 +678,31 @@ static void display_conn_info(struct connectdata *conn, PRFileDesc *sock)
return;
}
+static SECStatus BadCertHandler(void *arg, PRFileDesc *sock)
+{
+ struct connectdata *conn = (struct connectdata *)arg;
+ struct SessionHandle *data = conn->data;
+ PRErrorCode err = PR_GetError();
+ CERTCertificate *cert;
+
+ /* remember the cert verification result */
+ data->set.ssl.certverifyresult = err;
+
+ if(err == SSL_ERROR_BAD_CERT_DOMAIN && !data->set.ssl.verifyhost)
+ /* we are asked not to verify the host name */
+ return SECSuccess;
+
+ /* print only info about the cert, the error is printed off the callback */
+ cert = SSL_PeerCertificate(sock);
+ if(cert) {
+ infof(data, "Server certificate:\n");
+ display_cert_info(data, cert);
+ CERT_DestroyCertificate(cert);
+ }
+
+ return SECFailure;
+}
+
/**
*
* Check that the Peer certificate's issuer certificate matches the one found
@@ -1108,20 +1083,17 @@ int Curl_nss_close_all(struct SessionHandle *data)
return 0;
}
-/* handle client certificate related errors if any; return false otherwise */
-static bool handle_cc_error(PRInt32 err, struct SessionHandle *data)
+/* return true if the given error code is related to a client certificate */
+static bool is_cc_error(PRInt32 err)
{
switch(err) {
case SSL_ERROR_BAD_CERT_ALERT:
- failf(data, "SSL error: SSL_ERROR_BAD_CERT_ALERT");
return true;
case SSL_ERROR_REVOKED_CERT_ALERT:
- failf(data, "SSL error: SSL_ERROR_REVOKED_CERT_ALERT");
return true;
case SSL_ERROR_EXPIRED_CERT_ALERT:
- failf(data, "SSL error: SSL_ERROR_EXPIRED_CERT_ALERT");
return true;
default:
@@ -1460,10 +1432,14 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex)
data->state.ssl_connect_retry = FALSE;
err = PR_GetError();
- if(handle_cc_error(err, data))
+ if(is_cc_error(err))
curlerr = CURLE_SSL_CERTPROBLEM;
- else
- infof(data, "NSS error %d (%s)\n", err, nss_error_to_name(err));
+
+ /* print the error number and error string */
+ infof(data, "NSS error %d (%s)\n", err, nss_error_to_name(err));
+
+ /* print a human-readable message describing the error if available */
+ nss_print_error_message(data, err);
if(model)
PR_Close(model);
@@ -1496,12 +1472,17 @@ static ssize_t nss_send(struct connectdata *conn, /* connection data */
PRInt32 err = PR_GetError();
if(err == PR_WOULD_BLOCK_ERROR)
*curlcode = CURLE_AGAIN;
- else if(handle_cc_error(err, conn->data))
- *curlcode = CURLE_SSL_CERTPROBLEM;
else {
+ /* print the error number and error string */
const char *err_name = nss_error_to_name(err);
- failf(conn->data, "SSL write: error %d (%s)", err, err_name);
- *curlcode = CURLE_SEND_ERROR;
+ infof(conn->data, "SSL write: error %d (%s)\n", err, err_name);
+
+ /* print a human-readable message describing the error if available */
+ nss_print_error_message(conn->data, err);
+
+ *curlcode = (is_cc_error(err))
+ ? CURLE_SSL_CERTPROBLEM
+ : CURLE_SEND_ERROR;
}
return -1;
}
@@ -1523,12 +1504,17 @@ static ssize_t nss_recv(struct connectdata * conn, /* connection data */
if(err == PR_WOULD_BLOCK_ERROR)
*curlcode = CURLE_AGAIN;
- else if(handle_cc_error(err, conn->data))
- *curlcode = CURLE_SSL_CERTPROBLEM;
else {
+ /* print the error number and error string */
const char *err_name = nss_error_to_name(err);
- failf(conn->data, "SSL read: errno %d (%s)", err, err_name);
- *curlcode = CURLE_RECV_ERROR;
+ infof(conn->data, "SSL read: errno %d (%s)\n", err, err_name);
+
+ /* print a human-readable message describing the error if available */
+ nss_print_error_message(conn->data, err);
+
+ *curlcode = (is_cc_error(err))
+ ? CURLE_SSL_CERTPROBLEM
+ : CURLE_RECV_ERROR;
}
return -1;
}
--
1.7.1