path: root/0004-curl-7.27.0-52b6eda4.patch
blob: a6b751bb119dcf7332b04ffc4fa4453a56ef9130 (plain)
From fea7914a32b7d7a8ec4bbf4de0c2be74a32969bb Mon Sep 17 00:00:00 2001
From: Kamil Dudka <kdudka@redhat.com>
Date: Thu, 9 Aug 2012 09:40:00 +0200
Subject: [PATCH 1/2] nss: do not print misleading NSS error codes

[upstream commit 52b6eda4f2a006e33358c6964ef6a00b09ae59ab]
---
 lib/nss.c |   42 ++++++++++++++++++++++++++++++------------
 1 files changed, 30 insertions(+), 12 deletions(-)

diff --git a/lib/nss.c b/lib/nss.c
index b11796c..a8e08f4 100644
--- a/lib/nss.c
+++ b/lib/nss.c
@@ -1084,17 +1084,31 @@ int Curl_nss_close_all(struct SessionHandle *data)
   return 0;
 }
 
-/* return true if the given error code is related to a client certificate */
-static bool is_cc_error(PRInt32 err)
+/* return true if NSS can provide error code (and possibly msg) for the error */
+static bool is_nss_error(CURLcode err)
 {
   switch(err) {
-  case SSL_ERROR_BAD_CERT_ALERT:
+  case CURLE_PEER_FAILED_VERIFICATION:
+  case CURLE_SSL_CACERT:
+  case CURLE_SSL_CACERT_BADFILE:
+  case CURLE_SSL_CERTPROBLEM:
+  case CURLE_SSL_CONNECT_ERROR:
+  case CURLE_SSL_CRL_BADFILE:
+  case CURLE_SSL_ISSUER_ERROR:
     return true;
 
-  case SSL_ERROR_REVOKED_CERT_ALERT:
-    return true;
+  default:
+    return false;
+  }
+}
 
+/* return true if the given error code is related to a client certificate */
+static bool is_cc_error(PRInt32 err)
+{
+  switch(err) {
+  case SSL_ERROR_BAD_CERT_ALERT:
   case SSL_ERROR_EXPIRED_CERT_ALERT:
+  case SSL_ERROR_REVOKED_CERT_ALERT:
     return true;
 
   default:
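Review bot: The comment on `is_nss_error` does not say that the switch is an allow-list that has to track every CURLcode which `Curl_nss_connect` assigns after a failing NSS/NSPR call. A code added later but left out of the list would silently drop the NSS diagnostics for that failure. I would extend the comment to `/* return true if NSS can provide error code (and possibly msg) for the error; keep in sync with the curlerr values set on NSS failures in Curl_nss_connect() */`. The body of `is_cc_error` continues outside the hunk.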
@@ -1388,6 +1402,7 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex)
   time_left = Curl_timeleft(data, NULL, TRUE);
   if(time_left < 0L) {
     failf(data, "timed out before SSL handshake");
+    curlerr = CURLE_OPERATION_TIMEDOUT;
     goto error;
   }
   timeout = PR_MillisecondsToInterval((PRUint32) time_left);
@@ -1432,15 +1447,18 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex)
   /* reset the flag to avoid an infinite loop */
   data->state.ssl_connect_retry = FALSE;
 
-  err = PR_GetError();
-  if(is_cc_error(err))
-    curlerr = CURLE_SSL_CERTPROBLEM;
+  if(is_nss_error(curlerr)) {
+    /* read NSPR error code */
+    err = PR_GetError();
+    if(is_cc_error(err))
+      curlerr = CURLE_SSL_CERTPROBLEM;
 
-  /* print the error number and error string */
-  infof(data, "NSS error %d (%s)\n", err, nss_error_to_name(err));
+    /* print the error number and error string */
+    infof(data, "NSS error %d (%s)\n", err, nss_error_to_name(err));
 
-  /* print a human-readable message describing the error if available */
-  nss_print_error_message(data, err);
+    /* print a human-readable message describing the error if available */
+    nss_print_error_message(data, err);
+  }
 
   if(model)
     PR_Close(model);
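Review bot: The `is_cc_error(err)` remap inside the new block still replaces any of the seven allow-listed codes with `CURLE_SSL_CERTPROBLEM`, so a more specific code such as `CURLE_SSL_CACERT_BADFILE` would be lost if the NSPR error latched at that moment happens to be a client-certificate alert. Whether that can occur depends on the `goto error` paths outside the hunk, but `if(curlerr == CURLE_SSL_CONNECT_ERROR && is_cc_error(err))` would make the intent explicit. Also, if `curlerr` starts out as `CURLE_SSL_CONNECT_ERROR` (its initialisation is not visible here), any non-NSS failure path that assigns no code of its own will still print a stale NSPR error, as the timeout path did before this change. The error-handling block starts and ends outside the hunk.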
-- 
1.7.1


From b00ba010d0cd0a6ee77692fd4e38e6680b07a82e Mon Sep 17 00:00:00 2001
From: Marc Hoersken <info@marc-hoersken.de>
Date: Tue, 11 Sep 2012 09:49:23 +0200
Subject: [PATCH 2/2] nss.c: Fixed warning: 'err' may be used uninitialized in this function

[upstream commit e6ba0487013085afc5bc1ca7d7c8a15a13367ba6]
---
 lib/nss.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/lib/nss.c b/lib/nss.c
index a8e08f4..fef7c3d 100644
--- a/lib/nss.c
+++ b/lib/nss.c
@@ -1173,7 +1173,7 @@ static CURLcode nss_load_ca_certificates(struct connectdata *conn,
 
 CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex)
 {
-  PRInt32 err;
+  PRErrorCode err = 0;
   PRFileDesc *model = NULL;
   PRBool ssl2 = PR_FALSE;
   PRBool ssl3 = PR_FALSE;
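Review bot: `err` is now declared as `PRErrorCode`, but the helper it is passed to is still declared `static bool is_cc_error(PRInt32 err)`. The two names are the same underlying type in NSPR, so nothing breaks, but changing the helper to `static bool is_cc_error(PRErrorCode err)` would keep the error-code type consistent in this file. A short comment such as `/* 0 means no NSPR error has been read */` on the initialiser would make it clear the value is a placeholder. The body of `Curl_nss_connect` continues outside the hunk.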
-- 
1.7.1