diff options
-rw-r--r-- | compat-libcurl3.spec | 43 | ||||
-rw-r--r-- | curl-7.15.5-bz652557.patch | 16 | ||||
-rw-r--r-- | curl-7.15.5-bz657396.patch | 465 | ||||
-rw-r--r-- | curl-7.15.5-bz688871.patch | 28 | ||||
-rw-r--r-- | curl-7.15.5-bz723643.patch | 124 | ||||
-rw-r--r-- | curl-7.15.5-bz746849.patch | 125 |
6 files changed, 798 insertions, 3 deletions
diff --git a/compat-libcurl3.spec b/compat-libcurl3.spec index 6692433..1f593ed 100644 --- a/compat-libcurl3.spec +++ b/compat-libcurl3.spec @@ -1,7 +1,9 @@ +%global rhelrel 15-el5 + Summary: A utility for getting files from remote servers (FTP, HTTP, and others). Name: compat-libcurl3 Version: 7.15.5 -Release: 1%{?dist} +Release: 2%{?dist} License: MIT Group: Applications/Internet Source: http://curl.haxx.se/download/curl-%{version}.tar.bz2 @@ -18,6 +20,11 @@ Patch9: curl-7.15.5-bz532069.patch Patch10: curl-7.15.5-bz563220.patch Patch11: curl-7.15.5-bz655073.patch Patch12: curl-7.15.5-CVE-2011-2192.patch +Patch13: curl-7.15.5-bz723643.patch +Patch14: curl-7.15.5-bz652557.patch +Patch15: curl-7.15.5-bz657396.patch +Patch16: curl-7.15.5-bz688871.patch +Patch17: curl-7.15.5-bz746849.patch URL: http://curl.haxx.se/ BuildRoot: %{_tmppath}/%{name}-%{version}-root BuildRequires: openssl-devel, libtool, pkgconfig, libidn-devel @@ -31,7 +38,8 @@ offers many useful capabilities, like proxy support, user authentication, FTP upload, HTTP post, and file transfer resume. %{name} is provided for compatibility for package build against old -libcurl (libcurl.so.3 provided by version < 7.16) +libcurl (libcurl.so.3 provided by version < 7.16). +In sync with curl-%{version}-%{rhelrel}. %package devel @@ -63,6 +71,11 @@ rm -rf $RPM_BUILD_ROOT %patch10 -p1 -b .bz563220 %patch11 -p1 -b .bz655073 %patch12 -p1 -b .CVE-2011-2192 +%patch13 -p1 -b .bz723643 +%patch14 -p1 -b .bz652557 +%patch15 -p1 -b .bz657396 +%patch16 -p1 -b .bz688871 +%patch17 -p1 -b .bz746849 %build aclocal @@ -119,15 +132,39 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man3/* %changelog -* Tue Aug 16 2011 Remi Collet <RPMS@FamilleCollet.com> - 7.21.7-3 +* Sun Jun 24 2012 Remi Collet <RPMS@FamilleCollet.com> - 7.15.5-2 +- sync with curl 7.15.5-15 + +* Thu Oct 27 2011 Kamil Dudka <kdudka@redhat.com> 7.15.5-15 +- introduce the --delegation option of curl (#746849) + +* Fri Oct 21 2011 Kamil Dudka <kdudka@redhat.com> 7.15.5-14 +- fix stack smashing in the FTP implementation (#652557) +- fix proxy kerberos authentication (#657396) +- update running_handles counter properly in curl_multi_remove_handle (#688871) + +* Tue Aug 16 2011 Remi Collet <RPMS@FamilleCollet.com> - 7.15.5-1 - build as compat-libcurl3 for remi repository +- sync with 7.15.5-9.el5_6.3 + +* Wed Aug 03 2011 Kamil Dudka <kdudka@redhat.com> 7.15.5-13 +- add a new option CURLOPT_GSSAPI_DELEGATION (#723643) + +* Thu Jun 23 2011 Kamil Dudka <kdudka@redhat.com> 7.15.5-12 +- do not delegate GSSAPI credentials (CVE-2011-2192) * Thu Jun 23 2011 Kamil Dudka <kdudka@redhat.com> 7.15.5-9.el5_6.3 - do not delegate GSSAPI credentials (CVE-2011-2192) +* Mon Jan 24 2011 Kamil Dudka <kdudka@redhat.com> - 7.15.5-11 +- avoid use of uninitialized variable on failure of a LDAP request (#655073) + * Mon Jan 24 2011 Kamil Dudka <kdudka@redhat.com> - 7.15.5-9.el5_6.2 - avoid use of uninitialized variable on failure of a LDAP request (#670523) +* Tue Jan 18 2011 Kamil Dudka <kdudka@redhat.com> - 7.15.5-10 +- proxy tunnel support for LDAP requests (#655073) + * Tue Jan 18 2011 Kamil Dudka <kdudka@redhat.com> - 7.15.5-9.el5_6.1 - proxy tunnel support for LDAP requests (#670523) diff --git a/curl-7.15.5-bz652557.patch b/curl-7.15.5-bz652557.patch new file mode 100644 index 0000000..9aba025 --- /dev/null +++ b/curl-7.15.5-bz652557.patch @@ -0,0 +1,16 @@ +diff --git a/lib/ftp.c b/lib/ftp.c +index cd067e0..b1f61f9 100644 +--- a/lib/ftp.c ++++ b/lib/ftp.c +@@ -214,8 +214,10 @@ static CURLcode AllowServerConnect(struct connectdata *conn) + socklen_t size = (socklen_t) sizeof(struct sockaddr_in); + struct sockaddr_in add; + +- if(0 == getsockname(sock, (struct sockaddr *) &add, &size)) ++ if(0 == getsockname(sock, (struct sockaddr *) &add, &size)) { ++ size = sizeof(add); + s=accept(sock, (struct sockaddr *) &add, &size); ++ } + + sclose(sock); /* close the first socket */ + diff --git a/curl-7.15.5-bz657396.patch b/curl-7.15.5-bz657396.patch new file mode 100644 index 0000000..8abba2c --- /dev/null +++ b/curl-7.15.5-bz657396.patch @@ -0,0 +1,465 @@ +From 795a6b48946f22d4562e6ad859306ac62eb3f6a0 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg <daniel@haxx.se> +Date: Fri, 3 Nov 2006 12:43:55 +0000 +Subject: [PATCH 1/4] Olaf Stueben provided a patch that I edited slightly. It + fixes the notorious KNOWN_BUGS #25, which happens when + a proxy closes the connection when libcurl has sent + CONNECT, as part of an authentication negotiation. + Starting now, libcurl will re-connect accordingly and + continue the authentication as it should. + +Signed-off-by: Kamil Dudka <kdudka@redhat.com> +--- + lib/http.c | 15 +++++++++++++++ + lib/url.c | 54 +++++++++++++++++++++++++++++++++--------------------- + lib/urldata.h | 3 +++ + 3 files changed, 51 insertions(+), 21 deletions(-) + +diff --git a/lib/http.c b/lib/http.c +index 0fd0cbe..4d39a98 100644 +--- a/lib/http.c ++++ b/lib/http.c +@@ -1095,6 +1095,7 @@ CURLcode Curl_proxyCONNECT(struct connectdata *conn, + curl_socket_t tunnelsocket = conn->sock[sockindex]; + send_buffer *req_buffer; + curl_off_t cl=0; ++ bool closeConnection = FALSE; + + #define SELECT_OK 0 + #define SELECT_ERROR 1 +@@ -1102,6 +1103,7 @@ CURLcode Curl_proxyCONNECT(struct connectdata *conn, + int error = SELECT_OK; + + infof(data, "Establish HTTP proxy tunnel to %s:%d\n", hostname, remote_port); ++ conn->bits.proxy_connect_closed = FALSE; + + do { + if(conn->newurl) { +@@ -1295,6 +1297,9 @@ CURLcode Curl_proxyCONNECT(struct connectdata *conn, + cl = curlx_strtoofft(line_start + strlen("Content-Length:"), + NULL, 10); + } ++ else if(Curl_compareheader(line_start, ++ "Connection:", "close")) ++ closeConnection = TRUE; + else if(2 == sscanf(line_start, "HTTP/1.%d %d", + &subversion, + &k->httpcode)) { +@@ -1321,11 +1326,21 @@ CURLcode Curl_proxyCONNECT(struct connectdata *conn, + headers. 'newurl' is set to a new URL if we must loop. */ + Curl_http_auth_act(conn); + ++ if (closeConnection && conn->newurl) { ++ /* Connection closed by server. Don't use it anymore */ ++ sclose(conn->sock[sockindex]); ++ conn->sock[sockindex] = CURL_SOCKET_BAD; ++ break; ++ } + } while(conn->newurl); + + if(200 != k->httpcode) { + failf(data, "Received HTTP code %d from proxy after CONNECT", + k->httpcode); ++ ++ if (closeConnection && conn->newurl) ++ conn->bits.proxy_connect_closed = TRUE; ++ + return CURLE_RECV_ERROR; + } + +diff --git a/lib/url.c b/lib/url.c +index 1a0c206..bf4a3dd 100644 +--- a/lib/url.c ++++ b/lib/url.c +@@ -2484,7 +2484,8 @@ CURLcode Curl_protocol_connect(struct connectdata *conn, bool *protocol_done) + + /* it has started, possibly even completed but that knowledge isn't stored + in this bit! */ +- conn->bits.protoconnstart = TRUE; ++ if (!result) ++ conn->bits.protoconnstart = TRUE; + } + + return result; /* pass back status */ +@@ -3981,30 +3982,41 @@ static CURLcode SetupConnection(struct connectdata *conn, + data->state.crlf_conversions = 0; /* reset CRLF conversion counter */ + #endif /* CURL_DO_LINEEND_CONV */ + +- if(CURL_SOCKET_BAD == conn->sock[FIRSTSOCKET]) { +- bool connected = FALSE; ++ for(;;) { ++ /* loop for CURL_SERVER_CLOSED_CONNECTION */ + +- /* Connect only if not already connected! */ +- result = ConnectPlease(conn, hostaddr, &connected); ++ if(CURL_SOCKET_BAD == conn->sock[FIRSTSOCKET]) { ++ bool connected = FALSE; + +- if(connected) { +- result = Curl_protocol_connect(conn, protocol_done); +- if(CURLE_OK == result) +- conn->bits.tcpconnect = TRUE; +- } +- else +- conn->bits.tcpconnect = FALSE; ++ /* Connect only if not already connected! */ ++ result = ConnectPlease(conn, hostaddr, &connected); + ++ if(connected) { ++ result = Curl_protocol_connect(conn, protocol_done); ++ if(CURLE_OK == result) ++ conn->bits.tcpconnect = TRUE; ++ } ++ else ++ conn->bits.tcpconnect = FALSE; + +- if(CURLE_OK != result) +- return result; +- } +- else { +- Curl_pgrsTime(data, TIMER_CONNECT); /* we're connected already */ +- conn->bits.tcpconnect = TRUE; +- *protocol_done = TRUE; +- if(data->set.verbose) +- verboseconnect(conn); ++ /* if the connection was closed by the server while exchanging ++ authentication informations, retry with the new set ++ authentication information */ ++ if(conn->bits.proxy_connect_closed) ++ continue; ++ ++ if(CURLE_OK != result) ++ return result; ++ } ++ else { ++ Curl_pgrsTime(data, TIMER_CONNECT); /* we're connected already */ ++ conn->bits.tcpconnect = TRUE; ++ *protocol_done = TRUE; ++ if(data->set.verbose) ++ verboseconnect(conn); ++ } ++ /* Stop the loop now */ ++ break; + } + + conn->now = Curl_tvnow(); /* time this *after* the connect is done, we +diff --git a/lib/urldata.h b/lib/urldata.h +index d092113..3ac8fbf 100644 +--- a/lib/urldata.h ++++ b/lib/urldata.h +@@ -454,6 +454,9 @@ struct ConnectBits { + when Curl_done() is called, to prevent Curl_done() to + get invoked twice when the multi interface is + used. */ ++ bool proxy_connect_closed; /* set true if a proxy disconnected the ++ connection in a CONNECT request with auth, so ++ that libcurl should reconnect and continue. */ + }; + + struct hostname { +-- +1.7.4.4 + + +From e3c76c19fd8d61f41b4025c4f085413dd9935e28 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg <daniel@haxx.se> +Date: Tue, 10 Jul 2007 22:31:13 +0000 +Subject: [PATCH 2/4] Giancarlo Formicuccia reported and fixed a problem with + a closed connection to a proxy during CONNECT auth + negotiation. + +Signed-off-by: Kamil Dudka <kdudka@redhat.com> +--- + lib/http.c | 3 +++ + 1 files changed, 3 insertions(+), 0 deletions(-) + +diff --git a/lib/http.c b/lib/http.c +index 4d39a98..6481fa0 100644 +--- a/lib/http.c ++++ b/lib/http.c +@@ -1300,6 +1300,9 @@ CURLcode Curl_proxyCONNECT(struct connectdata *conn, + else if(Curl_compareheader(line_start, + "Connection:", "close")) + closeConnection = TRUE; ++ else if(Curl_compareheader(line_start, ++ "Proxy-Connection:", "close")) ++ closeConnection = TRUE; + else if(2 == sscanf(line_start, "HTTP/1.%d %d", + &subversion, + &k->httpcode)) { +-- +1.7.4.4 + + +From c1bfdb84733e58b11dce10eb2c99bf4c1f5c8806 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg <daniel@haxx.se> +Date: Fri, 21 Sep 2007 11:05:31 +0000 +Subject: [PATCH 3/4] Mark Davies fixed Negotiate authentication over proxy, + and also introduced the --proxy-negotiate command line + option to allow a user to explicitly select it. + +Signed-off-by: Kamil Dudka <kdudka@redhat.com> +--- + docs/curl.1 | 11 +++++++++++ + lib/http.c | 16 ++++++++++++++-- + lib/http_negotiate.c | 14 +++++++------- + lib/http_negotiate.h | 4 ++-- + src/main.c | 11 +++++++++++ + 5 files changed, 45 insertions(+), 11 deletions(-) + +diff --git a/docs/curl.1 b/docs/curl.1 +index e62be55..2658954 100644 +--- a/docs/curl.1 ++++ b/docs/curl.1 +@@ -688,6 +688,9 @@ meant as a support for Kerberos5 authentication but may be also used along + with another authentication methods. For more information see IETF draft + draft-brezak-spnego-http-04.txt. + ++If you want to enable Negotiate for your proxy authentication, then use ++\fI--proxy-negotiate\fP. ++ + This option requires that the library was built with GSSAPI support. This is + not very common. Use \fI-V/--version\fP to see if your version supports + GSS-Negotiate. +@@ -768,6 +771,14 @@ Tells curl to use HTTP Digest authentication when communicating with the given + proxy. Use \fI--digest\fP for enabling HTTP Digest with a remote host. + + If this option is used twice, the second will again disable proxy HTTP Digest. ++.IP "--proxy-negotiate" ++Tells curl to use HTTP Negotiate authentication when communicating ++with the given proxy. Use \fI--negotiate\fP for enabling HTTP Negotiate ++with a remote host. ++ ++If this option is used twice, the second will again disable proxy HTTP ++Negotiate. ++ + .IP "--proxy-ntlm" + Tells curl to use HTTP NTLM authentication when communicating with the given + proxy. Use \fI--ntlm\fP for enabling NTLM with a remote host. +diff --git a/lib/http.c b/lib/http.c +index 6481fa0..033ee9b 100644 +--- a/lib/http.c ++++ b/lib/http.c +@@ -416,6 +416,18 @@ Curl_http_output_auth(struct connectdata *conn, + /* Send proxy authentication header if needed */ + if (conn->bits.httpproxy && + (conn->bits.tunnel_proxy == proxytunnel)) { ++#ifdef HAVE_GSSAPI ++ if((authproxy->picked == CURLAUTH_GSSNEGOTIATE) && ++ data->state.negotiate.context && ++ !GSS_ERROR(data->state.negotiate.status)) { ++ auth="GSS-Negotiate"; ++ result = Curl_output_negotiate(conn, TRUE); ++ if (result) ++ return result; ++ authproxy->done = TRUE; ++ } ++ else ++#endif + #ifdef USE_NTLM + if(authproxy->picked == CURLAUTH_NTLM) { + auth=(char *)"NTLM"; +@@ -478,7 +490,7 @@ Curl_http_output_auth(struct connectdata *conn, + data->state.negotiate.context && + !GSS_ERROR(data->state.negotiate.status)) { + auth=(char *)"GSS-Negotiate"; +- result = Curl_output_negotiate(conn); ++ result = Curl_output_negotiate(conn, FALSE); + if (result) + return result; + authhost->done = TRUE; +@@ -585,7 +597,7 @@ CURLcode Curl_http_input_auth(struct connectdata *conn, + authp->avail |= CURLAUTH_GSSNEGOTIATE; + if(authp->picked == CURLAUTH_GSSNEGOTIATE) { + /* if exactly this is wanted, go */ +- int neg = Curl_input_negotiate(conn, start); ++ int neg = Curl_input_negotiate(conn, (bool)(httpcode == 407), start); + if (neg == 0) { + conn->newurl = strdup(data->change.url); + data->state.authproblem = (conn->newurl == NULL); +diff --git a/lib/http_negotiate.c b/lib/http_negotiate.c +index 3fc678f..73deda5 100644 +--- a/lib/http_negotiate.c ++++ b/lib/http_negotiate.c +@@ -49,7 +49,7 @@ + #include "memdebug.h" + + static int +-get_gss_name(struct connectdata *conn, gss_name_t *server) ++get_gss_name(struct connectdata *conn, bool proxy, gss_name_t *server) + { + struct negotiatedata *neg_ctx = &conn->data->state.negotiate; + OM_uint32 major_status, minor_status; +@@ -69,11 +69,11 @@ get_gss_name(struct connectdata *conn, gss_name_t *server) + else + service = "HTTP"; + +- token.length = strlen(service) + 1 + strlen(conn->host.name) + 1; ++ token.length = strlen(service) + 1 + strlen(proxy ? conn->proxy.name : conn->host.name) + 1; + if (token.length + 1 > sizeof(name)) + return EMSGSIZE; + +- snprintf(name, sizeof(name), "%s@%s", service, conn->host.name); ++ snprintf(name, sizeof(name), "%s@%s", service, proxy ? conn->proxy.name : conn->host.name); + + token.value = (void *) name; + major_status = gss_import_name(&minor_status, +@@ -113,7 +113,7 @@ log_gss_error(struct connectdata *conn, OM_uint32 error_status, char *prefix) + infof(conn->data, "%s", buf); + } + +-int Curl_input_negotiate(struct connectdata *conn, char *header) ++int Curl_input_negotiate(struct connectdata *conn, bool proxy, char *header) + { + struct negotiatedata *neg_ctx = &conn->data->state.negotiate; + OM_uint32 major_status, minor_status, minor_status2; +@@ -169,7 +169,7 @@ int Curl_input_negotiate(struct connectdata *conn, char *header) + } + + if (neg_ctx->server_name == NULL && +- (ret = get_gss_name(conn, &neg_ctx->server_name))) ++ (ret = get_gss_name(conn, proxy, &neg_ctx->server_name))) + return ret; + + header += strlen(neg_ctx->protocol); +@@ -258,7 +258,7 @@ int Curl_input_negotiate(struct connectdata *conn, char *header) + } + + +-CURLcode Curl_output_negotiate(struct connectdata *conn) ++CURLcode Curl_output_negotiate(struct connectdata *conn, bool proxy) + { + struct negotiatedata *neg_ctx = &conn->data->state.negotiate; + char *encoded = NULL; +@@ -310,7 +310,7 @@ CURLcode Curl_output_negotiate(struct connectdata *conn) + return CURLE_OUT_OF_MEMORY; + + conn->allocptr.userpwd = +- aprintf("Authorization: %s %s\r\n", neg_ctx->protocol, encoded); ++ aprintf("%sAuthorization: %s %s\r\n", proxy ? "Proxy-" : "", neg_ctx->protocol, encoded); + free(encoded); + Curl_cleanup_negotiate (conn->data); + return (conn->allocptr.userpwd == NULL) ? CURLE_OUT_OF_MEMORY : CURLE_OK; +diff --git a/lib/http_negotiate.h b/lib/http_negotiate.h +index cf8b048..8604a0c 100644 +--- a/lib/http_negotiate.h ++++ b/lib/http_negotiate.h +@@ -27,10 +27,10 @@ + #ifdef HAVE_GSSAPI + + /* this is for Negotiate header input */ +-int Curl_input_negotiate(struct connectdata *conn, char *header); ++int Curl_input_negotiate(struct connectdata *conn, bool proxy, char *header); + + /* this is for creating Negotiate header output */ +-CURLcode Curl_output_negotiate(struct connectdata *conn); ++CURLcode Curl_output_negotiate(struct connectdata *conn, bool proxy); + + void Curl_cleanup_negotiate(struct SessionHandle *data); + +diff --git a/src/main.c b/src/main.c +index 9f378db..44dd2c4 100644 +--- a/src/main.c ++++ b/src/main.c +@@ -309,6 +309,7 @@ struct Configurable { + bool create_dirs; + bool ftp_create_dirs; + bool ftp_skip_ip; ++ bool proxynegotiate; + bool proxyntlm; + bool proxydigest; + bool proxybasic; +@@ -555,6 +556,7 @@ static void help(void) + " --proxy-anyauth Pick \"any\" proxy authentication method (H)", + " --proxy-basic Use Basic authentication on the proxy (H)", + " --proxy-digest Use Digest authentication on the proxy (H)", ++ " --proxy-negotiate Use Negotiate authentication on the proxy (H)", + " --proxy-ntlm Use NTLM authentication on the proxy (H)", + " -P/--ftp-port <address> Use PORT with address instead of PASV (F)", + " -q If used as the first parameter disables .curlrc", +@@ -1347,6 +1349,7 @@ static ParameterError getparameter(char *flag, /* f or -long-flag */ + {"$t", "socks4", TRUE}, + {"$u", "ftp-alternative-to-user", TRUE}, + {"$v", "ftp-ssl-reqd", FALSE}, ++ {"$w", "proxy-negotiate", FALSE}, + + {"0", "http1.0", FALSE}, + {"1", "tlsv1", FALSE}, +@@ -1789,6 +1792,12 @@ static ParameterError getparameter(char *flag, /* f or -long-flag */ + case 'v': /* --ftp-ssl-reqd */ + config->ftp_ssl_reqd ^= TRUE; + break; ++ case 'w': /* --proxy-negotiate */ ++ if(curlinfo->features & CURL_VERSION_GSSNEGOTIATE) ++ config->proxynegotiate ^= TRUE; ++ else ++ return PARAM_LIBCURL_DOESNT_SUPPORT; ++ break; + } + break; + case '#': /* --progress-bar */ +@@ -3960,6 +3969,8 @@ operate(struct Configurable *config, int argc, char *argv[]) + config->ftp_create_dirs); + if(config->proxyanyauth) + curl_easy_setopt(curl, CURLOPT_PROXYAUTH, CURLAUTH_ANY); ++ else if(config->proxynegotiate) ++ curl_easy_setopt(curl, CURLOPT_PROXYAUTH, CURLAUTH_GSSNEGOTIATE); + else if(config->proxyntlm) + curl_easy_setopt(curl, CURLOPT_PROXYAUTH, CURLAUTH_NTLM); + else if(config->proxydigest) +-- +1.7.4.4 + + +From 88507544781155092ccee225bff92a0177e0f4df Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg <daniel@haxx.se> +Date: Mon, 16 Aug 2010 22:19:38 +0200 +Subject: [PATCH 4/4] negotiation: Wrong proxy authorization + +There's an error in http_negotiation.c where a mistake is using only +userpwd even for proxy requests. Ludek provided a patch, but I decided +to write the fix slightly different using his patch as inspiration. + +Reported by: Ludek Finstrle +Bug: http://curl.haxx.se/bug/view.cgi?id=3046066 + +Signed-off-by: Kamil Dudka <kdudka@redhat.com> +--- + lib/http_negotiate.c | 12 +++++++++--- + 1 files changed, 9 insertions(+), 3 deletions(-) + +diff --git a/lib/http_negotiate.c b/lib/http_negotiate.c +index 73deda5..1d6119d 100644 +--- a/lib/http_negotiate.c ++++ b/lib/http_negotiate.c +@@ -263,6 +263,7 @@ CURLcode Curl_output_negotiate(struct connectdata *conn, bool proxy) + struct negotiatedata *neg_ctx = &conn->data->state.negotiate; + char *encoded = NULL; + int len; ++ char *userp; + + #ifdef HAVE_SPNEGO /* Handle SPNEGO */ + if (checkprefix("Negotiate",neg_ctx->protocol)) { +@@ -309,11 +310,16 @@ CURLcode Curl_output_negotiate(struct connectdata *conn, bool proxy) + if (len < 0) + return CURLE_OUT_OF_MEMORY; + +- conn->allocptr.userpwd = +- aprintf("%sAuthorization: %s %s\r\n", proxy ? "Proxy-" : "", neg_ctx->protocol, encoded); ++ userp = aprintf("%sAuthorization: %s %s\r\n", proxy ? "Proxy-" : "", ++ neg_ctx->protocol, encoded); ++ ++ if(proxy) ++ conn->allocptr.proxyuserpwd = userp; ++ else ++ conn->allocptr.userpwd = userp; + free(encoded); + Curl_cleanup_negotiate (conn->data); +- return (conn->allocptr.userpwd == NULL) ? CURLE_OUT_OF_MEMORY : CURLE_OK; ++ return (userp == NULL) ? CURLE_OUT_OF_MEMORY : CURLE_OK; + } + + void Curl_cleanup_negotiate(struct SessionHandle *data) +-- +1.7.4.4 + diff --git a/curl-7.15.5-bz688871.patch b/curl-7.15.5-bz688871.patch new file mode 100644 index 0000000..5904fc7 --- /dev/null +++ b/curl-7.15.5-bz688871.patch @@ -0,0 +1,28 @@ +From e1e8d68d8d731ab38aa55328ab5ed32bd26d8c94 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg <daniel@haxx.se> +Date: Fri, 25 Aug 2006 13:53:20 +0000 +Subject: [PATCH] curl - rhbz #688871 + +backport of upstream 2ff609d +--- + lib/multi.c | 4 ++++ + 1 files changed, 4 insertions(+), 0 deletions(-) + +diff --git a/lib/multi.c b/lib/multi.c +index 89a1f99..0bcc744 100644 +--- a/lib/multi.c ++++ b/lib/multi.c +@@ -386,6 +386,10 @@ CURLMcode curl_multi_remove_handle(CURLM *multi_handle, + if(easy) { + /* If the 'state' is not INIT or COMPLETED, we might need to do something + nice to put the easy_handle in a good known state when this returns. */ ++ if(easy->state != CURLM_STATE_COMPLETED) ++ /* this handle is "alive" so we need to count down the total number of ++ alive connections when this is removed */ ++ multi->num_alive--; + + /* The timer must be shut down before easy->multi is set to NULL, + else the timenode will remain in the splay tree after +-- +1.7.4.4 + diff --git a/curl-7.15.5-bz723643.patch b/curl-7.15.5-bz723643.patch new file mode 100644 index 0000000..f354c5b --- /dev/null +++ b/curl-7.15.5-bz723643.patch @@ -0,0 +1,124 @@ +From 5a40e781345ed1c6eb5ae8fd7103719ebacd66e8 Mon Sep 17 00:00:00 2001 +From: Kamil Dudka <kdudka@redhat.com> +Date: Wed, 3 Aug 2011 14:30:45 +0200 +Subject: [PATCH] curl - rhbz #723643 + +--- + docs/libcurl/curl_easy_setopt.3 | 8 ++++++++ + include/curl/curl.h | 7 +++++++ + lib/http_negotiate.c | 15 ++++++++++++++- + lib/url.c | 6 ++++++ + lib/urldata.h | 3 +++ + 5 files changed, 38 insertions(+), 1 deletions(-) + +diff --git a/docs/libcurl/curl_easy_setopt.3 b/docs/libcurl/curl_easy_setopt.3 +index 00a819b..c259c5a 100644 +--- a/docs/libcurl/curl_easy_setopt.3 ++++ b/docs/libcurl/curl_easy_setopt.3 +@@ -1330,6 +1330,14 @@ krb4 awareness. This is a string, 'clear', 'safe', 'confidential' or + \&'private'. If the string is set but doesn't match one of these, 'private' + will be used. Set the string to NULL to disable kerberos4. The kerberos + support only works for FTP. ++.IP CURLOPT_GSSAPI_DELEGATION ++Set the parameter to CURLGSSAPI_DELEGATION_FLAG to allow unconditional GSSAPI ++credential delegation. The delegation is disabled by default since 7.21.7. ++Set the parameter to CURLGSSAPI_DELEGATION_POLICY_FLAG to delegate only if ++the OK-AS-DELEGATE flag is set in the service ticket in case this feature is ++supported by the GSSAPI implementation and the definition of ++GSS_C_DELEG_POLICY_FLAG was available at compile-time. ++(Added in 7.21.8) + .SH OTHER OPTIONS + .IP CURLOPT_PRIVATE + Pass a char * as parameter, pointing to data that should be associated with +diff --git a/include/curl/curl.h b/include/curl/curl.h +index 8ff213b..c4a0cab 100644 +--- a/include/curl/curl.h ++++ b/include/curl/curl.h +@@ -388,6 +388,10 @@ typedef enum { + #define CURLE_FTP_BAD_DOWNLOAD_RESUME CURLE_BAD_DOWNLOAD_RESUME + #endif + ++#define CURLGSSAPI_DELEGATION_NONE 0 /* no delegation (default) */ ++#define CURLGSSAPI_DELEGATION_POLICY_FLAG (1<<0) /* if permitted by policy */ ++#define CURLGSSAPI_DELEGATION_FLAG (1<<1) /* delegate always */ ++ + #define CURL_ERROR_SIZE 256 + + /* parameter for the CURLOPT_FTP_SSL option */ +@@ -1012,6 +1016,9 @@ typedef enum { + to CURLPROTO_ALL & ~CURLPROTO_FILE. */ + CINIT(REDIR_PROTOCOLS, LONG, 182), + ++ /* allow GSSAPI credential delegation */ ++ CINIT(GSSAPI_DELEGATION, LONG, 210), ++ + CURLOPT_LASTENTRY /* the last unused */ + } CURLoption; + +diff --git a/lib/http_negotiate.c b/lib/http_negotiate.c +index 4015e2f..7758049 100644 +--- a/lib/http_negotiate.c ++++ b/lib/http_negotiate.c +@@ -123,6 +123,19 @@ int Curl_input_negotiate(struct connectdata *conn, char *header) + size_t len; + bool gss; + const char* protocol; ++ OM_uint32 req_flags = 0; ++ ++ if(conn->data->set.gssapi_delegation & CURLGSSAPI_DELEGATION_POLICY_FLAG) { ++#ifdef GSS_C_DELEG_POLICY_FLAG ++ req_flags |= GSS_C_DELEG_POLICY_FLAG; ++#else ++ infof(conn->data, "warning: support for CURLGSSAPI_DELEGATION_POLICY_FLAG " ++ "not compiled in\n"); ++#endif ++ } ++ ++ if(conn->data->set.gssapi_delegation & CURLGSSAPI_DELEGATION_FLAG) ++ req_flags |= GSS_C_DELEG_FLAG; + + while(*header && isspace((int)*header)) + header++; +@@ -216,7 +229,7 @@ int Curl_input_negotiate(struct connectdata *conn, char *header) + &neg_ctx->context, + neg_ctx->server_name, + GSS_C_NO_OID, +- 0, ++ req_flags, + 0, + GSS_C_NO_CHANNEL_BINDINGS, + &input_token, +diff --git a/lib/url.c b/lib/url.c +index 0528605..1a0c206 100644 +--- a/lib/url.c ++++ b/lib/url.c +@@ -1322,6 +1322,12 @@ CURLcode Curl_setopt(struct SessionHandle *data, CURLoption option, + data->set.krb4_level = va_arg(param, char *); + data->set.krb4=data->set.krb4_level?TRUE:FALSE; + break; ++ case CURLOPT_GSSAPI_DELEGATION: ++ /* ++ * GSSAPI credential delegation ++ */ ++ data->set.gssapi_delegation = va_arg(param, long); ++ break; + case CURLOPT_SSL_VERIFYPEER: + /* + * Enable peer SSL verifying. +diff --git a/lib/urldata.h b/lib/urldata.h +index 0ef49d5..d092113 100644 +--- a/lib/urldata.h ++++ b/lib/urldata.h +@@ -1156,6 +1156,9 @@ struct UserDefined { + bool connect_only; /* make connection, let application use the socket */ + long allowed_protocols; + long redir_protocols; ++ ++ long gssapi_delegation; /* GSSAPI credential delegation, see the ++ documentation of CURLOPT_GSSAPI_DELEGATION */ + }; + + struct Names { +-- +1.7.4.4 + diff --git a/curl-7.15.5-bz746849.patch b/curl-7.15.5-bz746849.patch new file mode 100644 index 0000000..0994c83 --- /dev/null +++ b/curl-7.15.5-bz746849.patch @@ -0,0 +1,125 @@ +From 85d002123e5dea3de2499617d619253023335d8e Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg <daniel@haxx.se> +Date: Fri, 12 Aug 2011 14:48:32 +0200 +Subject: [PATCH 1/2] added --delegation + +Using this option with an argument being set to one of +none/policy/always instructs libcurl how to deal with GSS +credentials. Or rather how it tells the server that delegation is fine +or not. + +Signed-off-by: Kamil Dudka <kdudka@redhat.com> +--- + src/main.c | 24 ++++++++++++++++++++++++ + 1 files changed, 24 insertions(+), 0 deletions(-) + +diff --git a/src/main.c b/src/main.c +index 44dd2c4..0753429 100644 +--- a/src/main.c ++++ b/src/main.c +@@ -359,6 +359,7 @@ struct Configurable { + int ftp_filemethod; + + bool ignorecl; /* --ignore-content-length */ ++ long gssapi_delegation; + }; + + #define WARN_PREFIX "Warning: " +@@ -489,6 +490,7 @@ static void help(void) + " --data-ascii <data> HTTP POST ASCII data (H)", + " --data-binary <data> HTTP POST binary data (H)", + " --negotiate Use HTTP Negotiate Authentication (H)", ++ " --delegation STRING GSS-API delegation permission", + " --digest Use HTTP Digest Authentication (H)", + " --disable-eprt Inhibit using EPRT or LPRT (F)", + " --disable-epsv Inhibit using EPSV (F)", +@@ -1097,6 +1099,18 @@ static int formparse(struct Configurable *config, + return 0; + } + ++static long delegation(struct Configurable *config, ++ char *str) ++{ ++ if(!strcasecmp("none", str)) ++ return CURLGSSAPI_DELEGATION_NONE; ++ if(!strcasecmp("policy", str)) ++ return CURLGSSAPI_DELEGATION_POLICY_FLAG; ++ if(!strcasecmp("always", str)) ++ return CURLGSSAPI_DELEGATION_FLAG; ++ warnf(config, "unrecognized delegation method '%s', using none\n", str); ++ return CURLGSSAPI_DELEGATION_NONE; ++} + + typedef enum { + PARAM_OK, +@@ -1351,6 +1365,8 @@ static ParameterError getparameter(char *flag, /* f or -long-flag */ + {"$v", "ftp-ssl-reqd", FALSE}, + {"$w", "proxy-negotiate", FALSE}, + ++ {"$G", "delegation", TRUE}, ++ + {"0", "http1.0", FALSE}, + {"1", "tlsv1", FALSE}, + {"2", "sslv2", FALSE}, +@@ -1798,6 +1814,9 @@ static ParameterError getparameter(char *flag, /* f or -long-flag */ + else + return PARAM_LIBCURL_DOESNT_SUPPORT; + break; ++ case 'G': /* --delegation LEVEL */ ++ config->gssapi_delegation = delegation(config, nextarg); ++ break; + } + break; + case '#': /* --progress-bar */ +@@ -4029,6 +4048,11 @@ operate(struct Configurable *config, int argc, char *argv[]) + /* curl x.xx.x */ + curl_easy_setopt(curl, CURLOPT_FTP_ALTERNATIVE_TO_USER, config->ftp_alternative_to_user); + ++ /* new in 7.22.0 */ ++ if(config->gssapi_delegation) ++ curl_easy_setopt(curl, CURLOPT_GSSAPI_DELEGATION, ++ config->gssapi_delegation); ++ + retry_numretries = config->req_retry; + + retrystart = curlx_tvnow(); +-- +1.7.1 + + +From 1a5566b1e84d0143899538f469596caf8f10d666 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg <daniel@haxx.se> +Date: Fri, 12 Aug 2011 23:51:41 +0200 +Subject: [PATCH 2/2] docs: --delegation + +Signed-off-by: Kamil Dudka <kdudka@redhat.com> +--- + docs/curl.1 | 12 ++++++++++++ + 1 files changed, 12 insertions(+), 0 deletions(-) + +diff --git a/docs/curl.1 b/docs/curl.1 +index 2658954..61bd4e9 100644 +--- a/docs/curl.1 ++++ b/docs/curl.1 +@@ -256,6 +256,18 @@ the \fI--data-ascii\fP option, this is for you. + + If this option is used several times, the ones following the first will + append data. ++.IP "--delegation LEVEL" ++Set \fILEVEL\fP to tell the server what it is allowed to delegate when it ++comes to user credentials. Used with GSS/kerberos. ++.RS ++.IP "none" ++Don't allow any delegation. ++.IP "policy" ++Delegates if and only if the OK-AS-DELEGATE flag is set in the Kerberos ++service ticket, which is a matter of realm policy. ++.IP "always" ++Unconditionally allow the server to delegate. ++.RE + .IP "--digest" + (HTTP) Enables HTTP Digest authentication. This is a authentication that + prevents the password from being sent over the wire in clear text. Use this in +-- +1.7.1 + |