authorRemi Collet <fedora@famillecollet.com>2013-03-20 12:53:53 +0100
committerRemi Collet <fedora@famillecollet.com>2013-03-20 12:53:53 +0100
commit3a7fae97dc994e8a1ac5f2253527c7b76c86e8be (patch)
tree4db0e04a1e4e1245fa1f8fc2efb7babe7c4dc478
parentbfa3b079bab342a5d18f754662c996de90c2ffcd (diff)
curl: sync with 7.27.0-7 from F18
-rw-r--r--0001-curl-7.21.7-a7864c4.patch453
-rw-r--r--0001-curl-7.27.0-1f8518c5.patch34
-rw-r--r--0002-curl-7.21.7-5eb2396.patch30
-rw-r--r--0002-curl-7.27.0-f05e5136.patch197
-rw-r--r--0003-curl-7.21.7-5538904.patch131
-rw-r--r--0003-curl-7.27.0-382429e7.patch32
-rw-r--r--0004-curl-7.21.7-d6f319f.patch118
-rw-r--r--0004-curl-7.27.0-52b6eda4.patch115
-rw-r--r--0005-curl-7.21.7-61ae7e9.patch46
-rw-r--r--0005-curl-7.27.0-f208bf5a.patch190
-rw-r--r--0006-curl-7.21.7-3445fa2.patch146
-rw-r--r--0006-curl-7.27.0-68d2830e.patch68
-rw-r--r--0007-curl-7.27.0-b36f1d26.patch55
-rw-r--r--0008-curl-7.27.0-26613d78.patch30
-rw-r--r--0009-curl-7.27.0-f206d6c0.patch69
-rw-r--r--0010-curl-7.27.0-57ccdfa8.patch158
-rw-r--r--0101-curl-7.27.0-multilib.patch (renamed from 0101-curl-7.21.1-multilib.patch)12
-rw-r--r--0102-curl-7.27.0-debug.patch58
-rw-r--r--0105-curl-7.21.3-disable-test1112.patch30
-rw-r--r--0108-curl-7.27.0-utf8.patch86
-rw-r--r--curl.spec83
21 files changed, 1147 insertions, 994 deletions
diff --git a/0001-curl-7.21.7-a7864c4.patch b/0001-curl-7.21.7-a7864c4.patch
deleted file mode 100644
index 477f1e1..0000000
--- a/0001-curl-7.21.7-a7864c4.patch
+++ /dev/null
@@ -1,453 +0,0 @@
-From fd86734fca0945b2d6b90d6d7d0224cf0732114a Mon Sep 17 00:00:00 2001
-From: Kamil Dudka <kdudka@redhat.com>
-Date: Wed, 3 Aug 2011 12:48:49 +0200
-Subject: [PATCH 1/2] curl - rhbz #719939
-
----
- docs/libcurl/curl_easy_setopt.3 | 8 ++++++
- docs/libcurl/symbols-in-versions | 4 +++
- include/curl/curl.h | 7 +++++
- lib/Makefile.in | 18 +++++++++++---
- lib/Makefile.inc | 4 +-
- lib/curl_gssapi.c | 44 ++++++++++++++++++++++++++++++++++++
- lib/curl_gssapi.h | 46 ++++++++++++++++++++++++++++++++++++++
- lib/http_negotiate.c | 6 ++++-
- lib/krb5.c | 6 ++++-
- lib/socks_gssapi.c | 7 ++++-
- lib/url.c | 6 +++++
- lib/urldata.h | 3 ++
- 12 files changed, 149 insertions(+), 10 deletions(-)
- create mode 100644 lib/curl_gssapi.c
- create mode 100644 lib/curl_gssapi.h
-
-diff --git a/docs/libcurl/curl_easy_setopt.3 b/docs/libcurl/curl_easy_setopt.3
-index c2804f3..3b7826b 100644
---- a/docs/libcurl/curl_easy_setopt.3
-+++ b/docs/libcurl/curl_easy_setopt.3
-@@ -2105,6 +2105,14 @@ of these, 'private' will be used. Set the string to NULL to disable kerberos
- support for FTP.
-
- (This option was known as CURLOPT_KRB4LEVEL up to 7.16.3)
-+.IP CURLOPT_GSSAPI_DELEGATION
-+Set the parameter to CURLGSSAPI_DELEGATION_FLAG to allow unconditional GSSAPI
-+credential delegation. The delegation is disabled by default since 7.21.7.
-+Set the parameter to CURLGSSAPI_DELEGATION_POLICY_FLAG to delegate only if
-+the OK-AS-DELEGATE flag is set in the service ticket in case this feature is
-+supported by the GSSAPI implementation and the definition of
-+GSS_C_DELEG_POLICY_FLAG was available at compile-time.
-+(Added in 7.21.8)
- .SH SSH OPTIONS
- .IP CURLOPT_SSH_AUTH_TYPES
- Pass a long set to a bitmask consisting of one or more of
-diff --git a/docs/libcurl/symbols-in-versions b/docs/libcurl/symbols-in-versions
-index 9257fb1..3c8f715 100644
---- a/docs/libcurl/symbols-in-versions
-+++ b/docs/libcurl/symbols-in-versions
-@@ -186,6 +186,9 @@ CURLFTPSSL_TRY 7.11.0 7.17.0
- CURLFTP_CREATE_DIR 7.19.4
- CURLFTP_CREATE_DIR_NONE 7.19.4
- CURLFTP_CREATE_DIR_RETRY 7.19.4
-+CURLGSSAPI_DELEGATION_FLAG 7.21.8
-+CURLGSSAPI_DELEGATION_NONE 7.21.8
-+CURLGSSAPI_DELEGATION_POLICY_FLAG 7.21.8
- CURLINFO_APPCONNECT_TIME 7.19.0
- CURLINFO_CERTINFO 7.19.1
- CURLINFO_CONDITION_UNMET 7.19.4
-@@ -344,6 +347,7 @@ CURLOPT_FTP_SSL_CCC 7.16.1
- CURLOPT_FTP_USE_EPRT 7.10.5
- CURLOPT_FTP_USE_EPSV 7.9.2
- CURLOPT_FTP_USE_PRET 7.20.0
-+CURLOPT_GSSAPI_DELEGATION 7.21.8
- CURLOPT_HEADER 7.1
- CURLOPT_HEADERDATA 7.10
- CURLOPT_HEADERFUNCTION 7.7.2
-diff --git a/include/curl/curl.h b/include/curl/curl.h
-index a9d42fa..bcbab86 100644
---- a/include/curl/curl.h
-+++ b/include/curl/curl.h
-@@ -614,6 +614,10 @@ typedef enum {
- #define CURLSSH_AUTH_KEYBOARD (1<<3) /* keyboard interactive */
- #define CURLSSH_AUTH_DEFAULT CURLSSH_AUTH_ANY
-
-+#define CURLGSSAPI_DELEGATION_NONE 0 /* no delegation (default) */
-+#define CURLGSSAPI_DELEGATION_POLICY_FLAG (1<<0) /* if permitted by policy */
-+#define CURLGSSAPI_DELEGATION_FLAG (1<<1) /* delegate always */
-+
- #define CURL_ERROR_SIZE 256
-
- struct curl_khkey {
-@@ -1483,6 +1487,9 @@ typedef enum {
- CINIT(CLOSESOCKETFUNCTION, FUNCTIONPOINT, 208),
- CINIT(CLOSESOCKETDATA, OBJECTPOINT, 209),
-
-+ /* allow GSSAPI credential delegation */
-+ CINIT(GSSAPI_DELEGATION, LONG, 210),
-+
- CURLOPT_LASTENTRY /* the last unused */
- } CURLoption;
-
-diff --git a/lib/Makefile.in b/lib/Makefile.in
-index a99f5e9..d5c65e7 100644
---- a/lib/Makefile.in
-+++ b/lib/Makefile.in
-@@ -94,7 +94,7 @@ am__objects_1 = file.lo timeval.lo base64.lo hostip.lo progress.lo \
- curl_threads.lo warnless.lo hmac.lo polarssl.lo curl_rtmp.lo \
- openldap.lo curl_gethostname.lo gopher.lo axtls.lo \
- idn_win32.lo http_negotiate_sspi.lo cyassl.lo http_proxy.lo \
-- non-ascii.lo asyn-ares.lo asyn-thread.lo
-+ non-ascii.lo asyn-ares.lo asyn-thread.lo curl_gssapi.lo
- am__objects_2 =
- am_libcurl_la_OBJECTS = $(am__objects_1) $(am__objects_2)
- libcurl_la_OBJECTS = $(am_libcurl_la_OBJECTS)
-@@ -144,7 +144,8 @@ am__objects_3 = libcurlu_la-file.lo libcurlu_la-timeval.lo \
- libcurlu_la-axtls.lo libcurlu_la-idn_win32.lo \
- libcurlu_la-http_negotiate_sspi.lo libcurlu_la-cyassl.lo \
- libcurlu_la-http_proxy.lo libcurlu_la-non-ascii.lo \
-- libcurlu_la-asyn-ares.lo libcurlu_la-asyn-thread.lo
-+ libcurlu_la-asyn-ares.lo libcurlu_la-asyn-thread.lo \
-+ libcurlu_la-curl_gssapi.lo
- am_libcurlu_la_OBJECTS = $(am__objects_3) $(am__objects_2)
- libcurlu_la_OBJECTS = $(am_libcurlu_la_OBJECTS)
- @BUILD_UNITTESTS_TRUE@am_libcurlu_la_rpath =
-@@ -479,7 +480,7 @@ CSOURCES = file.c timeval.c base64.c hostip.c progress.c formdata.c \
- pingpong.c rtsp.c curl_threads.c warnless.c hmac.c polarssl.c \
- curl_rtmp.c openldap.c curl_gethostname.c gopher.c axtls.c \
- idn_win32.c http_negotiate_sspi.c cyassl.c http_proxy.c non-ascii.c \
-- asyn-ares.c asyn-thread.c
-+ asyn-ares.c asyn-thread.c curl_gssapi.c
-
- HHEADERS = arpa_telnet.h netrc.h file.h timeval.h qssl.h hostip.h \
- progress.h formdata.h cookie.h http.h sendf.h ftp.h url.h dict.h \
-@@ -494,7 +495,7 @@ HHEADERS = arpa_telnet.h netrc.h file.h timeval.h qssl.h hostip.h \
- curl_base64.h rawstr.h curl_addrinfo.h curl_sspi.h slist.h nonblock.h \
- curl_memrchr.h imap.h pop3.h smtp.h pingpong.h rtsp.h curl_threads.h \
- warnless.h curl_hmac.h polarssl.h curl_rtmp.h curl_gethostname.h \
-- gopher.h axtls.h cyassl.h http_proxy.h non-ascii.h asyn.h
-+ gopher.h axtls.h cyassl.h http_proxy.h non-ascii.h asyn.h curl_gssapi.h
-
-
- # Makefile.inc provides the CSOURCES and HHEADERS defines
-@@ -612,6 +613,7 @@ distclean-compile:
- @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/curl_addrinfo.Plo@am__quote@
- @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/curl_fnmatch.Plo@am__quote@
- @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/curl_gethostname.Plo@am__quote@
-+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/curl_gssapi.Plo@am__quote@
- @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/curl_memrchr.Plo@am__quote@
- @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/curl_rand.Plo@am__quote@
- @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/curl_rtmp.Plo@am__quote@
-@@ -662,6 +664,7 @@ distclean-compile:
- @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libcurlu_la-curl_addrinfo.Plo@am__quote@
- @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libcurlu_la-curl_fnmatch.Plo@am__quote@
- @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libcurlu_la-curl_gethostname.Plo@am__quote@
-+@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libcurlu_la-curl_gssapi.Plo@am__quote@
- @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libcurlu_la-curl_memrchr.Plo@am__quote@
- @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libcurlu_la-curl_rand.Plo@am__quote@
- @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libcurlu_la-curl_rtmp.Plo@am__quote@
-@@ -1488,6 +1491,13 @@ libcurlu_la-asyn-thread.lo: asyn-thread.c
- @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
- @am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcurlu_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libcurlu_la-asyn-thread.lo `test -f 'asyn-thread.c' || echo '$(srcdir)/'`asyn-thread.c
-
-+libcurlu_la-curl_gssapi.lo: curl_gssapi.c
-+@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcurlu_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libcurlu_la-curl_gssapi.lo -MD -MP -MF $(DEPDIR)/libcurlu_la-curl_gssapi.Tpo -c -o libcurlu_la-curl_gssapi.lo `test -f 'curl_gssapi.c' || echo '$(srcdir)/'`curl_gssapi.c
-+@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libcurlu_la-curl_gssapi.Tpo $(DEPDIR)/libcurlu_la-curl_gssapi.Plo
-+@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='curl_gssapi.c' object='libcurlu_la-curl_gssapi.lo' libtool=yes @AMDEPBACKSLASH@
-+@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@
-+@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcurlu_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libcurlu_la-curl_gssapi.lo `test -f 'curl_gssapi.c' || echo '$(srcdir)/'`curl_gssapi.c
-+
- mostlyclean-libtool:
- -rm -f *.lo
-
-diff --git a/lib/Makefile.inc b/lib/Makefile.inc
-index 04285b5..51fc919 100644
---- a/lib/Makefile.inc
-+++ b/lib/Makefile.inc
-@@ -22,7 +22,7 @@ CSOURCES = file.c timeval.c base64.c hostip.c progress.c formdata.c \
- pingpong.c rtsp.c curl_threads.c warnless.c hmac.c polarssl.c \
- curl_rtmp.c openldap.c curl_gethostname.c gopher.c axtls.c \
- idn_win32.c http_negotiate_sspi.c cyassl.c http_proxy.c non-ascii.c \
-- asyn-ares.c asyn-thread.c
-+ asyn-ares.c asyn-thread.c curl_gssapi.c
-
- HHEADERS = arpa_telnet.h netrc.h file.h timeval.h qssl.h hostip.h \
- progress.h formdata.h cookie.h http.h sendf.h ftp.h url.h dict.h \
-@@ -37,4 +37,4 @@ HHEADERS = arpa_telnet.h netrc.h file.h timeval.h qssl.h hostip.h \
- curl_base64.h rawstr.h curl_addrinfo.h curl_sspi.h slist.h nonblock.h \
- curl_memrchr.h imap.h pop3.h smtp.h pingpong.h rtsp.h curl_threads.h \
- warnless.h curl_hmac.h polarssl.h curl_rtmp.h curl_gethostname.h \
-- gopher.h axtls.h cyassl.h http_proxy.h non-ascii.h asyn.h
-+ gopher.h axtls.h cyassl.h http_proxy.h non-ascii.h asyn.h curl_gssapi.h
-diff --git a/lib/curl_gssapi.c b/lib/curl_gssapi.c
-new file mode 100644
-index 0000000..e55c9cc
---- /dev/null
-+++ b/lib/curl_gssapi.c
-@@ -0,0 +1,44 @@
-+/***************************************************************************
-+ * _ _ ____ _
-+ * Project ___| | | | _ \| |
-+ * / __| | | | |_) | |
-+ * | (__| |_| | _ <| |___
-+ * \___|\___/|_| \_\_____|
-+ *
-+ * Copyright (C) 2011, Daniel Stenberg, <daniel@haxx.se>, et al.
-+ *
-+ * This software is licensed as described in the file COPYING, which
-+ * you should have received as part of this distribution. The terms
-+ * are also available at http://curl.haxx.se/docs/copyright.html.
-+ *
-+ * You may opt to use, copy, modify, merge, publish, distribute and/or sell
-+ * copies of the Software, and permit persons to whom the Software is
-+ * furnished to do so, under the terms of the COPYING file.
-+ *
-+ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
-+ * KIND, either express or implied.
-+ *
-+ ***************************************************************************/
-+
-+#include "setup.h"
-+
-+#ifdef HAVE_GSSAPI
-+
-+#include "curl_gssapi.h"
-+
-+void Curl_gss_req_flags(OM_uint32 *req_flags, const struct SessionHandle *data)
-+{
-+ if(data->set.gssapi_delegation & CURLGSSAPI_DELEGATION_POLICY_FLAG) {
-+#ifdef GSS_C_DELEG_POLICY_FLAG
-+ *req_flags |= GSS_C_DELEG_POLICY_FLAG;
-+#else
-+ infof(data, "warning: support for CURLGSSAPI_DELEGATION_POLICY_FLAG not "
-+ "compiled in\n");
-+#endif
-+ }
-+
-+ if(data->set.gssapi_delegation & CURLGSSAPI_DELEGATION_FLAG)
-+ *req_flags |= GSS_C_DELEG_FLAG;
-+}
-+
-+#endif /* HAVE_GSSAPI */
-diff --git a/lib/curl_gssapi.h b/lib/curl_gssapi.h
-new file mode 100644
-index 0000000..02aa527
---- /dev/null
-+++ b/lib/curl_gssapi.h
-@@ -0,0 +1,46 @@
-+#ifndef HEADER_CURL_GSSAPI_H
-+#define HEADER_CURL_GSSAPI_H
-+/***************************************************************************
-+ * _ _ ____ _
-+ * Project ___| | | | _ \| |
-+ * / __| | | | |_) | |
-+ * | (__| |_| | _ <| |___
-+ * \___|\___/|_| \_\_____|
-+ *
-+ * Copyright (C) 2011, Daniel Stenberg, <daniel@haxx.se>, et al.
-+ *
-+ * This software is licensed as described in the file COPYING, which
-+ * you should have received as part of this distribution. The terms
-+ * are also available at http://curl.haxx.se/docs/copyright.html.
-+ *
-+ * You may opt to use, copy, modify, merge, publish, distribute and/or sell
-+ * copies of the Software, and permit persons to whom the Software is
-+ * furnished to do so, under the terms of the COPYING file.
-+ *
-+ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
-+ * KIND, either express or implied.
-+ *
-+ ***************************************************************************/
-+
-+#include "setup.h"
-+#include "urldata.h"
-+
-+#ifdef HAVE_GSSAPI
-+
-+#ifdef HAVE_GSSGNU
-+# include <gss.h>
-+#elif defined HAVE_GSSMIT
-+ /* MIT style */
-+# include <gssapi/gssapi.h>
-+# include <gssapi/gssapi_generic.h>
-+# include <gssapi/gssapi_krb5.h>
-+#else
-+ /* Heimdal-style */
-+# include <gssapi.h>
-+#endif
-+
-+void Curl_gss_req_flags(OM_uint32 *req_flags, const struct SessionHandle *data);
-+
-+#endif /* HAVE_GSSAPI */
-+
-+#endif /* HEADER_CURL_GSSAPI_H */
-diff --git a/lib/http_negotiate.c b/lib/http_negotiate.c
-index 5127e64..8cb69fe 100644
---- a/lib/http_negotiate.c
-+++ b/lib/http_negotiate.c
-@@ -40,6 +40,7 @@
- #include "curl_base64.h"
- #include "http_negotiate.h"
- #include "curl_memory.h"
-+#include "curl_gssapi.h"
-
- #ifdef HAVE_SPNEGO
- # include <spnegohelp.h>
-@@ -144,6 +145,9 @@ int Curl_input_negotiate(struct connectdata *conn, bool proxy,
- bool gss;
- const char* protocol;
-
-+ OM_uint32 req_flags = 0;
-+ Curl_gss_req_flags(&req_flags, conn->data);
-+
- while(*header && ISSPACE(*header))
- header++;
- if(checkprefix("GSS-Negotiate", header)) {
-@@ -243,7 +247,7 @@ int Curl_input_negotiate(struct connectdata *conn, bool proxy,
- &neg_ctx->context,
- neg_ctx->server_name,
- GSS_C_NO_OID,
-- 0,
-+ req_flags,
- 0,
- GSS_C_NO_CHANNEL_BINDINGS,
- &input_token,
-diff --git a/lib/krb5.c b/lib/krb5.c
-index f128d51..08f70f9 100644
---- a/lib/krb5.c
-+++ b/lib/krb5.c
-@@ -65,6 +65,7 @@
- #include "sendf.h"
- #include "krb4.h"
- #include "curl_memory.h"
-+#include "curl_gssapi.h"
-
- #define _MPRINTF_REPLACE /* use our functions only */
- #include <curl/mprintf.h>
-@@ -185,6 +186,9 @@ krb5_auth(void *app_data, struct connectdata *conn)
- gss_ctx_id_t *context = app_data;
- struct gss_channel_bindings_struct chan;
-
-+ OM_uint32 req_flags = GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG;
-+ Curl_gss_req_flags(&req_flags, data);
-+
- if(getsockname(conn->sock[FIRSTSOCKET],
- (struct sockaddr *)LOCAL_ADDR, &l) < 0)
- perror("getsockname()");
-@@ -247,7 +251,7 @@ krb5_auth(void *app_data, struct connectdata *conn)
- context,
- gssname,
- GSS_C_NO_OID,
-- GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG,
-+ req_flags,
- 0,
- &chan,
- gssresp,
-diff --git a/lib/socks_gssapi.c b/lib/socks_gssapi.c
-index 653306c..57048be 100644
---- a/lib/socks_gssapi.c
-+++ b/lib/socks_gssapi.c
-@@ -43,6 +43,7 @@
- #include "timeval.h"
- #include "socks.h"
- #include "warnless.h"
-+#include "curl_gssapi.h"
-
- #define _MPRINTF_REPLACE /* use our functions only */
- #include <curl/mprintf.h>
-@@ -137,6 +138,9 @@ CURLcode Curl_SOCKS5_gssapi_negotiate(int sockindex,
- unsigned char socksreq[4]; /* room for gssapi exchange header only */
- char *serviceptr = data->set.str[STRING_SOCKS5_GSSAPI_SERVICE];
-
-+ OM_uint32 req_flags = GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG;
-+ Curl_gss_req_flags(&req_flags, data);
-+
- /* get timeout */
- timeout = Curl_timeleft(data, NULL, TRUE);
-
-@@ -187,8 +191,7 @@ CURLcode Curl_SOCKS5_gssapi_negotiate(int sockindex,
- GSS_C_NO_CREDENTIAL,
- &gss_context, server,
- GSS_C_NULL_OID,
-- GSS_C_MUTUAL_FLAG |
-- GSS_C_REPLAY_FLAG,
-+ req_flags,
- 0,
- NULL,
- gss_token,
-diff --git a/lib/url.c b/lib/url.c
-index c5b642f..39e04af 100644
---- a/lib/url.c
-+++ b/lib/url.c
-@@ -1985,6 +1985,12 @@ CURLcode Curl_setopt(struct SessionHandle *data, CURLoption option,
- va_arg(param, char *));
- data->set.krb = (bool)(NULL != data->set.str[STRING_KRB_LEVEL]);
- break;
-+ case CURLOPT_GSSAPI_DELEGATION:
-+ /*
-+ * GSSAPI credential delegation
-+ */
-+ data->set.gssapi_delegation = va_arg(param, long);
-+ break;
- case CURLOPT_SSL_VERIFYPEER:
- /*
- * Enable peer SSL verifying.
-diff --git a/lib/urldata.h b/lib/urldata.h
-index d256968..d3cfec3 100644
---- a/lib/urldata.h
-+++ b/lib/urldata.h
-@@ -1517,6 +1517,9 @@ struct UserDefined {
- curl_fnmatch_callback fnmatch; /* callback to decide which file corresponds
- to pattern (e.g. if WILDCARDMATCH is on) */
- void *fnmatch_data;
-+
-+ long gssapi_delegation; /* GSSAPI credential delegation, see the
-+ documentation of CURLOPT_GSSAPI_DELEGATION */
- };
-
- struct Names {
---
-1.7.4.4
-
-
-From d4ea7258b1703497fd0c06e08369a6bd3e37d2e8 Mon Sep 17 00:00:00 2001
-From: Kamil Dudka <kdudka@redhat.com>
-Date: Wed, 3 Aug 2011 18:00:07 +0200
-Subject: [PATCH 2/2] curl_gssapi: add a missing include of sendf.h
-
-... to avoid build failure when GSS_C_DELEG_POLICY_FLAG is not defined.
-
-Reported by: Paul Howarth
----
- lib/curl_gssapi.c | 3 ++-
- lib/curl_gssapi.h | 2 +-
- 2 files changed, 3 insertions(+), 2 deletions(-)
-
-diff --git a/lib/curl_gssapi.c b/lib/curl_gssapi.c
-index e55c9cc..d1b1715 100644
---- a/lib/curl_gssapi.c
-+++ b/lib/curl_gssapi.c
-@@ -25,8 +25,9 @@
- #ifdef HAVE_GSSAPI
-
- #include "curl_gssapi.h"
-+#include "sendf.h"
-
--void Curl_gss_req_flags(OM_uint32 *req_flags, const struct SessionHandle *data)
-+void Curl_gss_req_flags(OM_uint32 *req_flags, struct SessionHandle *data)
- {
- if(data->set.gssapi_delegation & CURLGSSAPI_DELEGATION_POLICY_FLAG) {
- #ifdef GSS_C_DELEG_POLICY_FLAG
-diff --git a/lib/curl_gssapi.h b/lib/curl_gssapi.h
-index 02aa527..c8ffefc 100644
---- a/lib/curl_gssapi.h
-+++ b/lib/curl_gssapi.h
-@@ -39,7 +39,7 @@
- # include <gssapi.h>
- #endif
-
--void Curl_gss_req_flags(OM_uint32 *req_flags, const struct SessionHandle *data);
-+void Curl_gss_req_flags(OM_uint32 *req_flags, struct SessionHandle *data);
-
- #endif /* HAVE_GSSAPI */
-
---
-1.7.4.4
-
diff --git a/0001-curl-7.27.0-1f8518c5.patch b/0001-curl-7.27.0-1f8518c5.patch
new file mode 100644
index 0000000..02e2e6e
--- /dev/null
+++ b/0001-curl-7.27.0-1f8518c5.patch
@@ -0,0 +1,34 @@
+From e693b8e6591366ef2c077ba90fe0315a8a0b00c5 Mon Sep 17 00:00:00 2001
+From: Kamil Dudka <kdudka@redhat.com>
+Date: Mon, 30 Jul 2012 14:20:07 +0200
+Subject: [PATCH] file: use fdopen() for uploaded files if available
+
+It eliminates noisy events when using inotify and fixes a TOCTOU issue.
+
+Bug: https://bugzilla.redhat.com/844385
+
+[upstream commit 1f8518c5d9aaa369dae85620973f9b5c1add3277]
+---
+ lib/file.c | 4 ++++
+ 1 files changed, 4 insertions(+), 0 deletions(-)
+
+diff --git a/lib/file.c b/lib/file.c
+index 4447c73..1025022 100644
+--- a/lib/file.c
++++ b/lib/file.c
+@@ -351,8 +351,12 @@ static CURLcode file_upload(struct connectdata *conn)
+ failf(data, "Can't open %s for writing", file->path);
+ return CURLE_WRITE_ERROR;
+ }
++#ifdef HAVE_FDOPEN
++ fp = fdopen(fd, "wb");
++#else
+ close(fd);
+ fp = fopen(file->path, "wb");
++#endif
+ }
+
+ if(!fp) {
+--
+1.7.1
+
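Review bot: The descriptor from the earlier open() is not released if `fdopen(fd, "wb")` returns NULL in the added `HAVE_FDOPEN` branch of file_upload(). The `if(!fp)` check that follows has its body outside this hunk, so this is inferred from the visible lines only. Adding `if(!fp) close(fd);` directly after the fdopen() call would release it. Builds without `HAVE_FDOPEN` still close the descriptor and reopen `file->path` by name, so the check-to-use gap named in the commit message remains on those platforms. A comment on the `#else` branch such as `/* fallback reopens by path: TOCTOU window remains */` would record that for later audits.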
diff --git a/0002-curl-7.21.7-5eb2396.patch b/0002-curl-7.21.7-5eb2396.patch
deleted file mode 100644
index ded2da9..0000000
--- a/0002-curl-7.21.7-5eb2396.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From 5eb2396cd15cbbf73b02ad6bbcc313167330c2b5 Mon Sep 17 00:00:00 2001
-From: Daniel Stenberg <daniel@haxx.se>
-Date: Thu, 4 Aug 2011 23:22:48 +0200
-Subject: [PATCH] segfault fixed
-
-When using both -J and a single -O with multiple URLs, a missing init
-could cause badness.
-
-Bug: http://curl.haxx.se/mail/lib-2011-07/0126.html and
- http://bugzilla.redhat.com/723075
-Reported by: Paul Howarth and Garrett Holmstrom
----
- src/main.c | 1 +
- 1 files changed, 1 insertions(+), 0 deletions(-)
-
-diff --git a/src/main.c b/src/main.c
-index 6dcf333..eae45de 100644
---- a/src/main.c
-+++ b/src/main.c
-@@ -4866,6 +4866,7 @@ operate(struct Configurable *config, int argc, argv_item_t argv[])
- outs.stream = stdout;
- outs.config = config;
- outs.bytes = 0; /* nothing written yet */
-+ outs.filename = NULL;
-
- /* save outfile pattern before expansion */
- if(urlnode->outfile) {
---
-1.7.4.4
-
diff --git a/0002-curl-7.27.0-f05e5136.patch b/0002-curl-7.27.0-f05e5136.patch
new file mode 100644
index 0000000..7413ed6
--- /dev/null
+++ b/0002-curl-7.27.0-f05e5136.patch
@@ -0,0 +1,197 @@
+From ce515e993fe7bc7e95549317fe5180b196454d4c Mon Sep 17 00:00:00 2001
+From: Kamil Dudka <kdudka@redhat.com>
+Date: Wed, 12 Sep 2012 16:06:18 +0200
+Subject: [PATCH 1/3] ssh: move the fingerprint checking code to a separate fnc
+
+---
+ lib/ssh.c | 71 +++++++++++++++++++++++++++++++++---------------------------
+ 1 files changed, 39 insertions(+), 32 deletions(-)
+
+diff --git a/lib/ssh.c b/lib/ssh.c
+index c76a48e..4455d44 100644
+--- a/lib/ssh.c
++++ b/lib/ssh.c
+@@ -635,6 +635,43 @@ static CURLcode ssh_knownhost(struct connectdata *conn)
+ return result;
+ }
+
++static bool ssh_check_fingerprint(struct connectdata *conn)
++{
++ struct ssh_conn *sshc = &conn->proto.sshc;
++ struct SessionHandle *data = conn->data;
++ const char *pubkey_md5 = data->set.str[STRING_SSH_HOST_PUBLIC_KEY_MD5];
++ char md5buffer[33];
++ int i;
++
++ const char *fingerprint = libssh2_hostkey_hash(sshc->ssh_session,
++ LIBSSH2_HOSTKEY_HASH_MD5);
++
++ /* The fingerprint points to static storage (!), don't free() it. */
++ for(i = 0; i < 16; i++)
++ snprintf(&md5buffer[i*2], 3, "%02x", (unsigned char) fingerprint[i]);
++ infof(data, "SSH MD5 fingerprint: %s\n", md5buffer);
++
++ /* Before we authenticate we check the hostkey's MD5 fingerprint
++ * against a known fingerprint, if available.
++ */
++ if(pubkey_md5 && strlen(pubkey_md5) == 32) {
++ if(!strequal(md5buffer, pubkey_md5)) {
++ failf(data,
++ "Denied establishing ssh session: mismatch md5 fingerprint. "
++ "Remote %s is not equal to %s", md5buffer, pubkey_md5);
++ state(conn, SSH_SESSION_FREE);
++ sshc->actualcode = CURLE_PEER_FAILED_VERIFICATION;
++ return sshc->actualcode;
++ }
++ else {
++ infof(data, "MD5 checksum match!\n");
++ /* as we already matched, we skip the check for known hosts */
++ return CURLE_OK;
++ }
++ }
++ else
++ return ssh_knownhost(conn);
++}
+
+ /*
+ * ssh_statemach_act() runs the SSH state machine as far as it can without
+@@ -650,10 +687,8 @@ static CURLcode ssh_statemach_act(struct connectdata *conn, bool *block)
+ struct SSHPROTO *sftp_scp = data->state.proto.ssh;
+ struct ssh_conn *sshc = &conn->proto.sshc;
+ curl_socket_t sock = conn->sock[FIRSTSOCKET];
+- const char *fingerprint;
+- char md5buffer[33];
+ char *new_readdir_line;
+- int rc = LIBSSH2_ERROR_NONE, i;
++ int rc = LIBSSH2_ERROR_NONE;
+ int err;
+ int seekerr = CURL_SEEKFUNC_OK;
+ *block = 0; /* we're not blocking by default */
+@@ -694,35 +729,7 @@ static CURLcode ssh_statemach_act(struct connectdata *conn, bool *block)
+ * against our known hosts. How that is handled (reading from file,
+ * whatever) is up to us.
+ */
+- fingerprint = libssh2_hostkey_hash(sshc->ssh_session,
+- LIBSSH2_HOSTKEY_HASH_MD5);
+-
+- /* The fingerprint points to static storage (!), don't free() it. */
+- for(i = 0; i < 16; i++)
+- snprintf(&md5buffer[i*2], 3, "%02x", (unsigned char) fingerprint[i]);
+- infof(data, "SSH MD5 fingerprint: %s\n", md5buffer);
+-
+- /* Before we authenticate we check the hostkey's MD5 fingerprint
+- * against a known fingerprint, if available.
+- */
+- if(data->set.str[STRING_SSH_HOST_PUBLIC_KEY_MD5] &&
+- strlen(data->set.str[STRING_SSH_HOST_PUBLIC_KEY_MD5]) == 32) {
+- if(!strequal(md5buffer,
+- data->set.str[STRING_SSH_HOST_PUBLIC_KEY_MD5])) {
+- failf(data,
+- "Denied establishing ssh session: mismatch md5 fingerprint. "
+- "Remote %s is not equal to %s",
+- md5buffer, data->set.str[STRING_SSH_HOST_PUBLIC_KEY_MD5]);
+- state(conn, SSH_SESSION_FREE);
+- result = sshc->actualcode = CURLE_PEER_FAILED_VERIFICATION;
+- }
+- else
+- infof(data, "MD5 checksum match!\n");
+- /* as we already matched, we skip the check for known hosts */
+- }
+- else
+- result = ssh_knownhost(conn);
+-
++ result = ssh_check_fingerprint(conn);
+ if(!result)
+ state(conn, SSH_AUTHLIST);
+ break;
+--
+1.7.1
+
+
+From f05e51362f310cb04b0ad8d086b9cf693aad5c9d Mon Sep 17 00:00:00 2001
+From: Kamil Dudka <kdudka@redhat.com>
+Date: Wed, 12 Sep 2012 16:18:36 +0200
+Subject: [PATCH 2/3] ssh: do not crash if MD5 fingerprint is not provided by libssh2
+
+The MD5 fingerprint cannot be computed when running in FIPS mode.
+---
+ lib/ssh.c | 22 ++++++++++++++--------
+ 1 files changed, 14 insertions(+), 8 deletions(-)
+
+diff --git a/lib/ssh.c b/lib/ssh.c
+index 4455d44..466566c 100644
+--- a/lib/ssh.c
++++ b/lib/ssh.c
+@@ -646,19 +646,25 @@ static bool ssh_check_fingerprint(struct connectdata *conn)
+ const char *fingerprint = libssh2_hostkey_hash(sshc->ssh_session,
+ LIBSSH2_HOSTKEY_HASH_MD5);
+
+- /* The fingerprint points to static storage (!), don't free() it. */
+- for(i = 0; i < 16; i++)
+- snprintf(&md5buffer[i*2], 3, "%02x", (unsigned char) fingerprint[i]);
+- infof(data, "SSH MD5 fingerprint: %s\n", md5buffer);
++ if(fingerprint) {
++ /* The fingerprint points to static storage (!), don't free() it. */
++ for(i = 0; i < 16; i++)
++ snprintf(&md5buffer[i*2], 3, "%02x", (unsigned char) fingerprint[i]);
++ infof(data, "SSH MD5 fingerprint: %s\n", md5buffer);
++ }
+
+ /* Before we authenticate we check the hostkey's MD5 fingerprint
+ * against a known fingerprint, if available.
+ */
+ if(pubkey_md5 && strlen(pubkey_md5) == 32) {
+- if(!strequal(md5buffer, pubkey_md5)) {
+- failf(data,
+- "Denied establishing ssh session: mismatch md5 fingerprint. "
+- "Remote %s is not equal to %s", md5buffer, pubkey_md5);
++ if(!fingerprint || !strequal(md5buffer, pubkey_md5)) {
++ if(fingerprint)
++ failf(data,
++ "Denied establishing ssh session: mismatch md5 fingerprint. "
++ "Remote %s is not equal to %s", md5buffer, pubkey_md5);
++ else
++ failf(data,
++ "Denied establishing ssh session: md5 fingerprint not available");
+ state(conn, SSH_SESSION_FREE);
+ sshc->actualcode = CURLE_PEER_FAILED_VERIFICATION;
+ return sshc->actualcode;
+--
+1.7.1
+
+
+From 1ab6c353635760e8e25bacc13ae0cab2f97f7338 Mon Sep 17 00:00:00 2001
+From: Marc Hoersken <info@marc-hoersken.de>
+Date: Fri, 14 Sep 2012 14:48:55 +0200
+Subject: [PATCH 3/3] ssh.c: Fixed warning: implicit conversion from enumeration type
+
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/ssh.c | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/lib/ssh.c b/lib/ssh.c
+index 466566c..e8b7172 100644
+--- a/lib/ssh.c
++++ b/lib/ssh.c
+@@ -635,7 +635,7 @@ static CURLcode ssh_knownhost(struct connectdata *conn)
+ return result;
+ }
+
+-static bool ssh_check_fingerprint(struct connectdata *conn)
++static CURLcode ssh_check_fingerprint(struct connectdata *conn)
+ {
+ struct ssh_conn *sshc = &conn->proto.sshc;
+ struct SessionHandle *data = conn->data;
+@@ -736,7 +736,7 @@ static CURLcode ssh_statemach_act(struct connectdata *conn, bool *block)
+ * whatever) is up to us.
+ */
+ result = ssh_check_fingerprint(conn);
+- if(!result)
++ if(result == CURLE_OK)
+ state(conn, SSH_AUTHLIST);
+ break;
+
+--
+1.7.1
+
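Review bot: In ssh_check_fingerprint() (added in patch 1/3, condition unchanged by 2/3 and 3/3), a `pubkey_md5` that is set but not exactly 32 characters long skips the comparison and falls through to `ssh_knownhost(conn)`, so a mistyped or truncated pinned fingerprint is silently ignored instead of rejected. Whether the option value is length-checked where it is set is not visible here. If it is not, relaxing the guard to `if(pubkey_md5) {` would fail closed, because a wrong-length string can never equal the 32-character `md5buffer` and so reaches the existing `CURLE_PEER_FAILED_VERIFICATION` branch. That change would also reject an empty string, so callers that pass "" to mean "unset" would need checking first. A short comment above the guard stating which behaviour is intended for malformed pins would help either way.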
diff --git a/0003-curl-7.21.7-5538904.patch b/0003-curl-7.21.7-5538904.patch
deleted file mode 100644
index 1374ad8..0000000
--- a/0003-curl-7.21.7-5538904.patch
+++ /dev/null
@@ -1,131 +0,0 @@
-From 9698db7fd56b08cc8f9bdeb2182bc9afdbcb4f90 Mon Sep 17 00:00:00 2001
-From: Daniel Stenberg <daniel@haxx.se>
-Date: Fri, 12 Aug 2011 14:48:32 +0200
-Subject: [PATCH 1/2] added --delegation
-
-Using this option with an argument being set to one of
-none/policy/always instructs libcurl how to deal with GSS
-credentials. Or rather how it tells the server that delegation is fine
-or not.
-
-Signed-off-by: Kamil Dudka <kdudka@redhat.com>
----
- src/main.c | 29 ++++++++++++++++++++++++++---
- 1 files changed, 26 insertions(+), 3 deletions(-)
-
-diff --git a/src/main.c b/src/main.c
-index d85bf62..3a2595c 100644
---- a/src/main.c
-+++ b/src/main.c
-@@ -659,6 +659,7 @@ struct Configurable {
- basically each given URL to transfer */
- struct OutStruct *outs;
- bool xattr; /* store metadata in extended attributes */
-+ long gssapi_delegation;
- };
-
- #define WARN_PREFIX "Warning: "
-@@ -817,6 +818,7 @@ static void help(void)
- " --data-binary <data> HTTP POST binary data (H)",
- " --data-urlencode <name=data/name@filename> "
- "HTTP POST data url encoded (H)",
-+ " --delegation STRING GSS-API delegation permission",
- " --digest Use HTTP Digest Authentication (H)",
- " --disable-eprt Inhibit using EPRT or LPRT (F)",
- " --disable-epsv Inhibit using EPSV (F)",
-@@ -1823,6 +1825,18 @@ static int sockoptcallback(void *clientp, curl_socket_t curlfd,
- return 0;
- }
-
-+static long delegation(struct Configurable *config,
-+ char *str)
-+{
-+ if(curlx_raw_equal("none", str))
-+ return CURLGSSAPI_DELEGATION_NONE;
-+ if(curlx_raw_equal("policy", str))
-+ return CURLGSSAPI_DELEGATION_POLICY_FLAG;
-+ if(curlx_raw_equal("always", str))
-+ return CURLGSSAPI_DELEGATION_FLAG;
-+ warnf(config, "unrecognized delegation method '%s', using none\n", str);
-+ return CURLGSSAPI_DELEGATION_NONE;
-+}
-
- static ParameterError getparameter(char *flag, /* f or -long-flag */
- char *nextarg, /* NULL if unset */
-@@ -1942,6 +1956,7 @@ static ParameterError getparameter(char *flag, /* f or -long-flag */
- {"$D", "proto", TRUE},
- {"$E", "proto-redir", TRUE},
- {"$F", "resolve", TRUE},
-+ {"$G", "delegation", TRUE},
- {"0", "http1.0", FALSE},
- {"1", "tlsv1", FALSE},
- {"2", "sslv2", FALSE},
-@@ -2516,6 +2531,9 @@ static ParameterError getparameter(char *flag, /* f or -long-flag */
- if(err)
- return err;
- break;
-+ case 'G': /* --delegation LEVEL */
-+ config->gssapi_delegation = delegation(config, nextarg);
-+ break;
- }
- break;
- case '#': /* --progress-bar */
-@@ -5564,9 +5582,14 @@ operate(struct Configurable *config, int argc, argv_item_t argv[])
- /* new in 7.21.3 */
- my_setopt(curl, CURLOPT_RESOLVE, config->resolve);
-
-- /* TODO: new in ### */
-- curl_easy_setopt(curl, CURLOPT_TLSAUTH_USERNAME, config->tls_username);
-- curl_easy_setopt(curl, CURLOPT_TLSAUTH_PASSWORD, config->tls_password);
-+ /* new in 7.21.4 */
-+ my_setopt_str(curl, CURLOPT_TLSAUTH_USERNAME, config->tls_username);
-+ my_setopt_str(curl, CURLOPT_TLSAUTH_PASSWORD, config->tls_password);
-+
-+ /* new in 7.22.0 */
-+ if(config->gssapi_delegation)
-+ my_setopt_str(curl, CURLOPT_GSSAPI_DELEGATION,
-+ config->gssapi_delegation);
-
- retry_numretries = config->req_retry;
-
---
-1.7.4.4
-
-
-From 8e404e1c3846cc98a1977514af5b0432ae2de755 Mon Sep 17 00:00:00 2001
-From: Daniel Stenberg <daniel@haxx.se>
-Date: Fri, 12 Aug 2011 23:51:41 +0200
-Subject: [PATCH 2/2] docs: --delegation
-
-
-Signed-off-by: Kamil Dudka <kdudka@redhat.com>
----
- docs/curl.1 | 12 ++++++++++++
- 1 files changed, 12 insertions(+), 0 deletions(-)
-
-diff --git a/docs/curl.1 b/docs/curl.1
-index 812b2eb..eee3481 100644
---- a/docs/curl.1
-+++ b/docs/curl.1
-@@ -320,6 +320,18 @@ URL-encode that data and pass it on in the POST. The name part gets an equal
- sign appended, resulting in \fIname=urlencoded-file-content\fP. Note that the
- name is expected to be URL-encoded already.
- .RE
-+.IP "--delegation LEVEL"
-+Set \fILEVEL\fP to tell the server what it is allowed to delegate when it
-+comes to user credentials. Used with GSS/kerberos.
-+.RS
-+.IP "none"
-+Don't allow any delegation.
-+.IP "policy"
-+Delegates if and only if the OK-AS-DELEGATE flag is set in the Kerberos
-+service ticket, which is a matter of realm policy.
-+.IP "always"
-+Unconditionally allow the server to delegate.
-+.RE
- .IP "--digest"
- (HTTP) Enables HTTP Digest authentication. This is a authentication that
- prevents the password from being sent over the wire in clear text. Use this in
---
-1.7.4.4
-
diff --git a/0003-curl-7.27.0-382429e7.patch b/0003-curl-7.27.0-382429e7.patch
new file mode 100644
index 0000000..f25fe71
--- /dev/null
+++ b/0003-curl-7.27.0-382429e7.patch
@@ -0,0 +1,32 @@
+From 382429e7601de68564f08a88cc867dbcd6e2556a Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Tue, 7 Aug 2012 14:13:09 +0200
+Subject: [PATCH] curl-config: parentheses fix
+
+Braces, not parentheses, should be used for shell variable names.
+
+Bug: http://curl.haxx.se/bug/view.cgi?id=3551460
+Reported by: Edward Sheldrake
+---
+ curl-config.in | 4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/curl-config.in b/curl-config.in
+index a3ca8b5..731761c 100644
+--- a/curl-config.in
++++ b/curl-config.in
+@@ -135,9 +135,9 @@ while test $# -gt 0; do
+ CPPFLAG_CURL_STATICLIB=""
+ fi
+ if test "X@includedir@" = "X/usr/include"; then
+- echo "$(CPPFLAG_CURL_STATICLIB)"
++ echo "$CPPFLAG_CURL_STATICLIB"
+ else
+- echo "$(CPPFLAG_CURL_STATICLIB)-I@includedir@"
++ echo "${CPPFLAG_CURL_STATICLIB}-I@includedir@"
+ fi
+ ;;
+
+--
+1.7.1
+
diff --git a/0004-curl-7.21.7-d6f319f.patch b/0004-curl-7.21.7-d6f319f.patch
deleted file mode 100644
index 33f430d..0000000
--- a/0004-curl-7.21.7-d6f319f.patch
+++ /dev/null
@@ -1,118 +0,0 @@
-From 857fed6e245a9620b0f25a2f4ca6d6dc01584674 Mon Sep 17 00:00:00 2001
-From: Kamil Dudka <kdudka@redhat.com>
-Date: Mon, 15 Aug 2011 13:48:45 +0200
-Subject: [PATCH] nss: start with no database if the selected database is
- broken
-
-Bug: https://bugzilla.redhat.com/728562
-
-Signed-off-by: Kamil Dudka <kdudka@redhat.com>
----
- lib/nss.c | 63 +++++++++++++++++++++++++++++++++++++-----------------------
- 1 files changed, 39 insertions(+), 24 deletions(-)
-
-diff --git a/lib/nss.c b/lib/nss.c
-index 3dc0ba6..94a530b 100644
---- a/lib/nss.c
-+++ b/lib/nss.c
-@@ -898,10 +898,42 @@ isTLSIntoleranceError(PRInt32 err)
- }
- }
-
--static CURLcode init_nss(struct SessionHandle *data)
-+static CURLcode nss_init_core(struct SessionHandle *data, const char *cert_dir)
-+{
-+ if(NSS_IsInitialized())
-+ return CURLE_OK;
-+
-+ if(cert_dir) {
-+ SECStatus rv;
-+ const bool use_sql = NSS_VersionCheck("3.12.0");
-+ char *certpath = aprintf("%s%s", use_sql ? "sql:" : "", cert_dir);
-+ if(!certpath)
-+ return CURLE_OUT_OF_MEMORY;
-+
-+ infof(data, "Initializing NSS with certpath: %s\n", certpath);
-+ rv = NSS_Initialize(certpath, "", "", "", NSS_INIT_READONLY);
-+ free(certpath);
-+
-+ if(rv == SECSuccess)
-+ return CURLE_OK;
-+
-+ infof(data, "Unable to initialize NSS database\n");
-+ }
-+
-+ infof(data, "Initializing NSS with certpath: none\n");
-+ if(NSS_NoDB_Init(NULL) == SECSuccess)
-+ return CURLE_OK;
-+
-+ infof(data, "Unable to initialize NSS\n");
-+ return CURLE_SSL_CACERT_BADFILE;
-+}
-+
-+static CURLcode nss_init(struct SessionHandle *data)
- {
- char *cert_dir;
- struct_stat st;
-+ CURLcode rv;
-+
- if(initialized)
- return CURLE_OK;
-
-@@ -922,31 +954,14 @@ static CURLcode init_nss(struct SessionHandle *data)
- }
- }
-
-- if(!NSS_IsInitialized()) {
-- SECStatus rv;
-- initialized = 1;
-- infof(data, "Initializing NSS with certpath: %s\n",
-- cert_dir ? cert_dir : "none");
-- if(!cert_dir) {
-- rv = NSS_NoDB_Init(NULL);
-- }
-- else {
-- char *certpath =
-- PR_smprintf("%s%s", NSS_VersionCheck("3.12.0") ? "sql:" : "",
-- cert_dir);
-- rv = NSS_Initialize(certpath, "", "", "", NSS_INIT_READONLY);
-- PR_smprintf_free(certpath);
-- }
-- if(rv != SECSuccess) {
-- infof(data, "Unable to initialize NSS database\n");
-- initialized = 0;
-- return CURLE_SSL_CACERT_BADFILE;
-- }
-- }
-+ rv = nss_init_core(data, cert_dir);
-+ if(rv)
-+ return rv;
-
- if(num_enabled_ciphers() == 0)
- NSS_SetDomesticPolicy();
-
-+ initialized = 1;
- return CURLE_OK;
- }
-
-@@ -981,7 +996,7 @@ CURLcode Curl_nss_force_init(struct SessionHandle *data)
- }
-
- PR_Lock(nss_initlock);
-- rv = init_nss(data);
-+ rv = nss_init(data);
- PR_Unlock(nss_initlock);
- return rv;
- }
-@@ -1184,7 +1199,7 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex)
-
- /* FIXME. NSS doesn't support multiple databases open at the same time. */
- PR_Lock(nss_initlock);
-- curlerr = init_nss(conn->data);
-+ curlerr = nss_init(conn->data);
- if(CURLE_OK != curlerr) {
- PR_Unlock(nss_initlock);
- goto error;
---
-1.7.4.4
-
diff --git a/0004-curl-7.27.0-52b6eda4.patch b/0004-curl-7.27.0-52b6eda4.patch
new file mode 100644
index 0000000..a6b751b
--- /dev/null
+++ b/0004-curl-7.27.0-52b6eda4.patch
@@ -0,0 +1,115 @@
+From fea7914a32b7d7a8ec4bbf4de0c2be74a32969bb Mon Sep 17 00:00:00 2001
+From: Kamil Dudka <kdudka@redhat.com>
+Date: Thu, 9 Aug 2012 09:40:00 +0200
+Subject: [PATCH 1/2] nss: do not print misleading NSS error codes
+
+[upstream commit 52b6eda4f2a006e33358c6964ef6a00b09ae59ab]
+---
+ lib/nss.c | 42 ++++++++++++++++++++++++++++++------------
+ 1 files changed, 30 insertions(+), 12 deletions(-)
+
+diff --git a/lib/nss.c b/lib/nss.c
+index b11796c..a8e08f4 100644
+--- a/lib/nss.c
++++ b/lib/nss.c
+@@ -1084,17 +1084,31 @@ int Curl_nss_close_all(struct SessionHandle *data)
+ return 0;
+ }
+
+-/* return true if the given error code is related to a client certificate */
+-static bool is_cc_error(PRInt32 err)
++/* return true if NSS can provide error code (and possibly msg) for the error */
++static bool is_nss_error(CURLcode err)
+ {
+ switch(err) {
+- case SSL_ERROR_BAD_CERT_ALERT:
++ case CURLE_PEER_FAILED_VERIFICATION:
++ case CURLE_SSL_CACERT:
++ case CURLE_SSL_CACERT_BADFILE:
++ case CURLE_SSL_CERTPROBLEM:
++ case CURLE_SSL_CONNECT_ERROR:
++ case CURLE_SSL_CRL_BADFILE:
++ case CURLE_SSL_ISSUER_ERROR:
+ return true;
+
+- case SSL_ERROR_REVOKED_CERT_ALERT:
+- return true;
++ default:
++ return false;
++ }
++}
+
++/* return true if the given error code is related to a client certificate */
++static bool is_cc_error(PRInt32 err)
++{
++ switch(err) {
++ case SSL_ERROR_BAD_CERT_ALERT:
+ case SSL_ERROR_EXPIRED_CERT_ALERT:
++ case SSL_ERROR_REVOKED_CERT_ALERT:
+ return true;
+
+ default:
+@@ -1388,6 +1402,7 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex)
+ time_left = Curl_timeleft(data, NULL, TRUE);
+ if(time_left < 0L) {
+ failf(data, "timed out before SSL handshake");
++ curlerr = CURLE_OPERATION_TIMEDOUT;
+ goto error;
+ }
+ timeout = PR_MillisecondsToInterval((PRUint32) time_left);
+@@ -1432,15 +1447,18 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex)
+ /* reset the flag to avoid an infinite loop */
+ data->state.ssl_connect_retry = FALSE;
+
+- err = PR_GetError();
+- if(is_cc_error(err))
+- curlerr = CURLE_SSL_CERTPROBLEM;
++ if(is_nss_error(curlerr)) {
++ /* read NSPR error code */
++ err = PR_GetError();
++ if(is_cc_error(err))
++ curlerr = CURLE_SSL_CERTPROBLEM;
+
+- /* print the error number and error string */
+- infof(data, "NSS error %d (%s)\n", err, nss_error_to_name(err));
++ /* print the error number and error string */
++ infof(data, "NSS error %d (%s)\n", err, nss_error_to_name(err));
+
+- /* print a human-readable message describing the error if available */
+- nss_print_error_message(data, err);
++ /* print a human-readable message describing the error if available */
++ nss_print_error_message(data, err);
++ }
+
+ if(model)
+ PR_Close(model);
+--
+1.7.1
+
+
+From b00ba010d0cd0a6ee77692fd4e38e6680b07a82e Mon Sep 17 00:00:00 2001
+From: Marc Hoersken <info@marc-hoersken.de>
+Date: Tue, 11 Sep 2012 09:49:23 +0200
+Subject: [PATCH 2/2] nss.c: Fixed warning: 'err' may be used uninitialized in this function
+
+[upstream commit e6ba0487013085afc5bc1ca7d7c8a15a13367ba6]
+---
+ lib/nss.c | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+diff --git a/lib/nss.c b/lib/nss.c
+index a8e08f4..fef7c3d 100644
+--- a/lib/nss.c
++++ b/lib/nss.c
+@@ -1173,7 +1173,7 @@ static CURLcode nss_load_ca_certificates(struct connectdata *conn,
+
+ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex)
+ {
+- PRInt32 err;
++ PRErrorCode err = 0;
+ PRFileDesc *model = NULL;
+ PRBool ssl2 = PR_FALSE;
+ PRBool ssl3 = PR_FALSE;
+--
+1.7.1
+
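Review bot: `is_nss_error()` is an allow-list that decides whether `PR_GetError()` is consulted at all, so every `goto error` in `Curl_nss_connect` now has to set `curlerr` to a meaningful value before jumping, as the timeout branch does with `CURLE_OPERATION_TIMEDOUT`. The other jump sites lie outside these hunks and are worth checking. A comment above the switch would record the rule, for example `/* list only CURLcode values set on paths where NSS/NSPR itself reported the failure */`. In the second patch `err` becomes `PRErrorCode` while `is_cc_error()` still takes `PRInt32`; using one type for both would read more consistently.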
diff --git a/0005-curl-7.21.7-61ae7e9.patch b/0005-curl-7.21.7-61ae7e9.patch
deleted file mode 100644
index 46cfe47..0000000
--- a/0005-curl-7.21.7-61ae7e9.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From 61ae7e9ce77af86a7290fca8bf73c9798f80845c Mon Sep 17 00:00:00 2001
-From: Daniel Stenberg <daniel@haxx.se>
-Date: Sun, 21 Aug 2011 12:59:06 +0200
-Subject: [PATCH] main: fix segfault
-
-Follow-up to commit 5eb2396cd as that wasn't complete.
-
-At times HEADERFUNCTION+HEADERDATA was set only to have only HEADERDATA
-set in the subsequent loop which could cause a NULL to get sent as
-userdata to 'header_callback' which wasn't made to handle that.
-
-Now HEADERFUNCTION is explicitly set to NULL if it isn't set to the
-callback.
----
- src/main.c | 8 ++++++--
- 1 files changed, 6 insertions(+), 2 deletions(-)
-
-diff --git a/src/main.c b/src/main.c
-index 276718b..56cd133 100644
---- a/src/main.c
-+++ b/src/main.c
-@@ -5371,8 +5371,6 @@ operate(struct Configurable *config, int argc, argv_item_t argv[])
- my_setopt(curl, CURLOPT_QUOTE, config->quote);
- my_setopt(curl, CURLOPT_POSTQUOTE, config->postquote);
- my_setopt(curl, CURLOPT_PREQUOTE, config->prequote);
-- my_setopt(curl, CURLOPT_HEADERDATA,
-- config->headerfile?&heads:NULL);
- my_setopt_str(curl, CURLOPT_COOKIEFILE, config->cookiefile);
- /* cookie jar was added in 7.9 */
- if(config->cookiejar)
-@@ -5577,6 +5575,12 @@ operate(struct Configurable *config, int argc, argv_item_t argv[])
- my_setopt(curl, CURLOPT_HEADERFUNCTION, header_callback);
- my_setopt(curl, CURLOPT_HEADERDATA, &outs);
- }
-+ else {
-+ /* if HEADERFUNCTION was set to something in the previous loop, it
-+ is important that we set it (back) to NULL now */
-+ my_setopt(curl, CURLOPT_HEADERFUNCTION, NULL);
-+ my_setopt(curl, CURLOPT_HEADERDATA, config->headerfile?&heads:NULL);
-+ }
-
- if(config->resolve)
- /* new in 7.21.3 */
---
-1.7.6
-
diff --git a/0005-curl-7.27.0-f208bf5a.patch b/0005-curl-7.27.0-f208bf5a.patch
new file mode 100644
index 0000000..c164fd0
--- /dev/null
+++ b/0005-curl-7.27.0-f208bf5a.patch
@@ -0,0 +1,190 @@
+From c78462408b8033c99cb45e70f34586ceb8fa8276 Mon Sep 17 00:00:00 2001
+From: Kamil Dudka <kdudka@redhat.com>
+Date: Thu, 9 Aug 2012 14:08:11 +0200
+Subject: [PATCH] docs: update the links to cipher-suites supported by NSS
+
+... and make the list of cipher-suites in nss.c readable by humans.
+
+Bug: http://curl.haxx.se/mail/archive-2012-08/0016.html
+
+[upstream commit f208bf5a2d622ae525690dfba2ab58abd8d72264]
+---
+ docs/curl.1 | 2 +-
+ docs/libcurl/curl_easy_setopt.3 | 2 +-
+ lib/nss.c | 105 +++++++++++++++++++--------------------
+ 3 files changed, 53 insertions(+), 56 deletions(-)
+
+diff --git a/docs/curl.1 b/docs/curl.1
+index 0e29ed5..5ba3d56 100644
+--- a/docs/curl.1
++++ b/docs/curl.1
+@@ -223,7 +223,7 @@ must specify valid ciphers. Read up on SSL cipher list details on this URL:
+
+ NSS ciphers are done differently than OpenSSL and GnuTLS. The full list of
+ NSS ciphers is in the NSSCipherSuite entry at this URL:
+-\fIhttp://directory.fedora.redhat.com/docs/mod_nss.html#Directives\fP
++\fIhttp://git.fedorahosted.org/cgit/mod_nss.git/plain/docs/mod_nss.html#Directives\fP
+
+ If this option is used several times, the last one will override the others.
+ .IP "--compressed"
+diff --git a/docs/libcurl/curl_easy_setopt.3 b/docs/libcurl/curl_easy_setopt.3
+index 25a7d5e..d83afe8 100644
+--- a/docs/libcurl/curl_easy_setopt.3
++++ b/docs/libcurl/curl_easy_setopt.3
+@@ -2367,7 +2367,7 @@ this option then all known ciphers are disabled and only those passed in
+ are enabled.
+
+ You'll find more details about the NSS cipher lists on this URL:
+-\fIhttp://directory.fedora.redhat.com/docs/mod_nss.html#Directives\fP
++\fIhttp://git.fedorahosted.org/cgit/mod_nss.git/plain/docs/mod_nss.html#Directives\fP
+
+ .IP CURLOPT_SSL_SESSIONID_CACHE
+ Pass a long set to 0 to disable libcurl's use of SSL session-ID caching. Set
+diff --git a/lib/nss.c b/lib/nss.c
+index fef7c3d..705a625 100644
+--- a/lib/nss.c
++++ b/lib/nss.c
+@@ -89,7 +89,6 @@ volatile int initialized = 0;
+ typedef struct {
+ const char *name;
+ int num;
+- PRInt32 version; /* protocol version valid for this cipher */
+ } cipher_s;
+
+ #define PK11_SETATTRS(_attr, _idx, _type, _val, _len) do { \
+@@ -101,65 +100,63 @@ typedef struct {
+
+ #define CERT_NewTempCertificate __CERT_NewTempCertificate
+
+-enum sslversion { SSL2 = 1, SSL3 = 2, TLS = 4 };
+-
+ #define NUM_OF_CIPHERS sizeof(cipherlist)/sizeof(cipherlist[0])
+ static const cipher_s cipherlist[] = {
+ /* SSL2 cipher suites */
+- {"rc4", SSL_EN_RC4_128_WITH_MD5, SSL2},
+- {"rc4-md5", SSL_EN_RC4_128_WITH_MD5, SSL2},
+- {"rc4export", SSL_EN_RC4_128_EXPORT40_WITH_MD5, SSL2},
+- {"rc2", SSL_EN_RC2_128_CBC_WITH_MD5, SSL2},
+- {"rc2export", SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5, SSL2},
+- {"des", SSL_EN_DES_64_CBC_WITH_MD5, SSL2},
+- {"desede3", SSL_EN_DES_192_EDE3_CBC_WITH_MD5, SSL2},
++ {"rc4", SSL_EN_RC4_128_WITH_MD5},
++ {"rc4-md5", SSL_EN_RC4_128_WITH_MD5},
++ {"rc4export", SSL_EN_RC4_128_EXPORT40_WITH_MD5},
++ {"rc2", SSL_EN_RC2_128_CBC_WITH_MD5},
++ {"rc2export", SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5},
++ {"des", SSL_EN_DES_64_CBC_WITH_MD5},
++ {"desede3", SSL_EN_DES_192_EDE3_CBC_WITH_MD5},
+ /* SSL3/TLS cipher suites */
+- {"rsa_rc4_128_md5", SSL_RSA_WITH_RC4_128_MD5, SSL3 | TLS},
+- {"rsa_rc4_128_sha", SSL_RSA_WITH_RC4_128_SHA, SSL3 | TLS},
+- {"rsa_3des_sha", SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL3 | TLS},
+- {"rsa_des_sha", SSL_RSA_WITH_DES_CBC_SHA, SSL3 | TLS},
+- {"rsa_rc4_40_md5", SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL3 | TLS},
+- {"rsa_rc2_40_md5", SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, SSL3 | TLS},
+- {"rsa_null_md5", SSL_RSA_WITH_NULL_MD5, SSL3 | TLS},
+- {"rsa_null_sha", SSL_RSA_WITH_NULL_SHA, SSL3 | TLS},
+- {"fips_3des_sha", SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, SSL3 | TLS},
+- {"fips_des_sha", SSL_RSA_FIPS_WITH_DES_CBC_SHA, SSL3 | TLS},
+- {"fortezza", SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA, SSL3 | TLS},
+- {"fortezza_rc4_128_sha", SSL_FORTEZZA_DMS_WITH_RC4_128_SHA, SSL3 | TLS},
+- {"fortezza_null", SSL_FORTEZZA_DMS_WITH_NULL_SHA, SSL3 | TLS},
++ {"rsa_rc4_128_md5", SSL_RSA_WITH_RC4_128_MD5},
++ {"rsa_rc4_128_sha", SSL_RSA_WITH_RC4_128_SHA},
++ {"rsa_3des_sha", SSL_RSA_WITH_3DES_EDE_CBC_SHA},
++ {"rsa_des_sha", SSL_RSA_WITH_DES_CBC_SHA},
++ {"rsa_rc4_40_md5", SSL_RSA_EXPORT_WITH_RC4_40_MD5},
++ {"rsa_rc2_40_md5", SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5},
++ {"rsa_null_md5", SSL_RSA_WITH_NULL_MD5},
++ {"rsa_null_sha", SSL_RSA_WITH_NULL_SHA},
++ {"fips_3des_sha", SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA},
++ {"fips_des_sha", SSL_RSA_FIPS_WITH_DES_CBC_SHA},
++ {"fortezza", SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA},
++ {"fortezza_rc4_128_sha", SSL_FORTEZZA_DMS_WITH_RC4_128_SHA},
++ {"fortezza_null", SSL_FORTEZZA_DMS_WITH_NULL_SHA},
+ /* TLS 1.0: Exportable 56-bit Cipher Suites. */
+- {"rsa_des_56_sha", TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, SSL3 | TLS},
+- {"rsa_rc4_56_sha", TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, SSL3 | TLS},
++ {"rsa_des_56_sha", TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA},
++ {"rsa_rc4_56_sha", TLS_RSA_EXPORT1024_WITH_RC4_56_SHA},
+ /* AES ciphers. */
+- {"rsa_aes_128_sha", TLS_RSA_WITH_AES_128_CBC_SHA, SSL3 | TLS},
+- {"rsa_aes_256_sha", TLS_RSA_WITH_AES_256_CBC_SHA, SSL3 | TLS},
++ {"rsa_aes_128_sha", TLS_RSA_WITH_AES_128_CBC_SHA},
++ {"rsa_aes_256_sha", TLS_RSA_WITH_AES_256_CBC_SHA},
+ #ifdef NSS_ENABLE_ECC
+ /* ECC ciphers. */
+- {"ecdh_ecdsa_null_sha", TLS_ECDH_ECDSA_WITH_NULL_SHA, TLS},
+- {"ecdh_ecdsa_rc4_128_sha", TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS},
+- {"ecdh_ecdsa_3des_sha", TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS},
+- {"ecdh_ecdsa_aes_128_sha", TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS},
+- {"ecdh_ecdsa_aes_256_sha", TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS},
+- {"ecdhe_ecdsa_null_sha", TLS_ECDHE_ECDSA_WITH_NULL_SHA, TLS},
+- {"ecdhe_ecdsa_rc4_128_sha", TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS},
+- {"ecdhe_ecdsa_3des_sha", TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS},
+- {"ecdhe_ecdsa_aes_128_sha", TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS},
+- {"ecdhe_ecdsa_aes_256_sha", TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS},
+- {"ecdh_rsa_null_sha", TLS_ECDH_RSA_WITH_NULL_SHA, TLS},
+- {"ecdh_rsa_128_sha", TLS_ECDH_RSA_WITH_RC4_128_SHA, TLS},
+- {"ecdh_rsa_3des_sha", TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, TLS},
+- {"ecdh_rsa_aes_128_sha", TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS},
+- {"ecdh_rsa_aes_256_sha", TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS},
+- {"echde_rsa_null", TLS_ECDHE_RSA_WITH_NULL_SHA, TLS},
+- {"ecdhe_rsa_rc4_128_sha", TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS},
+- {"ecdhe_rsa_3des_sha", TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS},
+- {"ecdhe_rsa_aes_128_sha", TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS},
+- {"ecdhe_rsa_aes_256_sha", TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS},
+- {"ecdh_anon_null_sha", TLS_ECDH_anon_WITH_NULL_SHA, TLS},
+- {"ecdh_anon_rc4_128sha", TLS_ECDH_anon_WITH_RC4_128_SHA, TLS},
+- {"ecdh_anon_3des_sha", TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA, TLS},
+- {"ecdh_anon_aes_128_sha", TLS_ECDH_anon_WITH_AES_128_CBC_SHA, TLS},
+- {"ecdh_anon_aes_256_sha", TLS_ECDH_anon_WITH_AES_256_CBC_SHA, TLS},
++ {"ecdh_ecdsa_null_sha", TLS_ECDH_ECDSA_WITH_NULL_SHA},
++ {"ecdh_ecdsa_rc4_128_sha", TLS_ECDH_ECDSA_WITH_RC4_128_SHA},
++ {"ecdh_ecdsa_3des_sha", TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA},
++ {"ecdh_ecdsa_aes_128_sha", TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA},
++ {"ecdh_ecdsa_aes_256_sha", TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA},
++ {"ecdhe_ecdsa_null_sha", TLS_ECDHE_ECDSA_WITH_NULL_SHA},
++ {"ecdhe_ecdsa_rc4_128_sha", TLS_ECDHE_ECDSA_WITH_RC4_128_SHA},
++ {"ecdhe_ecdsa_3des_sha", TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA},
++ {"ecdhe_ecdsa_aes_128_sha", TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA},
++ {"ecdhe_ecdsa_aes_256_sha", TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA},
++ {"ecdh_rsa_null_sha", TLS_ECDH_RSA_WITH_NULL_SHA},
++ {"ecdh_rsa_128_sha", TLS_ECDH_RSA_WITH_RC4_128_SHA},
++ {"ecdh_rsa_3des_sha", TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA},
++ {"ecdh_rsa_aes_128_sha", TLS_ECDH_RSA_WITH_AES_128_CBC_SHA},
++ {"ecdh_rsa_aes_256_sha", TLS_ECDH_RSA_WITH_AES_256_CBC_SHA},
++ {"echde_rsa_null", TLS_ECDHE_RSA_WITH_NULL_SHA},
++ {"ecdhe_rsa_rc4_128_sha", TLS_ECDHE_RSA_WITH_RC4_128_SHA},
++ {"ecdhe_rsa_3des_sha", TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA},
++ {"ecdhe_rsa_aes_128_sha", TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
++ {"ecdhe_rsa_aes_256_sha", TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA},
++ {"ecdh_anon_null_sha", TLS_ECDH_anon_WITH_NULL_SHA},
++ {"ecdh_anon_rc4_128sha", TLS_ECDH_anon_WITH_RC4_128_SHA},
++ {"ecdh_anon_3des_sha", TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA},
++ {"ecdh_anon_aes_128_sha", TLS_ECDH_anon_WITH_AES_128_CBC_SHA},
++ {"ecdh_anon_aes_256_sha", TLS_ECDH_anon_WITH_AES_256_CBC_SHA},
+ #endif
+ };
+
+@@ -248,7 +245,7 @@ static SECStatus set_ciphers(struct SessionHandle *data, PRFileDesc * model,
+ for(i=0; i<NUM_OF_CIPHERS; i++) {
+ rv = SSL_CipherPrefSet(model, cipherlist[i].num, cipher_state[i]);
+ if(rv != SECSuccess) {
+- failf(data, "Unknown cipher in cipher list");
++ failf(data, "cipher-suite not supported by NSS: %s", cipherlist[i].name);
+ return SECFailure;
+ }
+ }
+@@ -1084,7 +1081,7 @@ int Curl_nss_close_all(struct SessionHandle *data)
+ return 0;
+ }
+
+-/* return true if NSS can provide error code (and possibly msg) for the error */
++/* true if NSS can provide error code (and possibly a message) for the error */
+ static bool is_nss_error(CURLcode err)
+ {
+ switch(err) {
+--
+1.7.1
+
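Review bot: The rewritten ECC entries keep three names that break the table's own pattern: `echde_rsa_null` (letters transposed, no `_sha` suffix), `ecdh_rsa_128_sha` (no `rc4`) and `ecdh_anon_rc4_128sha` (missing underscore). These strings look like what a user passes in a cipher list, so the spelling a user would expect is presumably not matched; the lookup code is outside the hunk. Since every line of the table is touched here anyway, a comment such as `/* historical spelling, kept for compatibility */` on those entries would stop a later cleanup from silently renaming them.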
diff --git a/0006-curl-7.21.7-3445fa2.patch b/0006-curl-7.21.7-3445fa2.patch
deleted file mode 100644
index fe9cf74..0000000
--- a/0006-curl-7.21.7-3445fa2.patch
+++ /dev/null
@@ -1,146 +0,0 @@
-From 3445fa2e3f28b359a3acd2a884f4e119b11e0a57 Mon Sep 17 00:00:00 2001
-From: Kamil Dudka <kdudka@redhat.com>
-Date: Fri, 26 Aug 2011 11:10:58 +0200
-Subject: [PATCH] tests: break busy loops in tests 502, 555, and 573
-
----
- tests/libtest/lib502.c | 23 +++++++++++++++++++++--
- tests/libtest/lib555.c | 23 +++++++++++++++++++++--
- tests/libtest/lib573.c | 23 +++++++++++++++++++++--
- 3 files changed, 63 insertions(+), 6 deletions(-)
-
-diff --git a/tests/libtest/lib502.c b/tests/libtest/lib502.c
-index 9ade12a..9040b2b 100644
---- a/tests/libtest/lib502.c
-+++ b/tests/libtest/lib502.c
-@@ -73,6 +73,10 @@ int test(char *URL)
- mp_start = tutil_tvnow();
-
- while (running) {
-+ static struct timeval timeout = /* 100 ms */ { 0, 100000L };
-+ fd_set fdread, fdwrite, fdexcep;
-+ int maxfd = -1;
-+
- res = (int)curl_multi_perform(m, &running);
- if (tutil_tvdiff(tutil_tvnow(), mp_start) >
- MULTI_PERFORM_HANG_TIMEOUT) {
-@@ -83,11 +87,26 @@ int test(char *URL)
- fprintf(stderr, "nothing left running.\n");
- break;
- }
-+
-+ FD_ZERO(&fdread);
-+ FD_ZERO(&fdwrite);
-+ FD_ZERO(&fdexcep);
-+ curl_multi_fdset(m, &fdread, &fdwrite, &fdexcep, &maxfd);
-+
-+ /* In a real-world program you OF COURSE check the return code of the
-+ function calls. On success, the value of maxfd is guaranteed to be
-+ greater or equal than -1. We call select(maxfd + 1, ...), specially in
-+ case of (maxfd == -1), we call select(0, ...), which is basically equal
-+ to sleep. */
-+
-+ if (select(maxfd + 1, &fdread, &fdwrite, &fdexcep, &timeout) == -1) {
-+ res = ~CURLM_OK;
-+ break;
-+ }
- }
-
- if (mp_timedout) {
-- if (mp_timedout) fprintf(stderr, "mp_timedout\n");
-- fprintf(stderr, "ABORTING TEST, since it seems "
-+ fprintf(stderr, "mp_timedout\nABORTING TEST, since it seems "
- "that it would have run forever.\n");
- res = TEST_ERR_RUNS_FOREVER;
- }
-diff --git a/tests/libtest/lib555.c b/tests/libtest/lib555.c
-index c675015..1e73a5a 100644
---- a/tests/libtest/lib555.c
-+++ b/tests/libtest/lib555.c
-@@ -135,6 +135,10 @@ int test(char *URL)
- mp_start = tutil_tvnow();
-
- while (running) {
-+ static struct timeval timeout = /* 100 ms */ { 0, 100000L };
-+ fd_set fdread, fdwrite, fdexcep;
-+ int maxfd = -1;
-+
- res = (int)curl_multi_perform(m, &running);
- if (tutil_tvdiff(tutil_tvnow(), mp_start) >
- MULTI_PERFORM_HANG_TIMEOUT) {
-@@ -148,11 +152,26 @@ int test(char *URL)
- fprintf(stderr, "nothing left running.\n");
- break;
- }
-+
-+ FD_ZERO(&fdread);
-+ FD_ZERO(&fdwrite);
-+ FD_ZERO(&fdexcep);
-+ curl_multi_fdset(m, &fdread, &fdwrite, &fdexcep, &maxfd);
-+
-+ /* In a real-world program you OF COURSE check the return code of the
-+ function calls. On success, the value of maxfd is guaranteed to be
-+ greater or equal than -1. We call select(maxfd + 1, ...), specially in
-+ case of (maxfd == -1), we call select(0, ...), which is basically equal
-+ to sleep. */
-+
-+ if (select(maxfd + 1, &fdread, &fdwrite, &fdexcep, &timeout) == -1) {
-+ res = ~CURLM_OK;
-+ break;
-+ }
- }
-
- if (mp_timedout) {
-- if (mp_timedout) fprintf(stderr, "mp_timedout\n");
-- fprintf(stderr, "ABORTING TEST, since it seems "
-+ fprintf(stderr, "mp_timedout\nABORTING TEST, since it seems "
- "that it would have run forever.\n");
- res = TEST_ERR_RUNS_FOREVER;
- }
-diff --git a/tests/libtest/lib573.c b/tests/libtest/lib573.c
-index 4661858..b5fafe1 100644
---- a/tests/libtest/lib573.c
-+++ b/tests/libtest/lib573.c
-@@ -76,6 +76,10 @@ int test(char *URL)
- mp_start = tutil_tvnow();
-
- while (running) {
-+ static struct timeval timeout = /* 100 ms */ { 0, 100000L };
-+ fd_set fdread, fdwrite, fdexcep;
-+ int maxfd = -1;
-+
- res = (int)curl_multi_perform(m, &running);
- if (tutil_tvdiff(tutil_tvnow(), mp_start) >
- MULTI_PERFORM_HANG_TIMEOUT) {
-@@ -86,11 +90,26 @@ int test(char *URL)
- fprintf(stderr, "nothing left running.\n");
- break;
- }
-+
-+ FD_ZERO(&fdread);
-+ FD_ZERO(&fdwrite);
-+ FD_ZERO(&fdexcep);
-+ curl_multi_fdset(m, &fdread, &fdwrite, &fdexcep, &maxfd);
-+
-+ /* In a real-world program you OF COURSE check the return code of the
-+ function calls. On success, the value of maxfd is guaranteed to be
-+ greater or equal than -1. We call select(maxfd + 1, ...), specially in
-+ case of (maxfd == -1), we call select(0, ...), which is basically equal
-+ to sleep. */
-+
-+ if (select(maxfd + 1, &fdread, &fdwrite, &fdexcep, &timeout) == -1) {
-+ res = ~CURLM_OK;
-+ break;
-+ }
- }
-
- if (mp_timedout) {
-- if (mp_timedout) fprintf(stderr, "mp_timedout\n");
-- fprintf(stderr, "ABORTING TEST, since it seems "
-+ fprintf(stderr, "mp_timedout\nABORTING TEST, since it seems "
- "that it would have run forever.\n");
- res = TEST_ERR_RUNS_FOREVER;
- }
---
-1.7.4.4
-
diff --git a/0006-curl-7.27.0-68d2830e.patch b/0006-curl-7.27.0-68d2830e.patch
new file mode 100644
index 0000000..be8c558
--- /dev/null
+++ b/0006-curl-7.27.0-68d2830e.patch
@@ -0,0 +1,68 @@
+From c011938e10bf3af5896d0f7f5ecffc22150303f3 Mon Sep 17 00:00:00 2001
+From: Kamil Dudka <kdudka@redhat.com>
+Date: Mon, 3 Dec 2012 13:17:50 +0100
+Subject: [PATCH 1/3] nss: prevent NSS from crashing on client auth hook failure
+
+Although it is not explicitly stated in the documentation, NSS uses
+*pRetCert and *pRetKey even if the client authentication hook returns
+a failure. Namely, if we destroy *pRetCert without clearing *pRetCert
+afterwards, NSS destroys the certificate once again, which causes a
+double free.
+
+Reported by: Bob Relyea
+
+[upstream commit 68d2830ee9df50961e481e81c1baaa290c33f03e]
+---
+ lib/nss.c | 17 +++++++++++------
+ 1 files changed, 11 insertions(+), 6 deletions(-)
+
+diff --git a/lib/nss.c b/lib/nss.c
+index 22b53bf..794eccb 100644
+--- a/lib/nss.c
++++ b/lib/nss.c
+@@ -757,6 +757,8 @@ static SECStatus SelectClientCert(void *arg, PRFileDesc *sock,
+ static const char pem_slotname[] = "PEM Token #1";
+ SECItem cert_der = { 0, NULL, 0 };
+ void *proto_win = SSL_RevealPinArg(sock);
++ struct CERTCertificateStr *cert;
++ struct SECKEYPrivateKeyStr *key;
+
+ PK11SlotInfo *slot = PK11_FindSlotByName(pem_slotname);
+ if(NULL == slot) {
+@@ -771,24 +773,27 @@ static SECStatus SelectClientCert(void *arg, PRFileDesc *sock,
+ return SECFailure;
+ }
+
+- *pRetCert = PK11_FindCertFromDERCertItem(slot, &cert_der, proto_win);
++ cert = PK11_FindCertFromDERCertItem(slot, &cert_der, proto_win);
+ SECITEM_FreeItem(&cert_der, PR_FALSE);
+- if(NULL == *pRetCert) {
++ if(NULL == cert) {
+ failf(data, "NSS: client certificate from file not found");
+ PK11_FreeSlot(slot);
+ return SECFailure;
+ }
+
+- *pRetKey = PK11_FindPrivateKeyFromCert(slot, *pRetCert, NULL);
++ key = PK11_FindPrivateKeyFromCert(slot, cert, NULL);
+ PK11_FreeSlot(slot);
+- if(NULL == *pRetKey) {
++ if(NULL == key) {
+ failf(data, "NSS: private key from file not found");
+- CERT_DestroyCertificate(*pRetCert);
++ CERT_DestroyCertificate(cert);
+ return SECFailure;
+ }
+
+ infof(data, "NSS: client certificate from file\n");
+- display_cert_info(data, *pRetCert);
++ display_cert_info(data, cert);
++
++ *pRetCert = cert;
++ *pRetKey = key;
+ return SECSuccess;
+ }
+
+--
+1.7.1
+
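Review bot: The code does not record why the out-parameters are now written only at the end, which is the whole point of the change: per the commit message, NSS reads `*pRetCert` and `*pRetKey` even when the hook returns `SECFailure`. I would add above the final assignments `/* set the out-parameters only on success: NSS uses them even if we return SECFailure */`. The failure returns now leave both out-parameters exactly as the caller passed them, which is safe only if NSS hands them in as NULL; that is not visible here and is worth confirming. The locals could also use the `CERTCertificate` and `SECKEYPrivateKey` typedefs instead of the struct tags. `SelectClientCert` starts before the hunk.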
diff --git a/0007-curl-7.27.0-b36f1d26.patch b/0007-curl-7.27.0-b36f1d26.patch
new file mode 100644
index 0000000..c712da0
--- /dev/null
+++ b/0007-curl-7.27.0-b36f1d26.patch
@@ -0,0 +1,55 @@
+From fefd7cdcde39c56651f6e2c32be9cd79354ffdc4 Mon Sep 17 00:00:00 2001
+From: Kamil Dudka <kdudka@redhat.com>
+Date: Fri, 11 Jan 2013 10:24:21 +0100
+Subject: [PATCH 2/3] nss: clear session cache if a client cert from file is used
+
+This commit fixes a regression introduced in 052a08ff.
+
+NSS caches certs/keys returned by the SSL_GetClientAuthDataHook callback
+and if we connect second time to the same server, the cached cert/key
+pair is used. If we use multiple client certificates for different
+paths on the same server, we need to clear the session cache to force
+NSS to call the hook again. The commit 052a08ff prevented the session
+cache from being cleared if a client certificate from file was used.
+
+The condition is now fixed to cover both cases: consssl->client_nickname
+is not NULL if a client certificate from the NSS database is used and
+connssl->obj_clicert is not NULL if a client certificate from file is
+used.
+
+Review by: Kai Engert
+
+[upstream commit b36f1d26f830453ebaa17238f9bd1e396f618720]
+---
+ lib/nss.c | 12 ++++++++----
+ 1 files changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/lib/nss.c b/lib/nss.c
+index 794eccb..f97090a 100644
+--- a/lib/nss.c
++++ b/lib/nss.c
+@@ -1058,13 +1058,17 @@ void Curl_nss_close(struct connectdata *conn, int sockindex)
+ as closed to avoid double close */
+ fake_sclose(conn->sock[sockindex]);
+ conn->sock[sockindex] = CURL_SOCKET_BAD;
++
++ if((connssl->client_nickname != NULL) || (connssl->obj_clicert != NULL))
++ /* A server might require different authentication based on the
++ * particular path being requested by the client. To support this
++ * scenario, we must ensure that a connection will never reuse the
++ * authentication data from a previous connection. */
++ SSL_InvalidateSession(connssl->handle);
++
+ if(connssl->client_nickname != NULL) {
+ free(connssl->client_nickname);
+ connssl->client_nickname = NULL;
+-
+- /* force NSS to ask again for a client cert when connecting
+- * next time to the same server */
+- SSL_InvalidateSession(connssl->handle);
+ }
+ /* destroy all NSS objects in order to avoid failure of NSS shutdown */
+ Curl_llist_destroy(connssl->obj_list, NULL);
+--
+1.7.1
+
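Review bot: The result of `SSL_InvalidateSession(connssl->handle)` is ignored, so if invalidation fails, the cached client authentication data can still be reused on the next connection to the same server, which is the case this change exists to prevent. Reporting the failure would make that visible, e.g. `if(SSL_InvalidateSession(connssl->handle) != SECSuccess) infof(conn->data, "NSS: unable to invalidate SSL session\n");`. The brace-less `if` with a four-line comment between the condition and its statement is also easy to misread; braces around the body would help. Whether `connssl->obj_clicert` is reset after `Curl_llist_destroy()` is outside the hunk, as is the rest of `Curl_nss_close`.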
diff --git a/0008-curl-7.27.0-26613d78.patch b/0008-curl-7.27.0-26613d78.patch
new file mode 100644
index 0000000..27e381c
--- /dev/null
+++ b/0008-curl-7.27.0-26613d78.patch
@@ -0,0 +1,30 @@
+From afd2d98b4a9c69fb47048122629fd4be1d40f906 Mon Sep 17 00:00:00 2001
+From: Kamil Dudka <kdudka@redhat.com>
+Date: Tue, 15 Jan 2013 12:58:08 +0100
+Subject: [PATCH 3/3] nss: fix error messages for CURLE_SSL_{CACERT,CRL}_BADFILE
+
+Do not use the error messages from NSS for errors not occurring in NSS.
+
+[upstream commit 26613d781725e39b0f601301a65c64e146977d8f]
+---
+ lib/nss.c | 2 --
+ 1 files changed, 0 insertions(+), 2 deletions(-)
+
+diff --git a/lib/nss.c b/lib/nss.c
+index f97090a..c5dcf52 100644
+--- a/lib/nss.c
++++ b/lib/nss.c
+@@ -1096,10 +1096,8 @@ static bool is_nss_error(CURLcode err)
+ switch(err) {
+ case CURLE_PEER_FAILED_VERIFICATION:
+ case CURLE_SSL_CACERT:
+- case CURLE_SSL_CACERT_BADFILE:
+ case CURLE_SSL_CERTPROBLEM:
+ case CURLE_SSL_CONNECT_ERROR:
+- case CURLE_SSL_CRL_BADFILE:
+ case CURLE_SSL_ISSUER_ERROR:
+ return true;
+
+--
+1.7.1
+
diff --git a/0009-curl-7.27.0-f206d6c0.patch b/0009-curl-7.27.0-f206d6c0.patch
new file mode 100644
index 0000000..f904907
--- /dev/null
+++ b/0009-curl-7.27.0-f206d6c0.patch
@@ -0,0 +1,69 @@
+From 46890e837c3b27195e4b0285d221d900f2ad48cc Mon Sep 17 00:00:00 2001
+From: Eldar Zaitov <kyprizel@volema.com>
+Date: Wed, 30 Jan 2013 23:22:27 +0100
+Subject: [PATCH] Curl_sasl_create_digest_md5_message: fix buffer overflow
+
+When negotiating SASL DIGEST-MD5 authentication, the function
+Curl_sasl_create_digest_md5_message() uses the data provided from the
+server without doing the proper length checks and that data is then
+appended to a local fixed-size buffer on the stack.
+
+This vulnerability can be exploited by someone who is in control of a
+server that a libcurl based program is accessing with POP3, SMTP or
+IMAP. For applications that accept user provided URLs, it is also
+thinkable that a malicious user would feed an application with a URL to
+a server hosting code targetting this flaw.
+
+Bug: http://curl.haxx.se/docs/adv_20130206.html
+
+[upstream commit f206d6c055d1008f0edb6d5d5920f0f300b9983a]
+
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/curl_sasl.c | 23 ++++++-----------------
+ 1 files changed, 6 insertions(+), 17 deletions(-)
+
+diff --git a/lib/curl_sasl.c b/lib/curl_sasl.c
+index ccb54a8..e42b850 100644
+--- a/lib/curl_sasl.c
++++ b/lib/curl_sasl.c
+@@ -345,9 +345,7 @@ CURLcode Curl_sasl_create_digest_md5_message(struct SessionHandle *data,
+ snprintf(&HA1_hex[2 * i], 3, "%02x", digest[i]);
+
+ /* Prepare the URL string */
+- strcpy(uri, service);
+- strcat(uri, "/");
+- strcat(uri, realm);
++ snprintf(uri, sizeof(uri), "%s/%s", service, realm);
+
+ /* Calculate H(A2) */
+ ctxt = Curl_MD5_init(Curl_DIGEST_MD5);
+@@ -391,20 +389,11 @@ CURLcode Curl_sasl_create_digest_md5_message(struct SessionHandle *data,
+ for(i = 0; i < MD5_DIGEST_LEN; i++)
+ snprintf(&resp_hash_hex[2 * i], 3, "%02x", digest[i]);
+
+- strcpy(response, "username=\"");
+- strcat(response, userp);
+- strcat(response, "\",realm=\"");
+- strcat(response, realm);
+- strcat(response, "\",nonce=\"");
+- strcat(response, nonce);
+- strcat(response, "\",cnonce=\"");
+- strcat(response, cnonce);
+- strcat(response, "\",nc=");
+- strcat(response, nonceCount);
+- strcat(response, ",digest-uri=\"");
+- strcat(response, uri);
+- strcat(response, "\",response=");
+- strcat(response, resp_hash_hex);
++ snprintf(response, sizeof(response),
++ "username=\"%s\",realm=\"%s\",nonce=\"%s\","
++ "cnonce=\"%s\",nc=\"%s\",digest-uri=\"%s\",response=%s",
++ userp, realm, nonce,
++ cnonce, nonceCount, uri, resp_hash_hex);
+
+ /* Base64 encode the reply */
+ return Curl_base64_encode(data, response, 0, outptr, outlen);
+--
+1.7.1
+
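Review bot: Both `snprintf()` calls bound the write but nothing detects truncation, so an over-long server-supplied `realm` or `nonce` now yields a silently cut `uri` or `response` that is still Base64-encoded and sent. Rejecting the challenge before formatting is safer, e.g. `if(strlen(service) + strlen(realm) + 2 > sizeof(uri))` followed by an error return, and likewise for the summed lengths going into `response`; the function's cleanup path is outside the hunk. Separately, the removed code emitted `nc=` followed by the bare count, while the new format string writes `nc=\"%s\"`, which changes the message on the wire inside a security fix and should be confirmed as intended. `sizeof(uri)` and `sizeof(response)` are only correct while both remain arrays; their declarations are not in the hunk.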
diff --git a/0010-curl-7.27.0-57ccdfa8.patch b/0010-curl-7.27.0-57ccdfa8.patch
new file mode 100644
index 0000000..cc4be82
--- /dev/null
+++ b/0010-curl-7.27.0-57ccdfa8.patch
@@ -0,0 +1,158 @@
+From fba5ed6d23b8fab97150da2b49a35236a8f4684c Mon Sep 17 00:00:00 2001
+From: Zdenek Pavlas <zpavlas@redhat.com>
+Date: Mon, 11 Mar 2013 14:57:07 +0100
+Subject: [PATCH] curl_global_init: accept the CURL_GLOBAL_ACK_EINTR flag
+
+The flag can be used in pycurl-based applications where using the multi
+interface would not be acceptable because of the performance lost caused
+by implementing the select() loop in python.
+
+Bug: http://curl.haxx.se/bug/view.cgi?id=1168
+Downstream Bug: https://bugzilla.redhat.com/919127
+
+[upstream commit 57ccdfa8d2bb6275388223f4676cd623ebd01697]
+
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ docs/libcurl/curl_global_init.3 | 4 ++++
+ docs/libcurl/symbols-in-versions | 1 +
+ include/curl/curl.h | 1 +
+ lib/easy.c | 6 +++++-
+ lib/select.c | 17 ++---------------
+ lib/select.h | 6 ++++++
+ 6 files changed, 19 insertions(+), 16 deletions(-)
+
+diff --git a/docs/libcurl/curl_global_init.3 b/docs/libcurl/curl_global_init.3
+index d91e1bd..6a08383 100644
+--- a/docs/libcurl/curl_global_init.3
++++ b/docs/libcurl/curl_global_init.3
+@@ -70,6 +70,10 @@ Initialise nothing extra. This sets no bit.
+ .B CURL_GLOBAL_DEFAULT
+ A sensible default. It will init both SSL and Win32. Right now, this equals
+ the functionality of the \fBCURL_GLOBAL_ALL\fP mask.
++.TP
++.B CURL_GLOBAL_ACK_EINTR
++When this flag is set, curl will acknowledge EINTR condition when connecting
++or when waiting for data. Otherwise, curl waits until full timeout elapses.
+ .SH RETURN VALUE
+ If this function returns non-zero, something went wrong and you cannot use the
+ other curl functions.
+diff --git a/docs/libcurl/symbols-in-versions b/docs/libcurl/symbols-in-versions
+index 41705fd..c528208 100644
+--- a/docs/libcurl/symbols-in-versions
++++ b/docs/libcurl/symbols-in-versions
+@@ -612,6 +612,7 @@ CURL_GLOBAL_DEFAULT 7.8
+ CURL_GLOBAL_NOTHING 7.8
+ CURL_GLOBAL_SSL 7.8
+ CURL_GLOBAL_WIN32 7.8.1
++CURL_GLOBAL_ACK_EINTR 7.30.0
+ CURL_HTTP_VERSION_1_0 7.9.1
+ CURL_HTTP_VERSION_1_1 7.9.1
+ CURL_HTTP_VERSION_NONE 7.9.1
+diff --git a/include/curl/curl.h b/include/curl/curl.h
+index 2cad282..63e7056 100644
+--- a/include/curl/curl.h
++++ b/include/curl/curl.h
+@@ -2022,6 +2022,7 @@ typedef enum {
+ #define CURL_GLOBAL_ALL (CURL_GLOBAL_SSL|CURL_GLOBAL_WIN32)
+ #define CURL_GLOBAL_NOTHING 0
+ #define CURL_GLOBAL_DEFAULT CURL_GLOBAL_ALL
++#define CURL_GLOBAL_ACK_EINTR (1<<2)
+
+
+ /*****************************************************************************
+diff --git a/lib/easy.c b/lib/easy.c
+index 6e8ff77..88f4a60 100644
+--- a/lib/easy.c
++++ b/lib/easy.c
+@@ -267,6 +267,8 @@ CURLcode curl_global_init(long flags)
+ }
+ #endif
+
++ Curl_ack_eintr = flags & CURL_GLOBAL_ACK_EINTR;
++
+ init_flags = flags;
+
+ /* Preset pseudo-random number sequence. */
+@@ -459,9 +461,11 @@ CURLcode curl_easy_perform(CURL *easy)
+ select. This whole alternative version should probably rather use the
+ curl_multi_socket() approach. */
+
+- if(rc == -1)
++ if(rc == -1) {
+ /* select error */
++ code = CURLE_RECV_ERROR;
+ break;
++ }
+
+ /* timeout or data to send/receive => loop! */
+ } while(still_running);
+diff --git a/lib/select.c b/lib/select.c
+index 40673ec..bb8b773 100644
+--- a/lib/select.c
++++ b/lib/select.c
+@@ -50,11 +50,8 @@
+
+ #define elapsed_ms (int)curlx_tvdiff(curlx_tvnow(), initial_tv)
+
+-#ifdef CURL_ACKNOWLEDGE_EINTR
+-#define error_not_EINTR (1)
+-#else
+-#define error_not_EINTR (error != EINTR)
+-#endif
++int Curl_ack_eintr = 0;
++#define error_not_EINTR (Curl_ack_eintr || error != EINTR)
+
+ /*
+ * Internal function used for waiting a specific amount of ms
+@@ -67,10 +64,6 @@
+ * Timeout resolution, accuracy, as well as maximum supported
+ * value is system dependent, neither factor is a citical issue
+ * for the intended use of this function in the library.
+- * On non-DOS and non-Winsock platforms, when compiled with
+- * CURL_ACKNOWLEDGE_EINTR defined, EINTR condition is honored
+- * and function might exit early without awaiting full timeout,
+- * otherwise EINTR will be ignored and full timeout will elapse.
+ *
+ * Return values:
+ * -1 = system call error, invalid timeout value, or interrupted
+@@ -133,9 +126,6 @@ int Curl_wait_ms(int timeout_ms)
+ * A negative timeout value makes this function wait indefinitely,
+ * unles no valid file descriptor is given, when this happens the
+ * negative timeout is ignored and the function times out immediately.
+- * When compiled with CURL_ACKNOWLEDGE_EINTR defined, EINTR condition
+- * is honored and function might exit early without awaiting timeout,
+- * otherwise EINTR will be ignored.
+ *
+ * Return values:
+ * -1 = system call error or fd >= FD_SETSIZE
+@@ -347,9 +337,6 @@ int Curl_socket_check(curl_socket_t readfd0, /* two sockets to read from */
+ * A negative timeout value makes this function wait indefinitely,
+ * unles no valid file descriptor is given, when this happens the
+ * negative timeout is ignored and the function times out immediately.
+- * When compiled with CURL_ACKNOWLEDGE_EINTR defined, EINTR condition
+- * is honored and function might exit early without awaiting timeout,
+- * otherwise EINTR will be ignored.
+ *
+ * Return values:
+ * -1 = system call error or fd >= FD_SETSIZE
+diff --git a/lib/select.h b/lib/select.h
+index b50604b..4f0e464 100644
+--- a/lib/select.h
++++ b/lib/select.h
+@@ -99,6 +99,12 @@ int Curl_socket_check(curl_socket_t readfd, curl_socket_t readfd2,
+
+ int Curl_poll(struct pollfd ufds[], unsigned int nfds, int timeout_ms);
+
++/* On non-DOS and non-Winsock platforms, when Curl_ack_eintr is set,
++ * EINTR condition is honored and function might exit early without
++ * awaiting full timeout. Otherwise EINTR will be ignored and full
++ * timeout will elapse. */
++extern int Curl_ack_eintr;
++
+ int Curl_wait_ms(int timeout_ms);
+
+ #ifdef TPF
+--
+1.7.1
+
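Review bot: The man page text added for `CURL_GLOBAL_ACK_EINTR` does not say what a caller gets back when a wait is interrupted. The lib/easy.c hunk now sets `code = CURLE_RECV_ERROR` on `rc == -1`; if that wait goes through the `error_not_EINTR` test in lib/select.c (the call is not shown in the hunk), a signal would be reported with the same code as a real receive failure. I would add a sentence to the `.TP` entry such as `With this flag set, a transfer interrupted by a signal can fail early with an error code instead of waiting out the timeout.` The symbols-in-versions line also records the flag as `7.30.0` although this package ships it in 7.27.0, so callers should test `#ifdef CURL_GLOBAL_ACK_EINTR` rather than the version number. The bodies of curl_global_init and curl_easy_perform continue outside the nested hunks.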
diff --git a/0101-curl-7.21.1-multilib.patch b/0101-curl-7.27.0-multilib.patch
index cbb5bab..09acf78 100644
--- a/0101-curl-7.21.1-multilib.patch
+++ b/0101-curl-7.27.0-multilib.patch
@@ -7,7 +7,7 @@ diff --git a/curl-config.in b/curl-config.in
index 150004d..95d0759 100644
--- a/curl-config.in
+++ b/curl-config.in
-@@ -74,7 +74,7 @@ while test $# -gt 0; do
+@@ -75,7 +75,7 @@ while test $# -gt 0; do
;;
--cc)
@@ -16,7 +16,7 @@ index 150004d..95d0759 100644
;;
--prefix)
-@@ -136,24 +136,14 @@ while test $# -gt 0; do
+@@ -142,24 +142,14 @@ while test $# -gt 0; do
;;
--libs)
@@ -26,9 +26,9 @@ index 150004d..95d0759 100644
- CURLLIBDIR=""
- fi
- if test "X@REQUIRE_LIB_DEPS@" = "Xyes"; then
-- echo ${CURLLIBDIR}-lcurl @LDFLAGS@ @LIBCURL_LIBS@ @LIBS@
+- echo ${CURLLIBDIR}-lcurl @LIBCURL_LIBS@ @LIBS@
- else
-- echo ${CURLLIBDIR}-lcurl @LDFLAGS@ @LIBS@
+- echo ${CURLLIBDIR}-lcurl @LIBS@
- fi
+ pkg-config libcurl --libs
;;
@@ -39,7 +39,7 @@ index 150004d..95d0759 100644
--configure)
- echo @CONFIGURE_OPTIONS@
-+ pkg-config libcurl --variable=configure_options | sed 's/^"//;s/"$//'
++ pkg-config libcurl --variable=configure_options | sed 's/^"//;s/"$//'
;;
*)
@@ -47,7 +47,7 @@ diff --git a/docs/curl-config.1 b/docs/curl-config.1
index c4f4e2b..3e0ea60 100644
--- a/docs/curl-config.1
+++ b/docs/curl-config.1
-@@ -65,7 +65,9 @@ be listed using uppercase and are separated by newlines. There may be none,
+@@ -65,7 +65,9 @@ be listed using uppercase and are separa
one, or several protocols in the list. (Added in 7.13.0)
.IP "--static-libs"
Shows the complete set of libs and other linker options you will need in order
diff --git a/0102-curl-7.27.0-debug.patch b/0102-curl-7.27.0-debug.patch
new file mode 100644
index 0000000..0f10d40
--- /dev/null
+++ b/0102-curl-7.27.0-debug.patch
@@ -0,0 +1,58 @@
+ configure | 15 ++++-----------
+ m4/curl-compilers.m4 | 15 ++++-----------
+ 2 files changed, 8 insertions(+), 22 deletions(-)
+
+diff --git a/configure b/configure
+index d3ecf69..6d8f085 100755
+--- a/configure
++++ b/configure
+@@ -15093,18 +15093,11 @@ $as_echo "yes" >&6; }
+ gccvhi=`echo $gccver | cut -d . -f1`
+ gccvlo=`echo $gccver | cut -d . -f2`
+ compiler_num=`(expr $gccvhi "*" 100 + $gccvlo) 2>/dev/null`
+- flags_dbg_all="-g -g0 -g1 -g2 -g3"
+- flags_dbg_all="$flags_dbg_all -ggdb"
+- flags_dbg_all="$flags_dbg_all -gstabs"
+- flags_dbg_all="$flags_dbg_all -gstabs+"
+- flags_dbg_all="$flags_dbg_all -gcoff"
+- flags_dbg_all="$flags_dbg_all -gxcoff"
+- flags_dbg_all="$flags_dbg_all -gdwarf-2"
+- flags_dbg_all="$flags_dbg_all -gvms"
++ flags_dbg_all=""
+ flags_dbg_yes="-g"
+- flags_dbg_off="-g0"
+- flags_opt_all="-O -O0 -O1 -O2 -O3 -Os"
+- flags_opt_yes="-O2"
++ flags_dbg_off=""
++ flags_opt_all=""
++ flags_opt_yes=""
+ flags_opt_off="-O0"
+
+ if test -z "$SED"; then
+diff --git a/m4/curl-compilers.m4 b/m4/curl-compilers.m4
+index 1ea4d17..868d65a 100644
+--- a/m4/curl-compilers.m4
++++ b/m4/curl-compilers.m4
+@@ -148,18 +148,11 @@ AC_DEFUN([CURL_CHECK_COMPILER_GNU_C], [
+ gccvhi=`echo $gccver | cut -d . -f1`
+ gccvlo=`echo $gccver | cut -d . -f2`
+ compiler_num=`(expr $gccvhi "*" 100 + $gccvlo) 2>/dev/null`
+- flags_dbg_all="-g -g0 -g1 -g2 -g3"
+- flags_dbg_all="$flags_dbg_all -ggdb"
+- flags_dbg_all="$flags_dbg_all -gstabs"
+- flags_dbg_all="$flags_dbg_all -gstabs+"
+- flags_dbg_all="$flags_dbg_all -gcoff"
+- flags_dbg_all="$flags_dbg_all -gxcoff"
+- flags_dbg_all="$flags_dbg_all -gdwarf-2"
+- flags_dbg_all="$flags_dbg_all -gvms"
++ flags_dbg_all=""
+ flags_dbg_yes="-g"
+- flags_dbg_off="-g0"
+- flags_opt_all="-O -O0 -O1 -O2 -O3 -Os"
+- flags_opt_yes="-O2"
++ flags_dbg_off=""
++ flags_opt_all=""
++ flags_opt_yes=""
+ flags_opt_off="-O0"
+ CURL_CHECK_DEF([_WIN32], [], [silent])
+ else
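Review bot: The patch file has no description, and the only rationale, the curl.spec comment `# prevent configure script from discarding -g in CFLAGS (#496778)`, covers less than the patch does. Besides the debug flags, both hunks also empty `flags_opt_all` and `flags_opt_yes`, so configure no longer strips or adds `-O` levels, presumably so that the distribution's own optimisation flags pass through unchanged. A header line in the patch such as `Keep the -g and -O flags from the caller's CFLAGS; do not let configure rewrite them` would record that. The same edit is made by hand to the generated `configure` and to `m4/curl-compilers.m4`, so the two hunks have to be refreshed together on the next rebase.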
diff --git a/0105-curl-7.21.3-disable-test1112.patch b/0105-curl-7.21.3-disable-test1112.patch
deleted file mode 100644
index d1c0292..0000000
--- a/0105-curl-7.21.3-disable-test1112.patch
+++ /dev/null
@@ -1,30 +0,0 @@
- tests/data/Makefile.am | 2 +-
- tests/data/Makefile.in | 2 +-
- 2 files changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/tests/data/Makefile.am b/tests/data/Makefile.am
-index 9370974..b553f54 100644
---- a/tests/data/Makefile.am
-+++ b/tests/data/Makefile.am
-@@ -69,7 +69,7 @@ test1078 test1079 test1080 test1081 test1082 test1083 test1084 test1085 \
- test1086 test1087 test1088 test1089 test1090 test1091 test1092 test1093 \
- test1094 test1095 test1096 test1097 test1098 test1099 test1100 test1101 \
- test1102 test1103 test1104 test1105 test1106 test1107 test1108 test1109 \
--test1110 test1111 test1112 test1113 test1114 test1115 test1116 test1117 \
-+test1110 test1111 test1113 test1114 test1115 test1116 test1117 \
- test1118 test1119 test1120 test1121 test1122 test1123 test1124 test1125 \
- test1126 test1127 test1128 test1200 test1201 test1202 test1203 test1300 \
- test1301 test1302 test1303 test1304 test1305 test1306 test1307 test1308 \
-diff --git a/tests/data/Makefile.in b/tests/data/Makefile.in
-index 435b126..1d71c4e 100644
---- a/tests/data/Makefile.in
-+++ b/tests/data/Makefile.in
-@@ -317,7 +317,7 @@ test1078 test1079 test1080 test1081 test1082 test1083 test1084 test1085 \
- test1086 test1087 test1088 test1089 test1090 test1091 test1092 test1093 \
- test1094 test1095 test1096 test1097 test1098 test1099 test1100 test1101 \
- test1102 test1103 test1104 test1105 test1106 test1107 test1108 test1109 \
--test1110 test1111 test1112 test1113 test1114 test1115 test1116 test1117 \
-+test1110 test1111 test1113 test1114 test1115 test1116 test1117 \
- test1118 test1119 test1120 test1121 test1122 test1123 test1124 test1125 \
- test1126 test1127 test1128 test1200 test1201 test1202 test1203 test1300 \
- test1301 test1302 test1303 test1304 test1305 test1306 test1307 test1308 \
diff --git a/0108-curl-7.27.0-utf8.patch b/0108-curl-7.27.0-utf8.patch
new file mode 100644
index 0000000..b740b17
--- /dev/null
+++ b/0108-curl-7.27.0-utf8.patch
@@ -0,0 +1,86 @@
+ CHANGES | 16 ++++++++--------
+ README | 2 +-
+ 2 files changed, 9 insertions(+), 9 deletions(-)
+
+diff --git a/CHANGES b/CHANGES
+index 2335841..d4d37c2 100644
+--- a/CHANGES
++++ b/CHANGES
+@@ -272,7 +272,7 @@ Daniel Stenberg (9 Jul 2012)
+
+ - cookie: fixed typo in comment
+
+-- [Christian Hägele brought this change]
++- [Christian Hägele brought this change]
+
+ https_getsock: provided for schannel backend as well
+
+@@ -454,7 +454,7 @@ Yang Tse (3 Jul 2012)
+ testcurl.pl: fix missing semicolon
+
+ Daniel Stenberg (2 Jul 2012)
+-- [Christian Hägele brought this change]
++- [Christian Hägele brought this change]
+
+ unicode NTLM SSPI: heap corruption fixed
+
+@@ -2563,18 +2563,18 @@ Daniel Stenberg (1 Apr 2012)
+ Reported by: Michael Wallner
+
+ Steve Holme (31 Mar 2012)
+-- [Gökhan Şengün brought this change]
++- [Gökhan Şengün brought this change]
+
+ smtp: Add support for DIGEST-MD5 authentication
+
+-- [Gökhan Şengün brought this change]
++- [Gökhan Şengün brought this change]
+
+ smtp: Cody tidy up of md5 digest length
+
+ Replaced the hard coded md5 digest length (16) with a preprocessor
+ constant
+
+-- [Gökhan Şengün brought this change]
++- [Gökhan Şengün brought this change]
+
+ md5: Add support for calculating the md5 sum of buffers incrementally
+
+@@ -3866,7 +3866,7 @@ Daniel Stenberg (20 Dec 2011)
+ This offers an alternative to the existing Curl_socket_ready() API which
+ only checks one socket for read and one for write.
+
+-- [Cédric Deltheil brought this change]
++- [Cédric Deltheil brought this change]
+
+ curl.h: add __ANDROID__ macro check
+
+@@ -4079,7 +4079,7 @@ Daniel Stenberg (12 Dec 2011)
+ linking with a static openssl requires a set of more libs to be linked
+ on Windows.
+
+- Thanks also to Steve Holme and Martin Storsj for additional feedback.
++ Thanks also to Steve Holme and Martin Storsjö for additional feedback.
+
+ Bug: http://curl.haxx.se/mail/lib-2011-12/0063.html
+ Reported by: Ward Willats
+@@ -5333,7 +5333,7 @@ Daniel Stenberg (25 Sep 2011)
+ damaging.
+
+ Bug: http://curl.haxx.se/bug/view.cgi?id=3413181
+- Reported by: Taneli Vhkangas
++ Reported by: Taneli Vähäkangas
+
+ Yang Tse (24 Sep 2011)
+ - curl tool: fix a compiler warning
+diff --git a/README b/README
+index 2ffacc3..cfd6760 100644
+--- a/README
++++ b/README
+@@ -45,5 +45,5 @@ GIT
+ NOTICE
+
+ Curl contains pieces of source code that is Copyright (c) 1998, 1999
+- Kungliga Tekniska Hgskolan. This notice is included here to comply with the
++ Kungliga Tekniska Högskolan. This notice is included here to comply with the
+ distribution terms.
diff --git a/curl.spec b/curl.spec
index 3fb29bc..6f2d5d0 100644
--- a/curl.spec
+++ b/curl.spec
@@ -1,47 +1,62 @@
Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
Name: curl
-Version: 7.21.7
-Release: 5%{?dist}.2
+Version: 7.27.0
+Release: 7%{?dist}
License: MIT
Group: Applications/Internet
Source: http://curl.haxx.se/download/%{name}-%{version}.tar.bz2
Source2: curlbuild.h
Source3: hide_selinux.c
-# add a new option CURLOPT_GSSAPI_DELEGATION (#719939)
-Patch1: 0001-curl-7.21.7-a7864c4.patch
+# eliminate unnecessary inotify events on upload via file protocol (#844385)
+Patch1: 0001-curl-7.27.0-1f8518c5.patch
-# fix SIGSEGV of curl -O -J given more than one URLs (#723075)
-Patch2: 0002-curl-7.21.7-5eb2396.patch
-Patch5: 0005-curl-7.21.7-61ae7e9.patch
+# do not crash if MD5 fingerprint is not provided by libssh2
+Patch2: 0002-curl-7.27.0-f05e5136.patch
-# introduce the --delegation option of curl (#730444)
-Patch3: 0003-curl-7.21.7-5538904.patch
+# fix a syntax error in curl-config (#871317)
+Patch3: 0003-curl-7.27.0-382429e7.patch
-# initialize NSS with no database if the selected database is broken (#728562)
-Patch4: 0004-curl-7.21.7-d6f319f.patch
+# do not print misleading NSS error codes
+Patch4: 0004-curl-7.27.0-52b6eda4.patch
-# break busy loops in tests 502, 555, and 573
-Patch6: 0006-curl-7.21.7-3445fa2.patch
+# update the links to cipher-suites supported by NSS
+Patch5: 0005-curl-7.27.0-f208bf5a.patch
+
+# prevent NSS from crashing on client auth hook failure
+Patch6: 0006-curl-7.27.0-68d2830e.patch
+
+# clear session cache if a client cert from file is used
+Patch7: 0007-curl-7.27.0-b36f1d26.patch
+
+# fix error messages for CURLE_SSL_{CACERT,CRL}_BADFILE
+Patch8: 0008-curl-7.27.0-26613d78.patch
+
+# fix buffer overflow when negotiating SASL DIGEST-MD5 auth (CVE-2013-0249)
+Patch9: 0009-curl-7.27.0-f206d6c0.patch
+
+# curl_global_init() now accepts the CURL_GLOBAL_ACK_EINTR flag
+Patch10: 0010-curl-7.27.0-57ccdfa8.patch
# patch making libcurl multilib ready
-Patch101: 0101-curl-7.21.1-multilib.patch
+Patch101: 0101-curl-7.27.0-multilib.patch
# prevent configure script from discarding -g in CFLAGS (#496778)
-Patch102: 0102-curl-7.21.2-debug.patch
+Patch102: 0102-curl-7.27.0-debug.patch
# use localhost6 instead of ip6-localhost in the curl test-suite
Patch104: 0104-curl-7.19.7-localhost6.patch
-# exclude test1112 from the test suite (#565305)
-Patch105: 0105-curl-7.21.3-disable-test1112.patch
-
# disable valgrind for certain test-cases (libssh2 problem)
Patch106: 0106-curl-7.21.0-libssh2-valgrind.patch
# work around valgrind bug (#678518)
Patch107: 0107-curl-7.21.4-libidn-valgrind.patch
+# Fix character encoding of docs, which are of mixed encoding originally so
+# a simple iconv can't fix them
+Patch108: 0108-curl-7.27.0-utf8.patch
+
Provides: webclient
URL: http://curl.haxx.se/
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -58,7 +73,7 @@ BuildRequires: stunnel
BuildRequires: zlib-devel
# valgrind is not available on s390(x), sparc or arm5
-%ifnarch s390 s390x %{sparc} %{arm}
+%ifnarch s390 s390x %{sparc} %{arm} ppc
BuildRequires: valgrind
%endif
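Review bot: The comment above the changed `%ifnarch` line is now stale: it still reads `# valgrind is not available on s390(x), sparc or arm5`, while the new condition also excludes `ppc`. I would update it to `# valgrind is not available on s390(x), sparc, arm5 or ppc`, or give the actual reason if ppc is excluded for something other than availability. Leaving valgrind out of the build requirements presumably means the test suite runs without its memory checks on that architecture, so the reason is worth keeping visible in the spec.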
@@ -68,8 +83,8 @@ Requires: libcurl = %{version}-%{release}
# to ensure that we have the necessary symbols available (#525002, #642796)
%global libssh2_version %(pkg-config --modversion libssh2 2>/dev/null || echo 0)
-# older version doesn't provides "ldap_init_fd"
-%global openldap_version 2.3.43-12.el5_6.5
+# older version than 12.el5_6.5 doesn't provides "ldap_init_fd"
+%global openldap_version 2.3.43-25.el5_8.1
%description
curl is a command line tool for transferring data with URL syntax, supporting
@@ -119,20 +134,17 @@ documentation of the library, too.
%prep
%setup -q
-# Convert docs to UTF-8
-# NOTE: we do this _before_ applying of all patches, which are already UTF-8
-for f in CHANGES README; do
- iconv -f iso-8859-1 -t utf8 < ${f} > ${f}.utf8
- mv -f ${f}.utf8 ${f}
-done
-
-# upstream patches (already applied)
+# upstream patches
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p1
%patch6 -p1
+%patch7 -p1
+%patch8 -p1
+%patch9 -p1
+%patch10 -p1
# Fedora patches
%patch101 -p1
@@ -140,10 +152,7 @@ done
%patch104 -p1
%patch106 -p1
%patch107 -p1
-
-# exclude test1112 from the test suite (#565305)
-%patch105 -p1
-rm -f tests/data/test1112
+%patch108 -p1
# replace hard wired port numbers in the test suite
%ifarch x86_64
@@ -207,13 +216,16 @@ DISABLED=
%install
rm -rf $RPM_BUILD_ROOT
-make DESTDIR=$RPM_BUILD_ROOT INSTALL="%{__install} -p" install
+make DESTDIR=$RPM_BUILD_ROOT INSTALL="install -p" install
rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
install -d $RPM_BUILD_ROOT%{_datadir}/aclocal
install -m 644 docs/libcurl/libcurl.m4 $RPM_BUILD_ROOT%{_datadir}/aclocal
+# drop man page for a script we do not distribute
+rm -f ${RPM_BUILD_ROOT}%{_mandir}/man1/mk-ca-bundle.1
+
# Make libcurl-devel multilib-ready (bug #488922)
%ifarch x86_64
%define _curlbuild_h curlbuild-64.h
@@ -258,6 +270,9 @@ rm -rf $RPM_BUILD_ROOT
%{_datadir}/aclocal/libcurl.m4
%changelog
+* Mon Oct 17 2011 Remi Collet <RPMS@FamilleCollet.com> - 7.27.0-7
+- sync with 7.27.0-7 from F18
+
* Mon Oct 17 2011 Remi Collet <RPMS@FamilleCollet.com> - 7.21.7-5.2
- dump release and build against libssh2 1.2.7