- new upstream release, dropped applied patches
- changed NSS code to not ignore the value of ssl.verifyhost and produce more verbose error messages (#516056)
This commit is contained in:
parent
e28fb68964
commit
c735169085
@ -1 +1,2 @@
|
|||||||
curl-7.19.5.tar.lzma
|
curl-7.19.5.tar.lzma
|
||||||
|
curl-7.19.6.tar.lzma
|
||||||
|
@ -1,13 +0,0 @@
|
|||||||
diff -ruNp curl-7.19.3.orig/lib/ftp.c curl-7.19.3/lib/ftp.c
|
|
||||||
--- curl-7.19.3.orig/lib/ftp.c 2009-02-11 10:57:33.334280000 +0100
|
|
||||||
+++ curl-7.19.3/lib/ftp.c 2009-02-11 10:59:43.957585266 +0100
|
|
||||||
@@ -3222,7 +3222,8 @@ static CURLcode ftp_done(struct connectd
|
|
||||||
/* Note that we keep "use" set to TRUE since that (next) connection is
|
|
||||||
still requested to use SSL */
|
|
||||||
}
|
|
||||||
- sclose(conn->sock[SECONDARYSOCKET]);
|
|
||||||
+ if(CURL_SOCKET_BAD != conn->sock[SECONDARYSOCKET])
|
|
||||||
+ sclose(conn->sock[SECONDARYSOCKET]);
|
|
||||||
|
|
||||||
conn->sock[SECONDARYSOCKET] = CURL_SOCKET_BAD;
|
|
||||||
}
|
|
@ -1,304 +0,0 @@
|
|||||||
diff -ruNp curl-7.19.5.orig/lib/nss.c curl-7.19.5/lib/nss.c
|
|
||||||
--- curl-7.19.5.orig/lib/nss.c 2009-07-22 10:30:03.010106586 +0200
|
|
||||||
+++ curl-7.19.5/lib/nss.c 2009-07-22 10:30:54.069293169 +0200
|
|
||||||
@@ -585,48 +585,6 @@ static char * nss_get_password(PK11SlotI
|
|
||||||
return (char *)PORT_Strdup((char *)arg);
|
|
||||||
}
|
|
||||||
|
|
||||||
-static SECStatus nss_Init_Tokens(struct connectdata * conn)
|
|
||||||
-{
|
|
||||||
- PK11SlotList *slotList;
|
|
||||||
- PK11SlotListElement *listEntry;
|
|
||||||
- SECStatus ret, status = SECSuccess;
|
|
||||||
-
|
|
||||||
- PK11_SetPasswordFunc(nss_get_password);
|
|
||||||
-
|
|
||||||
- slotList =
|
|
||||||
- PK11_GetAllTokens(CKM_INVALID_MECHANISM, PR_FALSE, PR_TRUE, NULL);
|
|
||||||
-
|
|
||||||
- for(listEntry = PK11_GetFirstSafe(slotList);
|
|
||||||
- listEntry; listEntry = listEntry->next) {
|
|
||||||
- PK11SlotInfo *slot = listEntry->slot;
|
|
||||||
-
|
|
||||||
- if(PK11_NeedLogin(slot) && PK11_NeedUserInit(slot)) {
|
|
||||||
- if(slot == PK11_GetInternalKeySlot()) {
|
|
||||||
- failf(conn->data, "The NSS database has not been initialized");
|
|
||||||
- }
|
|
||||||
- else {
|
|
||||||
- failf(conn->data, "The token %s has not been initialized",
|
|
||||||
- PK11_GetTokenName(slot));
|
|
||||||
- }
|
|
||||||
- PK11_FreeSlot(slot);
|
|
||||||
- continue;
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- ret = PK11_Authenticate(slot, PR_TRUE,
|
|
||||||
- conn->data->set.str[STRING_KEY_PASSWD]);
|
|
||||||
- if(SECSuccess != ret) {
|
|
||||||
- if(PR_GetError() == SEC_ERROR_BAD_PASSWORD)
|
|
||||||
- infof(conn->data, "The password for token '%s' is incorrect\n",
|
|
||||||
- PK11_GetTokenName(slot));
|
|
||||||
- status = SECFailure;
|
|
||||||
- break;
|
|
||||||
- }
|
|
||||||
- PK11_FreeSlot(slot);
|
|
||||||
- }
|
|
||||||
-
|
|
||||||
- return status;
|
|
||||||
-}
|
|
||||||
-
|
|
||||||
static SECStatus BadCertHandler(void *arg, PRFileDesc *sock)
|
|
||||||
{
|
|
||||||
SECStatus success = SECSuccess;
|
|
||||||
@@ -692,15 +650,37 @@ static SECStatus HandshakeCallback(PRFil
|
|
||||||
return SECSuccess;
|
|
||||||
}
|
|
||||||
|
|
||||||
+static void display_cert_info(struct SessionHandle *data, CERTCertificate *cert) {
|
|
||||||
+ char *subject, *issuer, *common_name;
|
|
||||||
+ PRExplodedTime printableTime;
|
|
||||||
+ char timeString[256];
|
|
||||||
+ PRTime notBefore, notAfter;
|
|
||||||
+
|
|
||||||
+ subject = CERT_NameToAscii(&cert->subject);
|
|
||||||
+ issuer = CERT_NameToAscii(&cert->issuer);
|
|
||||||
+ common_name = CERT_GetCommonName(&cert->subject);
|
|
||||||
+ infof(data, "\tsubject: %s\n", subject);
|
|
||||||
+
|
|
||||||
+ CERT_GetCertTimes(cert, ¬Before, ¬After);
|
|
||||||
+ PR_ExplodeTime(notBefore, PR_GMTParameters, &printableTime);
|
|
||||||
+ PR_FormatTime(timeString, 256, "%b %d %H:%M:%S %Y GMT", &printableTime);
|
|
||||||
+ infof(data, "\tstart date: %s\n", timeString);
|
|
||||||
+ PR_ExplodeTime(notAfter, PR_GMTParameters, &printableTime);
|
|
||||||
+ PR_FormatTime(timeString, 256, "%b %d %H:%M:%S %Y GMT", &printableTime);
|
|
||||||
+ infof(data, "\texpire date: %s\n", timeString);
|
|
||||||
+ infof(data, "\tcommon name: %s\n", common_name);
|
|
||||||
+ infof(data, "\tissuer: %s\n", issuer);
|
|
||||||
+
|
|
||||||
+ PR_Free(subject);
|
|
||||||
+ PR_Free(issuer);
|
|
||||||
+ PR_Free(common_name);
|
|
||||||
+}
|
|
||||||
+
|
|
||||||
static void display_conn_info(struct connectdata *conn, PRFileDesc *sock)
|
|
||||||
{
|
|
||||||
SSLChannelInfo channel;
|
|
||||||
SSLCipherSuiteInfo suite;
|
|
||||||
CERTCertificate *cert;
|
|
||||||
- char *subject, *issuer, *common_name;
|
|
||||||
- PRExplodedTime printableTime;
|
|
||||||
- char timeString[256];
|
|
||||||
- PRTime notBefore, notAfter;
|
|
||||||
|
|
||||||
if(SSL_GetChannelInfo(sock, &channel, sizeof channel) ==
|
|
||||||
SECSuccess && channel.length == sizeof channel &&
|
|
||||||
@@ -714,25 +694,7 @@ static void display_conn_info(struct con
|
|
||||||
infof(conn->data, "Server certificate:\n");
|
|
||||||
|
|
||||||
cert = SSL_PeerCertificate(sock);
|
|
||||||
- subject = CERT_NameToAscii(&cert->subject);
|
|
||||||
- issuer = CERT_NameToAscii(&cert->issuer);
|
|
||||||
- common_name = CERT_GetCommonName(&cert->subject);
|
|
||||||
- infof(conn->data, "\tsubject: %s\n", subject);
|
|
||||||
-
|
|
||||||
- CERT_GetCertTimes(cert, ¬Before, ¬After);
|
|
||||||
- PR_ExplodeTime(notBefore, PR_GMTParameters, &printableTime);
|
|
||||||
- PR_FormatTime(timeString, 256, "%b %d %H:%M:%S %Y GMT", &printableTime);
|
|
||||||
- infof(conn->data, "\tstart date: %s\n", timeString);
|
|
||||||
- PR_ExplodeTime(notAfter, PR_GMTParameters, &printableTime);
|
|
||||||
- PR_FormatTime(timeString, 256, "%b %d %H:%M:%S %Y GMT", &printableTime);
|
|
||||||
- infof(conn->data, "\texpire date: %s\n", timeString);
|
|
||||||
- infof(conn->data, "\tcommon name: %s\n", common_name);
|
|
||||||
- infof(conn->data, "\tissuer: %s\n", issuer);
|
|
||||||
-
|
|
||||||
- PR_Free(subject);
|
|
||||||
- PR_Free(issuer);
|
|
||||||
- PR_Free(common_name);
|
|
||||||
-
|
|
||||||
+ display_cert_info(conn->data, cert);
|
|
||||||
CERT_DestroyCertificate(cert);
|
|
||||||
|
|
||||||
return;
|
|
||||||
@@ -786,48 +748,71 @@ static SECStatus SelectClientCert(void *
|
|
||||||
struct CERTCertificateStr **pRetCert,
|
|
||||||
struct SECKEYPrivateKeyStr **pRetKey)
|
|
||||||
{
|
|
||||||
- SECKEYPrivateKey *privKey = NULL;
|
|
||||||
- CERTCertificate *cert;
|
|
||||||
- struct ssl_connect_data *connssl = (struct ssl_connect_data *) arg;
|
|
||||||
- char *nickname = connssl->client_nickname;
|
|
||||||
- void *proto_win = NULL;
|
|
||||||
- SECStatus secStatus = SECFailure;
|
|
||||||
- PK11SlotInfo *slot;
|
|
||||||
- (void)caNames;
|
|
||||||
+ static const char pem_nickname[] = "PEM Token #1";
|
|
||||||
+ const char *pem_slotname = pem_nickname;
|
|
||||||
|
|
||||||
- proto_win = SSL_RevealPinArg(sock);
|
|
||||||
+ struct ssl_connect_data *connssl = (struct ssl_connect_data *)arg;
|
|
||||||
+ struct SessionHandle *data = connssl->data;
|
|
||||||
+ const char *nickname = connssl->client_nickname;
|
|
||||||
|
|
||||||
- if(!nickname)
|
|
||||||
- return secStatus;
|
|
||||||
+ if (mod && nickname &&
|
|
||||||
+ 0 == strncmp(nickname, pem_nickname, /* length of "PEM Token" */ 9)) {
|
|
||||||
|
|
||||||
- cert = PK11_FindCertFromNickname(nickname, proto_win);
|
|
||||||
- if(cert) {
|
|
||||||
- if(!strncmp(nickname, "PEM Token", 9)) {
|
|
||||||
- CK_SLOT_ID slotID = 1; /* hardcoded for now */
|
|
||||||
- char slotname[SLOTSIZE];
|
|
||||||
- snprintf(slotname, SLOTSIZE, "PEM Token #%ld", slotID);
|
|
||||||
- slot = PK11_FindSlotByName(slotname);
|
|
||||||
- privKey = PK11_FindPrivateKeyFromCert(slot, cert, NULL);
|
|
||||||
- PK11_FreeSlot(slot);
|
|
||||||
- if(privKey) {
|
|
||||||
- secStatus = SECSuccess;
|
|
||||||
- }
|
|
||||||
+ /* use the cert/key provided by PEM reader */
|
|
||||||
+ PK11SlotInfo *slot;
|
|
||||||
+ void *proto_win = SSL_RevealPinArg(sock);
|
|
||||||
+ *pRetKey = NULL;
|
|
||||||
+
|
|
||||||
+ *pRetCert = PK11_FindCertFromNickname(nickname, proto_win);
|
|
||||||
+ if (NULL == *pRetCert) {
|
|
||||||
+ failf(data, "NSS: client certificate not found: %s", nickname);
|
|
||||||
+ return SECFailure;
|
|
||||||
}
|
|
||||||
- else {
|
|
||||||
- privKey = PK11_FindKeyByAnyCert(cert, proto_win);
|
|
||||||
- if(privKey)
|
|
||||||
- secStatus = SECSuccess;
|
|
||||||
+
|
|
||||||
+ slot = PK11_FindSlotByName(pem_slotname);
|
|
||||||
+ if (NULL == slot) {
|
|
||||||
+ failf(data, "NSS: PK11 slot not found: %s", pem_slotname);
|
|
||||||
+ return SECFailure;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ *pRetKey = PK11_FindPrivateKeyFromCert(slot, *pRetCert, NULL);
|
|
||||||
+ PK11_FreeSlot(slot);
|
|
||||||
+ if (NULL == *pRetKey) {
|
|
||||||
+ failf(data, "NSS: private key not found for certificate: %s", nickname);
|
|
||||||
+ return SECFailure;
|
|
||||||
}
|
|
||||||
+
|
|
||||||
+ infof(data, "NSS: Client client certificate: %s\n", nickname);
|
|
||||||
+ display_cert_info(data, *pRetCert);
|
|
||||||
+ return SECSuccess;
|
|
||||||
}
|
|
||||||
|
|
||||||
- *pRetCert = cert;
|
|
||||||
- *pRetKey = privKey;
|
|
||||||
-
|
|
||||||
- /* There's no need to destroy either cert or privKey as
|
|
||||||
- * NSS will do that for us even if returning SECFailure
|
|
||||||
- */
|
|
||||||
+ /* use the default NSS hook */
|
|
||||||
+ if (SECSuccess != NSS_GetClientAuthData((void *)nickname, sock, caNames,
|
|
||||||
+ pRetCert, pRetKey)
|
|
||||||
+ || NULL == *pRetCert) {
|
|
||||||
|
|
||||||
- return secStatus;
|
|
||||||
+ if (NULL == nickname)
|
|
||||||
+ failf(data, "NSS: client certificate not found (nickname not specified)");
|
|
||||||
+ else
|
|
||||||
+ failf(data, "NSS: client certificate not found: %s", nickname);
|
|
||||||
+
|
|
||||||
+ return SECFailure;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ /* get certificate nickname if any */
|
|
||||||
+ nickname = (*pRetCert)->nickname;
|
|
||||||
+ if (NULL == nickname)
|
|
||||||
+ nickname = "[unknown]";
|
|
||||||
+
|
|
||||||
+ if (NULL == *pRetKey) {
|
|
||||||
+ failf(data, "NSS: private key not found for certificate: %s", nickname);
|
|
||||||
+ return SECFailure;
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
+ infof(data, "NSS: using client certificate: %s\n", nickname);
|
|
||||||
+ display_cert_info(data, *pRetCert);
|
|
||||||
+ return SECSuccess;
|
|
||||||
}
|
|
||||||
|
|
||||||
/**
|
|
||||||
@@ -955,6 +940,8 @@ CURLcode Curl_nss_connect(struct connect
|
|
||||||
if (connssl->state == ssl_connection_complete)
|
|
||||||
return CURLE_OK;
|
|
||||||
|
|
||||||
+ connssl->data = data;
|
|
||||||
+
|
|
||||||
#ifdef HAVE_PK11_CREATEGENERICOBJECT
|
|
||||||
connssl->cacert[0] = NULL;
|
|
||||||
connssl->cacert[1] = NULL;
|
|
||||||
@@ -1017,6 +1004,9 @@ CURLcode Curl_nss_connect(struct connect
|
|
||||||
}
|
|
||||||
}
|
|
||||||
#endif
|
|
||||||
+
|
|
||||||
+ PK11_SetPasswordFunc(nss_get_password);
|
|
||||||
+
|
|
||||||
}
|
|
||||||
PR_Unlock(nss_initlock);
|
|
||||||
|
|
||||||
@@ -1164,11 +1154,7 @@ CURLcode Curl_nss_connect(struct connect
|
|
||||||
else {
|
|
||||||
nickname = data->set.str[STRING_CERT];
|
|
||||||
}
|
|
||||||
- if(nss_Init_Tokens(conn) != SECSuccess) {
|
|
||||||
- if(nickname_alloc)
|
|
||||||
- free(nickname);
|
|
||||||
- goto error;
|
|
||||||
- }
|
|
||||||
+
|
|
||||||
if(!cert_stuff(conn, sockindex, data->set.str[STRING_CERT],
|
|
||||||
data->set.str[STRING_KEY])) {
|
|
||||||
/* failf() is already done in cert_stuff() */
|
|
||||||
@@ -1183,16 +1169,15 @@ CURLcode Curl_nss_connect(struct connect
|
|
||||||
if(!connssl->client_nickname)
|
|
||||||
return CURLE_OUT_OF_MEMORY;
|
|
||||||
|
|
||||||
- if(SSL_GetClientAuthDataHook(model,
|
|
||||||
- (SSLGetClientAuthData) SelectClientCert,
|
|
||||||
- (void *)connssl) != SECSuccess) {
|
|
||||||
- curlerr = CURLE_SSL_CERTPROBLEM;
|
|
||||||
- goto error;
|
|
||||||
- }
|
|
||||||
}
|
|
||||||
else
|
|
||||||
connssl->client_nickname = NULL;
|
|
||||||
|
|
||||||
+ if(SSL_GetClientAuthDataHook(model, SelectClientCert,
|
|
||||||
+ (void *)connssl) != SECSuccess) {
|
|
||||||
+ curlerr = CURLE_SSL_CERTPROBLEM;
|
|
||||||
+ goto error;
|
|
||||||
+ }
|
|
||||||
|
|
||||||
/* Import our model socket onto the existing file descriptor */
|
|
||||||
connssl->handle = PR_ImportTCPSocket(sockfd);
|
|
||||||
@@ -1201,6 +1186,11 @@ CURLcode Curl_nss_connect(struct connect
|
|
||||||
goto error;
|
|
||||||
PR_Close(model); /* We don't need this any more */
|
|
||||||
|
|
||||||
+ /* This is the password associated with the cert that we're using */
|
|
||||||
+ if (data->set.str[STRING_KEY_PASSWD]) {
|
|
||||||
+ SSL_SetPKCS11PinArg(connssl->handle, data->set.str[STRING_KEY_PASSWD]);
|
|
||||||
+ }
|
|
||||||
+
|
|
||||||
/* Force handshake on next I/O */
|
|
||||||
SSL_ResetHandshake(connssl->handle, /* asServer */ PR_FALSE);
|
|
||||||
|
|
||||||
diff -ruNp curl-7.19.5.orig/lib/urldata.h curl-7.19.5/lib/urldata.h
|
|
||||||
--- curl-7.19.5.orig/lib/urldata.h 2009-07-22 10:30:03.007106061 +0200
|
|
||||||
+++ curl-7.19.5/lib/urldata.h 2009-07-22 10:30:54.070293354 +0200
|
|
||||||
@@ -211,6 +211,7 @@ struct ssl_connect_data {
|
|
||||||
#ifdef USE_NSS
|
|
||||||
PRFileDesc *handle;
|
|
||||||
char *client_nickname;
|
|
||||||
+ struct SessionHandle *data;
|
|
||||||
#ifdef HAVE_PK11_CREATEGENERICOBJECT
|
|
||||||
PK11GenericObject *key;
|
|
||||||
PK11GenericObject *cacert[2];
|
|
@ -1,101 +0,0 @@
|
|||||||
diff -ruNp curl-7.19.5.orig/lib/nss.c curl-7.19.5/lib/nss.c
|
|
||||||
--- curl-7.19.5.orig/lib/nss.c 2009-05-11 11:13:49.000000000 +0200
|
|
||||||
+++ curl-7.19.5/lib/nss.c 2009-07-10 13:26:15.000000000 +0200
|
|
||||||
@@ -786,7 +786,8 @@ static SECStatus SelectClientCert(void *
|
|
||||||
struct CERTCertificateStr **pRetCert,
|
|
||||||
struct SECKEYPrivateKeyStr **pRetKey)
|
|
||||||
{
|
|
||||||
- SECKEYPrivateKey *privKey;
|
|
||||||
+ SECKEYPrivateKey *privKey = NULL;
|
|
||||||
+ CERTCertificate *cert;
|
|
||||||
struct ssl_connect_data *connssl = (struct ssl_connect_data *) arg;
|
|
||||||
char *nickname = connssl->client_nickname;
|
|
||||||
void *proto_win = NULL;
|
|
||||||
@@ -799,36 +800,32 @@ static SECStatus SelectClientCert(void *
|
|
||||||
if(!nickname)
|
|
||||||
return secStatus;
|
|
||||||
|
|
||||||
- connssl->client_cert = PK11_FindCertFromNickname(nickname, proto_win);
|
|
||||||
- if(connssl->client_cert) {
|
|
||||||
-
|
|
||||||
+ cert = PK11_FindCertFromNickname(nickname, proto_win);
|
|
||||||
+ if(cert) {
|
|
||||||
if(!strncmp(nickname, "PEM Token", 9)) {
|
|
||||||
CK_SLOT_ID slotID = 1; /* hardcoded for now */
|
|
||||||
char slotname[SLOTSIZE];
|
|
||||||
snprintf(slotname, SLOTSIZE, "PEM Token #%ld", slotID);
|
|
||||||
slot = PK11_FindSlotByName(slotname);
|
|
||||||
- privKey = PK11_FindPrivateKeyFromCert(slot, connssl->client_cert, NULL);
|
|
||||||
+ privKey = PK11_FindPrivateKeyFromCert(slot, cert, NULL);
|
|
||||||
PK11_FreeSlot(slot);
|
|
||||||
if(privKey) {
|
|
||||||
secStatus = SECSuccess;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
else {
|
|
||||||
- privKey = PK11_FindKeyByAnyCert(connssl->client_cert, proto_win);
|
|
||||||
+ privKey = PK11_FindKeyByAnyCert(cert, proto_win);
|
|
||||||
if(privKey)
|
|
||||||
secStatus = SECSuccess;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
- if(secStatus == SECSuccess) {
|
|
||||||
- *pRetCert = connssl->client_cert;
|
|
||||||
- *pRetKey = privKey;
|
|
||||||
- }
|
|
||||||
- else {
|
|
||||||
- if(connssl->client_cert)
|
|
||||||
- CERT_DestroyCertificate(connssl->client_cert);
|
|
||||||
- connssl->client_cert = NULL;
|
|
||||||
- }
|
|
||||||
+ *pRetCert = cert;
|
|
||||||
+ *pRetKey = privKey;
|
|
||||||
+
|
|
||||||
+ /* There's no need to destroy either cert or privKey as
|
|
||||||
+ * NSS will do that for us even if returning SECFailure
|
|
||||||
+ */
|
|
||||||
|
|
||||||
return secStatus;
|
|
||||||
}
|
|
||||||
@@ -912,14 +909,14 @@ void Curl_nss_close(struct connectdata *
|
|
||||||
free(connssl->client_nickname);
|
|
||||||
connssl->client_nickname = NULL;
|
|
||||||
}
|
|
||||||
- if(connssl->client_cert)
|
|
||||||
- CERT_DestroyCertificate(connssl->client_cert);
|
|
||||||
+#ifdef HAVE_PK11_CREATEGENERICOBJECT
|
|
||||||
if(connssl->key)
|
|
||||||
(void)PK11_DestroyGenericObject(connssl->key);
|
|
||||||
if(connssl->cacert[1])
|
|
||||||
(void)PK11_DestroyGenericObject(connssl->cacert[1]);
|
|
||||||
if(connssl->cacert[0])
|
|
||||||
(void)PK11_DestroyGenericObject(connssl->cacert[0]);
|
|
||||||
+#endif
|
|
||||||
connssl->handle = NULL;
|
|
||||||
}
|
|
||||||
}
|
|
||||||
@@ -955,10 +952,11 @@ CURLcode Curl_nss_connect(struct connect
|
|
||||||
if (connssl->state == ssl_connection_complete)
|
|
||||||
return CURLE_OK;
|
|
||||||
|
|
||||||
- connssl->client_cert = NULL;
|
|
||||||
+#ifdef HAVE_PK11_CREATEGENERICOBJECT
|
|
||||||
connssl->cacert[0] = NULL;
|
|
||||||
connssl->cacert[1] = NULL;
|
|
||||||
connssl->key = NULL;
|
|
||||||
+#endif
|
|
||||||
|
|
||||||
/* FIXME. NSS doesn't support multiple databases open at the same time. */
|
|
||||||
PR_Lock(nss_initlock);
|
|
||||||
diff -ruNp curl-7.19.5.orig/lib/urldata.h curl-7.19.5/lib/urldata.h
|
|
||||||
--- curl-7.19.5.orig/lib/urldata.h 2009-05-11 09:53:38.000000000 +0200
|
|
||||||
+++ curl-7.19.5/lib/urldata.h 2009-07-10 13:30:55.000000000 +0200
|
|
||||||
@@ -211,7 +211,6 @@ struct ssl_connect_data {
|
|
||||||
#ifdef USE_NSS
|
|
||||||
PRFileDesc *handle;
|
|
||||||
char *client_nickname;
|
|
||||||
- CERTCertificate *client_cert;
|
|
||||||
#ifdef HAVE_PK11_CREATEGENERICOBJECT
|
|
||||||
PK11GenericObject *key;
|
|
||||||
PK11GenericObject *cacert[2];
|
|
@ -1,68 +0,0 @@
|
|||||||
diff -ruNp curl-7.19.5.orig/lib/nss.c curl-7.19.5/lib/nss.c
|
|
||||||
--- curl-7.19.5.orig/lib/nss.c 2009-07-22 10:28:01.254355601 +0200
|
|
||||||
+++ curl-7.19.5/lib/nss.c 2009-07-22 10:29:02.437231090 +0200
|
|
||||||
@@ -857,9 +857,15 @@ void Curl_nss_cleanup(void)
|
|
||||||
*/
|
|
||||||
PR_Lock(nss_initlock);
|
|
||||||
if (initialized) {
|
|
||||||
- if(mod)
|
|
||||||
+ /* Free references to client certificates held in the SSL session cache.
|
|
||||||
+ * Omitting this hampers destruction of the security module owning
|
|
||||||
+ * the certificates. */
|
|
||||||
+ SSL_ClearSessionCache();
|
|
||||||
+
|
|
||||||
+ if(mod && SECSuccess == SECMOD_UnloadUserModule(mod)) {
|
|
||||||
SECMOD_DestroyModule(mod);
|
|
||||||
- mod = NULL;
|
|
||||||
+ mod = NULL;
|
|
||||||
+ }
|
|
||||||
NSS_Shutdown();
|
|
||||||
}
|
|
||||||
PR_Unlock(nss_initlock);
|
|
||||||
@@ -940,9 +946,6 @@ CURLcode Curl_nss_connect(struct connect
|
|
||||||
curl_socket_t sockfd = conn->sock[sockindex];
|
|
||||||
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
|
|
||||||
SECStatus rv;
|
|
||||||
-#ifdef HAVE_PK11_CREATEGENERICOBJECT
|
|
||||||
- char *configstring = NULL;
|
|
||||||
-#endif
|
|
||||||
char *certDir = NULL;
|
|
||||||
int curlerr;
|
|
||||||
const int *cipher_to_enable;
|
|
||||||
@@ -995,21 +998,23 @@ CURLcode Curl_nss_connect(struct connect
|
|
||||||
NSS_SetDomesticPolicy();
|
|
||||||
|
|
||||||
#ifdef HAVE_PK11_CREATEGENERICOBJECT
|
|
||||||
- configstring = aprintf("library=%s name=PEM", pem_library);
|
|
||||||
- if(!configstring) {
|
|
||||||
- PR_Unlock(nss_initlock);
|
|
||||||
- goto error;
|
|
||||||
- }
|
|
||||||
- mod = SECMOD_LoadUserModule(configstring, NULL, PR_FALSE);
|
|
||||||
- free(configstring);
|
|
||||||
+ if(!mod) {
|
|
||||||
+ char *configstring = aprintf("library=%s name=PEM", pem_library);
|
|
||||||
+ if(!configstring) {
|
|
||||||
+ PR_Unlock(nss_initlock);
|
|
||||||
+ goto error;
|
|
||||||
+ }
|
|
||||||
+ mod = SECMOD_LoadUserModule(configstring, NULL, PR_FALSE);
|
|
||||||
+ free(configstring);
|
|
||||||
|
|
||||||
- if(!mod || !mod->loaded) {
|
|
||||||
- if(mod) {
|
|
||||||
- SECMOD_DestroyModule(mod);
|
|
||||||
- mod = NULL;
|
|
||||||
+ if(!mod || !mod->loaded) {
|
|
||||||
+ if(mod) {
|
|
||||||
+ SECMOD_DestroyModule(mod);
|
|
||||||
+ mod = NULL;
|
|
||||||
+ }
|
|
||||||
+ infof(data, "WARNING: failed to load NSS PEM library %s. Using OpenSSL "
|
|
||||||
+ "PEM certificates will not work.\n", pem_library);
|
|
||||||
}
|
|
||||||
- infof(data, "WARNING: failed to load NSS PEM library %s. Using OpenSSL "
|
|
||||||
- "PEM certificates will not work.\n", pem_library);
|
|
||||||
}
|
|
||||||
#endif
|
|
||||||
}
|
|
54
curl-7.19.6-verifyhost.patch
Normal file
54
curl-7.19.6-verifyhost.patch
Normal file
@ -0,0 +1,54 @@
|
|||||||
|
diff -rup curl-7.19.6.orig/lib/nss.c curl-7.19.6/lib/nss.c
|
||||||
|
--- curl-7.19.6.orig/lib/nss.c 2009-08-14 11:14:45.423733097 +0200
|
||||||
|
+++ curl-7.19.6/lib/nss.c 2009-08-14 11:15:04.142733360 +0200
|
||||||
|
@@ -615,16 +615,26 @@ static SECStatus BadCertHandler(void *ar
|
||||||
|
issuer);
|
||||||
|
break;
|
||||||
|
case SSL_ERROR_BAD_CERT_DOMAIN:
|
||||||
|
- if(conn->data->set.ssl.verifypeer)
|
||||||
|
+ if(conn->data->set.ssl.verifyhost) {
|
||||||
|
+ failf(conn->data, "common name '%s' does not match '%s'",
|
||||||
|
+ subject, conn->host.dispname);
|
||||||
|
success = SECFailure;
|
||||||
|
- infof(conn->data, "common name: %s (does not match '%s')\n",
|
||||||
|
- subject, conn->host.dispname);
|
||||||
|
+ } else {
|
||||||
|
+ infof(conn->data, "warning: common name '%s' does not match '%s'\n",
|
||||||
|
+ subject, conn->host.dispname);
|
||||||
|
+ }
|
||||||
|
break;
|
||||||
|
case SEC_ERROR_EXPIRED_CERTIFICATE:
|
||||||
|
if(conn->data->set.ssl.verifypeer)
|
||||||
|
success = SECFailure;
|
||||||
|
infof(conn->data, "Remote Certificate has expired.\n");
|
||||||
|
break;
|
||||||
|
+ case SEC_ERROR_UNKNOWN_ISSUER:
|
||||||
|
+ if(conn->data->set.ssl.verifypeer)
|
||||||
|
+ success = SECFailure;
|
||||||
|
+ infof(conn->data, "Peer's certificate issuer is not recognized: '%s'\n",
|
||||||
|
+ issuer);
|
||||||
|
+ break;
|
||||||
|
default:
|
||||||
|
if(conn->data->set.ssl.verifypeer)
|
||||||
|
success = SECFailure;
|
||||||
|
@@ -1067,6 +1077,9 @@ CURLcode Curl_nss_connect(struct connect
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
+ if(data->set.ssl.verifyhost == 1)
|
||||||
|
+ infof(data, "warning: ignoring unsupported value (1) of ssl.verifyhost\n");
|
||||||
|
+
|
||||||
|
data->set.ssl.certverifyresult=0; /* not checked yet */
|
||||||
|
if(SSL_BadCertHook(model, (SSLBadCertHandler) BadCertHandler, conn)
|
||||||
|
!= SECSuccess) {
|
||||||
|
@@ -1200,7 +1213,9 @@ CURLcode Curl_nss_connect(struct connect
|
||||||
|
if(SSL_ForceHandshakeWithTimeout(connssl->handle,
|
||||||
|
PR_SecondsToInterval(HANDSHAKE_TIMEOUT))
|
||||||
|
!= SECSuccess) {
|
||||||
|
- if(conn->data->set.ssl.certverifyresult!=0)
|
||||||
|
+ if(conn->data->set.ssl.certverifyresult == SSL_ERROR_BAD_CERT_DOMAIN)
|
||||||
|
+ curlerr = CURLE_PEER_FAILED_VERIFICATION;
|
||||||
|
+ else if(conn->data->set.ssl.certverifyresult!=0)
|
||||||
|
curlerr = CURLE_SSL_CACERT;
|
||||||
|
goto error;
|
||||||
|
}
|
33
curl.spec
33
curl.spec
@ -1,18 +1,15 @@
|
|||||||
Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
|
Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
|
||||||
Name: curl
|
Name: curl
|
||||||
Version: 7.19.5
|
Version: 7.19.6
|
||||||
Release: 10%{?dist}
|
Release: 1%{?dist}
|
||||||
License: MIT
|
License: MIT
|
||||||
Group: Applications/Internet
|
Group: Applications/Internet
|
||||||
Source: http://curl.haxx.se/download/%{name}-%{version}.tar.lzma
|
Source: http://curl.haxx.se/download/%{name}-%{version}.tar.lzma
|
||||||
Source2: curlbuild.h
|
Source2: curlbuild.h
|
||||||
Patch1: curl-7.15.3-multilib.patch
|
Patch1: curl-7.19.6-verifyhost.patch
|
||||||
Patch2: curl-7.16.0-privlibs.patch
|
Patch101: curl-7.15.3-multilib.patch
|
||||||
Patch3: curl-7.17.1-badsocket.patch
|
Patch102: curl-7.16.0-privlibs.patch
|
||||||
Patch4: curl-7.19.4-debug.patch
|
Patch103: curl-7.19.4-debug.patch
|
||||||
Patch5: curl-7.19.5-cc_refcnt-1.patch
|
|
||||||
Patch6: curl-7.19.5-cc_refcnt-2.patch
|
|
||||||
Patch7: curl-7.19.5-cc.patch
|
|
||||||
Provides: webclient
|
Provides: webclient
|
||||||
URL: http://curl.haxx.se/
|
URL: http://curl.haxx.se/
|
||||||
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
|
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
|
||||||
@ -53,13 +50,14 @@ use cURL's capabilities internally.
|
|||||||
|
|
||||||
%prep
|
%prep
|
||||||
%setup -q
|
%setup -q
|
||||||
|
|
||||||
|
# upstream patches
|
||||||
%patch1 -p1
|
%patch1 -p1
|
||||||
%patch2 -p1
|
|
||||||
%patch3 -p1
|
# Fedora patches
|
||||||
%patch4 -p1
|
%patch101 -p1
|
||||||
%patch5 -p1
|
%patch102 -p1
|
||||||
%patch6 -p1
|
%patch103 -p1
|
||||||
%patch7 -p1
|
|
||||||
|
|
||||||
# Convert docs to UTF-8
|
# Convert docs to UTF-8
|
||||||
for f in CHANGES README; do
|
for f in CHANGES README; do
|
||||||
@ -142,6 +140,11 @@ rm -rf $RPM_BUILD_ROOT
|
|||||||
%{_datadir}/aclocal/libcurl.m4
|
%{_datadir}/aclocal/libcurl.m4
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Fri Aug 14 2009 Kamil Dudka <kdudka@redhat.com> 7.19.6-1
|
||||||
|
- new upstream release, dropped applied patches
|
||||||
|
- changed NSS code to not ignore the value of ssl.verifyhost and produce more
|
||||||
|
verbose error messages (#516056)
|
||||||
|
|
||||||
* Wed Aug 12 2009 Ville Skyttä <ville.skytta@iki.fi> - 7.19.5-10
|
* Wed Aug 12 2009 Ville Skyttä <ville.skytta@iki.fi> - 7.19.5-10
|
||||||
- Use lzma compressed upstream tarball.
|
- Use lzma compressed upstream tarball.
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user