[libsoup/f15] Flip the value of SOUP_MESSAGE_TRUSTED_CERTIFICATE when not using a CA
Dan Winship
danw at fedoraproject.org
Thu May 3 14:51:29 UTC 2012
commit 057a648b015bfe9ec870f1a24a1f883e3bd7f435
Author: Dan Winship <danw at gnome.org>
Date: Thu May 3 10:50:57 2012 -0400
Flip the value of SOUP_MESSAGE_TRUSTED_CERTIFICATE when not using a CA
rh #818231
libsoup-trusted-cert.patch | 83 ++++++++++++++++++++++++++++++++++++++++++++
libsoup.spec | 9 ++++-
2 files changed, 91 insertions(+), 1 deletions(-)
---
diff --git a/libsoup-trusted-cert.patch b/libsoup-trusted-cert.patch
new file mode 100644
index 0000000..b1c7170
--- /dev/null
+++ b/libsoup-trusted-cert.patch
@@ -0,0 +1,83 @@
+From 48a69f3cfe8c2f2df76a9ed50522b8b40bc9753a Mon Sep 17 00:00:00 2001
+From: Dan Winship <danw at gnome.org>
+Date: Tue, 1 May 2012 14:35:49 -0400
+Subject: [PATCH] Flip the value of SOUP_MESSAGE_TRUSTED_CERTIFICATE when not
+ using a CA
+
+The value of SOUP_MESSAGE_TRUSTED_CERTIFICATE is not supposed to be
+meaningful if SoupSession:ssl-ca-file is unset, but if someone does
+happen to look at it, "FALSE" probably represents what they were
+looking for better than "TRUE" does.
+---
+ libsoup/soup-socket.c | 7 +++----
+ libsoup/soup-ssl.c | 4 +++-
+ libsoup/soup-ssl.h | 3 ++-
+ 3 files changed, 8 insertions(+), 6 deletions(-)
+
+diff --git a/libsoup/soup-socket.c b/libsoup/soup-socket.c
+index 8d11841..6357ba4 100644
+--- a/libsoup/soup-socket.c
++++ b/libsoup/soup-socket.c
+@@ -74,9 +74,9 @@ typedef struct {
+ guint non_blocking:1;
+ guint is_server:1;
+ guint ssl_strict:1;
+- guint ssl_ca_in_creds:1;
+ guint clean_dispose:1;
+ gpointer ssl_creds;
++ gboolean ssl_ca_in_creds;
+
+ GMainContext *async_context;
+ GSource *watch_src;
+@@ -875,10 +875,9 @@ soup_socket_accept_certificate (GTlsConnection *conn, GTlsCertificate *cert,
+ SoupSocketPrivate *priv = SOUP_SOCKET_GET_PRIVATE (sock);
+
+ if (soup_ssl_credentials_verify_certificate (priv->ssl_creds,
+- cert, errors)) {
+- priv->ssl_ca_in_creds = TRUE;
++ cert, errors,
++ &priv->ssl_ca_in_creds))
+ return TRUE;
+- }
+
+ return !priv->ssl_strict;
+ }
+diff --git a/libsoup/soup-ssl.c b/libsoup/soup-ssl.c
+index 74d87f2..4f14555 100644
+--- a/libsoup/soup-ssl.c
++++ b/libsoup/soup-ssl.c
+@@ -49,7 +49,8 @@ soup_ssl_get_client_credentials (const char *ca_file)
+ gboolean
+ soup_ssl_credentials_verify_certificate (SoupSSLCredentials *creds,
+ GTlsCertificate *cert,
+- GTlsCertificateFlags errors)
++ GTlsCertificateFlags errors,
++ gboolean *ca_in_creds)
+ {
+ errors = errors & creds->validation_flags;
+
+@@ -59,6 +60,7 @@ soup_ssl_credentials_verify_certificate (SoupSSLCredentials *creds,
+ for (ca = creds->ca_list; ca; ca = ca->next) {
+ if ((g_tls_certificate_verify (cert, NULL, ca->data) & G_TLS_CERTIFICATE_UNKNOWN_CA) == 0) {
+ errors &= ~G_TLS_CERTIFICATE_UNKNOWN_CA;
++ *ca_in_creds = TRUE;
+ break;
+ }
+ }
+diff --git a/libsoup/soup-ssl.h b/libsoup/soup-ssl.h
+index 5858199..eac6de6 100644
+--- a/libsoup/soup-ssl.h
++++ b/libsoup/soup-ssl.h
+@@ -19,7 +19,8 @@ SoupSSLCredentials *soup_ssl_get_client_credentials (const char
+ void soup_ssl_free_client_credentials (SoupSSLCredentials *creds);
+ gboolean soup_ssl_credentials_verify_certificate (SoupSSLCredentials *creds,
+ GTlsCertificate *cert,
+- GTlsCertificateFlags errors);
++ GTlsCertificateFlags errors,
++ gboolean *ca_in_creds);
+
+ SoupSSLCredentials *soup_ssl_get_server_credentials (const char *cert_file,
+ const char *key_file);
+--
+1.7.10
+
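Review bot: In `soup_ssl_credentials_verify_certificate` the new out-parameter is only ever written as TRUE (the `*ca_in_creds = TRUE;` line inside the CA loop) and never cleared, so `priv->ssl_ca_in_creds` keeps any earlier value and is set as soon as a CA matches, before the function's overall verdict is known. If other bits can remain in `errors` after the loop (the rest of the function is outside the hunk, so this is inferred), `soup_socket_accept_certificate` with `ssl_strict` off still accepts the connection through `return !priv->ssl_strict;` while the flag reports a trusted certificate; before this change the flag was set only when verification returned TRUE. I would open the function with `*ca_in_creds = FALSE;` and have the caller restore the old invariant on the failure path with `priv->ssl_ca_in_creds = FALSE;` just before `return !priv->ssl_strict;`. The prototype in soup-ssl.h would also benefit from a short comment saying that `ca_in_creds` must be non-NULL (it is dereferenced unconditionally) and that TRUE means a CA from the credentials' own list vouched for the certificate.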
diff --git a/libsoup.spec b/libsoup.spec
index 7213738..962694f 100644
--- a/libsoup.spec
+++ b/libsoup.spec
@@ -4,13 +4,14 @@
Name: libsoup
Version: 2.34.3
-Release: 1%{?dist}
+Release: 2%{?dist}
License: LGPLv2
Group: Development/Libraries
Summary: Soup, an HTTP library implementation
URL: http://live.gnome.org/LibSoup
#VCS: git:git://git.gnome.org/libsoup
Source: http://download.gnome.org/sources/libsoup/2.34/libsoup-%{version}.tar.bz2
+Patch1: libsoup-trusted-cert.patch
Requires: glib-networking >= %{glib2_version}
### Build Dependencies ###
@@ -48,6 +49,8 @@ you to develop applications that use the libsoup library.
%prep
%setup -q
+%patch1 -p1 -b .trust
+
%build
%configure
@@ -86,6 +89,10 @@ rm -rf $RPM_BUILD_ROOT
%{_datadir}/gtk-doc/html/%{name}-2.4
%changelog
+* Thu May 3 2012 Dan Winship <danw at redhat.com> - 2.34.3-2
+- Flip the value of SOUP_MESSAGE_TRUSTED_CERTIFICATE when not using a
+ CA (rh #818231)
+
* Thu Jul 28 2011 Dan Winship <danw at redhat.com> - 2.34.3-1
- Update to 2.34.3, including fix for CVE-2011-2524