summaryrefslogtreecommitdiff
path: root/external/curl
diff options
context:
space:
mode:
authorCédric Bosdonnat <cedric.bosdonnat@free.fr>2013-11-19 14:51:15 +0100
committerCédric Bosdonnat <cedric.bosdonnat@free.fr>2013-11-19 14:52:39 +0100
commit01d26477a1c8852b2fec6025da3d3189199b5528 (patch)
treecd95e867512b22360163997e064b8398969b7e1e /external/curl
parent7586bea9fb4c51e7221e403fa965067c8e1cd4a2 (diff)
Backported commit f6c335d63f2da025a0a3efde1fe59e3bb7189b70 from curl
This commit enables CURLINFO_CERTINFO when curl is built with NSS support but not openssl. Change-Id: I1482b34d83a0ae0f47d524a940bb90ed072363a6
Diffstat (limited to 'external/curl')
-rw-r--r--external/curl/NSS-support-for-CERTINFO-feature.patch391
-rw-r--r--external/curl/UnpackedTarball_curl.mk1
2 files changed, 392 insertions, 0 deletions
diff --git a/external/curl/NSS-support-for-CERTINFO-feature.patch b/external/curl/NSS-support-for-CERTINFO-feature.patch
new file mode 100644
index 000000000000..7976a08685e4
--- /dev/null
+++ b/external/curl/NSS-support-for-CERTINFO-feature.patch
@@ -0,0 +1,391 @@
+From f6c335d63f2da025a0a3efde1fe59e3bb7189b70 Mon Sep 17 00:00:00 2001
+From: Patrick Monnerat <pm@datasphere.ch>
+Date: Wed, 30 Oct 2013 11:12:06 +0100
+Subject: [PATCH] NSS: support for CERTINFO feature
+
+---
+ docs/libcurl/curl_easy_getinfo.3 | 6 +--
+ docs/libcurl/curl_easy_setopt.3 | 5 +-
+ lib/hostcheck.c | 4 +-
+ lib/nss.c | 46 ++++++++++++++++--
+ lib/url.c | 3 +-
+ lib/x509asn1.c | 100 +++++++++++++++++++++++++--------------
+ lib/x509asn1.h | 4 +-
+ 7 files changed, 119 insertions(+), 49 deletions(-)
+
+diff --git a/docs/libcurl/curl_easy_getinfo.3 b/docs/libcurl/curl_easy_getinfo.3
+index 62d8ae4..db0f4d6 100644
+--- a/docs/libcurl/curl_easy_getinfo.3
++++ b/docs/libcurl/curl_easy_getinfo.3
+@@ -5,7 +5,7 @@
+ .\" * | (__| |_| | _ <| |___
+ .\" * \___|\___/|_| \_\_____|
+ .\" *
+-.\" * Copyright (C) 1998 - 2012, Daniel Stenberg, <daniel@haxx.se>, et al.
++.\" * Copyright (C) 1998 - 2013, Daniel Stenberg, <daniel@haxx.se>, et al.
+ .\" *
+ .\" * This software is licensed as described in the file COPYING, which
+ .\" * you should have received as part of this distribution. The terms
+@@ -219,8 +219,8 @@ done. The struct reports how many certs it found and then you can extract info
+ for each of those certs by following the linked lists. The info chain is
+ provided in a series of data in the format "name:content" where the content is
+ for the specific named data. See also the certinfo.c example. NOTE: this
+-option is only available in libcurl built with OpenSSL support. (Added in
+-7.19.1)
++option is only available in libcurl built with OpenSSL, NSS, GSKit or QsoSSL
++support. (Added in 7.19.1)
+ .IP CURLINFO_CONDITION_UNMET
+ Pass a pointer to a long to receive the number 1 if the condition provided in
+ the previous request didn't match (see \fICURLOPT_TIMECONDITION\fP). Alas, if
+diff --git a/docs/libcurl/curl_easy_setopt.3 b/docs/libcurl/curl_easy_setopt.3
+index f58c8fb..2887483 100644
+--- a/docs/libcurl/curl_easy_setopt.3
++++ b/docs/libcurl/curl_easy_setopt.3
+@@ -2549,9 +2549,10 @@ is ignored.
+
+ .IP CURLOPT_CERTINFO
+ Pass a long set to 1 to enable libcurl's certificate chain info gatherer. With
+-this enabled, libcurl (if built with OpenSSL) will extract lots of information
++this enabled, libcurl (if built with OpenSSL, NSS, GSKit or QsoSSL) will
++extract lots of information
+ and data about the certificates in the certificate chain used in the SSL
+-connection. This data is then possible to extract after a transfer using
++connection. This data may then be retrieved after a transfer using
+ \fIcurl_easy_getinfo(3)\fP and its option \fICURLINFO_CERTINFO\fP. (Added in
+ 7.19.1)
+ .IP CURLOPT_RANDOM_FILE
+diff --git a/lib/hostcheck.c b/lib/hostcheck.c
+index abd1fa0..4be5baa 100644
+--- a/lib/hostcheck.c
++++ b/lib/hostcheck.c
+@@ -23,7 +23,7 @@
+ #include "curl_setup.h"
+
+ #if defined(USE_SSLEAY) || defined(USE_AXTLS) || defined(USE_QSOSSL) || \
+- defined(USE_GSKIT)
++ defined(USE_GSKIT) || defined(USE_NSS)
+ /* these backends use functions from this file */
+
+ #include "hostcheck.h"
+@@ -94,4 +94,4 @@ int Curl_cert_hostcheck(const char *match_pattern, const char *hostname)
+ return 0;
+ }
+
+-#endif /* SSLEAY or AXTLS or QSOSSL or GSKIT */
++#endif /* SSLEAY or AXTLS or QSOSSL or GSKIT or NSS */
+diff --git a/lib/nss.c b/lib/nss.c
+index 43576e6..2562fcf 100644
+--- a/lib/nss.c
++++ b/lib/nss.c
+@@ -653,6 +653,10 @@ static void display_conn_info(struct connectdata *conn, PRFileDesc *sock)
+ SSLChannelInfo channel;
+ SSLCipherSuiteInfo suite;
+ CERTCertificate *cert;
++ CERTCertificate *cert2;
++ CERTCertificate *cert3;
++ PRTime now;
++ int i;
+
+ if(SSL_GetChannelInfo(sock, &channel, sizeof channel) ==
+ SECSuccess && channel.length == sizeof channel &&
+@@ -663,11 +667,45 @@ static void display_conn_info(struct connectdata *conn, PRFileDesc *sock)
+ }
+ }
+
+- infof(conn->data, "Server certificate:\n");
+-
+ cert = SSL_PeerCertificate(sock);
+- display_cert_info(conn->data, cert);
+- CERT_DestroyCertificate(cert);
++
++ if(cert) {
++ infof(conn->data, "Server certificate:\n");
++
++ if(!conn->data->set.ssl.certinfo) {
++ display_cert_info(conn->data, cert);
++ CERT_DestroyCertificate(cert);
++ }
++ else {
++ /* Count certificates in chain. */
++ now = PR_Now();
++ i = 1;
++ if(!cert->isRoot) {
++ cert2 = CERT_FindCertIssuer(cert, now, certUsageSSLCA);
++ while(cert2) {
++ i++;
++ if(cert2->isRoot) {
++ CERT_DestroyCertificate(cert2);
++ break;
++ }
++ cert3 = CERT_FindCertIssuer(cert2, now, certUsageSSLCA);
++ CERT_DestroyCertificate(cert2);
++ cert2 = cert3;
++ }
++ }
++ Curl_ssl_init_certinfo(conn->data, i);
++ for(i = 0; cert; cert = cert2) {
++ Curl_extract_certinfo(conn, i++, cert->derCert.data,
++ cert->derCert.data + cert->derCert.len);
++ if(cert->isRoot) {
++ CERT_DestroyCertificate(cert);
++ break;
++ }
++ cert2 = CERT_FindCertIssuer(cert, now, certUsageSSLCA);
++ CERT_DestroyCertificate(cert);
++ }
++ }
++ }
+
+ return;
+ }
+diff --git a/lib/url.c b/lib/url.c
+index e86fbc2..03c7607 100644
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -1926,7 +1926,8 @@ CURLcode Curl_setopt(struct SessionHandle *data, CURLoption option,
+ data->set.ssl.fsslctxp = va_arg(param, void *);
+ break;
+ #endif
+-#if defined(USE_SSLEAY) || defined(USE_QSOSSL) || defined(USE_GSKIT)
++#if defined(USE_SSLEAY) || defined(USE_QSOSSL) || defined(USE_GSKIT) || \
++ defined(USE_NSS)
+ case CURLOPT_CERTINFO:
+ data->set.ssl.certinfo = (0 != va_arg(param, long))?TRUE:FALSE;
+ break;
+diff --git a/lib/x509asn1.c b/lib/x509asn1.c
+index 94b89b2..d6aa045 100644
+--- a/lib/x509asn1.c
++++ b/lib/x509asn1.c
+@@ -22,7 +22,7 @@
+
+ #include "curl_setup.h"
+
+-#if defined(USE_QSOSSL) || defined(USE_GSKIT)
++#if defined(USE_QSOSSL) || defined(USE_GSKIT) || defined(USE_NSS)
+
+ #include <curl/curl.h>
+ #include "urldata.h"
+@@ -803,7 +803,7 @@ static const char * dumpAlgo(curl_asn1Element * param,
+ return OID2str(oid.beg, oid.end, TRUE);
+ }
+
+-static void do_pubkey_field(struct SessionHandle *data, int certnum,
++static void do_pubkey_field(struct SessionHandle * data, int certnum,
+ const char * label, curl_asn1Element * elem)
+ {
+ const char * output;
+@@ -812,8 +812,10 @@ static void do_pubkey_field(struct SessionHandle *data, int certnum,
+
+ output = Curl_ASN1tostr(elem, 0);
+ if(output) {
+- Curl_ssl_push_certinfo(data, certnum, label, output);
+- infof(data, " %s: %s\n", label, output);
++ if(data->set.ssl.certinfo)
++ Curl_ssl_push_certinfo(data, certnum, label, output);
++ if(!certnum)
++ infof(data, " %s: %s\n", label, output);
+ free((char *) output);
+ }
+ }
+@@ -845,11 +847,14 @@ static void do_pubkey(struct SessionHandle * data, int certnum,
+ len--;
+ if(len > 32)
+ elem.beg = q; /* Strip leading zero bytes. */
+- infof(data, " RSA Public Key (%lu bits)\n", len);
+- q = curl_maprintf("%lu", len);
+- if(q) {
+- Curl_ssl_push_certinfo(data, certnum, "RSA Public Key", q);
+- free((char *) q);
++ if(!certnum)
++ infof(data, " RSA Public Key (%lu bits)\n", len);
++ if(data->set.ssl.certinfo) {
++ q = curl_maprintf("%lu", len);
++ if(q) {
++ Curl_ssl_push_certinfo(data, certnum, "RSA Public Key", q);
++ free((char *) q);
++ }
+ }
+ /* Generate coefficients. */
+ do_pubkey_field(data, certnum, "rsa(n)", &elem);
+@@ -896,6 +901,10 @@ CURLcode Curl_extract_certinfo(struct connectdata * conn,
+ size_t i;
+ size_t j;
+
++ if(!data->set.ssl.certinfo)
++ if(certnum)
++ return CURLE_OK;
++
+ /* Prepare the certificate information for curl_easy_getinfo(). */
+
+ /* Extract the certificate ASN.1 elements. */
+@@ -905,35 +914,44 @@ CURLcode Curl_extract_certinfo(struct connectdata * conn,
+ ccp = Curl_DNtostr(&cert.subject);
+ if(!ccp)
+ return CURLE_OUT_OF_MEMORY;
+- Curl_ssl_push_certinfo(data, certnum, "Subject", ccp);
+- infof(data, "%2d Subject: %s\n", certnum, ccp);
++ if(data->set.ssl.certinfo)
++ Curl_ssl_push_certinfo(data, certnum, "Subject", ccp);
++ if(!certnum)
++ infof(data, "%2d Subject: %s\n", certnum, ccp);
+ free((char *) ccp);
+
+ /* Issuer. */
+ ccp = Curl_DNtostr(&cert.issuer);
+ if(!ccp)
+ return CURLE_OUT_OF_MEMORY;
+- Curl_ssl_push_certinfo(data, certnum, "Issuer", ccp);
+- infof(data, " Issuer: %s\n", ccp);
++ if(data->set.ssl.certinfo)
++ Curl_ssl_push_certinfo(data, certnum, "Issuer", ccp);
++ if(!certnum)
++ infof(data, " Issuer: %s\n", ccp);
+ free((char *) ccp);
+
+ /* Version (always fits in less than 32 bits). */
+ version = 0;
+ for(ccp = cert.version.beg; ccp < cert.version.end; ccp++)
+ version = (version << 8) | *(const unsigned char *) ccp;
+- ccp = curl_maprintf("%lx", version);
+- if(!ccp)
+- return CURLE_OUT_OF_MEMORY;
+- Curl_ssl_push_certinfo(data, certnum, "Version", ccp);
+- free((char *) ccp);
+- infof(data, " Version: %lu (0x%lx)\n", version + 1, version);
++ if(data->set.ssl.certinfo) {
++ ccp = curl_maprintf("%lx", version);
++ if(!ccp)
++ return CURLE_OUT_OF_MEMORY;
++ Curl_ssl_push_certinfo(data, certnum, "Version", ccp);
++ free((char *) ccp);
++ }
++ if(!certnum)
++ infof(data, " Version: %lu (0x%lx)\n", version + 1, version);
+
+ /* Serial number. */
+ ccp = Curl_ASN1tostr(&cert.serialNumber, 0);
+ if(!ccp)
+ return CURLE_OUT_OF_MEMORY;
+- Curl_ssl_push_certinfo(data, certnum, "Serial Number", ccp);
+- infof(data, " Serial Number: %s\n", ccp);
++ if(data->set.ssl.certinfo)
++ Curl_ssl_push_certinfo(data, certnum, "Serial Number", ccp);
++ if(!certnum)
++ infof(data, " Serial Number: %s\n", ccp);
+ free((char *) ccp);
+
+ /* Signature algorithm .*/
+@@ -941,24 +959,30 @@ CURLcode Curl_extract_certinfo(struct connectdata * conn,
+ cert.signatureAlgorithm.end);
+ if(!ccp)
+ return CURLE_OUT_OF_MEMORY;
+- Curl_ssl_push_certinfo(data, certnum, "Signature Algorithm", ccp);
+- infof(data, " Signature Algorithm: %s\n", ccp);
++ if(data->set.ssl.certinfo)
++ Curl_ssl_push_certinfo(data, certnum, "Signature Algorithm", ccp);
++ if(!certnum)
++ infof(data, " Signature Algorithm: %s\n", ccp);
+ free((char *) ccp);
+
+ /* Start Date. */
+ ccp = Curl_ASN1tostr(&cert.notBefore, 0);
+ if(!ccp)
+ return CURLE_OUT_OF_MEMORY;
+- Curl_ssl_push_certinfo(data, certnum, "Start Date", ccp);
+- infof(data, " Start Date: %s\n", ccp);
++ if(data->set.ssl.certinfo)
++ Curl_ssl_push_certinfo(data, certnum, "Start Date", ccp);
++ if(!certnum)
++ infof(data, " Start Date: %s\n", ccp);
+ free((char *) ccp);
+
+ /* Expire Date. */
+ ccp = Curl_ASN1tostr(&cert.notAfter, 0);
+ if(!ccp)
+ return CURLE_OUT_OF_MEMORY;
+- Curl_ssl_push_certinfo(data, certnum, "Expire Date", ccp);
+- infof(data, " Expire Date: %s\n", ccp);
++ if(data->set.ssl.certinfo)
++ Curl_ssl_push_certinfo(data, certnum, "Expire Date", ccp);
++ if(!certnum)
++ infof(data, " Expire Date: %s\n", ccp);
+ free((char *) ccp);
+
+ /* Public Key Algorithm. */
+@@ -966,8 +990,10 @@ CURLcode Curl_extract_certinfo(struct connectdata * conn,
+ cert.subjectPublicKeyAlgorithm.end);
+ if(!ccp)
+ return CURLE_OUT_OF_MEMORY;
+- Curl_ssl_push_certinfo(data, certnum, "Public Key Algorithm", ccp);
+- infof(data, " Public Key Algorithm: %s\n", ccp);
++ if(data->set.ssl.certinfo)
++ Curl_ssl_push_certinfo(data, certnum, "Public Key Algorithm", ccp);
++ if(!certnum)
++ infof(data, " Public Key Algorithm: %s\n", ccp);
+ do_pubkey(data, certnum, ccp, &param, &cert.subjectPublicKey);
+ free((char *) ccp);
+
+@@ -977,8 +1003,10 @@ CURLcode Curl_extract_certinfo(struct connectdata * conn,
+ ccp = Curl_ASN1tostr(&cert.signature, 0);
+ if(!ccp)
+ return CURLE_OUT_OF_MEMORY;
+- Curl_ssl_push_certinfo(data, certnum, "Signature", ccp);
+- infof(data, " Signature: %s\n", ccp);
++ if(data->set.ssl.certinfo)
++ Curl_ssl_push_certinfo(data, certnum, "Signature", ccp);
++ if(!certnum)
++ infof(data, " Signature: %s\n", ccp);
+ free((char *) ccp);
+
+ /* Generate PEM certificate. */
+@@ -987,7 +1015,7 @@ CURLcode Curl_extract_certinfo(struct connectdata * conn,
+ &cp1, &cl1);
+ if(cc != CURLE_OK)
+ return cc;
+- /* Compute the number of charaters in final certificate string. Format is:
++ /* Compute the number of characters in final certificate string. Format is:
+ -----BEGIN CERTIFICATE-----\n
+ <max 64 base64 characters>\n
+ .
+@@ -1008,8 +1036,10 @@ CURLcode Curl_extract_certinfo(struct connectdata * conn,
+ i += copySubstring(cp2 + i, "-----END CERTIFICATE-----");
+ cp2[i] = '\0';
+ free(cp1);
+- Curl_ssl_push_certinfo(data, certnum, "Cert", cp2);
+- infof(data, "%s\n", cp2);
++ if(data->set.ssl.certinfo)
++ Curl_ssl_push_certinfo(data, certnum, "Cert", cp2);
++ if(!certnum)
++ infof(data, "%s\n", cp2);
+ free(cp2);
+ return CURLE_OK;
+ }
+@@ -1148,4 +1178,4 @@ CURLcode Curl_verifyhost(struct connectdata * conn,
+ return CURLE_PEER_FAILED_VERIFICATION;
+ }
+
+-#endif /* USE_QSOSSL or USE_GSKIT */
++#endif /* USE_QSOSSL or USE_GSKIT or USE_NSS */
+diff --git a/lib/x509asn1.h b/lib/x509asn1.h
+index 2276b5b..1741d6d 100644
+--- a/lib/x509asn1.h
++++ b/lib/x509asn1.h
+@@ -25,7 +25,7 @@
+
+ #include "curl_setup.h"
+
+-#if defined(USE_QSOSSL) || defined(USE_GSKIT)
++#if defined(USE_QSOSSL) || defined(USE_GSKIT) || defined(USE_NSS)
+
+ #include "urldata.h"
+
+@@ -125,5 +125,5 @@ CURLcode Curl_extract_certinfo(struct connectdata * conn, int certnum,
+ CURLcode Curl_verifyhost(struct connectdata * conn,
+ const char * beg, const char * end);
+
+-#endif /* USE_QSOSSL or USE_GSKIT */
++#endif /* USE_QSOSSL or USE_GSKIT or USE_NSS */
+ #endif /* HEADER_CURL_X509ASN1_H */
+--
+1.8.4.2
+
diff --git a/external/curl/UnpackedTarball_curl.mk b/external/curl/UnpackedTarball_curl.mk
index 2e4d4cc1283c..f6542e5217f8 100644
--- a/external/curl/UnpackedTarball_curl.mk
+++ b/external/curl/UnpackedTarball_curl.mk
@@ -23,6 +23,7 @@ $(eval $(call gb_UnpackedTarball_add_patches,curl,\
external/curl/curl-msvc-schannel.patch.1 \
external/curl/curl-7.26.0_mingw.patch \
external/curl/curl-7.26.0_win-proxy.patch \
+ external/curl/NSS-support-for-CERTINFO-feature.patch \
))
ifeq ($(OS),ANDROID)