From: Yann E. MORIN <yann.morin.1998@free.fr>
To: buildroot@busybox.net
Subject: [Buildroot] [PATCH] package/libcurl: fix no-proxy build with bearssl and nss
Date: Thu, 9 Jul 2020 22:19:16 +0200 [thread overview]
Message-ID: <20200709201916.GC2273@scaer> (raw)
In-Reply-To: <c4509d9911d8202601895685017a1295768a1871.1594274810.git.baruch@tkos.co.il>
Baruch, All,
On 2020-07-09 09:06 +0300, Baruch Siach spake thusly:
> Add two patches fixing build against BearSSL and NSS TLS implementations
> when BR2_PACKAGE_LIBCURL_PROXY_SUPPORT is disabled.
>
> Fixes:
> http://autobuild.buildroot.net/results/4d37d9163bfece536974f15f16b2ebfc5fabc539/
> http://autobuild.buildroot.net/results/387e8baa13d0f07ed4dfd5b6ee3b933d4843c0e8/
>
> Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Applied to master, thanks.
Regards,
Yann E. MORIN.
> ---
> ...ix-build-with-disabled-proxy-support.patch | 50 ++++++
> ...ix-build-with-disabled-proxy-support.patch | 159 ++++++++++++++++++
> 2 files changed, 209 insertions(+)
> create mode 100644 package/libcurl/0001-bearssl-fix-build-with-disabled-proxy-support.patch
> create mode 100644 package/libcurl/0002-nss-fix-build-with-disabled-proxy-support.patch
>
> diff --git a/package/libcurl/0001-bearssl-fix-build-with-disabled-proxy-support.patch b/package/libcurl/0001-bearssl-fix-build-with-disabled-proxy-support.patch
> new file mode 100644
> index 000000000000..b6d89859b93c
> --- /dev/null
> +++ b/package/libcurl/0001-bearssl-fix-build-with-disabled-proxy-support.patch
> @@ -0,0 +1,50 @@
> +From 3a46be47cad5a3498b5f6d6007b7d1fe5b8dff78 Mon Sep 17 00:00:00 2001
> +Message-Id: <3a46be47cad5a3498b5f6d6007b7d1fe5b8dff78.1594274321.git.baruch@tkos.co.il>
> +From: Baruch Siach <baruch@tkos.co.il>
> +Date: Thu, 9 Jul 2020 08:14:49 +0300
> +Subject: [PATCH] bearssl: fix build with disabled proxy support
> +
> +Avoid reference to fields that do not exist when CURL_DISABLE_PROXY is
> +defined.
> +
> +Signed-off-by: Baruch Siach <baruch@tkos.co.il>
> +---
> +Upstream status: https://github.com/curl/curl/pull/5666
> +
> + lib/vtls/bearssl.c | 11 +++++++++--
> + 1 file changed, 9 insertions(+), 2 deletions(-)
> +
> +diff --git a/lib/vtls/bearssl.c b/lib/vtls/bearssl.c
> +index 628e16a124a9..44e7406e8e39 100644
> +--- a/lib/vtls/bearssl.c
> ++++ b/lib/vtls/bearssl.c
> +@@ -300,8 +300,12 @@ static CURLcode bearssl_connect_step1(struct connectdata *conn, int sockindex)
> + struct ssl_connect_data *connssl = &conn->ssl[sockindex];
> + struct ssl_backend_data *backend = connssl->backend;
> + const char * const ssl_cafile = SSL_CONN_CONFIG(CAfile);
> ++#ifndef CURL_DISABLE_PROXY
> + const char *hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name :
> + conn->host.name;
> ++#else
> ++ const char *hostname = conn->host.name;
> ++#endif
> + const bool verifypeer = SSL_CONN_CONFIG(verifypeer);
> + const bool verifyhost = SSL_CONN_CONFIG(verifyhost);
> + CURLcode ret;
> +@@ -386,8 +390,11 @@ static CURLcode bearssl_connect_step1(struct connectdata *conn, int sockindex)
> + */
> +
> + #ifdef USE_NGHTTP2
> +- if(data->set.httpversion >= CURL_HTTP_VERSION_2 &&
> +- (!SSL_IS_PROXY() || !conn->bits.tunnel_proxy)) {
> ++ if(data->set.httpversion >= CURL_HTTP_VERSION_2
> ++#ifndef CURL_DISABLE_PROXY
> ++ && (!SSL_IS_PROXY() || !conn->bits.tunnel_proxy)
> ++#endif
> ++ ) {
> + backend->protocols[cur++] = NGHTTP2_PROTO_VERSION_ID;
> + infof(data, "ALPN, offering %s\n", NGHTTP2_PROTO_VERSION_ID);
> + }
> +--
> +2.27.0
> +
> diff --git a/package/libcurl/0002-nss-fix-build-with-disabled-proxy-support.patch b/package/libcurl/0002-nss-fix-build-with-disabled-proxy-support.patch
> new file mode 100644
> index 000000000000..0d1286338e41
> --- /dev/null
> +++ b/package/libcurl/0002-nss-fix-build-with-disabled-proxy-support.patch
> @@ -0,0 +1,159 @@
> +From d040da28f57d0b3fcd6f63809a8c85a600f87a62 Mon Sep 17 00:00:00 2001
> +Message-Id: <d040da28f57d0b3fcd6f63809a8c85a600f87a62.1594274337.git.baruch@tkos.co.il>
> +From: Baruch Siach <baruch@tkos.co.il>
> +Date: Thu, 9 Jul 2020 08:14:49 +0300
> +Subject: [PATCH] nss: fix build with disabled proxy support
> +
> +Avoid reference to fields that do not exist when CURL_DISABLE_PROXY is
> +defined.
> +
> +Signed-off-by: Baruch Siach <baruch@tkos.co.il>
> +---
> +Upstream status: https://github.com/curl/curl/pull/5667
> +
> + lib/vtls/nss.c | 44 +++++++++++++++++++++++++++++++++++---------
> + 1 file changed, 35 insertions(+), 9 deletions(-)
> +
> +diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c
> +index fca292613815..0f0d1ee6c80f 100644
> +--- a/lib/vtls/nss.c
> ++++ b/lib/vtls/nss.c
> +@@ -1027,9 +1027,11 @@ static SECStatus BadCertHandler(void *arg, PRFileDesc *sock)
> + CERTCertificate *cert;
> +
> + /* remember the cert verification result */
> ++#ifndef CURL_DISABLE_PROXY
> + if(SSL_IS_PROXY())
> + data->set.proxy_ssl.certverifyresult = err;
> + else
> ++#endif
> + data->set.ssl.certverifyresult = err;
> +
> + if(err == SSL_ERROR_BAD_CERT_DOMAIN && !SSL_CONN_CONFIG(verifyhost))
> +@@ -1553,24 +1555,32 @@ static void nss_close(struct ssl_connect_data *connssl)
> + static void Curl_nss_close(struct connectdata *conn, int sockindex)
> + {
> + struct ssl_connect_data *connssl = &conn->ssl[sockindex];
> ++#ifndef CURL_DISABLE_PROXY
> + struct ssl_connect_data *connssl_proxy = &conn->proxy_ssl[sockindex];
> ++#endif
> + struct ssl_backend_data *backend = connssl->backend;
> +
> +- if(backend->handle || connssl_proxy->backend->handle) {
> ++ if(backend->handle
> ++#ifndef CURL_DISABLE_PROXY
> ++ || connssl_proxy->backend->handle
> ++#endif
> ++ ) {
> + /* NSS closes the socket we previously handed to it, so we must mark it
> + as closed to avoid double close */
> + fake_sclose(conn->sock[sockindex]);
> + conn->sock[sockindex] = CURL_SOCKET_BAD;
> + }
> +
> ++#ifndef CURL_DISABLE_PROXY
> + if(backend->handle)
> + /* nss_close(connssl) will transitively close also
> + connssl_proxy->backend->handle if both are used. Clear it to avoid
> + a double close leading to crash. */
> + connssl_proxy->backend->handle = NULL;
> +
> +- nss_close(connssl);
> + nss_close(connssl_proxy);
> ++#endif
> ++ nss_close(connssl);
> + }
> +
> + /* return true if NSS can provide error code (and possibly msg) for the
> +@@ -1828,6 +1838,12 @@ static CURLcode nss_setup_connect(struct connectdata *conn, int sockindex)
> + CURLcode result;
> + bool second_layer = FALSE;
> + SSLVersionRange sslver_supported;
> ++#ifndef CURL_DISABLE_PROXY
> ++ const char *hostname = SSL_IS_PROXY() ? conn->http_proxy.host.name :
> ++ conn->host.name;
> ++#else
> ++ const char *hostname = conn->host.name;
> ++#endif
> +
> + SSLVersionRange sslver = {
> + SSL_LIBRARY_VERSION_TLS_1_0, /* min */
> +@@ -1932,9 +1948,11 @@ static CURLcode nss_setup_connect(struct connectdata *conn, int sockindex)
> + goto error;
> +
> + /* not checked yet */
> ++#ifndef CURL_DISABLE_PROXY
> + if(SSL_IS_PROXY())
> + data->set.proxy_ssl.certverifyresult = 0;
> + else
> ++#endif
> + data->set.ssl.certverifyresult = 0;
> +
> + if(SSL_BadCertHook(model, BadCertHandler, conn) != SECSuccess)
> +@@ -1991,12 +2009,14 @@ static CURLcode nss_setup_connect(struct connectdata *conn, int sockindex)
> + goto error;
> + }
> +
> ++#ifndef CURL_DISABLE_PROXY
> + if(conn->proxy_ssl[sockindex].use) {
> + DEBUGASSERT(ssl_connection_complete == conn->proxy_ssl[sockindex].state);
> + DEBUGASSERT(conn->proxy_ssl[sockindex].backend->handle != NULL);
> + nspr_io = conn->proxy_ssl[sockindex].backend->handle;
> + second_layer = TRUE;
> + }
> ++#endif
> + else {
> + /* wrap OS file descriptor by NSPR's file descriptor abstraction */
> + nspr_io = PR_ImportTCPSocket(sockfd);
> +@@ -2077,8 +2097,11 @@ static CURLcode nss_setup_connect(struct connectdata *conn, int sockindex)
> + unsigned char protocols[128];
> +
> + #ifdef USE_NGHTTP2
> +- if(data->set.httpversion >= CURL_HTTP_VERSION_2 &&
> +- (!SSL_IS_PROXY() || !conn->bits.tunnel_proxy)) {
> ++ if(data->set.httpversion >= CURL_HTTP_VERSION_2
> ++#ifndef CURL_DISABLE_PROXY
> ++ && (!SSL_IS_PROXY() || !conn->bits.tunnel_proxy)
> ++#endif
> ++ ) {
> + protocols[cur++] = NGHTTP2_PROTO_VERSION_ID_LEN;
> + memcpy(&protocols[cur], NGHTTP2_PROTO_VERSION_ID,
> + NGHTTP2_PROTO_VERSION_ID_LEN);
> +@@ -2101,14 +2124,11 @@ static CURLcode nss_setup_connect(struct connectdata *conn, int sockindex)
> + goto error;
> +
> + /* propagate hostname to the TLS layer */
> +- if(SSL_SetURL(backend->handle, SSL_IS_PROXY() ? conn->http_proxy.host.name :
> +- conn->host.name) != SECSuccess)
> ++ if(SSL_SetURL(backend->handle, hostname) != SECSuccess)
> + goto error;
> +
> + /* prevent NSS from re-using the session for a different hostname */
> +- if(SSL_SetSockPeerID(backend->handle, SSL_IS_PROXY() ?
> +- conn->http_proxy.host.name : conn->host.name)
> +- != SECSuccess)
> ++ if(SSL_SetSockPeerID(backend->handle, hostname) != SECSuccess)
> + goto error;
> +
> + return CURLE_OK;
> +@@ -2127,11 +2147,17 @@ static CURLcode nss_do_connect(struct connectdata *conn, int sockindex)
> + struct Curl_easy *data = conn->data;
> + CURLcode result = CURLE_SSL_CONNECT_ERROR;
> + PRUint32 timeout;
> ++#ifndef CURL_DISABLE_PROXY
> + long * const certverifyresult = SSL_IS_PROXY() ?
> + &data->set.proxy_ssl.certverifyresult : &data->set.ssl.certverifyresult;
> + const char * const pinnedpubkey = SSL_IS_PROXY() ?
> + data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY] :
> + data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG];
> ++#else
> ++ long * const certverifyresult = &data->set.ssl.certverifyresult;
> ++ const char * const pinnedpubkey =
> ++ data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG];
> ++#endif
> +
> +
> + /* check timeout situation */
> +--
> +2.27.0
> +
> --
> 2.27.0
>
> _______________________________________________
> buildroot mailing list
> buildroot at busybox.net
> http://lists.busybox.net/mailman/listinfo/buildroot
--
.-----------------.--------------------.------------------.--------------------.
| Yann E. MORIN | Real-Time Embedded | /"\ ASCII RIBBON | Erics' conspiracy: |
| +33 662 376 056 | Software Designer | \ / CAMPAIGN | ___ |
| +33 561 099 427 `------------.-------: X AGAINST | \e/ There is no |
| http://ymorin.is-a-geek.org/ | _/*\_ | / \ HTML MAIL | v conspiracy. |
'------------------------------^-------^------------------^--------------------'
next prev parent reply other threads:[~2020-07-09 20:19 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-07-09 6:06 [Buildroot] [PATCH] package/libcurl: fix no-proxy build with bearssl and nss Baruch Siach
2020-07-09 20:19 ` Yann E. MORIN [this message]
2020-07-16 15:50 ` Peter Korsgaard
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200709201916.GC2273@scaer \
--to=yann.morin.1998@free.fr \
--cc=buildroot@busybox.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.