do not ignore failure of SSL handshake

(upstream commit 7aa2d10)
2011-02-22 14:34:40 +01:00 · 2011-02-22 14:34:40 +01:00 · e0ab81d1c1
commit e0ab81d1c1
parent 65e324d678
2 changed files with 52 additions and 1 deletions
--- a/0002-curl-7.21.4-7aa2d10.patch
+++ b/0002-curl-7.21.4-7aa2d10.patch
@ -0,0 +1,44 @@
+From 1f009bb739514d08efef093adf5e1813db6333ec Mon Sep 17 00:00:00 2001
+From: Kamil Dudka <kdudka@redhat.com>
+Date: Tue, 22 Feb 2011 13:13:53 +0100
+Subject: [PATCH] nss: do not ignore failure of SSL handshake
+
+Flaw introduced in fc77790 and present in curl-7.21.4.
+Bug: https://bugzilla.redhat.com/669702#c16
+---
+ lib/nss.c |   12 ++++++++----
+ 1 files changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/lib/nss.c b/lib/nss.c
+index d26ad5b..be26253 100644
+--- a/lib/nss.c
+++ b/lib/nss.c
+@@ -1157,7 +1157,7 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex)
+   struct SessionHandle *data = conn->data;
+   curl_socket_t sockfd = conn->sock[sockindex];
+   struct ssl_connect_data *connssl = &conn->ssl[sockindex];
+-  int curlerr;
+  CURLcode curlerr;
+   const int *cipher_to_enable;
+   PRSocketOptionData sock_opt;
+   long time_left;
+@@ -1289,9 +1289,13 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex)
+                            NULL) != SECSuccess)
+     goto error;
+ 
+-  if(data->set.ssl.verifypeer && (CURLE_OK !=
+-        (curlerr = nss_load_ca_certificates(conn, sockindex))))
+-    goto error;
+  if(data->set.ssl.verifypeer) {
+    const CURLcode rv = nss_load_ca_certificates(conn, sockindex);
+    if(CURLE_OK != rv) {
+      curlerr = rv;
+      goto error;
+    }
+  }
+ 
+   if (data->set.ssl.CRLfile) {
+     if(SECSuccess != nss_load_crl(data->set.ssl.CRLfile)) {
+-- 
+1.7.4
+
--- a/curl.spec
+++ b/curl.spec
@ -1,7 +1,7 @@
 Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
 Name: curl
 Version: 7.21.4
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: MIT
 Group: Applications/Internet
 Source: http://curl.haxx.se/download/%{name}-%{version}.tar.lzma
@ -11,6 +11,9 @@ Source3: hide_selinux.c
 # avoid memory leak on SSL connection failure
 Patch1: 0001-curl-7.21.4-a40f58d.patch

+# do not ignore failure of SSL handshake
+Patch2: 0002-curl-7.21.4-7aa2d10.patch
+
 # patch making libcurl multilib ready
 Patch101: 0101-curl-7.21.1-multilib.patch

@ -111,6 +114,7 @@ done

 # upstream patches (already applied)
 %patch1 -p1
+%patch2 -p1

 # Fedora patches
 %patch101 -p1
@ -224,6 +228,9 @@ rm -rf $RPM_BUILD_ROOT
 %{_datadir}/aclocal/libcurl.m4

 %changelog
+* Tue Feb 22 2011 Kamil Dudka <kdudka@redhat.com> 7.21.4-2
+- do not ignore failure of SSL handshake (upstream commit 7aa2d10)
+
 * Fri Feb 18 2011 Kamil Dudka <kdudka@redhat.com> 7.21.4-1
 - new upstream release
 - avoid memory leak on SSL connection failure (upstream commit a40f58d)