diff options
-rw-r--r-- | 0001-curl-7.21.7-a7864c4.patch | 453 | ||||
-rw-r--r-- | 0002-curl-7.21.7-5eb2396.patch | 30 | ||||
-rw-r--r-- | 0003-curl-7.21.7-5538904.patch | 131 | ||||
-rw-r--r-- | 0004-curl-7.21.7-d6f319f.patch | 118 | ||||
-rw-r--r-- | curl.spec | 39 |
5 files changed, 768 insertions, 3 deletions
diff --git a/0001-curl-7.21.7-a7864c4.patch b/0001-curl-7.21.7-a7864c4.patch new file mode 100644 index 0000000..477f1e1 --- /dev/null +++ b/0001-curl-7.21.7-a7864c4.patch @@ -0,0 +1,453 @@ +From fd86734fca0945b2d6b90d6d7d0224cf0732114a Mon Sep 17 00:00:00 2001 +From: Kamil Dudka <kdudka@redhat.com> +Date: Wed, 3 Aug 2011 12:48:49 +0200 +Subject: [PATCH 1/2] curl - rhbz #719939 + +--- + docs/libcurl/curl_easy_setopt.3 | 8 ++++++ + docs/libcurl/symbols-in-versions | 4 +++ + include/curl/curl.h | 7 +++++ + lib/Makefile.in | 18 +++++++++++--- + lib/Makefile.inc | 4 +- + lib/curl_gssapi.c | 44 ++++++++++++++++++++++++++++++++++++ + lib/curl_gssapi.h | 46 ++++++++++++++++++++++++++++++++++++++ + lib/http_negotiate.c | 6 ++++- + lib/krb5.c | 6 ++++- + lib/socks_gssapi.c | 7 ++++- + lib/url.c | 6 +++++ + lib/urldata.h | 3 ++ + 12 files changed, 149 insertions(+), 10 deletions(-) + create mode 100644 lib/curl_gssapi.c + create mode 100644 lib/curl_gssapi.h + +diff --git a/docs/libcurl/curl_easy_setopt.3 b/docs/libcurl/curl_easy_setopt.3 +index c2804f3..3b7826b 100644 +--- a/docs/libcurl/curl_easy_setopt.3 ++++ b/docs/libcurl/curl_easy_setopt.3 +@@ -2105,6 +2105,14 @@ of these, 'private' will be used. Set the string to NULL to disable kerberos + support for FTP. + + (This option was known as CURLOPT_KRB4LEVEL up to 7.16.3) ++.IP CURLOPT_GSSAPI_DELEGATION ++Set the parameter to CURLGSSAPI_DELEGATION_FLAG to allow unconditional GSSAPI ++credential delegation. The delegation is disabled by default since 7.21.7. ++Set the parameter to CURLGSSAPI_DELEGATION_POLICY_FLAG to delegate only if ++the OK-AS-DELEGATE flag is set in the service ticket in case this feature is ++supported by the GSSAPI implementation and the definition of ++GSS_C_DELEG_POLICY_FLAG was available at compile-time. ++(Added in 7.21.8) + .SH SSH OPTIONS + .IP CURLOPT_SSH_AUTH_TYPES + Pass a long set to a bitmask consisting of one or more of +diff --git a/docs/libcurl/symbols-in-versions b/docs/libcurl/symbols-in-versions +index 9257fb1..3c8f715 100644 +--- a/docs/libcurl/symbols-in-versions ++++ b/docs/libcurl/symbols-in-versions +@@ -186,6 +186,9 @@ CURLFTPSSL_TRY 7.11.0 7.17.0 + CURLFTP_CREATE_DIR 7.19.4 + CURLFTP_CREATE_DIR_NONE 7.19.4 + CURLFTP_CREATE_DIR_RETRY 7.19.4 ++CURLGSSAPI_DELEGATION_FLAG 7.21.8 ++CURLGSSAPI_DELEGATION_NONE 7.21.8 ++CURLGSSAPI_DELEGATION_POLICY_FLAG 7.21.8 + CURLINFO_APPCONNECT_TIME 7.19.0 + CURLINFO_CERTINFO 7.19.1 + CURLINFO_CONDITION_UNMET 7.19.4 +@@ -344,6 +347,7 @@ CURLOPT_FTP_SSL_CCC 7.16.1 + CURLOPT_FTP_USE_EPRT 7.10.5 + CURLOPT_FTP_USE_EPSV 7.9.2 + CURLOPT_FTP_USE_PRET 7.20.0 ++CURLOPT_GSSAPI_DELEGATION 7.21.8 + CURLOPT_HEADER 7.1 + CURLOPT_HEADERDATA 7.10 + CURLOPT_HEADERFUNCTION 7.7.2 +diff --git a/include/curl/curl.h b/include/curl/curl.h +index a9d42fa..bcbab86 100644 +--- a/include/curl/curl.h ++++ b/include/curl/curl.h +@@ -614,6 +614,10 @@ typedef enum { + #define CURLSSH_AUTH_KEYBOARD (1<<3) /* keyboard interactive */ + #define CURLSSH_AUTH_DEFAULT CURLSSH_AUTH_ANY + ++#define CURLGSSAPI_DELEGATION_NONE 0 /* no delegation (default) */ ++#define CURLGSSAPI_DELEGATION_POLICY_FLAG (1<<0) /* if permitted by policy */ ++#define CURLGSSAPI_DELEGATION_FLAG (1<<1) /* delegate always */ ++ + #define CURL_ERROR_SIZE 256 + + struct curl_khkey { +@@ -1483,6 +1487,9 @@ typedef enum { + CINIT(CLOSESOCKETFUNCTION, FUNCTIONPOINT, 208), + CINIT(CLOSESOCKETDATA, OBJECTPOINT, 209), + ++ /* allow GSSAPI credential delegation */ ++ CINIT(GSSAPI_DELEGATION, LONG, 210), ++ + CURLOPT_LASTENTRY /* the last unused */ + } CURLoption; + +diff --git a/lib/Makefile.in b/lib/Makefile.in +index a99f5e9..d5c65e7 100644 +--- a/lib/Makefile.in ++++ b/lib/Makefile.in +@@ -94,7 +94,7 @@ am__objects_1 = file.lo timeval.lo base64.lo hostip.lo progress.lo \ + curl_threads.lo warnless.lo hmac.lo polarssl.lo curl_rtmp.lo \ + openldap.lo curl_gethostname.lo gopher.lo axtls.lo \ + idn_win32.lo http_negotiate_sspi.lo cyassl.lo http_proxy.lo \ +- non-ascii.lo asyn-ares.lo asyn-thread.lo ++ non-ascii.lo asyn-ares.lo asyn-thread.lo curl_gssapi.lo + am__objects_2 = + am_libcurl_la_OBJECTS = $(am__objects_1) $(am__objects_2) + libcurl_la_OBJECTS = $(am_libcurl_la_OBJECTS) +@@ -144,7 +144,8 @@ am__objects_3 = libcurlu_la-file.lo libcurlu_la-timeval.lo \ + libcurlu_la-axtls.lo libcurlu_la-idn_win32.lo \ + libcurlu_la-http_negotiate_sspi.lo libcurlu_la-cyassl.lo \ + libcurlu_la-http_proxy.lo libcurlu_la-non-ascii.lo \ +- libcurlu_la-asyn-ares.lo libcurlu_la-asyn-thread.lo ++ libcurlu_la-asyn-ares.lo libcurlu_la-asyn-thread.lo \ ++ libcurlu_la-curl_gssapi.lo + am_libcurlu_la_OBJECTS = $(am__objects_3) $(am__objects_2) + libcurlu_la_OBJECTS = $(am_libcurlu_la_OBJECTS) + @BUILD_UNITTESTS_TRUE@am_libcurlu_la_rpath = +@@ -479,7 +480,7 @@ CSOURCES = file.c timeval.c base64.c hostip.c progress.c formdata.c \ + pingpong.c rtsp.c curl_threads.c warnless.c hmac.c polarssl.c \ + curl_rtmp.c openldap.c curl_gethostname.c gopher.c axtls.c \ + idn_win32.c http_negotiate_sspi.c cyassl.c http_proxy.c non-ascii.c \ +- asyn-ares.c asyn-thread.c ++ asyn-ares.c asyn-thread.c curl_gssapi.c + + HHEADERS = arpa_telnet.h netrc.h file.h timeval.h qssl.h hostip.h \ + progress.h formdata.h cookie.h http.h sendf.h ftp.h url.h dict.h \ +@@ -494,7 +495,7 @@ HHEADERS = arpa_telnet.h netrc.h file.h timeval.h qssl.h hostip.h \ + curl_base64.h rawstr.h curl_addrinfo.h curl_sspi.h slist.h nonblock.h \ + curl_memrchr.h imap.h pop3.h smtp.h pingpong.h rtsp.h curl_threads.h \ + warnless.h curl_hmac.h polarssl.h curl_rtmp.h curl_gethostname.h \ +- gopher.h axtls.h cyassl.h http_proxy.h non-ascii.h asyn.h ++ gopher.h axtls.h cyassl.h http_proxy.h non-ascii.h asyn.h curl_gssapi.h + + + # Makefile.inc provides the CSOURCES and HHEADERS defines +@@ -612,6 +613,7 @@ distclean-compile: + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/curl_addrinfo.Plo@am__quote@ + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/curl_fnmatch.Plo@am__quote@ + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/curl_gethostname.Plo@am__quote@ ++@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/curl_gssapi.Plo@am__quote@ + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/curl_memrchr.Plo@am__quote@ + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/curl_rand.Plo@am__quote@ + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/curl_rtmp.Plo@am__quote@ +@@ -662,6 +664,7 @@ distclean-compile: + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libcurlu_la-curl_addrinfo.Plo@am__quote@ + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libcurlu_la-curl_fnmatch.Plo@am__quote@ + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libcurlu_la-curl_gethostname.Plo@am__quote@ ++@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libcurlu_la-curl_gssapi.Plo@am__quote@ + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libcurlu_la-curl_memrchr.Plo@am__quote@ + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libcurlu_la-curl_rand.Plo@am__quote@ + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/libcurlu_la-curl_rtmp.Plo@am__quote@ +@@ -1488,6 +1491,13 @@ libcurlu_la-asyn-thread.lo: asyn-thread.c + @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ + @am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcurlu_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libcurlu_la-asyn-thread.lo `test -f 'asyn-thread.c' || echo '$(srcdir)/'`asyn-thread.c + ++libcurlu_la-curl_gssapi.lo: curl_gssapi.c ++@am__fastdepCC_TRUE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcurlu_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT libcurlu_la-curl_gssapi.lo -MD -MP -MF $(DEPDIR)/libcurlu_la-curl_gssapi.Tpo -c -o libcurlu_la-curl_gssapi.lo `test -f 'curl_gssapi.c' || echo '$(srcdir)/'`curl_gssapi.c ++@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/libcurlu_la-curl_gssapi.Tpo $(DEPDIR)/libcurlu_la-curl_gssapi.Plo ++@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='curl_gssapi.c' object='libcurlu_la-curl_gssapi.lo' libtool=yes @AMDEPBACKSLASH@ ++@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ ++@am__fastdepCC_FALSE@ $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libcurlu_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o libcurlu_la-curl_gssapi.lo `test -f 'curl_gssapi.c' || echo '$(srcdir)/'`curl_gssapi.c ++ + mostlyclean-libtool: + -rm -f *.lo + +diff --git a/lib/Makefile.inc b/lib/Makefile.inc +index 04285b5..51fc919 100644 +--- a/lib/Makefile.inc ++++ b/lib/Makefile.inc +@@ -22,7 +22,7 @@ CSOURCES = file.c timeval.c base64.c hostip.c progress.c formdata.c \ + pingpong.c rtsp.c curl_threads.c warnless.c hmac.c polarssl.c \ + curl_rtmp.c openldap.c curl_gethostname.c gopher.c axtls.c \ + idn_win32.c http_negotiate_sspi.c cyassl.c http_proxy.c non-ascii.c \ +- asyn-ares.c asyn-thread.c ++ asyn-ares.c asyn-thread.c curl_gssapi.c + + HHEADERS = arpa_telnet.h netrc.h file.h timeval.h qssl.h hostip.h \ + progress.h formdata.h cookie.h http.h sendf.h ftp.h url.h dict.h \ +@@ -37,4 +37,4 @@ HHEADERS = arpa_telnet.h netrc.h file.h timeval.h qssl.h hostip.h \ + curl_base64.h rawstr.h curl_addrinfo.h curl_sspi.h slist.h nonblock.h \ + curl_memrchr.h imap.h pop3.h smtp.h pingpong.h rtsp.h curl_threads.h \ + warnless.h curl_hmac.h polarssl.h curl_rtmp.h curl_gethostname.h \ +- gopher.h axtls.h cyassl.h http_proxy.h non-ascii.h asyn.h ++ gopher.h axtls.h cyassl.h http_proxy.h non-ascii.h asyn.h curl_gssapi.h +diff --git a/lib/curl_gssapi.c b/lib/curl_gssapi.c +new file mode 100644 +index 0000000..e55c9cc +--- /dev/null ++++ b/lib/curl_gssapi.c +@@ -0,0 +1,44 @@ ++/*************************************************************************** ++ * _ _ ____ _ ++ * Project ___| | | | _ \| | ++ * / __| | | | |_) | | ++ * | (__| |_| | _ <| |___ ++ * \___|\___/|_| \_\_____| ++ * ++ * Copyright (C) 2011, Daniel Stenberg, <daniel@haxx.se>, et al. ++ * ++ * This software is licensed as described in the file COPYING, which ++ * you should have received as part of this distribution. The terms ++ * are also available at http://curl.haxx.se/docs/copyright.html. ++ * ++ * You may opt to use, copy, modify, merge, publish, distribute and/or sell ++ * copies of the Software, and permit persons to whom the Software is ++ * furnished to do so, under the terms of the COPYING file. ++ * ++ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY ++ * KIND, either express or implied. ++ * ++ ***************************************************************************/ ++ ++#include "setup.h" ++ ++#ifdef HAVE_GSSAPI ++ ++#include "curl_gssapi.h" ++ ++void Curl_gss_req_flags(OM_uint32 *req_flags, const struct SessionHandle *data) ++{ ++ if(data->set.gssapi_delegation & CURLGSSAPI_DELEGATION_POLICY_FLAG) { ++#ifdef GSS_C_DELEG_POLICY_FLAG ++ *req_flags |= GSS_C_DELEG_POLICY_FLAG; ++#else ++ infof(data, "warning: support for CURLGSSAPI_DELEGATION_POLICY_FLAG not " ++ "compiled in\n"); ++#endif ++ } ++ ++ if(data->set.gssapi_delegation & CURLGSSAPI_DELEGATION_FLAG) ++ *req_flags |= GSS_C_DELEG_FLAG; ++} ++ ++#endif /* HAVE_GSSAPI */ +diff --git a/lib/curl_gssapi.h b/lib/curl_gssapi.h +new file mode 100644 +index 0000000..02aa527 +--- /dev/null ++++ b/lib/curl_gssapi.h +@@ -0,0 +1,46 @@ ++#ifndef HEADER_CURL_GSSAPI_H ++#define HEADER_CURL_GSSAPI_H ++/*************************************************************************** ++ * _ _ ____ _ ++ * Project ___| | | | _ \| | ++ * / __| | | | |_) | | ++ * | (__| |_| | _ <| |___ ++ * \___|\___/|_| \_\_____| ++ * ++ * Copyright (C) 2011, Daniel Stenberg, <daniel@haxx.se>, et al. ++ * ++ * This software is licensed as described in the file COPYING, which ++ * you should have received as part of this distribution. The terms ++ * are also available at http://curl.haxx.se/docs/copyright.html. ++ * ++ * You may opt to use, copy, modify, merge, publish, distribute and/or sell ++ * copies of the Software, and permit persons to whom the Software is ++ * furnished to do so, under the terms of the COPYING file. ++ * ++ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY ++ * KIND, either express or implied. ++ * ++ ***************************************************************************/ ++ ++#include "setup.h" ++#include "urldata.h" ++ ++#ifdef HAVE_GSSAPI ++ ++#ifdef HAVE_GSSGNU ++# include <gss.h> ++#elif defined HAVE_GSSMIT ++ /* MIT style */ ++# include <gssapi/gssapi.h> ++# include <gssapi/gssapi_generic.h> ++# include <gssapi/gssapi_krb5.h> ++#else ++ /* Heimdal-style */ ++# include <gssapi.h> ++#endif ++ ++void Curl_gss_req_flags(OM_uint32 *req_flags, const struct SessionHandle *data); ++ ++#endif /* HAVE_GSSAPI */ ++ ++#endif /* HEADER_CURL_GSSAPI_H */ +diff --git a/lib/http_negotiate.c b/lib/http_negotiate.c +index 5127e64..8cb69fe 100644 +--- a/lib/http_negotiate.c ++++ b/lib/http_negotiate.c +@@ -40,6 +40,7 @@ + #include "curl_base64.h" + #include "http_negotiate.h" + #include "curl_memory.h" ++#include "curl_gssapi.h" + + #ifdef HAVE_SPNEGO + # include <spnegohelp.h> +@@ -144,6 +145,9 @@ int Curl_input_negotiate(struct connectdata *conn, bool proxy, + bool gss; + const char* protocol; + ++ OM_uint32 req_flags = 0; ++ Curl_gss_req_flags(&req_flags, conn->data); ++ + while(*header && ISSPACE(*header)) + header++; + if(checkprefix("GSS-Negotiate", header)) { +@@ -243,7 +247,7 @@ int Curl_input_negotiate(struct connectdata *conn, bool proxy, + &neg_ctx->context, + neg_ctx->server_name, + GSS_C_NO_OID, +- 0, ++ req_flags, + 0, + GSS_C_NO_CHANNEL_BINDINGS, + &input_token, +diff --git a/lib/krb5.c b/lib/krb5.c +index f128d51..08f70f9 100644 +--- a/lib/krb5.c ++++ b/lib/krb5.c +@@ -65,6 +65,7 @@ + #include "sendf.h" + #include "krb4.h" + #include "curl_memory.h" ++#include "curl_gssapi.h" + + #define _MPRINTF_REPLACE /* use our functions only */ + #include <curl/mprintf.h> +@@ -185,6 +186,9 @@ krb5_auth(void *app_data, struct connectdata *conn) + gss_ctx_id_t *context = app_data; + struct gss_channel_bindings_struct chan; + ++ OM_uint32 req_flags = GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG; ++ Curl_gss_req_flags(&req_flags, data); ++ + if(getsockname(conn->sock[FIRSTSOCKET], + (struct sockaddr *)LOCAL_ADDR, &l) < 0) + perror("getsockname()"); +@@ -247,7 +251,7 @@ krb5_auth(void *app_data, struct connectdata *conn) + context, + gssname, + GSS_C_NO_OID, +- GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG, ++ req_flags, + 0, + &chan, + gssresp, +diff --git a/lib/socks_gssapi.c b/lib/socks_gssapi.c +index 653306c..57048be 100644 +--- a/lib/socks_gssapi.c ++++ b/lib/socks_gssapi.c +@@ -43,6 +43,7 @@ + #include "timeval.h" + #include "socks.h" + #include "warnless.h" ++#include "curl_gssapi.h" + + #define _MPRINTF_REPLACE /* use our functions only */ + #include <curl/mprintf.h> +@@ -137,6 +138,9 @@ CURLcode Curl_SOCKS5_gssapi_negotiate(int sockindex, + unsigned char socksreq[4]; /* room for gssapi exchange header only */ + char *serviceptr = data->set.str[STRING_SOCKS5_GSSAPI_SERVICE]; + ++ OM_uint32 req_flags = GSS_C_MUTUAL_FLAG | GSS_C_REPLAY_FLAG; ++ Curl_gss_req_flags(&req_flags, data); ++ + /* get timeout */ + timeout = Curl_timeleft(data, NULL, TRUE); + +@@ -187,8 +191,7 @@ CURLcode Curl_SOCKS5_gssapi_negotiate(int sockindex, + GSS_C_NO_CREDENTIAL, + &gss_context, server, + GSS_C_NULL_OID, +- GSS_C_MUTUAL_FLAG | +- GSS_C_REPLAY_FLAG, ++ req_flags, + 0, + NULL, + gss_token, +diff --git a/lib/url.c b/lib/url.c +index c5b642f..39e04af 100644 +--- a/lib/url.c ++++ b/lib/url.c +@@ -1985,6 +1985,12 @@ CURLcode Curl_setopt(struct SessionHandle *data, CURLoption option, + va_arg(param, char *)); + data->set.krb = (bool)(NULL != data->set.str[STRING_KRB_LEVEL]); + break; ++ case CURLOPT_GSSAPI_DELEGATION: ++ /* ++ * GSSAPI credential delegation ++ */ ++ data->set.gssapi_delegation = va_arg(param, long); ++ break; + case CURLOPT_SSL_VERIFYPEER: + /* + * Enable peer SSL verifying. +diff --git a/lib/urldata.h b/lib/urldata.h +index d256968..d3cfec3 100644 +--- a/lib/urldata.h ++++ b/lib/urldata.h +@@ -1517,6 +1517,9 @@ struct UserDefined { + curl_fnmatch_callback fnmatch; /* callback to decide which file corresponds + to pattern (e.g. if WILDCARDMATCH is on) */ + void *fnmatch_data; ++ ++ long gssapi_delegation; /* GSSAPI credential delegation, see the ++ documentation of CURLOPT_GSSAPI_DELEGATION */ + }; + + struct Names { +-- +1.7.4.4 + + +From d4ea7258b1703497fd0c06e08369a6bd3e37d2e8 Mon Sep 17 00:00:00 2001 +From: Kamil Dudka <kdudka@redhat.com> +Date: Wed, 3 Aug 2011 18:00:07 +0200 +Subject: [PATCH 2/2] curl_gssapi: add a missing include of sendf.h + +... to avoid build failure when GSS_C_DELEG_POLICY_FLAG is not defined. + +Reported by: Paul Howarth +--- + lib/curl_gssapi.c | 3 ++- + lib/curl_gssapi.h | 2 +- + 2 files changed, 3 insertions(+), 2 deletions(-) + +diff --git a/lib/curl_gssapi.c b/lib/curl_gssapi.c +index e55c9cc..d1b1715 100644 +--- a/lib/curl_gssapi.c ++++ b/lib/curl_gssapi.c +@@ -25,8 +25,9 @@ + #ifdef HAVE_GSSAPI + + #include "curl_gssapi.h" ++#include "sendf.h" + +-void Curl_gss_req_flags(OM_uint32 *req_flags, const struct SessionHandle *data) ++void Curl_gss_req_flags(OM_uint32 *req_flags, struct SessionHandle *data) + { + if(data->set.gssapi_delegation & CURLGSSAPI_DELEGATION_POLICY_FLAG) { + #ifdef GSS_C_DELEG_POLICY_FLAG +diff --git a/lib/curl_gssapi.h b/lib/curl_gssapi.h +index 02aa527..c8ffefc 100644 +--- a/lib/curl_gssapi.h ++++ b/lib/curl_gssapi.h +@@ -39,7 +39,7 @@ + # include <gssapi.h> + #endif + +-void Curl_gss_req_flags(OM_uint32 *req_flags, const struct SessionHandle *data); ++void Curl_gss_req_flags(OM_uint32 *req_flags, struct SessionHandle *data); + + #endif /* HAVE_GSSAPI */ + +-- +1.7.4.4 + diff --git a/0002-curl-7.21.7-5eb2396.patch b/0002-curl-7.21.7-5eb2396.patch new file mode 100644 index 0000000..e104e3a --- /dev/null +++ b/0002-curl-7.21.7-5eb2396.patch @@ -0,0 +1,30 @@ +From 5eb2396cd15cbbf73b02ad6bbcc313167330c2b5 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg <daniel@haxx.se> +Date: Thu, 4 Aug 2011 23:22:48 +0200 +Subject: [PATCH] segfault fixed + +When using both -J and a single -O with multiple URLs, a missing init +could cause badness. + +Bug: http://curl.haxx.se/mail/lib-2011-07/0126.html and + http://bugzilla.redhat.com/723075 +Reported by: Paul Howarth and Garrett Holmstrom +--- + src/main.c | 1 + + 1 files changed, 1 insertions(+), 0 deletions(-) + +diff --git a/src/main.c b/src/main.c +index 6dcf333..eae45de 100644 +--- a/src/main.c ++++ b/src/main.c +@@ -4898,6 +4898,7 @@ operate(struct Configurable *config, int argc, argv_item_t argv[]) + outs.stream = stdout; + outs.config = config; + outs.bytes = 0; /* nothing written yet */ ++ outs.filename = NULL; + + /* save outfile pattern before expansion */ + if(urlnode->outfile) { +-- +1.7.4.4 + diff --git a/0003-curl-7.21.7-5538904.patch b/0003-curl-7.21.7-5538904.patch new file mode 100644 index 0000000..1374ad8 --- /dev/null +++ b/0003-curl-7.21.7-5538904.patch @@ -0,0 +1,131 @@ +From 9698db7fd56b08cc8f9bdeb2182bc9afdbcb4f90 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg <daniel@haxx.se> +Date: Fri, 12 Aug 2011 14:48:32 +0200 +Subject: [PATCH 1/2] added --delegation + +Using this option with an argument being set to one of +none/policy/always instructs libcurl how to deal with GSS +credentials. Or rather how it tells the server that delegation is fine +or not. + +Signed-off-by: Kamil Dudka <kdudka@redhat.com> +--- + src/main.c | 29 ++++++++++++++++++++++++++--- + 1 files changed, 26 insertions(+), 3 deletions(-) + +diff --git a/src/main.c b/src/main.c +index d85bf62..3a2595c 100644 +--- a/src/main.c ++++ b/src/main.c +@@ -659,6 +659,7 @@ struct Configurable { + basically each given URL to transfer */ + struct OutStruct *outs; + bool xattr; /* store metadata in extended attributes */ ++ long gssapi_delegation; + }; + + #define WARN_PREFIX "Warning: " +@@ -817,6 +818,7 @@ static void help(void) + " --data-binary <data> HTTP POST binary data (H)", + " --data-urlencode <name=data/name@filename> " + "HTTP POST data url encoded (H)", ++ " --delegation STRING GSS-API delegation permission", + " --digest Use HTTP Digest Authentication (H)", + " --disable-eprt Inhibit using EPRT or LPRT (F)", + " --disable-epsv Inhibit using EPSV (F)", +@@ -1823,6 +1825,18 @@ static int sockoptcallback(void *clientp, curl_socket_t curlfd, + return 0; + } + ++static long delegation(struct Configurable *config, ++ char *str) ++{ ++ if(curlx_raw_equal("none", str)) ++ return CURLGSSAPI_DELEGATION_NONE; ++ if(curlx_raw_equal("policy", str)) ++ return CURLGSSAPI_DELEGATION_POLICY_FLAG; ++ if(curlx_raw_equal("always", str)) ++ return CURLGSSAPI_DELEGATION_FLAG; ++ warnf(config, "unrecognized delegation method '%s', using none\n", str); ++ return CURLGSSAPI_DELEGATION_NONE; ++} + + static ParameterError getparameter(char *flag, /* f or -long-flag */ + char *nextarg, /* NULL if unset */ +@@ -1942,6 +1956,7 @@ static ParameterError getparameter(char *flag, /* f or -long-flag */ + {"$D", "proto", TRUE}, + {"$E", "proto-redir", TRUE}, + {"$F", "resolve", TRUE}, ++ {"$G", "delegation", TRUE}, + {"0", "http1.0", FALSE}, + {"1", "tlsv1", FALSE}, + {"2", "sslv2", FALSE}, +@@ -2516,6 +2531,9 @@ static ParameterError getparameter(char *flag, /* f or -long-flag */ + if(err) + return err; + break; ++ case 'G': /* --delegation LEVEL */ ++ config->gssapi_delegation = delegation(config, nextarg); ++ break; + } + break; + case '#': /* --progress-bar */ +@@ -5564,9 +5582,14 @@ operate(struct Configurable *config, int argc, argv_item_t argv[]) + /* new in 7.21.3 */ + my_setopt(curl, CURLOPT_RESOLVE, config->resolve); + +- /* TODO: new in ### */ +- curl_easy_setopt(curl, CURLOPT_TLSAUTH_USERNAME, config->tls_username); +- curl_easy_setopt(curl, CURLOPT_TLSAUTH_PASSWORD, config->tls_password); ++ /* new in 7.21.4 */ ++ my_setopt_str(curl, CURLOPT_TLSAUTH_USERNAME, config->tls_username); ++ my_setopt_str(curl, CURLOPT_TLSAUTH_PASSWORD, config->tls_password); ++ ++ /* new in 7.22.0 */ ++ if(config->gssapi_delegation) ++ my_setopt_str(curl, CURLOPT_GSSAPI_DELEGATION, ++ config->gssapi_delegation); + + retry_numretries = config->req_retry; + +-- +1.7.4.4 + + +From 8e404e1c3846cc98a1977514af5b0432ae2de755 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg <daniel@haxx.se> +Date: Fri, 12 Aug 2011 23:51:41 +0200 +Subject: [PATCH 2/2] docs: --delegation + + +Signed-off-by: Kamil Dudka <kdudka@redhat.com> +--- + docs/curl.1 | 12 ++++++++++++ + 1 files changed, 12 insertions(+), 0 deletions(-) + +diff --git a/docs/curl.1 b/docs/curl.1 +index 812b2eb..eee3481 100644 +--- a/docs/curl.1 ++++ b/docs/curl.1 +@@ -320,6 +320,18 @@ URL-encode that data and pass it on in the POST. The name part gets an equal + sign appended, resulting in \fIname=urlencoded-file-content\fP. Note that the + name is expected to be URL-encoded already. + .RE ++.IP "--delegation LEVEL" ++Set \fILEVEL\fP to tell the server what it is allowed to delegate when it ++comes to user credentials. Used with GSS/kerberos. ++.RS ++.IP "none" ++Don't allow any delegation. ++.IP "policy" ++Delegates if and only if the OK-AS-DELEGATE flag is set in the Kerberos ++service ticket, which is a matter of realm policy. ++.IP "always" ++Unconditionally allow the server to delegate. ++.RE + .IP "--digest" + (HTTP) Enables HTTP Digest authentication. This is a authentication that + prevents the password from being sent over the wire in clear text. Use this in +-- +1.7.4.4 + diff --git a/0004-curl-7.21.7-d6f319f.patch b/0004-curl-7.21.7-d6f319f.patch new file mode 100644 index 0000000..33f430d --- /dev/null +++ b/0004-curl-7.21.7-d6f319f.patch @@ -0,0 +1,118 @@ +From 857fed6e245a9620b0f25a2f4ca6d6dc01584674 Mon Sep 17 00:00:00 2001 +From: Kamil Dudka <kdudka@redhat.com> +Date: Mon, 15 Aug 2011 13:48:45 +0200 +Subject: [PATCH] nss: start with no database if the selected database is + broken + +Bug: https://bugzilla.redhat.com/728562 + +Signed-off-by: Kamil Dudka <kdudka@redhat.com> +--- + lib/nss.c | 63 +++++++++++++++++++++++++++++++++++++----------------------- + 1 files changed, 39 insertions(+), 24 deletions(-) + +diff --git a/lib/nss.c b/lib/nss.c +index 3dc0ba6..94a530b 100644 +--- a/lib/nss.c ++++ b/lib/nss.c +@@ -898,10 +898,42 @@ isTLSIntoleranceError(PRInt32 err) + } + } + +-static CURLcode init_nss(struct SessionHandle *data) ++static CURLcode nss_init_core(struct SessionHandle *data, const char *cert_dir) ++{ ++ if(NSS_IsInitialized()) ++ return CURLE_OK; ++ ++ if(cert_dir) { ++ SECStatus rv; ++ const bool use_sql = NSS_VersionCheck("3.12.0"); ++ char *certpath = aprintf("%s%s", use_sql ? "sql:" : "", cert_dir); ++ if(!certpath) ++ return CURLE_OUT_OF_MEMORY; ++ ++ infof(data, "Initializing NSS with certpath: %s\n", certpath); ++ rv = NSS_Initialize(certpath, "", "", "", NSS_INIT_READONLY); ++ free(certpath); ++ ++ if(rv == SECSuccess) ++ return CURLE_OK; ++ ++ infof(data, "Unable to initialize NSS database\n"); ++ } ++ ++ infof(data, "Initializing NSS with certpath: none\n"); ++ if(NSS_NoDB_Init(NULL) == SECSuccess) ++ return CURLE_OK; ++ ++ infof(data, "Unable to initialize NSS\n"); ++ return CURLE_SSL_CACERT_BADFILE; ++} ++ ++static CURLcode nss_init(struct SessionHandle *data) + { + char *cert_dir; + struct_stat st; ++ CURLcode rv; ++ + if(initialized) + return CURLE_OK; + +@@ -922,31 +954,14 @@ static CURLcode init_nss(struct SessionHandle *data) + } + } + +- if(!NSS_IsInitialized()) { +- SECStatus rv; +- initialized = 1; +- infof(data, "Initializing NSS with certpath: %s\n", +- cert_dir ? cert_dir : "none"); +- if(!cert_dir) { +- rv = NSS_NoDB_Init(NULL); +- } +- else { +- char *certpath = +- PR_smprintf("%s%s", NSS_VersionCheck("3.12.0") ? "sql:" : "", +- cert_dir); +- rv = NSS_Initialize(certpath, "", "", "", NSS_INIT_READONLY); +- PR_smprintf_free(certpath); +- } +- if(rv != SECSuccess) { +- infof(data, "Unable to initialize NSS database\n"); +- initialized = 0; +- return CURLE_SSL_CACERT_BADFILE; +- } +- } ++ rv = nss_init_core(data, cert_dir); ++ if(rv) ++ return rv; + + if(num_enabled_ciphers() == 0) + NSS_SetDomesticPolicy(); + ++ initialized = 1; + return CURLE_OK; + } + +@@ -981,7 +996,7 @@ CURLcode Curl_nss_force_init(struct SessionHandle *data) + } + + PR_Lock(nss_initlock); +- rv = init_nss(data); ++ rv = nss_init(data); + PR_Unlock(nss_initlock); + return rv; + } +@@ -1184,7 +1199,7 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex) + + /* FIXME. NSS doesn't support multiple databases open at the same time. */ + PR_Lock(nss_initlock); +- curlerr = init_nss(conn->data); ++ curlerr = nss_init(conn->data); + if(CURLE_OK != curlerr) { + PR_Unlock(nss_initlock); + goto error; +-- +1.7.4.4 + @@ -1,13 +1,25 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.21.7 -Release: 1%{?dist} +Release: 3%{?dist} License: MIT Group: Applications/Internet Source: http://curl.haxx.se/download/%{name}-%{version}.tar.bz2 Source2: curlbuild.h Source3: hide_selinux.c +# add a new option CURLOPT_GSSAPI_DELEGATION (#719939) +Patch1: 0001-curl-7.21.7-a7864c4.patch + +# fix SIGSEGV of curl -O -J given more than one URLs (#723075) +Patch2: 0002-curl-7.21.7-5eb2396.patch + +# introduce the --delegation option of curl (#730444) +Patch3: 0003-curl-7.21.7-5538904.patch + +# initialize NSS with no database if the selected database is broken (#728562) +Patch4: 0004-curl-7.21.7-d6f319f.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.21.1-multilib.patch @@ -112,6 +124,12 @@ for f in CHANGES README; do mv -f ${f}.utf8 ${f} done +# upstream patches (already applied) +%patch1 -p1 +%patch2 -p1 +%patch3 -p1 +%patch4 -p1 + # Fedora patches %patch101 -p1 %patch102 -p1 @@ -170,12 +188,15 @@ gcc -o hide_selinux.so -fPIC -shared %{SOURCE3} LD_PRELOAD="`readlink -f ./hide_selinux.so`:$LD_PRELOAD" export LD_PRELOAD +# test 310, 311, 312 requires libnsspem.so not provides in latest nss for EL-5 +DISABLED="!310 !311 !312" + # use different port range for 32bit and 64bit build, thus make it possible # to run both in parallel on the same machine %ifarch x86_64 -./runtests.pl -a -b6490 -p -v +./runtests.pl -a -b6490 -p -v $DISABLED %else -./runtests.pl -a -b3290 -p -v +./runtests.pl -a -b3290 -p -v $DISABLED %endif @@ -233,6 +254,18 @@ rm -rf $RPM_BUILD_ROOT %{_datadir}/aclocal/libcurl.m4 %changelog +* Tue Aug 16 2011 Remi Collet <RPMS@FamilleCollet.com> - 7.21.7-3 +- sync with rawhide +- disable tests which requires libnsspem.so (not available in EL-5) + +* Mon Aug 15 2011 Kamil Dudka <kdudka@redhat.com> 7.21.7-3 +- fix SIGSEGV of curl -O -J given more than one URLs (#723075) +- introduce the --delegation option of curl (#730444) +- initialize NSS with no database if the selected database is broken (#728562) + +* Wed Aug 03 2011 Kamil Dudka <kdudka@redhat.com> 7.21.7-2 +- add a new option CURLOPT_GSSAPI_DELEGATION (#719939) + * Sun Jul 24 2011 Remi Collet <RPMS@FamilleCollet.com> - 7.21.7-1 - rebuild for remi repo with libcurl4 sub-packages |