authorBertrand Jacquin <beber@meleeweb.net>2009-05-06 00:01:37 +0200
committerBertrand Jacquin <beber@meleeweb.net>2009-05-06 00:01:37 +0200
commit9839e851cdb949deeb5e549541dd126af5721958 (patch)
tree6acc67179c96a040631a1776b607000ebbdad912
parentiproute2: cross build issue with netem (diff)
downloadpatches-9839e851cdb949deeb5e549541dd126af5721958.tar.gz
curl: patch for 2.0.4 for gnutls issue
http://bugs.gentoo.org/show_bug.cgi?id=210295 http://lists.gnu.org/archive/html/help-gnutls/2008-02/msg00012.html
-rw-r--r--curl/curl-2.0.4-BJA-curl-correct-gnutls-madness.patch70
1 files changed, 70 insertions, 0 deletions
diff --git a/curl/curl-2.0.4-BJA-curl-correct-gnutls-madness.patch b/curl/curl-2.0.4-BJA-curl-correct-gnutls-madness.patch
new file mode 100644
index 0000000..a9aeec3
--- /dev/null
+++ b/curl/curl-2.0.4-BJA-curl-correct-gnutls-madness.patch
@@ -0,0 +1,70 @@
+Index: gtls.c
+===================================================================
+RCS file: /cvsroot/curl/curl/lib/gtls.c,v
+retrieving revision 1.37
+diff -u -r1.37 gtls.c
+--- gtls.c 8 Feb 2008 22:02:00 -0000 1.37
++++ gtls.c 15 Feb 2008 22:32:45 -0000
+@@ -336,38 +336,42 @@
+
+ chainp = gnutls_certificate_get_peers(session, &cert_list_size);
+ if(!chainp) {
+- if(data->set.ssl.verifyhost) {
++ if(data->set.ssl.verifypeer) {
+ failf(data, "failed to get server cert");
+ return CURLE_PEER_FAILED_VERIFICATION;
+ }
+ infof(data, "\t common name: WARNING couldn't obtain\n");
+ }
+
+- /* This function will try to verify the peer's certificate and return its
+- status (trusted, invalid etc.). The value of status should be one or more
+- of the gnutls_certificate_status_t enumerated elements bitwise or'd. To
+- avoid denial of service attacks some default upper limits regarding the
+- certificate key size and chain size are set. To override them use
+- gnutls_certificate_set_verify_limits(). */
++ if(data->set.ssl.verifypeer) {
++ /* This function will try to verify the peer's certificate and return its
++ status (trusted, invalid etc.). The value of status should be one or
++ more of the gnutls_certificate_status_t enumerated elements bitwise
++ or'd. To avoid denial of service attacks some default upper limits
++ regarding the certificate key size and chain size are set. To override
++ them use gnutls_certificate_set_verify_limits(). */
+
+- rc = gnutls_certificate_verify_peers2(session, &verify_status);
+- if(rc < 0) {
+- failf(data, "server cert verify failed: %d", rc);
+- return CURLE_SSL_CONNECT_ERROR;
+- }
++ rc = gnutls_certificate_verify_peers2(session, &verify_status);
++ if(rc < 0) {
++ failf(data, "server cert verify failed: %d", rc);
++ return CURLE_SSL_CONNECT_ERROR;
++ }
+
+- /* verify_status is a bitmask of gnutls_certificate_status bits */
+- if(verify_status & GNUTLS_CERT_INVALID) {
+- if(data->set.ssl.verifypeer) {
+- failf(data, "server certificate verification failed. CAfile: %s",
+- data->set.ssl.CAfile?data->set.ssl.CAfile:"none");
+- return CURLE_SSL_CACERT;
++ /* verify_status is a bitmask of gnutls_certificate_status bits */
++ if(verify_status & GNUTLS_CERT_INVALID) {
++ if(data->set.ssl.verifypeer) {
++ failf(data, "server certificate verification failed. CAfile: %s",
++ data->set.ssl.CAfile?data->set.ssl.CAfile:"none");
++ return CURLE_SSL_CACERT;
++ }
++ else
++ infof(data, "\t server certificate verification FAILED\n");
+ }
+ else
+- infof(data, "\t server certificate verification FAILED\n");
++ infof(data, "\t server certificate verification OK\n");
+ }
+ else
+- infof(data, "\t server certificate verification OK\n");
++ infof(data, "\t server certificate verification SKIPPED\n");
+
+ /* initialize an X.509 certificate structure. */
+ gnutls_x509_crt_init(&x509_cert);
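Review bot: The inner `if(data->set.ssl.verifypeer)` test on the `GNUTLS_CERT_INVALID` path is now dead, because the whole block is already guarded by the same condition at the new `if(data->set.ssl.verifypeer) {` line, so the `else infof(data, "\t server certificate verification FAILED\n");` branch can never run; the nested check should collapse to `if(verify_status & GNUTLS_CERT_INVALID) { failf(...); return CURLE_SSL_CACERT; }` so a reader does not mistake the FAILED message for a reachable insecure-mode path. Separately, the `!chainp` guard was switched from verifyhost to verifypeer, so with verifypeer off and verifyhost on a missing peer chain now only logs a warning and falls through to the `gnutls_x509_crt_init` / import code that follows the hunk with `chainp` NULL; it is worth confirming that the hostname check further down still fails closed in that case rather than passing on an empty certificate. The verify_status variable is also only assigned inside the new verifypeer block, so any later use of it outside this hunk would read an uninitialized value. The enclosing function starts and ends outside the hunk.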