rpms/curl
8
0
Fork 1
Code Issues Pull Requests Releases Activity

- throw CURLE_SSL_CERTPROBLEM in case peer rejects a certificate (#565972)

Browse Source 
- valgrind temporarily disabled (#574889)
- kerberos installation prefix has changed
This commit is contained in:
Kamil Dudka 2010-03-19 15:08:16 +00:00
parent 97dbc67861
commit ee823564dc
3 changed files with 248 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

134
curl-7.20.0-cc-err.patch Normal file
View File

@ -0,0 +1,134 @@
From df39ccc590abcfa275907ce8ed259fb11da33623 Mon Sep 17 00:00:00 2001
From: Kamil Dudka <kdudka@redhat.com>
Date: Thu, 18 Mar 2010 22:07:21 +0100
Subject: [PATCH 2/2] throw CURLE_SSL_CERTPROBLEM in case peer rejects a cert
... supported only by NSS for now. It may be extended for OpenSSL at
some point if anybody helps with deciphering of its error codes.
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
lib/nss.c | 30 ++++++++++++++++++++++++++++--
lib/sendf.c | 18 ++++++++++++------
lib/urldata.h | 3 +++
3 files changed, 43 insertions(+), 8 deletions(-)
diff --git a/lib/nss.c b/lib/nss.c
index 9dd84a2..a5523dc 100644
--- a/lib/nss.c
+++ b/lib/nss.c
@@ -1341,6 +1341,29 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex)
return curlerr;
}
+/* handle certificate related errors during send/recv, return false otherwise */
+static bool handle_cert_error(PRInt32 err, struct connectdata *conn, int num)
+{
+ switch(err) {
+ case SSL_ERROR_BAD_CERT_ALERT:
+ failf(conn->data, "SSL error: SSL_ERROR_BAD_CERT_ALERT");
+ break;
+ case SSL_ERROR_REVOKED_CERT_ALERT:
+ failf(conn->data, "SSL error: SSL_ERROR_REVOKED_CERT_ALERT");
+ break;
+ case SSL_ERROR_EXPIRED_CERT_ALERT:
+ failf(conn->data, "SSL error: SSL_ERROR_EXPIRED_CERT_ALERT");
+ break;
+ default:
+ /* handle it as a ususal error during send/recv */
+ conn->ssl[num].err = CURLE_OK;
+ return false;
+ }
+
+ conn->ssl[num].err = CURLE_SSL_CERTPROBLEM;
+ return true;
+}
+
/* return number of sent (non-SSL) bytes */
int Curl_nss_send(struct connectdata *conn, /* connection data */
int sockindex, /* socketindex */
@@ -1352,7 +1375,9 @@ int Curl_nss_send(struct connectdata *conn, /* connection data */
rc = PR_Send(conn->ssl[sockindex].handle, mem, (int)len, 0, -1);
if(rc < 0) {
- failf(conn->data, "SSL write: error %d", PR_GetError());
+ PRInt32 err = PR_GetError();
+ if(!handle_cert_error(err, conn, sockindex))
+ failf(conn->data, "SSL write: error %d", err);
return -1;
}
return rc; /* number of bytes */
@@ -1381,7 +1406,8 @@ ssize_t Curl_nss_recv(struct connectdata * conn, /* connection data */
*wouldblock = TRUE;
return -1; /* basically EWOULDBLOCK */
}
- failf(conn->data, "SSL read: errno %d", err);
+ if(!handle_cert_error(err, conn, num))
+ failf(conn->data, "SSL read: errno %d", err);
return -1;
}
return nread;
diff --git a/lib/sendf.c b/lib/sendf.c
index a366fd1..223fac2 100644
--- a/lib/sendf.c
+++ b/lib/sendf.c
@@ -277,10 +277,10 @@ CURLcode Curl_write(struct connectdata *conn,
ssize_t *written)
{
ssize_t bytes_written;
- CURLcode retcode;
int num = (sockfd == conn->sock[SECONDARYSOCKET]);
+ const bool do_ssl = (conn->ssl[num].state == ssl_connection_complete);
- if(conn->ssl[num].state == ssl_connection_complete)
+ if(do_ssl)
bytes_written = Curl_ssl_send(conn, num, mem, len);
else if(Curl_ssh_enabled(conn, PROT_SCP))
bytes_written = Curl_scp_send(conn, num, mem, len);
@@ -292,9 +292,13 @@ CURLcode Curl_write(struct connectdata *conn,
bytes_written = send_plain(conn, num, mem, len);
*written = bytes_written;
- retcode = (-1 != bytes_written)?CURLE_OK:CURLE_SEND_ERROR;
+ if(-1 == bytes_written)
+ /* send error */
+ return (do_ssl && conn->ssl[num].err)
+ ? (conn->ssl[num].err)
+ : CURLE_SEND_ERROR;
- return retcode;
+ return CURLE_OK;
}
/*
@@ -540,9 +544,11 @@ int Curl_read(struct connectdata *conn, /* connection data */
if(nread == -1)
return -1; /* -1 from Curl_ssl_recv() means EWOULDBLOCK */
- else if(nread == -2)
+ else if(nread == -2) {
/* -2 from Curl_ssl_recv() means a true error, not EWOULDBLOCK */
- return CURLE_RECV_ERROR;
+ CURLcode ssl_err = conn->ssl[num].err;
+ return ssl_err?ssl_err:CURLE_RECV_ERROR;
+ }
}
else if(Curl_ssh_enabled(conn, (PROT_SCP|PROT_SFTP))) {
if(conn->protocol & PROT_SCP)
diff --git a/lib/urldata.h b/lib/urldata.h
index d03146a..c24a450 100644
--- a/lib/urldata.h
+++ b/lib/urldata.h
@@ -222,6 +222,9 @@ struct ssl_connect_data {
current state of the connection. */
bool use;
ssl_connection_state state;
+ /* If an error occurs in curlssl_recv() or Curl_ssl_send() and ERR is
+ non-zero, it contains the error code. */
+ CURLcode err;
#ifdef USE_SSLEAY
/* these ones requires specific SSL-types */
SSL_CTX* ctx;
--
1.7.0.2

70
curl-7.20.0-read.patch Normal file
View File

@ -0,0 +1,70 @@
From 5ec0b463ea3e788e20d381ae97302f5965b1d4c5 Mon Sep 17 00:00:00 2001
From: Kamil Dudka <kdudka@redhat.com>
Date: Thu, 18 Mar 2010 22:06:14 +0100
Subject: [PATCH 1/2] Curl_read: do not silently ingore an error
thrown from Curl_ssl_recv()
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
lib/sendf.c | 6 ++++--
lib/sslgen.c | 10 +++++-----
2 files changed, 9 insertions(+), 7 deletions(-)
diff --git a/lib/sendf.c b/lib/sendf.c
index 359f43d..a366fd1 100644
--- a/lib/sendf.c
+++ b/lib/sendf.c
@@ -538,9 +538,11 @@ int Curl_read(struct connectdata *conn, /* connection data */
if(conn->ssl[num].state == ssl_connection_complete) {
nread = Curl_ssl_recv(conn, num, buffertofill, bytesfromsocket);
- if(nread == -1) {
+ if(nread == -1)
return -1; /* -1 from Curl_ssl_recv() means EWOULDBLOCK */
- }
+ else if(nread == -2)
+ /* -2 from Curl_ssl_recv() means a true error, not EWOULDBLOCK */
+ return CURLE_RECV_ERROR;
}
else if(Curl_ssh_enabled(conn, (PROT_SCP|PROT_SFTP))) {
if(conn->protocol & PROT_SCP)
diff --git a/lib/sslgen.c b/lib/sslgen.c
index 9167bf7..78ff8a3 100644
--- a/lib/sslgen.c
+++ b/lib/sslgen.c
@@ -399,7 +399,7 @@ struct curl_slist *Curl_ssl_engines_list(struct SessionHandle *data)
return curlssl_engines_list(data);
}
-/* return number of sent (non-SSL) bytes */
+/* return number of sent (non-SSL) bytes; -1 on error */
ssize_t Curl_ssl_send(struct connectdata *conn,
int sockindex,
const void *mem,
@@ -411,8 +411,8 @@ ssize_t Curl_ssl_send(struct connectdata *conn,
/* return number of received (decrypted) bytes */
/*
- * If the read would block (EWOULDBLOCK) we return -1. Otherwise we return
- * a regular CURLcode value.
+ * If the read would block (EWOULDBLOCK) we return -1. If an error occurs during
+ * the read, we return -2. Otherwise we return the count of bytes transfered.
*/
ssize_t Curl_ssl_recv(struct connectdata *conn, /* connection data */
int sockindex, /* socketindex */
@@ -425,9 +425,9 @@ ssize_t Curl_ssl_recv(struct connectdata *conn, /* connection data */
nread = curlssl_recv(conn, sockindex, mem, len, &block);
if(nread == -1) {
if(!block)
- return 0; /* this is a true error, not EWOULDBLOCK */
+ return -2; /* this is a true error, not EWOULDBLOCK */
else
- return -1;
+ return -1; /* EWOULDBLOCK */
}
return nread;
--
1.7.0.2

58
curl.spec
View File

@ -1,12 +1,18 @@
Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
Name: curl
Version: 7.20.0
Release: 2%{?dist}
Release: 3%{?dist}
License: MIT
Group: Applications/Internet
Source: http://curl.haxx.se/download/%{name}-%{version}.tar.lzma
Source2: curlbuild.h
# http://permalink.gmane.org/gmane.comp.web.curl.library/27110
Patch0: curl-7.20.0-read.patch
# http://permalink.gmane.org/gmane.comp.web.curl.library/27111
Patch1: curl-7.20.0-cc-err.patch
# patch making libcurl multilib ready (by excluding static libraries)
Patch101: curl-7.15.3-multilib.patch
@ -48,11 +54,11 @@ BuildRequires: openssh-server
BuildRequires: pkgconfig
BuildRequires: stunnel
# valgrind is not available on some architectures, however it's going to be
# used only by the test-suite anyway
%ifnarch s390 s390x
BuildRequires: valgrind
%endif
# valgrind temporarily disabled (#574889)
# # valgrind is not available on s390(x)
# %ifnarch s390 s390x
# BuildRequires: valgrind
# %endif
BuildRequires: zlib-devel
Requires: libcurl = %{version}-%{release}
@ -92,6 +98,10 @@ use cURL's capabilities internally.
%prep
%setup -q
# upstream patches (not yet applied)
%patch0 -p1
%patch1 -p1
# Fedora patches
%patch101 -p1
%patch102 -p1
@ -114,25 +124,40 @@ sed -i s/899\\\([0-9]\\\)/%{?__isa_bits}9\\1/ tests/data/test*
# Convert docs to UTF-8
for f in CHANGES README; do
iconv -f iso-8859-1 -t utf8 < ${f} > ${f}.utf8
mv -f ${f}.utf8 ${f}
iconv -f iso-8859-1 -t utf8 < ${f} > ${f}.utf8
mv -f ${f}.utf8 ${f}
done
%build
%configure --without-ssl --with-nss --enable-ipv6 \
--with-ca-bundle=%{_sysconfdir}/pki/tls/certs/ca-bundle.crt \
--with-gssapi=%{_prefix}/kerberos --with-libidn \
--enable-ldaps --disable-static --with-libssh2 --enable-manual --enable-ares
%configure --disable-static \
--enable-ares \
--enable-ipv6 \
--enable-ldaps \
--enable-manual \
--with-ca-bundle=%{_sysconfdir}/pki/tls/certs/ca-bundle.crt \
--with-gssapi \
--with-libidn \
--with-libssh2 \
--without-ssl --with-nss
# uncomment to turn off optimizations
# find -name Makefile | xargs sed -i 's/-O2/-O0/'
# Remove bogus rpath
sed -i \
-e 's|^hardcode_libdir_flag_spec=.*|hardcode_libdir_flag_spec=""|g' \
-e 's|^runpath_var=LD_RUN_PATH|runpath_var=DIE_RPATH_DIE|g' libtool
-e 's|^hardcode_libdir_flag_spec=.*|hardcode_libdir_flag_spec=""|g' \
-e 's|^runpath_var=LD_RUN_PATH|runpath_var=DIE_RPATH_DIE|g' libtool
make %{?_smp_mflags}
%check
export LD_LIBRARY_PATH=$RPM_BUILD_ROOT%{_libdir}
# uncomment to use the non-stripped library in tests
# LD_PRELOAD=`find -name \*.so`
# LD_PRELOAD=`readlink -f $LD_PRELOAD`
# export LD_PRELOAD
cd tests
make %{?_smp_mflags}
@ -194,6 +219,11 @@ rm -rf $RPM_BUILD_ROOT
%{_datadir}/aclocal/libcurl.m4
%changelog
* Fri Mar 19 2010 Kamil Dudka <kdudka@redhat.com> 7.20.0-3
- throw CURLE_SSL_CERTPROBLEM in case peer rejects a certificate (#565972)
- valgrind temporarily disabled (#574889)
- kerberos installation prefix has changed
* Wed Feb 24 2010 Kamil Dudka <kdudka@redhat.com> 7.20.0-2
- exclude test1112 from the test suite (#565305)