- throw CURLE_SSL_CERTPROBLEM in case peer rejects a certificate (#565972)

- valgrind temporarily disabled (#574889)
- kerberos installation prefix has changed

curl-7.20.0-cc-err.patch

@@ -0,0 +1,134 @@
+From df39ccc590abcfa275907ce8ed259fb11da33623 Mon Sep 17 00:00:00 2001
+From: Kamil Dudka <kdudka@redhat.com>
+Date: Thu, 18 Mar 2010 22:07:21 +0100
+Subject: [PATCH 2/2] throw CURLE_SSL_CERTPROBLEM in case peer rejects a cert
+
+... supported only by NSS for now. It may be extended for OpenSSL at
+some point if anybody helps with deciphering of its error codes.
+
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/nss.c     |   30 ++++++++++++++++++++++++++++--
+ lib/sendf.c   |   18 ++++++++++++------
+ lib/urldata.h |    3 +++
+ 3 files changed, 43 insertions(+), 8 deletions(-)
+
+diff --git a/lib/nss.c b/lib/nss.c
+index 9dd84a2..a5523dc 100644
+--- a/lib/nss.c
++++ b/lib/nss.c
+@@ -1341,6 +1341,29 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex)
+   return curlerr;
+ }
+ 
++/* handle certificate related errors during send/recv, return false otherwise */
++static bool handle_cert_error(PRInt32 err, struct connectdata *conn, int num)
++{
++  switch(err) {
++  case SSL_ERROR_BAD_CERT_ALERT:
++    failf(conn->data, "SSL error: SSL_ERROR_BAD_CERT_ALERT");
++    break;
++  case SSL_ERROR_REVOKED_CERT_ALERT:
++    failf(conn->data, "SSL error: SSL_ERROR_REVOKED_CERT_ALERT");
++    break;
++  case SSL_ERROR_EXPIRED_CERT_ALERT:
++    failf(conn->data, "SSL error: SSL_ERROR_EXPIRED_CERT_ALERT");
++    break;
++  default:
++    /* handle it as a ususal error during send/recv */
++    conn->ssl[num].err = CURLE_OK;
++    return false;
++  }
++
++  conn->ssl[num].err = CURLE_SSL_CERTPROBLEM;
++  return true;
++}
++
+ /* return number of sent (non-SSL) bytes */
+ int Curl_nss_send(struct connectdata *conn,  /* connection data */
+                   int sockindex,             /* socketindex */
+@@ -1352,7 +1375,9 @@ int Curl_nss_send(struct connectdata *conn,  /* connection data */
+   rc = PR_Send(conn->ssl[sockindex].handle, mem, (int)len, 0, -1);
+ 
+   if(rc < 0) {
+-    failf(conn->data, "SSL write: error %d", PR_GetError());
++    PRInt32 err = PR_GetError();
++    if(!handle_cert_error(err, conn, sockindex))
++      failf(conn->data, "SSL write: error %d", err);
+     return -1;
+   }
+   return rc; /* number of bytes */
+@@ -1381,7 +1406,8 @@ ssize_t Curl_nss_recv(struct connectdata * conn, /* connection data */
+       *wouldblock = TRUE;
+       return -1; /* basically EWOULDBLOCK */
+     }
+-    failf(conn->data, "SSL read: errno %d", err);
++    if(!handle_cert_error(err, conn, num))
++      failf(conn->data, "SSL read: errno %d", err);
+     return -1;
+   }
+   return nread;
+diff --git a/lib/sendf.c b/lib/sendf.c
+index a366fd1..223fac2 100644
+--- a/lib/sendf.c
++++ b/lib/sendf.c
+@@ -277,10 +277,10 @@ CURLcode Curl_write(struct connectdata *conn,
+                     ssize_t *written)
+ {
+   ssize_t bytes_written;
+-  CURLcode retcode;
+   int num = (sockfd == conn->sock[SECONDARYSOCKET]);
++  const bool do_ssl = (conn->ssl[num].state == ssl_connection_complete);
+ 
+-  if(conn->ssl[num].state == ssl_connection_complete)
++  if(do_ssl)
+     bytes_written = Curl_ssl_send(conn, num, mem, len);
+   else if(Curl_ssh_enabled(conn, PROT_SCP))
+     bytes_written = Curl_scp_send(conn, num, mem, len);
+@@ -292,9 +292,13 @@ CURLcode Curl_write(struct connectdata *conn,
+     bytes_written = send_plain(conn, num, mem, len);
+ 
+   *written = bytes_written;
+-  retcode = (-1 != bytes_written)?CURLE_OK:CURLE_SEND_ERROR;
++  if(-1 == bytes_written)
++    /* send error */
++    return (do_ssl && conn->ssl[num].err)
++      ? (conn->ssl[num].err)
++      : CURLE_SEND_ERROR;
+ 
+-  return retcode;
++  return CURLE_OK;
+ }
+ 
+ /*
+@@ -540,9 +544,11 @@ int Curl_read(struct connectdata *conn, /* connection data */
+ 
+     if(nread == -1)
+       return -1; /* -1 from Curl_ssl_recv() means EWOULDBLOCK */
+-    else if(nread == -2)
++    else if(nread == -2) {
+       /* -2 from Curl_ssl_recv() means a true error, not EWOULDBLOCK */
+-      return CURLE_RECV_ERROR;
++      CURLcode ssl_err = conn->ssl[num].err;
++      return ssl_err?ssl_err:CURLE_RECV_ERROR;
++    }
+   }
+   else if(Curl_ssh_enabled(conn, (PROT_SCP|PROT_SFTP))) {
+     if(conn->protocol & PROT_SCP)
+diff --git a/lib/urldata.h b/lib/urldata.h
+index d03146a..c24a450 100644
+--- a/lib/urldata.h
++++ b/lib/urldata.h
+@@ -222,6 +222,9 @@ struct ssl_connect_data {
+      current state of the connection. */
+   bool use;
+   ssl_connection_state state;
++  /* If an error occurs in curlssl_recv() or Curl_ssl_send() and ERR is
++     non-zero, it contains the error code. */
++  CURLcode err;
+ #ifdef USE_SSLEAY
+   /* these ones requires specific SSL-types */
+   SSL_CTX* ctx;
+-- 
+1.7.0.2
+

curl-7.20.0-read.patch

@@ -0,0 +1,70 @@
+From 5ec0b463ea3e788e20d381ae97302f5965b1d4c5 Mon Sep 17 00:00:00 2001
+From: Kamil Dudka <kdudka@redhat.com>
+Date: Thu, 18 Mar 2010 22:06:14 +0100
+Subject: [PATCH 1/2] Curl_read: do not silently ingore an error
+
+thrown from Curl_ssl_recv()
+
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/sendf.c  |    6 ++++--
+ lib/sslgen.c |   10 +++++-----
+ 2 files changed, 9 insertions(+), 7 deletions(-)
+
+diff --git a/lib/sendf.c b/lib/sendf.c
+index 359f43d..a366fd1 100644
+--- a/lib/sendf.c
++++ b/lib/sendf.c
+@@ -538,9 +538,11 @@ int Curl_read(struct connectdata *conn, /* connection data */
+   if(conn->ssl[num].state == ssl_connection_complete) {
+     nread = Curl_ssl_recv(conn, num, buffertofill, bytesfromsocket);
+ 
+-    if(nread == -1) {
++    if(nread == -1)
+       return -1; /* -1 from Curl_ssl_recv() means EWOULDBLOCK */
+-    }
++    else if(nread == -2)
++      /* -2 from Curl_ssl_recv() means a true error, not EWOULDBLOCK */
++      return CURLE_RECV_ERROR;
+   }
+   else if(Curl_ssh_enabled(conn, (PROT_SCP|PROT_SFTP))) {
+     if(conn->protocol & PROT_SCP)
+diff --git a/lib/sslgen.c b/lib/sslgen.c
+index 9167bf7..78ff8a3 100644
+--- a/lib/sslgen.c
++++ b/lib/sslgen.c
+@@ -399,7 +399,7 @@ struct curl_slist *Curl_ssl_engines_list(struct SessionHandle *data)
+   return curlssl_engines_list(data);
+ }
+ 
+-/* return number of sent (non-SSL) bytes */
++/* return number of sent (non-SSL) bytes; -1 on error */
+ ssize_t Curl_ssl_send(struct connectdata *conn,
+                       int sockindex,
+                       const void *mem,
+@@ -411,8 +411,8 @@ ssize_t Curl_ssl_send(struct connectdata *conn,
+ /* return number of received (decrypted) bytes */
+ 
+ /*
+- * If the read would block (EWOULDBLOCK) we return -1. Otherwise we return
+- * a regular CURLcode value.
++ * If the read would block (EWOULDBLOCK) we return -1. If an error occurs during
++ * the read, we return -2. Otherwise we return the count of bytes transfered.
+  */
+ ssize_t Curl_ssl_recv(struct connectdata *conn, /* connection data */
+                       int sockindex,            /* socketindex */
+@@ -425,9 +425,9 @@ ssize_t Curl_ssl_recv(struct connectdata *conn, /* connection data */
+   nread = curlssl_recv(conn, sockindex, mem, len, &block);
+   if(nread == -1) {
+     if(!block)
+-      return 0; /* this is a true error, not EWOULDBLOCK */
++      return -2; /* this is a true error, not EWOULDBLOCK */
+     else
+-      return -1;
++      return -1; /* EWOULDBLOCK */
+   }
+ 
+   return nread;
+-- 
+1.7.0.2
+

curl.spec

@@ -1,12 +1,18 @@
 Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
 Name: curl
 Version: 7.20.0
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: MIT
 Group: Applications/Internet
 Source: http://curl.haxx.se/download/%{name}-%{version}.tar.lzma
 Source2: curlbuild.h
 
+# http://permalink.gmane.org/gmane.comp.web.curl.library/27110
+Patch0: curl-7.20.0-read.patch
+
+# http://permalink.gmane.org/gmane.comp.web.curl.library/27111
+Patch1: curl-7.20.0-cc-err.patch
+
 # patch making libcurl multilib ready (by excluding static libraries)
 Patch101: curl-7.15.3-multilib.patch
 
@@ -48,11 +54,11 @@ BuildRequires: openssh-server
 BuildRequires: pkgconfig
 BuildRequires: stunnel
 
-# valgrind is not available on some architectures, however it's going to be
+# valgrind temporarily disabled (#574889)
-# used only by the test-suite anyway
+# # valgrind is not available on s390(x)
-%ifnarch s390 s390x
+# %ifnarch s390 s390x
-BuildRequires: valgrind
+# BuildRequires: valgrind
-%endif
+# %endif
 
 BuildRequires: zlib-devel
 Requires: libcurl = %{version}-%{release}
@@ -92,6 +98,10 @@ use cURL's capabilities internally.
 %prep
 %setup -q
 
+# upstream patches (not yet applied)
+%patch0 -p1
+%patch1 -p1
+
 # Fedora patches
 %patch101 -p1
 %patch102 -p1
@@ -119,10 +129,19 @@ for f in CHANGES README; do
 done
 
 %build
-%configure --without-ssl --with-nss --enable-ipv6 \
+%configure --disable-static \
+    --enable-ares \
+    --enable-ipv6 \
+    --enable-ldaps \
+    --enable-manual \
     --with-ca-bundle=%{_sysconfdir}/pki/tls/certs/ca-bundle.crt \
-	--with-gssapi=%{_prefix}/kerberos --with-libidn \
+    --with-gssapi \
-	--enable-ldaps --disable-static --with-libssh2 --enable-manual --enable-ares
+    --with-libidn \
+    --with-libssh2 \
+    --without-ssl --with-nss
+
+# uncomment to turn off optimizations
+# find -name Makefile | xargs sed -i 's/-O2/-O0/'
 
 # Remove bogus rpath
 sed -i \
@@ -133,6 +152,12 @@ make %{?_smp_mflags}
 
 %check
 export LD_LIBRARY_PATH=$RPM_BUILD_ROOT%{_libdir}
+
+# uncomment to use the non-stripped library in tests
+# LD_PRELOAD=`find -name \*.so`
+# LD_PRELOAD=`readlink -f $LD_PRELOAD`
+# export LD_PRELOAD
+
 cd tests
 make %{?_smp_mflags}
 
@@ -194,6 +219,11 @@ rm -rf $RPM_BUILD_ROOT
 %{_datadir}/aclocal/libcurl.m4
 
 %changelog
+* Fri Mar 19 2010 Kamil Dudka <kdudka@redhat.com> 7.20.0-3
+- throw CURLE_SSL_CERTPROBLEM in case peer rejects a certificate (#565972)
+- valgrind temporarily disabled (#574889)
+- kerberos installation prefix has changed
+
 * Wed Feb 24 2010 Kamil Dudka <kdudka@redhat.com> 7.20.0-2
 - exclude test1112 from the test suite (#565305)