[libsoup/f15] Flip the value of SOUP_MESSAGE_TRUSTED_CERTIFICATE when not using a CA

Dan Winship danw at fedoraproject.org
Thu May 3 14:51:29 UTC 2012


commit 057a648b015bfe9ec870f1a24a1f883e3bd7f435
Author: Dan Winship <danw at gnome.org>
Date:   Thu May 3 10:50:57 2012 -0400

    Flip the value of SOUP_MESSAGE_TRUSTED_CERTIFICATE when not using a CA
    
    rh #818231

 libsoup-trusted-cert.patch |   83 ++++++++++++++++++++++++++++++++++++++++++++
 libsoup.spec               |    9 ++++-
 2 files changed, 91 insertions(+), 1 deletions(-)
---
diff --git a/libsoup-trusted-cert.patch b/libsoup-trusted-cert.patch
new file mode 100644
index 0000000..b1c7170
--- /dev/null
+++ b/libsoup-trusted-cert.patch
@@ -0,0 +1,83 @@
+From 48a69f3cfe8c2f2df76a9ed50522b8b40bc9753a Mon Sep 17 00:00:00 2001
+From: Dan Winship <danw at gnome.org>
+Date: Tue, 1 May 2012 14:35:49 -0400
+Subject: [PATCH] Flip the value of SOUP_MESSAGE_TRUSTED_CERTIFICATE when not
+ using a CA
+
+The value of SOUP_MESSAGE_TRUSTED_CERTIFICATE is not supposed to be
+meaningful if SoupSession:ssl-ca-file is unset, but if someone does
+happen to look at it, "FALSE" probably represents what they were
+looking for better than "TRUE" does.
+---
+ libsoup/soup-socket.c |    7 +++----
+ libsoup/soup-ssl.c    |    4 +++-
+ libsoup/soup-ssl.h    |    3 ++-
+ 3 files changed, 8 insertions(+), 6 deletions(-)
+
+diff --git a/libsoup/soup-socket.c b/libsoup/soup-socket.c
+index 8d11841..6357ba4 100644
+--- a/libsoup/soup-socket.c
++++ b/libsoup/soup-socket.c
+@@ -74,9 +74,9 @@ typedef struct {
+ 	guint non_blocking:1;
+ 	guint is_server:1;
+ 	guint ssl_strict:1;
+-	guint ssl_ca_in_creds:1;
+ 	guint clean_dispose:1;
+ 	gpointer ssl_creds;
++	gboolean ssl_ca_in_creds;
+ 
+ 	GMainContext   *async_context;
+ 	GSource        *watch_src;
+@@ -875,10 +875,9 @@ soup_socket_accept_certificate (GTlsConnection *conn, GTlsCertificate *cert,
+ 	SoupSocketPrivate *priv = SOUP_SOCKET_GET_PRIVATE (sock);
+ 
+ 	if (soup_ssl_credentials_verify_certificate (priv->ssl_creds,
+-						     cert, errors)) {
+-		priv->ssl_ca_in_creds = TRUE;
++						     cert, errors,
++						     &priv->ssl_ca_in_creds))
+ 		return TRUE;
+-	}
+ 
+ 	return !priv->ssl_strict;
+ }
+diff --git a/libsoup/soup-ssl.c b/libsoup/soup-ssl.c
+index 74d87f2..4f14555 100644
+--- a/libsoup/soup-ssl.c
++++ b/libsoup/soup-ssl.c
+@@ -49,7 +49,8 @@ soup_ssl_get_client_credentials (const char *ca_file)
+ gboolean
+ soup_ssl_credentials_verify_certificate (SoupSSLCredentials   *creds,
+ 					 GTlsCertificate      *cert,
+-					 GTlsCertificateFlags  errors)
++					 GTlsCertificateFlags  errors,
++					 gboolean             *ca_in_creds)
+ {
+ 	errors = errors & creds->validation_flags;
+ 
+@@ -59,6 +60,7 @@ soup_ssl_credentials_verify_certificate (SoupSSLCredentials   *creds,
+ 		for (ca = creds->ca_list; ca; ca = ca->next) {
+ 			if ((g_tls_certificate_verify (cert, NULL, ca->data) & G_TLS_CERTIFICATE_UNKNOWN_CA) == 0) {
+ 				errors &= ~G_TLS_CERTIFICATE_UNKNOWN_CA;
++				*ca_in_creds = TRUE;
+ 				break;
+ 			}
+ 		}
+diff --git a/libsoup/soup-ssl.h b/libsoup/soup-ssl.h
+index 5858199..eac6de6 100644
+--- a/libsoup/soup-ssl.h
++++ b/libsoup/soup-ssl.h
+@@ -19,7 +19,8 @@ SoupSSLCredentials   *soup_ssl_get_client_credentials           (const char
+ void                  soup_ssl_free_client_credentials          (SoupSSLCredentials   *creds);
+ gboolean              soup_ssl_credentials_verify_certificate   (SoupSSLCredentials   *creds,
+ 								 GTlsCertificate      *cert,
+-								 GTlsCertificateFlags  errors);
++								 GTlsCertificateFlags  errors,
++								 gboolean             *ca_in_creds);
+ 
+ SoupSSLCredentials   *soup_ssl_get_server_credentials           (const char           *cert_file,
+ 								 const char           *key_file);
+-- 
+1.7.10
+
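Review bot: `soup_ssl_credentials_verify_certificate()` in soup-ssl.c writes `*ca_in_creds` only on the CA-list match path and never clears it, so the value that presumably backs SOUP_MESSAGE_TRUSTED_CERTIFICATE depends on whatever `priv->ssl_ca_in_creds` held before the call. Because `soup_socket_accept_certificate()` still returns `!priv->ssl_strict` for a certificate that failed verification, this flag is the only trust signal a non-strict caller gets and it should fail closed: add `*ca_in_creds = FALSE;` before `errors = errors & creds->validation_flags;` so a later verification on the same socket cannot inherit a stale TRUE. Whether the callback can run more than once per socket is not visible here, and the function body is only partly shown in these hunks. The new out-parameter is also undocumented; a comment on the prototype in soup-ssl.h such as `/* @ca_in_creds: set to TRUE only if @cert chains to a CA in creds->ca_list */` would make the contract explicit.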
diff --git a/libsoup.spec b/libsoup.spec
index 7213738..962694f 100644
--- a/libsoup.spec
+++ b/libsoup.spec
@@ -4,13 +4,14 @@
 
 Name: libsoup
 Version: 2.34.3
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: LGPLv2
 Group: Development/Libraries
 Summary: Soup, an HTTP library implementation
 URL: http://live.gnome.org/LibSoup
 #VCS: git:git://git.gnome.org/libsoup
 Source: http://download.gnome.org/sources/libsoup/2.34/libsoup-%{version}.tar.bz2
+Patch1: libsoup-trusted-cert.patch
 Requires: glib-networking >= %{glib2_version}
 
 ### Build Dependencies ###
@@ -48,6 +49,8 @@ you to develop applications that use the libsoup library.
 %prep
 %setup -q
 
+%patch1 -p1 -b .trust
+
 %build
 %configure
 
@@ -86,6 +89,10 @@ rm -rf $RPM_BUILD_ROOT
 %{_datadir}/gtk-doc/html/%{name}-2.4
 
 %changelog
+* Thu May  3 2012 Dan Winship <danw at redhat.com> - 2.34.3-2
+- Flip the value of SOUP_MESSAGE_TRUSTED_CERTIFICATE when not using a
+  CA (rh #818231)
+
 * Thu Jul 28 2011 Dan Winship <danw at redhat.com> - 2.34.3-1
 - Update to 2.34.3, including fix for CVE-2011-2524
 

