| -rw-r--r-- | 0001-curl-7.21.7-a7864c4.patch | 453 | ||||
| -rw-r--r-- | 0001-curl-7.27.0-1f8518c5.patch | 34 | ||||
| -rw-r--r-- | 0002-curl-7.21.7-5eb2396.patch | 30 | ||||
| -rw-r--r-- | 0002-curl-7.27.0-f05e5136.patch | 197 | ||||
| -rw-r--r-- | 0003-curl-7.21.7-5538904.patch | 131 | ||||
| -rw-r--r-- | 0003-curl-7.27.0-382429e7.patch | 32 | ||||
| -rw-r--r-- | 0004-curl-7.21.7-d6f319f.patch | 118 | ||||
| -rw-r--r-- | 0004-curl-7.27.0-52b6eda4.patch | 115 | ||||
| -rw-r--r-- | 0005-curl-7.21.7-61ae7e9.patch | 46 | ||||
| -rw-r--r-- | 0005-curl-7.27.0-f208bf5a.patch | 190 | ||||
| -rw-r--r-- | 0006-curl-7.21.7-3445fa2.patch | 146 | ||||
| -rw-r--r-- | 0006-curl-7.27.0-68d2830e.patch | 68 | ||||
| -rw-r--r-- | 0007-curl-7.27.0-b36f1d26.patch | 55 | ||||
| -rw-r--r-- | 0008-curl-7.27.0-26613d78.patch | 30 | ||||
| -rw-r--r-- | 0009-curl-7.27.0-f206d6c0.patch | 69 | ||||
| -rw-r--r-- | 0010-curl-7.27.0-57ccdfa8.patch | 158 | ||||
| -rw-r--r-- | 0101-curl-7.27.0-multilib.patch (renamed from 0101-curl-7.21.1-multilib.patch) | 12 | ||||
| -rw-r--r-- | 0102-curl-7.27.0-debug.patch | 58 | ||||
| -rw-r--r-- | 0105-curl-7.21.3-disable-test1112.patch | 30 | ||||
| -rw-r--r-- | 0108-curl-7.27.0-utf8.patch | 86 | ||||
| -rw-r--r-- | curl.spec | 83 | 
21 files changed, 1147 insertions, 994 deletions
diff --git a/0001-curl-7.21.7-a7864c4.patch b/0001-curl-7.21.7-a7864c4.patch
deleted file mode 100644
index 477f1e1..0000000
--- a/0001-curl-7.21.7-a7864c4.patch
+++ /dev/null
@@ -1,453 +0,0 @@ -From fd86734fca0945b2d6b90d6d7d0224cf0732114a Mon Sep 17 00:00:00 2001 -From: Kamil Dudka <kdudka@redhat.com> -Date: Wed, 3 Aug 2011 12:48:49 +0200 -Subject: [PATCH 1/2] curl - rhbz #719939 - ---- - docs/libcurl/curl_easy_setopt.3  |    8 ++++++ - docs/libcurl/symbols-in-versions |    4 +++ - include/curl/curl.h              |    7 +++++ - lib/Makefile.in                  |   18 +++++++++++--- - lib/Makefile.inc                 |    4 +- - lib/curl_gssapi.c                |   44 ++++++++++++++++++++++++++++++++++++ - lib/curl_gssapi.h                |   46 ++++++++++++++++++++++++++++++++++++++ - lib/http_negotiate.c             |    6 ++++- - lib/krb5.c                       |    6 ++++- - lib/socks_gssapi.c               |    7 ++++- - lib/url.c                        |    6 +++++ - lib/urldata.h                    |    3 ++ - 12 files changed, 149 insertions(+), 10 deletions(-) - create mode 100644 lib/curl_gssapi.c - create mode 100644 lib/curl_gssapi.h - -diff --git a/docs/libcurl/curl_easy_setopt.3 b/docs/libcurl/curl_easy_setopt.3 -index c2804f3..3b7826b 100644 ---- a/docs/libcurl/curl_easy_setopt.3 -+++ b/docs/libcurl/curl_easy_setopt.3 -@@ -2105,6 +2105,14 @@ of these, 'private' will be used. Set the string to NULL to disable kerberos - support for FTP. -  - (This option was known as CURLOPT_KRB4LEVEL up to 7.16.3) -+.IP CURLOPT_GSSAPI_DELEGATION -+Set the parameter to CURLGSSAPI_DELEGATION_FLAG to allow unconditional GSSAPI -+credential delegation.  The delegation is disabled by default since 7.21.7. -+Set the parameter to CURLGSSAPI_DELEGATION_POLICY_FLAG to delegate only if -+the OK-AS-DELEGATE flag is set in the service ticket in case this feature is -+supported by the GSSAPI implementation and the definition of -+GSS_C_DELEG_POLICY_FLAG was available at compile-time. 
-+(Added in 7.21.8) - .SH SSH OPTIONS - .IP CURLOPT_SSH_AUTH_TYPES - Pass a long set to a bitmask consisting of one or more of -diff --git a/docs/libcurl/symbols-in-versions b/docs/libcurl/symbols-in-versions -index 9257fb1..3c8f715 100644 ---- a/docs/libcurl/symbols-in-versions -+++ b/docs/libcurl/symbols-in-versions -@@ -186,6 +186,9 @@ CURLFTPSSL_TRY                  7.11.0        7.17.0 - CURLFTP_CREATE_DIR              7.19.4 - CURLFTP_CREATE_DIR_NONE         7.19.4 - CURLFTP_CREATE_DIR_RETRY        7.19.4 -+CURLGSSAPI_DELEGATION_FLAG      7.21.8 -+CURLGSSAPI_DELEGATION_NONE      7.21.8 -+CURLGSSAPI_DELEGATION_POLICY_FLAG 7.21.8 - CURLINFO_APPCONNECT_TIME        7.19.0 - CURLINFO_CERTINFO               7.19.1 - CURLINFO_CONDITION_UNMET        7.19.4 -@@ -344,6 +347,7 @@ CURLOPT_FTP_SSL_CCC             7.16.1 - CURLOPT_FTP_USE_EPRT            7.10.5 - CURLOPT_FTP_USE_EPSV            7.9.2 - CURLOPT_FTP_USE_PRET            7.20.0 -+CURLOPT_GSSAPI_DELEGATION       7.21.8 - CURLOPT_HEADER                  7.1 - CURLOPT_HEADERDATA              7.10 - CURLOPT_HEADERFUNCTION          7.7.2 -diff --git a/include/curl/curl.h b/include/curl/curl.h -index a9d42fa..bcbab86 100644 ---- a/include/curl/curl.h -+++ b/include/curl/curl.h -@@ -614,6 +614,10 @@ typedef enum { - #define CURLSSH_AUTH_KEYBOARD  (1<<3) /* keyboard interactive */ - #define CURLSSH_AUTH_DEFAULT CURLSSH_AUTH_ANY -  -+#define CURLGSSAPI_DELEGATION_NONE        0      /* no delegation (default) */ -+#define CURLGSSAPI_DELEGATION_POLICY_FLAG (1<<0) /* if permitted by policy */ -+#define CURLGSSAPI_DELEGATION_FLAG        (1<<1) /* delegate always */ -+ - #define CURL_ERROR_SIZE 256 -  - struct curl_khkey { -@@ -1483,6 +1487,9 @@ typedef enum { -   CINIT(CLOSESOCKETFUNCTION, FUNCTIONPOINT, 208), -   CINIT(CLOSESOCKETDATA, OBJECTPOINT, 209), -  -+  /* allow GSSAPI credential delegation */ -+  CINIT(GSSAPI_DELEGATION, LONG, 210), -+ -   CURLOPT_LASTENTRY /* the last unused */ - } CURLoption; -  -diff --git 
a/lib/Makefile.in b/lib/Makefile.in -index a99f5e9..d5c65e7 100644 ---- a/lib/Makefile.in -+++ b/lib/Makefile.in -@@ -94,7 +94,7 @@ am__objects_1 = file.lo timeval.lo base64.lo hostip.lo progress.lo \ - 	curl_threads.lo warnless.lo hmac.lo polarssl.lo curl_rtmp.lo \ - 	openldap.lo curl_gethostname.lo gopher.lo axtls.lo \ - 	idn_win32.lo http_negotiate_sspi.lo cyassl.lo http_proxy.lo \ --	non-ascii.lo asyn-ares.lo asyn-thread.lo -+	non-ascii.lo asyn-ares.lo asyn-thread.lo curl_gssapi.lo - am__objects_2 = - am_libcurl_la_OBJECTS = $(am__objects_1) $(am__objects_2) - libcurl_la_OBJECTS = $(am_libcurl_la_OBJECTS) -@@ -144,7 +144,8 @@ am__objects_3 = libcurlu_la-file.lo libcurlu_la-timeval.lo \ - 	libcurlu_la-axtls.lo libcurlu_la-idn_win32.lo \ - 	libcurlu_la-http_negotiate_sspi.lo libcurlu_la-cyassl.lo \ - 	libcurlu_la-http_proxy.lo libcurlu_la-non-ascii.lo \ --	libcurlu_la-asyn-ares.lo libcurlu_la-asyn-thread.lo -+	libcurlu_la-asyn-ares.lo libcurlu_la-asyn-thread.lo \ -+	libcurlu_la-curl_gssapi.lo - am_libcurlu_la_OBJECTS = $(am__objects_3) $(am__objects_2) - libcurlu_la_OBJECTS = $(am_libcurlu_la_OBJECTS) - @BUILD_UNITTESTS_TRUE@am_libcurlu_la_rpath = -@@ -479,7 +480,7 @@ CSOURCES = file.c timeval.c base64.c hostip.c progress.c formdata.c	\ -   pingpong.c rtsp.c curl_threads.c warnless.c hmac.c polarssl.c		\ -   curl_rtmp.c openldap.c curl_gethostname.c gopher.c axtls.c		\ -   idn_win32.c http_negotiate_sspi.c cyassl.c http_proxy.c non-ascii.c	\ --  asyn-ares.c asyn-thread.c -+  asyn-ares.c asyn-thread.c curl_gssapi.c -  - HHEADERS = arpa_telnet.h netrc.h file.h timeval.h qssl.h hostip.h	\ -   progress.h formdata.h cookie.h http.h sendf.h ftp.h url.h dict.h	\ -@@ -494,7 +495,7 @@ HHEADERS = arpa_telnet.h netrc.h file.h timeval.h qssl.h hostip.h	\ -   curl_base64.h rawstr.h curl_addrinfo.h curl_sspi.h slist.h nonblock.h	\ -   curl_memrchr.h imap.h pop3.h smtp.h pingpong.h rtsp.h curl_threads.h	\ -   warnless.h curl_hmac.h polarssl.h curl_rtmp.h curl_gethostname.h	\ -- 
 gopher.h axtls.h cyassl.h http_proxy.h non-ascii.h asyn.h -+  gopher.h axtls.h cyassl.h http_proxy.h non-ascii.h asyn.h curl_gssapi.h -  -  - # Makefile.inc provides the CSOURCES and HHEADERS defines -@@ -612,6 +613,7 @@ distclean-compile: - @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/curl_addrinfo.Plo@am__quote@ - @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/curl_fnmatch.Plo@am__quote@ - @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/curl_gethostname.Plo@am__quote@ -+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/curl_gssapi.Plo@am__quote@ - @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/curl_memrchr.Plo@am__quote@ - @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/curl_rand.Plo@am__quote@ - @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/curl_rtmp.Plo@am__quote@ -@@ -662,6 +664,7 @@ distclean-compile: - @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libcurlu_la-curl_addrinfo.Plo@am__quote@ - @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libcurlu_la-curl_fnmatch.Plo@am__quote@ - @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libcurlu_la-curl_gethostname.Plo@am__quote@ -+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libcurlu_la-curl_gssapi.Plo@am__quote@ - @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libcurlu_la-curl_memrchr.Plo@am__quote@ - @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libcurlu_la-curl_rand.Plo@am__quote@ - @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libcurlu_la-curl_rtmp.Plo@am__quote@ -@@ -1488,6 +1491,13 @@ libcurlu_la-asyn-thread.lo: asyn-thread.c - @AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ - @am__fastdepCC_FALSE@	$(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcurlu_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libcurlu_la-asyn-thread.lo `test -f 'asyn-thread.c' || echo '$(srcdir)/'`asyn-thread.c -  -+libcurlu_la-curl_gssapi.lo: curl_gssapi.c -+@am__fastdepCC_TRUE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) 
$(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcurlu_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libcurlu_la-curl_gssapi.lo -MD -MP -MF $(DEPDIR)/libcurlu_la-curl_gssapi.Tpo -c -o libcurlu_la-curl_gssapi.lo `test -f 'curl_gssapi.c' || echo '$(srcdir)/'`curl_gssapi.c -+@am__fastdepCC_TRUE@	$(am__mv) $(DEPDIR)/libcurlu_la-curl_gssapi.Tpo $(DEPDIR)/libcurlu_la-curl_gssapi.Plo -+@AMDEP_TRUE@@am__fastdepCC_FALSE@	source='curl_gssapi.c' object='libcurlu_la-curl_gssapi.lo' libtool=yes @AMDEPBACKSLASH@ -+@AMDEP_TRUE@@am__fastdepCC_FALSE@	DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -+@am__fastdepCC_FALSE@	$(LIBTOOL)  --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcurlu_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libcurlu_la-curl_gssapi.lo `test -f 'curl_gssapi.c' || echo '$(srcdir)/'`curl_gssapi.c -+ - mostlyclean-libtool: - 	-rm -f *.lo -  -diff --git a/lib/Makefile.inc b/lib/Makefile.inc -index 04285b5..51fc919 100644 ---- a/lib/Makefile.inc -+++ b/lib/Makefile.inc -@@ -22,7 +22,7 @@ CSOURCES = file.c timeval.c base64.c hostip.c progress.c formdata.c	\ -   pingpong.c rtsp.c curl_threads.c warnless.c hmac.c polarssl.c		\ -   curl_rtmp.c openldap.c curl_gethostname.c gopher.c axtls.c		\ -   idn_win32.c http_negotiate_sspi.c cyassl.c http_proxy.c non-ascii.c	\ --  asyn-ares.c asyn-thread.c -+  asyn-ares.c asyn-thread.c curl_gssapi.c -  - HHEADERS = arpa_telnet.h netrc.h file.h timeval.h qssl.h hostip.h	\ -   progress.h formdata.h cookie.h http.h sendf.h ftp.h url.h dict.h	\ -@@ -37,4 +37,4 @@ HHEADERS = arpa_telnet.h netrc.h file.h timeval.h qssl.h hostip.h	\ -   curl_base64.h rawstr.h curl_addrinfo.h curl_sspi.h slist.h nonblock.h	\ -   curl_memrchr.h imap.h pop3.h smtp.h pingpong.h rtsp.h curl_threads.h	\ -   warnless.h curl_hmac.h polarssl.h curl_rtmp.h curl_gethostname.h	\ --  gopher.h axtls.h cyassl.h http_proxy.h non-ascii.h asyn.h -+  
gopher.h axtls.h cyassl.h http_proxy.h non-ascii.h asyn.h curl_gssapi.h -diff --git a/lib/curl_gssapi.c b/lib/curl_gssapi.c -new file mode 100644 -index 0000000..e55c9cc ---- /dev/null -+++ b/lib/curl_gssapi.c -@@ -0,0 +1,44 @@ -+/*************************************************************************** -+ *                                  _   _ ____  _ -+ *  Project                     ___| | | |  _ \| | -+ *                             / __| | | | |_) | | -+ *                            | (__| |_| |  _ <| |___ -+ *                             \___|\___/|_| \_\_____| -+ * -+ * Copyright (C) 2011, Daniel Stenberg, <daniel@haxx.se>, et al. -+ * -+ * This software is licensed as described in the file COPYING, which -+ * you should have received as part of this distribution. The terms -+ * are also available at http://curl.haxx.se/docs/copyright.html. -+ * -+ * You may opt to use, copy, modify, merge, publish, distribute and/or sell -+ * copies of the Software, and permit persons to whom the Software is -+ * furnished to do so, under the terms of the COPYING file. -+ * -+ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY -+ * KIND, either express or implied. 
-+ * -+ ***************************************************************************/ -+ -+#include "setup.h" -+ -+#ifdef HAVE_GSSAPI -+ -+#include "curl_gssapi.h" -+ -+void Curl_gss_req_flags(OM_uint32 *req_flags, const struct SessionHandle *data) -+{ -+  if(data->set.gssapi_delegation & CURLGSSAPI_DELEGATION_POLICY_FLAG) { -+#ifdef GSS_C_DELEG_POLICY_FLAG -+    *req_flags |= GSS_C_DELEG_POLICY_FLAG; -+#else -+    infof(data, "warning: support for CURLGSSAPI_DELEGATION_POLICY_FLAG not " -+        "compiled in\n"); -+#endif -+  } -+ -+  if(data->set.gssapi_delegation & CURLGSSAPI_DELEGATION_FLAG) -+    *req_flags |= GSS_C_DELEG_FLAG; -+} -+ -+#endif /* HAVE_GSSAPI */ -diff --git a/lib/curl_gssapi.h b/lib/curl_gssapi.h -new file mode 100644 -index 0000000..02aa527 ---- /dev/null -+++ b/lib/curl_gssapi.h -@@ -0,0 +1,46 @@ -+#ifndef HEADER_CURL_GSSAPI_H -+#define HEADER_CURL_GSSAPI_H -+/*************************************************************************** -+ *                                  _   _ ____  _ -+ *  Project                     ___| | | |  _ \| | -+ *                             / __| | | | |_) | | -+ *                            | (__| |_| |  _ <| |___ -+ *                             \___|\___/|_| \_\_____| -+ * -+ * Copyright (C) 2011, Daniel Stenberg, <daniel@haxx.se>, et al. -+ * -+ * This software is licensed as described in the file COPYING, which -+ * you should have received as part of this distribution. The terms -+ * are also available at http://curl.haxx.se/docs/copyright.html. -+ * -+ * You may opt to use, copy, modify, merge, publish, distribute and/or sell -+ * copies of the Software, and permit persons to whom the Software is -+ * furnished to do so, under the terms of the COPYING file. -+ * -+ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY -+ * KIND, either express or implied. 
-+ * -+ ***************************************************************************/ -+ -+#include "setup.h" -+#include "urldata.h" -+ -+#ifdef HAVE_GSSAPI -+ -+#ifdef HAVE_GSSGNU -+#  include <gss.h> -+#elif defined HAVE_GSSMIT -+   /* MIT style */ -+#  include <gssapi/gssapi.h> -+#  include <gssapi/gssapi_generic.h> -+#  include <gssapi/gssapi_krb5.h> -+#else -+   /* Heimdal-style */ -+#  include <gssapi.h> -+#endif -+ -+void Curl_gss_req_flags(OM_uint32 *req_flags, const struct SessionHandle *data); -+ -+#endif /* HAVE_GSSAPI */ -+ -+#endif /* HEADER_CURL_GSSAPI_H */ -diff --git a/lib/http_negotiate.c b/lib/http_negotiate.c -index 5127e64..8cb69fe 100644 ---- a/lib/http_negotiate.c -+++ b/lib/http_negotiate.c -@@ -40,6 +40,7 @@ - #include "curl_base64.h" - #include "http_negotiate.h" - #include "curl_memory.h" -+#include "curl_gssapi.h" -  - #ifdef HAVE_SPNEGO - #  include <spnegohelp.h> -@@ -144,6 +145,9 @@ int Curl_input_negotiate(struct connectdata *conn, bool proxy, -   bool gss; -   const char* protocol; -  -+  OM_uint32 req_flags = 0; -+  Curl_gss_req_flags(&req_flags, conn->data); -+ -   while(*header && ISSPACE(*header)) -     header++; -   if(checkprefix("GSS-Negotiate", header)) { -@@ -243,7 +247,7 @@ int Curl_input_negotiate(struct connectdata *conn, bool proxy, -                                       &neg_ctx->context, -                                       neg_ctx->server_name, -                                       GSS_C_NO_OID, --                                      0, -+                                      req_flags, -                                       0, -                                       GSS_C_NO_CHANNEL_BINDINGS, -                                       &input_token, -diff --git a/lib/krb5.c b/lib/krb5.c -index f128d51..08f70f9 100644 ---- a/lib/krb5.c -+++ b/lib/krb5.c -@@ -65,6 +65,7 @@ - #include "sendf.h" - #include "krb4.h" - #include "curl_memory.h" -+#include "curl_gssapi.h" -  - #define _MPRINTF_REPLACE /* use our functions 
only */ - #include <curl/mprintf.h> -@@ -185,6 +186,9 @@ krb5_auth(void *app_data, struct connectdata *conn) -   gss_ctx_id_t *context = app_data; -   struct gss_channel_bindings_struct chan; -  -+  OM_uint32 req_flags = GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG; -+  Curl_gss_req_flags(&req_flags, data); -+ -   if(getsockname(conn->sock[FIRSTSOCKET], -                  (struct sockaddr *)LOCAL_ADDR, &l) < 0) -     perror("getsockname()"); -@@ -247,7 +251,7 @@ krb5_auth(void *app_data, struct connectdata *conn) -                                  context, -                                  gssname, -                                  GSS_C_NO_OID, --                                 GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG, -+                                 req_flags, -                                  0, -                                  &chan, -                                  gssresp, -diff --git a/lib/socks_gssapi.c b/lib/socks_gssapi.c -index 653306c..57048be 100644 ---- a/lib/socks_gssapi.c -+++ b/lib/socks_gssapi.c -@@ -43,6 +43,7 @@ - #include "timeval.h" - #include "socks.h" - #include "warnless.h" -+#include "curl_gssapi.h" -  - #define _MPRINTF_REPLACE /* use our functions only */ - #include <curl/mprintf.h> -@@ -137,6 +138,9 @@ CURLcode Curl_SOCKS5_gssapi_negotiate(int sockindex, -   unsigned char socksreq[4]; /* room for gssapi exchange header only */ -   char *serviceptr = data->set.str[STRING_SOCKS5_GSSAPI_SERVICE]; -  -+  OM_uint32 req_flags = GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG; -+  Curl_gss_req_flags(&req_flags, data); -+ -   /* get timeout */ -   timeout = Curl_timeleft(data, NULL, TRUE); -  -@@ -187,8 +191,7 @@ CURLcode Curl_SOCKS5_gssapi_negotiate(int sockindex, -                                             GSS_C_NO_CREDENTIAL, -                                             &gss_context, server, -                                             GSS_C_NULL_OID, --                                            GSS_C_MUTUAL_FLAG | --                             
               GSS_C_REPLAY_FLAG, -+                                            req_flags, -                                             0, -                                             NULL, -                                             gss_token, -diff --git a/lib/url.c b/lib/url.c -index c5b642f..39e04af 100644 ---- a/lib/url.c -+++ b/lib/url.c -@@ -1985,6 +1985,12 @@ CURLcode Curl_setopt(struct SessionHandle *data, CURLoption option, -                        va_arg(param, char *)); -     data->set.krb = (bool)(NULL != data->set.str[STRING_KRB_LEVEL]); -     break; -+  case CURLOPT_GSSAPI_DELEGATION: -+    /* -+     * GSSAPI credential delegation -+     */ -+    data->set.gssapi_delegation = va_arg(param, long); -+    break; -   case CURLOPT_SSL_VERIFYPEER: -     /* -      * Enable peer SSL verifying. -diff --git a/lib/urldata.h b/lib/urldata.h -index d256968..d3cfec3 100644 ---- a/lib/urldata.h -+++ b/lib/urldata.h -@@ -1517,6 +1517,9 @@ struct UserDefined { -   curl_fnmatch_callback fnmatch; /* callback to decide which file corresponds -                                     to pattern (e.g. if WILDCARDMATCH is on) */ -   void *fnmatch_data; -+ -+  long gssapi_delegation; /* GSSAPI credential delegation, see the -+                             documentation of CURLOPT_GSSAPI_DELEGATION */ - }; -  - struct Names { ---  -1.7.4.4 - - -From d4ea7258b1703497fd0c06e08369a6bd3e37d2e8 Mon Sep 17 00:00:00 2001 -From: Kamil Dudka <kdudka@redhat.com> -Date: Wed, 3 Aug 2011 18:00:07 +0200 -Subject: [PATCH 2/2] curl_gssapi: add a missing include of sendf.h - -... to avoid build failure when GSS_C_DELEG_POLICY_FLAG is not defined. 
- -Reported by: Paul Howarth ---- - lib/curl_gssapi.c |    3 ++- - lib/curl_gssapi.h |    2 +- - 2 files changed, 3 insertions(+), 2 deletions(-) - -diff --git a/lib/curl_gssapi.c b/lib/curl_gssapi.c -index e55c9cc..d1b1715 100644 ---- a/lib/curl_gssapi.c -+++ b/lib/curl_gssapi.c -@@ -25,8 +25,9 @@ - #ifdef HAVE_GSSAPI -  - #include "curl_gssapi.h" -+#include "sendf.h" -  --void Curl_gss_req_flags(OM_uint32 *req_flags, const struct SessionHandle *data) -+void Curl_gss_req_flags(OM_uint32 *req_flags, struct SessionHandle *data) - { -   if(data->set.gssapi_delegation & CURLGSSAPI_DELEGATION_POLICY_FLAG) { - #ifdef GSS_C_DELEG_POLICY_FLAG -diff --git a/lib/curl_gssapi.h b/lib/curl_gssapi.h -index 02aa527..c8ffefc 100644 ---- a/lib/curl_gssapi.h -+++ b/lib/curl_gssapi.h -@@ -39,7 +39,7 @@ - #  include <gssapi.h> - #endif -  --void Curl_gss_req_flags(OM_uint32 *req_flags, const struct SessionHandle *data); -+void Curl_gss_req_flags(OM_uint32 *req_flags, struct SessionHandle *data); -  - #endif /* HAVE_GSSAPI */ -  ---  -1.7.4.4 - diff --git a/0001-curl-7.27.0-1f8518c5.patch b/0001-curl-7.27.0-1f8518c5.patch new file mode 100644 index 0000000..02e2e6e --- /dev/null +++ b/0001-curl-7.27.0-1f8518c5.patch 
@@ -0,0 +1,34 @@
+From e693b8e6591366ef2c077ba90fe0315a8a0b00c5 Mon Sep 17 00:00:00 2001
+From: Kamil Dudka <kdudka@redhat.com>
+Date: Mon, 30 Jul 2012 14:20:07 +0200
+Subject: [PATCH] file: use fdopen() for uploaded files if available
+
+It eliminates noisy events when using inotify and fixes a TOCTOU issue.
+
+Bug: https://bugzilla.redhat.com/844385
+
+[upstream commit 1f8518c5d9aaa369dae85620973f9b5c1add3277]
+---
+ lib/file.c |    4 ++++
+ 1 files changed, 4 insertions(+), 0 deletions(-)
+
+diff --git a/lib/file.c b/lib/file.c
+index 4447c73..1025022 100644
+--- a/lib/file.c
++++ b/lib/file.c
+@@ -351,8 +351,12 @@ static CURLcode file_upload(struct connectdata *conn)
+       failf(data, "Can't open %s for writing", file->path);
+       return CURLE_WRITE_ERROR;
+     }
++#ifdef HAVE_FDOPEN
++    fp = fdopen(fd, "wb");
++#else
+     close(fd);
+     fp = fopen(file->path, "wb");
++#endif
+   }
+ 
+   if(!fp) {
+-- 
+1.7.1
+
diff --git a/0002-curl-7.21.7-5eb2396.patch b/0002-curl-7.21.7-5eb2396.patch
deleted file mode 100644
index ded2da9..0000000
--- a/0002-curl-7.21.7-5eb2396.patch
+++ /dev/null
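Review bot: A failed `fdopen(fd, "wb")` in the `HAVE_FDOPEN` branch of the lib/file.c hunk leaves `fd` open, while the `#else` branch closes it before calling `fopen()`. The `if(!fp)` check is the last context line and its body is outside the hunk, so the leak is inferred; adding `if(!fp) close(fd);` directly after the `fdopen()` line would rule it out. `fdopen()` with "wb" also does not truncate the file the way `fopen()` does, so truncation now rests on the flags of the earlier `open()` call, which this hunk does not show. Builds without `HAVE_FDOPEN` keep the close-and-reopen sequence that the commit message calls a TOCTOU issue; a short comment on the `#else` branch saying so, `/* no fdopen(): the path is resolved a second time here */`, would make that visible to packagers.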
@@ -1,30 +0,0 @@
-From 5eb2396cd15cbbf73b02ad6bbcc313167330c2b5 Mon Sep 17 00:00:00 2001
-From: Daniel Stenberg <daniel@haxx.se>
-Date: Thu, 4 Aug 2011 23:22:48 +0200
-Subject: [PATCH] segfault fixed
-
-When using both -J and a single -O with multiple URLs, a missing init
-could cause badness.
-
-Bug: http://curl.haxx.se/mail/lib-2011-07/0126.html and
-     http://bugzilla.redhat.com/723075
-Reported by: Paul Howarth and Garrett Holmstrom
----
- src/main.c |    1 +
- 1 files changed, 1 insertions(+), 0 deletions(-)
-
-diff --git a/src/main.c b/src/main.c
-index 6dcf333..eae45de 100644
---- a/src/main.c
-+++ b/src/main.c
-@@ -4866,6 +4866,7 @@ operate(struct Configurable *config, int argc, argv_item_t argv[])
-     outs.stream = stdout;
-     outs.config = config;
-     outs.bytes = 0; /* nothing written yet */
-+    outs.filename = NULL;
- 
-     /* save outfile pattern before expansion */
-     if(urlnode->outfile) {
--- 
-1.7.4.4
-
diff --git a/0002-curl-7.27.0-f05e5136.patch b/0002-curl-7.27.0-f05e5136.patch
new file mode 100644
index 0000000..7413ed6
--- /dev/null
+++ b/0002-curl-7.27.0-f05e5136.patch
@@ -0,0 +1,197 @@ +From ce515e993fe7bc7e95549317fe5180b196454d4c Mon Sep 17 00:00:00 2001 +From: Kamil Dudka <kdudka@redhat.com> +Date: Wed, 12 Sep 2012 16:06:18 +0200 +Subject: [PATCH 1/3] ssh: move the fingerprint checking code to a separate fnc + +--- + lib/ssh.c |   71 +++++++++++++++++++++++++++++++++--------------------------- + 1 files changed, 39 insertions(+), 32 deletions(-) + +diff --git a/lib/ssh.c b/lib/ssh.c +index c76a48e..4455d44 100644 +--- a/lib/ssh.c ++++ b/lib/ssh.c +@@ -635,6 +635,43 @@ static CURLcode ssh_knownhost(struct connectdata *conn) +   return result; + } +  ++static bool ssh_check_fingerprint(struct connectdata *conn) ++{ ++  struct ssh_conn *sshc = &conn->proto.sshc; ++  struct SessionHandle *data = conn->data; ++  const char *pubkey_md5 = data->set.str[STRING_SSH_HOST_PUBLIC_KEY_MD5]; ++  char md5buffer[33]; ++  int i; ++ ++  const char *fingerprint = libssh2_hostkey_hash(sshc->ssh_session, ++      LIBSSH2_HOSTKEY_HASH_MD5); ++ ++  /* The fingerprint points to static storage (!), don't free() it. */ ++  for(i = 0; i < 16; i++) ++    snprintf(&md5buffer[i*2], 3, "%02x", (unsigned char) fingerprint[i]); ++  infof(data, "SSH MD5 fingerprint: %s\n", md5buffer); ++ ++  /* Before we authenticate we check the hostkey's MD5 fingerprint ++   * against a known fingerprint, if available. ++   */ ++  if(pubkey_md5 && strlen(pubkey_md5) == 32) { ++    if(!strequal(md5buffer, pubkey_md5)) { ++      failf(data, ++          "Denied establishing ssh session: mismatch md5 fingerprint. 
" ++          "Remote %s is not equal to %s", md5buffer, pubkey_md5); ++      state(conn, SSH_SESSION_FREE); ++      sshc->actualcode = CURLE_PEER_FAILED_VERIFICATION; ++      return sshc->actualcode; ++    } ++    else { ++      infof(data, "MD5 checksum match!\n"); ++      /* as we already matched, we skip the check for known hosts */ ++      return CURLE_OK; ++    } ++  } ++  else ++    return ssh_knownhost(conn); ++} +  + /* +  * ssh_statemach_act() runs the SSH state machine as far as it can without +@@ -650,10 +687,8 @@ static CURLcode ssh_statemach_act(struct connectdata *conn, bool *block) +   struct SSHPROTO *sftp_scp = data->state.proto.ssh; +   struct ssh_conn *sshc = &conn->proto.sshc; +   curl_socket_t sock = conn->sock[FIRSTSOCKET]; +-  const char *fingerprint; +-  char md5buffer[33]; +   char *new_readdir_line; +-  int rc = LIBSSH2_ERROR_NONE, i; ++  int rc = LIBSSH2_ERROR_NONE; +   int err; +   int seekerr = CURL_SEEKFUNC_OK; +   *block = 0; /* we're not blocking by default */ +@@ -694,35 +729,7 @@ static CURLcode ssh_statemach_act(struct connectdata *conn, bool *block) +        * against our known hosts. How that is handled (reading from file, +        * whatever) is up to us. +        */ +-      fingerprint = libssh2_hostkey_hash(sshc->ssh_session, +-                                         LIBSSH2_HOSTKEY_HASH_MD5); +- +-      /* The fingerprint points to static storage (!), don't free() it. */ +-      for(i = 0; i < 16; i++) +-        snprintf(&md5buffer[i*2], 3, "%02x", (unsigned char) fingerprint[i]); +-      infof(data, "SSH MD5 fingerprint: %s\n", md5buffer); +- +-      /* Before we authenticate we check the hostkey's MD5 fingerprint +-       * against a known fingerprint, if available. 
+-       */ +-      if(data->set.str[STRING_SSH_HOST_PUBLIC_KEY_MD5] && +-         strlen(data->set.str[STRING_SSH_HOST_PUBLIC_KEY_MD5]) == 32) { +-        if(!strequal(md5buffer, +-                     data->set.str[STRING_SSH_HOST_PUBLIC_KEY_MD5])) { +-          failf(data, +-                "Denied establishing ssh session: mismatch md5 fingerprint. " +-                "Remote %s is not equal to %s", +-                md5buffer, data->set.str[STRING_SSH_HOST_PUBLIC_KEY_MD5]); +-          state(conn, SSH_SESSION_FREE); +-          result = sshc->actualcode = CURLE_PEER_FAILED_VERIFICATION; +-        } +-        else +-          infof(data, "MD5 checksum match!\n"); +-        /* as we already matched, we skip the check for known hosts */ +-      } +-      else +-        result = ssh_knownhost(conn); +- ++      result = ssh_check_fingerprint(conn); +       if(!result) +         state(conn, SSH_AUTHLIST); +       break; +--  +1.7.1 + + +From f05e51362f310cb04b0ad8d086b9cf693aad5c9d Mon Sep 17 00:00:00 2001 +From: Kamil Dudka <kdudka@redhat.com> +Date: Wed, 12 Sep 2012 16:18:36 +0200 +Subject: [PATCH 2/3] ssh: do not crash if MD5 fingerprint is not provided by libssh2 + +The MD5 fingerprint cannot be computed when running in FIPS mode. +--- + lib/ssh.c |   22 ++++++++++++++-------- + 1 files changed, 14 insertions(+), 8 deletions(-) + +diff --git a/lib/ssh.c b/lib/ssh.c +index 4455d44..466566c 100644 +--- a/lib/ssh.c ++++ b/lib/ssh.c +@@ -646,19 +646,25 @@ static bool ssh_check_fingerprint(struct connectdata *conn) +   const char *fingerprint = libssh2_hostkey_hash(sshc->ssh_session, +       LIBSSH2_HOSTKEY_HASH_MD5); +  +-  /* The fingerprint points to static storage (!), don't free() it. */ +-  for(i = 0; i < 16; i++) +-    snprintf(&md5buffer[i*2], 3, "%02x", (unsigned char) fingerprint[i]); +-  infof(data, "SSH MD5 fingerprint: %s\n", md5buffer); ++  if(fingerprint) { ++    /* The fingerprint points to static storage (!), don't free() it. 
*/ ++    for(i = 0; i < 16; i++) ++      snprintf(&md5buffer[i*2], 3, "%02x", (unsigned char) fingerprint[i]); ++    infof(data, "SSH MD5 fingerprint: %s\n", md5buffer); ++  } +  +   /* Before we authenticate we check the hostkey's MD5 fingerprint +    * against a known fingerprint, if available. +    */ +   if(pubkey_md5 && strlen(pubkey_md5) == 32) { +-    if(!strequal(md5buffer, pubkey_md5)) { +-      failf(data, +-          "Denied establishing ssh session: mismatch md5 fingerprint. " +-          "Remote %s is not equal to %s", md5buffer, pubkey_md5); ++    if(!fingerprint || !strequal(md5buffer, pubkey_md5)) { ++      if(fingerprint) ++        failf(data, ++            "Denied establishing ssh session: mismatch md5 fingerprint. " ++            "Remote %s is not equal to %s", md5buffer, pubkey_md5); ++      else ++        failf(data, ++            "Denied establishing ssh session: md5 fingerprint not available"); +       state(conn, SSH_SESSION_FREE); +       sshc->actualcode = CURLE_PEER_FAILED_VERIFICATION; +       return sshc->actualcode; +--  +1.7.1 + + +From 1ab6c353635760e8e25bacc13ae0cab2f97f7338 Mon Sep 17 00:00:00 2001 +From: Marc Hoersken <info@marc-hoersken.de> +Date: Fri, 14 Sep 2012 14:48:55 +0200 +Subject: [PATCH 3/3] ssh.c: Fixed warning: implicit conversion from enumeration type + +Signed-off-by: Kamil Dudka <kdudka@redhat.com> +--- + lib/ssh.c |    4 ++-- + 1 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/lib/ssh.c b/lib/ssh.c +index 466566c..e8b7172 100644 +--- a/lib/ssh.c ++++ b/lib/ssh.c +@@ -635,7 +635,7 @@ static CURLcode ssh_knownhost(struct connectdata *conn) +   return result; + } +  +-static bool ssh_check_fingerprint(struct connectdata *conn) ++static CURLcode ssh_check_fingerprint(struct connectdata *conn) + { +   struct ssh_conn *sshc = &conn->proto.sshc; +   struct SessionHandle *data = conn->data; +@@ -736,7 +736,7 @@ static CURLcode ssh_statemach_act(struct connectdata *conn, bool *block) +        * whatever) is 
up to us. +        */ +       result = ssh_check_fingerprint(conn); +-      if(!result) ++      if(result == CURLE_OK) +         state(conn, SSH_AUTHLIST); +       break; +  +--  +1.7.1 + diff --git a/0003-curl-7.21.7-5538904.patch b/0003-curl-7.21.7-5538904.patch deleted file mode 100644 index 1374ad8..0000000 --- a/0003-curl-7.21.7-5538904.patch +++ /dev/null 
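Review bot: In `ssh_check_fingerprint()` a configured `STRING_SSH_HOST_PUBLIC_KEY_MD5` value whose length is not exactly 32 is silently ignored: `if(pubkey_md5 && strlen(pubkey_md5) == 32)` is false and control falls through to `ssh_knownhost(conn)`, so a mistyped pin (for example one written with colon separators) turns pinning off without any message. Patch 2/3 already fails closed when libssh2 returns no MD5 fingerprint, and the malformed-pin case should be handled the same way: test `if(pubkey_md5) {` and reject with `if(!fingerprint || strlen(pubkey_md5) != 32 || !strequal(md5buffer, pubkey_md5)) {`, which keeps `md5buffer` unread when `fingerprint` is NULL. What `ssh_knownhost()` accepts is outside this hunk, so the practical exposure depends on the known-hosts configuration. Whether any caller relies on an empty string meaning "no pin" cannot be seen here and should be confirmed before tightening the check.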
@@ -1,131 +0,0 @@ -From 9698db7fd56b08cc8f9bdeb2182bc9afdbcb4f90 Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg <daniel@haxx.se> -Date: Fri, 12 Aug 2011 14:48:32 +0200 -Subject: [PATCH 1/2] added --delegation - -Using this option with an argument being set to one of -none/policy/always instructs libcurl how to deal with GSS -credentials. Or rather how it tells the server that delegation is fine -or not. - -Signed-off-by: Kamil Dudka <kdudka@redhat.com> ---- - src/main.c |   29 ++++++++++++++++++++++++++--- - 1 files changed, 26 insertions(+), 3 deletions(-) - -diff --git a/src/main.c b/src/main.c -index d85bf62..3a2595c 100644 ---- a/src/main.c -+++ b/src/main.c -@@ -659,6 +659,7 @@ struct Configurable { -                              basically each given URL to transfer */ -   struct OutStruct *outs; -   bool xattr; /* store metadata in extended attributes */ -+  long gssapi_delegation; - }; -  - #define WARN_PREFIX "Warning: " -@@ -817,6 +818,7 @@ static void help(void) -     "    --data-binary <data> HTTP POST binary data (H)", -     "    --data-urlencode <name=data/name@filename> " -     "HTTP POST data url encoded (H)", -+    "    --delegation STRING GSS-API delegation permission", -     "    --digest        Use HTTP Digest Authentication (H)", -     "    --disable-eprt  Inhibit using EPRT or LPRT (F)", -     "    --disable-epsv  Inhibit using EPSV (F)", -@@ -1823,6 +1825,18 @@ static int sockoptcallback(void *clientp, curl_socket_t curlfd, -   return 0; - } -  -+static long delegation(struct Configurable *config, -+                       char *str) -+{ -+  if(curlx_raw_equal("none", str)) -+    return CURLGSSAPI_DELEGATION_NONE; -+  if(curlx_raw_equal("policy", str)) -+    return CURLGSSAPI_DELEGATION_POLICY_FLAG; -+  if(curlx_raw_equal("always", str)) -+    return CURLGSSAPI_DELEGATION_FLAG; -+  warnf(config, "unrecognized delegation method '%s', using none\n", str); -+  return CURLGSSAPI_DELEGATION_NONE; -+} -  - static ParameterError getparameter(char 
*flag, /* f or -long-flag */ -                                    char *nextarg, /* NULL if unset */ -@@ -1942,6 +1956,7 @@ static ParameterError getparameter(char *flag, /* f or -long-flag */ -     {"$D", "proto",      TRUE}, -     {"$E", "proto-redir", TRUE}, -     {"$F", "resolve",    TRUE}, -+    {"$G", "delegation", TRUE}, -     {"0", "http1.0",     FALSE}, -     {"1", "tlsv1",       FALSE}, -     {"2", "sslv2",       FALSE}, -@@ -2516,6 +2531,9 @@ static ParameterError getparameter(char *flag, /* f or -long-flag */ -         if(err) -           return err; -         break; -+      case 'G': /* --delegation LEVEL */ -+        config->gssapi_delegation = delegation(config, nextarg); -+        break; -       } -       break; -     case '#': /* --progress-bar */ -@@ -5564,9 +5582,14 @@ operate(struct Configurable *config, int argc, argv_item_t argv[]) -           /* new in 7.21.3 */ -           my_setopt(curl, CURLOPT_RESOLVE, config->resolve); -  --        /* TODO: new in ### */ --        curl_easy_setopt(curl, CURLOPT_TLSAUTH_USERNAME, config->tls_username); --        curl_easy_setopt(curl, CURLOPT_TLSAUTH_PASSWORD, config->tls_password); -+        /* new in 7.21.4 */ -+        my_setopt_str(curl, CURLOPT_TLSAUTH_USERNAME, config->tls_username); -+        my_setopt_str(curl, CURLOPT_TLSAUTH_PASSWORD, config->tls_password); -+ -+        /* new in 7.22.0 */ -+        if(config->gssapi_delegation) -+          my_setopt_str(curl, CURLOPT_GSSAPI_DELEGATION, -+                        config->gssapi_delegation); -  -         retry_numretries = config->req_retry; -  ---  -1.7.4.4 - - -From 8e404e1c3846cc98a1977514af5b0432ae2de755 Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg <daniel@haxx.se> -Date: Fri, 12 Aug 2011 23:51:41 +0200 -Subject: [PATCH 2/2] docs: --delegation - - -Signed-off-by: Kamil Dudka <kdudka@redhat.com> ---- - docs/curl.1 |   12 ++++++++++++ - 1 files changed, 12 insertions(+), 0 deletions(-) - -diff --git a/docs/curl.1 b/docs/curl.1 -index 
812b2eb..eee3481 100644 ---- a/docs/curl.1 -+++ b/docs/curl.1 -@@ -320,6 +320,18 @@ URL-encode that data and pass it on in the POST. The name part gets an equal - sign appended, resulting in \fIname=urlencoded-file-content\fP. Note that the - name is expected to be URL-encoded already. - .RE -+.IP "--delegation LEVEL" -+Set \fILEVEL\fP to tell the server what it is allowed to delegate when it -+comes to user credentials. Used with GSS/kerberos. -+.RS -+.IP "none" -+Don't allow any delegation. -+.IP "policy" -+Delegates if and only if the OK-AS-DELEGATE flag is set in the Kerberos -+service ticket, which is a matter of realm policy. -+.IP "always" -+Unconditionally allow the server to delegate. -+.RE - .IP "--digest" - (HTTP) Enables HTTP Digest authentication. This is a authentication that - prevents the password from being sent over the wire in clear text. Use this in ---  -1.7.4.4 - diff --git a/0003-curl-7.27.0-382429e7.patch b/0003-curl-7.27.0-382429e7.patch new file mode 100644 index 0000000..f25fe71 --- /dev/null +++ b/0003-curl-7.27.0-382429e7.patch 
@@ -0,0 +1,32 @@
+From 382429e7601de68564f08a88cc867dbcd6e2556a Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Tue, 7 Aug 2012 14:13:09 +0200
+Subject: [PATCH] curl-config: parentheses fix
+
+Braces, not parentheses, should be used for shell variable names.
+
+Bug: http://curl.haxx.se/bug/view.cgi?id=3551460
+Reported by: Edward Sheldrake
+---
+ curl-config.in |    4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/curl-config.in b/curl-config.in
+index a3ca8b5..731761c 100644
+--- a/curl-config.in
++++ b/curl-config.in
+@@ -135,9 +135,9 @@ while test $# -gt 0; do
+           CPPFLAG_CURL_STATICLIB=""
+         fi
+        	if test "X@includedir@" = "X/usr/include"; then
+-          echo "$(CPPFLAG_CURL_STATICLIB)"
++          echo "$CPPFLAG_CURL_STATICLIB"
+         else
+-          echo "$(CPPFLAG_CURL_STATICLIB)-I@includedir@"
++          echo "${CPPFLAG_CURL_STATICLIB}-I@includedir@"
+         fi
+        	;;
+ 
+-- 
+1.7.1
+
diff --git a/0004-curl-7.21.7-d6f319f.patch b/0004-curl-7.21.7-d6f319f.patch
deleted file mode 100644
index 33f430d..0000000
--- a/0004-curl-7.21.7-d6f319f.patch
+++ /dev/null
@@ -1,118 +0,0 @@ -From 857fed6e245a9620b0f25a2f4ca6d6dc01584674 Mon Sep 17 00:00:00 2001 -From: Kamil Dudka <kdudka@redhat.com> -Date: Mon, 15 Aug 2011 13:48:45 +0200 -Subject: [PATCH] nss: start with no database if the selected database is - broken - -Bug: https://bugzilla.redhat.com/728562 - -Signed-off-by: Kamil Dudka <kdudka@redhat.com> ---- - lib/nss.c |   63 +++++++++++++++++++++++++++++++++++++----------------------- - 1 files changed, 39 insertions(+), 24 deletions(-) - -diff --git a/lib/nss.c b/lib/nss.c -index 3dc0ba6..94a530b 100644 ---- a/lib/nss.c -+++ b/lib/nss.c -@@ -898,10 +898,42 @@ isTLSIntoleranceError(PRInt32 err) -   } - } -  --static CURLcode init_nss(struct SessionHandle *data) -+static CURLcode nss_init_core(struct SessionHandle *data, const char *cert_dir) -+{ -+  if(NSS_IsInitialized()) -+    return CURLE_OK; -+ -+  if(cert_dir) { -+    SECStatus rv; -+    const bool use_sql = NSS_VersionCheck("3.12.0"); -+    char *certpath = aprintf("%s%s", use_sql ? "sql:" : "", cert_dir); -+    if(!certpath) -+      return CURLE_OUT_OF_MEMORY; -+ -+    infof(data, "Initializing NSS with certpath: %s\n", certpath); -+    rv = NSS_Initialize(certpath, "", "", "", NSS_INIT_READONLY); -+    free(certpath); -+ -+    if(rv == SECSuccess) -+      return CURLE_OK; -+ -+    infof(data, "Unable to initialize NSS database\n"); -+  } -+ -+  infof(data, "Initializing NSS with certpath: none\n"); -+  if(NSS_NoDB_Init(NULL) == SECSuccess) -+    return CURLE_OK; -+ -+  infof(data, "Unable to initialize NSS\n"); -+  return CURLE_SSL_CACERT_BADFILE; -+} -+ -+static CURLcode nss_init(struct SessionHandle *data) - { -   char *cert_dir; -   struct_stat st; -+  CURLcode rv; -+ -   if(initialized) -     return CURLE_OK; -  -@@ -922,31 +954,14 @@ static CURLcode init_nss(struct SessionHandle *data) -     } -   } -  --  if(!NSS_IsInitialized()) { --    SECStatus rv; --    initialized = 1; --    infof(data, "Initializing NSS with certpath: %s\n", --          cert_dir ? 
cert_dir : "none"); --    if(!cert_dir) { --      rv = NSS_NoDB_Init(NULL); --    } --    else { --      char *certpath = --        PR_smprintf("%s%s", NSS_VersionCheck("3.12.0") ? "sql:" : "", --                    cert_dir); --      rv = NSS_Initialize(certpath, "", "", "", NSS_INIT_READONLY); --      PR_smprintf_free(certpath); --    } --    if(rv != SECSuccess) { --      infof(data, "Unable to initialize NSS database\n"); --      initialized = 0; --      return CURLE_SSL_CACERT_BADFILE; --    } --  } -+  rv = nss_init_core(data, cert_dir); -+  if(rv) -+    return rv; -  -   if(num_enabled_ciphers() == 0) -     NSS_SetDomesticPolicy(); -  -+  initialized = 1; -   return CURLE_OK; - } -  -@@ -981,7 +996,7 @@ CURLcode Curl_nss_force_init(struct SessionHandle *data) -   } -  -   PR_Lock(nss_initlock); --  rv = init_nss(data); -+  rv = nss_init(data); -   PR_Unlock(nss_initlock); -   return rv; - } -@@ -1184,7 +1199,7 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex) -  -   /* FIXME. NSS doesn't support multiple databases open at the same time. */ -   PR_Lock(nss_initlock); --  curlerr = init_nss(conn->data); -+  curlerr = nss_init(conn->data); -   if(CURLE_OK != curlerr) { -     PR_Unlock(nss_initlock); -     goto error; ---  -1.7.4.4 - diff --git a/0004-curl-7.27.0-52b6eda4.patch b/0004-curl-7.27.0-52b6eda4.patch new file mode 100644 index 0000000..a6b751b --- /dev/null +++ b/0004-curl-7.27.0-52b6eda4.patch 
@@ -0,0 +1,115 @@
+From fea7914a32b7d7a8ec4bbf4de0c2be74a32969bb Mon Sep 17 00:00:00 2001
+From: Kamil Dudka <kdudka@redhat.com>
+Date: Thu, 9 Aug 2012 09:40:00 +0200
+Subject: [PATCH 1/2] nss: do not print misleading NSS error codes
+
+[upstream commit 52b6eda4f2a006e33358c6964ef6a00b09ae59ab]
+---
+ lib/nss.c |   42 ++++++++++++++++++++++++++++++------------
+ 1 files changed, 30 insertions(+), 12 deletions(-)
+
+diff --git a/lib/nss.c b/lib/nss.c
+index b11796c..a8e08f4 100644
+--- a/lib/nss.c
++++ b/lib/nss.c
+@@ -1084,17 +1084,31 @@ int Curl_nss_close_all(struct SessionHandle *data)
+   return 0;
+ }
+ 
+-/* return true if the given error code is related to a client certificate */
+-static bool is_cc_error(PRInt32 err)
++/* return true if NSS can provide error code (and possibly msg) for the error */
++static bool is_nss_error(CURLcode err)
+ {
+   switch(err) {
+-  case SSL_ERROR_BAD_CERT_ALERT:
++  case CURLE_PEER_FAILED_VERIFICATION:
++  case CURLE_SSL_CACERT:
++  case CURLE_SSL_CACERT_BADFILE:
++  case CURLE_SSL_CERTPROBLEM:
++  case CURLE_SSL_CONNECT_ERROR:
++  case CURLE_SSL_CRL_BADFILE:
++  case CURLE_SSL_ISSUER_ERROR:
+     return true;
+ 
+-  case SSL_ERROR_REVOKED_CERT_ALERT:
+-    return true;
++  default:
++    return false;
++  }
++}
+ 
++/* return true if the given error code is related to a client certificate */
++static bool is_cc_error(PRInt32 err)
++{
++  switch(err) {
++  case SSL_ERROR_BAD_CERT_ALERT:
+   case SSL_ERROR_EXPIRED_CERT_ALERT:
++  case SSL_ERROR_REVOKED_CERT_ALERT:
+     return true;
+ 
+   default:
+@@ -1388,6 +1402,7 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex)
+   time_left = Curl_timeleft(data, NULL, TRUE);
+   if(time_left < 0L) {
+     failf(data, "timed out before SSL handshake");
++    curlerr = CURLE_OPERATION_TIMEDOUT;
+     goto error;
+   }
+   timeout = PR_MillisecondsToInterval((PRUint32) time_left);
+@@ -1432,15 +1447,18 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex)
+   /* reset the flag to avoid an infinite loop */
+   data->state.ssl_connect_retry = FALSE;
+ 
+-  err = PR_GetError();
+-  if(is_cc_error(err))
+-    curlerr = CURLE_SSL_CERTPROBLEM;
++  if(is_nss_error(curlerr)) {
++    /* read NSPR error code */
++    err = PR_GetError();
++    if(is_cc_error(err))
++      curlerr = CURLE_SSL_CERTPROBLEM;
+ 
+-  /* print the error number and error string */
+-  infof(data, "NSS error %d (%s)\n", err, nss_error_to_name(err));
++    /* print the error number and error string */
++    infof(data, "NSS error %d (%s)\n", err, nss_error_to_name(err));
+ 
+-  /* print a human-readable message describing the error if available */
+-  nss_print_error_message(data, err);
++    /* print a human-readable message describing the error if available */
++    nss_print_error_message(data, err);
++  }
+ 
+   if(model)
+     PR_Close(model);
+-- 
+1.7.1
+
+
+From b00ba010d0cd0a6ee77692fd4e38e6680b07a82e Mon Sep 17 00:00:00 2001
+From: Marc Hoersken <info@marc-hoersken.de>
+Date: Tue, 11 Sep 2012 09:49:23 +0200
+Subject: [PATCH 2/2] nss.c: Fixed warning: 'err' may be used uninitialized in this function
+
+[upstream commit e6ba0487013085afc5bc1ca7d7c8a15a13367ba6]
+---
+ lib/nss.c |    2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+diff --git a/lib/nss.c b/lib/nss.c
+index a8e08f4..fef7c3d 100644
+--- a/lib/nss.c
++++ b/lib/nss.c
+@@ -1173,7 +1173,7 @@ static CURLcode nss_load_ca_certificates(struct connectdata *conn,
+ 
+ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex)
+ {
+-  PRInt32 err;
++  PRErrorCode err = 0;
+   PRFileDesc *model = NULL;
+   PRBool ssl2 = PR_FALSE;
+   PRBool ssl3 = PR_FALSE;
+-- 
+1.7.1
+
diff --git a/0005-curl-7.21.7-61ae7e9.patch b/0005-curl-7.21.7-61ae7e9.patch
deleted file mode 100644
index 46cfe47..0000000
--- a/0005-curl-7.21.7-61ae7e9.patch
+++ /dev/null
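Review bot: The new `is_nss_error(curlerr)` gate in the error path of Curl_nss_connect() is only as accurate as the `curlerr` value each `goto error` site leaves behind, and this patch updates just the timeout site. Any other failure that reaches the error path with `curlerr` still holding one of the listed codes, without an NSS call having failed, would presumably still print a stale `PR_GetError()` value; those sites are outside the hunks, so this needs checking against the full function. I would document the contract above the helper, e.g. `/* must list exactly the curlerr values set on paths where an NSS/NSPR call failed */`. Accurate codes matter here because these messages are what people read when triaging certificate-verification failures.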
@@ -1,46 +0,0 @@ -From 61ae7e9ce77af86a7290fca8bf73c9798f80845c Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg <daniel@haxx.se> -Date: Sun, 21 Aug 2011 12:59:06 +0200 -Subject: [PATCH] main: fix segfault - -Follow-up to commit 5eb2396cd as that wasn't complete. - -At times HEADERFUNCTION+HEADERDATA was set only to have only HEADERDATA -set in the subsequent loop which could cause a NULL to get sent as -userdata to 'header_callback' which wasn't made to handle that. - -Now HEADERFUNCTION is explicitly set to NULL if it isn't set to the -callback. ---- - src/main.c |    8 ++++++-- - 1 files changed, 6 insertions(+), 2 deletions(-) - -diff --git a/src/main.c b/src/main.c -index 276718b..56cd133 100644 ---- a/src/main.c -+++ b/src/main.c -@@ -5371,8 +5371,6 @@ operate(struct Configurable *config, int argc, argv_item_t argv[]) -         my_setopt(curl, CURLOPT_QUOTE, config->quote); -         my_setopt(curl, CURLOPT_POSTQUOTE, config->postquote); -         my_setopt(curl, CURLOPT_PREQUOTE, config->prequote); --        my_setopt(curl, CURLOPT_HEADERDATA, --                  config->headerfile?&heads:NULL); -         my_setopt_str(curl, CURLOPT_COOKIEFILE, config->cookiefile); -         /* cookie jar was added in 7.9 */ -         if(config->cookiejar) -@@ -5577,6 +5575,12 @@ operate(struct Configurable *config, int argc, argv_item_t argv[]) -           my_setopt(curl, CURLOPT_HEADERFUNCTION, header_callback); -           my_setopt(curl, CURLOPT_HEADERDATA, &outs); -         } -+        else { -+          /* if HEADERFUNCTION was set to something in the previous loop, it -+             is important that we set it (back) to NULL now */ -+          my_setopt(curl, CURLOPT_HEADERFUNCTION, NULL); -+          my_setopt(curl, CURLOPT_HEADERDATA, config->headerfile?&heads:NULL); -+        } -  -         if(config->resolve) -           /* new in 7.21.3 */ ---  -1.7.6 - 
diff --git a/0005-curl-7.27.0-f208bf5a.patch b/0005-curl-7.27.0-f208bf5a.patch
new file mode 100644
index 0000000..c164fd0
--- /dev/null
+++ b/0005-curl-7.27.0-f208bf5a.patch
@@ -0,0 +1,190 @@
+From c78462408b8033c99cb45e70f34586ceb8fa8276 Mon Sep 17 00:00:00 2001
+From: Kamil Dudka <kdudka@redhat.com>
+Date: Thu, 9 Aug 2012 14:08:11 +0200
+Subject: [PATCH] docs: update the links to cipher-suites supported by NSS
+
+... and make the list of cipher-suites in nss.c readable by humans.
+
+Bug: http://curl.haxx.se/mail/archive-2012-08/0016.html
+
+[upstream commit f208bf5a2d622ae525690dfba2ab58abd8d72264]
+---
+ docs/curl.1                     |    2 +-
+ docs/libcurl/curl_easy_setopt.3 |    2 +-
+ lib/nss.c                       |  105 +++++++++++++++++++--------------------
+ 3 files changed, 53 insertions(+), 56 deletions(-)
+
+diff --git a/docs/curl.1 b/docs/curl.1
+index 0e29ed5..5ba3d56 100644
+--- a/docs/curl.1
++++ b/docs/curl.1
+@@ -223,7 +223,7 @@ must specify valid ciphers. Read up on SSL cipher list details on this URL:
+ 
+ NSS ciphers are done differently than OpenSSL and GnuTLS. The full list of
+ NSS ciphers is in the NSSCipherSuite entry at this URL:
+-\fIhttp://directory.fedora.redhat.com/docs/mod_nss.html#Directives\fP
++\fIhttp://git.fedorahosted.org/cgit/mod_nss.git/plain/docs/mod_nss.html#Directives\fP
+ 
+ If this option is used several times, the last one will override the others.
+ .IP "--compressed"
+diff --git a/docs/libcurl/curl_easy_setopt.3 b/docs/libcurl/curl_easy_setopt.3
+index 25a7d5e..d83afe8 100644
+--- a/docs/libcurl/curl_easy_setopt.3
++++ b/docs/libcurl/curl_easy_setopt.3
+@@ -2367,7 +2367,7 @@ this option then all known ciphers are disabled and only those passed in
+ are enabled.
+ 
+ You'll find more details about the NSS cipher lists on this URL:
+-\fIhttp://directory.fedora.redhat.com/docs/mod_nss.html#Directives\fP
++\fIhttp://git.fedorahosted.org/cgit/mod_nss.git/plain/docs/mod_nss.html#Directives\fP
+ 
+ .IP CURLOPT_SSL_SESSIONID_CACHE
+ Pass a long set to 0 to disable libcurl's use of SSL session-ID caching. Set
+diff --git a/lib/nss.c b/lib/nss.c
+index fef7c3d..705a625 100644
+--- a/lib/nss.c
++++ b/lib/nss.c
+@@ -89,7 +89,6 @@ volatile int initialized = 0;
+ typedef struct {
+   const char *name;
+   int num;
+-  PRInt32 version; /* protocol version valid for this cipher */
+ } cipher_s;
+ 
+ #define PK11_SETATTRS(_attr, _idx, _type, _val, _len) do {  \
+@@ -101,65 +100,63 @@ typedef struct {
+ 
+ #define CERT_NewTempCertificate __CERT_NewTempCertificate
+ 
+-enum sslversion { SSL2 = 1, SSL3 = 2, TLS = 4 };
+-
+ #define NUM_OF_CIPHERS sizeof(cipherlist)/sizeof(cipherlist[0])
+ static const cipher_s cipherlist[] = {
+   /* SSL2 cipher suites */
+-  {"rc4", SSL_EN_RC4_128_WITH_MD5, SSL2},
+-  {"rc4-md5", SSL_EN_RC4_128_WITH_MD5, SSL2},
+-  {"rc4export", SSL_EN_RC4_128_EXPORT40_WITH_MD5, SSL2},
+-  {"rc2", SSL_EN_RC2_128_CBC_WITH_MD5, SSL2},
+-  {"rc2export", SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5, SSL2},
+-  {"des", SSL_EN_DES_64_CBC_WITH_MD5, SSL2},
+-  {"desede3", SSL_EN_DES_192_EDE3_CBC_WITH_MD5, SSL2},
++  {"rc4",                        SSL_EN_RC4_128_WITH_MD5},
++  {"rc4-md5",                    SSL_EN_RC4_128_WITH_MD5},
++  {"rc4export",                  SSL_EN_RC4_128_EXPORT40_WITH_MD5},
++  {"rc2",                        SSL_EN_RC2_128_CBC_WITH_MD5},
++  {"rc2export",                  SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5},
++  {"des",                        SSL_EN_DES_64_CBC_WITH_MD5},
++  {"desede3",                    SSL_EN_DES_192_EDE3_CBC_WITH_MD5},
+   /* SSL3/TLS cipher suites */
+-  {"rsa_rc4_128_md5", SSL_RSA_WITH_RC4_128_MD5, SSL3 | TLS},
+-  {"rsa_rc4_128_sha", SSL_RSA_WITH_RC4_128_SHA, SSL3 | TLS},
+-  {"rsa_3des_sha", SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL3 | TLS},
+-  {"rsa_des_sha", SSL_RSA_WITH_DES_CBC_SHA, SSL3 | TLS},
+-  {"rsa_rc4_40_md5", SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL3 | TLS},
+-  {"rsa_rc2_40_md5", SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, SSL3 | TLS},
+-  {"rsa_null_md5", SSL_RSA_WITH_NULL_MD5, SSL3 | TLS},
+-  {"rsa_null_sha", SSL_RSA_WITH_NULL_SHA, SSL3 | TLS},
+-  {"fips_3des_sha", SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, SSL3 | TLS},
+-  {"fips_des_sha", SSL_RSA_FIPS_WITH_DES_CBC_SHA, SSL3 | TLS},
+-  {"fortezza", SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA, SSL3 | TLS},
+-  {"fortezza_rc4_128_sha", SSL_FORTEZZA_DMS_WITH_RC4_128_SHA, SSL3 | TLS},
+-  {"fortezza_null", SSL_FORTEZZA_DMS_WITH_NULL_SHA, SSL3 | TLS},
++  {"rsa_rc4_128_md5",            SSL_RSA_WITH_RC4_128_MD5},
++  {"rsa_rc4_128_sha",            SSL_RSA_WITH_RC4_128_SHA},
++  {"rsa_3des_sha",               SSL_RSA_WITH_3DES_EDE_CBC_SHA},
++  {"rsa_des_sha",                SSL_RSA_WITH_DES_CBC_SHA},
++  {"rsa_rc4_40_md5",             SSL_RSA_EXPORT_WITH_RC4_40_MD5},
++  {"rsa_rc2_40_md5",             SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5},
++  {"rsa_null_md5",               SSL_RSA_WITH_NULL_MD5},
++  {"rsa_null_sha",               SSL_RSA_WITH_NULL_SHA},
++  {"fips_3des_sha",              SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA},
++  {"fips_des_sha",               SSL_RSA_FIPS_WITH_DES_CBC_SHA},
++  {"fortezza",                   SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA},
++  {"fortezza_rc4_128_sha",       SSL_FORTEZZA_DMS_WITH_RC4_128_SHA},
++  {"fortezza_null",              SSL_FORTEZZA_DMS_WITH_NULL_SHA},
+   /* TLS 1.0: Exportable 56-bit Cipher Suites. */
+-  {"rsa_des_56_sha", TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, SSL3 | TLS},
+-  {"rsa_rc4_56_sha", TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, SSL3 | TLS},
++  {"rsa_des_56_sha",             TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA},
++  {"rsa_rc4_56_sha",             TLS_RSA_EXPORT1024_WITH_RC4_56_SHA},
+   /* AES ciphers. */
+-  {"rsa_aes_128_sha", TLS_RSA_WITH_AES_128_CBC_SHA, SSL3 | TLS},
+-  {"rsa_aes_256_sha", TLS_RSA_WITH_AES_256_CBC_SHA, SSL3 | TLS},
++  {"rsa_aes_128_sha",            TLS_RSA_WITH_AES_128_CBC_SHA},
++  {"rsa_aes_256_sha",            TLS_RSA_WITH_AES_256_CBC_SHA},
+ #ifdef NSS_ENABLE_ECC
+   /* ECC ciphers. */
+-  {"ecdh_ecdsa_null_sha", TLS_ECDH_ECDSA_WITH_NULL_SHA, TLS},
+-  {"ecdh_ecdsa_rc4_128_sha", TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS},
+-  {"ecdh_ecdsa_3des_sha", TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS},
+-  {"ecdh_ecdsa_aes_128_sha", TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS},
+-  {"ecdh_ecdsa_aes_256_sha", TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS},
+-  {"ecdhe_ecdsa_null_sha", TLS_ECDHE_ECDSA_WITH_NULL_SHA, TLS},
+-  {"ecdhe_ecdsa_rc4_128_sha", TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS},
+-  {"ecdhe_ecdsa_3des_sha", TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS},
+-  {"ecdhe_ecdsa_aes_128_sha", TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS},
+-  {"ecdhe_ecdsa_aes_256_sha", TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS},
+-  {"ecdh_rsa_null_sha", TLS_ECDH_RSA_WITH_NULL_SHA, TLS},
+-  {"ecdh_rsa_128_sha", TLS_ECDH_RSA_WITH_RC4_128_SHA, TLS},
+-  {"ecdh_rsa_3des_sha", TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, TLS},
+-  {"ecdh_rsa_aes_128_sha", TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS},
+-  {"ecdh_rsa_aes_256_sha", TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS},
+-  {"echde_rsa_null", TLS_ECDHE_RSA_WITH_NULL_SHA, TLS},
+-  {"ecdhe_rsa_rc4_128_sha", TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS},
+-  {"ecdhe_rsa_3des_sha", TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS},
+-  {"ecdhe_rsa_aes_128_sha", TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS},
+-  {"ecdhe_rsa_aes_256_sha", TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS},
+-  {"ecdh_anon_null_sha", TLS_ECDH_anon_WITH_NULL_SHA, TLS},
+-  {"ecdh_anon_rc4_128sha", TLS_ECDH_anon_WITH_RC4_128_SHA, TLS},
+-  {"ecdh_anon_3des_sha", TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA, TLS},
+-  {"ecdh_anon_aes_128_sha", TLS_ECDH_anon_WITH_AES_128_CBC_SHA, TLS},
+-  {"ecdh_anon_aes_256_sha", TLS_ECDH_anon_WITH_AES_256_CBC_SHA, TLS},
++  {"ecdh_ecdsa_null_sha",        TLS_ECDH_ECDSA_WITH_NULL_SHA},
++  {"ecdh_ecdsa_rc4_128_sha",     TLS_ECDH_ECDSA_WITH_RC4_128_SHA},
++  {"ecdh_ecdsa_3des_sha",        TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA},
++  {"ecdh_ecdsa_aes_128_sha",     TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA},
++  {"ecdh_ecdsa_aes_256_sha",     TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA},
++  {"ecdhe_ecdsa_null_sha",       TLS_ECDHE_ECDSA_WITH_NULL_SHA},
++  {"ecdhe_ecdsa_rc4_128_sha",    TLS_ECDHE_ECDSA_WITH_RC4_128_SHA},
++  {"ecdhe_ecdsa_3des_sha",       TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA},
++  {"ecdhe_ecdsa_aes_128_sha",    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA},
++  {"ecdhe_ecdsa_aes_256_sha",    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA},
++  {"ecdh_rsa_null_sha",          TLS_ECDH_RSA_WITH_NULL_SHA},
++  {"ecdh_rsa_128_sha",           TLS_ECDH_RSA_WITH_RC4_128_SHA},
++  {"ecdh_rsa_3des_sha",          TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA},
++  {"ecdh_rsa_aes_128_sha",       TLS_ECDH_RSA_WITH_AES_128_CBC_SHA},
++  {"ecdh_rsa_aes_256_sha",       TLS_ECDH_RSA_WITH_AES_256_CBC_SHA},
++  {"echde_rsa_null",             TLS_ECDHE_RSA_WITH_NULL_SHA},
++  {"ecdhe_rsa_rc4_128_sha",      TLS_ECDHE_RSA_WITH_RC4_128_SHA},
++  {"ecdhe_rsa_3des_sha",         TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA},
++  {"ecdhe_rsa_aes_128_sha",      TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
++  {"ecdhe_rsa_aes_256_sha",      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA},
++  {"ecdh_anon_null_sha",         TLS_ECDH_anon_WITH_NULL_SHA},
++  {"ecdh_anon_rc4_128sha",       TLS_ECDH_anon_WITH_RC4_128_SHA},
++  {"ecdh_anon_3des_sha",         TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA},
++  {"ecdh_anon_aes_128_sha",      TLS_ECDH_anon_WITH_AES_128_CBC_SHA},
++  {"ecdh_anon_aes_256_sha",      TLS_ECDH_anon_WITH_AES_256_CBC_SHA},
+ #endif
+ };
+ 
+@@ -248,7 +245,7 @@ static SECStatus set_ciphers(struct SessionHandle *data, PRFileDesc * model,
+   for(i=0; i<NUM_OF_CIPHERS; i++) {
+     rv = SSL_CipherPrefSet(model, cipherlist[i].num, cipher_state[i]);
+     if(rv != SECSuccess) {
+-      failf(data, "Unknown cipher in cipher list");
++      failf(data, "cipher-suite not supported by NSS: %s", cipherlist[i].name);
+       return SECFailure;
+     }
+   }
+@@ -1084,7 +1081,7 @@ int Curl_nss_close_all(struct SessionHandle *data)
+   return 0;
+ }
+ 
+-/* return true if NSS can provide error code (and possibly msg) for the error */
++/* true if NSS can provide error code (and possibly a message) for the error */
+ static bool is_nss_error(CURLcode err)
+ {
+   switch(err) {
+-- 
+1.7.1
+
diff --git a/0006-curl-7.21.7-3445fa2.patch b/0006-curl-7.21.7-3445fa2.patch
deleted file mode 100644
index fe9cf74..0000000
--- a/0006-curl-7.21.7-3445fa2.patch
+++ /dev/null
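Review bot: The realigned `cipherlist` keeps three user-visible names that break the pattern of their neighbours: `"echde_rsa_null"` (transposed letters, no `_sha`), `"ecdh_rsa_128_sha"` (no `rc4`) and `"ecdh_anon_rc4_128sha"` (missing underscore). These strings are what callers pass to select suites, so renaming them would break existing configurations; I would mark them instead, e.g. `/* sic: spelling kept for backward compatibility */`. A second comment worth adding is that the table also names NULL, export-grade and anonymous (`ecdh_anon_*`) suites, which give no confidentiality or no server authentication; per the curl_easy_setopt.3 context line they are enabled only when explicitly passed in. Whether dropping the `version` field is safe cannot be checked from here, since other users of `cipher_s` lie outside the hunks.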
@@ -1,146 +0,0 @@ -From 3445fa2e3f28b359a3acd2a884f4e119b11e0a57 Mon Sep 17 00:00:00 2001 -From: Kamil Dudka <kdudka@redhat.com> -Date: Fri, 26 Aug 2011 11:10:58 +0200 -Subject: [PATCH] tests: break busy loops in tests 502, 555, and 573 - ---- - tests/libtest/lib502.c |   23 +++++++++++++++++++++-- - tests/libtest/lib555.c |   23 +++++++++++++++++++++-- - tests/libtest/lib573.c |   23 +++++++++++++++++++++-- - 3 files changed, 63 insertions(+), 6 deletions(-) - -diff --git a/tests/libtest/lib502.c b/tests/libtest/lib502.c -index 9ade12a..9040b2b 100644 ---- a/tests/libtest/lib502.c -+++ b/tests/libtest/lib502.c -@@ -73,6 +73,10 @@ int test(char *URL) -   mp_start = tutil_tvnow(); -  -   while (running) { -+    static struct timeval timeout = /* 100 ms */ { 0, 100000L }; -+    fd_set fdread, fdwrite, fdexcep; -+    int maxfd = -1; -+ -     res = (int)curl_multi_perform(m, &running); -     if (tutil_tvdiff(tutil_tvnow(), mp_start) > -         MULTI_PERFORM_HANG_TIMEOUT) { -@@ -83,11 +87,26 @@ int test(char *URL) -       fprintf(stderr, "nothing left running.\n"); -       break; -     } -+ -+    FD_ZERO(&fdread); -+    FD_ZERO(&fdwrite); -+    FD_ZERO(&fdexcep); -+    curl_multi_fdset(m, &fdread, &fdwrite, &fdexcep, &maxfd); -+ -+    /* In a real-world program you OF COURSE check the return code of the -+       function calls.  On success, the value of maxfd is guaranteed to be -+       greater or equal than -1.  We call select(maxfd + 1, ...), specially in -+       case of (maxfd == -1), we call select(0, ...), which is basically equal -+       to sleep. 
*/ -+ -+    if (select(maxfd + 1, &fdread, &fdwrite, &fdexcep, &timeout) == -1) { -+      res = ~CURLM_OK; -+      break; -+    } -   } -  -   if (mp_timedout) { --    if (mp_timedout) fprintf(stderr, "mp_timedout\n"); --    fprintf(stderr, "ABORTING TEST, since it seems " -+    fprintf(stderr, "mp_timedout\nABORTING TEST, since it seems " -             "that it would have run forever.\n"); -     res = TEST_ERR_RUNS_FOREVER; -   } -diff --git a/tests/libtest/lib555.c b/tests/libtest/lib555.c -index c675015..1e73a5a 100644 ---- a/tests/libtest/lib555.c -+++ b/tests/libtest/lib555.c -@@ -135,6 +135,10 @@ int test(char *URL) -   mp_start = tutil_tvnow(); -  -   while (running) { -+    static struct timeval timeout = /* 100 ms */ { 0, 100000L }; -+    fd_set fdread, fdwrite, fdexcep; -+    int maxfd = -1; -+ -     res = (int)curl_multi_perform(m, &running); -     if (tutil_tvdiff(tutil_tvnow(), mp_start) > -         MULTI_PERFORM_HANG_TIMEOUT) { -@@ -148,11 +152,26 @@ int test(char *URL) -       fprintf(stderr, "nothing left running.\n"); -       break; -     } -+ -+    FD_ZERO(&fdread); -+    FD_ZERO(&fdwrite); -+    FD_ZERO(&fdexcep); -+    curl_multi_fdset(m, &fdread, &fdwrite, &fdexcep, &maxfd); -+ -+    /* In a real-world program you OF COURSE check the return code of the -+       function calls.  On success, the value of maxfd is guaranteed to be -+       greater or equal than -1.  We call select(maxfd + 1, ...), specially in -+       case of (maxfd == -1), we call select(0, ...), which is basically equal -+       to sleep. 
*/ -+ -+    if (select(maxfd + 1, &fdread, &fdwrite, &fdexcep, &timeout) == -1) { -+      res = ~CURLM_OK; -+      break; -+    } -   } -  -   if (mp_timedout) { --    if (mp_timedout) fprintf(stderr, "mp_timedout\n"); --    fprintf(stderr, "ABORTING TEST, since it seems " -+    fprintf(stderr, "mp_timedout\nABORTING TEST, since it seems " -             "that it would have run forever.\n"); -     res = TEST_ERR_RUNS_FOREVER; -   } -diff --git a/tests/libtest/lib573.c b/tests/libtest/lib573.c -index 4661858..b5fafe1 100644 ---- a/tests/libtest/lib573.c -+++ b/tests/libtest/lib573.c -@@ -76,6 +76,10 @@ int test(char *URL) -   mp_start = tutil_tvnow(); -  -   while (running) { -+    static struct timeval timeout = /* 100 ms */ { 0, 100000L }; -+    fd_set fdread, fdwrite, fdexcep; -+    int maxfd = -1; -+ -     res = (int)curl_multi_perform(m, &running); -     if (tutil_tvdiff(tutil_tvnow(), mp_start) > -         MULTI_PERFORM_HANG_TIMEOUT) { -@@ -86,11 +90,26 @@ int test(char *URL) -       fprintf(stderr, "nothing left running.\n"); -       break; -     } -+ -+    FD_ZERO(&fdread); -+    FD_ZERO(&fdwrite); -+    FD_ZERO(&fdexcep); -+    curl_multi_fdset(m, &fdread, &fdwrite, &fdexcep, &maxfd); -+ -+    /* In a real-world program you OF COURSE check the return code of the -+       function calls.  On success, the value of maxfd is guaranteed to be -+       greater or equal than -1.  We call select(maxfd + 1, ...), specially in -+       case of (maxfd == -1), we call select(0, ...), which is basically equal -+       to sleep. */ -+ -+    if (select(maxfd + 1, &fdread, &fdwrite, &fdexcep, &timeout) == -1) { -+      res = ~CURLM_OK; -+      break; -+    } -   } -  -   if (mp_timedout) { --    if (mp_timedout) fprintf(stderr, "mp_timedout\n"); --    fprintf(stderr, "ABORTING TEST, since it seems " -+    fprintf(stderr, "mp_timedout\nABORTING TEST, since it seems " -             "that it would have run forever.\n"); -     res = TEST_ERR_RUNS_FOREVER; -   } ---  -1.7.4.4 - 
diff --git a/0006-curl-7.27.0-68d2830e.patch b/0006-curl-7.27.0-68d2830e.patch new file mode 100644 index 0000000..be8c558 --- /dev/null +++ b/0006-curl-7.27.0-68d2830e.patch 
@@ -0,0 +1,68 @@ +From c011938e10bf3af5896d0f7f5ecffc22150303f3 Mon Sep 17 00:00:00 2001 +From: Kamil Dudka <kdudka@redhat.com> +Date: Mon, 3 Dec 2012 13:17:50 +0100 +Subject: [PATCH 1/3] nss: prevent NSS from crashing on client auth hook failure + +Although it is not explicitly stated in the documentation, NSS uses +*pRetCert and *pRetKey even if the client authentication hook returns +a failure.  Namely, if we destroy *pRetCert without clearing *pRetCert +afterwards, NSS destroys the certificate once again, which causes a +double free. + +Reported by: Bob Relyea + +[upstream commit 68d2830ee9df50961e481e81c1baaa290c33f03e] +--- + lib/nss.c |   17 +++++++++++------ + 1 files changed, 11 insertions(+), 6 deletions(-) + +diff --git a/lib/nss.c b/lib/nss.c +index 22b53bf..794eccb 100644 +--- a/lib/nss.c ++++ b/lib/nss.c +@@ -757,6 +757,8 @@ static SECStatus SelectClientCert(void *arg, PRFileDesc *sock, +     static const char pem_slotname[] = "PEM Token #1"; +     SECItem cert_der = { 0, NULL, 0 }; +     void *proto_win = SSL_RevealPinArg(sock); ++    struct CERTCertificateStr *cert; ++    struct SECKEYPrivateKeyStr *key; +  +     PK11SlotInfo *slot = PK11_FindSlotByName(pem_slotname); +     if(NULL == slot) { +@@ -771,24 +773,27 @@ static SECStatus SelectClientCert(void *arg, PRFileDesc *sock, +       return SECFailure; +     } +  +-    *pRetCert = PK11_FindCertFromDERCertItem(slot, &cert_der, proto_win); ++    cert = PK11_FindCertFromDERCertItem(slot, &cert_der, proto_win); +     SECITEM_FreeItem(&cert_der, PR_FALSE); +-    if(NULL == *pRetCert) { ++    if(NULL == cert) { +       failf(data, "NSS: client certificate from file not found"); +       PK11_FreeSlot(slot); +       return SECFailure; +     } +  +-    *pRetKey = PK11_FindPrivateKeyFromCert(slot, *pRetCert, NULL); ++    key = PK11_FindPrivateKeyFromCert(slot, cert, NULL); +     PK11_FreeSlot(slot); +-    if(NULL == *pRetKey) { ++    if(NULL == key) { +       failf(data, "NSS: private key from file not 
found"); +-      CERT_DestroyCertificate(*pRetCert); ++      CERT_DestroyCertificate(cert); +       return SECFailure; +     } +  +     infof(data, "NSS: client certificate from file\n"); +-    display_cert_info(data, *pRetCert); ++    display_cert_info(data, cert); ++ ++    *pRetCert = cert; ++    *pRetKey = key; +     return SECSuccess; +   } +  +--  +1.7.1 + diff --git a/0007-curl-7.27.0-b36f1d26.patch b/0007-curl-7.27.0-b36f1d26.patch new file mode 100644 index 0000000..c712da0 --- /dev/null +++ b/0007-curl-7.27.0-b36f1d26.patch 
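Review bot: Nothing in the new code at `*pRetCert = cert; *pRetKey = key;` records why the out-parameters are written only on the success path, and that ordering is the whole fix. Per the commit message, NSS reads `*pRetCert` and `*pRetKey` even when the hook returns `SECFailure`, so a later edit that assigns them early again would bring the double free back. I would add a comment above the two assignments, e.g. `/* NSS uses *pRetCert/*pRetKey even on SECFailure: publish only on success */`. The failure paths also leave both outputs at whatever the caller passed in; whether they are pre-initialised is not visible here, since SelectClientCert starts and ends outside the hunk.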
@@ -0,0 +1,55 @@ +From fefd7cdcde39c56651f6e2c32be9cd79354ffdc4 Mon Sep 17 00:00:00 2001 +From: Kamil Dudka <kdudka@redhat.com> +Date: Fri, 11 Jan 2013 10:24:21 +0100 +Subject: [PATCH 2/3] nss: clear session cache if a client cert from file is used + +This commit fixes a regression introduced in 052a08ff. + +NSS caches certs/keys returned by the SSL_GetClientAuthDataHook callback +and if we connect second time to the same server, the cached cert/key +pair is used.  If we use multiple client certificates for different +paths on the same server, we need to clear the session cache to force +NSS to call the hook again.  The commit 052a08ff prevented the session +cache from being cleared if a client certificate from file was used. + +The condition is now fixed to cover both cases: consssl->client_nickname +is not NULL if a client certificate from the NSS database is used and +connssl->obj_clicert is not NULL if a client certificate from file is +used. + +Review by: Kai Engert + +[upstream commit b36f1d26f830453ebaa17238f9bd1e396f618720] +--- + lib/nss.c |   12 ++++++++---- + 1 files changed, 8 insertions(+), 4 deletions(-) + +diff --git a/lib/nss.c b/lib/nss.c +index 794eccb..f97090a 100644 +--- a/lib/nss.c ++++ b/lib/nss.c +@@ -1058,13 +1058,17 @@ void Curl_nss_close(struct connectdata *conn, int sockindex) +        as closed to avoid double close */ +     fake_sclose(conn->sock[sockindex]); +     conn->sock[sockindex] = CURL_SOCKET_BAD; ++ ++    if((connssl->client_nickname != NULL) || (connssl->obj_clicert != NULL)) ++      /* A server might require different authentication based on the ++       * particular path being requested by the client.  To support this ++       * scenario, we must ensure that a connection will never reuse the ++       * authentication data from a previous connection. 
*/ ++      SSL_InvalidateSession(connssl->handle); ++ +     if(connssl->client_nickname != NULL) { +       free(connssl->client_nickname); +       connssl->client_nickname = NULL; +- +-      /* force NSS to ask again for a client cert when connecting +-       * next time to the same server */ +-      SSL_InvalidateSession(connssl->handle); +     } +     /* destroy all NSS objects in order to avoid failure of NSS shutdown */ +     Curl_llist_destroy(connssl->obj_list, NULL); +--  +1.7.1 + diff --git a/0008-curl-7.27.0-26613d78.patch b/0008-curl-7.27.0-26613d78.patch new file mode 100644 index 0000000..27e381c --- /dev/null +++ b/0008-curl-7.27.0-26613d78.patch @@ -0,0 +1,30 @@ +From afd2d98b4a9c69fb47048122629fd4be1d40f906 Mon Sep 17 00:00:00 2001 +From: Kamil Dudka <kdudka@redhat.com> +Date: Tue, 15 Jan 2013 12:58:08 +0100 +Subject: [PATCH 3/3] nss: fix error messages for CURLE_SSL_{CACERT,CRL}_BADFILE + +Do not use the error messages from NSS for errors not occurring in NSS. + +[upstream commit 26613d781725e39b0f601301a65c64e146977d8f] +--- + lib/nss.c |    2 -- + 1 files changed, 0 insertions(+), 2 deletions(-) + +diff --git a/lib/nss.c b/lib/nss.c +index f97090a..c5dcf52 100644 +--- a/lib/nss.c ++++ b/lib/nss.c +@@ -1096,10 +1096,8 @@ static bool is_nss_error(CURLcode err) +   switch(err) { +   case CURLE_PEER_FAILED_VERIFICATION: +   case CURLE_SSL_CACERT: +-  case CURLE_SSL_CACERT_BADFILE: +   case CURLE_SSL_CERTPROBLEM: +   case CURLE_SSL_CONNECT_ERROR: +-  case CURLE_SSL_CRL_BADFILE: +   case CURLE_SSL_ISSUER_ERROR: +     return true; +  +--  +1.7.1 + diff --git a/0009-curl-7.27.0-f206d6c0.patch b/0009-curl-7.27.0-f206d6c0.patch new file mode 100644 index 0000000..f904907 --- /dev/null +++ b/0009-curl-7.27.0-f206d6c0.patch 
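Review bot: The return value of `SSL_InvalidateSession(connssl->handle)` is dropped in the block added to Curl_nss_close, so a failed invalidation would leave the cached client cert/key available to the next connection to the same server with no trace in the log. Checking it costs one line, e.g. `if(SSL_InvalidateSession(connssl->handle) != SECSuccess) infof(conn->data, "NSS: could not invalidate SSL session\n");` (assuming `conn->data` is the handle used for logging here; the function starts outside the hunk). The new `if` also puts a multi-line comment between the condition and its unbraced statement, which is easy to misread; braces around the body would make the scope explicit.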
@@ -0,0 +1,69 @@ +From 46890e837c3b27195e4b0285d221d900f2ad48cc Mon Sep 17 00:00:00 2001 +From: Eldar Zaitov <kyprizel@volema.com> +Date: Wed, 30 Jan 2013 23:22:27 +0100 +Subject: [PATCH] Curl_sasl_create_digest_md5_message: fix buffer overflow + +When negotiating SASL DIGEST-MD5 authentication, the function +Curl_sasl_create_digest_md5_message() uses the data provided from the +server without doing the proper length checks and that data is then +appended to a local fixed-size buffer on the stack. + +This vulnerability can be exploited by someone who is in control of a +server that a libcurl based program is accessing with POP3, SMTP or +IMAP. For applications that accept user provided URLs, it is also +thinkable that a malicious user would feed an application with a URL to +a server hosting code targetting this flaw. + +Bug: http://curl.haxx.se/docs/adv_20130206.html + +[upstream commit f206d6c055d1008f0edb6d5d5920f0f300b9983a] + +Signed-off-by: Kamil Dudka <kdudka@redhat.com> +--- + lib/curl_sasl.c |   23 ++++++----------------- + 1 files changed, 6 insertions(+), 17 deletions(-) + +diff --git a/lib/curl_sasl.c b/lib/curl_sasl.c +index ccb54a8..e42b850 100644 +--- a/lib/curl_sasl.c ++++ b/lib/curl_sasl.c +@@ -345,9 +345,7 @@ CURLcode Curl_sasl_create_digest_md5_message(struct SessionHandle *data, +     snprintf(&HA1_hex[2 * i], 3, "%02x", digest[i]); +  +   /* Prepare the URL string */ +-  strcpy(uri, service); +-  strcat(uri, "/"); +-  strcat(uri, realm); ++  snprintf(uri, sizeof(uri), "%s/%s", service, realm); +  +   /* Calculate H(A2) */ +   ctxt = Curl_MD5_init(Curl_DIGEST_MD5); +@@ -391,20 +389,11 @@ CURLcode Curl_sasl_create_digest_md5_message(struct SessionHandle *data, +   for(i = 0; i < MD5_DIGEST_LEN; i++) +     snprintf(&resp_hash_hex[2 * i], 3, "%02x", digest[i]); +  +-  strcpy(response, "username=\""); +-  strcat(response, userp); +-  strcat(response, "\",realm=\""); +-  strcat(response, realm); +-  strcat(response, "\",nonce=\""); +-  
strcat(response, nonce); +-  strcat(response, "\",cnonce=\""); +-  strcat(response, cnonce); +-  strcat(response, "\",nc="); +-  strcat(response, nonceCount); +-  strcat(response, ",digest-uri=\""); +-  strcat(response, uri); +-  strcat(response, "\",response="); +-  strcat(response, resp_hash_hex); ++  snprintf(response, sizeof(response), ++           "username=\"%s\",realm=\"%s\",nonce=\"%s\"," ++           "cnonce=\"%s\",nc=\"%s\",digest-uri=\"%s\",response=%s", ++           userp, realm, nonce, ++           cnonce, nonceCount, uri, resp_hash_hex); +  +   /* Base64 encode the reply */ +   return Curl_base64_encode(data, response, 0, outptr, outlen); +--  +1.7.1 + diff --git a/0010-curl-7.27.0-57ccdfa8.patch b/0010-curl-7.27.0-57ccdfa8.patch new file mode 100644 index 0000000..cc4be82 --- /dev/null +++ b/0010-curl-7.27.0-57ccdfa8.patch 
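Review bot: Both new `snprintf` calls in Curl_sasl_create_digest_md5_message discard their return value, so input longer than `uri` or `response` is now silently truncated and the function goes on to hash and send a cut-off digest-uri or response instead of failing. Since the commit message says the appended data comes from the server, I would treat truncation as an error, e.g. `if(snprintf(uri, sizeof(uri), "%s/%s", service, realm) >= (int)sizeof(uri)) return CURLE_BAD_CONTENT_ENCODING;` and the same test for `response` (the error code is a suggestion; any cleanup the surrounding function needs is not visible in the hunk). `sizeof(uri)` and `sizeof(response)` are only correct if both are arrays, which the commit message implies but whose declarations are outside the hunk. Separately, the format string emits `nc=\"%s\"` where the removed `strcat` sequence emitted the nonce count unquoted, a wire-format change the commit message does not mention.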
@@ -0,0 +1,158 @@ +From fba5ed6d23b8fab97150da2b49a35236a8f4684c Mon Sep 17 00:00:00 2001 +From: Zdenek Pavlas <zpavlas@redhat.com> +Date: Mon, 11 Mar 2013 14:57:07 +0100 +Subject: [PATCH] curl_global_init: accept the CURL_GLOBAL_ACK_EINTR flag + +The flag can be used in pycurl-based applications where using the multi +interface would not be acceptable because of the performance lost caused +by implementing the select() loop in python. + +Bug: http://curl.haxx.se/bug/view.cgi?id=1168 +Downstream Bug: https://bugzilla.redhat.com/919127 + +[upstream commit 57ccdfa8d2bb6275388223f4676cd623ebd01697] + +Signed-off-by: Kamil Dudka <kdudka@redhat.com> +--- + docs/libcurl/curl_global_init.3  |    4 ++++ + docs/libcurl/symbols-in-versions |    1 + + include/curl/curl.h              |    1 + + lib/easy.c                       |    6 +++++- + lib/select.c                     |   17 ++--------------- + lib/select.h                     |    6 ++++++ + 6 files changed, 19 insertions(+), 16 deletions(-) + +diff --git a/docs/libcurl/curl_global_init.3 b/docs/libcurl/curl_global_init.3 +index d91e1bd..6a08383 100644 +--- a/docs/libcurl/curl_global_init.3 ++++ b/docs/libcurl/curl_global_init.3 +@@ -70,6 +70,10 @@ Initialise nothing extra. This sets no bit. + .B CURL_GLOBAL_DEFAULT + A sensible default. It will init both SSL and Win32. Right now, this equals + the functionality of the \fBCURL_GLOBAL_ALL\fP mask. ++.TP ++.B CURL_GLOBAL_ACK_EINTR ++When this flag is set, curl will acknowledge EINTR condition when connecting ++or when waiting for data.  Otherwise, curl waits until full timeout elapses. + .SH RETURN VALUE + If this function returns non-zero, something went wrong and you cannot use the + other curl functions. 
+diff --git a/docs/libcurl/symbols-in-versions b/docs/libcurl/symbols-in-versions +index 41705fd..c528208 100644 +--- a/docs/libcurl/symbols-in-versions ++++ b/docs/libcurl/symbols-in-versions +@@ -612,6 +612,7 @@ CURL_GLOBAL_DEFAULT             7.8 + CURL_GLOBAL_NOTHING             7.8 + CURL_GLOBAL_SSL                 7.8 + CURL_GLOBAL_WIN32               7.8.1 ++CURL_GLOBAL_ACK_EINTR           7.30.0 + CURL_HTTP_VERSION_1_0           7.9.1 + CURL_HTTP_VERSION_1_1           7.9.1 + CURL_HTTP_VERSION_NONE          7.9.1 +diff --git a/include/curl/curl.h b/include/curl/curl.h +index 2cad282..63e7056 100644 +--- a/include/curl/curl.h ++++ b/include/curl/curl.h +@@ -2022,6 +2022,7 @@ typedef enum { + #define CURL_GLOBAL_ALL (CURL_GLOBAL_SSL|CURL_GLOBAL_WIN32) + #define CURL_GLOBAL_NOTHING 0 + #define CURL_GLOBAL_DEFAULT CURL_GLOBAL_ALL ++#define CURL_GLOBAL_ACK_EINTR (1<<2) +  +  + /***************************************************************************** +diff --git a/lib/easy.c b/lib/easy.c +index 6e8ff77..88f4a60 100644 +--- a/lib/easy.c ++++ b/lib/easy.c +@@ -267,6 +267,8 @@ CURLcode curl_global_init(long flags) +   } + #endif +  ++  Curl_ack_eintr = flags & CURL_GLOBAL_ACK_EINTR; ++ +   init_flags  = flags; +  +   /* Preset pseudo-random number sequence. */ +@@ -459,9 +461,11 @@ CURLcode curl_easy_perform(CURL *easy) +        select. This whole alternative version should probably rather use the +        curl_multi_socket() approach. */ +  +-    if(rc == -1) ++    if(rc == -1) { +       /* select error */ ++      code = CURLE_RECV_ERROR; +       break; ++    } +  +     /* timeout or data to send/receive => loop! 
*/ +   } while(still_running); +diff --git a/lib/select.c b/lib/select.c +index 40673ec..bb8b773 100644 +--- a/lib/select.c ++++ b/lib/select.c +@@ -50,11 +50,8 @@ +  + #define elapsed_ms  (int)curlx_tvdiff(curlx_tvnow(), initial_tv) +  +-#ifdef CURL_ACKNOWLEDGE_EINTR +-#define error_not_EINTR (1) +-#else +-#define error_not_EINTR (error != EINTR) +-#endif ++int Curl_ack_eintr = 0; ++#define error_not_EINTR (Curl_ack_eintr || error != EINTR) +  + /* +  * Internal function used for waiting a specific amount of ms +@@ -67,10 +64,6 @@ +  * Timeout resolution, accuracy, as well as maximum supported +  * value is system dependent, neither factor is a citical issue +  * for the intended use of this function in the library. +- * On non-DOS and non-Winsock platforms, when compiled with +- * CURL_ACKNOWLEDGE_EINTR defined, EINTR condition is honored +- * and function might exit early without awaiting full timeout, +- * otherwise EINTR will be ignored and full timeout will elapse. +  * +  * Return values: +  *   -1 = system call error, invalid timeout value, or interrupted +@@ -133,9 +126,6 @@ int Curl_wait_ms(int timeout_ms) +  * A negative timeout value makes this function wait indefinitely, +  * unles no valid file descriptor is given, when this happens the +  * negative timeout is ignored and the function times out immediately. +- * When compiled with CURL_ACKNOWLEDGE_EINTR defined, EINTR condition +- * is honored and function might exit early without awaiting timeout, +- * otherwise EINTR will be ignored. +  * +  * Return values: +  *   -1 = system call error or fd >= FD_SETSIZE +@@ -347,9 +337,6 @@ int Curl_socket_check(curl_socket_t readfd0, /* two sockets to read from */ +  * A negative timeout value makes this function wait indefinitely, +  * unles no valid file descriptor is given, when this happens the +  * negative timeout is ignored and the function times out immediately. 
+- * When compiled with CURL_ACKNOWLEDGE_EINTR defined, EINTR condition +- * is honored and function might exit early without awaiting timeout, +- * otherwise EINTR will be ignored. +  * +  * Return values: +  *   -1 = system call error or fd >= FD_SETSIZE +diff --git a/lib/select.h b/lib/select.h +index b50604b..4f0e464 100644 +--- a/lib/select.h ++++ b/lib/select.h +@@ -99,6 +99,12 @@ int Curl_socket_check(curl_socket_t readfd, curl_socket_t readfd2, +  + int Curl_poll(struct pollfd ufds[], unsigned int nfds, int timeout_ms); +  ++/* On non-DOS and non-Winsock platforms, when Curl_ack_eintr is set, ++ * EINTR condition is honored and function might exit early without ++ * awaiting full timeout.  Otherwise EINTR will be ignored and full ++ * timeout will elapse. */ ++extern int Curl_ack_eintr; ++ + int Curl_wait_ms(int timeout_ms); +  + #ifdef TPF +--  +1.7.1 + diff --git a/0101-curl-7.21.1-multilib.patch b/0101-curl-7.27.0-multilib.patch index cbb5bab..09acf78 100644 --- a/0101-curl-7.21.1-multilib.patch +++ b/0101-curl-7.27.0-multilib.patch @@ -7,7 +7,7 @@ diff --git a/curl-config.in b/curl-config.in  index 150004d..95d0759 100644  --- a/curl-config.in  +++ b/curl-config.in -@@ -74,7 +74,7 @@ while test $# -gt 0; do +@@ -75,7 +75,7 @@ while test $# -gt 0; do   	;;       --cc) @@ -16,7 +16,7 @@ index 150004d..95d0759 100644   	;;       --prefix) -@@ -136,24 +136,14 @@ while test $# -gt 0; do +@@ -142,24 +142,14 @@ while test $# -gt 0; do          	;;       --libs) @@ -26,9 +26,9 @@ index 150004d..95d0759 100644  -	   CURLLIBDIR=""  -	fi  -	if test "X@REQUIRE_LIB_DEPS@" = "Xyes"; then --	  echo ${CURLLIBDIR}-lcurl @LDFLAGS@ @LIBCURL_LIBS@ @LIBS@ +-	  echo ${CURLLIBDIR}-lcurl @LIBCURL_LIBS@ @LIBS@  -	else --	  echo ${CURLLIBDIR}-lcurl @LDFLAGS@ @LIBS@ +-	  echo ${CURLLIBDIR}-lcurl @LIBS@  -	fi  +	pkg-config libcurl --libs   	;; 
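Review bot: `Curl_ack_eintr = flags & CURL_GLOBAL_ACK_EINTR;` in curl_global_init stores a masked `long` in an `int` and leaves the raw bit value in what is used as a boolean; `Curl_ack_eintr = (flags & CURL_GLOBAL_ACK_EINTR) ? 1 : 0;` says what is meant and avoids the implicit narrowing. The setting is also a process-wide global shared by every handle, and nothing in the visible hunks resets it, so the comment added in lib/select.h could state that, e.g. `/* process-wide; set by curl_global_init() */`. curl_global_init and curl_easy_perform both continue outside their hunks.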
@@ -39,7 +39,7 @@ index 150004d..95d0759 100644       --configure)  -      echo @CONFIGURE_OPTIONS@ -+	pkg-config libcurl --variable=configure_options | sed 's/^"//;s/"$//' ++      pkg-config libcurl --variable=configure_options | sed 's/^"//;s/"$//'       ;;       *) @@ -47,7 +47,7 @@ diff --git a/docs/curl-config.1 b/docs/curl-config.1  index c4f4e2b..3e0ea60 100644  --- a/docs/curl-config.1  +++ b/docs/curl-config.1 -@@ -65,7 +65,9 @@ be listed using uppercase and are separated by newlines. There may be none, +@@ -65,7 +65,9 @@ be listed using uppercase and are separa   one, or several protocols in the list. (Added in 7.13.0)   .IP "--static-libs"   Shows the complete set of libs and other linker options you will need in order diff --git a/0102-curl-7.27.0-debug.patch b/0102-curl-7.27.0-debug.patch new file mode 100644 index 0000000..0f10d40 --- /dev/null +++ b/0102-curl-7.27.0-debug.patch 
@@ -0,0 +1,58 @@ + configure            |   15 ++++----------- + m4/curl-compilers.m4 |   15 ++++----------- + 2 files changed, 8 insertions(+), 22 deletions(-) + +diff --git a/configure b/configure +index d3ecf69..6d8f085 100755 +--- a/configure ++++ b/configure +@@ -15093,18 +15093,11 @@ $as_echo "yes" >&6; } +     gccvhi=`echo $gccver | cut -d . -f1` +     gccvlo=`echo $gccver | cut -d . -f2` +     compiler_num=`(expr $gccvhi "*" 100 + $gccvlo) 2>/dev/null` +-    flags_dbg_all="-g -g0 -g1 -g2 -g3" +-    flags_dbg_all="$flags_dbg_all -ggdb" +-    flags_dbg_all="$flags_dbg_all -gstabs" +-    flags_dbg_all="$flags_dbg_all -gstabs+" +-    flags_dbg_all="$flags_dbg_all -gcoff" +-    flags_dbg_all="$flags_dbg_all -gxcoff" +-    flags_dbg_all="$flags_dbg_all -gdwarf-2" +-    flags_dbg_all="$flags_dbg_all -gvms" ++    flags_dbg_all="" +     flags_dbg_yes="-g" +-    flags_dbg_off="-g0" +-    flags_opt_all="-O -O0 -O1 -O2 -O3 -Os" +-    flags_opt_yes="-O2" ++    flags_dbg_off="" ++    flags_opt_all="" ++    flags_opt_yes="" +     flags_opt_off="-O0" +  +       if test -z "$SED"; then +diff --git a/m4/curl-compilers.m4 b/m4/curl-compilers.m4 +index 1ea4d17..868d65a 100644 +--- a/m4/curl-compilers.m4 ++++ b/m4/curl-compilers.m4 +@@ -148,18 +148,11 @@ AC_DEFUN([CURL_CHECK_COMPILER_GNU_C], [ +     gccvhi=`echo $gccver | cut -d . -f1` +     gccvlo=`echo $gccver | cut -d . 
-f2` +     compiler_num=`(expr $gccvhi "*" 100 + $gccvlo) 2>/dev/null` +-    flags_dbg_all="-g -g0 -g1 -g2 -g3" +-    flags_dbg_all="$flags_dbg_all -ggdb" +-    flags_dbg_all="$flags_dbg_all -gstabs" +-    flags_dbg_all="$flags_dbg_all -gstabs+" +-    flags_dbg_all="$flags_dbg_all -gcoff" +-    flags_dbg_all="$flags_dbg_all -gxcoff" +-    flags_dbg_all="$flags_dbg_all -gdwarf-2" +-    flags_dbg_all="$flags_dbg_all -gvms" ++    flags_dbg_all="" +     flags_dbg_yes="-g" +-    flags_dbg_off="-g0" +-    flags_opt_all="-O -O0 -O1 -O2 -O3 -Os" +-    flags_opt_yes="-O2" ++    flags_dbg_off="" ++    flags_opt_all="" ++    flags_opt_yes="" +     flags_opt_off="-O0" +     CURL_CHECK_DEF([_WIN32], [], [silent]) +   else diff --git a/0105-curl-7.21.3-disable-test1112.patch b/0105-curl-7.21.3-disable-test1112.patch deleted file mode 100644 index d1c0292..0000000 --- a/0105-curl-7.21.3-disable-test1112.patch +++ /dev/null 
@@ -1,30 +0,0 @@ - tests/data/Makefile.am |    2 +- - tests/data/Makefile.in |    2 +- - 2 files changed, 2 insertions(+), 2 deletions(-) - -diff --git a/tests/data/Makefile.am b/tests/data/Makefile.am -index 9370974..b553f54 100644 ---- a/tests/data/Makefile.am -+++ b/tests/data/Makefile.am -@@ -69,7 +69,7 @@ test1078 test1079 test1080 test1081 test1082 test1083 test1084 test1085	\ - test1086 test1087 test1088 test1089 test1090 test1091 test1092 test1093	\ - test1094 test1095 test1096 test1097 test1098 test1099 test1100 test1101	\ - test1102 test1103 test1104 test1105 test1106 test1107 test1108 test1109	\ --test1110 test1111 test1112 test1113 test1114 test1115 test1116 test1117	\ -+test1110 test1111          test1113 test1114 test1115 test1116 test1117	\ - test1118 test1119 test1120 test1121 test1122 test1123 test1124 test1125	\ - test1126 test1127 test1128 test1200 test1201 test1202 test1203 test1300	\ - test1301 test1302 test1303 test1304 test1305 test1306 test1307 test1308	\ -diff --git a/tests/data/Makefile.in b/tests/data/Makefile.in -index 435b126..1d71c4e 100644 ---- a/tests/data/Makefile.in -+++ b/tests/data/Makefile.in -@@ -317,7 +317,7 @@ test1078 test1079 test1080 test1081 test1082 test1083 test1084 test1085	\ - test1086 test1087 test1088 test1089 test1090 test1091 test1092 test1093	\ - test1094 test1095 test1096 test1097 test1098 test1099 test1100 test1101	\ - test1102 test1103 test1104 test1105 test1106 test1107 test1108 test1109	\ --test1110 test1111 test1112 test1113 test1114 test1115 test1116 test1117	\ -+test1110 test1111          test1113 test1114 test1115 test1116 test1117	\ - test1118 test1119 test1120 test1121 test1122 test1123 test1124 test1125	\ - test1126 test1127 test1128 test1200 test1201 test1202 test1203 test1300	\ - test1301 test1302 test1303 test1304 test1305 test1306 test1307 test1308	\ diff --git a/0108-curl-7.27.0-utf8.patch b/0108-curl-7.27.0-utf8.patch new file mode 100644 index 0000000..b740b17 --- /dev/null 
+++ b/0108-curl-7.27.0-utf8.patch 
@@ -0,0 +1,86 @@ + CHANGES |   16 ++++++++-------- + README  |    2 +- + 2 files changed, 9 insertions(+), 9 deletions(-) + +diff --git a/CHANGES b/CHANGES +index 2335841..d4d37c2 100644 +--- a/CHANGES ++++ b/CHANGES +@@ -272,7 +272,7 @@ Daniel Stenberg (9 Jul 2012) +  + - cookie: fixed typo in comment +  +-- [Christian Hägele brought this change] ++- [Christian Hägele brought this change] +  +   https_getsock: provided for schannel backend as well +    +@@ -454,7 +454,7 @@ Yang Tse (3 Jul 2012) +   testcurl.pl: fix missing semicolon +  + Daniel Stenberg (2 Jul 2012) +-- [Christian Hägele brought this change] ++- [Christian Hägele brought this change] +  +   unicode NTLM SSPI: heap corruption fixed +    +@@ -2563,18 +2563,18 @@ Daniel Stenberg (1 Apr 2012) +   Reported by: Michael Wallner +  + Steve Holme (31 Mar 2012) +-- [Gökhan Şengün brought this change] ++- [Gökhan Åengün brought this change] +  +   smtp: Add support for DIGEST-MD5 authentication +  +-- [Gökhan Şengün brought this change] ++- [Gökhan Åengün brought this change] +  +   smtp: Cody tidy up of md5 digest length +    +   Replaced the hard coded md5 digest length (16) with a preprocessor +   constant +  +-- [Gökhan Şengün brought this change] ++- [Gökhan Åengün brought this change] +  +   md5: Add support for calculating the md5 sum of buffers incrementally +    +@@ -3866,7 +3866,7 @@ Daniel Stenberg (20 Dec 2011) +   This offers an alternative to the existing Curl_socket_ready() API which +   only checks one socket for read and one for write. +  +-- [Cédric Deltheil brought this change] ++- [CeÌdric Deltheil brought this change] +  +   curl.h: add __ANDROID__ macro check +    +@@ -4079,7 +4079,7 @@ Daniel Stenberg (12 Dec 2011) +   linking with a static openssl requires a set of more libs to be linked +   on Windows. +    +-  Thanks also to Steve Holme and Martin Storsj for additional feedback. ++  Thanks also to Steve Holme and Martin Storsjö for additional feedback. 
+    +   Bug: http://curl.haxx.se/mail/lib-2011-12/0063.html +   Reported by: Ward Willats +@@ -5333,7 +5333,7 @@ Daniel Stenberg (25 Sep 2011) +   damaging. +    +   Bug: http://curl.haxx.se/bug/view.cgi?id=3413181 +-  Reported by: Taneli Vhkangas ++  Reported by: Taneli Vähäkangas +  + Yang Tse (24 Sep 2011) + - curl tool: fix a compiler warning +diff --git a/README b/README +index 2ffacc3..cfd6760 100644 +--- a/README ++++ b/README +@@ -45,5 +45,5 @@ GIT + NOTICE +  +   Curl contains pieces of source code that is Copyright (c) 1998, 1999 +-  Kungliga Tekniska Hgskolan. This notice is included here to comply with the ++  Kungliga Tekniska Högskolan. This notice is included here to comply with the +   distribution terms. 
@@ -1,47 +1,62 @@  Summary: A utility for getting files from remote servers (FTP, HTTP, and others)  Name: curl -Version: 7.21.7 -Release: 5%{?dist}.2 +Version: 7.27.0 +Release: 7%{?dist}  License: MIT  Group: Applications/Internet  Source: http://curl.haxx.se/download/%{name}-%{version}.tar.bz2  Source2: curlbuild.h  Source3: hide_selinux.c -# add a new option CURLOPT_GSSAPI_DELEGATION (#719939) -Patch1: 0001-curl-7.21.7-a7864c4.patch +# eliminate unnecessary inotify events on upload via file protocol (#844385) +Patch1: 0001-curl-7.27.0-1f8518c5.patch -# fix SIGSEGV of curl -O -J given more than one URLs (#723075) -Patch2: 0002-curl-7.21.7-5eb2396.patch -Patch5: 0005-curl-7.21.7-61ae7e9.patch +# do not crash if MD5 fingerprint is not provided by libssh2 +Patch2: 0002-curl-7.27.0-f05e5136.patch -# introduce the --delegation option of curl (#730444) -Patch3: 0003-curl-7.21.7-5538904.patch +# fix a syntax error in curl-config (#871317) +Patch3: 0003-curl-7.27.0-382429e7.patch -# initialize NSS with no database if the selected database is broken (#728562) -Patch4: 0004-curl-7.21.7-d6f319f.patch +# do not print misleading NSS error codes +Patch4: 0004-curl-7.27.0-52b6eda4.patch -# break busy loops in tests 502, 555, and 573 -Patch6: 0006-curl-7.21.7-3445fa2.patch +# update the links to cipher-suites supported by NSS +Patch5: 0005-curl-7.27.0-f208bf5a.patch + +# prevent NSS from crashing on client auth hook failure +Patch6: 0006-curl-7.27.0-68d2830e.patch + +# clear session cache if a client cert from file is used +Patch7: 0007-curl-7.27.0-b36f1d26.patch + +# fix error messages for CURLE_SSL_{CACERT,CRL}_BADFILE +Patch8: 0008-curl-7.27.0-26613d78.patch + +# fix buffer overflow when negotiating SASL DIGEST-MD5 auth (CVE-2013-0249) +Patch9: 0009-curl-7.27.0-f206d6c0.patch + +# curl_global_init() now accepts the CURL_GLOBAL_ACK_EINTR flag +Patch10: 0010-curl-7.27.0-57ccdfa8.patch  # patch making libcurl multilib ready -Patch101: 0101-curl-7.21.1-multilib.patch +Patch101: 
0101-curl-7.27.0-multilib.patch  # prevent configure script from discarding -g in CFLAGS (#496778) -Patch102: 0102-curl-7.21.2-debug.patch +Patch102: 0102-curl-7.27.0-debug.patch  # use localhost6 instead of ip6-localhost in the curl test-suite  Patch104: 0104-curl-7.19.7-localhost6.patch -# exclude test1112 from the test suite (#565305) -Patch105: 0105-curl-7.21.3-disable-test1112.patch -  # disable valgrind for certain test-cases (libssh2 problem)  Patch106: 0106-curl-7.21.0-libssh2-valgrind.patch  # work around valgrind bug (#678518)  Patch107: 0107-curl-7.21.4-libidn-valgrind.patch +# Fix character encoding of docs, which are of mixed encoding originally so +# a simple iconv can't fix them +Patch108: 0108-curl-7.27.0-utf8.patch +  Provides: webclient  URL: http://curl.haxx.se/  BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) @@ -58,7 +73,7 @@ BuildRequires: stunnel  BuildRequires: zlib-devel  # valgrind is not available on s390(x), sparc or arm5 -%ifnarch s390 s390x %{sparc} %{arm} +%ifnarch s390 s390x %{sparc} %{arm} ppc  BuildRequires: valgrind  %endif @@ -68,8 +83,8 @@ Requires: libcurl = %{version}-%{release}  # to ensure that we have the necessary symbols available (#525002, #642796)  %global libssh2_version %(pkg-config --modversion libssh2 2>/dev/null || echo 0) -# older version doesn't provides "ldap_init_fd" -%global openldap_version 2.3.43-12.el5_6.5 +# older version than 12.el5_6.5 doesn't provides "ldap_init_fd" +%global openldap_version 2.3.43-25.el5_8.1  %description  curl is a command line tool for transferring data with URL syntax, supporting 
@@ -119,20 +134,17 @@ documentation of the library, too.  %prep  %setup -q -# Convert docs to UTF-8 -# NOTE: we do this _before_ applying of all patches, which are already UTF-8 -for f in CHANGES README; do -    iconv -f iso-8859-1 -t utf8 < ${f} > ${f}.utf8 -    mv -f ${f}.utf8 ${f} -done - -# upstream patches (already applied) +# upstream patches  %patch1 -p1  %patch2 -p1  %patch3 -p1  %patch4 -p1  %patch5 -p1  %patch6 -p1 +%patch7 -p1 +%patch8 -p1 +%patch9 -p1 +%patch10 -p1  # Fedora patches  %patch101 -p1 @@ -140,10 +152,7 @@ done  %patch104 -p1  %patch106 -p1  %patch107 -p1 - -# exclude test1112 from the test suite (#565305) -%patch105 -p1 -rm -f tests/data/test1112 +%patch108 -p1  # replace hard wired port numbers in the test suite  %ifarch x86_64 @@ -207,13 +216,16 @@ DISABLED=  %install  rm -rf $RPM_BUILD_ROOT -make DESTDIR=$RPM_BUILD_ROOT INSTALL="%{__install} -p" install +make DESTDIR=$RPM_BUILD_ROOT INSTALL="install -p" install  rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la  install -d $RPM_BUILD_ROOT%{_datadir}/aclocal  install -m 644 docs/libcurl/libcurl.m4 $RPM_BUILD_ROOT%{_datadir}/aclocal +# drop man page for a script we do not distribute +rm -f ${RPM_BUILD_ROOT}%{_mandir}/man1/mk-ca-bundle.1 +  # Make libcurl-devel multilib-ready (bug #488922)  %ifarch x86_64  %define _curlbuild_h curlbuild-64.h @@ -258,6 +270,9 @@ rm -rf $RPM_BUILD_ROOT  %{_datadir}/aclocal/libcurl.m4  %changelog +* Mon Oct 17 2011 Remi Collet <RPMS@FamilleCollet.com> - 7.27.0-7 +- sync with 7.27.0-7 from F18 +  * Mon Oct 17 2011 Remi Collet <RPMS@FamilleCollet.com> - 7.21.7-5.2  - dump release and build against libssh2 1.2.7  | 
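Review bot: The new %changelog entry for 7.27.0-7 says only `- sync with 7.27.0-7 from F18`, although this update adds Patch9, which the spec itself labels as the fix for CVE-2013-0249. Anyone auditing installed packages through the changelog would not find the CVE, so I would add a line such as `- fix buffer overflow when negotiating SASL DIGEST-MD5 auth (CVE-2013-0249)`. The entry's date, `Mon Oct 17 2011`, is identical to the 7.21.7-5.2 entry below it and precedes the dates inside the added patches (December 2012 to March 2013), so it looks copied and should be corrected.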
