diff --git a/curl-7.20.0-cc-err.patch b/curl-7.20.0-cc-err.patch
new file mode 100644
index 0000000..f79d598
--- /dev/null
+++ b/curl-7.20.0-cc-err.patch
@@ -0,0 +1,134 @@
+From df39ccc590abcfa275907ce8ed259fb11da33623 Mon Sep 17 00:00:00 2001
+From: Kamil Dudka
+Date: Thu, 18 Mar 2010 22:07:21 +0100
+Subject: [PATCH 2/2] throw CURLE_SSL_CERTPROBLEM in case peer rejects a cert
+
+... supported only by NSS for now. It may be extended for OpenSSL at
+some point if anybody helps with deciphering of its error codes.
+
+Signed-off-by: Kamil Dudka
+---
+ lib/nss.c | 30 ++++++++++++++++++++++++++++--
+ lib/sendf.c | 18 ++++++++++++------
+ lib/urldata.h | 3 +++
+ 3 files changed, 43 insertions(+), 8 deletions(-)
+
+diff --git a/lib/nss.c b/lib/nss.c
+index 9dd84a2..a5523dc 100644
+--- a/lib/nss.c
++++ b/lib/nss.c
+@@ -1341,6 +1341,29 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex)
+ return curlerr;
+ }
+ 
++/* handle certificate related errors during send/recv, return false otherwise */
++static bool handle_cert_error(PRInt32 err, struct connectdata *conn, int num)
++{
++ switch(err) {
++ case SSL_ERROR_BAD_CERT_ALERT:
++ failf(conn->data, "SSL error: SSL_ERROR_BAD_CERT_ALERT");
++ break;
++ case SSL_ERROR_REVOKED_CERT_ALERT:
++ failf(conn->data, "SSL error: SSL_ERROR_REVOKED_CERT_ALERT");
++ break;
++ case SSL_ERROR_EXPIRED_CERT_ALERT:
++ failf(conn->data, "SSL error: SSL_ERROR_EXPIRED_CERT_ALERT");
++ break;
++ default:
++ /* handle it as a ususal error during send/recv */
++ conn->ssl[num].err = CURLE_OK;
++ return false;
++ }
++
++ conn->ssl[num].err = CURLE_SSL_CERTPROBLEM;
++ return true;
++}
++
+ /* return number of sent (non-SSL) bytes */
+ int Curl_nss_send(struct connectdata *conn, /* connection data */
+ int sockindex, /* socketindex */
+@@ -1352,7 +1375,9 @@ int Curl_nss_send(struct connectdata *conn, /* connection data */
+ rc = PR_Send(conn->ssl[sockindex].handle, mem, (int)len, 0, -1);
+ 
+ if(rc < 0) {
+- failf(conn->data, "SSL write: error %d", PR_GetError());
++ PRInt32 err = PR_GetError();
++ if(!handle_cert_error(err, conn, sockindex))
++ failf(conn->data, "SSL write: error %d", err);
+ return -1;
+ }
+ return rc; /* number of bytes */
+@@ -1381,7 +1406,8 @@ ssize_t Curl_nss_recv(struct connectdata * conn, /* connection data */
+ *wouldblock = TRUE;
+ return -1; /* basically EWOULDBLOCK */
+ }
+- failf(conn->data, "SSL read: errno %d", err);
++ if(!handle_cert_error(err, conn, num))
++ failf(conn->data, "SSL read: errno %d", err);
+ return -1;
+ }
+ return nread;
+diff --git a/lib/sendf.c b/lib/sendf.c
+index a366fd1..223fac2 100644
+--- a/lib/sendf.c
++++ b/lib/sendf.c
+@@ -277,10 +277,10 @@ CURLcode Curl_write(struct connectdata *conn,
+ ssize_t *written)
+ {
+ ssize_t bytes_written;
+- CURLcode retcode;
+ int num = (sockfd == conn->sock[SECONDARYSOCKET]);
++ const bool do_ssl = (conn->ssl[num].state == ssl_connection_complete);
+ 
+- if(conn->ssl[num].state == ssl_connection_complete)
++ if(do_ssl)
+ bytes_written = Curl_ssl_send(conn, num, mem, len);
+ else if(Curl_ssh_enabled(conn, PROT_SCP))
+ bytes_written = Curl_scp_send(conn, num, mem, len);
+@@ -292,9 +292,13 @@ CURLcode Curl_write(struct connectdata *conn,
+ bytes_written = send_plain(conn, num, mem, len);
+ 
+ *written = bytes_written;
+- retcode = (-1 != bytes_written)?CURLE_OK:CURLE_SEND_ERROR;
++ if(-1 == bytes_written)
++ /* send error */
++ return (do_ssl && conn->ssl[num].err)
++ ? (conn->ssl[num].err)
++ : CURLE_SEND_ERROR;
+ 
+- return retcode;
++ return CURLE_OK;
+ }
+ 
+ /*
+@@ -540,9 +544,11 @@ int Curl_read(struct connectdata *conn, /* connection data */
+ 
+ if(nread == -1)
+ return -1; /* -1 from Curl_ssl_recv() means EWOULDBLOCK */
+- else if(nread == -2)
++ else if(nread == -2) {
+ /* -2 from Curl_ssl_recv() means a true error, not EWOULDBLOCK */
+- return CURLE_RECV_ERROR;
++ CURLcode ssl_err = conn->ssl[num].err;
++ return ssl_err?ssl_err:CURLE_RECV_ERROR;
++ }
+ }
+ else if(Curl_ssh_enabled(conn, (PROT_SCP|PROT_SFTP))) {
+ if(conn->protocol & PROT_SCP)
+diff --git a/lib/urldata.h b/lib/urldata.h
+index d03146a..c24a450 100644
+--- a/lib/urldata.h
++++ b/lib/urldata.h
+@@ -222,6 +222,9 @@ struct ssl_connect_data {
+ current state of the connection. */
+ bool use;
+ ssl_connection_state state;
++ /* If an error occurs in curlssl_recv() or Curl_ssl_send() and ERR is
++ non-zero, it contains the error code. */
++ CURLcode err;
+ #ifdef USE_SSLEAY
+ /* these ones requires specific SSL-types */
+ SSL_CTX* ctx;
+-- 
+1.7.0.2
+
diff --git a/curl-7.20.0-read.patch b/curl-7.20.0-read.patch
new file mode 100644
index 0000000..d16a127
--- /dev/null
+++ b/curl-7.20.0-read.patch
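Review bot: `handle_cert_error` in the nss.c hunk maps only `SSL_ERROR_BAD_CERT_ALERT`, `SSL_ERROR_REVOKED_CERT_ALERT` and `SSL_ERROR_EXPIRED_CERT_ALERT`; any other alert the peer raises about our certificate (NSS also appears to define unknown-CA, certificate-unknown, unsupported-certificate and access-denied alerts — confirm against the sslerr.h of the NSS in use) still falls to the generic `SSL write: error %d` path and surfaces as CURLE_SEND_ERROR/CURLE_RECV_ERROR, so a caller keying on CURLE_SSL_CERTPROBLEM gets inconsistent results for the same class of failure. The three `failf` strings also drop the numeric NSS code that the old message carried, which is the only thing a user can look up when the symbolic name is absent from their headers. A small code/name table keeps the number, centralises the list so further alerts are one line each, and fixes the `ususal` typo in the default branch; separately, `conn->ssl[num].err` is written only by the NSS backend, so `Curl_write`/`Curl_read` rely on the new field being zero from connection allocation in OpenSSL/GnuTLS builds — presumably a calloc, worth confirming. `Curl_nss_send`, `Curl_nss_recv`, `Curl_write` and `Curl_read` all start or end outside their hunks.
```c
/* map TLS certificate alerts sent by the peer to CURLE_SSL_CERTPROBLEM;
   any other code clears conn->ssl[num].err and returns false */
static bool handle_cert_error(PRInt32 err, struct connectdata *conn, int num)
{
  static const struct { PRInt32 code; const char *name; } cert_alerts[] = {
    { SSL_ERROR_BAD_CERT_ALERT,     "SSL_ERROR_BAD_CERT_ALERT" },
    { SSL_ERROR_REVOKED_CERT_ALERT, "SSL_ERROR_REVOKED_CERT_ALERT" },
    { SSL_ERROR_EXPIRED_CERT_ALERT, "SSL_ERROR_EXPIRED_CERT_ALERT" },
  };
  size_t i;

  for(i = 0; i < sizeof(cert_alerts)/sizeof(cert_alerts[0]); i++) {
    if(cert_alerts[i].code == err) {
      /* keep the numeric code: it is what users can look up in sslerr.h */
      failf(conn->data, "SSL error: %s (%d)", cert_alerts[i].name, (int)err);
      conn->ssl[num].err = CURLE_SSL_CERTPROBLEM;
      return true;
    }
  }

  /* handle it as a usual error during send/recv */
  conn->ssl[num].err = CURLE_OK;
  return false;
}
```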
@@ -0,0 +1,70 @@
+From 5ec0b463ea3e788e20d381ae97302f5965b1d4c5 Mon Sep 17 00:00:00 2001
+From: Kamil Dudka
+Date: Thu, 18 Mar 2010 22:06:14 +0100
+Subject: [PATCH 1/2] Curl_read: do not silently ingore an error
+
+thrown from Curl_ssl_recv()
+
+Signed-off-by: Kamil Dudka
+---
+ lib/sendf.c | 6 ++++--
+ lib/sslgen.c | 10 +++++-----
+ 2 files changed, 9 insertions(+), 7 deletions(-)
+
+diff --git a/lib/sendf.c b/lib/sendf.c
+index 359f43d..a366fd1 100644
+--- a/lib/sendf.c
++++ b/lib/sendf.c
+@@ -538,9 +538,11 @@ int Curl_read(struct connectdata *conn, /* connection data */
+ if(conn->ssl[num].state == ssl_connection_complete) {
+ nread = Curl_ssl_recv(conn, num, buffertofill, bytesfromsocket);
+ 
+- if(nread == -1) {
++ if(nread == -1)
+ return -1; /* -1 from Curl_ssl_recv() means EWOULDBLOCK */
+- }
++ else if(nread == -2)
++ /* -2 from Curl_ssl_recv() means a true error, not EWOULDBLOCK */
++ return CURLE_RECV_ERROR;
+ }
+ else if(Curl_ssh_enabled(conn, (PROT_SCP|PROT_SFTP))) {
+ if(conn->protocol & PROT_SCP)
+diff --git a/lib/sslgen.c b/lib/sslgen.c
+index 9167bf7..78ff8a3 100644
+--- a/lib/sslgen.c
++++ b/lib/sslgen.c
+@@ -399,7 +399,7 @@ struct curl_slist *Curl_ssl_engines_list(struct SessionHandle *data)
+ return curlssl_engines_list(data);
+ }
+ 
+-/* return number of sent (non-SSL) bytes */
++/* return number of sent (non-SSL) bytes; -1 on error */
+ ssize_t Curl_ssl_send(struct connectdata *conn,
+ int sockindex,
+ const void *mem,
+@@ -411,8 +411,8 @@ ssize_t Curl_ssl_send(struct connectdata *conn,
+ /* return number of received (decrypted) bytes */
+ 
+ /*
+- * If the read would block (EWOULDBLOCK) we return -1. Otherwise we return
+- * a regular CURLcode value.
++ * If the read would block (EWOULDBLOCK) we return -1. If an error occurs during
++ * the read, we return -2. Otherwise we return the count of bytes transfered.
+ */
+ ssize_t Curl_ssl_recv(struct connectdata *conn, /* connection data */
+ int sockindex, /* socketindex */
+@@ -425,9 +425,9 @@ ssize_t Curl_ssl_recv(struct connectdata *conn, /* connection data */
+ nread = curlssl_recv(conn, sockindex, mem, len, &block);
+ if(nread == -1) {
+ if(!block)
+- return 0; /* this is a true error, not EWOULDBLOCK */
++ return -2; /* this is a true error, not EWOULDBLOCK */
+ else
+- return -1;
++ return -1; /* EWOULDBLOCK */
+ }
+ 
+ return nread;
+-- 
+1.7.0.2
+
diff --git a/curl.spec b/curl.spec
index b8f8651..af1079e 100644
--- a/curl.spec
+++ b/curl.spec
@@ -1,12 +1,18 @@
 Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
 Name: curl
 Version: 7.20.0
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: MIT
 Group: Applications/Internet
 Source: http://curl.haxx.se/download/%{name}-%{version}.tar.lzma
 Source2: curlbuild.h
+# http://permalink.gmane.org/gmane.comp.web.curl.library/27110
+Patch0: curl-7.20.0-read.patch
+
+# http://permalink.gmane.org/gmane.comp.web.curl.library/27111
+Patch1: curl-7.20.0-cc-err.patch
+
 # patch making libcurl multilib ready (by excluding static libraries)
 Patch101: curl-7.15.3-multilib.patch
@@ -48,11 +54,11 @@ BuildRequires: openssh-server
 BuildRequires: pkgconfig
 BuildRequires: stunnel
-# valgrind is not available on some architectures, however it's going to be
-# used only by the test-suite anyway
-%ifnarch s390 s390x
-BuildRequires: valgrind
-%endif
+# valgrind temporarily disabled (#574889)
+# # valgrind is not available on s390(x)
+# %ifnarch s390 s390x
+# BuildRequires: valgrind
+# %endif
 BuildRequires: zlib-devel
 Requires: libcurl = %{version}-%{release}
@@ -92,6 +98,10 @@ use cURL's capabilities internally.
 %prep
 %setup -q
+# upstream patches (not yet applied)
+%patch0 -p1
+%patch1 -p1
+
 # Fedora patches
 %patch101 -p1
 %patch102 -p1
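Review bot: The `-2` sentinel that the sendf.c hunk makes `Curl_read` depend on is documented only by the rewritten comment in sslgen.c; it matters because `Curl_ssl_recv` used to return 0 here, indistinguishable from an orderly EOF, so a TLS read failure (a bad record, a truncated stream) ended the transfer as if it had completed, and the prototype in sslgen.h, outside this hunk, should carry the same `-1 = EWOULDBLOCK, -2 = error, otherwise byte count` contract so backends and callers do not drift. The new comment also misspells its last word; suggest `Otherwise we return the count of bytes transferred.`. In `Curl_read` the new `else if(nread == -2)` body is a lone `return` separated from its condition by a comment line, which reads like two statements; bracing it costs nothing. `Curl_read` and `Curl_ssl_recv` both begin and end outside their hunks.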
@@ -114,25 +124,40 @@ sed -i s/899\\\([0-9]\\\)/%{?__isa_bits}9\\1/ tests/data/test*
 # Convert docs to UTF-8
 for f in CHANGES README; do
- iconv -f iso-8859-1 -t utf8 < ${f} > ${f}.utf8
- mv -f ${f}.utf8 ${f}
+ iconv -f iso-8859-1 -t utf8 < ${f} > ${f}.utf8
+ mv -f ${f}.utf8 ${f}
 done
 %build
-%configure --without-ssl --with-nss --enable-ipv6 \
- --with-ca-bundle=%{_sysconfdir}/pki/tls/certs/ca-bundle.crt \
- --with-gssapi=%{_prefix}/kerberos --with-libidn \
- --enable-ldaps --disable-static --with-libssh2 --enable-manual --enable-ares
+%configure --disable-static \
+ --enable-ares \
+ --enable-ipv6 \
+ --enable-ldaps \
+ --enable-manual \
+ --with-ca-bundle=%{_sysconfdir}/pki/tls/certs/ca-bundle.crt \
+ --with-gssapi \
+ --with-libidn \
+ --with-libssh2 \
+ --without-ssl --with-nss
+
+# uncomment to turn off optimizations
+# find -name Makefile | xargs sed -i 's/-O2/-O0/'
 # Remove bogus rpath
 sed -i \
- -e 's|^hardcode_libdir_flag_spec=.*|hardcode_libdir_flag_spec=""|g' \
- -e 's|^runpath_var=LD_RUN_PATH|runpath_var=DIE_RPATH_DIE|g' libtool
+ -e 's|^hardcode_libdir_flag_spec=.*|hardcode_libdir_flag_spec=""|g' \
+ -e 's|^runpath_var=LD_RUN_PATH|runpath_var=DIE_RPATH_DIE|g' libtool
 make %{?_smp_mflags}
 %check
 export LD_LIBRARY_PATH=$RPM_BUILD_ROOT%{_libdir}
+
+# uncomment to use the non-stripped library in tests
+# LD_PRELOAD=`find -name \*.so`
+# LD_PRELOAD=`readlink -f $LD_PRELOAD`
+# export LD_PRELOAD
+
 cd tests
 make %{?_smp_mflags}
@@ -194,6 +219,11 @@ rm -rf $RPM_BUILD_ROOT
 %{_datadir}/aclocal/libcurl.m4
 %changelog
+* Fri Mar 19 2010 Kamil Dudka 7.20.0-3
+- throw CURLE_SSL_CERTPROBLEM in case peer rejects a certificate (#565972)
+- valgrind temporarily disabled (#574889)
+- kerberos installation prefix has changed
+
 * Wed Feb 24 2010 Kamil Dudka 7.20.0-2
 - exclude test1112 from the test suite (#565305)
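Review bot: The commented-out `find -name Makefile | xargs sed -i 's/-O2/-O0/'` added under %build is a hardening trap for whoever follows its own invitation: the `-O2` it rewrites is the one from the `%optflags` that `%configure` exports (presumably carrying `-D_FORTIFY_SOURCE=2` on this distribution), and glibc only compiles `_FORTIFY_SOURCE` checks in at `-O1` or above, so the resulting library is less protected than the packaged one with no visible change in the spec. If the snippet stays, its comment should say so, e.g. `# uncomment to turn off optimizations (local debugging only: -O0 also disables _FORTIFY_SOURCE checks, never ship such a build)`. The `LD_PRELOAD` block under %check deserves a similar one-liner noting that it forces the unstripped in-tree `.so` over the one found via `LD_LIBRARY_PATH` for the test run only. The %check section continues beyond the hunk.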