unofficial mirror of guix-devel@gnu.org 
* [PATCH v2] gnu: curl: Update to 7.41.0. Fix #20121.
@ 2015-03-27 22:33 Tomáš Čech
  2015-03-31 16:54 ` Mark H Weaver
  0 siblings, 1 reply; 3+ messages in thread
From: Tomáš Čech @ 2015-03-27 22:33 UTC
  To: guix-devel

* gnu/packages/patches/curl-gss-api-fix.patch: Delete file.
* gnu/packages/patches/curl-enable_capath-conf.patch: New file.
* gnu/packages/patches/curl-enable_capath.patch: New file.
* gnu-system.am (dist_patch_DATA): Add new patches, remove old one.
* gnu/packages/curl.scm (curl): Update to 7.41.0. Remove old patch, add two
  new ones. Disable one unit test.
---
 gnu-system.am                                      |   3 +-
 gnu/packages/curl.scm                              |  17 +++-
 gnu/packages/patches/curl-enable_capath-conf.patch |  16 ++++
 gnu/packages/patches/curl-enable_capath.patch      | 103 +++++++++++++++++++++
 gnu/packages/patches/curl-gss-api-fix.patch        |  38 --------
 5 files changed, 134 insertions(+), 43 deletions(-)
 create mode 100644 gnu/packages/patches/curl-enable_capath-conf.patch
 create mode 100644 gnu/packages/patches/curl-enable_capath.patch
 delete mode 100644 gnu/packages/patches/curl-gss-api-fix.patch

diff --git a/gnu-system.am b/gnu-system.am
index 44a4971..e6493a4 100644
--- a/gnu-system.am
+++ b/gnu-system.am
@@ -397,8 +397,9 @@ dist_patch_DATA =						\
   gnu/packages/patches/cssc-gets-undeclared.patch               \
   gnu/packages/patches/cssc-missing-include.patch               \
   gnu/packages/patches/clucene-contribs-lib.patch               \
-  gnu/packages/patches/curl-gss-api-fix.patch			\
   gnu/packages/patches/cursynth-wave-rand.patch			\
+  gnu/packages/patches/curl-enable_capath.patch			\
+  gnu/packages/patches/curl-enable_capath-conf.patch		\
   gnu/packages/patches/dbus-localstatedir.patch			\
   gnu/packages/patches/diffutils-gets-undeclared.patch		\
   gnu/packages/patches/dfu-programmer-fix-libusb.patch		\
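
Review bot: the two new entries in dist_patch_DATA are added after cursynth-wave-rand.patch, while the removed curl-gss-api-fix.patch entry sat before it, so the curl patches no longer sit where the old curl entry was. Move both added lines above cursynth-wave-rand.patch to keep the curl-* files grouped and easy to find when the backport is dropped again.
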
diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm
index 821a957..f466dcc 100644
--- a/gnu/packages/curl.scm
+++ b/gnu/packages/curl.scm
@@ -37,15 +37,21 @@
 (define-public curl
   (package
    (name "curl")
-   (version "7.40.0")
+   (version "7.41.0")
    (source (origin
             (method url-fetch)
             (uri (string-append "http://curl.haxx.se/download/curl-"
                                 version ".tar.lzma"))
             (sha256
              (base32
-              "1a15fdc26b3vwwmchzzpd3l1hfyhx06dn7b6lkikqd7kgwvg5ps7"))
-            (patches (list (search-patch "curl-gss-api-fix.patch")))))
+              "08n7vrhdfzziy3a7n93r7qjhzk8p26q464hxg8w9irdk3v60pi62"))
+            ;; This is backport of patch which fixes handling of both
+            ;; --with-ca-path and --without-ca-path for curl built against
+            ;; GnuTLS. First patch is identical to upstream, second one changes
+            ;; configure script accordingly without need of reconfigure.
+            ;; Fixes #20121.
+            (patches (list (search-patch "curl-enable_capath.patch")
+                           (search-patch "curl-enable_capath-conf.patch")))))
    (build-system gnu-build-system)
    (inputs `(("gnutls" ,gnutls)
              ("gss" ,gss)
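
Review bot: the new sha256 in the source field is the only thing authenticating the 7.41.0 tarball, because the uri is plain "http://curl.haxx.se/download/curl-". Please state in the submission how the hash was obtained, ideally from a tarball checked against the upstream release signature rather than from a single unauthenticated download. The second entry in the patches list edits the generated configure by hand, so both patches need to be dropped together at the next version update; a one-line comment saying so would be more useful here than the description of the configure flags.
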
@@ -68,7 +74,10 @@
        (lambda _
          (substitute* "tests/runtests.pl"
            (("/bin/sh") (which "sh")))
-
+         ;; Test #1135 requires extern-scan.pl, which is not part of the
+         ;; tarball due to mistake. It was fixed already in upstream. We can
+         ;; simply ignore the test as it aims VMS and OS/400.
+         (delete-file "tests/data/test1135")
          ;; The top-level "make check" does "make -C tests quiet-test", which
          ;; is too quiet.  Use the "test" target instead, which is more
          ;; verbose.
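
Review bot: the (delete-file "tests/data/test1135") call is unconditional and carries no marker for when it should go away, so test 1135 stays disabled even after the tarball ships extern-scan.pl again. The comment says upstream has already fixed the omission; add a note to remove the call at the next version update. The hunk also drops the blank line that separated the substitute* form from the code after it; keep one before the new comment and add one after the delete-file call.
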
diff --git a/gnu/packages/patches/curl-enable_capath-conf.patch b/gnu/packages/patches/curl-enable_capath-conf.patch
new file mode 100644
index 0000000..6d4ba8e
--- /dev/null
+++ b/gnu/packages/patches/curl-enable_capath-conf.patch
@@ -0,0 +1,16 @@
+Following patch allows --with-ca-path for curl built against GnuTLS even
+without need of reconfigure.
+
+--- a/configure       2015-03-22 01:11:23.178743705 +0100
++++ b/configure       2015-02-25 00:05:37.000000000 +0100
+@@ -23952,8 +24432,8 @@
+         ca="$want_ca"
+     capath="no"
+   elif test "x$want_capath" != "xno" -a "x$want_capath" != "xunset"; then
+-        if test "x$OPENSSL_ENABLED" != "x1" -a "x$POLARSSL_ENABLED" != "x1"; then
+-      as_fn_error $? "--with-ca-path only works with openSSL or PolarSSL" "$LINENO" 5
++        if test "x$OPENSSL_ENABLED" != "x1" -a "x$GNUTLS_ENABLED" != "x1" -a "x$POLARSSL_ENABLED" != "x1"; then
++      as_fn_error $? "--with-ca-path only works with OpenSSL, GnuTLS or PolarSSL" "$LINENO" 5
+     fi
+     capath="$want_capath"
+     ca="no"
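
Review bot: the embedded hunk header "@@ -23952,8 +24432,8 @@" places the same eight lines 480 lines apart in the old and new configure, and the "+++ b/configure" timestamp (2015-02-25) is older than the "--- a/configure" one (2015-03-22), so this diff does not look like it was taken between the shipped 7.41.0 configure and a one-line edit of it. It applies only if patch finds the context at an offset. Regenerate it by editing the configure from the release tarball and diffing against the untouched copy, so the line numbers agree on both sides, and check that the mixed indentation of the context lines matches the file as shipped.
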
diff --git a/gnu/packages/patches/curl-enable_capath.patch b/gnu/packages/patches/curl-enable_capath.patch
new file mode 100644
index 0000000..0094a1b
--- /dev/null
+++ b/gnu/packages/patches/curl-enable_capath.patch
@@ -0,0 +1,103 @@
+Following patch allows to use --with-ca-path for curl built against GnuTLS.
+
+
+From 5a1614cecdd57cab8b4ae3e9bc19dfff5ba77e80 Mon Sep 17 00:00:00 2001
+From: Alessandro Ghedini <alessandro@ghedini.me>
+Date: Sun, 8 Mar 2015 20:11:06 +0100
+Subject: [PATCH] gtls: add support for CURLOPT_CAPATH
+
+---
+ acinclude.m4                       |  4 ++--
+ docs/libcurl/opts/CURLOPT_CAPATH.3 |  5 ++---
+ lib/vtls/gtls.c                    | 22 ++++++++++++++++++++++
+ lib/vtls/gtls.h                    |  3 +++
+ 4 files changed, 29 insertions(+), 5 deletions(-)
+
+diff --git a/acinclude.m4 b/acinclude.m4
+index 6ed7ffb..ca01869 100644
+--- a/acinclude.m4
++++ b/acinclude.m4
+@@ -2615,8 +2615,8 @@ AC_HELP_STRING([--without-ca-path], [Don't use a default CA path]),
+     capath="no"
+   elif test "x$want_capath" != "xno" -a "x$want_capath" != "xunset"; then
+     dnl --with-ca-path given
+-    if test "x$OPENSSL_ENABLED" != "x1" -a "x$POLARSSL_ENABLED" != "x1"; then
+-      AC_MSG_ERROR([--with-ca-path only works with openSSL or PolarSSL])
++    if test "x$OPENSSL_ENABLED" != "x1" -a "x$GNUTLS_ENABLED" != "x1" -a "x$POLARSSL_ENABLED" != "x1"; then
++      AC_MSG_ERROR([--with-ca-path only works with OpenSSL, GnuTLS or PolarSSL])
+     fi
+     capath="$want_capath"
+     ca="no"
+diff --git a/docs/libcurl/opts/CURLOPT_CAPATH.3 b/docs/libcurl/opts/CURLOPT_CAPATH.3
+index 642953d..6695f9f 100644
+--- a/docs/libcurl/opts/CURLOPT_CAPATH.3
++++ b/docs/libcurl/opts/CURLOPT_CAPATH.3
+@@ -43,9 +43,8 @@ All TLS based protocols: HTTPS, FTPS, IMAPS, POP3, SMTPS etc.
+ .SH EXAMPLE
+ TODO
+ .SH AVAILABILITY
+-This option is OpenSSL-specific and does nothing if libcurl is built to use
+-GnuTLS. NSS-powered libcurl provides the option only for backward
+-compatibility.
++This option is supported by the OpenSSL, GnuTLS and PolarSSL backends. The NSS
++backend provides the option only for backward compatibility.
+ .SH RETURN VALUE
+ Returns CURLE_OK if TLS enabled, and CURLE_UNKNOWN_OPTION if not, or
+ CURLE_OUT_OF_MEMORY if there was insufficient heap space.
+diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c
+index 05aef19..c792540 100644
+--- a/lib/vtls/gtls.c
++++ b/lib/vtls/gtls.c
+@@ -97,6 +97,10 @@ static bool gtls_inited = FALSE;
+ #  if (GNUTLS_VERSION_NUMBER >= 0x03020d)
+ #    define HAS_OCSP
+ #  endif
++
++#  if (GNUTLS_VERSION_NUMBER >= 0x030306)
++#    define HAS_CAPATH
++#  endif
+ #endif
+ 
+ #ifdef HAS_OCSP
+@@ -462,6 +466,24 @@ gtls_connect_step1(struct connectdata *conn,
+             rc, data->set.ssl.CAfile);
+   }
+ 
++#ifdef HAS_CAPATH
++  if(data->set.ssl.CApath) {
++    /* set the trusted CA cert directory */
++    rc = gnutls_certificate_set_x509_trust_dir(conn->ssl[sockindex].cred,
++                                                data->set.ssl.CApath,
++                                                GNUTLS_X509_FMT_PEM);
++    if(rc < 0) {
++      infof(data, "error reading ca cert file %s (%s)\n",
++            data->set.ssl.CAfile, gnutls_strerror(rc));
++      if(data->set.ssl.verifypeer)
++        return CURLE_SSL_CACERT_BADFILE;
++    }
++    else
++      infof(data, "found %d certificates in %s\n",
++            rc, data->set.ssl.CApath);
++  }
++#endif
++
+   if(data->set.ssl.CRLfile) {
+     /* set the CRL list file */
+     rc = gnutls_certificate_set_x509_crl_file(conn->ssl[sockindex].cred,
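
Review bot: in the HAS_CAPATH block, the failure branch after gnutls_certificate_set_x509_trust_dir() logs data->set.ssl.CAfile with the text "error reading ca cert file", although the path that failed is data->set.ssl.CApath. The block tests only CApath, so CAfile need not be set at this point and is still passed to a %s conversion, and the log names the wrong object when the directory cannot be read. Since this patch is meant to be identical to upstream, report it there; the fix is to word the message for the directory and pass data->set.ssl.CApath.
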
+diff --git a/lib/vtls/gtls.h b/lib/vtls/gtls.h
+index c3867e5..af1cb5b 100644
+--- a/lib/vtls/gtls.h
++++ b/lib/vtls/gtls.h
+@@ -54,6 +54,9 @@ bool Curl_gtls_cert_status_request(void);
+ /* Set the API backend definition to GnuTLS */
+ #define CURL_SSL_BACKEND CURLSSLBACKEND_GNUTLS
+ 
++/* this backend supports the CAPATH option */
++#define have_curlssl_ca_path 1
++
+ /* API setup for GnuTLS */
+ #define curlssl_init Curl_gtls_init
+ #define curlssl_cleanup Curl_gtls_cleanup
+-- 
+2.2.1
+
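
Review bot: lib/vtls/gtls.h defines have_curlssl_ca_path as 1 unconditionally, but the code in lib/vtls/gtls.c that loads the directory is compiled only under HAS_CAPATH, that is when GNUTLS_VERSION_NUMBER >= 0x030306 (3.3.6). Built against an older GnuTLS, the backend declares CAPATH support while the CApath setting is never loaded into the credentials, and the updated CURLOPT_CAPATH.3 text states GnuTLS support without naming a version. Confirm that the gnutls input in curl.scm meets that version, and raise upstream that the define and the man page should carry the same version condition as the code.
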
diff --git a/gnu/packages/patches/curl-gss-api-fix.patch b/gnu/packages/patches/curl-gss-api-fix.patch
deleted file mode 100644
index ea838ae..0000000
--- a/gnu/packages/patches/curl-gss-api-fix.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-Copied from upstream:
-https://github.com/bagder/curl/commit/5c0e66d63214e0306197c5a3f162441e074f3401.patch
-
-From 5c0e66d63214e0306197c5a3f162441e074f3401 Mon Sep 17 00:00:00 2001
-From: Steve Holme <steve_holme@hotmail.com>
-Date: Thu, 8 Jan 2015 19:23:53 +0000
-Subject: [PATCH] sasl_gssapi: Fixed build on NetBSD with built-in GSS-API
-
-Bug: http://curl.haxx.se/bug/view.cgi?id=1469
-Reported-by: Thomas Klausner
----
- lib/curl_sasl_gssapi.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/lib/curl_sasl_gssapi.c b/lib/curl_sasl_gssapi.c
-index 6dda0e9..a50646a 100644
---- a/lib/curl_sasl_gssapi.c
-+++ b/lib/curl_sasl_gssapi.c
-@@ -6,6 +6,7 @@
-  *                             \___|\___/|_| \_\_____|
-  *
-  * Copyright (C) 2014, Steve Holme, <steve_holme@hotmail.com>.
-+ * Copyright (C) 2015, Daniel Stenberg, <daniel@haxx.se>, et al.
-  *
-  * This software is licensed as described in the file COPYING, which
-  * you should have received as part of this distribution. The terms
-@@ -126,7 +127,7 @@ CURLcode Curl_sasl_create_gssapi_user_message(struct SessionHandle *data,
- 
-     /* Import the SPN */
-     gss_major_status = gss_import_name(&gss_minor_status, &spn_token,
--                                       gss_nt_service_name, &krb5->spn);
-+                                       GSS_C_NT_HOSTBASED_SERVICE, &krb5->spn);
-     if(GSS_ERROR(gss_major_status)) {
-       Curl_gss_log_error(data, gss_minor_status, "gss_import_name() failed: ");
- 
--- 
-2.2.1
-
-- 
2.2.1


* Re: [PATCH v2] gnu: curl: Update to 7.41.0. Fix #20121.
  2015-03-27 22:33 [PATCH v2] gnu: curl: Update to 7.41.0. Fix #20121 Tomáš Čech
@ 2015-03-31 16:54 ` Mark H Weaver
  2015-04-10  5:06   ` Mark H Weaver
  0 siblings, 1 reply; 3+ messages in thread
From: Mark H Weaver @ 2015-03-31 16:54 UTC
  To: Tomáš Čech; +Cc: guix-devel

Tomáš Čech <sleep_walker@gnu.org> writes:

> * gnu/packages/patches/curl-gss-api-fix.patch: Delete file.
> * gnu/packages/patches/curl-enable_capath-conf.patch: New file.
> * gnu/packages/patches/curl-enable_capath.patch: New file.

Why the mixture of dashes and underscores in the patch name?
Normally we use dashes.  How about calling them:

  curl-support-capath-on-gnutls.patch
  curl-support-capath-on-gnutls-conf.patch

> * gnu-system.am (dist_patch_DATA): Add new patches, remove old one.
> * gnu/packages/curl.scm (curl): Update to 7.41.0. Remove old patch, add two
>   new ones. Disable one unit test.

Please put two spaces between sentences.  Also, instead of writing
"Fix #20121" in the summary line, which will mean nothing to someone who
doesn't remember that bug by its number, we prefer to summarize the
actual changes made.  When fixing bugs, we include the short URL to the
bug report on its own line.

So, how about something like this:

--8<---------------cut here---------------start------------->8---
gnu: curl: Update to 7.41.0.  Support CURLOPT_CAPATH on GnuTLS.

Fixes <http://bugs.gnu.org/20121>.

* gnu/packages/patches/curl-gss-api-fix.patch: Delete file.
* gnu/packages/patches/curl-enable_capath-conf.patch: New file.
* gnu/packages/patches/curl-enable_capath.patch: New file.
* gnu-system.am (dist_patch_DATA): Add new patches, remove old one.
* gnu/packages/curl.scm (curl): Update to 7.41.0.  Remove old patch, add
  two new ones.  Disable one unit test.
--8<---------------cut here---------------end--------------->8---

> diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm
> index 821a957..f466dcc 100644
> --- a/gnu/packages/curl.scm
> +++ b/gnu/packages/curl.scm

Please add your copyright line to this file.

> @@ -37,15 +37,21 @@
>  (define-public curl
>    (package
>     (name "curl")
> -   (version "7.40.0")
> +   (version "7.41.0")
>     (source (origin
>              (method url-fetch)
>              (uri (string-append "http://curl.haxx.se/download/curl-"
>                                  version ".tar.lzma"))
>              (sha256
>               (base32
> -              "1a15fdc26b3vwwmchzzpd3l1hfyhx06dn7b6lkikqd7kgwvg5ps7"))
> -            (patches (list (search-patch "curl-gss-api-fix.patch")))))
> +              "08n7vrhdfzziy3a7n93r7qjhzk8p26q464hxg8w9irdk3v60pi62"))
> +            ;; This is backport of patch which fixes handling of both
> +            ;; --with-ca-path and --without-ca-path for curl built against
> +            ;; GnuTLS. First patch is identical to upstream, second one changes
> +            ;; configure script accordingly without need of reconfigure.
> +            ;; Fixes #20121.

This comment talks about enabling a feature that we don't use, namely
the --with-ca-path configure flag.  The important aspect of the patch is
that it adds support for CURLOPT_CAPATH in the GnuTLS backend.

Anyway, I think it's best to remove this entire comment.  The
description of the patch belongs in the patch itself, and needn't be
reproduced here.

> +            (patches (list (search-patch "curl-enable_capath.patch")
> +                           (search-patch "curl-enable_capath-conf.patch")))))
>     (build-system gnu-build-system)
>     (inputs `(("gnutls" ,gnutls)
>               ("gss" ,gss)
> @@ -68,7 +74,10 @@
>         (lambda _
>           (substitute* "tests/runtests.pl"
>             (("/bin/sh") (which "sh")))
> -
> +         ;; Test #1135 requires extern-scan.pl, which is not part of the
> +         ;; tarball due to mistake. It was fixed already in upstream. We can
> +         ;; simply ignore the test as it aims VMS and OS/400.
> +         (delete-file "tests/data/test1135")

Two spaces between sentences please.
s/mistake/a mistake/
s/It was fixed already in upstream/It has been fixed upstream/
s/ignore/disable/
s/as it aims/as it is specific to/

Please add a blank line after the 'delete-file' call.

> diff --git a/gnu/packages/patches/curl-enable_capath-conf.patch b/gnu/packages/patches/curl-enable_capath-conf.patch
> new file mode 100644
> index 0000000..6d4ba8e
> --- /dev/null
> +++ b/gnu/packages/patches/curl-enable_capath-conf.patch
> @@ -0,0 +1,16 @@
> +Following patch allows --with-ca-path for curl built against GnuTLS even
> +without need of reconfigure.
> +

How about this instead:

  This patch updates 'configure' as autoreconf would have done after
  applying curl-support-capath-on-gnutls.patch.

> +--- a/configure       2015-03-22 01:11:23.178743705 +0100
> ++++ b/configure       2015-02-25 00:05:37.000000000 +0100
> +@@ -23952,8 +24432,8 @@
> +         ca="$want_ca"
> +     capath="no"
> +   elif test "x$want_capath" != "xno" -a "x$want_capath" != "xunset"; then
> +-        if test "x$OPENSSL_ENABLED" != "x1" -a "x$POLARSSL_ENABLED" != "x1"; then
> +-      as_fn_error $? "--with-ca-path only works with openSSL or PolarSSL" "$LINENO" 5
> ++        if test "x$OPENSSL_ENABLED" != "x1" -a "x$GNUTLS_ENABLED" != "x1" -a "x$POLARSSL_ENABLED" != "x1"; then
> ++      as_fn_error $? "--with-ca-path only works with OpenSSL, GnuTLS or PolarSSL" "$LINENO" 5
> +     fi
> +     capath="$want_capath"
> +     ca="no"
> diff --git a/gnu/packages/patches/curl-enable_capath.patch b/gnu/packages/patches/curl-enable_capath.patch
> new file mode 100644
> index 0000000..0094a1b
> --- /dev/null
> +++ b/gnu/packages/patches/curl-enable_capath.patch
> @@ -0,0 +1,103 @@
> +Following patch allows to use --with-ca-path for curl built against GnuTLS.
> +
> +

How about this instead:

  This patch adds support for CURLOPT_CAPATH in the GnuTLS backend.

Can you send an updated patch?

     Thanks!
       Mark


* Re: [PATCH v2] gnu: curl: Update to 7.41.0. Fix #20121.
  2015-03-31 16:54 ` Mark H Weaver
@ 2015-04-10  5:06   ` Mark H Weaver
  0 siblings, 0 replies; 3+ messages in thread
From: Mark H Weaver @ 2015-04-10  5:06 UTC
  To: Tomáš Čech; +Cc: guix-devel

Mark H Weaver <mhw@netris.org> writes:
> Can you send an updated patch?

I went ahead and pushed this to core-updates with my suggested changes,
commit a55e2b221c121503045fd8e8fcecc4a8c1f47a29.

    Thanks!
      Mark
