[PATCH core-updates 0/7] Update gnutls and curl.

  • Open
  • quality assurance status badge
Details
One participant
  • Maxim Cournoyer
Owner
unassigned
Submitted by
Maxim Cournoyer
Severity
normal
M
M
Maxim Cournoyer wrote 9 hours ago
(address . guix-patches@gnu.org)(name . Maxim Cournoyer)(address . maxim.cournoyer@gmail.com)
cover.1734882716.git.maxim.cournoyer@gmail.com
Maxim Cournoyer (7):
gnu: gnutls: Update to 3.8.8.
gnu: gnutls: Enable zstd compression.
gnu: gnutls: Streamline mips64el conditionals.
gnu: brotli: Update to 1.1.0.
gnu: libidn: Update to 1.42.
gnu: curl: Update to 8.11.1 and ungraft.
gnu: curl: Enable zstd support.

gnu/local.mk | 2 -
gnu/packages/compression.scm | 47 ++--
gnu/packages/curl.scm | 59 +++---
gnu/packages/libidn.scm | 4 +-
gnu/packages/patches/curl-CVE-2024-8096.patch | 200 ------------------
.../gnutls-skip-trust-store-test.patch | 15 --
gnu/packages/tls.scm | 50 ++---
7 files changed, 74 insertions(+), 303 deletions(-)
delete mode 100644 gnu/packages/patches/curl-CVE-2024-8096.patch
delete mode 100644 gnu/packages/patches/gnutls-skip-trust-store-test.patch


base-commit: 42ba1aa8b3090f3a4957d36be14e93c5e36f1825
--
2.46.0
M
M
Maxim Cournoyer wrote 9 hours ago
[PATCH core-updates 2/7] gnu: gnutls: Enable zstd compression.
(address . 75026@debbugs.gnu.org)(name . Maxim Cournoyer)(address . maxim.cournoyer@gmail.com)
3dc2fc9d3a6402283ee034647c08c505a0fd6f53.1734882716.git.maxim.cournoyer@gmail.com
* gnu/packages/tls.scm [inputs]: Add zstd:lib.

Change-Id: I7cfce764181eebe12a32019107061c88edaa877a
---
gnu/packages/tls.scm | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

Toggle diff (15 lines)
diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm
index ecdfb5c0e5..c0efb66d96 100644
--- a/gnu/packages/tls.scm
+++ b/gnu/packages/tls.scm
@@ -283,7 +283,7 @@ (define-public gnutls
iproute ;for 'ss'
socat ;several tests rely on it
datefudge)))) ;tests rely on 'datefudge'
- (inputs (list libunistring))
+ (inputs (list libunistring `(,zstd "lib")))
(propagated-inputs
;; These are all in the 'Requires.private' field of gnutls.pc.
(append (list libtasn1 libidn2 nettle zlib)
--
2.46.0
M
M
Maxim Cournoyer wrote 9 hours ago
[PATCH core-updates 1/7] gnu: gnutls: Update to 3.8.8.
(address . 75026@debbugs.gnu.org)(name . Maxim Cournoyer)(address . maxim.cournoyer@gmail.com)
15d3101d6383ecf47a655610199699fb910674ab.1734882716.git.maxim.cournoyer@gmail.com
* gnu/packages/tls.scm (gnutls): Update to 3.8.8.
[source]: Delete patches.
[arguments]: Mark failing tests via XFAIL_TESTS make flag.
* gnu/packages/patches/gnutls-skip-trust-store-test.patch: Delete file.
* gnu/local.mk (dist_patch_DATA): De-register it.

Change-Id: I6519b789896dba00de6a1af7a6f772906ce660c1
---
gnu/local.mk | 1 -
.../gnutls-skip-trust-store-test.patch | 15 -----------
gnu/packages/tls.scm | 25 ++++++++++---------
3 files changed, 13 insertions(+), 28 deletions(-)
delete mode 100644 gnu/packages/patches/gnutls-skip-trust-store-test.patch

Toggle diff (89 lines)
diff --git a/gnu/local.mk b/gnu/local.mk
index 8155a5ae34..a4f2e71134 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1477,7 +1477,6 @@ dist_patch_DATA = \
%D%/packages/patches/gnumach-version.patch \
%D%/packages/patches/gnupg-default-pinentry.patch \
%D%/packages/patches/gnupg-1-build-with-gcc10.patch \
- %D%/packages/patches/gnutls-skip-trust-store-test.patch \
%D%/packages/patches/gobject-introspection-absolute-shlib-path.patch \
%D%/packages/patches/gobject-introspection-absolute-shlib-path-1.72.patch \
%D%/packages/patches/gobject-introspection-cc.patch \
diff --git a/gnu/packages/patches/gnutls-skip-trust-store-test.patch b/gnu/packages/patches/gnutls-skip-trust-store-test.patch
deleted file mode 100644
index e0536712a5..0000000000
--- a/gnu/packages/patches/gnutls-skip-trust-store-test.patch
+++ /dev/null
@@ -1,15 +0,0 @@
-Version 3.5.11 added a test to check that the default trust store is readable.
-It does not exist in the build environment, so pretend everything is fine.
-
-diff a/tests/trust-store.c b/tests/trust-store.c
---- a/tests/trust-store.c
-+++ b/tests/trust-store.c
-@@ -61,7 +61,7 @@
- } else if (ret < 0) {
- fail("error loading system trust store: %s\n", gnutls_strerror(ret));
- } else if (ret == 0) {
-- fail("no certificates were found in system trust store!\n");
-+ success("no trust store in the Guix build environment!\n");
- }
-
- gnutls_certificate_free_credentials(x509_cred);
diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm
index 5f3bc72f6e..ecdfb5c0e5 100644
--- a/gnu/packages/tls.scm
+++ b/gnu/packages/tls.scm
@@ -201,7 +201,7 @@ (define-public p11-kit
(define-public gnutls
(package
(name "gnutls")
- (version "3.8.3")
+ (version "3.8.8")
(source (origin
(method url-fetch)
;; Note: Releases are no longer on ftp.gnu.org since the
@@ -209,10 +209,9 @@ (define-public gnutls
(uri (string-append "mirror://gnupg/gnutls/v"
(version-major+minor version)
"/gnutls-" version ".tar.xz"))
- (patches (search-patches "gnutls-skip-trust-store-test.patch"))
(sha256
(base32
- "0ghpyhhfa3nsraph6dws50jb3dc8g2cfl7dizdnyrm179fawakzp"))))
+ "1yyq74lzlnkgwbr269mddi9vqi1j0dcnw8pdh09vb01qb0704kxc"))))
(build-system gnu-build-system)
(arguments
(list #:tests? (not (or (%current-target-system)
@@ -242,17 +241,19 @@ (define-public gnutls
;; not working on mips64el.
"--without-p11-kit")
'())))
-
+ #:make-flags
+ #~(list (string-append
+ "XFAIL_TESTS="
+ ;; This test checks that the default trust store is
+ ;; readable; expect it to fail since the trust store
+ ;; doesn't exist in the build environment.
+ "trust-store "
+ ;; This one fails only inside the build environment, for
+ ;; reasons unknown (see:
+ ;; <https://gitlab.com/gnutls/gnutls/-/issues/1634>).
+ "tls13/compress-cert-neg2 "))
#:phases
#~(modify-phases %standard-phases
- ;; fastopen.sh fails to connect to the server in the builder
- ;; environment (see:
- ;; https://gitlab.com/gnutls/gnutls/-/issues/1095).
- (add-after 'unpack 'disable-failing-tests
- (lambda _
- (substitute* "tests/fastopen.sh"
- (("^unset RETCODE")
- "exit 77\n")))) ;skip
#$@(if (target-ppc32?)
;; https://gitlab.com/gnutls/gnutls/-/issues/1354
;; Extend the test timeout from the default of 20 * 1000
--
2.46.0
M
M
Maxim Cournoyer wrote 9 hours ago
[PATCH core-updates 3/7] gnu: gnutls: Streamline mips64el conditionals.
(address . 75026@debbugs.gnu.org)(name . Maxim Cournoyer)(address . maxim.cournoyer@gmail.com)
d906ecefdabf12176b128ed4192e38f94ea33d2c.1734882716.git.maxim.cournoyer@gmail.com
* gnu/packages/tls.scm (gnutls) [arguments]: Use target-mips64el? procedure in
#:configure-flags.
[propagated-inputs]: Likewise.

Change-Id: Ia4b603ef57cebe78df1d3e40222fe9c49d9ee8cc
---
gnu/packages/tls.scm | 23 +++++++++--------------
1 file changed, 9 insertions(+), 14 deletions(-)

Toggle diff (43 lines)
diff --git a/gnu/packages/tls.scm b/gnu/packages/tls.scm
index c0efb66d96..90d6ad5c95 100644
--- a/gnu/packages/tls.scm
+++ b/gnu/packages/tls.scm
@@ -232,15 +232,12 @@ (define-public gnutls
;; fallback, and users have to configure each program
;; independently. This seems suboptimal.
"--with-default-trust-store-dir=/etc/ssl/certs"
-
- (let ((system #$(or (%current-target-system)
- (%current-system))))
- (if (string-prefix? "mips64el" system)
- (list
- ;; FIXME: Temporarily disable p11-kit support since it is
- ;; not working on mips64el.
- "--without-p11-kit")
- '())))
+ (if #$(target-mips64el?)
+ (list
+ ;; FIXME: Temporarily disable p11-kit support since it is
+ ;; not working on mips64el.
+ "--without-p11-kit")
+ '()))
#:make-flags
#~(list (string-append
"XFAIL_TESTS="
@@ -287,11 +284,9 @@ (define-public gnutls
(propagated-inputs
;; These are all in the 'Requires.private' field of gnutls.pc.
(append (list libtasn1 libidn2 nettle zlib)
- (let ((system (or (%current-target-system)
- (%current-system))))
- (if (string-prefix? "mips64el" system)
- '()
- (list p11-kit)))))
+ (if (target-mips64el?)
+ '()
+ (list p11-kit))))
(home-page "https://gnutls.org")
(synopsis "Transport layer security library")
(description
--
2.46.0
M
M
Maxim Cournoyer wrote 9 hours ago
[PATCH core-updates 4/7] gnu: brotli: Update to 1.1.0.
(address . 75026@debbugs.gnu.org)(name . Maxim Cournoyer)(address . maxim.cournoyer@gmail.com)
f565959c06d550ff7a751d358f577d94df9c288f.1734882716.git.maxim.cournoyer@gmail.com
* gnu/packages/compression.scm (brotli): Update to 1.1.0.
[source]: Delete obsolete snippet.
[arguments]: Use gexps.

Change-Id: I4fe13683ff33f528ef897bb65bbb239d4d4985c6
---
gnu/packages/compression.scm | 47 +++++++++++++++---------------------
1 file changed, 19 insertions(+), 28 deletions(-)

Toggle diff (69 lines)
diff --git a/gnu/packages/compression.scm b/gnu/packages/compression.scm
index 44461bb87c..93b6cd070b 100644
--- a/gnu/packages/compression.scm
+++ b/gnu/packages/compression.scm
@@ -2351,7 +2351,7 @@ (define-public isa-l
(define-public brotli
(package
(name "brotli")
- (version "1.0.9")
+ (version "1.1.0")
(source
(origin
(method git-fetch)
@@ -2360,35 +2360,26 @@ (define-public brotli
(commit (string-append "v" version))))
(file-name (git-file-name name version))
(sha256
- (base32 "1fikasxf7r2dwlk8mv8w7nmjkn0jw5ic31ky3mvpkdzwgd4xfndl"))
- (modules '((guix build utils)))
- (snippet
- '(begin
- ;; Cherry-picked from upstream since the latest release
- ;; https://github.com/google/brotli/commit/09b0992b6acb7faa6fd3b23f9bc036ea117230fc
- (substitute* (find-files "scripts" "^lib.*pc\\.in")
- (("-R\\$\\{libdir\\} ") ""))
- #t))))
+ (base32 "0cvcq302wpjpd1a2cmxcp9a01lwvc2kkir8vsdb3x11djnxc0nsk"))))
(build-system cmake-build-system)
(arguments
- `(#:phases
- (modify-phases %standard-phases
- (add-after 'install 'rename-static-libraries
- ;; The build tools put a 'static' suffix on the static libraries, but
- ;; other applications don't know how to find these.
- (lambda* (#:key outputs #:allow-other-keys)
- (let ((lib (string-append (assoc-ref %outputs "out") "/lib/")))
- (rename-file (string-append lib "libbrotlicommon-static.a")
- (string-append lib "libbrotlicommon.a"))
- (rename-file (string-append lib "libbrotlidec-static.a")
- (string-append lib "libbrotlidec.a"))
- (rename-file (string-append lib "libbrotlienc-static.a")
- (string-append lib "libbrotlienc.a"))
- #t))))
- #:configure-flags
- (list ;; Defaults to "lib64" on 64-bit archs.
- (string-append "-DCMAKE_INSTALL_LIBDIR="
- (assoc-ref %outputs "out") "/lib"))))
+ (list
+ #:phases
+ #~(modify-phases %standard-phases
+ (add-after 'install 'rename-static-libraries
+ ;; The build tools put a 'static' suffix on the static libraries, but
+ ;; other applications don't know how to find these.
+ (lambda _
+ (let ((lib (string-append #$output "/lib/")))
+ (rename-file (string-append lib "libbrotlicommon-static.a")
+ (string-append lib "libbrotlicommon.a"))
+ (rename-file (string-append lib "libbrotlidec-static.a")
+ (string-append lib "libbrotlidec.a"))
+ (rename-file (string-append lib "libbrotlienc-static.a")
+ (string-append lib "libbrotlienc.a"))))))
+ #:configure-flags
+ #~(list ;; Defaults to "lib64" on 64-bit archs.
+ (string-append "-DCMAKE_INSTALL_LIBDIR=" #$output "/lib"))))
(home-page "https://github.com/google/brotli")
(synopsis "General-purpose lossless compression")
(description "This package provides the reference implementation of Brotli,
--
2.46.0
M
M
Maxim Cournoyer wrote 9 hours ago
[PATCH core-updates 5/7] gnu: libidn: Update to 1.42.
(address . 75026@debbugs.gnu.org)(name . Maxim Cournoyer)(address . maxim.cournoyer@gmail.com)
7a31d42f8326a9e2f2a4307586f2b4df7a86bddf.1734882716.git.maxim.cournoyer@gmail.com
* gnu/packages/libidn.scm (libidn): Update to 1.42.

Change-Id: I7f65377334d6de889ee0fa08ae941a03c6c4e4ca
---
gnu/packages/libidn.scm | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

Toggle diff (23 lines)
diff --git a/gnu/packages/libidn.scm b/gnu/packages/libidn.scm
index 80350db495..8b12fa87d8 100644
--- a/gnu/packages/libidn.scm
+++ b/gnu/packages/libidn.scm
@@ -34,14 +34,14 @@ (define-module (gnu packages libidn)
(define-public libidn
(package
(name "libidn")
- (version "1.41")
+ (version "1.42")
(source (origin
(method url-fetch)
(uri (string-append "mirror://gnu/libidn/libidn-" version
".tar.gz"))
(sha256
(base32
- "0ic9zlqqppwaqr3i0r8lb8f47rrazzc8d5pfgg8vs6mqciip0kc8"))))
+ "08s7rgg8rnmdrk8zyj6m1rb3j3cs6h44pjv0jckzxr06v3f9khfn"))))
(build-system gnu-build-system)
;; FIXME: No Java and C# libraries are currently built.
(arguments
--
2.46.0
M
M
Maxim Cournoyer wrote 9 hours ago
[PATCH core-updates 7/7] gnu: curl: Enable zstd support.
(address . 75026@debbugs.gnu.org)(name . Maxim Cournoyer)(address . maxim.cournoyer@gmail.com)
7b1446a9c5c29e43297c462e4041fa2fb9f615a3.1734882716.git.maxim.cournoyer@gmail.com
* gnu/packages/curl.scm [inputs]: Add zstd:lib.

Change-Id: I48e1099c3a445bcbdeaf16c5a79d956bd1b51307
---
gnu/packages/curl.scm | 14 ++++++++++++--
1 file changed, 12 insertions(+), 2 deletions(-)

Toggle diff (28 lines)
diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm
index 8645ce73f8..d0c8c5c2a6 100644
--- a/gnu/packages/curl.scm
+++ b/gnu/packages/curl.scm
@@ -151,9 +151,19 @@ (define-public curl
(close port)))))
#~()))))
(native-inputs
- (list nghttp2 perl pkg-config python-minimal-wrapper))
+ (list nghttp2
+ perl
+ pkg-config
+ python-minimal-wrapper))
(inputs
- (list gnutls libidn libpsl libssh2 mit-krb5 `(,nghttp2 "lib") zlib))
+ (list gnutls
+ libidn
+ libpsl
+ libssh2
+ mit-krb5
+ `(,nghttp2 "lib")
+ zlib
+ `(,zstd "lib")))
(native-search-paths
;; These variables are introduced by curl-use-ssl-cert-env.patch.
(list $SSL_CERT_DIR
--
2.46.0
M
M
Maxim Cournoyer wrote 9 hours ago
[PATCH core-updates 6/7] gnu: curl: Update to 8.11.1 and ungraft.
(address . 75026@debbugs.gnu.org)(name . Maxim Cournoyer)(address . maxim.cournoyer@gmail.com)
4782535fb3ee717b4e077d5c1624dcb9c7b964a9.1734882716.git.maxim.cournoyer@gmail.com
* gnu/packages/curl.scm (curl): Update to 8.11.1.
[replacement]: Delete field.
[arguments]
<#:configure-flags>: Add --with-libssh2.
<#:phases>: Simplify check phase override, and newly skip the 165, 962, 963,
964, 965, 966, 967, 1448, 2046 and 2047 test cases.
[native-inputs]: Add libssh2.
(curl/fixed): Delete variable.
* gnu/packages/patches/curl-CVE-2024-8096.patch: Delete file.
* gnu/local.mk (dist_patch_DATA): De-register it.

Change-Id: I8e1a8516e78370645e4148d33e57114f98a26404
---
gnu/local.mk | 1 -
gnu/packages/curl.scm | 47 ++--
gnu/packages/patches/curl-CVE-2024-8096.patch | 200 ------------------
3 files changed, 19 insertions(+), 229 deletions(-)
delete mode 100644 gnu/packages/patches/curl-CVE-2024-8096.patch

Toggle diff (218 lines)
diff --git a/gnu/local.mk b/gnu/local.mk
index a4f2e71134..4ffaf89ba4 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -1128,7 +1128,6 @@ dist_patch_DATA = \
%D%/packages/patches/clucene-contribs-lib.patch \
%D%/packages/patches/cube-nocheck.patch \
%D%/packages/patches/cups-minimal-Address-PPD-injection-issues.patch \
- %D%/packages/patches/curl-CVE-2024-8096.patch \
%D%/packages/patches/curl-use-ssl-cert-env.patch \
%D%/packages/patches/curlftpfs-fix-error-closing-file.patch \
%D%/packages/patches/curlftpfs-fix-file-names.patch \
diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm
index e5e3342b6d..8645ce73f8 100644
--- a/gnu/packages/curl.scm
+++ b/gnu/packages/curl.scm
@@ -17,6 +17,7 @@
;;; Copyright © 2023 Sharlatan Hellseher <sharlatanus@gmail.com>
;;; Copyright © 2023 John Kehayias <john.kehayias@protonmail.com>
;;; Copyright © 2024 Ashish SHUKLA <ashish.is@lostca.se>
+;;; Copyright © 2024 Maxim Cournoyer <maxim.cournoyer@gmail.com>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -67,15 +68,14 @@ (define-module (gnu packages curl)
(define-public curl
(package
(name "curl")
- (version "8.6.0")
- (replacement curl/fixed)
+ (version "8.11.1")
(source (origin
(method url-fetch)
(uri (string-append "https://curl.se/download/curl-"
version ".tar.xz"))
(sha256
(base32
- "05fv468yjrb7qwrxmfprxkrcckbkij0myql0vwwnalgr3bcmbk9w"))
+ "0mmb6sal02gi0dkdvkhx9wfwd6y10bd50hpkmqz78289ifs7vjn7"))
(patches (search-patches "curl-use-ssl-cert-env.patch"))))
(outputs '("out"
"doc")) ;1.2 MiB of man3 pages
@@ -89,6 +89,7 @@ (define-public curl
(dirname (dirname
(search-input-file
%build-inputs "lib/libgssrpc.so"))))
+ "--with-libssh2"
"--disable-static")
#:test-target "test-nonflaky" ;avoid tests marked as "flaky"
#:phases
@@ -115,20 +116,20 @@ (define-public curl
(if parallel-tests?
(number->string (parallel-job-count))
"1")))
- ;; Ignore test 1477 due to a missing file in the 8.5.0
- ;; release. See
- ;; <https://github.com/curl/curl/issues/12462>.
- (arguments `("-C" "tests" "test"
- ,@make-flags
- ,(if #$(or (system-hurd?)
- (target-arm32?)
- (target-aarch64?))
- ;; protocol FAIL
- (string-append "TFLAGS=~1474 "
- "!1477 "
- job-count)
- (string-append "TFLAGS=\"~1477 "
- job-count "\"")))))
+ (arguments
+ `("-C" "tests" "test"
+ ,@make-flags
+ ,(string-append "TFLAGS="
+ job-count " "
+ (if #$(or (system-hurd?)
+ (target-arm32?)
+ (target-aarch64?))
+ "~1474 " ;protocol FAIL
+ "")
+ ;; protocol FAIL
+ "~962 ~963 ~964 ~965 ~966 ~967 "
+ ;; These fail for unknown reasons.
+ "~165 ~1448 ~2046 ~2047"))))
;; The top-level "make check" does "make -C tests quiet-test", which
;; is too quiet. Use the "test" target instead, which is more
;; verbose.
@@ -152,7 +153,7 @@ (define-public curl
(native-inputs
(list nghttp2 perl pkg-config python-minimal-wrapper))
(inputs
- (list gnutls libidn libpsl mit-krb5 `(,nghttp2 "lib") zlib))
+ (list gnutls libidn libpsl libssh2 mit-krb5 `(,nghttp2 "lib") zlib))
(native-search-paths
;; These variables are introduced by curl-use-ssl-cert-env.patch.
(list $SSL_CERT_DIR
@@ -178,16 +179,6 @@ (define-public curl
(license (license:non-copyleft "file://COPYING"
"See COPYING in the distribution."))))
-(define-public curl/fixed
- (hidden-package
- (package
- (inherit curl)
- (replacement curl/fixed)
- (source (origin
- (inherit (package-source curl))
- (patches (append (origin-patches (package-source curl))
- (search-patches "curl-CVE-2024-8096.patch"))))))))
-
(define-public gnurl (deprecated-package "gnurl" curl))
(define-public curl-ssh
diff --git a/gnu/packages/patches/curl-CVE-2024-8096.patch b/gnu/packages/patches/curl-CVE-2024-8096.patch
deleted file mode 100644
index 0f780f08c3..0000000000
--- a/gnu/packages/patches/curl-CVE-2024-8096.patch
+++ /dev/null
@@ -1,200 +0,0 @@
-From aeb1a281cab13c7ba791cb104e556b20e713941f Mon Sep 17 00:00:00 2001
-From: Daniel Stenberg <daniel@haxx.se>
-Date: Tue, 20 Aug 2024 16:14:39 +0200
-Subject: [PATCH] gtls: fix OCSP stapling management
-
-Reported-by: Hiroki Kurosawa
-Closes #14642
----
- lib/vtls/gtls.c | 146 ++++++++++++++++++++++++------------------------
- 1 file changed, 73 insertions(+), 73 deletions(-)
-
-diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c
-index 03d6fcc038aac3..c7589d9d39bc81 100644
---- a/lib/vtls/gtls.c
-+++ b/lib/vtls/gtls.c
-@@ -850,6 +850,13 @@ static CURLcode gtls_client_init(struct Curl_cfilter *cf,
- init_flags |= GNUTLS_NO_TICKETS;
- #endif
-
-+#if defined(GNUTLS_NO_STATUS_REQUEST)
-+ if(!config->verifystatus)
-+ /* Disable the "status_request" TLS extension, enabled by default since
-+ GnuTLS 3.8.0. */
-+ init_flags |= GNUTLS_NO_STATUS_REQUEST;
-+#endif
-+
- rc = gnutls_init(&gtls->session, init_flags);
- if(rc != GNUTLS_E_SUCCESS) {
- failf(data, "gnutls_init() failed: %d", rc);
-@@ -1321,104 +1328,97 @@ Curl_gtls_verifyserver(struct Curl_easy *data,
- infof(data, " server certificate verification SKIPPED");
-
- if(config->verifystatus) {
-- if(gnutls_ocsp_status_request_is_checked(session, 0) == 0) {
-- gnutls_datum_t status_request;
-- gnutls_ocsp_resp_t ocsp_resp;
-+ gnutls_datum_t status_request;
-+ gnutls_ocsp_resp_t ocsp_resp;
-+ gnutls_ocsp_cert_status_t status;
-+ gnutls_x509_crl_reason_t reason;
-
-- gnutls_ocsp_cert_status_t status;
-- gnutls_x509_crl_reason_t reason;
-+ rc = gnutls_ocsp_status_request_get(session, &status_request);
-
-- rc = gnutls_ocsp_status_request_get(session, &status_request);
-+ if(rc == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
-+ failf(data, "No OCSP response received");
-+ return CURLE_SSL_INVALIDCERTSTATUS;
-+ }
-
-- infof(data, " server certificate status verification FAILED");
-+ if(rc < 0) {
-+ failf(data, "Invalid OCSP response received");
-+ return CURLE_SSL_INVALIDCERTSTATUS;
-+ }
-
-- if(rc == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
-- failf(data, "No OCSP response received");
-- return CURLE_SSL_INVALIDCERTSTATUS;
-- }
-+ gnutls_ocsp_resp_init(&ocsp_resp);
-
-- if(rc < 0) {
-- failf(data, "Invalid OCSP response received");
-- return CURLE_SSL_INVALIDCERTSTATUS;
-- }
-+ rc = gnutls_ocsp_resp_import(ocsp_resp, &status_request);
-+ if(rc < 0) {
-+ failf(data, "Invalid OCSP response received");
-+ return CURLE_SSL_INVALIDCERTSTATUS;
-+ }
-
-- gnutls_ocsp_resp_init(&ocsp_resp);
-+ (void)gnutls_ocsp_resp_get_single(ocsp_resp, 0, NULL, NULL, NULL, NULL,
-+ &status, NULL, NULL, NULL, &reason);
-
-- rc = gnutls_ocsp_resp_import(ocsp_resp, &status_request);
-- if(rc < 0) {
-- failf(data, "Invalid OCSP response received");
-- return CURLE_SSL_INVALIDCERTSTATUS;
-- }
-+ switch(status) {
-+ case GNUTLS_OCSP_CERT_GOOD:
-+ break;
-
-- (void)gnutls_ocsp_resp_get_single(ocsp_resp, 0, NULL, NULL, NULL, NULL,
-- &status, NULL, NULL, NULL, &reason);
-+ case GNUTLS_OCSP_CERT_REVOKED: {
-+ const char *crl_reason;
-
-- switch(status) {
-- case GNUTLS_OCSP_CERT_GOOD:
-+ switch(reason) {
-+ default:
-+ case GNUTLS_X509_CRLREASON_UNSPECIFIED:
-+ crl_reason = "unspecified reason";
- break;
-
-- case GNUTLS_OCSP_CERT_REVOKED: {
-- const char *crl_reason;
--
-- switch(reason) {
-- default:
-- case GNUTLS_X509_CRLREASON_UNSPECIFIED:
-- crl_reason = "unspecified reason";
-- break;
--
-- case GNUTLS_X509_CRLREASON_KEYCOMPROMISE:
-- crl_reason = "private key compromised";
-- break;
--
-- case GNUTLS_X509_CRLREASON_CACOMPROMISE:
-- crl_reason = "CA compromised";
-- break;
--
-- case GNUTLS_X509_CRLREASON_AFFILIATIONCHANGED:
-- crl_reason = "affiliation has changed";
-- break;
-+ case GNUTLS_X509_CRLREASON_KEYCOMPROMISE:
-+ crl_reason = "private key compromised";
-+ break;
-
-- case GNUTLS_X509_CRLREASON_SUPERSEDED:
-- crl_reason = "certificate superseded";
-- break;
-+ case GNUTLS_X509_CRLREASON_CACOMPROMISE:
-+ crl_reason = "CA compromised";
-+ break;
-
-- case GNUTLS_X509_CRLREASON_CESSATIONOFOPERATION:
-- crl_reason = "operation has ceased";
-- break;
-+ case GNUTLS_X509_CRLREASON_AFFILIATIONCHANGED:
-+ crl_reason = "affiliation has changed";
-+ break;
-
-- case GNUTLS_X509_CRLREASON_CERTIFICATEHOLD:
-- crl_reason = "certificate is on hold";
-- break;
-+ case GNUTLS_X509_CRLREASON_SUPERSEDED:
-+ crl_reason = "certificate superseded";
-+ break;
-
-- case GNUTLS_X509_CRLREASON_REMOVEFROMCRL:
-- crl_reason = "will be removed from delta CRL";
-- break;
-+ case GNUTLS_X509_CRLREASON_CESSATIONOFOPERATION:
-+ crl_reason = "operation has ceased";
-+ break;
-
-- case GNUTLS_X509_CRLREASON_PRIVILEGEWITHDRAWN:
-- crl_reason = "privilege withdrawn";
-- break;
-+ case GNUTLS_X509_CRLREASON_CERTIFICATEHOLD:
-+ crl_reason = "certificate is on hold";
-+ break;
-
-- case GNUTLS_X509_CRLREASON_AACOMPROMISE:
-- crl_reason = "AA compromised";
-- break;
-- }
-+ case GNUTLS_X509_CRLREASON_REMOVEFROMCRL:
-+ crl_reason = "will be removed from delta CRL";
-+ break;
-
-- failf(data, "Server certificate was revoked: %s", crl_reason);
-+ case GNUTLS_X509_CRLREASON_PRIVILEGEWITHDRAWN:
-+ crl_reason = "privilege withdrawn";
- break;
-- }
-
-- default:
-- case GNUTLS_OCSP_CERT_UNKNOWN:
-- failf(data, "Server certificate status is unknown");
-+ case GNUTLS_X509_CRLREASON_AACOMPROMISE:
-+ crl_reason = "AA compromised";
- break;
- }
-
-- gnutls_ocsp_resp_deinit(ocsp_resp);
-+ failf(data, "Server certificate was revoked: %s", crl_reason);
-+ break;
-+ }
-
-- return CURLE_SSL_INVALIDCERTSTATUS;
-+ default:
-+ case GNUTLS_OCSP_CERT_UNKNOWN:
-+ failf(data, "Server certificate status is unknown");
-+ break;
- }
-- else
-- infof(data, " server certificate status verification OK");
-+
-+ gnutls_ocsp_resp_deinit(ocsp_resp);
-+ if(status != GNUTLS_OCSP_CERT_GOOD)
-+ return CURLE_SSL_INVALIDCERTSTATUS;
- }
- else
- infof(data, " server certificate status verification SKIPPED");
--
2.46.0
?
Your comment

Commenting via the web interface is currently disabled.

To comment on this conversation send an email to 75026@debbugs.gnu.org

To respond to this issue using the mumi CLI, first switch to it
mumi current 75026
Then, you may apply the latest patchset in this issue (with sign off)
mumi am -- -s
Or, compose a reply to this issue
mumi compose
Or, send patches to this issue
mumi send-email *.patch