[curl/f17] use human-readable error messages provided by NSS
Kamil Dudka
kdudka at fedoraproject.org
Wed Aug 1 08:30:10 UTC 2012
commit 41aa23258eb006b787d75ba5d76120d95fab2f04
Author: Kamil Dudka <kdudka at redhat.com>
Date: Mon May 28 11:56:16 2012 +0200
use human-readable error messages provided by NSS
upstream commit 72f4b534
0004-curl-7.24.0-72f4b534.patch | 254 +++++++++++++++++++++++++++++++++++++++
curl.spec | 9 ++-
2 files changed, 262 insertions(+), 1 deletions(-)
---
diff --git a/0004-curl-7.24.0-72f4b534.patch b/0004-curl-7.24.0-72f4b534.patch
new file mode 100644
index 0000000..61db410
--- /dev/null
+++ b/0004-curl-7.24.0-72f4b534.patch
@@ -0,0 +1,254 @@
+From 77be030f1304a6a13eec3f201811b09fe0733695 Mon Sep 17 00:00:00 2001
+From: Kamil Dudka <kdudka at redhat.com>
+Date: Mon, 21 May 2012 16:31:21 +0200
+Subject: [PATCH 1/2] nss: avoid using explicit casts of code pointers
+
+---
+ lib/nss.c | 11 ++++-------
+ 1 files changed, 4 insertions(+), 7 deletions(-)
+
+diff --git a/lib/nss.c b/lib/nss.c
+index b7ac60b..49d2efc 100644
+--- a/lib/nss.c
++++ b/lib/nss.c
+@@ -669,11 +669,10 @@ static SECStatus BadCertHandler(void *arg, PRFileDesc *sock)
+ /**
+ * Inform the application that the handshake is complete.
+ */
+-static SECStatus HandshakeCallback(PRFileDesc *sock, void *arg)
++static void HandshakeCallback(PRFileDesc *sock, void *arg)
+ {
+ (void)sock;
+ (void)arg;
+- return SECSuccess;
+ }
+
+ static void display_cert_info(struct SessionHandle *data,
+@@ -1326,12 +1325,10 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex)
+ goto error;
+
+ data->set.ssl.certverifyresult=0; /* not checked yet */
+- if(SSL_BadCertHook(model, (SSLBadCertHandler) BadCertHandler, conn)
+- != SECSuccess) {
++ if(SSL_BadCertHook(model, BadCertHandler, conn) != SECSuccess)
+ goto error;
+- }
+- if(SSL_HandshakeCallback(model, (SSLHandshakeCallback) HandshakeCallback,
+- NULL) != SECSuccess)
++
++ if(SSL_HandshakeCallback(model, HandshakeCallback, NULL) != SECSuccess)
+ goto error;
+
+ if(data->set.ssl.verifypeer) {
+--
+1.7.1
+
+
+From 6d07d758810916593d636f597cf1f033de6027ef Mon Sep 17 00:00:00 2001
+From: Kamil Dudka <kdudka at redhat.com>
+Date: Mon, 21 May 2012 16:19:12 +0200
+Subject: [PATCH 2/2] nss: use human-readable error messages provided by NSS
+
+Bug: http://lists.baseurl.org/pipermail/yum-devel/2012-January/009002.html
+---
+ lib/nss.c | 128 +++++++++++++++++++++++++++----------------------------------
+ 1 files changed, 57 insertions(+), 71 deletions(-)
+
+diff --git a/lib/nss.c b/lib/nss.c
+index 49d2efc..ff3afd5 100644
+--- a/lib/nss.c
++++ b/lib/nss.c
+@@ -186,6 +186,11 @@ static const char* nss_error_to_name(PRErrorCode code)
+ return "unknown error";
+ }
+
++static void nss_print_error_message(struct SessionHandle *data, PRUint32 err)
++{
++ failf(data, "%s", PR_ErrorToString(err, PR_LANGUAGE_I_DEFAULT));
++}
++
+ static SECStatus set_ciphers(struct SessionHandle *data, PRFileDesc * model,
+ char *cipher_list)
+ {
+@@ -611,61 +616,6 @@ static SECStatus nss_auth_cert_hook(void *arg, PRFileDesc *fd, PRBool checksig,
+ return SSL_AuthCertificate(CERT_GetDefaultCertDB(), fd, checksig, isServer);
+ }
+
+-static SECStatus BadCertHandler(void *arg, PRFileDesc *sock)
+-{
+- SECStatus result = SECFailure;
+- struct connectdata *conn = (struct connectdata *)arg;
+- PRErrorCode err = PR_GetError();
+- CERTCertificate *cert = NULL;
+- char *subject, *subject_cn, *issuer;
+-
+- conn->data->set.ssl.certverifyresult=err;
+- cert = SSL_PeerCertificate(sock);
+- subject = CERT_NameToAscii(&cert->subject);
+- subject_cn = CERT_GetCommonName(&cert->subject);
+- issuer = CERT_NameToAscii(&cert->issuer);
+- CERT_DestroyCertificate(cert);
+-
+- switch(err) {
+- case SEC_ERROR_CA_CERT_INVALID:
+- infof(conn->data, "Issuer certificate is invalid: '%s'\n", issuer);
+- break;
+- case SEC_ERROR_UNTRUSTED_ISSUER:
+- infof(conn->data, "Certificate is signed by an untrusted issuer: '%s'\n",
+- issuer);
+- break;
+- case SSL_ERROR_BAD_CERT_DOMAIN:
+- if(conn->data->set.ssl.verifyhost) {
+- failf(conn->data, "SSL: certificate subject name '%s' does not match "
+- "target host name '%s'", subject_cn, conn->host.dispname);
+- }
+- else {
+- result = SECSuccess;
+- infof(conn->data, "warning: SSL: certificate subject name '%s' does not "
+- "match target host name '%s'\n", subject_cn, conn->host.dispname);
+- }
+- break;
+- case SEC_ERROR_EXPIRED_CERTIFICATE:
+- infof(conn->data, "Remote Certificate has expired.\n");
+- break;
+- case SEC_ERROR_UNKNOWN_ISSUER:
+- infof(conn->data, "Peer's certificate issuer is not recognized: '%s'\n",
+- issuer);
+- break;
+- default:
+- infof(conn->data, "Bad certificate received. Subject = '%s', "
+- "Issuer = '%s'\n", subject, issuer);
+- break;
+- }
+- if(result == SECSuccess)
+- infof(conn->data, "SSL certificate verify ok.\n");
+- PR_Free(subject);
+- PR_Free(subject_cn);
+- PR_Free(issuer);
+-
+- return result;
+-}
+-
+ /**
+ * Inform the application that the handshake is complete.
+ */
+@@ -727,6 +677,31 @@ static void display_conn_info(struct connectdata *conn, PRFileDesc *sock)
+ return;
+ }
+
++static SECStatus BadCertHandler(void *arg, PRFileDesc *sock)
++{
++ struct connectdata *conn = (struct connectdata *)arg;
++ struct SessionHandle *data = conn->data;
++ PRErrorCode err = PR_GetError();
++ CERTCertificate *cert;
++
++ /* remember the cert verification result */
++ data->set.ssl.certverifyresult = err;
++
++ if(err == SSL_ERROR_BAD_CERT_DOMAIN && !data->set.ssl.verifyhost)
++ /* we are asked not to verify the host name */
++ return SECSuccess;
++
++ /* print only info about the cert, the error is printed off the callback */
++ cert = SSL_PeerCertificate(sock);
++ if(cert) {
++ infof(data, "Server certificate:\n");
++ display_cert_info(data, cert);
++ CERT_DestroyCertificate(cert);
++ }
++
++ return SECFailure;
++}
++
+ /**
+ *
+ * Check that the Peer certificate's issuer certificate matches the one found
+@@ -1106,20 +1081,17 @@ int Curl_nss_close_all(struct SessionHandle *data)
+ return 0;
+ }
+
+-/* handle client certificate related errors if any; return false otherwise */
+-static bool handle_cc_error(PRInt32 err, struct SessionHandle *data)
++/* return true if the given error code is related to a client certificate */
++static bool is_cc_error(PRInt32 err)
+ {
+ switch(err) {
+ case SSL_ERROR_BAD_CERT_ALERT:
+- failf(data, "SSL error: SSL_ERROR_BAD_CERT_ALERT");
+ return true;
+
+ case SSL_ERROR_REVOKED_CERT_ALERT:
+- failf(data, "SSL error: SSL_ERROR_REVOKED_CERT_ALERT");
+ return true;
+
+ case SSL_ERROR_EXPIRED_CERT_ALERT:
+- failf(data, "SSL error: SSL_ERROR_EXPIRED_CERT_ALERT");
+ return true;
+
+ default:
+@@ -1445,10 +1417,14 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex)
+ data->state.ssl_connect_retry = FALSE;
+
+ err = PR_GetError();
+- if(handle_cc_error(err, data))
++ if(is_cc_error(err))
+ curlerr = CURLE_SSL_CERTPROBLEM;
+- else
+- infof(data, "NSS error %d (%s)\n", err, nss_error_to_name(err));
++
++ /* print the error number and error string */
++ infof(data, "NSS error %d (%s)\n", err, nss_error_to_name(err));
++
++ /* print a human-readable message describing the error if available */
++ nss_print_error_message(data, err);
+
+ if(model)
+ PR_Close(model);
+@@ -1481,12 +1457,17 @@ static ssize_t nss_send(struct connectdata *conn, /* connection data */
+ PRInt32 err = PR_GetError();
+ if(err == PR_WOULD_BLOCK_ERROR)
+ *curlcode = CURLE_AGAIN;
+- else if(handle_cc_error(err, conn->data))
+- *curlcode = CURLE_SSL_CERTPROBLEM;
+ else {
++ /* print the error number and error string */
+ const char *err_name = nss_error_to_name(err);
+- failf(conn->data, "SSL write: error %d (%s)", err, err_name);
+- *curlcode = CURLE_SEND_ERROR;
++ infof(conn->data, "SSL write: error %d (%s)\n", err, err_name);
++
++ /* print a human-readable message describing the error if available */
++ nss_print_error_message(conn->data, err);
++
++ *curlcode = (is_cc_error(err))
++ ? CURLE_SSL_CERTPROBLEM
++ : CURLE_SEND_ERROR;
+ }
+ return -1;
+ }
+@@ -1508,12 +1489,17 @@ static ssize_t nss_recv(struct connectdata * conn, /* connection data */
+
+ if(err == PR_WOULD_BLOCK_ERROR)
+ *curlcode = CURLE_AGAIN;
+- else if(handle_cc_error(err, conn->data))
+- *curlcode = CURLE_SSL_CERTPROBLEM;
+ else {
++ /* print the error number and error string */
+ const char *err_name = nss_error_to_name(err);
+- failf(conn->data, "SSL read: errno %d (%s)", err, err_name);
+- *curlcode = CURLE_RECV_ERROR;
++ infof(conn->data, "SSL read: errno %d (%s)\n", err, err_name);
++
++ /* print a human-readable message describing the error if available */
++ nss_print_error_message(conn->data, err);
++
++ *curlcode = (is_cc_error(err))
++ ? CURLE_SSL_CERTPROBLEM
++ : CURLE_RECV_ERROR;
+ }
+ return -1;
+ }
+--
+1.7.1
+
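Review bot: `nss_print_error_message` declares its parameter as `PRUint32 err`, but every caller passes the value returned by `PR_GetError()` (held as `PRErrorCode` in Curl_nss_connect and as `PRInt32` in nss_send/nss_recv) and the function hands it straight to `PR_ErrorToString`, which takes a `PRErrorCode`. NSPR and NSS error codes are negative, so each call round-trips the code through an unsigned type; that works on two's-complement targets but trips -Wsign-conversion and hides the intent. Declaring it `static void nss_print_error_message(struct SessionHandle *data, PRErrorCode err)` keeps it consistent with `nss_error_to_name(PRErrorCode code)` a few lines above. Separately, the three call sites are commented "if available" while the result is passed to `%s` unchecked; if PR_ErrorToString can return NULL for a code outside every registered error table that is undefined behaviour inside failf, and if it cannot, the comment should say the string is always present.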
diff --git a/curl.spec b/curl.spec
index c48810f..81b7ba5 100644
--- a/curl.spec
+++ b/curl.spec
@@ -1,7 +1,7 @@
Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
Name: curl
Version: 7.24.0
-Release: 4%{?dist}
+Release: 5%{?dist}
License: MIT
Group: Applications/Internet
Source: http://curl.haxx.se/download/%{name}-%{version}.tar.lzma
@@ -17,6 +17,9 @@ Patch2: 0002-curl-7.24.0-a60edcc6.patch
# fix duplicated SSL handshake with multi interface and proxy (#788526)
Patch3: 0003-curl-7.24.0-68857e40.patch
+# use human-readable error messages provided by NSS
+Patch4: 0004-curl-7.24.0-72f4b534.patch
+
# patch making libcurl multilib ready
Patch101: 0101-curl-7.21.1-multilib.patch
@@ -119,6 +122,7 @@ done
%patch1 -p1
%patch2 -p1
%patch3 -p1
+%patch4 -p1
# Fedora patches
%patch101 -p1
@@ -232,6 +236,9 @@ rm -rf $RPM_BUILD_ROOT
%{_datadir}/aclocal/libcurl.m4
%changelog
+* Wed Aug 01 2012 Kamil Dudka <kdudka at redhat.com> 7.24.0-5
+- use human-readable error messages provided by NSS (upstream commit 72f4b534)
+
* Sat Jun 09 2012 Kamil Dudka <kdudka at redhat.com> 7.24.0-4
- fix duplicated SSL handshake with multi interface and proxy (#788526)