From mboxrd@z Thu Jan 1 00:00:00 1970
From: Maxim Cournoyer
Date: Mon, 23 Dec 2024 01:01:04 +0900
Subject: [bug#75026] [PATCH core-updates 6/7] gnu: curl: Update to 8.11.1 and ungraft.
To: 75026@debbugs.gnu.org
Cc: Maxim Cournoyer
Message-ID: <4782535fb3ee717b4e077d5c1624dcb9c7b964a9.1734882716.git.maxim.cournoyer@gmail.com>
X-Mailer: git-send-email 2.46.0

* gnu/packages/curl.scm (curl): Update to 8.11.1.
[replacement]: Delete field.
[arguments] <#:configure-flags>: Add --with-libssh2.
<#:phases>: Simplify check phase override, and newly skip the 165, 962, 963, 964, 965, 966, 967, 1448, 2046 and 2047 test cases.
[native-inputs]: Add libssh2.
(curl/fixed): Delete variable.
* gnu/packages/patches/curl-CVE-2024-8096.patch: Delete file.
* gnu/local.mk (dist_patch_DATA): De-register it.

Change-Id: I8e1a8516e78370645e4148d33e57114f98a26404
---
 gnu/local.mk                                  |   1 -
 gnu/packages/curl.scm                         |  47 ++--
 gnu/packages/patches/curl-CVE-2024-8096.patch | 200 ------------------
 3 files changed, 19 insertions(+), 229 deletions(-)
 delete mode 100644 gnu/packages/patches/curl-CVE-2024-8096.patch

diff --git a/gnu/local.mk b/gnu/local.mk index a4f2e71134..4ffaf89ba4 100644 --- a/gnu/local.mk +++ b/gnu/local.mk 
@@ -1128,7 +1128,6 @@ dist_patch_DATA = \ %D%/packages/patches/clucene-contribs-lib.patch \ %D%/packages/patches/cube-nocheck.patch \ %D%/packages/patches/cups-minimal-Address-PPD-injection-issues.patch \ - %D%/packages/patches/curl-CVE-2024-8096.patch \ %D%/packages/patches/curl-use-ssl-cert-env.patch \ %D%/packages/patches/curlftpfs-fix-error-closing-file.patch \ %D%/packages/patches/curlftpfs-fix-file-names.patch \ diff --git a/gnu/packages/curl.scm b/gnu/packages/curl.scm index e5e3342b6d..8645ce73f8 100644 --- a/gnu/packages/curl.scm +++ b/gnu/packages/curl.scm @@ -17,6 +17,7 @@ ;;; Copyright © 2023 Sharlatan Hellseher ;;; Copyright © 2023 John Kehayias ;;; Copyright © 2024 Ashish SHUKLA +;;; Copyright © 2024 Maxim Cournoyer ;;; ;;; This file is part of GNU Guix. ;;; @@ -67,15 +68,14 @@ (define-module (gnu packages curl) (define-public curl (package (name "curl") - (version "8.6.0") - (replacement curl/fixed) + (version "8.11.1") (source (origin (method url-fetch) (uri (string-append "https://curl.se/download/curl-" version ".tar.xz")) (sha256 (base32 - "05fv468yjrb7qwrxmfprxkrcckbkij0myql0vwwnalgr3bcmbk9w")) + "0mmb6sal02gi0dkdvkhx9wfwd6y10bd50hpkmqz78289ifs7vjn7")) (patches (search-patches "curl-use-ssl-cert-env.patch")))) (outputs '("out" "doc")) ;1.2 MiB of man3 pages @@ -89,6 +89,7 @@ (define-public curl (dirname (dirname (search-input-file %build-inputs "lib/libgssrpc.so")))) + "--with-libssh2" "--disable-static") #:test-target "test-nonflaky" ;avoid tests marked as "flaky" #:phases 
@@ -115,20 +116,20 @@ (define-public curl (if parallel-tests? (number->string (parallel-job-count)) "1"))) - ;; Ignore test 1477 due to a missing file in the 8.5.0 - ;; release. See - ;; . - (arguments `("-C" "tests" "test" - ,@make-flags - ,(if #$(or (system-hurd?) - (target-arm32?) - (target-aarch64?)) - ;; protocol FAIL - (string-append "TFLAGS=~1474 " - "!1477 " - job-count) - (string-append "TFLAGS=\"~1477 " - job-count "\""))))) + (arguments + `("-C" "tests" "test" + ,@make-flags + ,(string-append "TFLAGS=" + job-count " " + (if #$(or (system-hurd?) + (target-arm32?) + (target-aarch64?)) + "~1474 " ;protocol FAIL + "") + ;; protocol FAIL + "~962 ~963 ~964 ~965 ~966 ~967 " + ;; These fail for unknown reasons. + "~165 ~1448 ~2046 ~2047")))) ;; The top-level "make check" does "make -C tests quiet-test", which ;; is too quiet. Use the "test" target instead, which is more ;; verbose. @@ -152,7 +153,7 @@ (define-public curl (native-inputs (list nghttp2 perl pkg-config python-minimal-wrapper)) (inputs - (list gnutls libidn libpsl mit-krb5 `(,nghttp2 "lib") zlib)) + (list gnutls libidn libpsl libssh2 mit-krb5 `(,nghttp2 "lib") zlib)) (native-search-paths ;; These variables are introduced by curl-use-ssl-cert-env.patch. (list $SSL_CERT_DIR @@ -178,16 +179,6 @@ (define-public curl (license (license:non-copyleft "file://COPYING" "See COPYING in the distribution.")))) -(define-public curl/fixed - (hidden-package - (package - (inherit curl) - (replacement curl/fixed) - (source (origin - (inherit (package-source curl)) - (patches (append (origin-patches (package-source curl)) - (search-patches "curl-CVE-2024-8096.patch")))))))) - (define-public gnurl (deprecated-package "gnurl" curl)) (define-public curl-ssh diff --git a/gnu/packages/patches/curl-CVE-2024-8096.patch b/gnu/packages/patches/curl-CVE-2024-8096.patch deleted file mode 100644 index 0f780f08c3..0000000000 --- a/gnu/packages/patches/curl-CVE-2024-8096.patch +++ /dev/null 
@@ -1,200 +0,0 @@ -From aeb1a281cab13c7ba791cb104e556b20e713941f Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Tue, 20 Aug 2024 16:14:39 +0200 -Subject: [PATCH] gtls: fix OCSP stapling management - -Reported-by: Hiroki Kurosawa -Closes #14642 ---- - lib/vtls/gtls.c | 146 ++++++++++++++++++++++++------------------------ - 1 file changed, 73 insertions(+), 73 deletions(-) - -diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c -index 03d6fcc038aac3..c7589d9d39bc81 100644 ---- a/lib/vtls/gtls.c -+++ b/lib/vtls/gtls.c -@@ -850,6 +850,13 @@ static CURLcode gtls_client_init(struct Curl_cfilter *cf, - init_flags |= GNUTLS_NO_TICKETS; - #endif - -+#if defined(GNUTLS_NO_STATUS_REQUEST) -+ if(!config->verifystatus) -+ /* Disable the "status_request" TLS extension, enabled by default since -+ GnuTLS 3.8.0. */ -+ init_flags |= GNUTLS_NO_STATUS_REQUEST; -+#endif -+ - rc = gnutls_init(>ls->session, init_flags); - if(rc != GNUTLS_E_SUCCESS) { - failf(data, "gnutls_init() failed: %d", rc); -@@ -1321,104 +1328,97 @@ Curl_gtls_verifyserver(struct Curl_easy *data, - infof(data, " server certificate verification SKIPPED"); - - if(config->verifystatus) { -- if(gnutls_ocsp_status_request_is_checked(session, 0) == 0) { -- gnutls_datum_t status_request; -- gnutls_ocsp_resp_t ocsp_resp; -+ gnutls_datum_t status_request; -+ gnutls_ocsp_resp_t ocsp_resp; -+ gnutls_ocsp_cert_status_t status; -+ gnutls_x509_crl_reason_t reason; - -- gnutls_ocsp_cert_status_t status; -- gnutls_x509_crl_reason_t reason; -+ rc = gnutls_ocsp_status_request_get(session, &status_request); - -- rc = gnutls_ocsp_status_request_get(session, &status_request); -+ if(rc == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) { -+ failf(data, "No OCSP response received"); -+ return CURLE_SSL_INVALIDCERTSTATUS; -+ } - -- infof(data, " server certificate status verification FAILED"); -+ if(rc < 0) { -+ failf(data, "Invalid OCSP response received"); -+ return CURLE_SSL_INVALIDCERTSTATUS; -+ } - -- if(rc == 
GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) { -- failf(data, "No OCSP response received"); -- return CURLE_SSL_INVALIDCERTSTATUS; -- } -+ gnutls_ocsp_resp_init(&ocsp_resp); - -- if(rc < 0) { -- failf(data, "Invalid OCSP response received"); -- return CURLE_SSL_INVALIDCERTSTATUS; -- } -+ rc = gnutls_ocsp_resp_import(ocsp_resp, &status_request); -+ if(rc < 0) { -+ failf(data, "Invalid OCSP response received"); -+ return CURLE_SSL_INVALIDCERTSTATUS; -+ } - -- gnutls_ocsp_resp_init(&ocsp_resp); -+ (void)gnutls_ocsp_resp_get_single(ocsp_resp, 0, NULL, NULL, NULL, NULL, -+ &status, NULL, NULL, NULL, &reason); - -- rc = gnutls_ocsp_resp_import(ocsp_resp, &status_request); -- if(rc < 0) { -- failf(data, "Invalid OCSP response received"); -- return CURLE_SSL_INVALIDCERTSTATUS; -- } -+ switch(status) { -+ case GNUTLS_OCSP_CERT_GOOD: -+ break; - -- (void)gnutls_ocsp_resp_get_single(ocsp_resp, 0, NULL, NULL, NULL, NULL, -- &status, NULL, NULL, NULL, &reason); -+ case GNUTLS_OCSP_CERT_REVOKED: { -+ const char *crl_reason; - -- switch(status) { -- case GNUTLS_OCSP_CERT_GOOD: -+ switch(reason) { -+ default: -+ case GNUTLS_X509_CRLREASON_UNSPECIFIED: -+ crl_reason = "unspecified reason"; - break; - -- case GNUTLS_OCSP_CERT_REVOKED: { -- const char *crl_reason; -- -- switch(reason) { -- default: -- case GNUTLS_X509_CRLREASON_UNSPECIFIED: -- crl_reason = "unspecified reason"; -- break; -- -- case GNUTLS_X509_CRLREASON_KEYCOMPROMISE: -- crl_reason = "private key compromised"; -- break; -- -- case GNUTLS_X509_CRLREASON_CACOMPROMISE: -- crl_reason = "CA compromised"; -- break; -- -- case GNUTLS_X509_CRLREASON_AFFILIATIONCHANGED: -- crl_reason = "affiliation has changed"; -- break; -+ case GNUTLS_X509_CRLREASON_KEYCOMPROMISE: -+ crl_reason = "private key compromised"; -+ break; - -- case GNUTLS_X509_CRLREASON_SUPERSEDED: -- crl_reason = "certificate superseded"; -- break; -+ case GNUTLS_X509_CRLREASON_CACOMPROMISE: -+ crl_reason = "CA compromised"; -+ break; - -- case 
GNUTLS_X509_CRLREASON_CESSATIONOFOPERATION: -- crl_reason = "operation has ceased"; -- break; -+ case GNUTLS_X509_CRLREASON_AFFILIATIONCHANGED: -+ crl_reason = "affiliation has changed"; -+ break; - -- case GNUTLS_X509_CRLREASON_CERTIFICATEHOLD: -- crl_reason = "certificate is on hold"; -- break; -+ case GNUTLS_X509_CRLREASON_SUPERSEDED: -+ crl_reason = "certificate superseded"; -+ break; - -- case GNUTLS_X509_CRLREASON_REMOVEFROMCRL: -- crl_reason = "will be removed from delta CRL"; -- break; -+ case GNUTLS_X509_CRLREASON_CESSATIONOFOPERATION: -+ crl_reason = "operation has ceased"; -+ break; - -- case GNUTLS_X509_CRLREASON_PRIVILEGEWITHDRAWN: -- crl_reason = "privilege withdrawn"; -- break; -+ case GNUTLS_X509_CRLREASON_CERTIFICATEHOLD: -+ crl_reason = "certificate is on hold"; -+ break; - -- case GNUTLS_X509_CRLREASON_AACOMPROMISE: -- crl_reason = "AA compromised"; -- break; -- } -+ case GNUTLS_X509_CRLREASON_REMOVEFROMCRL: -+ crl_reason = "will be removed from delta CRL"; -+ break; - -- failf(data, "Server certificate was revoked: %s", crl_reason); -+ case GNUTLS_X509_CRLREASON_PRIVILEGEWITHDRAWN: -+ crl_reason = "privilege withdrawn"; - break; -- } - -- default: -- case GNUTLS_OCSP_CERT_UNKNOWN: -- failf(data, "Server certificate status is unknown"); -+ case GNUTLS_X509_CRLREASON_AACOMPROMISE: -+ crl_reason = "AA compromised"; - break; - } - -- gnutls_ocsp_resp_deinit(ocsp_resp); -+ failf(data, "Server certificate was revoked: %s", crl_reason); -+ break; -+ } - -- return CURLE_SSL_INVALIDCERTSTATUS; -+ default: -+ case GNUTLS_OCSP_CERT_UNKNOWN: -+ failf(data, "Server certificate status is unknown"); -+ break; - } -- else -- infof(data, " server certificate status verification OK"); -+ -+ gnutls_ocsp_resp_deinit(ocsp_resp); -+ if(status != GNUTLS_OCSP_CERT_GOOD) -+ return CURLE_SSL_INVALIDCERTSTATUS; - } - else - infof(data, " server certificate status verification SKIPPED"); -- 2.46.0
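
Review bot: In gnu/packages/curl.scm, hunk @@ -89,6 +89,7 @@, the new "--with-libssh2" configure flag enables SSH-based transfers in the base curl package, but the commit log gives no reason for it and the file still defines curl-ssh (visible as trailing context of the @@ -178,16 +179,6 @@ hunk). State in the log why the base package now needs libssh2, and either deprecate curl-ssh or explain why both variants remain, since this enlarges the dependency closure and protocol surface for every user of curl.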
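
Review bot: In the check phase hunk of gnu/packages/curl.scm (@@ -115,20 +116,20 @@), the TFLAGS entries use the `~N` prefix, which in curl's test runner runs the test and ignores its result, while the commit log says these cases are skipped; the removed code used `!1477` where a real skip was meant. Make the log and the code agree on which behaviour is intended. Four of the ten entries (~165 ~1448 ~2046 ~2047) are justified only by "These fail for unknown reasons": put the observed failure or a bug reference in that comment so the exclusions can be revisited rather than carried forward indefinitely.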
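
Review bot: In gnu/packages/curl.scm, hunk @@ -152,7 +153,7 @@, libssh2 is added to the `inputs` list, but the commit log records it as "[native-inputs]: Add libssh2." The code looks right for a library the package links against; correct the log entry to "[inputs]: Add libssh2." so the ChangeLog matches the change.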
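
Review bot: The removal of curl/fixed (gnu/packages/curl.scm, hunk @@ -178,16 +179,6 @@) together with the deletion of gnu/packages/patches/curl-CVE-2024-8096.patch drops the graft that carried the CVE-2024-8096 fix, and nothing in the commit log states that 8.11.1 already contains it. Add a line to the log noting that upstream commit aeb1a281cab13c7ba791cb104e556b20e713941f ("gtls: fix OCSP stapling management") is included in the new release, so the ungraft can be audited without diffing the tarball.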