From 01d72d81f7e86f9433a81792cd61038506fe0048 Mon Sep 17 00:00:00 2001 
From: Remi Collet Date: Sat, 20 Dec 2014 09:04:54 +0100 Subject: curl: sync with 7.29.0-19 from RHEL-7 (for EL-5) --- .gitignore | 1 + 0001-curl-7.27.0-1f8518c5.patch | 34 -- 0001-curl-7.29.0-da3fc1ee.patch | 321 +++++++++++ 0002-curl-7.27.0-f05e5136.patch | 197 ------- 0002-curl-7.29.0-9d0af301.patch | 47 ++ 0003-curl-7.27.0-382429e7.patch | 32 -- 0003-curl-7.29.0-491e026c.patch | 39 ++ 0004-curl-7.27.0-52b6eda4.patch | 115 ---- 0004-curl-7.29.0-57ccdfa8.patch | 143 +++++ 0005-curl-7.27.0-f208bf5a.patch | 190 ------- 0005-curl-7.29.0-2eb8dcf2.patch | 295 ++++++++++ 0006-curl-7.27.0-68d2830e.patch | 68 --- 0006-curl-7.29.0-25e577b3.patch | 86 +++ 0007-curl-7.27.0-b36f1d26.patch | 55 -- 0007-curl-7.29.0-b37b5233.patch | 35 ++ 0008-curl-7.27.0-26613d78.patch | 30 - 0008-curl-7.29.0-192c4f78.patch | 43 ++ 0009-curl-7.27.0-f206d6c0.patch | 69 --- 0009-curl-7.29.0-3a0e931f.patch | 101 ++++ 0010-curl-7.27.0-57ccdfa8.patch | 158 ------ 0010-curl-7.29.0-7cc00d9a.patch | 395 ++++++++++++++ 0011-curl-7.27.0-2eb8dcf2.patch | 295 ---------- 0011-curl-7.29.0-0feeab78.patch | 74 +++ 0012-curl-7.27.0-25e577b3.patch | 86 --- 0012-curl-7.29.0-c639d725.patch | 519 ++++++++++++++++++ 0013-curl-7.27.0-b37b5233.patch | 35 -- 0013-curl-7.29.0-665c160f.patch | 86 +++ 0014-curl-7.27.0-9d0af301.patch | 95 ---- 0014-curl-7.29.0-8ae35102.patch | 42 ++ 0015-curl-7.27.0-192c4f78.patch | 43 -- 0015-curl-7.29.0-7fc9325a.patch | 1090 +++++++++++++++++++++++++++++++++++++ 0016-curl-7.29.0-1cf71bd7.patch | 27 + 0017-curl-7.29.0-ffb8a21d.patch | 36 ++ 0018-curl-7.29.0-03c28820.patch | 67 +++ 0018-curl-7.29.0-517b06d6.patch | 68 +++ 0101-curl-7.27.0-multilib.patch | 72 --- 0101-curl-7.29.0-multilib.patch | 72 +++ 0102-curl-7.27.0-debug.patch | 58 -- 0102-curl-7.29.0-debug.patch | 65 +++ 0105-curl-7.32.0-scp-upload.patch | 42 ++ 0108-curl-7.27.0-utf8.patch | 86 --- 0108-curl-7.29.0-utf8.patch | 39 ++ 0201-curl-7.29.0-openssl.patch | 31 ++ curl.spec | 155 +++--- 44 files changed, 3856 insertions(+), 
1781 deletions(-) create mode 100644 .gitignore delete mode 100644 0001-curl-7.27.0-1f8518c5.patch create mode 100644 0001-curl-7.29.0-da3fc1ee.patch delete mode 100644 0002-curl-7.27.0-f05e5136.patch create mode 100644 0002-curl-7.29.0-9d0af301.patch delete mode 100644 0003-curl-7.27.0-382429e7.patch create mode 100644 0003-curl-7.29.0-491e026c.patch delete mode 100644 0004-curl-7.27.0-52b6eda4.patch create mode 100644 0004-curl-7.29.0-57ccdfa8.patch delete mode 100644 0005-curl-7.27.0-f208bf5a.patch create mode 100644 0005-curl-7.29.0-2eb8dcf2.patch delete mode 100644 0006-curl-7.27.0-68d2830e.patch create mode 100644 0006-curl-7.29.0-25e577b3.patch delete mode 100644 0007-curl-7.27.0-b36f1d26.patch create mode 100644 0007-curl-7.29.0-b37b5233.patch delete mode 100644 0008-curl-7.27.0-26613d78.patch create mode 100644 0008-curl-7.29.0-192c4f78.patch delete mode 100644 0009-curl-7.27.0-f206d6c0.patch create mode 100644 0009-curl-7.29.0-3a0e931f.patch delete mode 100644 0010-curl-7.27.0-57ccdfa8.patch create mode 100644 0010-curl-7.29.0-7cc00d9a.patch delete mode 100644 0011-curl-7.27.0-2eb8dcf2.patch create mode 100644 0011-curl-7.29.0-0feeab78.patch delete mode 100644 0012-curl-7.27.0-25e577b3.patch create mode 100644 0012-curl-7.29.0-c639d725.patch delete mode 100644 0013-curl-7.27.0-b37b5233.patch create mode 100644 0013-curl-7.29.0-665c160f.patch delete mode 100644 0014-curl-7.27.0-9d0af301.patch create mode 100644 0014-curl-7.29.0-8ae35102.patch delete mode 100644 0015-curl-7.27.0-192c4f78.patch create mode 100644 0015-curl-7.29.0-7fc9325a.patch create mode 100644 0016-curl-7.29.0-1cf71bd7.patch create mode 100644 0017-curl-7.29.0-ffb8a21d.patch create mode 100644 0018-curl-7.29.0-03c28820.patch create mode 100644 0018-curl-7.29.0-517b06d6.patch delete mode 100644 0101-curl-7.27.0-multilib.patch create mode 100644 0101-curl-7.29.0-multilib.patch delete mode 100644 0102-curl-7.27.0-debug.patch create mode 100644 0102-curl-7.29.0-debug.patch create mode 100644 
0105-curl-7.32.0-scp-upload.patch delete mode 100644 0108-curl-7.27.0-utf8.patch create mode 100644 0108-curl-7.29.0-utf8.patch create mode 100644 0201-curl-7.29.0-openssl.patch
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..ec30f2a
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+curl-7.*.tar.lzma
diff --git a/0001-curl-7.27.0-1f8518c5.patch b/0001-curl-7.27.0-1f8518c5.patch
deleted file mode 100644
index 02e2e6e..0000000
--- a/0001-curl-7.27.0-1f8518c5.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-From e693b8e6591366ef2c077ba90fe0315a8a0b00c5 Mon Sep 17 00:00:00 2001
-From: Kamil Dudka
-Date: Mon, 30 Jul 2012 14:20:07 +0200
-Subject: [PATCH] file: use fdopen() for uploaded files if available
-
-It eliminates noisy events when using inotify and fixes a TOCTOU issue.
-
-Bug: https://bugzilla.redhat.com/844385
-
-[upstream commit 1f8518c5d9aaa369dae85620973f9b5c1add3277]
----
- lib/file.c | 4 ++++
- 1 files changed, 4 insertions(+), 0 deletions(-)
-
-diff --git a/lib/file.c b/lib/file.c
-index 4447c73..1025022 100644
---- a/lib/file.c
-+++ b/lib/file.c
-@@ -351,8 +351,12 @@ static CURLcode file_upload(struct connectdata *conn)
- failf(data, "Can't open %s for writing", file->path);
- return CURLE_WRITE_ERROR;
- }
-+#ifdef HAVE_FDOPEN
-+ fp = fdopen(fd, "wb");
-+#else
- close(fd);
- fp = fopen(file->path, "wb");
-+#endif
- }
-
- if(!fp) {
---
-1.7.1
-
diff --git a/0001-curl-7.29.0-da3fc1ee.patch b/0001-curl-7.29.0-da3fc1ee.patch
new file mode 100644
index 0000000..bebcb95
--- /dev/null
+++ b/0001-curl-7.29.0-da3fc1ee.patch
@@ -0,0 +1,321 @@
+From 48b69def52771149ed19189284b8c6d1ba667ef7 Mon Sep 17 00:00:00 2001
+From: Linus Nielsen Feltzing
+Date: Sun, 10 Feb 2013 22:57:58 +0100
+Subject: [PATCH] Fix NULL pointer reference when closing an unused multi handle.
+
+[upstream commit da3fc1ee91de656a30f3a12de394bcba55119872]
+
+Signed-off-by: Kamil Dudka
+---
+ lib/multi.c | 8 +++--
+ tests/data/Makefile.am | 2 +-
+ tests/data/Makefile.in | 2 +-
+ tests/data/test1508 | 31 +++++++++++++++++
+ tests/libtest/Makefile.in | 79 ++++++++++++++++++++++++++++++++++++++++++--
+ tests/libtest/Makefile.inc | 6 +++-
+ tests/libtest/lib1508.c | 49 +++++++++++++++++++++++++++
+ 7 files changed, 168 insertions(+), 9 deletions(-)
+ create mode 100644 tests/data/test1508
+ create mode 100644 tests/libtest/lib1508.c
+
+diff --git a/lib/multi.c b/lib/multi.c
+index fa0afb9..706df23 100644
+--- a/lib/multi.c
++++ b/lib/multi.c
+@@ -1773,10 +1773,12 @@ CURLMcode curl_multi_cleanup(CURLM *multi_handle)
+ /* Close all the connections in the connection cache */
+ close_all_connections(multi);
+
+- multi->closure_handle->dns.hostcache = multi->hostcache;
+- Curl_hostcache_clean(multi->closure_handle);
++ if(multi->closure_handle) {
++ multi->closure_handle->dns.hostcache = multi->hostcache;
++ Curl_hostcache_clean(multi->closure_handle);
+
+- Curl_close(multi->closure_handle);
++ Curl_close(multi->closure_handle);
++ }
+ multi->closure_handle = NULL;
+
+ Curl_hash_destroy(multi->sockhash);
+diff --git a/tests/data/Makefile.am b/tests/data/Makefile.am
+index d82534d..9f569a3 100644
+--- a/tests/data/Makefile.am
++++ b/tests/data/Makefile.am
+@@ -93,7 +93,7 @@ test1379 test1380 test1381 test1382 test1383 test1384 test1385 test1386 \
+ test1387 test1388 test1389 test1390 test1391 test1392 test1393 \
+ test1400 test1401 test1402 test1403 test1404 test1405 test1406 test1407 \
+ test1408 test1409 test1410 test1411 test1412 test1413 \
+-test1500 test1501 test1502 test1503 test1504 test1505 test1506 \
++test1500 test1501 
test1502 test1503 test1504 test1505 test1506 test1508 \ + test2000 test2001 test2002 test2003 test2004 test2005 test2006 test2007 \ + test2008 test2009 test2010 test2011 test2012 test2013 test2014 test2015 \ + test2016 test2017 test2018 test2019 test2020 test2021 test2022 \ +diff --git a/tests/data/Makefile.in b/tests/data/Makefile.in +index df52421..d5b0918 100644 +--- a/tests/data/Makefile.in ++++ b/tests/data/Makefile.in +@@ -357,7 +357,7 @@ test1379 test1380 test1381 test1382 test1383 test1384 test1385 test1386 \ + test1387 test1388 test1389 test1390 test1391 test1392 test1393 \ + test1400 test1401 test1402 test1403 test1404 test1405 test1406 test1407 \ + test1408 test1409 test1410 test1411 test1412 test1413 \ +-test1500 test1501 test1502 test1503 test1504 test1505 test1506 \ ++test1500 test1501 test1502 test1503 test1504 test1505 test1506 test1508 \ + test2000 test2001 test2002 test2003 test2004 test2005 test2006 test2007 \ + test2008 test2009 test2010 test2011 test2012 test2013 test2014 test2015 \ + test2016 test2017 test2018 test2019 test2020 test2021 test2022 \ +diff --git a/tests/data/test1508 b/tests/data/test1508 +new file mode 100644 +index 0000000..f8607e5 +--- /dev/null ++++ b/tests/data/test1508 +@@ -0,0 +1,31 @@ ++ ++ ++ ++HTTP ++multi ++ ++ ++ ++# Client-side ++ ++ ++none ++ ++ ++lib1508 ++ ++ ++Close a multi handle without using it ++ ++ ++http://%HOSTIP:%HTTPPORT/path/1508 ++ ++ ++ ++# Verify data after the test has been "shot" ++ ++ ++We are done ++ ++ ++ +diff --git a/tests/libtest/Makefile.in b/tests/libtest/Makefile.in +index 406b457..7683c09 100644 +--- a/tests/libtest/Makefile.in ++++ b/tests/libtest/Makefile.in +@@ -85,7 +85,7 @@ noinst_PROGRAMS = chkhostname$(EXEEXT) libauthretry$(EXEEXT) \ + lib591$(EXEEXT) lib597$(EXEEXT) lib598$(EXEEXT) \ + lib599$(EXEEXT) lib1500$(EXEEXT) lib1501$(EXEEXT) \ + lib1502$(EXEEXT) lib1503$(EXEEXT) lib1504$(EXEEXT) \ +- lib1505$(EXEEXT) lib1506$(EXEEXT) ++ lib1505$(EXEEXT) lib1506$(EXEEXT) lib1508$(EXEEXT) 
+ subdir = tests/libtest + ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 + am__aclocal_m4_deps = $(top_srcdir)/m4/curl-compilers.m4 \ +@@ -173,6 +173,13 @@ am_lib1506_OBJECTS = lib1506-lib1506.$(OBJEXT) $(am__objects_18) \ + $(am__objects_19) $(am__objects_20) + lib1506_OBJECTS = $(am_lib1506_OBJECTS) + lib1506_DEPENDENCIES = $(am__DEPENDENCIES_1) ++am__objects_151 = lib1508-first.$(OBJEXT) ++am__objects_152 = lib1508-testutil.$(OBJEXT) ++am__objects_153 = lib1508-warnless.$(OBJEXT) ++am_lib1508_OBJECTS = lib1508-lib1508.$(OBJEXT) $(am__objects_151) \ ++ $(am__objects_152) $(am__objects_153) ++lib1508_OBJECTS = $(am_lib1508_OBJECTS) ++lib1508_DEPENDENCIES = $(am__DEPENDENCIES_1) + am__objects_21 = lib500-first.$(OBJEXT) + am__objects_22 = lib500-testutil.$(OBJEXT) + am__objects_23 = lib500-testtrace.$(OBJEXT) +@@ -632,7 +639,7 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + SOURCES = $(libhostname_la_SOURCES) $(chkhostname_SOURCES) \ + $(lib1500_SOURCES) $(lib1501_SOURCES) $(lib1502_SOURCES) \ + $(lib1503_SOURCES) $(lib1504_SOURCES) $(lib1505_SOURCES) \ +- $(lib1506_SOURCES) $(lib500_SOURCES) $(lib501_SOURCES) \ ++ $(lib1506_SOURCES) $(lib1508_SOURCES) $(lib500_SOURCES) $(lib501_SOURCES) \ + $(lib502_SOURCES) $(lib503_SOURCES) $(lib504_SOURCES) \ + $(lib505_SOURCES) $(lib506_SOURCES) $(lib507_SOURCES) \ + $(lib508_SOURCES) $(lib510_SOURCES) $(lib511_SOURCES) \ +@@ -662,7 +669,7 @@ SOURCES = $(libhostname_la_SOURCES) $(chkhostname_SOURCES) \ + DIST_SOURCES = $(libhostname_la_SOURCES) $(chkhostname_SOURCES) \ + $(lib1500_SOURCES) $(lib1501_SOURCES) $(lib1502_SOURCES) \ + $(lib1503_SOURCES) $(lib1504_SOURCES) $(lib1505_SOURCES) \ +- $(lib1506_SOURCES) $(lib500_SOURCES) $(lib501_SOURCES) \ ++ $(lib1506_SOURCES) $(lib1508_SOURCES) $(lib500_SOURCES) $(lib501_SOURCES) \ + $(lib502_SOURCES) $(lib503_SOURCES) $(lib504_SOURCES) \ + $(lib505_SOURCES) $(lib506_SOURCES) $(lib507_SOURCES) \ + $(lib508_SOURCES) $(lib510_SOURCES) $(lib511_SOURCES) \ +@@ -1155,6 
+1162,9 @@ lib1505_CPPFLAGS = $(AM_CPPFLAGS) -DLIB1505 + lib1506_SOURCES = lib1506.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS) + lib1506_LDADD = $(TESTUTIL_LIBS) + lib1506_CPPFLAGS = $(AM_CPPFLAGS) -DLIB1506 ++lib1508_SOURCES = lib1508.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS) ++lib1508_LDADD = $(TESTUTIL_LIBS) ++lib1508_CPPFLAGS = $(AM_CPPFLAGS) -DLIB1508 + @BUILD_LIBHOSTNAME_FALSE@noinst_LTLIBRARIES = + + # Makefile.inc provides the source defines (TESTUTIL, SUPPORTFILES, +@@ -1253,6 +1263,9 @@ lib1505$(EXEEXT): $(lib1505_OBJECTS) $(lib1505_DEPENDENCIES) $(EXTRA_lib1505_DEP + lib1506$(EXEEXT): $(lib1506_OBJECTS) $(lib1506_DEPENDENCIES) $(EXTRA_lib1506_DEPENDENCIES) + @rm -f lib1506$(EXEEXT) + $(LINK) $(lib1506_OBJECTS) $(lib1506_LDADD) $(LIBS) ++lib1508$(EXEEXT): $(lib1508_OBJECTS) $(lib1508_DEPENDENCIES) $(EXTRA_lib1508_DEPENDENCIES) ++ @rm -f lib1508$(EXEEXT) ++ $(LINK) $(lib1508_OBJECTS) $(lib1508_LDADD) $(LIBS) + lib500$(EXEEXT): $(lib500_OBJECTS) $(lib500_DEPENDENCIES) $(EXTRA_lib500_DEPENDENCIES) + @rm -f lib500$(EXEEXT) + $(LINK) $(lib500_OBJECTS) $(lib500_LDADD) $(LIBS) +@@ -1520,6 +1533,10 @@ distclean-compile: + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/lib1506-lib1506.Po@am__quote@ + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/lib1506-testutil.Po@am__quote@ + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/lib1506-warnless.Po@am__quote@ ++@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/lib1508-first.Po@am__quote@ ++@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/lib1508-lib1508.Po@am__quote@ ++@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/lib1508-testutil.Po@am__quote@ ++@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/lib1508-warnless.Po@am__quote@ + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/lib500-first.Po@am__quote@ + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/lib500-lib500.Po@am__quote@ + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/lib500-testtrace.Po@am__quote@ +@@ -2163,6 +2180,62 @@ lib1506-warnless.obj: 
../../lib/warnless.c + @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ + @am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(lib1506_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o lib1506-warnless.obj `if test -f '../../lib/warnless.c'; then $(CYGPATH_W) '../../lib/warnless.c'; else $(CYGPATH_W) '$(srcdir)/../../lib/warnless.c'; fi` + ++lib1508-lib1508.o: lib1508.c ++@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(lib1508_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT lib1508-lib1508.o -MD -MP -MF $(DEPDIR)/lib1508-lib1508.Tpo -c -o lib1508-lib1508.o `test -f 'lib1508.c' || echo '$(srcdir)/'`lib1508.c ++@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/lib1508-lib1508.Tpo $(DEPDIR)/lib1508-lib1508.Po ++@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='lib1508.c' object='lib1508-lib1508.o' libtool=no @AMDEPBACKSLASH@ ++@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ ++@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(lib1508_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o lib1508-lib1508.o `test -f 'lib1508.c' || echo '$(srcdir)/'`lib1508.c ++ ++lib1508-lib1508.obj: lib1508.c ++@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(lib1508_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT lib1508-lib1508.obj -MD -MP -MF $(DEPDIR)/lib1508-lib1508.Tpo -c -o lib1508-lib1508.obj `if test -f 'lib1508.c'; then $(CYGPATH_W) 'lib1508.c'; else $(CYGPATH_W) '$(srcdir)/lib1508.c'; fi` ++@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/lib1508-lib1508.Tpo $(DEPDIR)/lib1508-lib1508.Po ++@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='lib1508.c' object='lib1508-lib1508.obj' libtool=no @AMDEPBACKSLASH@ ++@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ ++@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(lib1508_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o lib1508-lib1508.obj 
`if test -f 'lib1508.c'; then $(CYGPATH_W) 'lib1508.c'; else $(CYGPATH_W) '$(srcdir)/lib1508.c'; fi` ++ ++lib1508-first.o: first.c ++@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(lib1508_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT lib1508-first.o -MD -MP -MF $(DEPDIR)/lib1508-first.Tpo -c -o lib1508-first.o `test -f 'first.c' || echo '$(srcdir)/'`first.c ++@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/lib1508-first.Tpo $(DEPDIR)/lib1508-first.Po ++@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='first.c' object='lib1508-first.o' libtool=no @AMDEPBACKSLASH@ ++@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ ++@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(lib1508_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o lib1508-first.o `test -f 'first.c' || echo '$(srcdir)/'`first.c ++ ++lib1508-first.obj: first.c ++@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(lib1508_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT lib1508-first.obj -MD -MP -MF $(DEPDIR)/lib1508-first.Tpo -c -o lib1508-first.obj `if test -f 'first.c'; then $(CYGPATH_W) 'first.c'; else $(CYGPATH_W) '$(srcdir)/first.c'; fi` ++@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/lib1508-first.Tpo $(DEPDIR)/lib1508-first.Po ++@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='first.c' object='lib1508-first.obj' libtool=no @AMDEPBACKSLASH@ ++@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ ++@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(lib1508_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o lib1508-first.obj `if test -f 'first.c'; then $(CYGPATH_W) 'first.c'; else $(CYGPATH_W) '$(srcdir)/first.c'; fi` ++ ++lib1508-testutil.o: testutil.c ++@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(lib1508_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT lib1508-testutil.o -MD -MP -MF $(DEPDIR)/lib1508-testutil.Tpo -c -o lib1508-testutil.o `test -f 
'testutil.c' || echo '$(srcdir)/'`testutil.c ++@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/lib1508-testutil.Tpo $(DEPDIR)/lib1508-testutil.Po ++@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='testutil.c' object='lib1508-testutil.o' libtool=no @AMDEPBACKSLASH@ ++@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ ++@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(lib1508_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o lib1508-testutil.o `test -f 'testutil.c' || echo '$(srcdir)/'`testutil.c ++ ++lib1508-testutil.obj: testutil.c ++@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(lib1508_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT lib1508-testutil.obj -MD -MP -MF $(DEPDIR)/lib1508-testutil.Tpo -c -o lib1508-testutil.obj `if test -f 'testutil.c'; then $(CYGPATH_W) 'testutil.c'; else $(CYGPATH_W) '$(srcdir)/testutil.c'; fi` ++@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/lib1508-testutil.Tpo $(DEPDIR)/lib1508-testutil.Po ++@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='testutil.c' object='lib1508-testutil.obj' libtool=no @AMDEPBACKSLASH@ ++@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ ++@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(lib1508_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o lib1508-testutil.obj `if test -f 'testutil.c'; then $(CYGPATH_W) 'testutil.c'; else $(CYGPATH_W) '$(srcdir)/testutil.c'; fi` ++ ++lib1508-warnless.o: ../../lib/warnless.c ++@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(lib1508_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT lib1508-warnless.o -MD -MP -MF $(DEPDIR)/lib1508-warnless.Tpo -c -o lib1508-warnless.o `test -f '../../lib/warnless.c' || echo '$(srcdir)/'`../../lib/warnless.c ++@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/lib1508-warnless.Tpo $(DEPDIR)/lib1508-warnless.Po ++@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='../../lib/warnless.c' object='lib1508-warnless.o' 
libtool=no @AMDEPBACKSLASH@ ++@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ ++@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(lib1508_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o lib1508-warnless.o `test -f '../../lib/warnless.c' || echo '$(srcdir)/'`../../lib/warnless.c ++ ++lib1508-warnless.obj: ../../lib/warnless.c ++@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(lib1508_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT lib1508-warnless.obj -MD -MP -MF $(DEPDIR)/lib1508-warnless.Tpo -c -o lib1508-warnless.obj `if test -f '../../lib/warnless.c'; then $(CYGPATH_W) '../../lib/warnless.c'; else $(CYGPATH_W) '$(srcdir)/../../lib/warnless.c'; fi` ++@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/lib1508-warnless.Tpo $(DEPDIR)/lib1508-warnless.Po ++@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='../../lib/warnless.c' object='lib1508-warnless.obj' libtool=no @AMDEPBACKSLASH@ ++@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ ++@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(lib1508_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o lib1508-warnless.obj `if test -f '../../lib/warnless.c'; then $(CYGPATH_W) '../../lib/warnless.c'; else $(CYGPATH_W) '$(srcdir)/../../lib/warnless.c'; fi` ++ + lib500-lib500.o: lib500.c + @am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(lib500_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT lib500-lib500.o -MD -MP -MF $(DEPDIR)/lib500-lib500.Tpo -c -o lib500-lib500.o `test -f 'lib500.c' || echo '$(srcdir)/'`lib500.c + @am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/lib500-lib500.Tpo $(DEPDIR)/lib500-lib500.Po +diff --git a/tests/libtest/Makefile.inc b/tests/libtest/Makefile.inc +index 82c265d..8bf2be4 100644 +--- a/tests/libtest/Makefile.inc ++++ b/tests/libtest/Makefile.inc +@@ -23,7 +23,7 @@ noinst_PROGRAMS = chkhostname libauthretry libntlmconnect \ + lib582 lib583 lib585 lib586 
lib587 \ + lib590 lib591 lib597 lib598 lib599 \ + \ +- lib1500 lib1501 lib1502 lib1503 lib1504 lib1505 lib1506 ++ lib1500 lib1501 lib1502 lib1503 lib1504 lib1505 lib1506 lib1508 + + chkhostname_SOURCES = chkhostname.c ../../lib/curl_gethostname.c + chkhostname_LDADD = @CURL_NETWORK_LIBS@ +@@ -312,3 +312,7 @@ lib1505_CPPFLAGS = $(AM_CPPFLAGS) -DLIB1505 + lib1506_SOURCES = lib1506.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS) + lib1506_LDADD = $(TESTUTIL_LIBS) + lib1506_CPPFLAGS = $(AM_CPPFLAGS) -DLIB1506 ++ ++lib1508_SOURCES = lib1508.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS) ++lib1508_LDADD = $(TESTUTIL_LIBS) ++lib1508_CPPFLAGS = $(AM_CPPFLAGS) -DLIB1508 +diff --git a/tests/libtest/lib1508.c b/tests/libtest/lib1508.c +new file mode 100644 +index 0000000..72f26d1 +--- /dev/null ++++ b/tests/libtest/lib1508.c +@@ -0,0 +1,49 @@ ++/*************************************************************************** ++ * _ _ ____ _ ++ * Project ___| | | | _ \| | ++ * / __| | | | |_) | | ++ * | (__| |_| | _ <| |___ ++ * \___|\___/|_| \_\_____| ++ * ++ * Copyright (C) 2013, Linus Nielsen Feltzing ++ * ++ * This software is licensed as described in the file COPYING, which ++ * you should have received as part of this distribution. The terms ++ * are also available at http://curl.haxx.se/docs/copyright.html. ++ * ++ * You may opt to use, copy, modify, merge, publish, distribute and/or sell ++ * copies of the Software, and permit persons to whom the Software is ++ * furnished to do so, under the terms of the COPYING file. ++ * ++ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY ++ * KIND, either express or implied. 
++ * ++ ***************************************************************************/ ++#include "test.h" ++ ++#include "testutil.h" ++#include "warnless.h" ++#include "memdebug.h" ++ ++int test(char *URL) ++{ ++ int res = 0; ++ CURLM *m = NULL; ++ ++ (void)URL; ++ ++ global_init(CURL_GLOBAL_ALL); ++ ++ multi_init(m); ++ ++test_cleanup: ++ ++ /* proper cleanup sequence - type PB */ ++ ++ curl_multi_cleanup(m); ++ curl_global_cleanup(); ++ ++ printf("We are done\n"); ++ ++ return res; ++} +-- +1.7.1 + diff --git a/0002-curl-7.27.0-f05e5136.patch b/0002-curl-7.27.0-f05e5136.patch deleted file mode 100644 index 7413ed6..0000000 --- a/0002-curl-7.27.0-f05e5136.patch +++ /dev/null 
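Review bot: In the lib/multi.c part of this patch the new `if(multi->closure_handle)` guard carries no comment saying when the handle can be NULL, and `close_all_connections(multi)` still runs unguarded on the line before it. Going by the patch subject, the NULL case is a multi handle that is cleaned up without ever having been used; I would record that above the guard as `/* closure_handle may be NULL if the multi handle was never used */`. The body of close_all_connections() is not part of the hunk, so it is worth confirming that it does not dereference `multi->closure_handle` when the connection cache is empty. curl_multi_cleanup() starts and ends outside the hunk.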
@@ -1,197 +0,0 @@ -From ce515e993fe7bc7e95549317fe5180b196454d4c Mon Sep 17 00:00:00 2001 -From: Kamil Dudka -Date: Wed, 12 Sep 2012 16:06:18 +0200 -Subject: [PATCH 1/3] ssh: move the fingerprint checking code to a separate fnc - ---- - lib/ssh.c | 71 +++++++++++++++++++++++++++++++++--------------------------- - 1 files changed, 39 insertions(+), 32 deletions(-) - -diff --git a/lib/ssh.c b/lib/ssh.c -index c76a48e..4455d44 100644 ---- a/lib/ssh.c -+++ b/lib/ssh.c -@@ -635,6 +635,43 @@ static CURLcode ssh_knownhost(struct connectdata *conn) - return result; - } - -+static bool ssh_check_fingerprint(struct connectdata *conn) -+{ -+ struct ssh_conn *sshc = &conn->proto.sshc; -+ struct SessionHandle *data = conn->data; -+ const char *pubkey_md5 = data->set.str[STRING_SSH_HOST_PUBLIC_KEY_MD5]; -+ char md5buffer[33]; -+ int i; -+ -+ const char *fingerprint = libssh2_hostkey_hash(sshc->ssh_session, -+ LIBSSH2_HOSTKEY_HASH_MD5); -+ -+ /* The fingerprint points to static storage (!), don't free() it. */ -+ for(i = 0; i < 16; i++) -+ snprintf(&md5buffer[i*2], 3, "%02x", (unsigned char) fingerprint[i]); -+ infof(data, "SSH MD5 fingerprint: %s\n", md5buffer); -+ -+ /* Before we authenticate we check the hostkey's MD5 fingerprint -+ * against a known fingerprint, if available. -+ */ -+ if(pubkey_md5 && strlen(pubkey_md5) == 32) { -+ if(!strequal(md5buffer, pubkey_md5)) { -+ failf(data, -+ "Denied establishing ssh session: mismatch md5 fingerprint. 
" -+ "Remote %s is not equal to %s", md5buffer, pubkey_md5); -+ state(conn, SSH_SESSION_FREE); -+ sshc->actualcode = CURLE_PEER_FAILED_VERIFICATION; -+ return sshc->actualcode; -+ } -+ else { -+ infof(data, "MD5 checksum match!\n"); -+ /* as we already matched, we skip the check for known hosts */ -+ return CURLE_OK; -+ } -+ } -+ else -+ return ssh_knownhost(conn); -+} - - /* - * ssh_statemach_act() runs the SSH state machine as far as it can without -@@ -650,10 +687,8 @@ static CURLcode ssh_statemach_act(struct connectdata *conn, bool *block) - struct SSHPROTO *sftp_scp = data->state.proto.ssh; - struct ssh_conn *sshc = &conn->proto.sshc; - curl_socket_t sock = conn->sock[FIRSTSOCKET]; -- const char *fingerprint; -- char md5buffer[33]; - char *new_readdir_line; -- int rc = LIBSSH2_ERROR_NONE, i; -+ int rc = LIBSSH2_ERROR_NONE; - int err; - int seekerr = CURL_SEEKFUNC_OK; - *block = 0; /* we're not blocking by default */ -@@ -694,35 +729,7 @@ static CURLcode ssh_statemach_act(struct connectdata *conn, bool *block) - * against our known hosts. How that is handled (reading from file, - * whatever) is up to us. - */ -- fingerprint = libssh2_hostkey_hash(sshc->ssh_session, -- LIBSSH2_HOSTKEY_HASH_MD5); -- -- /* The fingerprint points to static storage (!), don't free() it. */ -- for(i = 0; i < 16; i++) -- snprintf(&md5buffer[i*2], 3, "%02x", (unsigned char) fingerprint[i]); -- infof(data, "SSH MD5 fingerprint: %s\n", md5buffer); -- -- /* Before we authenticate we check the hostkey's MD5 fingerprint -- * against a known fingerprint, if available. -- */ -- if(data->set.str[STRING_SSH_HOST_PUBLIC_KEY_MD5] && -- strlen(data->set.str[STRING_SSH_HOST_PUBLIC_KEY_MD5]) == 32) { -- if(!strequal(md5buffer, -- data->set.str[STRING_SSH_HOST_PUBLIC_KEY_MD5])) { -- failf(data, -- "Denied establishing ssh session: mismatch md5 fingerprint. 
" -- "Remote %s is not equal to %s", -- md5buffer, data->set.str[STRING_SSH_HOST_PUBLIC_KEY_MD5]); -- state(conn, SSH_SESSION_FREE); -- result = sshc->actualcode = CURLE_PEER_FAILED_VERIFICATION; -- } -- else -- infof(data, "MD5 checksum match!\n"); -- /* as we already matched, we skip the check for known hosts */ -- } -- else -- result = ssh_knownhost(conn); -- -+ result = ssh_check_fingerprint(conn); - if(!result) - state(conn, SSH_AUTHLIST); - break; --- -1.7.1 - - -From f05e51362f310cb04b0ad8d086b9cf693aad5c9d Mon Sep 17 00:00:00 2001 -From: Kamil Dudka -Date: Wed, 12 Sep 2012 16:18:36 +0200 -Subject: [PATCH 2/3] ssh: do not crash if MD5 fingerprint is not provided by libssh2 - -The MD5 fingerprint cannot be computed when running in FIPS mode. ---- - lib/ssh.c | 22 ++++++++++++++-------- - 1 files changed, 14 insertions(+), 8 deletions(-) - -diff --git a/lib/ssh.c b/lib/ssh.c -index 4455d44..466566c 100644 ---- a/lib/ssh.c -+++ b/lib/ssh.c -@@ -646,19 +646,25 @@ static bool ssh_check_fingerprint(struct connectdata *conn) - const char *fingerprint = libssh2_hostkey_hash(sshc->ssh_session, - LIBSSH2_HOSTKEY_HASH_MD5); - -- /* The fingerprint points to static storage (!), don't free() it. */ -- for(i = 0; i < 16; i++) -- snprintf(&md5buffer[i*2], 3, "%02x", (unsigned char) fingerprint[i]); -- infof(data, "SSH MD5 fingerprint: %s\n", md5buffer); -+ if(fingerprint) { -+ /* The fingerprint points to static storage (!), don't free() it. */ -+ for(i = 0; i < 16; i++) -+ snprintf(&md5buffer[i*2], 3, "%02x", (unsigned char) fingerprint[i]); -+ infof(data, "SSH MD5 fingerprint: %s\n", md5buffer); -+ } - - /* Before we authenticate we check the hostkey's MD5 fingerprint - * against a known fingerprint, if available. - */ - if(pubkey_md5 && strlen(pubkey_md5) == 32) { -- if(!strequal(md5buffer, pubkey_md5)) { -- failf(data, -- "Denied establishing ssh session: mismatch md5 fingerprint. 
" -- "Remote %s is not equal to %s", md5buffer, pubkey_md5); -+ if(!fingerprint || !strequal(md5buffer, pubkey_md5)) { -+ if(fingerprint) -+ failf(data, -+ "Denied establishing ssh session: mismatch md5 fingerprint. " -+ "Remote %s is not equal to %s", md5buffer, pubkey_md5); -+ else -+ failf(data, -+ "Denied establishing ssh session: md5 fingerprint not available"); - state(conn, SSH_SESSION_FREE); - sshc->actualcode = CURLE_PEER_FAILED_VERIFICATION; - return sshc->actualcode; --- -1.7.1 - - -From 1ab6c353635760e8e25bacc13ae0cab2f97f7338 Mon Sep 17 00:00:00 2001 -From: Marc Hoersken -Date: Fri, 14 Sep 2012 14:48:55 +0200 -Subject: [PATCH 3/3] ssh.c: Fixed warning: implicit conversion from enumeration type - -Signed-off-by: Kamil Dudka ---- - lib/ssh.c | 4 ++-- - 1 files changed, 2 insertions(+), 2 deletions(-) - -diff --git a/lib/ssh.c b/lib/ssh.c -index 466566c..e8b7172 100644 ---- a/lib/ssh.c -+++ b/lib/ssh.c -@@ -635,7 +635,7 @@ static CURLcode ssh_knownhost(struct connectdata *conn) - return result; - } - --static bool ssh_check_fingerprint(struct connectdata *conn) -+static CURLcode ssh_check_fingerprint(struct connectdata *conn) - { - struct ssh_conn *sshc = &conn->proto.sshc; - struct SessionHandle *data = conn->data; -@@ -736,7 +736,7 @@ static CURLcode ssh_statemach_act(struct connectdata *conn, bool *block) - * whatever) is up to us. - */ - result = ssh_check_fingerprint(conn); -- if(!result) -+ if(result == CURLE_OK) - state(conn, SSH_AUTHLIST); - break; - --- -1.7.1 - diff --git a/0002-curl-7.29.0-9d0af301.patch b/0002-curl-7.29.0-9d0af301.patch new file mode 100644 index 0000000..0b9f7aa --- /dev/null +++ b/0002-curl-7.29.0-9d0af301.patch 
@@ -0,0 +1,47 @@
+From 8d25353ae1661ce50fe564e733f3ef45004f4bdf Mon Sep 17 00:00:00 2001
+From: Kamil Dudka
+Date: Tue, 5 Mar 2013 17:51:01 +0100
+Subject: [PATCH] nss: fix misplaced code enabling non-blocking socket mode
+
+The option needs to be set on the SSL socket. Setting it on the model
+takes no effect. Note that the non-blocking mode is still not enabled
+for the handshake because the code is not yet ready for that.
+
+[upstream commit 9d0af3018c5db25f5adda216dbcad6056b4a3107]
+---
+ lib/nss.c | 12 ++++++------
+ 1 files changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/lib/nss.c b/lib/nss.c
+index 8a2cb09..a2c5c63 100644
+--- a/lib/nss.c
++++ b/lib/nss.c
+@@ -1237,12 +1237,6 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex)
+ goto error;
+ model = SSL_ImportFD(NULL, model);
+
+- /* make the socket nonblocking */
+- sock_opt.option = PR_SockOpt_Nonblocking;
+- sock_opt.value.non_blocking = PR_TRUE;
+- if(PR_SetSocketOption(model, &sock_opt) != PR_SUCCESS)
+- goto error;
+-
+ if(SSL_OptionSet(model, SSL_SECURITY, PR_TRUE) != SECSuccess)
+ goto error;
+ if(SSL_OptionSet(model, SSL_HANDSHAKE_AS_SERVER, PR_FALSE) != SECSuccess)
+@@ -1415,6 +1409,12 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex)
+ goto error;
+ }
+
++ /* switch the SSL socket into non-blocking mode */
++ sock_opt.option = PR_SockOpt_Nonblocking;
++ sock_opt.value.non_blocking = PR_TRUE;
++ if(PR_SetSocketOption(connssl->handle, &sock_opt) != PR_SUCCESS)
++ goto error;
++
+ connssl->state = ssl_connection_complete;
+ conn->recv[sockindex] = nss_recv;
+ conn->send[sockindex] = nss_send;
+--
+1.7.1
+
diff --git a/0003-curl-7.27.0-382429e7.patch b/0003-curl-7.27.0-382429e7.patch
deleted file mode 100644
index f25fe71..0000000
--- a/0003-curl-7.27.0-382429e7.patch
+++ /dev/null
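Review bot: The block added in the second lib/nss.c hunk sits just before `connssl->state = ssl_connection_complete`, and per the patch description the handshake still runs on a blocking socket, yet the one-line comment does not say so. A peer that stalls during the handshake would hold the calling thread unless the handshake call carries its own timeout, which is not visible in this hunk and should be confirmed. I would extend the comment to `/* switch the SSL socket into non-blocking mode; the handshake above still runs in blocking mode */`. The new `goto error` appears to be reached with an already negotiated session, so the error label (outside the hunk) needs to release `connssl->handle` on that path as well. Curl_nss_connect() starts and ends outside both hunks.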
@@ -1,32 +0,0 @@
-From 382429e7601de68564f08a88cc867dbcd6e2556a Mon Sep 17 00:00:00 2001
-From: Daniel Stenberg
-Date: Tue, 7 Aug 2012 14:13:09 +0200
-Subject: [PATCH] curl-config: parentheses fix
-
-Braces, not parentheses, should be used for shell variable names.
-
-Bug: http://curl.haxx.se/bug/view.cgi?id=3551460
-Reported by: Edward Sheldrake
----
- curl-config.in | 4 ++--
- 1 files changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/curl-config.in b/curl-config.in
-index a3ca8b5..731761c 100644
---- a/curl-config.in
-+++ b/curl-config.in
-@@ -135,9 +135,9 @@ while test $# -gt 0; do
- CPPFLAG_CURL_STATICLIB=""
- fi
- if test "X@includedir@" = "X/usr/include"; then
-- echo "$(CPPFLAG_CURL_STATICLIB)"
-+ echo "$CPPFLAG_CURL_STATICLIB"
- else
-- echo "$(CPPFLAG_CURL_STATICLIB)-I@includedir@"
-+ echo "${CPPFLAG_CURL_STATICLIB}-I@includedir@"
- fi
- ;;
-
---
-1.7.1
-
diff --git a/0003-curl-7.29.0-491e026c.patch b/0003-curl-7.29.0-491e026c.patch
new file mode 100644
index 0000000..c136e34
--- /dev/null
+++ b/0003-curl-7.29.0-491e026c.patch
@@ -0,0 +1,39 @@
+From a2e6eadf6a72f7587eb9bc1ad52383e4c5507b12 Mon Sep 17 00:00:00 2001
+From: Kamil Dudka
+Date: Mon, 11 Mar 2013 16:57:25 +0100
+Subject: [PATCH 1/2] easy: do not ignore poll() failures other than EINTR
+
+[upstream commit 491e026ccda0e60975fa6e2e9cf3ccca37e18f7b]
+---
+ lib/easy.c | 12 ++++++++++--
+ 1 files changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/lib/easy.c b/lib/easy.c
+index c27deff..2e747bb 100644
+--- a/lib/easy.c
++++ b/lib/easy.c
+@@ -441,11 +441,19 @@ CURLcode curl_easy_perform(CURL *easy)
+
+ while(!done && !mcode) {
+ int still_running;
++ int ret;
+
+- mcode = curl_multi_wait(multi, NULL, 0, 1000, NULL);
++ mcode = curl_multi_wait(multi, NULL, 0, 1000, &ret);
++
++ if(mcode == CURLM_OK) {
++ if(ret == -1) {
++ /* poll() failed not on EINTR, indicate a network problem */
++ code = CURLE_RECV_ERROR;
++ break;
++ }
+
+- if(mcode == CURLM_OK)
+ mcode = curl_multi_perform(multi, &still_running);
++ }
+
+ /* only read 'still_running' if curl_multi_perform() return OK */
+ if((mcode == CURLM_OK) && !still_running) {
+--
+1.7.1
+
diff --git a/0004-curl-7.27.0-52b6eda4.patch b/0004-curl-7.27.0-52b6eda4.patch
deleted file mode 100644
index a6b751b..0000000
--- a/0004-curl-7.27.0-52b6eda4.patch
+++ /dev/null
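Review bot: `ret` is declared without an initializer and then read in `if(ret == -1)`, so the check is only defined if curl_multi_wait() stores to its last argument on every CURLM_OK return; that function is not in the hunk, so I would declare `int ret = 0;`. The comment `/* poll() failed not on EINTR, indicate a network problem */` also claims more than the code knows, since any poll() failure ends up as -1 here and the errno is lost once it is mapped to CURLE_RECV_ERROR. A more accurate wording would be `/* poll() reported a failure; errno is not available here, report it as a receive error */`. The loop and the rest of curl_easy_perform continue outside the hunk, so whether the `break` still reaches the multi-handle cleanup cannot be confirmed from here.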
@@ -1,115 +0,0 @@ -From fea7914a32b7d7a8ec4bbf4de0c2be74a32969bb Mon Sep 17 00:00:00 2001 -From: Kamil Dudka -Date: Thu, 9 Aug 2012 09:40:00 +0200 -Subject: [PATCH 1/2] nss: do not print misleading NSS error codes - -[upstream commit 52b6eda4f2a006e33358c6964ef6a00b09ae59ab] ---- - lib/nss.c | 42 ++++++++++++++++++++++++++++++------------ - 1 files changed, 30 insertions(+), 12 deletions(-) - -diff --git a/lib/nss.c b/lib/nss.c -index b11796c..a8e08f4 100644 ---- a/lib/nss.c -+++ b/lib/nss.c -@@ -1084,17 +1084,31 @@ int Curl_nss_close_all(struct SessionHandle *data) - return 0; - } - --/* return true if the given error code is related to a client certificate */ --static bool is_cc_error(PRInt32 err) -+/* return true if NSS can provide error code (and possibly msg) for the error */ -+static bool is_nss_error(CURLcode err) - { - switch(err) { -- case SSL_ERROR_BAD_CERT_ALERT: -+ case CURLE_PEER_FAILED_VERIFICATION: -+ case CURLE_SSL_CACERT: -+ case CURLE_SSL_CACERT_BADFILE: -+ case CURLE_SSL_CERTPROBLEM: -+ case CURLE_SSL_CONNECT_ERROR: -+ case CURLE_SSL_CRL_BADFILE: -+ case CURLE_SSL_ISSUER_ERROR: - return true; - -- case SSL_ERROR_REVOKED_CERT_ALERT: -- return true; -+ default: -+ return false; -+ } -+} - -+/* return true if the given error code is related to a client certificate */ -+static bool is_cc_error(PRInt32 err) -+{ -+ switch(err) { -+ case SSL_ERROR_BAD_CERT_ALERT: - case SSL_ERROR_EXPIRED_CERT_ALERT: -+ case SSL_ERROR_REVOKED_CERT_ALERT: - return true; - - default: -@@ -1388,6 +1402,7 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex) - time_left = Curl_timeleft(data, NULL, TRUE); - if(time_left < 0L) { - failf(data, "timed out before SSL handshake"); -+ curlerr = CURLE_OPERATION_TIMEDOUT; - goto error; - } - timeout = PR_MillisecondsToInterval((PRUint32) time_left); -@@ -1432,15 +1447,18 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex) - /* reset the flag to avoid an infinite loop */ - 
data->state.ssl_connect_retry = FALSE; - -- err = PR_GetError(); -- if(is_cc_error(err)) -- curlerr = CURLE_SSL_CERTPROBLEM; -+ if(is_nss_error(curlerr)) { -+ /* read NSPR error code */ -+ err = PR_GetError(); -+ if(is_cc_error(err)) -+ curlerr = CURLE_SSL_CERTPROBLEM; - -- /* print the error number and error string */ -- infof(data, "NSS error %d (%s)\n", err, nss_error_to_name(err)); -+ /* print the error number and error string */ -+ infof(data, "NSS error %d (%s)\n", err, nss_error_to_name(err)); - -- /* print a human-readable message describing the error if available */ -- nss_print_error_message(data, err); -+ /* print a human-readable message describing the error if available */ -+ nss_print_error_message(data, err); -+ } - - if(model) - PR_Close(model); --- -1.7.1 - - -From b00ba010d0cd0a6ee77692fd4e38e6680b07a82e Mon Sep 17 00:00:00 2001 -From: Marc Hoersken -Date: Tue, 11 Sep 2012 09:49:23 +0200 -Subject: [PATCH 2/2] nss.c: Fixed warning: 'err' may be used uninitialized in this function - -[upstream commit e6ba0487013085afc5bc1ca7d7c8a15a13367ba6] ---- - lib/nss.c | 2 +- - 1 files changed, 1 insertions(+), 1 deletions(-) - -diff --git a/lib/nss.c b/lib/nss.c -index a8e08f4..fef7c3d 100644 ---- a/lib/nss.c -+++ b/lib/nss.c -@@ -1173,7 +1173,7 @@ static CURLcode nss_load_ca_certificates(struct connectdata *conn, - - CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex) - { -- PRInt32 err; -+ PRErrorCode err = 0; - PRFileDesc *model = NULL; - PRBool ssl2 = PR_FALSE; - PRBool ssl3 = PR_FALSE; --- -1.7.1 - diff --git a/0004-curl-7.29.0-57ccdfa8.patch b/0004-curl-7.29.0-57ccdfa8.patch new file mode 100644 index 0000000..1448d64 --- /dev/null +++ b/0004-curl-7.29.0-57ccdfa8.patch 
@@ -0,0 +1,143 @@ +From 37a515d9933a3160a8a868d5a697a42b28f6d792 Mon Sep 17 00:00:00 2001 +From: Zdenek Pavlas +Date: Mon, 11 Mar 2013 14:57:07 +0100 +Subject: [PATCH 2/2] curl_global_init: accept the CURL_GLOBAL_ACK_EINTR flag + +The flag can be used in pycurl-based applications where using the multi +interface would not be acceptable because of the performance lost caused +by implementing the select() loop in python. + +Bug: http://curl.haxx.se/bug/view.cgi?id=1168 +Downstream Bug: https://bugzilla.redhat.com/919127 + +[upstream commit 57ccdfa8d2bb6275388223f4676cd623ebd01697] +--- + docs/libcurl/curl_global_init.3 | 4 ++++ + docs/libcurl/symbols-in-versions | 1 + + include/curl/curl.h | 1 + + lib/easy.c | 2 ++ + lib/select.c | 17 ++--------------- + lib/select.h | 6 ++++++ + 6 files changed, 16 insertions(+), 15 deletions(-) + +diff --git a/docs/libcurl/curl_global_init.3 b/docs/libcurl/curl_global_init.3 +index d91e1bd..6a08383 100644 +--- a/docs/libcurl/curl_global_init.3 ++++ b/docs/libcurl/curl_global_init.3 +@@ -70,6 +70,10 @@ Initialise nothing extra. This sets no bit. + .B CURL_GLOBAL_DEFAULT + A sensible default. It will init both SSL and Win32. Right now, this equals + the functionality of the \fBCURL_GLOBAL_ALL\fP mask. ++.TP ++.B CURL_GLOBAL_ACK_EINTR ++When this flag is set, curl will acknowledge EINTR condition when connecting ++or when waiting for data. Otherwise, curl waits until full timeout elapses. + .SH RETURN VALUE + If this function returns non-zero, something went wrong and you cannot use the + other curl functions. 
+diff --git a/docs/libcurl/symbols-in-versions b/docs/libcurl/symbols-in-versions +index 1de1ace..37b5e27 100644 +--- a/docs/libcurl/symbols-in-versions ++++ b/docs/libcurl/symbols-in-versions +@@ -614,6 +614,7 @@ CURL_GLOBAL_DEFAULT 7.8 + CURL_GLOBAL_NOTHING 7.8 + CURL_GLOBAL_SSL 7.8 + CURL_GLOBAL_WIN32 7.8.1 ++CURL_GLOBAL_ACK_EINTR 7.30.0 + CURL_HTTP_VERSION_1_0 7.9.1 + CURL_HTTP_VERSION_1_1 7.9.1 + CURL_HTTP_VERSION_NONE 7.9.1 +diff --git a/include/curl/curl.h b/include/curl/curl.h +index 5b39a24..80e4cf5 100644 +--- a/include/curl/curl.h ++++ b/include/curl/curl.h +@@ -2023,6 +2023,7 @@ typedef enum { + #define CURL_GLOBAL_ALL (CURL_GLOBAL_SSL|CURL_GLOBAL_WIN32) + #define CURL_GLOBAL_NOTHING 0 + #define CURL_GLOBAL_DEFAULT CURL_GLOBAL_ALL ++#define CURL_GLOBAL_ACK_EINTR (1<<2) + + + /***************************************************************************** +diff --git a/lib/easy.c b/lib/easy.c +index 2e747bb..2739598 100644 +--- a/lib/easy.c ++++ b/lib/easy.c +@@ -262,6 +262,8 @@ CURLcode curl_global_init(long flags) + } + #endif + ++ Curl_ack_eintr = flags & CURL_GLOBAL_ACK_EINTR; ++ + init_flags = flags; + + /* Preset pseudo-random number sequence. */ +diff --git a/lib/select.c b/lib/select.c +index d13e122..db7fb6d 100644 +--- a/lib/select.c ++++ b/lib/select.c +@@ -50,11 +50,8 @@ + + #define elapsed_ms (int)curlx_tvdiff(curlx_tvnow(), initial_tv) + +-#ifdef CURL_ACKNOWLEDGE_EINTR +-#define error_not_EINTR (1) +-#else +-#define error_not_EINTR (error != EINTR) +-#endif ++int Curl_ack_eintr = 0; ++#define error_not_EINTR (Curl_ack_eintr || error != EINTR) + + /* + * Internal function used for waiting a specific amount of ms +@@ -67,10 +64,6 @@ + * Timeout resolution, accuracy, as well as maximum supported + * value is system dependent, neither factor is a citical issue + * for the intended use of this function in the library. 
+- * On non-DOS and non-Winsock platforms, when compiled with +- * CURL_ACKNOWLEDGE_EINTR defined, EINTR condition is honored +- * and function might exit early without awaiting full timeout, +- * otherwise EINTR will be ignored and full timeout will elapse. + * + * Return values: + * -1 = system call error, invalid timeout value, or interrupted +@@ -133,9 +126,6 @@ int Curl_wait_ms(int timeout_ms) + * A negative timeout value makes this function wait indefinitely, + * unles no valid file descriptor is given, when this happens the + * negative timeout is ignored and the function times out immediately. +- * When compiled with CURL_ACKNOWLEDGE_EINTR defined, EINTR condition +- * is honored and function might exit early without awaiting timeout, +- * otherwise EINTR will be ignored. + * + * Return values: + * -1 = system call error or fd >= FD_SETSIZE +@@ -351,9 +341,6 @@ int Curl_socket_check(curl_socket_t readfd0, /* two sockets to read from */ + * A negative timeout value makes this function wait indefinitely, + * unles no valid file descriptor is given, when this happens the + * negative timeout is ignored and the function times out immediately. +- * When compiled with CURL_ACKNOWLEDGE_EINTR defined, EINTR condition +- * is honored and function might exit early without awaiting timeout, +- * otherwise EINTR will be ignored. + * + * Return values: + * -1 = system call error or fd >= FD_SETSIZE +diff --git a/lib/select.h b/lib/select.h +index 00789bb..c00afe1 100644 +--- a/lib/select.h ++++ b/lib/select.h +@@ -81,6 +81,12 @@ int Curl_socket_check(curl_socket_t readfd, curl_socket_t readfd2, + + int Curl_poll(struct pollfd ufds[], unsigned int nfds, int timeout_ms); + ++/* On non-DOS and non-Winsock platforms, when Curl_ack_eintr is set, ++ * EINTR condition is honored and function might exit early without ++ * awaiting full timeout. Otherwise EINTR will be ignored and full ++ * timeout will elapse. 
*/ ++extern int Curl_ack_eintr; ++ + int Curl_wait_ms(int timeout_ms); + + #ifdef TPF +-- +1.7.1 + diff --git a/0005-curl-7.27.0-f208bf5a.patch b/0005-curl-7.27.0-f208bf5a.patch deleted file mode 100644 index c164fd0..0000000 --- a/0005-curl-7.27.0-f208bf5a.patch +++ /dev/null 
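Review bot: In the lib/easy.c hunk, `Curl_ack_eintr = flags & CURL_GLOBAL_ACK_EINTR;` stores a `long` expression in an `int` and leaves the flag holding the raw bit value 4 instead of a boolean; `Curl_ack_eintr = (flags & CURL_GLOBAL_ACK_EINTR) ? 1 : 0;` avoids the implicit narrowing and makes the intent explicit. The flag is a process-wide mutable global that `error_not_EINTR` in lib/select.c reads on every wait, so it changes behaviour for every handle in the process, and the new curl_global_init.3 paragraph should say so. The man page text also does not tell the caller what an interrupted wait looks like from the API; if the waits behind curl_easy_perform go through these functions (not visible here), the earlier lib/easy.c patch in this series would report it as CURLE_RECV_ERROR, which deserves one sentence in the documentation. curl_global_init's body extends beyond the hunk, so whether the assignment is reached on repeated init calls cannot be confirmed from the visible lines.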
@@ -1,190 +0,0 @@ -From c78462408b8033c99cb45e70f34586ceb8fa8276 Mon Sep 17 00:00:00 2001 -From: Kamil Dudka -Date: Thu, 9 Aug 2012 14:08:11 +0200 -Subject: [PATCH] docs: update the links to cipher-suites supported by NSS - -... and make the list of cipher-suites in nss.c readable by humans. - -Bug: http://curl.haxx.se/mail/archive-2012-08/0016.html - -[upstream commit f208bf5a2d622ae525690dfba2ab58abd8d72264] ---- - docs/curl.1 | 2 +- - docs/libcurl/curl_easy_setopt.3 | 2 +- - lib/nss.c | 105 +++++++++++++++++++-------------------- - 3 files changed, 53 insertions(+), 56 deletions(-) - -diff --git a/docs/curl.1 b/docs/curl.1 -index 0e29ed5..5ba3d56 100644 ---- a/docs/curl.1 -+++ b/docs/curl.1 -@@ -223,7 +223,7 @@ must specify valid ciphers. Read up on SSL cipher list details on this URL: - - NSS ciphers are done differently than OpenSSL and GnuTLS. The full list of - NSS ciphers is in the NSSCipherSuite entry at this URL: --\fIhttp://directory.fedora.redhat.com/docs/mod_nss.html#Directives\fP -+\fIhttp://git.fedorahosted.org/cgit/mod_nss.git/plain/docs/mod_nss.html#Directives\fP - - If this option is used several times, the last one will override the others. - .IP "--compressed" -diff --git a/docs/libcurl/curl_easy_setopt.3 b/docs/libcurl/curl_easy_setopt.3 -index 25a7d5e..d83afe8 100644 ---- a/docs/libcurl/curl_easy_setopt.3 -+++ b/docs/libcurl/curl_easy_setopt.3 -@@ -2367,7 +2367,7 @@ this option then all known ciphers are disabled and only those passed in - are enabled. - - You'll find more details about the NSS cipher lists on this URL: --\fIhttp://directory.fedora.redhat.com/docs/mod_nss.html#Directives\fP -+\fIhttp://git.fedorahosted.org/cgit/mod_nss.git/plain/docs/mod_nss.html#Directives\fP - - .IP CURLOPT_SSL_SESSIONID_CACHE - Pass a long set to 0 to disable libcurl's use of SSL session-ID caching. 
Set -diff --git a/lib/nss.c b/lib/nss.c -index fef7c3d..705a625 100644 ---- a/lib/nss.c -+++ b/lib/nss.c -@@ -89,7 +89,6 @@ volatile int initialized = 0; - typedef struct { - const char *name; - int num; -- PRInt32 version; /* protocol version valid for this cipher */ - } cipher_s; - - #define PK11_SETATTRS(_attr, _idx, _type, _val, _len) do { \ -@@ -101,65 +100,63 @@ typedef struct { - - #define CERT_NewTempCertificate __CERT_NewTempCertificate - --enum sslversion { SSL2 = 1, SSL3 = 2, TLS = 4 }; -- - #define NUM_OF_CIPHERS sizeof(cipherlist)/sizeof(cipherlist[0]) - static const cipher_s cipherlist[] = { - /* SSL2 cipher suites */ -- {"rc4", SSL_EN_RC4_128_WITH_MD5, SSL2}, -- {"rc4-md5", SSL_EN_RC4_128_WITH_MD5, SSL2}, -- {"rc4export", SSL_EN_RC4_128_EXPORT40_WITH_MD5, SSL2}, -- {"rc2", SSL_EN_RC2_128_CBC_WITH_MD5, SSL2}, -- {"rc2export", SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5, SSL2}, -- {"des", SSL_EN_DES_64_CBC_WITH_MD5, SSL2}, -- {"desede3", SSL_EN_DES_192_EDE3_CBC_WITH_MD5, SSL2}, -+ {"rc4", SSL_EN_RC4_128_WITH_MD5}, -+ {"rc4-md5", SSL_EN_RC4_128_WITH_MD5}, -+ {"rc4export", SSL_EN_RC4_128_EXPORT40_WITH_MD5}, -+ {"rc2", SSL_EN_RC2_128_CBC_WITH_MD5}, -+ {"rc2export", SSL_EN_RC2_128_CBC_EXPORT40_WITH_MD5}, -+ {"des", SSL_EN_DES_64_CBC_WITH_MD5}, -+ {"desede3", SSL_EN_DES_192_EDE3_CBC_WITH_MD5}, - /* SSL3/TLS cipher suites */ -- {"rsa_rc4_128_md5", SSL_RSA_WITH_RC4_128_MD5, SSL3 | TLS}, -- {"rsa_rc4_128_sha", SSL_RSA_WITH_RC4_128_SHA, SSL3 | TLS}, -- {"rsa_3des_sha", SSL_RSA_WITH_3DES_EDE_CBC_SHA, SSL3 | TLS}, -- {"rsa_des_sha", SSL_RSA_WITH_DES_CBC_SHA, SSL3 | TLS}, -- {"rsa_rc4_40_md5", SSL_RSA_EXPORT_WITH_RC4_40_MD5, SSL3 | TLS}, -- {"rsa_rc2_40_md5", SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5, SSL3 | TLS}, -- {"rsa_null_md5", SSL_RSA_WITH_NULL_MD5, SSL3 | TLS}, -- {"rsa_null_sha", SSL_RSA_WITH_NULL_SHA, SSL3 | TLS}, -- {"fips_3des_sha", SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA, SSL3 | TLS}, -- {"fips_des_sha", SSL_RSA_FIPS_WITH_DES_CBC_SHA, SSL3 | TLS}, -- {"fortezza", 
SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA, SSL3 | TLS}, -- {"fortezza_rc4_128_sha", SSL_FORTEZZA_DMS_WITH_RC4_128_SHA, SSL3 | TLS}, -- {"fortezza_null", SSL_FORTEZZA_DMS_WITH_NULL_SHA, SSL3 | TLS}, -+ {"rsa_rc4_128_md5", SSL_RSA_WITH_RC4_128_MD5}, -+ {"rsa_rc4_128_sha", SSL_RSA_WITH_RC4_128_SHA}, -+ {"rsa_3des_sha", SSL_RSA_WITH_3DES_EDE_CBC_SHA}, -+ {"rsa_des_sha", SSL_RSA_WITH_DES_CBC_SHA}, -+ {"rsa_rc4_40_md5", SSL_RSA_EXPORT_WITH_RC4_40_MD5}, -+ {"rsa_rc2_40_md5", SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5}, -+ {"rsa_null_md5", SSL_RSA_WITH_NULL_MD5}, -+ {"rsa_null_sha", SSL_RSA_WITH_NULL_SHA}, -+ {"fips_3des_sha", SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA}, -+ {"fips_des_sha", SSL_RSA_FIPS_WITH_DES_CBC_SHA}, -+ {"fortezza", SSL_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA}, -+ {"fortezza_rc4_128_sha", SSL_FORTEZZA_DMS_WITH_RC4_128_SHA}, -+ {"fortezza_null", SSL_FORTEZZA_DMS_WITH_NULL_SHA}, - /* TLS 1.0: Exportable 56-bit Cipher Suites. */ -- {"rsa_des_56_sha", TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA, SSL3 | TLS}, -- {"rsa_rc4_56_sha", TLS_RSA_EXPORT1024_WITH_RC4_56_SHA, SSL3 | TLS}, -+ {"rsa_des_56_sha", TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA}, -+ {"rsa_rc4_56_sha", TLS_RSA_EXPORT1024_WITH_RC4_56_SHA}, - /* AES ciphers. */ -- {"rsa_aes_128_sha", TLS_RSA_WITH_AES_128_CBC_SHA, SSL3 | TLS}, -- {"rsa_aes_256_sha", TLS_RSA_WITH_AES_256_CBC_SHA, SSL3 | TLS}, -+ {"rsa_aes_128_sha", TLS_RSA_WITH_AES_128_CBC_SHA}, -+ {"rsa_aes_256_sha", TLS_RSA_WITH_AES_256_CBC_SHA}, - #ifdef NSS_ENABLE_ECC - /* ECC ciphers. 
*/ -- {"ecdh_ecdsa_null_sha", TLS_ECDH_ECDSA_WITH_NULL_SHA, TLS}, -- {"ecdh_ecdsa_rc4_128_sha", TLS_ECDH_ECDSA_WITH_RC4_128_SHA, TLS}, -- {"ecdh_ecdsa_3des_sha", TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS}, -- {"ecdh_ecdsa_aes_128_sha", TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS}, -- {"ecdh_ecdsa_aes_256_sha", TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS}, -- {"ecdhe_ecdsa_null_sha", TLS_ECDHE_ECDSA_WITH_NULL_SHA, TLS}, -- {"ecdhe_ecdsa_rc4_128_sha", TLS_ECDHE_ECDSA_WITH_RC4_128_SHA, TLS}, -- {"ecdhe_ecdsa_3des_sha", TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS}, -- {"ecdhe_ecdsa_aes_128_sha", TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS}, -- {"ecdhe_ecdsa_aes_256_sha", TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS}, -- {"ecdh_rsa_null_sha", TLS_ECDH_RSA_WITH_NULL_SHA, TLS}, -- {"ecdh_rsa_128_sha", TLS_ECDH_RSA_WITH_RC4_128_SHA, TLS}, -- {"ecdh_rsa_3des_sha", TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, TLS}, -- {"ecdh_rsa_aes_128_sha", TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS}, -- {"ecdh_rsa_aes_256_sha", TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS}, -- {"echde_rsa_null", TLS_ECDHE_RSA_WITH_NULL_SHA, TLS}, -- {"ecdhe_rsa_rc4_128_sha", TLS_ECDHE_RSA_WITH_RC4_128_SHA, TLS}, -- {"ecdhe_rsa_3des_sha", TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, TLS}, -- {"ecdhe_rsa_aes_128_sha", TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS}, -- {"ecdhe_rsa_aes_256_sha", TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS}, -- {"ecdh_anon_null_sha", TLS_ECDH_anon_WITH_NULL_SHA, TLS}, -- {"ecdh_anon_rc4_128sha", TLS_ECDH_anon_WITH_RC4_128_SHA, TLS}, -- {"ecdh_anon_3des_sha", TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA, TLS}, -- {"ecdh_anon_aes_128_sha", TLS_ECDH_anon_WITH_AES_128_CBC_SHA, TLS}, -- {"ecdh_anon_aes_256_sha", TLS_ECDH_anon_WITH_AES_256_CBC_SHA, TLS}, -+ {"ecdh_ecdsa_null_sha", TLS_ECDH_ECDSA_WITH_NULL_SHA}, -+ {"ecdh_ecdsa_rc4_128_sha", TLS_ECDH_ECDSA_WITH_RC4_128_SHA}, -+ {"ecdh_ecdsa_3des_sha", TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA}, -+ {"ecdh_ecdsa_aes_128_sha", TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA}, -+ {"ecdh_ecdsa_aes_256_sha", 
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA}, -+ {"ecdhe_ecdsa_null_sha", TLS_ECDHE_ECDSA_WITH_NULL_SHA}, -+ {"ecdhe_ecdsa_rc4_128_sha", TLS_ECDHE_ECDSA_WITH_RC4_128_SHA}, -+ {"ecdhe_ecdsa_3des_sha", TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA}, -+ {"ecdhe_ecdsa_aes_128_sha", TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA}, -+ {"ecdhe_ecdsa_aes_256_sha", TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA}, -+ {"ecdh_rsa_null_sha", TLS_ECDH_RSA_WITH_NULL_SHA}, -+ {"ecdh_rsa_128_sha", TLS_ECDH_RSA_WITH_RC4_128_SHA}, -+ {"ecdh_rsa_3des_sha", TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA}, -+ {"ecdh_rsa_aes_128_sha", TLS_ECDH_RSA_WITH_AES_128_CBC_SHA}, -+ {"ecdh_rsa_aes_256_sha", TLS_ECDH_RSA_WITH_AES_256_CBC_SHA}, -+ {"echde_rsa_null", TLS_ECDHE_RSA_WITH_NULL_SHA}, -+ {"ecdhe_rsa_rc4_128_sha", TLS_ECDHE_RSA_WITH_RC4_128_SHA}, -+ {"ecdhe_rsa_3des_sha", TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA}, -+ {"ecdhe_rsa_aes_128_sha", TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA}, -+ {"ecdhe_rsa_aes_256_sha", TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA}, -+ {"ecdh_anon_null_sha", TLS_ECDH_anon_WITH_NULL_SHA}, -+ {"ecdh_anon_rc4_128sha", TLS_ECDH_anon_WITH_RC4_128_SHA}, -+ {"ecdh_anon_3des_sha", TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA}, -+ {"ecdh_anon_aes_128_sha", TLS_ECDH_anon_WITH_AES_128_CBC_SHA}, -+ {"ecdh_anon_aes_256_sha", TLS_ECDH_anon_WITH_AES_256_CBC_SHA}, - #endif - }; - -@@ -248,7 +245,7 @@ static SECStatus set_ciphers(struct SessionHandle *data, PRFileDesc * model, - for(i=0; i +Date: Fri, 12 Apr 2013 15:53:39 +0200 +Subject: [PATCH 1/3] test1216: test tailmatching cookie domains + +This test is an attempt to repeat the problem YAMADA Yasuharu reported +at http://curl.haxx.se/mail/lib-2013-04/0108.html + +Conflicts: + + tests/data/Makefile.am + +Signed-off-by: Kamil Dudka +--- + tests/data/Makefile.am | 2 +- + tests/data/Makefile.in | 2 +- + tests/data/test1216 | 62 ++++++++++++++++++++++++++++++++++++++++++++++++ + 3 files changed, 64 insertions(+), 2 deletions(-) + create mode 100644 tests/data/test1216 + +diff --git a/tests/data/Makefile.am 
b/tests/data/Makefile.am +index 9f569a3..d714e5d 100644 +--- a/tests/data/Makefile.am ++++ b/tests/data/Makefile.am +@@ -77,7 +77,7 @@ test1110 test1111 test1112 test1113 test1114 test1115 test1116 test1117 \ + test1118 test1119 test1120 test1121 test1122 test1123 test1124 test1125 \ + test1126 test1127 test1128 test1129 test1130 test1131 test1132 test1133 \ + test1200 test1201 test1202 test1203 test1204 test1205 test1206 test1207 \ +-test1208 test1209 test1210 test1211 \ ++test1208 test1209 test1210 test1211 test1216 \ + test1220 test1221 test1222 test1223 \ + test1300 test1301 test1302 test1303 test1304 test1305 \ + test1306 test1307 test1308 test1309 test1310 test1311 test1312 test1313 \ +diff --git a/tests/data/Makefile.in b/tests/data/Makefile.in +index d5b0918..a070266 100644 +--- a/tests/data/Makefile.in ++++ b/tests/data/Makefile.in +@@ -341,7 +341,7 @@ test1110 test1111 test1112 test1113 test1114 test1115 test1116 test1117 \ + test1118 test1119 test1120 test1121 test1122 test1123 test1124 test1125 \ + test1126 test1127 test1128 test1129 test1130 test1131 test1132 test1133 \ + test1200 test1201 test1202 test1203 test1204 test1205 test1206 test1207 \ +-test1208 test1209 test1210 test1211 \ ++test1208 test1209 test1210 test1211 test1216 \ + test1220 test1221 test1222 test1223 \ + test1300 test1301 test1302 test1303 test1304 test1305 \ + test1306 test1307 test1308 test1309 test1310 test1311 test1312 test1313 \ +diff --git a/tests/data/test1216 b/tests/data/test1216 +new file mode 100644 +index 0000000..e63fe92 +--- /dev/null ++++ b/tests/data/test1216 +@@ -0,0 +1,62 @@ ++ ++ ++ ++HTTP ++HTTP GET ++HTTP proxy ++cookies ++ ++ ++ ++# Server-side ++ ++ ++HTTP/1.1 200 OK ++Server: Microsoft-IIS/4.0 ++Date: Tue, 25 Sep 2001 19:37:44 GMT ++Content-Type: text/html ++Connection: close ++Content-Length: 21 ++ ++This server says moo ++ ++ ++ ++# Client-side ++ ++ ++http ++ ++ ++HTTP cookie domains tailmatching the host name ++ ++ ++http://example.fake/c/1216 
http://bexample.fake/c/1216 -b log/injar1216 -x %HOSTIP:%HTTPPORT ++ ++ ++example.fake FALSE /a FALSE 2139150993 mooo indeed ++example.fake FALSE /b FALSE 0 moo1 indeed ++example.fake FALSE /c FALSE 2139150993 moo2 indeed ++ ++ ++ ++# Verify data after the test has been "shot" ++ ++ ++^User-Agent:.* ++ ++ ++GET http://example.fake/c/1216 HTTP/1.1 ++Host: example.fake ++Accept: */* ++Proxy-Connection: Keep-Alive ++Cookie: moo2=indeed ++ ++GET http://bexample.fake/c/1216 HTTP/1.1 ++Host: bexample.fake ++Accept: */* ++Proxy-Connection: Keep-Alive ++ ++ ++ ++ +-- +1.7.1 + + +From 6c5a78d0407788b1092bbc8a19b68b01ccb75f8a Mon Sep 17 00:00:00 2001 +From: YAMADA Yasuharu +Date: Thu, 11 Apr 2013 00:17:15 +0200 +Subject: [PATCH 2/3] cookie: fix tailmatching to prevent cross-domain leakage + +Cookies set for 'example.com' could accidentaly also be sent by libcurl +to the 'bexample.com' (ie with a prefix to the first domain name). + +This is a security vulnerabilty, CVE-2013-1944. + +Bug: http://curl.haxx.se/docs/adv_20130412.html + +Signed-off-by: Kamil Dudka +--- + lib/cookie.c | 24 +++++++++++++++++++----- + 1 files changed, 19 insertions(+), 5 deletions(-) + +diff --git a/lib/cookie.c b/lib/cookie.c +index 18b9155..d4fd78a 100644 +--- a/lib/cookie.c ++++ b/lib/cookie.c +@@ -118,15 +118,29 @@ static void freecookie(struct Cookie *co) + free(co); + } + +-static bool tailmatch(const char *little, const char *bigone) ++static bool tailmatch(const char *cooke_domain, const char *hostname) + { +- size_t littlelen = strlen(little); +- size_t biglen = strlen(bigone); ++ size_t cookie_domain_len = strlen(cooke_domain); ++ size_t hostname_len = strlen(hostname); + +- if(littlelen > biglen) ++ if(hostname_len < cookie_domain_len) + return FALSE; + +- return Curl_raw_equal(little, bigone+biglen-littlelen) ? TRUE : FALSE; ++ if(!Curl_raw_equal(cooke_domain, hostname+hostname_len-cookie_domain_len)) ++ return FALSE; ++ ++ /* A lead char of cookie_domain is not '.'. ++ RFC6265 4.1.2.3. 
The Domain Attribute says: ++ For example, if the value of the Domain attribute is ++ "example.com", the user agent will include the cookie in the Cookie ++ header when making HTTP requests to example.com, www.example.com, and ++ www.corp.example.com. ++ */ ++ if(hostname_len == cookie_domain_len) ++ return TRUE; ++ if('.' == *(hostname + hostname_len - cookie_domain_len - 1)) ++ return TRUE; ++ return FALSE; + } + + /* +-- +1.7.1 + + +From 6284e78c9421911a24349621c5b63684823d12f7 Mon Sep 17 00:00:00 2001 +From: Kamil Dudka +Date: Fri, 12 Apr 2013 15:55:57 +0200 +Subject: [PATCH 3/3] test1218: another cookie tailmatch test + +These tests verify commit 3604fde3d3c9b0d, the fix for the "cookie +domain tailmatch" vulnerability. See +http://curl.haxx.se/docs/adv_20130412.html + +Conflicts: + + tests/data/Makefile.am + +Signed-off-by: Kamil Dudka +--- + tests/data/Makefile.am | 2 +- + tests/data/Makefile.in | 2 +- + tests/data/test1218 | 61 ++++++++++++++++++++++++++++++++++++++++++++++++ + 3 files changed, 63 insertions(+), 2 deletions(-) + create mode 100644 tests/data/test1218 + +diff --git a/tests/data/Makefile.am b/tests/data/Makefile.am +index d714e5d..3e8dae0 100644 +--- a/tests/data/Makefile.am ++++ b/tests/data/Makefile.am +@@ -77,7 +77,7 @@ test1110 test1111 test1112 test1113 test1114 test1115 test1116 test1117 \ + test1118 test1119 test1120 test1121 test1122 test1123 test1124 test1125 \ + test1126 test1127 test1128 test1129 test1130 test1131 test1132 test1133 \ + test1200 test1201 test1202 test1203 test1204 test1205 test1206 test1207 \ +-test1208 test1209 test1210 test1211 test1216 \ ++test1208 test1209 test1210 test1211 test1216 test1218 \ + test1220 test1221 test1222 test1223 \ + test1300 test1301 test1302 test1303 test1304 test1305 \ + test1306 test1307 test1308 test1309 test1310 test1311 test1312 test1313 \ +diff --git a/tests/data/Makefile.in b/tests/data/Makefile.in +index a070266..71c9422 100644 +--- a/tests/data/Makefile.in ++++ 
b/tests/data/Makefile.in +@@ -341,7 +341,7 @@ test1110 test1111 test1112 test1113 test1114 test1115 test1116 test1117 \ + test1118 test1119 test1120 test1121 test1122 test1123 test1124 test1125 \ + test1126 test1127 test1128 test1129 test1130 test1131 test1132 test1133 \ + test1200 test1201 test1202 test1203 test1204 test1205 test1206 test1207 \ +-test1208 test1209 test1210 test1211 test1216 \ ++test1208 test1209 test1210 test1211 test1216 test1218 \ + test1220 test1221 test1222 test1223 \ + test1300 test1301 test1302 test1303 test1304 test1305 \ + test1306 test1307 test1308 test1309 test1310 test1311 test1312 test1313 \ +diff --git a/tests/data/test1218 b/tests/data/test1218 +new file mode 100644 +index 0000000..7d86547 +--- /dev/null ++++ b/tests/data/test1218 +@@ -0,0 +1,61 @@ ++ ++ ++ ++HTTP ++HTTP GET ++HTTP proxy ++cookies ++ ++ ++ ++# This test is very similar to 1216, only that it sets the cookies from the ++# first site instead of reading from a file ++ ++ ++HTTP/1.1 200 OK ++Date: Tue, 25 Sep 2001 19:37:44 GMT ++Set-Cookie: domain=.example.fake; bug=fixed; ++Content-Length: 21 ++ ++This server says moo ++ ++ ++ ++# Client-side ++ ++ ++http ++ ++ ++HTTP cookies and domains with same prefix ++ ++ ++http://example.fake/c/1218 http://example.fake/c/1218 http://bexample.fake/c/1218 -b nonexisting -x %HOSTIP:%HTTPPORT ++ ++ ++ ++# Verify data after the test has been "shot" ++ ++ ++^User-Agent:.* ++ ++ ++GET http://example.fake/c/1218 HTTP/1.1 ++Host: example.fake ++Accept: */* ++Proxy-Connection: Keep-Alive ++ ++GET http://example.fake/c/1218 HTTP/1.1 ++Host: example.fake ++Accept: */* ++Proxy-Connection: Keep-Alive ++Cookie: bug=fixed ++ ++GET http://bexample.fake/c/1218 HTTP/1.1 ++Host: bexample.fake ++Accept: */* ++Proxy-Connection: Keep-Alive ++ ++ ++ ++ +-- +1.7.1 + diff --git a/0006-curl-7.27.0-68d2830e.patch b/0006-curl-7.27.0-68d2830e.patch deleted file mode 100644 index be8c558..0000000 --- a/0006-curl-7.27.0-68d2830e.patch +++ /dev/null 
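Review bot: The new `tailmatch()` in lib/cookie.c is only correct when the cookie domain arrives without its leading dot, and nothing in the function states or enforces that. With a value such as `.example.fake` the byte before the matched tail is never `.`, so a subdomain is rejected and the bare host fails the length test; test1218 sets `domain=.example.fake`, so the dot is presumably stripped by the caller, which is outside the hunk. I would turn the first sentence of the comment into an explicit precondition, `/* cookie_domain must already have its leading '.' stripped by the caller */`, and reject an empty domain up front with `if(!cookie_domain_len) return FALSE;` so that an empty string can never be treated as a suffix match. The parameter is also misspelled `cooke_domain` while the comment and the length variable say `cookie_domain`; renaming it keeps this security-relevant function readable.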
@@ -1,68 +0,0 @@ -From c011938e10bf3af5896d0f7f5ecffc22150303f3 Mon Sep 17 00:00:00 2001 -From: Kamil Dudka -Date: Mon, 3 Dec 2012 13:17:50 +0100 -Subject: [PATCH 1/3] nss: prevent NSS from crashing on client auth hook failure - -Although it is not explicitly stated in the documentation, NSS uses -*pRetCert and *pRetKey even if the client authentication hook returns -a failure. Namely, if we destroy *pRetCert without clearing *pRetCert -afterwards, NSS destroys the certificate once again, which causes a -double free. - -Reported by: Bob Relyea - -[upstream commit 68d2830ee9df50961e481e81c1baaa290c33f03e] ---- - lib/nss.c | 17 +++++++++++------ - 1 files changed, 11 insertions(+), 6 deletions(-) - -diff --git a/lib/nss.c b/lib/nss.c -index 22b53bf..794eccb 100644 ---- a/lib/nss.c -+++ b/lib/nss.c -@@ -757,6 +757,8 @@ static SECStatus SelectClientCert(void *arg, PRFileDesc *sock, - static const char pem_slotname[] = "PEM Token #1"; - SECItem cert_der = { 0, NULL, 0 }; - void *proto_win = SSL_RevealPinArg(sock); -+ struct CERTCertificateStr *cert; -+ struct SECKEYPrivateKeyStr *key; - - PK11SlotInfo *slot = PK11_FindSlotByName(pem_slotname); - if(NULL == slot) { -@@ -771,24 +773,27 @@ static SECStatus SelectClientCert(void *arg, PRFileDesc *sock, - return SECFailure; - } - -- *pRetCert = PK11_FindCertFromDERCertItem(slot, &cert_der, proto_win); -+ cert = PK11_FindCertFromDERCertItem(slot, &cert_der, proto_win); - SECITEM_FreeItem(&cert_der, PR_FALSE); -- if(NULL == *pRetCert) { -+ if(NULL == cert) { - failf(data, "NSS: client certificate from file not found"); - PK11_FreeSlot(slot); - return SECFailure; - } - -- *pRetKey = PK11_FindPrivateKeyFromCert(slot, *pRetCert, NULL); -+ key = PK11_FindPrivateKeyFromCert(slot, cert, NULL); - PK11_FreeSlot(slot); -- if(NULL == *pRetKey) { -+ if(NULL == key) { - failf(data, "NSS: private key from file not found"); -- CERT_DestroyCertificate(*pRetCert); -+ CERT_DestroyCertificate(cert); - return SECFailure; - } - - infof(data, 
"NSS: client certificate from file\n"); -- display_cert_info(data, *pRetCert); -+ display_cert_info(data, cert); -+ -+ *pRetCert = cert; -+ *pRetKey = key; - return SECSuccess; - } - --- -1.7.1 - diff --git a/0006-curl-7.29.0-25e577b3.patch b/0006-curl-7.29.0-25e577b3.patch new file mode 100644 index 0000000..2b6a786 --- /dev/null +++ b/0006-curl-7.29.0-25e577b3.patch 
@@ -0,0 +1,86 @@ +From 74d01a8e4d48eedc526cffaf6a6bc782b139e068 Mon Sep 17 00:00:00 2001 +From: Kim Vandry +Date: Mon, 18 Feb 2013 21:36:34 +0100 +Subject: [PATCH 1/2] Curl_resolver_is_resolved: show proper host name on failed resolve + +[upstream commit 25e577b33d00afb6630cf2cac98d6baa319e9aef] + +Signed-off-by: Kamil Dudka +--- + lib/asyn-thread.c | 35 ++++++++++++++++++++--------------- + 1 files changed, 20 insertions(+), 15 deletions(-) + +diff --git a/lib/asyn-thread.c b/lib/asyn-thread.c +index 7a8294d..c392b21 100644 +--- a/lib/asyn-thread.c ++++ b/lib/asyn-thread.c +@@ -430,8 +430,19 @@ static const char *gai_strerror(int ecode) + * error + */ + +-static void resolver_error(struct connectdata *conn, const char *host_or_proxy) ++static CURLcode resolver_error(struct connectdata *conn) + { ++ const char *host_or_proxy; ++ CURLcode rc; ++ if(conn->bits.httpproxy) { ++ host_or_proxy = "proxy"; ++ rc = CURLE_COULDNT_RESOLVE_PROXY; ++ } ++ else { ++ host_or_proxy = "host"; ++ rc = CURLE_COULDNT_RESOLVE_HOST; ++ } ++ + failf(conn->data, "Could not resolve %s: %s; %s", host_or_proxy, + conn->async.hostname, + #ifdef HAVE_GAI_STRERROR +@@ -442,6 +453,7 @@ static void resolver_error(struct connectdata *conn, const char *host_or_proxy) + Curl_strerror(conn, conn->async.status) + #endif + ); ++ return rc; + } + + /* +@@ -473,17 +485,9 @@ CURLcode Curl_resolver_wait_resolv(struct connectdata *conn, + if(entry) + *entry = conn->async.dns; + +- if(!conn->async.dns) { +- /* a name was not resolved */ +- if(conn->bits.httpproxy) { +- resolver_error(conn, "proxy"); +- rc = CURLE_COULDNT_RESOLVE_PROXY; +- } +- else { +- resolver_error(conn, "host"); +- rc = CURLE_COULDNT_RESOLVE_HOST; +- } +- } ++ if(!conn->async.dns) ++ /* a name was not resolved, report error */ ++ rc = resolver_error(conn); + + destroy_async_data(&conn->async); + +@@ -518,12 +522,13 @@ CURLcode Curl_resolver_is_resolved(struct connectdata *conn, + + if(done) { + getaddrinfo_complete(conn); +- 
destroy_async_data(&conn->async); + + if(!conn->async.dns) { +- resolver_error(conn, "host"); +- return CURLE_COULDNT_RESOLVE_HOST; ++ CURLcode rc = resolver_error(conn); ++ destroy_async_data(&conn->async); ++ return rc; + } ++ destroy_async_data(&conn->async); + *entry = conn->async.dns; + } + else { +-- +1.7.1 + diff --git a/0007-curl-7.27.0-b36f1d26.patch b/0007-curl-7.27.0-b36f1d26.patch deleted file mode 100644 index c712da0..0000000 --- a/0007-curl-7.27.0-b36f1d26.patch +++ /dev/null 
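Review bot: In Curl_resolver_is_resolved the new failure branch only works because resolver_error() runs before destroy_async_data(), since resolver_error() formats conn->async.hostname into the failf() message, and nothing in the code records that ordering. A comment above the call such as `/* report first: resolver_error() reads conn->async.hostname, which destroy_async_data() presumably releases */` would keep a later cleanup from bringing back the wrong host name; the body of destroy_async_data() is not in this hunk, so the release is inferred. The success path still reads `conn->async.dns` after `destroy_async_data(&conn->async)`, which predates this patch. Assigning `*entry = conn->async.dns;` before the destroy call, as Curl_resolver_wait_resolv already does, would make the lifetime obvious.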
@@ -1,55 +0,0 @@ -From fefd7cdcde39c56651f6e2c32be9cd79354ffdc4 Mon Sep 17 00:00:00 2001 -From: Kamil Dudka -Date: Fri, 11 Jan 2013 10:24:21 +0100 -Subject: [PATCH 2/3] nss: clear session cache if a client cert from file is used - -This commit fixes a regression introduced in 052a08ff. - -NSS caches certs/keys returned by the SSL_GetClientAuthDataHook callback -and if we connect second time to the same server, the cached cert/key -pair is used. If we use multiple client certificates for different -paths on the same server, we need to clear the session cache to force -NSS to call the hook again. The commit 052a08ff prevented the session -cache from being cleared if a client certificate from file was used. - -The condition is now fixed to cover both cases: consssl->client_nickname -is not NULL if a client certificate from the NSS database is used and -connssl->obj_clicert is not NULL if a client certificate from file is -used. - -Review by: Kai Engert - -[upstream commit b36f1d26f830453ebaa17238f9bd1e396f618720] ---- - lib/nss.c | 12 ++++++++---- - 1 files changed, 8 insertions(+), 4 deletions(-) - -diff --git a/lib/nss.c b/lib/nss.c -index 794eccb..f97090a 100644 ---- a/lib/nss.c -+++ b/lib/nss.c -@@ -1058,13 +1058,17 @@ void Curl_nss_close(struct connectdata *conn, int sockindex) - as closed to avoid double close */ - fake_sclose(conn->sock[sockindex]); - conn->sock[sockindex] = CURL_SOCKET_BAD; -+ -+ if((connssl->client_nickname != NULL) || (connssl->obj_clicert != NULL)) -+ /* A server might require different authentication based on the -+ * particular path being requested by the client. To support this -+ * scenario, we must ensure that a connection will never reuse the -+ * authentication data from a previous connection. 
*/ -+ SSL_InvalidateSession(connssl->handle); -+ - if(connssl->client_nickname != NULL) { - free(connssl->client_nickname); - connssl->client_nickname = NULL; -- -- /* force NSS to ask again for a client cert when connecting -- * next time to the same server */ -- SSL_InvalidateSession(connssl->handle); - } - /* destroy all NSS objects in order to avoid failure of NSS shutdown */ - Curl_llist_destroy(connssl->obj_list, NULL); --- -1.7.1 - diff --git a/0007-curl-7.29.0-b37b5233.patch b/0007-curl-7.29.0-b37b5233.patch new file mode 100644 index 0000000..0f6a0c1 --- /dev/null +++ b/0007-curl-7.29.0-b37b5233.patch @@ -0,0 +1,35 @@ +From fd5664bc7322ebffb8d5532d17a743ace8a5449e Mon Sep 17 00:00:00 2001 +From: Zdenek Pavlas +Date: Fri, 26 Apr 2013 14:56:38 +0200 +Subject: [PATCH 2/2] url: initialize speed-check data for file:// protocol + +... in order to prevent an artificial timeout event based on stale +speed-check data from a previous network transfer. This commit fixes +a regression caused by 9dd85bced56f6951107f69e581c872c1e7e3e58e. + +Bug: https://bugzilla.redhat.com/906031 + +[upstream commit b37b5233cab96b5b1f2ab7f6e0b9c3df77320bba] + +Signed-off-by: Kamil Dudka +--- + lib/url.c | 3 +++ + 1 files changed, 3 insertions(+), 0 deletions(-) + +diff --git a/lib/url.c b/lib/url.c +index 918ce58..b269027 100644 +--- a/lib/url.c ++++ b/lib/url.c +@@ -4895,6 +4895,9 @@ static CURLcode create_conn(struct SessionHandle *data, + -1, NULL); /* no upload */ + } + ++ /* since we skip do_init() */ ++ Curl_speedinit(data); ++ + return result; + } + #endif +-- +1.7.1 + diff --git a/0008-curl-7.27.0-26613d78.patch b/0008-curl-7.27.0-26613d78.patch deleted file mode 100644 index 27e381c..0000000 --- a/0008-curl-7.27.0-26613d78.patch +++ /dev/null 
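Review bot: The added comment `/* since we skip do_init() */` in create_conn does not say what goes wrong without the call, so the reason for the reset is easy to lose in a later refactor. Per the patch description, the risk is an artificial timeout driven by stale speed-check data from a previous network transfer. I would spell that out, e.g. `/* file:// skips do_init(); reset the speed-check state so stale data from an earlier transfer cannot trigger a timeout */`. create_conn starts and ends outside this hunk, so whether other early-return paths also skip do_init() cannot be checked from here.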
@@ -1,30 +0,0 @@ -From afd2d98b4a9c69fb47048122629fd4be1d40f906 Mon Sep 17 00:00:00 2001 -From: Kamil Dudka -Date: Tue, 15 Jan 2013 12:58:08 +0100 -Subject: [PATCH 3/3] nss: fix error messages for CURLE_SSL_{CACERT,CRL}_BADFILE - -Do not use the error messages from NSS for errors not occurring in NSS. - -[upstream commit 26613d781725e39b0f601301a65c64e146977d8f] ---- - lib/nss.c | 2 -- - 1 files changed, 0 insertions(+), 2 deletions(-) - -diff --git a/lib/nss.c b/lib/nss.c -index f97090a..c5dcf52 100644 ---- a/lib/nss.c -+++ b/lib/nss.c -@@ -1096,10 +1096,8 @@ static bool is_nss_error(CURLcode err) - switch(err) { - case CURLE_PEER_FAILED_VERIFICATION: - case CURLE_SSL_CACERT: -- case CURLE_SSL_CACERT_BADFILE: - case CURLE_SSL_CERTPROBLEM: - case CURLE_SSL_CONNECT_ERROR: -- case CURLE_SSL_CRL_BADFILE: - case CURLE_SSL_ISSUER_ERROR: - return true; - --- -1.7.1 - diff --git a/0008-curl-7.29.0-192c4f78.patch b/0008-curl-7.29.0-192c4f78.patch new file mode 100644 index 0000000..299f386 --- /dev/null +++ b/0008-curl-7.29.0-192c4f78.patch 
@@ -0,0 +1,43 @@ +From 25089c2c69028f0549facf93f7bdbf7344277f09 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Sun, 19 May 2013 23:24:29 +0200 +Subject: [PATCH] Curl_urldecode: no peeking beyond end of input buffer + +Security problem: CVE-2013-2174 + +If a program would give a string like "%FF" to curl_easy_unescape() but +ask for it to decode only the first byte, it would still parse and +decode the full hex sequence. The function then not only read beyond the +allowed buffer but it would also deduct the *unsigned* counter variable +for how many more bytes there's left to read in the buffer by two, +making the counter wrap. Continuing this, the function would go on +reading beyond the buffer and soon writing beyond the allocated target +buffer... + +Bug: http://curl.haxx.se/docs/adv_20130622.html +Reported-by: Timo Sirainen + +[upstream commit 192c4f788d48f82c03e9cef40013f34370e90737] + +Signed-off-by: Kamil Dudka +--- + lib/escape.c | 3 ++- + 1 files changed, 2 insertions(+), 1 deletions(-) + +diff --git a/lib/escape.c b/lib/escape.c +index 6a26cf8..a567edb 100644 +--- a/lib/escape.c ++++ b/lib/escape.c +@@ -159,7 +159,8 @@ CURLcode Curl_urldecode(struct SessionHandle *data, + + while(--alloc > 0) { + in = *string; +- if(('%' == in) && ISXDIGIT(string[1]) && ISXDIGIT(string[2])) { ++ if(('%' == in) && (alloc > 2) && ++ ISXDIGIT(string[1]) && ISXDIGIT(string[2])) { + /* this is two hexadecimal digits following a '%' */ + char hexstr[3]; + char *ptr; +-- +1.7.1 + diff --git a/0009-curl-7.27.0-f206d6c0.patch b/0009-curl-7.27.0-f206d6c0.patch deleted file mode 100644 index f904907..0000000 --- a/0009-curl-7.27.0-f206d6c0.patch +++ /dev/null 
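Review bot: The bounds fix in Curl_urldecode depends on `(alloc > 2)` being evaluated before `ISXDIGIT(string[1])` and `ISXDIGIT(string[2])`, and on `alloc` holding the number of input bytes still available at that point (as the loop header `while(--alloc > 0)` suggests), but neither invariant is written down next to the condition. Since this one condition is the whole fix for CVE-2013-2174, a comment such as `/* alloc = bytes left including this '%'; test it first so string[1] and string[2] are never read past the caller's length */` would protect it from being reordered. The patch also carries no regression test. A case that calls curl_easy_unescape() on a "%FF"-style string with a length of 1, as the description outlines, and checks that only that one byte is consumed would pin the behaviour. The loop body and the initialisation of `alloc` are outside the hunk.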
@@ -1,69 +0,0 @@ -From 46890e837c3b27195e4b0285d221d900f2ad48cc Mon Sep 17 00:00:00 2001 -From: Eldar Zaitov -Date: Wed, 30 Jan 2013 23:22:27 +0100 -Subject: [PATCH] Curl_sasl_create_digest_md5_message: fix buffer overflow - -When negotiating SASL DIGEST-MD5 authentication, the function -Curl_sasl_create_digest_md5_message() uses the data provided from the -server without doing the proper length checks and that data is then -appended to a local fixed-size buffer on the stack. - -This vulnerability can be exploited by someone who is in control of a -server that a libcurl based program is accessing with POP3, SMTP or -IMAP. For applications that accept user provided URLs, it is also -thinkable that a malicious user would feed an application with a URL to -a server hosting code targetting this flaw. - -Bug: http://curl.haxx.se/docs/adv_20130206.html - -[upstream commit f206d6c055d1008f0edb6d5d5920f0f300b9983a] - -Signed-off-by: Kamil Dudka ---- - lib/curl_sasl.c | 23 ++++++----------------- - 1 files changed, 6 insertions(+), 17 deletions(-) - -diff --git a/lib/curl_sasl.c b/lib/curl_sasl.c -index ccb54a8..e42b850 100644 ---- a/lib/curl_sasl.c -+++ b/lib/curl_sasl.c -@@ -345,9 +345,7 @@ CURLcode Curl_sasl_create_digest_md5_message(struct SessionHandle *data, - snprintf(&HA1_hex[2 * i], 3, "%02x", digest[i]); - - /* Prepare the URL string */ -- strcpy(uri, service); -- strcat(uri, "/"); -- strcat(uri, realm); -+ snprintf(uri, sizeof(uri), "%s/%s", service, realm); - - /* Calculate H(A2) */ - ctxt = Curl_MD5_init(Curl_DIGEST_MD5); -@@ -391,20 +389,11 @@ CURLcode Curl_sasl_create_digest_md5_message(struct SessionHandle *data, - for(i = 0; i < MD5_DIGEST_LEN; i++) - snprintf(&resp_hash_hex[2 * i], 3, "%02x", digest[i]); - -- strcpy(response, "username=\""); -- strcat(response, userp); -- strcat(response, "\",realm=\""); -- strcat(response, realm); -- strcat(response, "\",nonce=\""); -- strcat(response, nonce); -- strcat(response, "\",cnonce=\""); -- strcat(response, 
cnonce); -- strcat(response, "\",nc="); -- strcat(response, nonceCount); -- strcat(response, ",digest-uri=\""); -- strcat(response, uri); -- strcat(response, "\",response="); -- strcat(response, resp_hash_hex); -+ snprintf(response, sizeof(response), -+ "username=\"%s\",realm=\"%s\",nonce=\"%s\"," -+ "cnonce=\"%s\",nc=\"%s\",digest-uri=\"%s\",response=%s", -+ userp, realm, nonce, -+ cnonce, nonceCount, uri, resp_hash_hex); - - /* Base64 encode the reply */ - return Curl_base64_encode(data, response, 0, outptr, outlen); --- -1.7.1 - diff --git a/0009-curl-7.29.0-3a0e931f.patch b/0009-curl-7.29.0-3a0e931f.patch new file mode 100644 index 0000000..0849d9d --- /dev/null +++ b/0009-curl-7.29.0-3a0e931f.patch 
@@ -0,0 +1,101 @@ +From b49d54103a4f011998195263de850642fa21f705 Mon Sep 17 00:00:00 2001 +From: Kamil Dudka +Date: Tue, 9 Jul 2013 14:59:01 +0200 +Subject: [PATCH 1/3] curl.1: document the --time-cond option in the man page + +[upstream commit 3a0e931fc715a80004958794a96b12cf90503f99] +--- + docs/curl.1 | 3 +++ + 1 files changed, 3 insertions(+), 0 deletions(-) + +diff --git a/docs/curl.1 b/docs/curl.1 +index 1aeeb46..4b12c3f 100644 +--- a/docs/curl.1 ++++ b/docs/curl.1 +@@ -1407,6 +1407,9 @@ default 512 bytes will be used. + If this option is used several times, the last one will be used. + + (Added in 7.20.0) ++.IP " -z, --time-cond TIME" ++Transfer based on a time condition. TIME may to be preceded by -, +, or =. ++See the corresponding sections 14.24, 14.28, and 14.29 of RFC 2068. + .IP "--tlsauthtype " + Set TLS authentication type. Currently, the only supported option is "SRP", + for TLS-SRP (RFC 5054). If \fI--tlsuser\fP and \fI--tlspassword\fP are +-- +1.7.1 + + +From fdc89d82464d90560aa5da857374906338472ed6 Mon Sep 17 00:00:00 2001 +From: Kamil Dudka +Date: Tue, 9 Jul 2013 14:59:01 +0200 +Subject: [PATCH 2/3] curl.1: document the --post303 option in the man page + +[upstream commit 39e85d99feede7cc573902e8ab6b3dd759022d9c] +--- + docs/curl.1 | 7 +++++++ + 1 files changed, 7 insertions(+), 0 deletions(-) + +diff --git a/docs/curl.1 b/docs/curl.1 +index 4b12c3f..5dd6579 100644 +--- a/docs/curl.1 ++++ b/docs/curl.1 +@@ -1038,6 +1038,13 @@ ubiquitous in web browsers, so curl does the conversion by default to maintain + consistency. However, a server may require a POST to remain a POST after such + a redirection. This option is meaningful only when using \fI-L, --location\fP + (Added in 7.19.1) ++.IP "--post303" ++(HTTP) Tells curl to respect RFC 2616/10.3.2 and not convert POST requests ++into GET requests when following a 303 redirection. The non-RFC behaviour is ++ubiquitous in web browsers, so curl does the conversion by default to maintain ++consistency. 
However, a server may require a POST to remain a POST after such ++a redirection. This option is meaningful only when using \fI-L, --location\fP ++(Added in 7.26.0) + .IP "--proto " + Tells curl to use the listed protocols for its initial retrieval. Protocols + are evaluated left to right, are comma separated, and are each a protocol +-- +1.7.1 + + +From 31102c7190a0a009cf0c06b23f98880cb43d4f55 Mon Sep 17 00:00:00 2001 +From: Kamil Dudka +Date: Tue, 9 Jul 2013 15:45:36 +0200 +Subject: [PATCH 3/3] Revert "curl.1: document the --time-cond option in the man page" + +This reverts commit 3a0e931fc715a80004958794a96b12cf90503f99 because +the documentation of --time-cond was duplicated by mistake. + +Reported by: Dave Reisner + +[upstream commit 45339625bc85b29225a2035a57eceda43206dd1e] +--- + docs/curl.1 | 5 +---- + 1 files changed, 1 insertions(+), 4 deletions(-) + +diff --git a/docs/curl.1 b/docs/curl.1 +index 5dd6579..b350865 100644 +--- a/docs/curl.1 ++++ b/docs/curl.1 +@@ -1414,9 +1414,6 @@ default 512 bytes will be used. + If this option is used several times, the last one will be used. + + (Added in 7.20.0) +-.IP " -z, --time-cond TIME" +-Transfer based on a time condition. TIME may to be preceded by -, +, or =. +-See the corresponding sections 14.24, 14.28, and 14.29 of RFC 2068. + .IP "--tlsauthtype " + Set TLS authentication type. Currently, the only supported option is "SRP", + for TLS-SRP (RFC 5054). If \fI--tlsuser\fP and \fI--tlspassword\fP are +@@ -1699,7 +1696,7 @@ speed-time seconds it gets aborted. speed-time is set with \fI-y\fP and is 30 + if not set. + + If this option is used several times, the last one will be used. +-.IP "-z/--time-cond |" ++.IP "-z, --time-cond |" + (HTTP/FTP) Request a file that has been modified later than the given time and + date, or one that has been modified before that time. The + can be all sorts of date strings or if it doesn't match any internal ones, it +-- +1.7.1 + 
diff --git a/0010-curl-7.27.0-57ccdfa8.patch b/0010-curl-7.27.0-57ccdfa8.patch deleted file mode 100644 index cc4be82..0000000 --- a/0010-curl-7.27.0-57ccdfa8.patch +++ /dev/null 
@@ -1,158 +0,0 @@ -From fba5ed6d23b8fab97150da2b49a35236a8f4684c Mon Sep 17 00:00:00 2001 -From: Zdenek Pavlas -Date: Mon, 11 Mar 2013 14:57:07 +0100 -Subject: [PATCH] curl_global_init: accept the CURL_GLOBAL_ACK_EINTR flag - -The flag can be used in pycurl-based applications where using the multi -interface would not be acceptable because of the performance lost caused -by implementing the select() loop in python. - -Bug: http://curl.haxx.se/bug/view.cgi?id=1168 -Downstream Bug: https://bugzilla.redhat.com/919127 - -[upstream commit 57ccdfa8d2bb6275388223f4676cd623ebd01697] - -Signed-off-by: Kamil Dudka ---- - docs/libcurl/curl_global_init.3 | 4 ++++ - docs/libcurl/symbols-in-versions | 1 + - include/curl/curl.h | 1 + - lib/easy.c | 6 +++++- - lib/select.c | 17 ++--------------- - lib/select.h | 6 ++++++ - 6 files changed, 19 insertions(+), 16 deletions(-) - -diff --git a/docs/libcurl/curl_global_init.3 b/docs/libcurl/curl_global_init.3 -index d91e1bd..6a08383 100644 ---- a/docs/libcurl/curl_global_init.3 -+++ b/docs/libcurl/curl_global_init.3 -@@ -70,6 +70,10 @@ Initialise nothing extra. This sets no bit. - .B CURL_GLOBAL_DEFAULT - A sensible default. It will init both SSL and Win32. Right now, this equals - the functionality of the \fBCURL_GLOBAL_ALL\fP mask. -+.TP -+.B CURL_GLOBAL_ACK_EINTR -+When this flag is set, curl will acknowledge EINTR condition when connecting -+or when waiting for data. Otherwise, curl waits until full timeout elapses. - .SH RETURN VALUE - If this function returns non-zero, something went wrong and you cannot use the - other curl functions. 
-diff --git a/docs/libcurl/symbols-in-versions b/docs/libcurl/symbols-in-versions -index 41705fd..c528208 100644 ---- a/docs/libcurl/symbols-in-versions -+++ b/docs/libcurl/symbols-in-versions -@@ -612,6 +612,7 @@ CURL_GLOBAL_DEFAULT 7.8 - CURL_GLOBAL_NOTHING 7.8 - CURL_GLOBAL_SSL 7.8 - CURL_GLOBAL_WIN32 7.8.1 -+CURL_GLOBAL_ACK_EINTR 7.30.0 - CURL_HTTP_VERSION_1_0 7.9.1 - CURL_HTTP_VERSION_1_1 7.9.1 - CURL_HTTP_VERSION_NONE 7.9.1 -diff --git a/include/curl/curl.h b/include/curl/curl.h -index 2cad282..63e7056 100644 ---- a/include/curl/curl.h -+++ b/include/curl/curl.h -@@ -2022,6 +2022,7 @@ typedef enum { - #define CURL_GLOBAL_ALL (CURL_GLOBAL_SSL|CURL_GLOBAL_WIN32) - #define CURL_GLOBAL_NOTHING 0 - #define CURL_GLOBAL_DEFAULT CURL_GLOBAL_ALL -+#define CURL_GLOBAL_ACK_EINTR (1<<2) - - - /***************************************************************************** -diff --git a/lib/easy.c b/lib/easy.c -index 6e8ff77..88f4a60 100644 ---- a/lib/easy.c -+++ b/lib/easy.c -@@ -267,6 +267,8 @@ CURLcode curl_global_init(long flags) - } - #endif - -+ Curl_ack_eintr = flags & CURL_GLOBAL_ACK_EINTR; -+ - init_flags = flags; - - /* Preset pseudo-random number sequence. */ -@@ -459,9 +461,11 @@ CURLcode curl_easy_perform(CURL *easy) - select. This whole alternative version should probably rather use the - curl_multi_socket() approach. */ - -- if(rc == -1) -+ if(rc == -1) { - /* select error */ -+ code = CURLE_RECV_ERROR; - break; -+ } - - /* timeout or data to send/receive => loop! 
*/ - } while(still_running); -diff --git a/lib/select.c b/lib/select.c -index 40673ec..bb8b773 100644 ---- a/lib/select.c -+++ b/lib/select.c -@@ -50,11 +50,8 @@ - - #define elapsed_ms (int)curlx_tvdiff(curlx_tvnow(), initial_tv) - --#ifdef CURL_ACKNOWLEDGE_EINTR --#define error_not_EINTR (1) --#else --#define error_not_EINTR (error != EINTR) --#endif -+int Curl_ack_eintr = 0; -+#define error_not_EINTR (Curl_ack_eintr || error != EINTR) - - /* - * Internal function used for waiting a specific amount of ms -@@ -67,10 +64,6 @@ - * Timeout resolution, accuracy, as well as maximum supported - * value is system dependent, neither factor is a citical issue - * for the intended use of this function in the library. -- * On non-DOS and non-Winsock platforms, when compiled with -- * CURL_ACKNOWLEDGE_EINTR defined, EINTR condition is honored -- * and function might exit early without awaiting full timeout, -- * otherwise EINTR will be ignored and full timeout will elapse. - * - * Return values: - * -1 = system call error, invalid timeout value, or interrupted -@@ -133,9 +126,6 @@ int Curl_wait_ms(int timeout_ms) - * A negative timeout value makes this function wait indefinitely, - * unles no valid file descriptor is given, when this happens the - * negative timeout is ignored and the function times out immediately. -- * When compiled with CURL_ACKNOWLEDGE_EINTR defined, EINTR condition -- * is honored and function might exit early without awaiting timeout, -- * otherwise EINTR will be ignored. - * - * Return values: - * -1 = system call error or fd >= FD_SETSIZE -@@ -347,9 +337,6 @@ int Curl_socket_check(curl_socket_t readfd0, /* two sockets to read from */ - * A negative timeout value makes this function wait indefinitely, - * unles no valid file descriptor is given, when this happens the - * negative timeout is ignored and the function times out immediately. 
-- * When compiled with CURL_ACKNOWLEDGE_EINTR defined, EINTR condition -- * is honored and function might exit early without awaiting timeout, -- * otherwise EINTR will be ignored. - * - * Return values: - * -1 = system call error or fd >= FD_SETSIZE -diff --git a/lib/select.h b/lib/select.h -index b50604b..4f0e464 100644 ---- a/lib/select.h -+++ b/lib/select.h -@@ -99,6 +99,12 @@ int Curl_socket_check(curl_socket_t readfd, curl_socket_t readfd2, - - int Curl_poll(struct pollfd ufds[], unsigned int nfds, int timeout_ms); - -+/* On non-DOS and non-Winsock platforms, when Curl_ack_eintr is set, -+ * EINTR condition is honored and function might exit early without -+ * awaiting full timeout. Otherwise EINTR will be ignored and full -+ * timeout will elapse. */ -+extern int Curl_ack_eintr; -+ - int Curl_wait_ms(int timeout_ms); - - #ifdef TPF --- -1.7.1 - diff --git a/0010-curl-7.29.0-7cc00d9a.patch b/0010-curl-7.29.0-7cc00d9a.patch new file mode 100644 index 0000000..fb44274 --- /dev/null +++ b/0010-curl-7.29.0-7cc00d9a.patch 
@@ -0,0 +1,395 @@ +From 3f411052825386a95d039435eb139a63859c3c73 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Mon, 5 Aug 2013 23:49:53 +0200 +Subject: [PATCH] FTP: when EPSV gets a 229 but fails to connect, retry with PASV + +This is a regression as this logic used to work. It isn't clear when it +broke, but I'm assuming in 7.28.0 when we went all-multi internally. + +This likely never worked with the multi interface. As the failed +connection is detected once the multi state has reached DO_MORE, the +Curl_do_more() function was now expanded somewhat so that the +ftp_do_more() function can request to go "back" to the previous state +when it makes another attempt - using PASV. + +Added test case 1233 to verify this fix. It has the little issue that it +assumes no service is listening/accepting connections on port 1... + +Reported-by: byte_bucket in the #curl IRC channel + +[upstream commit 7cc00d9a832c42a330888aa5c11a2abad1bd5ac0] + +Signed-off-by: Kamil Dudka +--- + lib/ftp.c | 64 ++++++++++++++++++++++++++++------------------- + lib/multi.c | 11 ++++++-- + lib/url.c | 10 ++++--- + lib/url.h | 4 +- + lib/urldata.h | 2 +- + tests/data/Makefile.am | 2 +- + tests/data/test1233 | 46 ++++++++++++++++++++++++++++++++++ + 7 files changed, 102 insertions(+), 37 deletions(-) + create mode 100644 tests/data/test1233 + +diff --git a/lib/ftp.c b/lib/ftp.c +index 469b887..4501116 100644 +--- a/lib/ftp.c ++++ b/lib/ftp.c +@@ -136,7 +136,7 @@ static CURLcode ftp_done(struct connectdata *conn, + CURLcode, bool premature); + static CURLcode ftp_connect(struct connectdata *conn, bool *done); + static CURLcode ftp_disconnect(struct connectdata *conn, bool dead_connection); +-static CURLcode ftp_do_more(struct connectdata *conn, bool *completed); ++static CURLcode ftp_do_more(struct connectdata *conn, int *completed); + static CURLcode ftp_multi_statemach(struct connectdata *conn, bool *done); + static int ftp_getsock(struct connectdata *conn, curl_socket_t *socks, + int 
numsocks); +@@ -1794,15 +1794,15 @@ static CURLcode ftp_state_quote(struct connectdata *conn, + static CURLcode ftp_epsv_disable(struct connectdata *conn) + { + CURLcode result = CURLE_OK; +- infof(conn->data, "got positive EPSV response, but can't connect. " +- "Disabling EPSV\n"); ++ infof(conn->data, "Failed EPSV attempt. Disabling EPSV\n"); + /* disable it for next transfer */ + conn->bits.ftp_use_epsv = FALSE; + conn->data->state.errorbuf = FALSE; /* allow error message to get + rewritten */ + PPSENDF(&conn->proto.ftpc.pp, "PASV", NULL); + conn->proto.ftpc.count1++; +- /* remain in the FTP_PASV state */ ++ /* remain in/go to the FTP_PASV state */ ++ state(conn, FTP_PASV); + return result; + } + +@@ -1931,15 +1931,7 @@ static CURLcode ftp_state_pasv_resp(struct connectdata *conn, + } + else if(ftpc->count1 == 0) { + /* EPSV failed, move on to PASV */ +- +- /* disable it for next transfer */ +- conn->bits.ftp_use_epsv = FALSE; +- infof(data, "disabling EPSV usage\n"); +- +- PPSENDF(&ftpc->pp, "PASV", NULL); +- ftpc->count1++; +- /* remain in the FTP_PASV state */ +- return result; ++ return ftp_epsv_disable(conn); + } + else { + failf(data, "Bad PASV/EPSV response: %03d", ftpcode); +@@ -2018,14 +2010,17 @@ static CURLcode ftp_state_pasv_resp(struct connectdata *conn, + case CURLPROXY_SOCKS5_HOSTNAME: + result = Curl_SOCKS5(conn->proxyuser, conn->proxypasswd, newhost, newport, + SECONDARYSOCKET, conn); ++ connected = TRUE; + break; + case CURLPROXY_SOCKS4: + result = Curl_SOCKS4(conn->proxyuser, newhost, newport, + SECONDARYSOCKET, conn, FALSE); ++ connected = TRUE; + break; + case CURLPROXY_SOCKS4A: + result = Curl_SOCKS4(conn->proxyuser, newhost, newport, + SECONDARYSOCKET, conn, TRUE); ++ connected = TRUE; + break; + case CURLPROXY_HTTP: + case CURLPROXY_HTTP_1_0: +@@ -2077,8 +2072,7 @@ static CURLcode ftp_state_pasv_resp(struct connectdata *conn, + } + } + +- conn->bits.tcpconnect[SECONDARYSOCKET] = TRUE; +- ++ conn->bits.tcpconnect[SECONDARYSOCKET] = 
connected; + conn->bits.do_more = TRUE; + state(conn, FTP_STOP); /* this phase is completed */ + +@@ -3664,20 +3658,23 @@ static CURLcode ftp_range(struct connectdata *conn) + * + * This function shall be called when the second FTP (data) connection is + * connected. ++ * ++ * 'complete' can return 0 for incomplete, 1 for done and -1 for go back ++ * (which basically is only for when PASV is being sent to retry a failed ++ * EPSV). + */ + +-static CURLcode ftp_do_more(struct connectdata *conn, bool *complete) ++static CURLcode ftp_do_more(struct connectdata *conn, int *completep) + { + struct SessionHandle *data=conn->data; + struct ftp_conn *ftpc = &conn->proto.ftpc; + CURLcode result = CURLE_OK; + bool connected = FALSE; ++ bool complete = FALSE; + + /* the ftp struct is inited in ftp_connect() */ + struct FTP *ftp = data->state.proto.ftp; + +- *complete = FALSE; +- + /* if the second connection isn't done yet, wait for it */ + if(!conn->bits.tcpconnect[SECONDARYSOCKET]) { + if(conn->tunnel_state[SECONDARYSOCKET] == TUNNEL_CONNECT) { +@@ -3694,14 +3691,22 @@ static CURLcode ftp_do_more(struct connectdata *conn, bool *complete) + if(connected) { + DEBUGF(infof(data, "DO-MORE connected phase starts\n")); + } +- else ++ else { ++ if(result && (ftpc->count1 == 0)) { ++ *completep = -1; /* go back to DOING please */ ++ /* this is a EPSV connect failing, try PASV instead */ ++ return ftp_epsv_disable(conn); ++ } + return result; ++ } + } + + if(ftpc->state) { + /* already in a state so skip the intial commands. 
+ They are only done to kickstart the do_more state */ +- result = ftp_multi_statemach(conn, complete); ++ result = ftp_multi_statemach(conn, &complete); ++ ++ *completep = (int)complete; + + /* if we got an error or if we don't wait for a data connection return + immediately */ +@@ -3712,7 +3717,7 @@ static CURLcode ftp_do_more(struct connectdata *conn, bool *complete) + /* if we reach the end of the FTP state machine here, *complete will be + TRUE but so is ftpc->wait_data_conn, which says we need to wait for + the data connection and therefore we're not actually complete */ +- *complete = FALSE; ++ *completep = 0; + } + + if(ftp->transfer <= FTPTRANSFER_INFO) { +@@ -3735,6 +3740,9 @@ static CURLcode ftp_do_more(struct connectdata *conn, bool *complete) + + if(result) + return result; ++ ++ *completep = 1; /* this state is now complete when the server has ++ connected back to us */ + } + } + else if(data->set.upload) { +@@ -3742,7 +3750,8 @@ static CURLcode ftp_do_more(struct connectdata *conn, bool *complete) + if(result) + return result; + +- result = ftp_multi_statemach(conn, complete); ++ result = ftp_multi_statemach(conn, &complete); ++ *completep = (int)complete; + } + else { + /* download */ +@@ -3770,7 +3779,8 @@ static CURLcode ftp_do_more(struct connectdata *conn, bool *complete) + return result; + } + +- result = ftp_multi_statemach(conn, complete); ++ result = ftp_multi_statemach(conn, &complete); ++ *completep = (int)complete; + } + return result; + } +@@ -3782,7 +3792,7 @@ static CURLcode ftp_do_more(struct connectdata *conn, bool *complete) + + if(!ftpc->wait_data_conn) { + /* no waiting for the data connection so this is now complete */ +- *complete = TRUE; ++ *completep = 1; + DEBUGF(infof(data, "DO-MORE phase ends with %d\n", (int)result)); + } + +@@ -3825,7 +3835,9 @@ CURLcode ftp_perform(struct connectdata *conn, + /* run the state-machine */ + result = ftp_multi_statemach(conn, dophase_done); + +- *connected = 
conn->bits.tcpconnect[FIRSTSOCKET]; ++ *connected = conn->bits.tcpconnect[SECONDARYSOCKET]; ++ ++ infof(conn->data, "ftp_perform ends with SECONDARY: %d\n", *connected); + + if(*dophase_done) + DEBUGF(infof(conn->data, "DO phase is complete1\n")); +@@ -4445,7 +4457,7 @@ static CURLcode ftp_dophase_done(struct connectdata *conn, + struct ftp_conn *ftpc = &conn->proto.ftpc; + + if(connected) { +- bool completed; ++ int completed; + CURLcode result = ftp_do_more(conn, &completed); + + if(result) { +diff --git a/lib/multi.c b/lib/multi.c +index 706df23..9a8e68e 100644 +--- a/lib/multi.c ++++ b/lib/multi.c +@@ -906,6 +906,7 @@ static CURLMcode multi_runsingle(struct Curl_multi *multi, + struct SingleRequest *k; + struct SessionHandle *data; + long timeout_ms; ++ int control; + + if(!GOOD_EASY_HANDLE(easy->easy_handle)) + return CURLM_BAD_EASY_HANDLE; +@@ -1323,13 +1324,17 @@ static CURLMcode multi_runsingle(struct Curl_multi *multi, + /* + * When we are connected, DO MORE and then go DO_DONE + */ +- easy->result = Curl_do_more(easy->easy_conn, &dophase_done); ++ easy->result = Curl_do_more(easy->easy_conn, &control); + + /* No need to remove this handle from the send pipeline here since that + is done in Curl_done() */ + if(CURLE_OK == easy->result) { +- if(dophase_done) { +- multistate(easy, CURLM_STATE_DO_DONE); ++ if(control) { ++ /* if positive, advance to DO_DONE ++ if negative, go back to DOING */ ++ multistate(easy, control==1? ++ CURLM_STATE_DO_DONE: ++ CURLM_STATE_DOING); + result = CURLM_CALL_MULTI_PERFORM; + } + else +diff --git a/lib/url.c b/lib/url.c +index b269027..52f7e27 100644 +--- a/lib/url.c ++++ b/lib/url.c +@@ -5394,18 +5394,20 @@ CURLcode Curl_do(struct connectdata **connp, bool *done) + * + * TODO: A future libcurl should be able to work away this state. + * ++ * 'complete' can return 0 for incomplete, 1 for done and -1 for go back to ++ * DOING state there's more work to do! 
+ */ + +-CURLcode Curl_do_more(struct connectdata *conn, bool *completed) ++CURLcode Curl_do_more(struct connectdata *conn, int *complete) + { + CURLcode result=CURLE_OK; + +- *completed = FALSE; ++ *complete = 0; + + if(conn->handler->do_more) +- result = conn->handler->do_more(conn, completed); ++ result = conn->handler->do_more(conn, complete); + +- if(!result && *completed) ++ if(!result && (*complete == 1)) + /* do_complete must be called after the protocol-specific DO function */ + do_complete(conn); + +diff --git a/lib/url.h b/lib/url.h +index a026e90..c0d9c38 100644 +--- a/lib/url.h ++++ b/lib/url.h +@@ -7,7 +7,7 @@ + * | (__| |_| | _ <| |___ + * \___|\___/|_| \_\_____| + * +- * Copyright (C) 1998 - 2011, Daniel Stenberg, , et al. ++ * Copyright (C) 1998 - 2013, Daniel Stenberg, , et al. + * + * This software is licensed as described in the file COPYING, which + * you should have received as part of this distribution. The terms +@@ -37,7 +37,7 @@ CURLcode Curl_close(struct SessionHandle *data); /* opposite of curl_open() */ + CURLcode Curl_connect(struct SessionHandle *, struct connectdata **, + bool *async, bool *protocol_connect); + CURLcode Curl_do(struct connectdata **, bool *done); +-CURLcode Curl_do_more(struct connectdata *, bool *completed); ++CURLcode Curl_do_more(struct connectdata *, int *completed); + CURLcode Curl_done(struct connectdata **, CURLcode, bool premature); + CURLcode Curl_disconnect(struct connectdata *, bool dead_connection); + CURLcode Curl_protocol_connect(struct connectdata *conn, bool *done); +diff --git a/lib/urldata.h b/lib/urldata.h +index 7a275da..2be467b 100644 +--- a/lib/urldata.h ++++ b/lib/urldata.h +@@ -550,7 +550,7 @@ struct Curl_async { + /* These function pointer types are here only to allow easier typecasting + within the source when we need to cast between data pointers (such as NULL) + and function pointers. 
*/ +-typedef CURLcode (*Curl_do_more_func)(struct connectdata *, bool *); ++typedef CURLcode (*Curl_do_more_func)(struct connectdata *, int *); + typedef CURLcode (*Curl_done_func)(struct connectdata *, CURLcode, bool); + + +diff --git a/tests/data/Makefile.am b/tests/data/Makefile.am +index 3e8dae0..3f6a047 100644 +--- a/tests/data/Makefile.am ++++ b/tests/data/Makefile.am +@@ -78,7 +78,7 @@ test1118 test1119 test1120 test1121 test1122 test1123 test1124 test1125 \ + test1126 test1127 test1128 test1129 test1130 test1131 test1132 test1133 \ + test1200 test1201 test1202 test1203 test1204 test1205 test1206 test1207 \ + test1208 test1209 test1210 test1211 test1216 test1218 \ +-test1220 test1221 test1222 test1223 \ ++test1220 test1221 test1222 test1223 test1233 \ + test1300 test1301 test1302 test1303 test1304 test1305 \ + test1306 test1307 test1308 test1309 test1310 test1311 test1312 test1313 \ + test1314 test1315 test1316 test1317 test1318 test1319 test1320 test1321 \ +diff --git a/tests/data/test1233 b/tests/data/test1233 +new file mode 100644 +index 0000000..caf0527 +--- /dev/null ++++ b/tests/data/test1233 +@@ -0,0 +1,46 @@ ++ ++ ++ ++FTP ++ ++ ++ ++# Server-side ++ ++ ++# Assuming there's nothing listening on port 1 ++REPLY EPSV 229 Entering Passiv Mode (|||1|) ++ ++ ++here are some bytes ++ ++ ++ ++# Client-side ++ ++ ++ftp ++ ++ ++FTP failing to connect to EPSV port, switching to PASV ++ ++ ++ftp://%HOSTIP:%FTPPORT/1233 ++ ++ ++ ++# Verify data after the test has been "shot" ++ ++ ++USER anonymous ++PASS ftp@example.com ++PWD ++EPSV ++PASV ++TYPE I ++SIZE 1233 ++RETR 1233 ++QUIT ++ ++ ++ +-- +1.7.1 + diff --git a/0011-curl-7.27.0-2eb8dcf2.patch b/0011-curl-7.27.0-2eb8dcf2.patch deleted file mode 100644 index f77f104..0000000 --- a/0011-curl-7.27.0-2eb8dcf2.patch +++ /dev/null 
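Review bot: ftp_do_more no longer initialises its out-parameter: the patch removes `*complete = FALSE;` from the top of the function, so the plain `return result;` in the not-yet-connected branch leaves `*completep` untouched. Curl_do_more presets `*complete = 0` before calling the handler, but ftp_dophase_done passes a fresh `int completed;` with no initial value, so any read of it after such a return would see an indeterminate value (whether it is read lies outside the hunk). Restoring the initialisation as `*completep = 0;` at the top of ftp_do_more, or declaring `int completed = 0;`, closes that gap. The -1/0/1 protocol is also written as bare literals across ftp.c, multi.c and url.c; named constants would make the `control==1` test in multi_runsingle less fragile.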
@@ -1,295 +0,0 @@
-From 5ceda5fa61a87015275ab94f99da4f92f49ac802 Mon Sep 17 00:00:00 2001
-From: Kamil Dudka
-Date: Fri, 12 Apr 2013 16:49:32 +0200
-Subject: [PATCH 1/3] test1216: test tailmatching cookie domains
-
-This test is an attempt to repeat the problem YAMADA Yasuharu reported
-at http://curl.haxx.se/mail/lib-2013-04/0108.html
-
-Conflicts:
-
- tests/data/Makefile.am
-
-Signed-off-by: Kamil Dudka
----
- tests/data/Makefile.am | 2 +-
- tests/data/Makefile.in | 2 +-
- tests/data/test1216 | 62 ++++++++++++++++++++++++++++++++++++++++++++++++
- 3 files changed, 64 insertions(+), 2 deletions(-)
- create mode 100644 tests/data/test1216
-
-diff --git a/tests/data/Makefile.am b/tests/data/Makefile.am
-index 372f127..9321d61 100644
---- a/tests/data/Makefile.am
-+++ b/tests/data/Makefile.am
-@@ -78,7 +78,7 @@ test1118 test1119 test1120 test1121 test1122 test1123 test1124 test1125 \
- test1126 test1127 test1128 test1129 test1130 test1131 \
- test1200 test1201 test1202 test1203 test1204 test1205 test1206 test1207 \
- test1208 test1209 test1210 test1211 \
--test1220 \
-+test1220 test1216 \
- test1300 test1301 test1302 test1303 test1304 test1305 \
- test1306 test1307 test1308 test1309 test1310 test1311 test1312 test1313 \
- test1314 test1315 test1316 test1317 test1318 test1319 test1320 test1321 \
-diff --git a/tests/data/Makefile.in b/tests/data/Makefile.in
-index e0a554a..0c18cb5 100644
---- a/tests/data/Makefile.in
-+++ b/tests/data/Makefile.in
-@@ -343,7 +343,7 @@ test1118 test1119 test1120 test1121 test1122 test1123 test1124 test1125 \
- test1126 test1127 test1128 test1129 test1130 test1131 \
- test1200 test1201 test1202 test1203 test1204 test1205 test1206 test1207 \
- test1208 test1209 test1210 test1211 \
--test1220 \
-+test1220 test1216 \
- test1300 test1301 test1302 test1303 test1304 test1305 \
- test1306 test1307 test1308 test1309 test1310 test1311 test1312 test1313 \
- test1314 test1315 test1316 test1317 test1318 test1319 test1320 test1321 \
-diff --git a/tests/data/test1216 b/tests/data/test1216
-new file mode 100644
-index 0000000..e63fe92
---- /dev/null
-+++ b/tests/data/test1216
-@@ -0,0 +1,62 @@
-+
-+
-+
-+HTTP
-+HTTP GET
-+HTTP proxy
-+cookies
-+
-+
-+
-+# Server-side
-+
-+
-+HTTP/1.1 200 OK
-+Server: Microsoft-IIS/4.0
-+Date: Tue, 25 Sep 2001 19:37:44 GMT
-+Content-Type: text/html
-+Connection: close
-+Content-Length: 21
-+
-+This server says moo
-+
-+
-+
-+# Client-side
-+
-+
-+http
-+
-+
-+HTTP cookie domains tailmatching the host name
-+
-+
-+http://example.fake/c/1216 http://bexample.fake/c/1216 -b log/injar1216 -x %HOSTIP:%HTTPPORT
-+
-+
-+example.fake FALSE /a FALSE 2139150993 mooo indeed
-+example.fake FALSE /b FALSE 0 moo1 indeed
-+example.fake FALSE /c FALSE 2139150993 moo2 indeed
-+
-+
-+
-+# Verify data after the test has been "shot"
-+
-+
-+^User-Agent:.*
-+
-+
-+GET http://example.fake/c/1216 HTTP/1.1
-+Host: example.fake
-+Accept: */*
-+Proxy-Connection: Keep-Alive
-+Cookie: moo2=indeed
-+
-+GET http://bexample.fake/c/1216 HTTP/1.1
-+Host: bexample.fake
-+Accept: */*
-+Proxy-Connection: Keep-Alive
-+
-+
-+
-+
---
-1.7.1
-
-
-From 3cf21844356a152df3af92530bb607ef880588af Mon Sep 17 00:00:00 2001
-From: YAMADA Yasuharu
-Date: Thu, 11 Apr 2013 00:17:15 +0200
-Subject: [PATCH 2/3] cookie: fix tailmatching to prevent cross-domain leakage
-
-Cookies set for 'example.com' could accidentaly also be sent by libcurl
-to the 'bexample.com' (ie with a prefix to the first domain name).
-
-This is a security vulnerabilty, CVE-2013-1944.
-
-Bug: http://curl.haxx.se/docs/adv_20130412.html
-
-Signed-off-by: Kamil Dudka
----
- lib/cookie.c | 24 +++++++++++++++++++-----
- 1 files changed, 19 insertions(+), 5 deletions(-)
-
-diff --git a/lib/cookie.c b/lib/cookie.c
-index 644b33a..760a931 100644
---- a/lib/cookie.c
-+++ b/lib/cookie.c
-@@ -118,15 +118,29 @@ static void freecookie(struct Cookie *co)
- free(co);
- }
-
--static bool tailmatch(const char *little, const char *bigone)
-+static bool tailmatch(const char *cooke_domain, const char *hostname)
- {
-- size_t littlelen = strlen(little);
-- size_t biglen = strlen(bigone);
-+ size_t cookie_domain_len = strlen(cooke_domain);
-+ size_t hostname_len = strlen(hostname);
-
-- if(littlelen > biglen)
-+ if(hostname_len < cookie_domain_len)
- return FALSE;
-
-- return Curl_raw_equal(little, bigone+biglen-littlelen) ? TRUE : FALSE;
-+ if(!Curl_raw_equal(cooke_domain, hostname+hostname_len-cookie_domain_len))
-+ return FALSE;
-+
-+ /* A lead char of cookie_domain is not '.'.
-+ RFC6265 4.1.2.3. The Domain Attribute says:
-+ For example, if the value of the Domain attribute is
-+ "example.com", the user agent will include the cookie in the Cookie
-+ header when making HTTP requests to example.com, www.example.com, and
-+ www.corp.example.com.
-+ */
-+ if(hostname_len == cookie_domain_len)
-+ return TRUE;
-+ if('.' == *(hostname + hostname_len - cookie_domain_len - 1))
-+ return TRUE;
-+ return FALSE;
- }
-
- /*
---
-1.7.1
-
-
-From cb95277d4732d7e9a50df7cca2ce0aa8dc0aa5b9 Mon Sep 17 00:00:00 2001
-From: Kamil Dudka
-Date: Fri, 12 Apr 2013 16:50:11 +0200
-Subject: [PATCH 3/3] test1218: another cookie tailmatch test
-
-These tests verify commit 3604fde3d3c9b0d, the fix for the "cookie
-domain tailmatch" vulnerability. See
-http://curl.haxx.se/docs/adv_20130412.html
-
-Conflicts:
-
- tests/data/Makefile.am
-
-Signed-off-by: Kamil Dudka
----
- tests/data/Makefile.am | 2 +-
- tests/data/Makefile.in | 2 +-
- tests/data/test1218 | 61 ++++++++++++++++++++++++++++++++++++++++++++++++
- 3 files changed, 63 insertions(+), 2 deletions(-)
- create mode 100644 tests/data/test1218
-
-diff --git a/tests/data/Makefile.am b/tests/data/Makefile.am
-index 9321d61..c8295c3 100644
---- a/tests/data/Makefile.am
-+++ b/tests/data/Makefile.am
-@@ -78,7 +78,7 @@ test1118 test1119 test1120 test1121 test1122 test1123 test1124 test1125 \
- test1126 test1127 test1128 test1129 test1130 test1131 \
- test1200 test1201 test1202 test1203 test1204 test1205 test1206 test1207 \
- test1208 test1209 test1210 test1211 \
--test1220 test1216 \
-+test1220 test1216 test1218 \
- test1300 test1301 test1302 test1303 test1304 test1305 \
- test1306 test1307 test1308 test1309 test1310 test1311 test1312 test1313 \
- test1314 test1315 test1316 test1317 test1318 test1319 test1320 test1321 \
-diff --git a/tests/data/Makefile.in b/tests/data/Makefile.in
-index 0c18cb5..96678cd 100644
---- a/tests/data/Makefile.in
-+++ b/tests/data/Makefile.in
-@@ -343,7 +343,7 @@ test1118 test1119 test1120 test1121 test1122 test1123 test1124 test1125 \
- test1126 test1127 test1128 test1129 test1130 test1131 \
- test1200 test1201 test1202 test1203 test1204 test1205 test1206 test1207 \
- test1208 test1209 test1210 test1211 \
--test1220 test1216 \
-+test1220 test1216 test1218 \
- test1300 test1301 test1302 test1303 test1304 test1305 \
- test1306 test1307 test1308 test1309 test1310 test1311 test1312 test1313 \
- test1314 test1315 test1316 test1317 test1318 test1319 test1320 test1321 \
-diff --git a/tests/data/test1218 b/tests/data/test1218
-new file mode 100644
-index 0000000..7d86547
---- /dev/null
-+++ b/tests/data/test1218
-@@ -0,0 +1,61 @@
-+
-+
-+
-+HTTP
-+HTTP GET
-+HTTP proxy
-+cookies
-+
-+
-+
-+# This test is very similar to 1216, only that it sets the cookies from the
-+# first site instead of reading from a file
-+
-+
-+HTTP/1.1 200 OK
-+Date: Tue, 25 Sep 2001 19:37:44 GMT
-+Set-Cookie: domain=.example.fake; bug=fixed;
-+Content-Length: 21
-+
-+This server says moo
-+
-+
-+
-+# Client-side
-+
-+
-+http
-+
-+
-+HTTP cookies and domains with same prefix
-+
-+
-+http://example.fake/c/1218 http://example.fake/c/1218 http://bexample.fake/c/1218 -b nonexisting -x %HOSTIP:%HTTPPORT
-+
-+
-+
-+# Verify data after the test has been "shot"
-+
-+
-+^User-Agent:.*
-+
-+
-+GET http://example.fake/c/1218 HTTP/1.1
-+Host: example.fake
-+Accept: */*
-+Proxy-Connection: Keep-Alive
-+
-+GET http://example.fake/c/1218 HTTP/1.1
-+Host: example.fake
-+Accept: */*
-+Proxy-Connection: Keep-Alive
-+Cookie: bug=fixed
-+
-+GET http://bexample.fake/c/1218 HTTP/1.1
-+Host: bexample.fake
-+Accept: */*
-+Proxy-Connection: Keep-Alive
-+
-+
-+
-+
---
-1.7.1
-
diff --git a/0011-curl-7.29.0-0feeab78.patch b/0011-curl-7.29.0-0feeab78.patch
new file mode 100644
index 0000000..bd6b8b3
--- /dev/null
+++ b/0011-curl-7.29.0-0feeab78.patch
@@ -0,0 +1,74 @@
+From d3036f34cce421990e8268ee4bbfc0d9f5ceb054 Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg
+Date: Thu, 13 Jun 2013 19:27:12 +0200
+Subject: [PATCH] curl_easy_perform: avoid busy-looping
+
+When curl_multi_wait() finds no file descriptor to wait for, it returns
+instantly and this must be handled gracefully within curl_easy_perform()
+or cause a busy-loop. Starting now, repeated fast returns without any
+file descriptors is detected and a gradually increasing sleep will be
+used (up to a max of 1000 milliseconds) before continuing the loop.
+
+Bug: http://curl.haxx.se/bug/view.cgi?id=1238
+Reported-by: Miguel Angel
+
+[upstream commit 0feeab7802dd2a6465d22d153d8d36b2cca99b96]
+
+Signed-off-by: Kamil Dudka
+---
+ lib/easy.c | 25 +++++++++++++++++++++++++
+ 1 files changed, 25 insertions(+), 0 deletions(-)
+
+diff --git a/lib/easy.c b/lib/easy.c
+index 2739598..a7051dd 100644
+--- a/lib/easy.c
++++ b/lib/easy.c
+@@ -410,6 +410,9 @@ CURLcode curl_easy_perform(CURL *easy)
+ bool done = FALSE;
+ int rc;
+ struct SessionHandle *data = easy;
++ int without_fds = 0; /* count number of consecutive returns from
++ curl_multi_wait() without any filedescriptors */
++ struct timeval before;
+
+ if(!easy)
+ return CURLE_BAD_FUNCTION_ARGUMENT;
+@@ -445,6 +448,7 @@ CURLcode curl_easy_perform(CURL *easy)
+ int still_running;
+ int ret;
+
++ before = curlx_tvnow();
+ mcode = curl_multi_wait(multi, NULL, 0, 1000, &ret);
+
+ if(mcode == CURLM_OK) {
+@@ -453,6 +457,27 @@ CURLcode curl_easy_perform(CURL *easy)
+ code = CURLE_RECV_ERROR;
+ break;
+ }
++ else if(ret == 0) {
++ struct timeval after = curlx_tvnow();
++ /* If it returns without any filedescriptor instantly, we need to
++ avoid busy-looping during periods where it has nothing particular
++ to wait for */
++ if(curlx_tvdiff(after, before) <= 10) {
++ without_fds++;
++ if(without_fds > 2) {
++ int sleep_ms = without_fds * 50;
++ if(sleep_ms > 1000)
++ sleep_ms = 1000;
++ Curl_wait_ms(sleep_ms);
++ }
++ }
++ else
++ /* it wasn't "instant", restart counter */
++ without_fds = 0;
++ }
++ else
++ /* got file descriptor, restart counter */
++ without_fds = 0;
+
+ mcode = curl_multi_perform(multi, &still_running);
+ }
+--
+1.7.1
+
diff --git a/0012-curl-7.27.0-25e577b3.patch b/0012-curl-7.27.0-25e577b3.patch
deleted file mode 100644
index 4b6ec7d..0000000
--- a/0012-curl-7.27.0-25e577b3.patch
+++ /dev/null
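Review bot: `without_fds` in the added `else if(ret == 0)` branch is incremented on every instant, descriptor-less return and is never capped, so `int sleep_ms = without_fds * 50;` multiplies an ever-growing signed int; only the product is clamped to 1000, not the counter. Reaching the overflow would take a very long unbroken run of instant returns, so it looks theoretical, but signed overflow is undefined behaviour in C and clamping the counter keeps the same back-off with an explicit bound: `if(without_fds < 20) without_fds++;`. The thresholds 10, 2 and 50 are unexplained in the code; a comment such as `/* returns within 10 ms count as instant; from the third one in a row sleep 50 ms per return, capped at 1000 ms */` would document them. curl_easy_perform() starts and ends outside the inner hunks shown here.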
@@ -1,86 +0,0 @@
-From 461a96d26c08fcd27fc0ab2c94574461a85782bf Mon Sep 17 00:00:00 2001
-From: Kim Vandry
-Date: Mon, 18 Feb 2013 21:36:34 +0100
-Subject: [PATCH] Curl_resolver_is_resolved: show proper host name on failed resolve
-
-[upstream commit 25e577b33d00afb6630cf2cac98d6baa319e9aef]
-
-Signed-off-by: Kamil Dudka
----
- lib/asyn-thread.c | 35 ++++++++++++++++++++---------------
- 1 files changed, 20 insertions(+), 15 deletions(-)
-
-diff --git a/lib/asyn-thread.c b/lib/asyn-thread.c
-index b027144..5552810 100644
---- a/lib/asyn-thread.c
-+++ b/lib/asyn-thread.c
-@@ -436,8 +436,19 @@ static const char *gai_strerror(int ecode)
- * error
- */
-
--static void resolver_error(struct connectdata *conn, const char *host_or_proxy)
-+static CURLcode resolver_error(struct connectdata *conn)
- {
-+ const char *host_or_proxy;
-+ CURLcode rc;
-+ if(conn->bits.httpproxy) {
-+ host_or_proxy = "proxy";
-+ rc = CURLE_COULDNT_RESOLVE_PROXY;
-+ }
-+ else {
-+ host_or_proxy = "host";
-+ rc = CURLE_COULDNT_RESOLVE_HOST;
-+ }
-+
- failf(conn->data, "Could not resolve %s: %s; %s", host_or_proxy,
- conn->async.hostname,
- #ifdef HAVE_GAI_STRERROR
-@@ -448,6 +459,7 @@ static void resolver_error(struct connectdata *conn, const char *host_or_proxy)
- Curl_strerror(conn, conn->async.status)
- #endif
- );
-+ return rc;
- }
-
- /*
-@@ -479,17 +491,9 @@ CURLcode Curl_resolver_wait_resolv(struct connectdata *conn,
- if(entry)
- *entry = conn->async.dns;
-
-- if(!conn->async.dns) {
-- /* a name was not resolved */
-- if(conn->bits.httpproxy) {
-- resolver_error(conn, "proxy");
-- rc = CURLE_COULDNT_RESOLVE_PROXY;
-- }
-- else {
-- resolver_error(conn, "host");
-- rc = CURLE_COULDNT_RESOLVE_HOST;
-- }
-- }
-+ if(!conn->async.dns)
-+ /* a name was not resolved, report error */
-+ rc = resolver_error(conn);
-
- destroy_async_data(&conn->async);
-
-@@ -524,12 +528,13 @@ CURLcode Curl_resolver_is_resolved(struct connectdata *conn,
-
- if(done) {
- getaddrinfo_complete(conn);
-- destroy_async_data(&conn->async);
-
- if(!conn->async.dns) {
-- resolver_error(conn, "host");
-- return CURLE_COULDNT_RESOLVE_HOST;
-+ CURLcode rc = resolver_error(conn);
-+ destroy_async_data(&conn->async);
-+ return rc;
- }
-+ destroy_async_data(&conn->async);
- *entry = conn->async.dns;
- }
- else {
---
-1.7.1
-
diff --git a/0012-curl-7.29.0-c639d725.patch b/0012-curl-7.29.0-c639d725.patch
new file mode 100644
index 0000000..16d1eac
--- /dev/null
+++ b/0012-curl-7.29.0-c639d725.patch
@@ -0,0 +1,519 @@ +From 9b675516d5fb09a455d1f7b7aa98e253361bedf3 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Fri, 8 Feb 2013 13:48:56 +0100 +Subject: [PATCH 1/2] DONE: consider callback-aborted transfers premature + +This bug report properly identified that when doing SMTP and aborting +the transfer with a callback, it must be considered aborted prematurely +by the code to avoid QUIT etc to be attempted as that would cause a +hang. + +The new test case 1507 verifies this behavior. + +Reported by: Patricia Muscalu +Bug: http://curl.haxx.se/bug/view.cgi?id=1184 + +[upstream commit 72688317adcedb9508fd2189e6c6d3945e06a004] + +Signed-off-by: Kamil Dudka +--- + lib/url.c | 7 ++ + tests/data/Makefile.am | 3 +- + tests/data/Makefile.in | 3 +- + tests/data/test1507 | 51 +++++++++++++ + tests/libtest/Makefile.in | 82 +++++++++++++++++++++- + tests/libtest/Makefile.inc | 6 ++- + tests/libtest/lib1507.c | 167 ++++++++++++++++++++++++++++++++++++++++++++ + 7 files changed, 313 insertions(+), 6 deletions(-) + create mode 100644 tests/data/test1507 + create mode 100644 tests/libtest/lib1507.c + +diff --git a/lib/url.c b/lib/url.c +index 52f7e27..a6375a2 100644 +--- a/lib/url.c ++++ b/lib/url.c +@@ -5222,6 +5222,13 @@ CURLcode Curl_done(struct connectdata **connp, + conn->dns_entry = NULL; + } + ++ if(status == CURLE_ABORTED_BY_CALLBACK) ++ /* When we're aborted due to a callback return code it basically have to ++ be counted as premature as there is trouble ahead if we don't. We have ++ many callbacks and protocols work differently, we could potentially do ++ this more fine-grained in the future. 
*/ ++ premature = TRUE; ++ + /* this calls the protocol-specific function pointer previously set */ + if(conn->handler->done) + result = conn->handler->done(conn, status, premature); +diff --git a/tests/data/Makefile.am b/tests/data/Makefile.am +index 3f6a047..805955c 100644 +--- a/tests/data/Makefile.am ++++ b/tests/data/Makefile.am +@@ -93,7 +93,8 @@ test1379 test1380 test1381 test1382 test1383 test1384 test1385 test1386 \ + test1387 test1388 test1389 test1390 test1391 test1392 test1393 \ + test1400 test1401 test1402 test1403 test1404 test1405 test1406 test1407 \ + test1408 test1409 test1410 test1411 test1412 test1413 \ +-test1500 test1501 test1502 test1503 test1504 test1505 test1506 test1508 \ ++test1500 test1501 test1502 test1503 test1504 test1505 test1506 test1507 \ ++test1508 \ + test2000 test2001 test2002 test2003 test2004 test2005 test2006 test2007 \ + test2008 test2009 test2010 test2011 test2012 test2013 test2014 test2015 \ + test2016 test2017 test2018 test2019 test2020 test2021 test2022 \ +diff --git a/tests/data/Makefile.in b/tests/data/Makefile.in +index 71c9422..1e6d679 100644 +--- a/tests/data/Makefile.in ++++ b/tests/data/Makefile.in +@@ -357,7 +357,8 @@ test1379 test1380 test1381 test1382 test1383 test1384 test1385 test1386 \ + test1387 test1388 test1389 test1390 test1391 test1392 test1393 \ + test1400 test1401 test1402 test1403 test1404 test1405 test1406 test1407 \ + test1408 test1409 test1410 test1411 test1412 test1413 \ +-test1500 test1501 test1502 test1503 test1504 test1505 test1506 test1508 \ ++test1500 test1501 test1502 test1503 test1504 test1505 test1506 test1507 \ ++test1508 \ + test2000 test2001 test2002 test2003 test2004 test2005 test2006 test2007 \ + test2008 test2009 test2010 test2011 test2012 test2013 test2014 test2015 \ + test2016 test2017 test2018 test2019 test2020 test2021 test2022 \ +diff --git a/tests/data/test1507 b/tests/data/test1507 +new file mode 100644 +index 0000000..b66e71d +--- /dev/null ++++ b/tests/data/test1507 +@@ -0,0 
+1,51 @@ ++ ++ ++ ++SMTP ++multi ++ ++ ++ ++# ++# Server-side ++ ++ ++ ++# ++# Client-side ++ ++ ++smtp ++ ++ ++lib1507 ++ ++ ++# based on bug report #1184 ++ ++SMTP with multi interface and CURLE_ABORTED_BY_CALLBACK ++ ++ ++From: different ++To: another ++ ++body ++ ++ ++smtp://%HOSTIP:%SMTPPORT/user ++ ++ ++ ++# ++# Verify data after the test has been "shot" ++ ++ ++EHLO user ++MAIL FROM:<1507-realuser@example.com> ++RCPT TO:<1507-recipient@example.com> ++DATA ++ ++ ++ ++ ++ +diff --git a/tests/libtest/Makefile.in b/tests/libtest/Makefile.in +index 7683c09..e6826c0 100644 +--- a/tests/libtest/Makefile.in ++++ b/tests/libtest/Makefile.in +@@ -85,7 +85,8 @@ noinst_PROGRAMS = chkhostname$(EXEEXT) libauthretry$(EXEEXT) \ + lib591$(EXEEXT) lib597$(EXEEXT) lib598$(EXEEXT) \ + lib599$(EXEEXT) lib1500$(EXEEXT) lib1501$(EXEEXT) \ + lib1502$(EXEEXT) lib1503$(EXEEXT) lib1504$(EXEEXT) \ +- lib1505$(EXEEXT) lib1506$(EXEEXT) lib1508$(EXEEXT) ++ lib1505$(EXEEXT) lib1506$(EXEEXT) lib1507$(EXEEXT) \ ++ lib1508$(EXEEXT) + subdir = tests/libtest + ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 + am__aclocal_m4_deps = $(top_srcdir)/m4/curl-compilers.m4 \ +@@ -173,6 +174,13 @@ am_lib1506_OBJECTS = lib1506-lib1506.$(OBJEXT) $(am__objects_18) \ + $(am__objects_19) $(am__objects_20) + lib1506_OBJECTS = $(am_lib1506_OBJECTS) + lib1506_DEPENDENCIES = $(am__DEPENDENCIES_1) ++am__objects_154 = lib1507-first.$(OBJEXT) ++am__objects_155 = lib1507-testutil.$(OBJEXT) ++am__objects_156 = lib1507-warnless.$(OBJEXT) ++am_lib1507_OBJECTS = lib1507-lib1507.$(OBJEXT) $(am__objects_154) \ ++ $(am__objects_155) $(am__objects_156) ++lib1507_OBJECTS = $(am_lib1507_OBJECTS) ++lib1507_DEPENDENCIES = $(am__DEPENDENCIES_1) + am__objects_151 = lib1508-first.$(OBJEXT) + am__objects_152 = lib1508-testutil.$(OBJEXT) + am__objects_153 = lib1508-warnless.$(OBJEXT) +@@ -639,7 +647,8 @@ LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + SOURCES = $(libhostname_la_SOURCES) $(chkhostname_SOURCES) \ + 
$(lib1500_SOURCES) $(lib1501_SOURCES) $(lib1502_SOURCES) \ + $(lib1503_SOURCES) $(lib1504_SOURCES) $(lib1505_SOURCES) \ +- $(lib1506_SOURCES) $(lib1508_SOURCES) $(lib500_SOURCES) $(lib501_SOURCES) \ ++ $(lib1506_SOURCES) $(lib1507_SOURCES) $(lib1508_SOURCES) \ ++ $(lib500_SOURCES) $(lib501_SOURCES) \ + $(lib502_SOURCES) $(lib503_SOURCES) $(lib504_SOURCES) \ + $(lib505_SOURCES) $(lib506_SOURCES) $(lib507_SOURCES) \ + $(lib508_SOURCES) $(lib510_SOURCES) $(lib511_SOURCES) \ +@@ -669,7 +678,8 @@ SOURCES = $(libhostname_la_SOURCES) $(chkhostname_SOURCES) \ + DIST_SOURCES = $(libhostname_la_SOURCES) $(chkhostname_SOURCES) \ + $(lib1500_SOURCES) $(lib1501_SOURCES) $(lib1502_SOURCES) \ + $(lib1503_SOURCES) $(lib1504_SOURCES) $(lib1505_SOURCES) \ +- $(lib1506_SOURCES) $(lib1508_SOURCES) $(lib500_SOURCES) $(lib501_SOURCES) \ ++ $(lib1506_SOURCES) $(lib1507_SOURCES) $(lib1508_SOURCES) \ ++ $(lib500_SOURCES) $(lib501_SOURCES) \ + $(lib502_SOURCES) $(lib503_SOURCES) $(lib504_SOURCES) \ + $(lib505_SOURCES) $(lib506_SOURCES) $(lib507_SOURCES) \ + $(lib508_SOURCES) $(lib510_SOURCES) $(lib511_SOURCES) \ +@@ -1162,6 +1172,9 @@ lib1505_CPPFLAGS = $(AM_CPPFLAGS) -DLIB1505 + lib1506_SOURCES = lib1506.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS) + lib1506_LDADD = $(TESTUTIL_LIBS) + lib1506_CPPFLAGS = $(AM_CPPFLAGS) -DLIB1506 ++lib1507_SOURCES = lib1507.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS) ++lib1507_LDADD = $(TESTUTIL_LIBS) ++lib1507_CPPFLAGS = $(AM_CPPFLAGS) -DLIB1507 + lib1508_SOURCES = lib1508.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS) + lib1508_LDADD = $(TESTUTIL_LIBS) + lib1508_CPPFLAGS = $(AM_CPPFLAGS) -DLIB1508 +@@ -1263,6 +1276,9 @@ lib1505$(EXEEXT): $(lib1505_OBJECTS) $(lib1505_DEPENDENCIES) $(EXTRA_lib1505_DEP + lib1506$(EXEEXT): $(lib1506_OBJECTS) $(lib1506_DEPENDENCIES) $(EXTRA_lib1506_DEPENDENCIES) + @rm -f lib1506$(EXEEXT) + $(LINK) $(lib1506_OBJECTS) $(lib1506_LDADD) $(LIBS) ++lib1507$(EXEEXT): $(lib1507_OBJECTS) $(lib1507_DEPENDENCIES) $(EXTRA_lib1507_DEPENDENCIES) ++ 
@rm -f lib1507$(EXEEXT) ++ $(LINK) $(lib1507_OBJECTS) $(lib1507_LDADD) $(LIBS) + lib1508$(EXEEXT): $(lib1508_OBJECTS) $(lib1508_DEPENDENCIES) $(EXTRA_lib1508_DEPENDENCIES) + @rm -f lib1508$(EXEEXT) + $(LINK) $(lib1508_OBJECTS) $(lib1508_LDADD) $(LIBS) +@@ -1533,6 +1549,10 @@ distclean-compile: + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/lib1506-lib1506.Po@am__quote@ + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/lib1506-testutil.Po@am__quote@ + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/lib1506-warnless.Po@am__quote@ ++@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/lib1507-first.Po@am__quote@ ++@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/lib1507-lib1507.Po@am__quote@ ++@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/lib1507-testutil.Po@am__quote@ ++@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/lib1507-warnless.Po@am__quote@ + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/lib1508-first.Po@am__quote@ + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/lib1508-lib1508.Po@am__quote@ + @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/lib1508-testutil.Po@am__quote@ +@@ -2180,6 +2200,62 @@ lib1506-warnless.obj: ../../lib/warnless.c + @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ + @am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(lib1506_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o lib1506-warnless.obj `if test -f '../../lib/warnless.c'; then $(CYGPATH_W) '../../lib/warnless.c'; else $(CYGPATH_W) '$(srcdir)/../../lib/warnless.c'; fi` + ++lib1507-lib1507.o: lib1507.c ++@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(lib1507_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT lib1507-lib1507.o -MD -MP -MF $(DEPDIR)/lib1507-lib1507.Tpo -c -o lib1507-lib1507.o `test -f 'lib1507.c' || echo '$(srcdir)/'`lib1507.c ++@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/lib1507-lib1507.Tpo $(DEPDIR)/lib1507-lib1507.Po ++@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='lib1507.c' 
object='lib1507-lib1507.o' libtool=no @AMDEPBACKSLASH@ ++@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ ++@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(lib1507_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o lib1507-lib1507.o `test -f 'lib1507.c' || echo '$(srcdir)/'`lib1507.c ++ ++lib1507-lib1507.obj: lib1507.c ++@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(lib1507_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT lib1507-lib1507.obj -MD -MP -MF $(DEPDIR)/lib1507-lib1507.Tpo -c -o lib1507-lib1507.obj `if test -f 'lib1507.c'; then $(CYGPATH_W) 'lib1507.c'; else $(CYGPATH_W) '$(srcdir)/lib1507.c'; fi` ++@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/lib1507-lib1507.Tpo $(DEPDIR)/lib1507-lib1507.Po ++@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='lib1507.c' object='lib1507-lib1507.obj' libtool=no @AMDEPBACKSLASH@ ++@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ ++@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(lib1507_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o lib1507-lib1507.obj `if test -f 'lib1507.c'; then $(CYGPATH_W) 'lib1507.c'; else $(CYGPATH_W) '$(srcdir)/lib1507.c'; fi` ++ ++lib1507-first.o: first.c ++@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(lib1507_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT lib1507-first.o -MD -MP -MF $(DEPDIR)/lib1507-first.Tpo -c -o lib1507-first.o `test -f 'first.c' || echo '$(srcdir)/'`first.c ++@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/lib1507-first.Tpo $(DEPDIR)/lib1507-first.Po ++@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='first.c' object='lib1507-first.o' libtool=no @AMDEPBACKSLASH@ ++@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ ++@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(lib1507_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o lib1507-first.o `test -f 'first.c' || echo 
'$(srcdir)/'`first.c ++ ++lib1507-first.obj: first.c ++@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(lib1507_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT lib1507-first.obj -MD -MP -MF $(DEPDIR)/lib1507-first.Tpo -c -o lib1507-first.obj `if test -f 'first.c'; then $(CYGPATH_W) 'first.c'; else $(CYGPATH_W) '$(srcdir)/first.c'; fi` ++@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/lib1507-first.Tpo $(DEPDIR)/lib1507-first.Po ++@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='first.c' object='lib1507-first.obj' libtool=no @AMDEPBACKSLASH@ ++@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ ++@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(lib1507_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o lib1507-first.obj `if test -f 'first.c'; then $(CYGPATH_W) 'first.c'; else $(CYGPATH_W) '$(srcdir)/first.c'; fi` ++ ++lib1507-testutil.o: testutil.c ++@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(lib1507_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT lib1507-testutil.o -MD -MP -MF $(DEPDIR)/lib1507-testutil.Tpo -c -o lib1507-testutil.o `test -f 'testutil.c' || echo '$(srcdir)/'`testutil.c ++@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/lib1507-testutil.Tpo $(DEPDIR)/lib1507-testutil.Po ++@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='testutil.c' object='lib1507-testutil.o' libtool=no @AMDEPBACKSLASH@ ++@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ ++@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(lib1507_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o lib1507-testutil.o `test -f 'testutil.c' || echo '$(srcdir)/'`testutil.c ++ ++lib1507-testutil.obj: testutil.c ++@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(lib1507_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT lib1507-testutil.obj -MD -MP -MF $(DEPDIR)/lib1507-testutil.Tpo -c -o lib1507-testutil.obj `if test -f 'testutil.c'; then 
$(CYGPATH_W) 'testutil.c'; else $(CYGPATH_W) '$(srcdir)/testutil.c'; fi` ++@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/lib1507-testutil.Tpo $(DEPDIR)/lib1507-testutil.Po ++@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='testutil.c' object='lib1507-testutil.obj' libtool=no @AMDEPBACKSLASH@ ++@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ ++@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(lib1507_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o lib1507-testutil.obj `if test -f 'testutil.c'; then $(CYGPATH_W) 'testutil.c'; else $(CYGPATH_W) '$(srcdir)/testutil.c'; fi` ++ ++lib1507-warnless.o: ../../lib/warnless.c ++@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(lib1507_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT lib1507-warnless.o -MD -MP -MF $(DEPDIR)/lib1507-warnless.Tpo -c -o lib1507-warnless.o `test -f '../../lib/warnless.c' || echo '$(srcdir)/'`../../lib/warnless.c ++@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/lib1507-warnless.Tpo $(DEPDIR)/lib1507-warnless.Po ++@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='../../lib/warnless.c' object='lib1507-warnless.o' libtool=no @AMDEPBACKSLASH@ ++@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ ++@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(lib1507_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o lib1507-warnless.o `test -f '../../lib/warnless.c' || echo '$(srcdir)/'`../../lib/warnless.c ++ ++lib1507-warnless.obj: ../../lib/warnless.c ++@am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(lib1507_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT lib1507-warnless.obj -MD -MP -MF $(DEPDIR)/lib1507-warnless.Tpo -c -o lib1507-warnless.obj `if test -f '../../lib/warnless.c'; then $(CYGPATH_W) '../../lib/warnless.c'; else $(CYGPATH_W) '$(srcdir)/../../lib/warnless.c'; fi` ++@am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/lib1507-warnless.Tpo $(DEPDIR)/lib1507-warnless.Po 
++@AMDEP_TRUE@@am__fastdepCC_FALSE@ source='../../lib/warnless.c' object='lib1507-warnless.obj' libtool=no @AMDEPBACKSLASH@ ++@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ ++@am__fastdepCC_FALSE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(lib1507_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o lib1507-warnless.obj `if test -f '../../lib/warnless.c'; then $(CYGPATH_W) '../../lib/warnless.c'; else $(CYGPATH_W) '$(srcdir)/../../lib/warnless.c'; fi` ++ + lib1508-lib1508.o: lib1508.c + @am__fastdepCC_TRUE@ $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(lib1508_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT lib1508-lib1508.o -MD -MP -MF $(DEPDIR)/lib1508-lib1508.Tpo -c -o lib1508-lib1508.o `test -f 'lib1508.c' || echo '$(srcdir)/'`lib1508.c + @am__fastdepCC_TRUE@ $(am__mv) $(DEPDIR)/lib1508-lib1508.Tpo $(DEPDIR)/lib1508-lib1508.Po +diff --git a/tests/libtest/Makefile.inc b/tests/libtest/Makefile.inc +index 8bf2be4..5e377d3 100644 +--- a/tests/libtest/Makefile.inc ++++ b/tests/libtest/Makefile.inc +@@ -23,7 +23,7 @@ noinst_PROGRAMS = chkhostname libauthretry libntlmconnect \ + lib582 lib583 lib585 lib586 lib587 \ + lib590 lib591 lib597 lib598 lib599 \ + \ +- lib1500 lib1501 lib1502 lib1503 lib1504 lib1505 lib1506 lib1508 ++ lib1500 lib1501 lib1502 lib1503 lib1504 lib1505 lib1506 lib1507 lib1508 + + chkhostname_SOURCES = chkhostname.c ../../lib/curl_gethostname.c + chkhostname_LDADD = @CURL_NETWORK_LIBS@ +@@ -313,6 +313,10 @@ lib1506_SOURCES = lib1506.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS) + lib1506_LDADD = $(TESTUTIL_LIBS) + lib1506_CPPFLAGS = $(AM_CPPFLAGS) -DLIB1506 + ++lib1507_SOURCES = lib1507.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS) ++lib1507_LDADD = $(TESTUTIL_LIBS) ++lib1507_CPPFLAGS = $(AM_CPPFLAGS) -DLIB1507 ++ + lib1508_SOURCES = lib1508.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS) + lib1508_LDADD = $(TESTUTIL_LIBS) + lib1508_CPPFLAGS = $(AM_CPPFLAGS) -DLIB1508 +diff --git a/tests/libtest/lib1507.c 
b/tests/libtest/lib1507.c +new file mode 100644 +index 0000000..7c4e6ed +--- /dev/null ++++ b/tests/libtest/lib1507.c +@@ -0,0 +1,167 @@ ++/*************************************************************************** ++ * _ _ ____ _ ++ * Project ___| | | | _ \| | ++ * / __| | | | |_) | | ++ * | (__| |_| | _ <| |___ ++ * \___|\___/|_| \_\_____| ++ * ++ * Copyright (C) 1998 - 2013, Daniel Stenberg, , et al. ++ * ++ * This software is licensed as described in the file COPYING, which ++ * you should have received as part of this distribution. The terms ++ * are also available at http://curl.haxx.se/docs/copyright.html. ++ * ++ * You may opt to use, copy, modify, merge, publish, distribute and/or sell ++ * copies of the Software, and permit persons to whom the Software is ++ * furnished to do so, under the terms of the COPYING file. ++ * ++ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY ++ * KIND, either express or implied. ++ * ++ ***************************************************************************/ ++#include "test.h" ++ ++#include "testutil.h" ++#include "warnless.h" ++#include "memdebug.h" ++ ++/* ++ * This is the list of basic details you need to tweak to get things right. ++ */ ++#define USERNAME "user@example.com" ++#define PASSWORD "123qwerty" ++#define RECIPIENT "<1507-recipient@example.com>" ++#define MAILFROM "<1507-realuser@example.com>" ++ ++#define MULTI_PERFORM_HANG_TIMEOUT 60 * 1000 ++ ++static size_t read_callback(void *ptr, size_t size, size_t nmemb, void *userp) ++{ ++ (void)ptr; ++ (void)size; ++ (void)nmemb; ++ (void)userp; ++ return CURL_READFUNC_ABORT; ++} ++ ++static struct timeval tvnow(void) ++{ ++ /* ++ ** time() returns the value of time in seconds since the Epoch. 
++ */ ++ struct timeval now; ++ now.tv_sec = (long)time(NULL); ++ now.tv_usec = 0; ++ return now; ++} ++ ++static long tvdiff(struct timeval newer, struct timeval older) ++{ ++ return (newer.tv_sec-older.tv_sec)*1000+ ++ (newer.tv_usec-older.tv_usec)/1000; ++} ++ ++int test(char *URL) ++{ ++ CURL *curl; ++ CURLM *mcurl; ++ int still_running = 1; ++ struct timeval mp_start; ++ struct curl_slist* rcpt_list = NULL; ++ ++ curl_global_init(CURL_GLOBAL_DEFAULT); ++ ++ curl = curl_easy_init(); ++ if(!curl) ++ return 1; ++ ++ mcurl = curl_multi_init(); ++ if(!mcurl) ++ return 2; ++ ++ rcpt_list = curl_slist_append(rcpt_list, RECIPIENT); ++ /* more addresses can be added here ++ rcpt_list = curl_slist_append(rcpt_list, ""); ++ */ ++ ++ curl_easy_setopt(curl, CURLOPT_URL, URL); ++#if 0 ++ curl_easy_setopt(curl, CURLOPT_USERNAME, USERNAME); ++ curl_easy_setopt(curl, CURLOPT_PASSWORD, PASSWORD); ++#endif ++ curl_easy_setopt(curl, CURLOPT_READFUNCTION, read_callback); ++ curl_easy_setopt(curl, CURLOPT_MAIL_FROM, MAILFROM); ++ curl_easy_setopt(curl, CURLOPT_MAIL_RCPT, rcpt_list); ++ curl_easy_setopt(curl, CURLOPT_VERBOSE, 1L); ++ curl_multi_add_handle(mcurl, curl); ++ ++ mp_start = tvnow(); ++ ++ /* we start some action by calling perform right away */ ++ curl_multi_perform(mcurl, &still_running); ++ ++ while(still_running) { ++ struct timeval timeout; ++ int rc; /* select() return code */ ++ ++ fd_set fdread; ++ fd_set fdwrite; ++ fd_set fdexcep; ++ int maxfd = -1; ++ ++ long curl_timeo = -1; ++ ++ FD_ZERO(&fdread); ++ FD_ZERO(&fdwrite); ++ FD_ZERO(&fdexcep); ++ ++ /* set a suitable timeout to play around with */ ++ timeout.tv_sec = 1; ++ timeout.tv_usec = 0; ++ ++ curl_multi_timeout(mcurl, &curl_timeo); ++ if(curl_timeo >= 0) { ++ timeout.tv_sec = curl_timeo / 1000; ++ if(timeout.tv_sec > 1) ++ timeout.tv_sec = 1; ++ else ++ timeout.tv_usec = (curl_timeo % 1000) * 1000; ++ } ++ ++ /* get file descriptors from the transfers */ ++ curl_multi_fdset(mcurl, &fdread, &fdwrite, 
&fdexcep, &maxfd); ++ ++ /* In a real-world program you OF COURSE check the return code of the ++ function calls. On success, the value of maxfd is guaranteed to be ++ greater or equal than -1. We call select(maxfd + 1, ...), specially in ++ case of (maxfd == -1), we call select(0, ...), which is basically equal ++ to sleep. */ ++ ++ rc = select(maxfd+1, &fdread, &fdwrite, &fdexcep, &timeout); ++ ++ if (tvdiff(tvnow(), mp_start) > MULTI_PERFORM_HANG_TIMEOUT) { ++ fprintf(stderr, "ABORTING TEST, since it seems " ++ "that it would have run forever.\n"); ++ break; ++ } ++ ++ switch(rc) { ++ case -1: ++ /* select error */ ++ break; ++ case 0: /* timeout */ ++ default: /* action */ ++ curl_multi_perform(mcurl, &still_running); ++ break; ++ } ++ } ++ ++ curl_slist_free_all(rcpt_list); ++ curl_multi_remove_handle(mcurl, curl); ++ curl_multi_cleanup(mcurl); ++ curl_easy_cleanup(curl); ++ curl_global_cleanup(); ++ return 0; ++} ++ ++ +-- +1.7.1 + + +From 55004df420d1e520d84fded41a4d16f36acee119 Mon Sep 17 00:00:00 2001 +From: Kamil Dudka +Date: Mon, 9 Sep 2013 13:10:53 +0200 +Subject: [PATCH 2/2] url: handle abortion by read/write callbacks, too + +Otherwise, the FTP protocol would unnecessarily hang 60 seconds if +aborted in the CURLOPT_HEADERFUNCTION callback. + +Reported by: Tomas Mlcoch +Bug: https://bugzilla.redhat.com/1005686 + +[upstream commit c639d725a37c91fb49bb3a689cb2596fad3a0645] +--- + lib/url.c | 8 +++++++- + 1 files changed, 7 insertions(+), 1 deletions(-) + +diff --git a/lib/url.c b/lib/url.c +index a6375a2..bddbd91 100644 +--- a/lib/url.c ++++ b/lib/url.c +@@ -5222,12 +5222,18 @@ CURLcode Curl_done(struct connectdata **connp, + conn->dns_entry = NULL; + } + +- if(status == CURLE_ABORTED_BY_CALLBACK) ++ switch(status) { ++ case CURLE_ABORTED_BY_CALLBACK: ++ case CURLE_READ_ERROR: ++ case CURLE_WRITE_ERROR: + /* When we're aborted due to a callback return code it basically have to + be counted as premature as there is trouble ahead if we don't. 
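Review bot: Both early exits in test() of the new lib1507.c skip cleanup: `if(!curl) return 1;` leaves curl_global_init() unmatched, and `if(!mcurl) return 2;` additionally leaks the easy handle, which matters if the included memdebug.h is what the suite uses for leak tracking (presumably so). Release what was acquired before returning, e.g. `if(!mcurl) { curl_easy_cleanup(curl); curl_global_cleanup(); return 2; }`. At the end, `curl_slist_free_all(rcpt_list)` runs while the easy handle still holds the list through CURLOPT_MAIL_RCPT; move it after `curl_easy_cleanup(curl)`. Also parenthesize the macro, `#define MULTI_PERFORM_HANG_TIMEOUT (60 * 1000)`, so it stays correct inside a larger expression.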
We have + many callbacks and protocols work differently, we could potentially do + this more fine-grained in the future. */ + premature = TRUE; ++ default: ++ break; ++ } + + /* this calls the protocol-specific function pointer previously set */ + if(conn->handler->done) +-- +1.7.1 + diff --git a/0013-curl-7.27.0-b37b5233.patch b/0013-curl-7.27.0-b37b5233.patch deleted file mode 100644 index 63c2779..0000000 --- a/0013-curl-7.27.0-b37b5233.patch +++ /dev/null @@ -1,35 +0,0 @@ -From a0d7db27c1cf8edbde1d468d655be942bcacb39c Mon Sep 17 00:00:00 2001 -From: Zdenek Pavlas -Date: Fri, 26 Apr 2013 14:56:38 +0200 -Subject: [PATCH] url: initialize speed-check data for file:// protocol - -... in order to prevent an artificial timeout event based on stale -speed-check data from a previous network transfer. This commit fixes -a regression caused by 9dd85bced56f6951107f69e581c872c1e7e3e58e. - -Bug: https://bugzilla.redhat.com/906031 - -[upstream commit b37b5233cab96b5b1f2ab7f6e0b9c3df77320bba] - -Signed-off-by: Kamil Dudka ---- - lib/url.c | 3 +++ - 1 files changed, 3 insertions(+), 0 deletions(-) - -diff --git a/lib/url.c b/lib/url.c -index 87b8701..da53086 100644 ---- a/lib/url.c -+++ b/lib/url.c -@@ -5058,6 +5058,9 @@ static CURLcode create_conn(struct SessionHandle *data, - -1, NULL); /* no upload */ - } - -+ /* since we skip do_init() */ -+ Curl_speedinit(data); -+ - return result; - } - #endif --- -1.7.1 - diff --git a/0013-curl-7.29.0-665c160f.patch b/0013-curl-7.29.0-665c160f.patch new file mode 100644 index 0000000..d7c2ddf --- /dev/null +++ b/0013-curl-7.29.0-665c160f.patch 
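Review bot: The new `switch(status)` in Curl_done runs from `premature = TRUE;` straight into `default:` with no `break;` and no fall-through comment. It is harmless today because `default` only breaks, but adding `break;` after `premature = TRUE;` keeps a later edit to `default` from changing the abort path. The retained comment still speaks only of "a callback return code", while the cases now include CURLE_READ_ERROR and CURLE_WRITE_ERROR; if those can also come from plain I/O failures (not visible here), the comment should say they are deliberately treated as premature. Curl_done starts and ends outside the hunk.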
@@ -0,0 +1,86 @@ +From 311a22b801693bf8b748169f35bde7bef744da8c Mon Sep 17 00:00:00 2001 +From: Kamil Dudka +Date: Wed, 29 Jan 2014 12:55:36 +0100 +Subject: [PATCH 1/2] nss: do not fail if NSS does not implement a cipher + +... that the user does not ask for + +[upstream commit e15e73b741a2ddc88d166d2cec86d2bebb5d349e] +--- + lib/nss.c | 9 +++++---- + 1 files changed, 5 insertions(+), 4 deletions(-) + +diff --git a/lib/nss.c b/lib/nss.c +index a2c5c63..c4ffe7b 100644 +--- a/lib/nss.c ++++ b/lib/nss.c +@@ -192,14 +192,13 @@ static SECStatus set_ciphers(struct SessionHandle *data, PRFileDesc * model, + PRBool cipher_state[NUM_OF_CIPHERS]; + PRBool found; + char *cipher; +- SECStatus rv; + + /* First disable all ciphers. This uses a different max value in case + * NSS adds more ciphers later we don't want them available by + * accident + */ + for(i=0; i +Date: Wed, 29 Jan 2014 13:03:46 +0100 +Subject: [PATCH 2/2] nss: do not use the NSS_ENABLE_ECC define + +It is not provided by NSS public headers. + +Bug: https://bugzilla.redhat.com/1058776 + +[upstream commit 665c160f0a4635565b44704ca281d2a03e715d6d] +--- + lib/nss.c | 2 -- + 1 files changed, 0 insertions(+), 2 deletions(-) + +diff --git a/lib/nss.c b/lib/nss.c +index c4ffe7b..111982f 100644 +--- a/lib/nss.c ++++ b/lib/nss.c +@@ -126,7 +126,6 @@ static const cipher_s cipherlist[] = { + /* AES ciphers. */ + {"rsa_aes_128_sha", TLS_RSA_WITH_AES_128_CBC_SHA}, + {"rsa_aes_256_sha", TLS_RSA_WITH_AES_256_CBC_SHA}, +-#ifdef NSS_ENABLE_ECC + /* ECC ciphers. 
*/ + {"ecdh_ecdsa_null_sha", TLS_ECDH_ECDSA_WITH_NULL_SHA}, + {"ecdh_ecdsa_rc4_128_sha", TLS_ECDH_ECDSA_WITH_RC4_128_SHA}, +@@ -153,7 +152,6 @@ static const cipher_s cipherlist[] = { + {"ecdh_anon_3des_sha", TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA}, + {"ecdh_anon_aes_128_sha", TLS_ECDH_anon_WITH_AES_128_CBC_SHA}, + {"ecdh_anon_aes_256_sha", TLS_ECDH_anon_WITH_AES_256_CBC_SHA}, +-#endif + }; + + /* following ciphers are new in NSS 3.4 and not enabled by default, therefore +-- +1.7.1 + diff --git a/0014-curl-7.27.0-9d0af301.patch b/0014-curl-7.27.0-9d0af301.patch deleted file mode 100644 index 739bbe7..0000000 --- a/0014-curl-7.27.0-9d0af301.patch +++ /dev/null 
@@ -1,95 +0,0 @@ -From c7bd0361565f70caf621f588e38bfc6cc196c432 Mon Sep 17 00:00:00 2001 -From: Kamil Dudka -Date: Tue, 5 Mar 2013 17:51:01 +0100 -Subject: [PATCH 1/2] nss: fix misplaced code enabling non-blocking socket mode - -The option needs to be set on the SSL socket. Setting it on the model -takes no effect. Note that the non-blocking mode is still not enabled -for the handshake because the code is not yet ready for that. - -[upstream commit 9d0af3018c5db25f5adda216dbcad6056b4a3107] ---- - lib/nss.c | 12 ++++++------ - 1 files changed, 6 insertions(+), 6 deletions(-) - -diff --git a/lib/nss.c b/lib/nss.c -index efa578c..0ad1863 100644 ---- a/lib/nss.c -+++ b/lib/nss.c -@@ -1240,12 +1240,6 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex) - goto error; - model = SSL_ImportFD(NULL, model); - -- /* make the socket nonblocking */ -- sock_opt.option = PR_SockOpt_Nonblocking; -- sock_opt.value.non_blocking = PR_TRUE; -- if(PR_SetSocketOption(model, &sock_opt) != PR_SUCCESS) -- goto error; -- - if(SSL_OptionSet(model, SSL_SECURITY, PR_TRUE) != SECSuccess) - goto error; - if(SSL_OptionSet(model, SSL_HANDSHAKE_AS_SERVER, PR_FALSE) != SECSuccess) -@@ -1420,6 +1414,12 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex) - goto error; - } - -+ /* switch the SSL socket into non-blocking mode */ -+ sock_opt.option = PR_SockOpt_Nonblocking; -+ sock_opt.value.non_blocking = PR_TRUE; -+ if(PR_SetSocketOption(connssl->handle, &sock_opt) != PR_SUCCESS) -+ goto error; -+ - connssl->state = ssl_connection_complete; - conn->recv[sockindex] = nss_recv; - conn->send[sockindex] = nss_send; --- -1.7.1 - - -From f3a5d46280264965ca096c9b3efba481d4883d0e Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Tue, 7 May 2013 23:30:52 +0200 -Subject: [PATCH 2/2] nss: give PR_INTERVAL_NO_WAIT instead of -1 to PR_Recv/PR_Send - -Reported by: David Strauss -Bug: http://curl.haxx.se/mail/lib-2013-05/0088.html - -[upstream commit 
01a2abedd7e3a2075de70979003302313570c58c] - -Signed-off-by: Kamil Dudka ---- - lib/nss.c | 11 ++++------- - 1 files changed, 4 insertions(+), 7 deletions(-) - -diff --git a/lib/nss.c b/lib/nss.c -index 0ad1863..f69a888 100644 ---- a/lib/nss.c -+++ b/lib/nss.c -@@ -1487,10 +1487,8 @@ static ssize_t nss_send(struct connectdata *conn, /* connection data */ - size_t len, /* amount to write */ - CURLcode *curlcode) - { -- int rc; -- -- rc = PR_Send(conn->ssl[sockindex].handle, mem, (int)len, 0, -1); -- -+ ssize_t rc = PR_Send(conn->ssl[sockindex].handle, mem, (int)len, 0, -+ PR_INTERVAL_NO_WAIT); - if(rc < 0) { - PRInt32 err = PR_GetError(); - if(err == PR_WOULD_BLOCK_ERROR) -@@ -1518,9 +1516,8 @@ static ssize_t nss_recv(struct connectdata * conn, /* connection data */ - size_t buffersize, /* max amount to read */ - CURLcode *curlcode) - { -- ssize_t nread; -- -- nread = PR_Recv(conn->ssl[num].handle, buf, (int)buffersize, 0, -1); -+ ssize_t nread = PR_Recv(conn->ssl[num].handle, buf, (int)buffersize, 0, -+ PR_INTERVAL_NO_WAIT); - if(nread < 0) { - /* failed SSL read */ - PRInt32 err = PR_GetError(); --- -1.7.1 - diff --git a/0014-curl-7.29.0-8ae35102.patch b/0014-curl-7.29.0-8ae35102.patch new file mode 100644 index 0000000..9daa26d --- /dev/null +++ b/0014-curl-7.29.0-8ae35102.patch 
@@ -0,0 +1,42 @@ +From 8683703ef3978983e61329801aecc554aec06055 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Tue, 7 Jan 2014 09:33:54 +0100 +Subject: [PATCH] ConnectionExists: fix NTLM check for new connection + +When the requested authentication bitmask includes NTLM, we cannot +re-use a connection for another username/password as we then risk +re-using NTLM (connection-based auth). + +This has the unfortunate downside that if you include NTLM as a possible +auth, you cannot re-use connections for other usernames/passwords even +if NTLM doesn't end up the auth type used. + +Reported-by: Paras S +Patched-by: Paras S +Bug: http://curl.haxx.se/mail/lib-2014-01/0046.html + +[upstream commit 8ae35102c43d8d06572c3a1292eb6e27e663c78d] + +Signed-off-by: Kamil Dudka +--- + lib/url.c | 4 ++-- + 1 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/lib/url.c b/lib/url.c +index bddbd91..313ec3e 100644 +--- a/lib/url.c ++++ b/lib/url.c +@@ -2782,8 +2782,8 @@ ConnectionExists(struct SessionHandle *data, + struct connectdata *check; + struct connectdata *chosen = 0; + bool canPipeline = IsPipeliningPossible(data, needle); +- bool wantNTLM = (data->state.authhost.want==CURLAUTH_NTLM) || +- (data->state.authhost.want==CURLAUTH_NTLM_WB) ? TRUE : FALSE; ++ bool wantNTLM = (data->state.authhost.want & CURLAUTH_NTLM) || ++ (data->state.authhost.want & CURLAUTH_NTLM_WB) ? TRUE : FALSE; + struct connectbundle *bundle; + + /* Look up the bundle with all the connections to this +-- +1.7.1 + diff --git a/0015-curl-7.27.0-192c4f78.patch b/0015-curl-7.27.0-192c4f78.patch deleted file mode 100644 index 299f386..0000000 --- a/0015-curl-7.27.0-192c4f78.patch +++ /dev/null 
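Review bot: `wantNTLM` in ConnectionExists is derived only from `data->state.authhost.want`, so the reuse restriction described in the commit message covers host authentication. Whether a proxy NTLM bitmask gets the same treatment is not visible in this hunk and should be confirmed, since reusing a connection-authenticated NTLM session for different credentials is exactly the risk being closed. The expression also depends on `||` binding tighter than `?:`; a single mask test is easier to audit: `bool wantNTLM = (data->state.authhost.want & (CURLAUTH_NTLM | CURLAUTH_NTLM_WB)) ? TRUE : FALSE;`. The function body continues outside the hunk.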
@@ -1,43 +0,0 @@ -From 25089c2c69028f0549facf93f7bdbf7344277f09 Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Sun, 19 May 2013 23:24:29 +0200 -Subject: [PATCH] Curl_urldecode: no peeking beyond end of input buffer - -Security problem: CVE-2013-2174 - -If a program would give a string like "%FF" to curl_easy_unescape() but -ask for it to decode only the first byte, it would still parse and -decode the full hex sequence. The function then not only read beyond the -allowed buffer but it would also deduct the *unsigned* counter variable -for how many more bytes there's left to read in the buffer by two, -making the counter wrap. Continuing this, the function would go on -reading beyond the buffer and soon writing beyond the allocated target -buffer... - -Bug: http://curl.haxx.se/docs/adv_20130622.html -Reported-by: Timo Sirainen - -[upstream commit 192c4f788d48f82c03e9cef40013f34370e90737] - -Signed-off-by: Kamil Dudka ---- - lib/escape.c | 3 ++- - 1 files changed, 2 insertions(+), 1 deletions(-) - -diff --git a/lib/escape.c b/lib/escape.c -index 6a26cf8..a567edb 100644 ---- a/lib/escape.c -+++ b/lib/escape.c -@@ -159,7 +159,8 @@ CURLcode Curl_urldecode(struct SessionHandle *data, - - while(--alloc > 0) { - in = *string; -- if(('%' == in) && ISXDIGIT(string[1]) && ISXDIGIT(string[2])) { -+ if(('%' == in) && (alloc > 2) && -+ ISXDIGIT(string[1]) && ISXDIGIT(string[2])) { - /* this is two hexadecimal digits following a '%' */ - char hexstr[3]; - char *ptr; --- -1.7.1 - diff --git a/0015-curl-7.29.0-7fc9325a.patch b/0015-curl-7.29.0-7fc9325a.patch new file mode 100644 index 0000000..7b6c5fe --- /dev/null +++ b/0015-curl-7.29.0-7fc9325a.patch 
@@ -0,0 +1,1090 @@ +From a7b1ea3537b30450ad82d2c64d31dcecaed60fca Mon Sep 17 00:00:00 2001 +From: Gergely Nagy +Date: Thu, 19 Sep 2013 15:17:13 +0200 +Subject: [PATCH 1/9] SSL: protocol version can be specified more precisely + +CURL_SSLVERSION_TLSv1_0, CURL_SSLVERSION_TLSv1_1, +CURL_SSLVERSION_TLSv1_2 enum values are added to force exact TLS version +(CURL_SSLVERSION_TLSv1 means TLS 1.x). + +axTLS: +axTLS only supports TLS 1.0 and 1.1 but it cannot be set that only one +of these should be used, so we don't allow the new enum values. + +darwinssl: +Added support for the new enum values. + +SChannel: +Added support for the new enum values. + +CyaSSL: +Added support for the new enum values. +Bug: The original CURL_SSLVERSION_TLSv1 value enables only TLS 1.0 (it +did the same before this commit), because CyaSSL cannot be configured to +use TLS 1.0-1.2. + +GSKit: +GSKit doesn't seem to support TLS 1.1 and TLS 1.2, so we do not allow +those values. +Bugfix: There was a typo that caused wrong SSL versions to be passed to +GSKit. + +NSS: +TLS minor version cannot be set, so we don't allow the new enum values. + +QsoSSL: +TLS minor version cannot be set, so we don't allow the new enum values. + +OpenSSL: +Added support for the new enum values. +Bugfix: The original CURL_SSLVERSION_TLSv1 value enabled only TLS 1.0, +now it enables 1.0-1.2. + +Command-line tool: +Added command line options for the new values. 
+ +[upstream commit ad34a2d5c87c7f4b14e8dded34569395de0d8c5b] +--- + docs/libcurl/curl_easy_setopt.3 | 8 +++++- + docs/libcurl/symbols-in-versions | 3 ++ + include/curl/curl.h | 5 +++- + lib/axtls.c | 3 +- + lib/curl_darwinssl.c | 34 +++++++++++++++++++++++++ + lib/curl_schannel.c | 9 ++++++ + lib/cyassl.c | 13 +++++++++- + lib/nss.c | 6 ++++ + lib/qssl.c | 6 ++++ + lib/ssluse.c | 51 +++++++++++++++++++++++++++---------- + packages/OS400/curl.inc.in | 6 ++++ + src/tool_getparam.c | 25 ++++++++++++++++-- + src/tool_setopt.c | 3 ++ + 13 files changed, 151 insertions(+), 21 deletions(-) + +diff --git a/docs/libcurl/curl_easy_setopt.3 b/docs/libcurl/curl_easy_setopt.3 +index 3d31aef..92db8f4 100644 +--- a/docs/libcurl/curl_easy_setopt.3 ++++ b/docs/libcurl/curl_easy_setopt.3 +@@ -2219,11 +2219,17 @@ The default action. This will attempt to figure out the remote SSL protocol + version, i.e. either SSLv3 or TLSv1 (but not SSLv2, which became disabled + by default with 7.18.1). + .IP CURL_SSLVERSION_TLSv1 +-Force TLSv1 ++Force TLSv1.x + .IP CURL_SSLVERSION_SSLv2 + Force SSLv2 + .IP CURL_SSLVERSION_SSLv3 + Force SSLv3 ++.IP CURL_SSLVERSION_TLSv1_0 ++Force TLSv1.0 ++.IP CURL_SSLVERSION_TLSv1_1 ++Force TLSv1.1 ++.IP CURL_SSLVERSION_TLSv1_2 ++Force TLSv1.2 + .RE + .IP CURLOPT_SSL_VERIFYPEER + Pass a long as parameter. By default, curl assumes a value of 1. 
+diff --git a/docs/libcurl/symbols-in-versions b/docs/libcurl/symbols-in-versions +index 37b5e27..57fa6eb 100644 +--- a/docs/libcurl/symbols-in-versions ++++ b/docs/libcurl/symbols-in-versions +@@ -678,6 +678,9 @@ CURL_SSLVERSION_DEFAULT 7.9.2 + CURL_SSLVERSION_SSLv2 7.9.2 + CURL_SSLVERSION_SSLv3 7.9.2 + CURL_SSLVERSION_TLSv1 7.9.2 ++CURL_SSLVERSION_TLSv1_0 7.33.0 ++CURL_SSLVERSION_TLSv1_1 7.33.0 ++CURL_SSLVERSION_TLSv1_2 7.33.0 + CURL_TIMECOND_IFMODSINCE 7.9.7 + CURL_TIMECOND_IFUNMODSINCE 7.9.7 + CURL_TIMECOND_LASTMOD 7.9.7 +diff --git a/include/curl/curl.h b/include/curl/curl.h +index 80e4cf5..8e548e3 100644 +--- a/include/curl/curl.h ++++ b/include/curl/curl.h +@@ -1625,9 +1625,12 @@ enum CURL_NETRC_OPTION { + + enum { + CURL_SSLVERSION_DEFAULT, +- CURL_SSLVERSION_TLSv1, ++ CURL_SSLVERSION_TLSv1, /* TLS 1.x */ + CURL_SSLVERSION_SSLv2, + CURL_SSLVERSION_SSLv3, ++ CURL_SSLVERSION_TLSv1_0, ++ CURL_SSLVERSION_TLSv1_1, ++ CURL_SSLVERSION_TLSv1_2, + + CURL_SSLVERSION_LAST /* never use, keep last */ + }; +diff --git a/lib/axtls.c b/lib/axtls.c +index d512950..68794b5 100644 +--- a/lib/axtls.c ++++ b/lib/axtls.c +@@ -169,7 +169,8 @@ Curl_axtls_connect(struct connectdata *conn, + case CURL_SSLVERSION_TLSv1: + break; + default: +- failf(data, "axTLS only supports TLSv1"); ++ failf(data, "axTLS only supports TLS 1.0 and 1.1, " ++ "and it cannot be specified which one to use"); + return CURLE_SSL_CONNECT_ERROR; + } + +diff --git a/lib/curl_darwinssl.c b/lib/curl_darwinssl.c +index 827c876..69eff8a 100644 +--- a/lib/curl_darwinssl.c ++++ b/lib/curl_darwinssl.c +@@ -719,6 +719,18 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn, + (void)SSLSetProtocolVersionMin(connssl->ssl_ctx, kTLSProtocol1); + (void)SSLSetProtocolVersionMax(connssl->ssl_ctx, kTLSProtocol12); + break; ++ case CURL_SSLVERSION_TLSv1_0: ++ (void)SSLSetProtocolVersionMin(connssl->ssl_ctx, kTLSProtocol1); ++ (void)SSLSetProtocolVersionMax(connssl->ssl_ctx, kTLSProtocol1); ++ break; ++ case 
CURL_SSLVERSION_TLSv1_1: ++ (void)SSLSetProtocolVersionMin(connssl->ssl_ctx, kTLSProtocol11); ++ (void)SSLSetProtocolVersionMax(connssl->ssl_ctx, kTLSProtocol11); ++ break; ++ case CURL_SSLVERSION_TLSv1_2: ++ (void)SSLSetProtocolVersionMin(connssl->ssl_ctx, kTLSProtocol12); ++ (void)SSLSetProtocolVersionMax(connssl->ssl_ctx, kTLSProtocol12); ++ break; + case CURL_SSLVERSION_SSLv3: + (void)SSLSetProtocolVersionMin(connssl->ssl_ctx, kSSLProtocol3); + (void)SSLSetProtocolVersionMax(connssl->ssl_ctx, kSSLProtocol3); +@@ -759,6 +771,21 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn, + kTLSProtocol12, + true); + break; ++ case CURL_SSLVERSION_TLSv1_0: ++ (void)SSLSetProtocolVersionEnabled(connssl->ssl_ctx, ++ kTLSProtocol1, ++ true); ++ break; ++ case CURL_SSLVERSION_TLSv1_1: ++ (void)SSLSetProtocolVersionEnabled(connssl->ssl_ctx, ++ kTLSProtocol11, ++ true); ++ break; ++ case CURL_SSLVERSION_TLSv1_2: ++ (void)SSLSetProtocolVersionEnabled(connssl->ssl_ctx, ++ kTLSProtocol12, ++ true); ++ break; + case CURL_SSLVERSION_SSLv3: + (void)SSLSetProtocolVersionEnabled(connssl->ssl_ctx, + kSSLProtocol3, +@@ -785,10 +812,17 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn, + true); + break; + case CURL_SSLVERSION_TLSv1: ++ case CURL_SSLVERSION_TLSv1_0: + (void)SSLSetProtocolVersionEnabled(connssl->ssl_ctx, + kTLSProtocol1, + true); + break; ++ case CURL_SSLVERSION_TLSv1_1: ++ failf(data, "Your version of the OS does not support TLSv1.1"); ++ return CURLE_SSL_CONNECT_ERROR; ++ case CURL_SSLVERSION_TLSv1_2: ++ failf(data, "Your version of the OS does not support TLSv1.2"); ++ return CURLE_SSL_CONNECT_ERROR; + case CURL_SSLVERSION_SSLv2: + (void)SSLSetProtocolVersionEnabled(connssl->ssl_ctx, + kSSLProtocol2, +diff --git a/lib/curl_schannel.c b/lib/curl_schannel.c +index a615f57..19b7f71 100644 +--- a/lib/curl_schannel.c ++++ b/lib/curl_schannel.c +@@ -180,6 +180,15 @@ schannel_connect_step1(struct connectdata *conn, int sockindex) + 
SP_PROT_TLS1_1_CLIENT | + SP_PROT_TLS1_2_CLIENT; + break; ++ case CURL_SSLVERSION_TLSv1_0: ++ schannel_cred.grbitEnabledProtocols = SP_PROT_TLS1_0_CLIENT; ++ break; ++ case CURL_SSLVERSION_TLSv1_1: ++ schannel_cred.grbitEnabledProtocols = SP_PROT_TLS1_1_CLIENT; ++ break; ++ case CURL_SSLVERSION_TLSv1_2: ++ schannel_cred.grbitEnabledProtocols = SP_PROT_TLS1_2_CLIENT; ++ break; + case CURL_SSLVERSION_SSLv3: + schannel_cred.grbitEnabledProtocols = SP_PROT_SSL3_CLIENT; + break; +diff --git a/lib/cyassl.c b/lib/cyassl.c +index 7c78464..ff11bdd 100644 +--- a/lib/cyassl.c ++++ b/lib/cyassl.c +@@ -5,7 +5,7 @@ + * | (__| |_| | _ <| |___ + * \___|\___/|_| \_\_____| + * +- * Copyright (C) 1998 - 2012, Daniel Stenberg, , et al. ++ * Copyright (C) 1998 - 2013, Daniel Stenberg, , et al. + * + * This software is licensed as described in the file COPYING, which + * you should have received as part of this distribution. The terms +@@ -98,8 +98,19 @@ cyassl_connect_step1(struct connectdata *conn, + req_method = SSLv23_client_method(); + break; + case CURL_SSLVERSION_TLSv1: ++ infof(data, "CyaSSL cannot be configured to use TLS 1.0-1.2, " ++ "TLS 1.0 is used exclusively\n"); + req_method = TLSv1_client_method(); + break; ++ case CURL_SSLVERSION_TLSv1_0: ++ req_method = TLSv1_client_method(); ++ break; ++ case CURL_SSLVERSION_TLSv1_1: ++ req_method = TLSv1_1_client_method(); ++ break; ++ case CURL_SSLVERSION_TLSv1_2: ++ req_method = TLSv1_2_client_method(); ++ break; + case CURL_SSLVERSION_SSLv3: + req_method = SSLv3_client_method(); + break; +diff --git a/lib/nss.c b/lib/nss.c +index 111982f..ff93a38 100644 +--- a/lib/nss.c ++++ b/lib/nss.c +@@ -1266,6 +1266,12 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex) + case CURL_SSLVERSION_SSLv3: + ssl3 = PR_TRUE; + break; ++ case CURL_SSLVERSION_TLSv1_0: ++ case CURL_SSLVERSION_TLSv1_1: ++ case CURL_SSLVERSION_TLSv1_2: ++ failf(data, "TLS minor version cannot be set\n"); ++ curlerr = CURLE_SSL_CONNECT_ERROR; ++ goto 
error; + } + + if(SSL_OptionSet(model, SSL_ENABLE_SSL2, ssl2) != SECSuccess) +diff --git a/lib/qssl.c b/lib/qssl.c +index 8ef6fec..8b5e499 100644 +--- a/lib/qssl.c ++++ b/lib/qssl.c +@@ -206,6 +206,12 @@ static CURLcode Curl_qsossl_handshake(struct connectdata * conn, int sockindex) + case CURL_SSLVERSION_SSLv3: + h->protocol = SSL_VERSION_3; + break; ++ ++ case CURL_SSLVERSION_TLSv1_0: ++ case CURL_SSLVERSION_TLSv1_1: ++ case CURL_SSLVERSION_TLSv1_2: ++ failf(data, "TLS minor version cannot be set"); ++ return CURLE_SSL_CONNECT_ERROR; + } + + rc = SSL_Handshake(h, SSL_HANDSHAKE_AS_CLIENT); +diff --git a/lib/ssluse.c b/lib/ssluse.c +index 4a0dba7..dd99435 100644 +--- a/lib/ssluse.c ++++ b/lib/ssluse.c +@@ -1389,19 +1389,12 @@ ossl_connect_step1(struct connectdata *conn, + switch(data->set.ssl.version) { + default: + case CURL_SSLVERSION_DEFAULT: +-#ifdef USE_TLS_SRP +- if(data->set.ssl.authtype == CURL_TLSAUTH_SRP) { +- infof(data, "Set version TLSv1 for SRP authorisation\n"); +- req_method = TLSv1_client_method() ; +- } +- else +-#endif +- /* we try to figure out version */ +- req_method = SSLv23_client_method(); +- use_sni(TRUE); +- break; + case CURL_SSLVERSION_TLSv1: +- req_method = TLSv1_client_method(); ++ case CURL_SSLVERSION_TLSv1_0: ++ case CURL_SSLVERSION_TLSv1_1: ++ case CURL_SSLVERSION_TLSv1_2: ++ /* it will be handled later with the context options */ ++ req_method = SSLv23_client_method(); + use_sni(TRUE); + break; + case CURL_SSLVERSION_SSLv2: +@@ -1514,9 +1507,39 @@ ossl_connect_step1(struct connectdata *conn, + ctx_options &= ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS; + #endif + +- /* disable SSLv2 in the default case (i.e. 
allow SSLv3 and TLSv1) */ +- if(data->set.ssl.version == CURL_SSLVERSION_DEFAULT) ++ switch(data->set.ssl.version) { ++ case CURL_SSLVERSION_DEFAULT: ++ ctx_options |= SSL_OP_NO_SSLv2; ++#ifdef USE_TLS_SRP ++ if(data->set.ssl.authtype == CURL_TLSAUTH_SRP) { ++ infof(data, "Set version TLSv1.x for SRP authorisation\n"); ++ ctx_options |= SSL_OP_NO_SSLv3; ++ } ++#endif ++ break; ++ case CURL_SSLVERSION_TLSv1: ++ ctx_options |= SSL_OP_NO_SSLv2; ++ ctx_options |= SSL_OP_NO_SSLv3; ++ break; ++ case CURL_SSLVERSION_TLSv1_0: + ctx_options |= SSL_OP_NO_SSLv2; ++ ctx_options |= SSL_OP_NO_SSLv3; ++ ctx_options |= SSL_OP_NO_TLSv1_1; ++ ctx_options |= SSL_OP_NO_TLSv1_2; ++ break; ++ case CURL_SSLVERSION_TLSv1_1: ++ ctx_options |= SSL_OP_NO_SSLv2; ++ ctx_options |= SSL_OP_NO_SSLv3; ++ ctx_options |= SSL_OP_NO_TLSv1; ++ ctx_options |= SSL_OP_NO_TLSv1_2; ++ break; ++ case CURL_SSLVERSION_TLSv1_2: ++ ctx_options |= SSL_OP_NO_SSLv2; ++ ctx_options |= SSL_OP_NO_SSLv3; ++ ctx_options |= SSL_OP_NO_TLSv1; ++ ctx_options |= SSL_OP_NO_TLSv1_1; ++ break; ++ } + + SSL_CTX_set_options(connssl->ctx, ctx_options); + +diff --git a/packages/OS400/curl.inc.in b/packages/OS400/curl.inc.in +index 33ca12a..22a5511 100644 +--- a/packages/OS400/curl.inc.in ++++ b/packages/OS400/curl.inc.in +@@ -226,6 +226,12 @@ + d c 2 + d CURL_SSLVERSION_SSLv3... + d c 3 ++ d CURL_SSLVERSION_TLSv1_0... ++ d c 4 ++ d CURL_SSLVERSION_TLSv1_1... ++ d c 5 ++ d CURL_SSLVERSION_TLSv1_2... ++ d c 6 + * + d CURL_TLSAUTH_NONE... 
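Review bot: The second `switch(data->set.ssl.version)` in ossl_connect_step1 has no `default:` label, while the first switch in this patch routes `default:` to `SSLv23_client_method()`. A version value outside the enum would therefore negotiate without `SSL_OP_NO_SSLv2` being set. Put `default:` next to `case CURL_SSLVERSION_DEFAULT:` in the options switch so the two switches agree. Separately, `SSL_OP_NO_TLSv1_1` and `SSL_OP_NO_TLSv1_2` are used without a preprocessor guard; if the supported OpenSSL baseline predates those macros (not visible from this hunk), the file will not compile, and those cases need a guard or a failf() for such builds. The function starts and ends outside the hunk.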
+ d c 0 +diff --git a/src/tool_getparam.c b/src/tool_getparam.c +index 297b986..98d53a7 100644 +--- a/src/tool_getparam.c ++++ b/src/tool_getparam.c +@@ -175,6 +175,9 @@ static const struct LongShort aliases[]= { + {"$J", "metalink", FALSE}, + {"0", "http1.0", FALSE}, + {"1", "tlsv1", FALSE}, ++ {"10", "tlsv1.0", FALSE}, ++ {"11", "tlsv1.1", FALSE}, ++ {"12", "tlsv1.2", FALSE}, + {"2", "sslv2", FALSE}, + {"3", "sslv3", FALSE}, + {"4", "ipv4", FALSE}, +@@ -873,9 +876,25 @@ ParameterError getparameter(char *flag, /* f or -long-flag */ + /* HTTP version 1.0 */ + config->httpversion = CURL_HTTP_VERSION_1_0; + break; +- case '1': +- /* TLS version 1 */ +- config->ssl_version = CURL_SSLVERSION_TLSv1; ++ case '1': /* --tlsv1* options */ ++ switch(subletter) { ++ case '\0': ++ /* TLS version 1.x */ ++ config->ssl_version = CURL_SSLVERSION_TLSv1; ++ break; ++ case '0': ++ /* TLS version 1.0 */ ++ config->ssl_version = CURL_SSLVERSION_TLSv1_0; ++ break; ++ case '1': ++ /* TLS version 1.1 */ ++ config->ssl_version = CURL_SSLVERSION_TLSv1_1; ++ break; ++ case '2': ++ /* TLS version 1.2 */ ++ config->ssl_version = CURL_SSLVERSION_TLSv1_2; ++ break; ++ } + break; + case '2': + /* SSL version 2 */ +diff --git a/src/tool_setopt.c b/src/tool_setopt.c +index 4014177..9860117 100644 +--- a/src/tool_setopt.c ++++ b/src/tool_setopt.c +@@ -78,6 +78,9 @@ const NameValue setopt_nv_CURL_SSLVERSION[] = { + NV(CURL_SSLVERSION_TLSv1), + NV(CURL_SSLVERSION_SSLv2), + NV(CURL_SSLVERSION_SSLv3), ++ NV(CURL_SSLVERSION_TLSv1_0), ++ NV(CURL_SSLVERSION_TLSv1_1), ++ NV(CURL_SSLVERSION_TLSv1_2), + NVEND, + }; + +-- +1.7.1 + + +From 350765306d7e2946fc8295fa2bfc2fe0c14651fc Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Tue, 15 Oct 2013 20:31:04 +0200 +Subject: [PATCH 2/9] curl: document the new --tlsv1.[012] options + +[upstream commit 076726f1412205622414abd908723c4b33ca12cb] +--- + docs/curl.1 | 20 ++++++++++++++++---- + 1 files changed, 16 insertions(+), 4 deletions(-) + +diff --git 
a/docs/curl.1 b/docs/curl.1 +index b350865..53b378c 100644 +--- a/docs/curl.1 ++++ b/docs/curl.1 +@@ -1419,14 +1419,26 @@ Set TLS authentication type. Currently, the only supported option is "SRP", + for TLS-SRP (RFC 5054). If \fI--tlsuser\fP and \fI--tlspassword\fP are + specified but \fI--tlsauthtype\fP is not, then this option defaults to "SRP". + (Added in 7.21.4) +-.IP "--tlsuser " +-Set username for use with the TLS authentication method specified with +-\fI--tlsauthtype\fP. Requires that \fI--tlspassword\fP also be set. (Added in +-7.21.4) + .IP "--tlspassword " + Set password for use with the TLS authentication method specified with + \fI--tlsauthtype\fP. Requires that \fI--tlsuser\fP also be set. (Added in + 7.21.4) ++.IP "--tlsuser " ++Set username for use with the TLS authentication method specified with ++\fI--tlsauthtype\fP. Requires that \fI--tlspassword\fP also be set. (Added in ++7.21.4) ++.IP "--tlsv1.0" ++(SSL) ++Forces curl to use TLS version 1.0 when negotiating with a remote TLS server. ++(Added in 7.34.0) ++.IP "--tlsv1.1" ++(SSL) ++Forces curl to use TLS version 1.1 when negotiating with a remote TLS server. ++(Added in 7.34.0) ++.IP "--tlsv1.2" ++(SSL) ++Forces curl to use TLS version 1.2 when negotiating with a remote TLS server. ++(Added in 7.34.0) + .IP "--tr-encoding" + (HTTP) Request a compressed Transfer-Encoding response using one of the + algorithms curl supports, and uncompress the data while receiving it. 
+-- +1.7.1 + + +From ba2b4e87b396faab9ccb5a3ca9aca935a7a78a1b Mon Sep 17 00:00:00 2001 +From: Steve Holme +Date: Wed, 16 Oct 2013 20:06:23 +0100 +Subject: [PATCH 3/9] SSL: Corrected version number for new symbols from commit ad34a2d5c87c7f + +[upstream commit 2c84ffe1549ea7d5029ba7863f53013562e6758d] +--- + docs/libcurl/symbols-in-versions | 6 +++--- + 1 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/docs/libcurl/symbols-in-versions b/docs/libcurl/symbols-in-versions +index 57fa6eb..b275900 100644 +--- a/docs/libcurl/symbols-in-versions ++++ b/docs/libcurl/symbols-in-versions +@@ -678,9 +678,9 @@ CURL_SSLVERSION_DEFAULT 7.9.2 + CURL_SSLVERSION_SSLv2 7.9.2 + CURL_SSLVERSION_SSLv3 7.9.2 + CURL_SSLVERSION_TLSv1 7.9.2 +-CURL_SSLVERSION_TLSv1_0 7.33.0 +-CURL_SSLVERSION_TLSv1_1 7.33.0 +-CURL_SSLVERSION_TLSv1_2 7.33.0 ++CURL_SSLVERSION_TLSv1_0 7.34.0 ++CURL_SSLVERSION_TLSv1_1 7.34.0 ++CURL_SSLVERSION_TLSv1_2 7.34.0 + CURL_TIMECOND_IFMODSINCE 7.9.7 + CURL_TIMECOND_IFUNMODSINCE 7.9.7 + CURL_TIMECOND_LASTMOD 7.9.7 +-- +1.7.1 + + +From 5f908139b4e56c969bf6ef06c115a0a12353c827 Mon Sep 17 00:00:00 2001 +From: Steve Holme +Date: Wed, 16 Oct 2013 20:18:15 +0100 +Subject: [PATCH 4/9] DOCS: Added libcurl version number to CURLOPT_SSLVERSION + +[upstream commit 75b9b26465d5f01b52564293c2d553649f801f70] +--- + docs/libcurl/curl_easy_setopt.3 | 8 +++++--- + 1 files changed, 5 insertions(+), 3 deletions(-) + +diff --git a/docs/libcurl/curl_easy_setopt.3 b/docs/libcurl/curl_easy_setopt.3 +index 92db8f4..d73b664 100644 +--- a/docs/libcurl/curl_easy_setopt.3 ++++ b/docs/libcurl/curl_easy_setopt.3 +@@ -2212,6 +2212,8 @@ Even though this option doesn't need any parameter, in some configurations + arguments. Therefore, it's recommended to pass 1 as parameter to this option. + .IP CURLOPT_SSLVERSION + Pass a long as parameter to control what version of SSL/TLS to attempt to use. 
++(Added in 7.9.2) ++ + The available options are: + .RS + .IP CURL_SSLVERSION_DEFAULT +@@ -2225,11 +2227,11 @@ Force SSLv2 + .IP CURL_SSLVERSION_SSLv3 + Force SSLv3 + .IP CURL_SSLVERSION_TLSv1_0 +-Force TLSv1.0 ++Force TLSv1.0 (Added in 7.34.0) + .IP CURL_SSLVERSION_TLSv1_1 +-Force TLSv1.1 ++Force TLSv1.1 (Added in 7.34.0) + .IP CURL_SSLVERSION_TLSv1_2 +-Force TLSv1.2 ++Force TLSv1.2 (Added in 7.34.0) + .RE + .IP CURLOPT_SSL_VERIFYPEER + Pass a long as parameter. By default, curl assumes a value of 1. +-- +1.7.1 + + +From 7940044fc233f626b912b5f51a7a0111a4c145d3 Mon Sep 17 00:00:00 2001 +From: Kamil Dudka +Date: Mon, 25 Nov 2013 16:03:52 +0100 +Subject: [PATCH 5/9] nss: use a better API for controlling SSL version + +This change introduces a dependency on NSS 3.14+. + +[upstream commit 30e7e7552ba4397896ecac82ea04f38d52c4cc8f] +--- + configure | 20 ++++++++++---------- + configure.ac | 4 ++-- + docs/INTERNALS | 2 +- + lib/nss.c | 40 +++++++++++++++++++--------------------- + 4 files changed, 32 insertions(+), 34 deletions(-) + +diff --git a/configure b/configure +index 2496b3c..ebde78a 100755 +--- a/configure ++++ b/configure +@@ -23641,9 +23641,9 @@ $as_echo "found" >&6; } + CPPFLAGS="$CPPFLAGS $addcflags" + fi + +- { $as_echo "$as_me:${as_lineno-$LINENO}: checking for PK11_CreateGenericObject in -lnss3" >&5 +-$as_echo_n "checking for PK11_CreateGenericObject in -lnss3... " >&6; } +-if ${ac_cv_lib_nss3_PK11_CreateGenericObject+:} false; then : ++ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for SSL_VersionRangeSet in -lnss3" >&5 ++$as_echo_n "checking for SSL_VersionRangeSet in -lnss3... 
" >&6; } ++if ${ac_cv_lib_nss3_SSL_VersionRangeSet+:} false; then : + $as_echo_n "(cached) " >&6 + else + ac_check_lib_save_LIBS=$LIBS +@@ -23655,26 +23655,26 @@ cat confdefs.h - <<_ACEOF >conftest.$ac_ext + #ifdef __cplusplus + extern "C" + #endif +-char PK11_CreateGenericObject (); ++char SSL_VersionRangeSet (); + int main (void) + { +-return PK11_CreateGenericObject (); ++return SSL_VersionRangeSet (); + ; + return 0; + } + _ACEOF + if ac_fn_c_try_link "$LINENO"; then : +- ac_cv_lib_nss3_PK11_CreateGenericObject=yes ++ ac_cv_lib_nss3_SSL_VersionRangeSet=yes + else +- ac_cv_lib_nss3_PK11_CreateGenericObject=no ++ ac_cv_lib_nss3_SSL_VersionRangeSet=no + fi + rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext + LIBS=$ac_check_lib_save_LIBS + fi +-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_nss3_PK11_CreateGenericObject" >&5 +-$as_echo "$ac_cv_lib_nss3_PK11_CreateGenericObject" >&6; } +-if test "x$ac_cv_lib_nss3_PK11_CreateGenericObject" = xyes; then : ++{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_nss3_SSL_VersionRangeSet" >&5 ++$as_echo "$ac_cv_lib_nss3_SSL_VersionRangeSet" >&6; } ++if test "x$ac_cv_lib_nss3_SSL_VersionRangeSet" = xyes; then : + + + $as_echo "#define USE_NSS 1" >>confdefs.h +diff --git a/configure.ac b/configure.ac +index 5970188..c81c879 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -2194,8 +2194,8 @@ if test "$curl_ssl_msg" = "$init_ssl_msg"; then + CPPFLAGS="$CPPFLAGS $addcflags" + fi + +- dnl The function PK11_CreateGenericObject is needed to load libnsspem.so +- AC_CHECK_LIB(nss3, PK11_CreateGenericObject, ++ dnl The function SSL_VersionRangeSet() is needed to enable TLS > 1.0 ++ AC_CHECK_LIB(nss3, SSL_VersionRangeSet, + [ + AC_DEFINE(USE_NSS, 1, [if NSS is enabled]) + AC_SUBST(USE_NSS, [1]) +diff --git a/docs/INTERNALS b/docs/INTERNALS +index 03839c3..581b22d 100644 +--- a/docs/INTERNALS ++++ b/docs/INTERNALS +@@ -43,7 +43,7 @@ Portability + openldap 2.0 + MIT krb5 lib 
1.2.4 + qsossl V5R2M0 +- NSS 3.12.x ++ NSS 3.14.x + axTLS 1.2.7 + Heimdal ? + +diff --git a/lib/nss.c b/lib/nss.c +index ff93a38..14a0b0c 100644 +--- a/lib/nss.c ++++ b/lib/nss.c +@@ -1175,9 +1175,7 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex) + { + PRErrorCode err = 0; + PRFileDesc *model = NULL; +- PRBool ssl2 = PR_FALSE; +- PRBool ssl3 = PR_FALSE; +- PRBool tlsv1 = PR_FALSE; ++ SSLVersionRange sslver; + PRBool ssl_no_cache; + PRBool ssl_cbc_random_iv; + struct SessionHandle *data = conn->data; +@@ -1251,20 +1249,25 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex) + switch (data->set.ssl.version) { + default: + case CURL_SSLVERSION_DEFAULT: +- ssl3 = PR_TRUE; +- if(data->state.ssl_connect_retry) ++ sslver.min = SSL_LIBRARY_VERSION_3_0; ++ if(data->state.ssl_connect_retry) { + infof(data, "TLS disabled due to previous handshake failure\n"); ++ sslver.max = SSL_LIBRARY_VERSION_3_0; ++ } + else +- tlsv1 = PR_TRUE; ++ sslver.max = SSL_LIBRARY_VERSION_TLS_1_0; + break; + case CURL_SSLVERSION_TLSv1: +- tlsv1 = PR_TRUE; ++ sslver.min = SSL_LIBRARY_VERSION_TLS_1_0; ++ sslver.max = SSL_LIBRARY_VERSION_TLS_1_0; + break; + case CURL_SSLVERSION_SSLv2: +- ssl2 = PR_TRUE; ++ sslver.min = SSL_LIBRARY_VERSION_2; ++ sslver.max = SSL_LIBRARY_VERSION_2; + break; + case CURL_SSLVERSION_SSLv3: +- ssl3 = PR_TRUE; ++ sslver.min = SSL_LIBRARY_VERSION_3_0; ++ sslver.max = SSL_LIBRARY_VERSION_3_0; + break; + case CURL_SSLVERSION_TLSv1_0: + case CURL_SSLVERSION_TLSv1_1: +@@ -1274,14 +1277,7 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex) + goto error; + } + +- if(SSL_OptionSet(model, SSL_ENABLE_SSL2, ssl2) != SECSuccess) +- goto error; +- if(SSL_OptionSet(model, SSL_ENABLE_SSL3, ssl3) != SECSuccess) +- goto error; +- if(SSL_OptionSet(model, SSL_ENABLE_TLS, tlsv1) != SECSuccess) +- goto error; +- +- if(SSL_OptionSet(model, SSL_V2_COMPATIBLE_HELLO, ssl2) != SECSuccess) ++ if(SSL_VersionRangeSet(model, &sslver) != SECSuccess) 
+ goto error; + + ssl_cbc_random_iv = !data->set.ssl_enable_beast; +@@ -1467,11 +1463,13 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex) + if(model) + PR_Close(model); + +- /* cleanup on connection failure */ +- Curl_llist_destroy(connssl->obj_list, NULL); +- connssl->obj_list = NULL; ++ /* cleanup on connection failure */ ++ Curl_llist_destroy(connssl->obj_list, NULL); ++ connssl->obj_list = NULL; + +- if(ssl3 && tlsv1 && isTLSIntoleranceError(err)) { ++ if((sslver.min == SSL_LIBRARY_VERSION_3_0) ++ && (sslver.max == SSL_LIBRARY_VERSION_TLS_1_0) ++ && isTLSIntoleranceError(err)) { + /* schedule reconnect through Curl_retry_request() */ + data->state.ssl_connect_retry = TRUE; + infof(data, "Error in TLS handshake, trying SSLv3...\n"); +-- +1.7.1 + + +From 08398e7a8a8ba4e6fef1557392e3c0104cc3550f Mon Sep 17 00:00:00 2001 +From: Kamil Dudka +Date: Mon, 25 Nov 2013 16:14:55 +0100 +Subject: [PATCH 6/9] nss: put SSL version selection into separate fnc + +[upstream commit 4fb8241add5b68e95fbf44d3c2bf470201a9915d] +--- + lib/nss.c | 72 +++++++++++++++++++++++++++++++++++------------------------- + 1 files changed, 42 insertions(+), 30 deletions(-) + +diff --git a/lib/nss.c b/lib/nss.c +index 14a0b0c..2e2240b 100644 +--- a/lib/nss.c ++++ b/lib/nss.c +@@ -1171,6 +1171,46 @@ static CURLcode nss_load_ca_certificates(struct connectdata *conn, + return CURLE_OK; + } + ++static CURLcode nss_init_sslver(SSLVersionRange *sslver, ++ struct SessionHandle *data) ++{ ++ switch (data->set.ssl.version) { ++ default: ++ case CURL_SSLVERSION_DEFAULT: ++ sslver->min = SSL_LIBRARY_VERSION_3_0; ++ if(data->state.ssl_connect_retry) { ++ infof(data, "TLS disabled due to previous handshake failure\n"); ++ sslver->max = SSL_LIBRARY_VERSION_3_0; ++ } ++ else ++ sslver->max = SSL_LIBRARY_VERSION_TLS_1_0; ++ return CURLE_OK; ++ ++ case CURL_SSLVERSION_TLSv1: ++ sslver->min = SSL_LIBRARY_VERSION_TLS_1_0; ++ sslver->max = SSL_LIBRARY_VERSION_TLS_1_0; ++ return CURLE_OK; ++ ++ 
case CURL_SSLVERSION_SSLv2: ++ sslver->min = SSL_LIBRARY_VERSION_2; ++ sslver->max = SSL_LIBRARY_VERSION_2; ++ return CURLE_OK; ++ ++ case CURL_SSLVERSION_SSLv3: ++ sslver->min = SSL_LIBRARY_VERSION_3_0; ++ sslver->max = SSL_LIBRARY_VERSION_3_0; ++ return CURLE_OK; ++ ++ case CURL_SSLVERSION_TLSv1_0: ++ case CURL_SSLVERSION_TLSv1_1: ++ case CURL_SSLVERSION_TLSv1_2: ++ break; ++ } ++ ++ failf(data, "TLS minor version cannot be set"); ++ return CURLE_SSL_CONNECT_ERROR; ++} ++ + CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex) + { + PRErrorCode err = 0; +@@ -1246,37 +1286,9 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex) + if(SSL_OptionSet(model, SSL_NO_CACHE, ssl_no_cache) != SECSuccess) + goto error; + +- switch (data->set.ssl.version) { +- default: +- case CURL_SSLVERSION_DEFAULT: +- sslver.min = SSL_LIBRARY_VERSION_3_0; +- if(data->state.ssl_connect_retry) { +- infof(data, "TLS disabled due to previous handshake failure\n"); +- sslver.max = SSL_LIBRARY_VERSION_3_0; +- } +- else +- sslver.max = SSL_LIBRARY_VERSION_TLS_1_0; +- break; +- case CURL_SSLVERSION_TLSv1: +- sslver.min = SSL_LIBRARY_VERSION_TLS_1_0; +- sslver.max = SSL_LIBRARY_VERSION_TLS_1_0; +- break; +- case CURL_SSLVERSION_SSLv2: +- sslver.min = SSL_LIBRARY_VERSION_2; +- sslver.max = SSL_LIBRARY_VERSION_2; +- break; +- case CURL_SSLVERSION_SSLv3: +- sslver.min = SSL_LIBRARY_VERSION_3_0; +- sslver.max = SSL_LIBRARY_VERSION_3_0; +- break; +- case CURL_SSLVERSION_TLSv1_0: +- case CURL_SSLVERSION_TLSv1_1: +- case CURL_SSLVERSION_TLSv1_2: +- failf(data, "TLS minor version cannot be set\n"); +- curlerr = CURLE_SSL_CONNECT_ERROR; ++ /* enable/disable the requested SSL version(s) */ ++ if(nss_init_sslver(&sslver, data) != CURLE_OK) + goto error; +- } +- + if(SSL_VersionRangeSet(model, &sslver) != SECSuccess) + goto error; + +-- +1.7.1 + + +From 91a3d58fc48f0d08ab81f1e013b2d58a7ccd7146 Mon Sep 17 00:00:00 2001 +From: Kamil Dudka +Date: Mon, 25 Nov 2013 16:25:15 +0100 
+Subject: [PATCH 7/9] nss: allow to use TLS > 1.0 if built against recent NSS + +Bug: http://curl.haxx.se/mail/lib-2013-11/0162.html + +[upstream commit 7fc9325a52a6dad1f8b859a3269472ffc125edd0] +--- + lib/nss.c | 22 ++++++++++++++++++++++ + 1 files changed, 22 insertions(+), 0 deletions(-) + +diff --git a/lib/nss.c b/lib/nss.c +index 2e2240b..5cd33d8 100644 +--- a/lib/nss.c ++++ b/lib/nss.c +@@ -1188,7 +1188,13 @@ static CURLcode nss_init_sslver(SSLVersionRange *sslver, + + case CURL_SSLVERSION_TLSv1: + sslver->min = SSL_LIBRARY_VERSION_TLS_1_0; ++#ifdef SSL_LIBRARY_VERSION_TLS_1_2 ++ sslver->max = SSL_LIBRARY_VERSION_TLS_1_2; ++#elif defined SSL_LIBRARY_VERSION_TLS_1_1 ++ sslver->max = SSL_LIBRARY_VERSION_TLS_1_1; ++#else + sslver->max = SSL_LIBRARY_VERSION_TLS_1_0; ++#endif + return CURLE_OK; + + case CURL_SSLVERSION_SSLv2: +@@ -1202,8 +1208,24 @@ static CURLcode nss_init_sslver(SSLVersionRange *sslver, + return CURLE_OK; + + case CURL_SSLVERSION_TLSv1_0: ++ sslver->min = SSL_LIBRARY_VERSION_TLS_1_0; ++ sslver->max = SSL_LIBRARY_VERSION_TLS_1_0; ++ return CURLE_OK; ++ + case CURL_SSLVERSION_TLSv1_1: ++#ifdef SSL_LIBRARY_VERSION_TLS_1_1 ++ sslver->min = SSL_LIBRARY_VERSION_TLS_1_1; ++ sslver->max = SSL_LIBRARY_VERSION_TLS_1_1; ++ return CURLE_OK; ++#endif ++ break; ++ + case CURL_SSLVERSION_TLSv1_2: ++#ifdef SSL_LIBRARY_VERSION_TLS_1_2 ++ sslver->min = SSL_LIBRARY_VERSION_TLS_1_2; ++ sslver->max = SSL_LIBRARY_VERSION_TLS_1_2; ++ return CURLE_OK; ++#endif + break; + } + +-- +1.7.1 + + +From 404492a5a815b83fab58ce60434c01c270b6bc73 Mon Sep 17 00:00:00 2001 +From: Kamil Dudka +Date: Mon, 2 Dec 2013 14:25:07 +0100 +Subject: [PATCH 8/9] nss: unconditionally require NSS_InitContext() + +... 
since we depend on NSS 3.14+ because of SSL_VersionRangeSet() anyway + +[upstream commit 865666afca926faa1c721020fc54364540caf734] +--- + configure | 12 ------------ + configure.ac | 8 -------- + lib/nss.c | 26 -------------------------- + 3 files changed, 0 insertions(+), 46 deletions(-) + +diff --git a/configure b/configure +index ebde78a..8741e21 100755 +--- a/configure ++++ b/configure +@@ -23697,18 +23697,6 @@ fi + { $as_echo "$as_me:${as_lineno-$LINENO}: detected NSS version $version" >&5 + $as_echo "$as_me: detected NSS version $version" >&6;} + +- ac_fn_c_check_func "$LINENO" "NSS_InitContext" "ac_cv_func_NSS_InitContext" +-if test "x$ac_cv_func_NSS_InitContext" = xyes; then : +- +- +-$as_echo "#define HAVE_NSS_INITCONTEXT 1" >>confdefs.h +- +- HAVE_NSS_INITCONTEXT=1 +- +- +-fi +- +- + if test "x$cross_compiling" != "xyes"; then + LD_LIBRARY_PATH="$LD_LIBRARY_PATH:$nssprefix/lib$libsuff" + export LD_LIBRARY_PATH +diff --git a/configure.ac b/configure.ac +index c81c879..70ef0b7 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -2211,14 +2211,6 @@ if test "$curl_ssl_msg" = "$init_ssl_msg"; then + if test "x$USE_NSS" = "xyes"; then + AC_MSG_NOTICE([detected NSS version $version]) + +- dnl NSS_InitContext() was introduced in NSS 3.12.5 and helps to prevent +- dnl collisions on NSS initialization/shutdown with other libraries +- AC_CHECK_FUNC(NSS_InitContext, +- [ +- AC_DEFINE(HAVE_NSS_INITCONTEXT, 1, [if you have the NSS_InitContext function]) +- AC_SUBST(HAVE_NSS_INITCONTEXT, [1]) +- ]) +- + dnl when shared libs were found in a path that the run-time + dnl linker doesn't search through, we need to add it to + dnl LD_LIBRARY_PATH to prevent further configure tests to fail +diff --git a/lib/nss.c b/lib/nss.c +index 5cd33d8..7b49c20 100644 +--- a/lib/nss.c ++++ b/lib/nss.c +@@ -76,9 +76,7 @@ PRFileDesc *PR_ImportTCPSocket(PRInt32 osfd); + + PRLock * nss_initlock = NULL; + PRLock * nss_crllock = NULL; +-#ifdef HAVE_NSS_INITCONTEXT + NSSInitContext * nss_context = 
NULL; +-#endif + + volatile int initialized = 0; + +@@ -853,7 +851,6 @@ isTLSIntoleranceError(PRInt32 err) + + static CURLcode nss_init_core(struct SessionHandle *data, const char *cert_dir) + { +-#ifdef HAVE_NSS_INITCONTEXT + NSSInitParameters initparams; + + if(nss_context != NULL) +@@ -861,12 +858,6 @@ static CURLcode nss_init_core(struct SessionHandle *data, const char *cert_dir) + + memset((void *) &initparams, '\0', sizeof(initparams)); + initparams.length = sizeof(initparams); +-#else /* HAVE_NSS_INITCONTEXT */ +- SECStatus rv; +- +- if(NSS_IsInitialized()) +- return CURLE_OK; +-#endif + + if(cert_dir) { + const bool use_sql = NSS_VersionCheck("3.12.0"); +@@ -875,35 +866,22 @@ static CURLcode nss_init_core(struct SessionHandle *data, const char *cert_dir) + return CURLE_OUT_OF_MEMORY; + + infof(data, "Initializing NSS with certpath: %s\n", certpath); +-#ifdef HAVE_NSS_INITCONTEXT + nss_context = NSS_InitContext(certpath, "", "", "", &initparams, + NSS_INIT_READONLY | NSS_INIT_PK11RELOAD); + free(certpath); + + if(nss_context != NULL) + return CURLE_OK; +-#else /* HAVE_NSS_INITCONTEXT */ +- rv = NSS_Initialize(certpath, "", "", "", NSS_INIT_READONLY); +- free(certpath); +- +- if(rv == SECSuccess) +- return CURLE_OK; +-#endif + + infof(data, "Unable to initialize NSS database\n"); + } + + infof(data, "Initializing NSS with certpath: none\n"); +-#ifdef HAVE_NSS_INITCONTEXT + nss_context = NSS_InitContext("", "", "", "", &initparams, NSS_INIT_READONLY + | NSS_INIT_NOCERTDB | NSS_INIT_NOMODDB | NSS_INIT_FORCEOPEN + | NSS_INIT_NOROOTINIT | NSS_INIT_OPTIMIZESPACE | NSS_INIT_PK11RELOAD); + if(nss_context != NULL) + return CURLE_OK; +-#else /* HAVE_NSS_INITCONTEXT */ +- if(NSS_NoDB_Init(NULL) == SECSuccess) +- return CURLE_OK; +-#endif + + infof(data, "Unable to initialize NSS\n"); + return CURLE_SSL_CACERT_BADFILE; +@@ -999,12 +977,8 @@ void Curl_nss_cleanup(void) + SECMOD_DestroyModule(mod); + mod = NULL; + } +-#ifdef HAVE_NSS_INITCONTEXT + 
NSS_ShutdownContext(nss_context); + nss_context = NULL; +-#else /* HAVE_NSS_INITCONTEXT */ +- NSS_Shutdown(); +-#endif + } + PR_Unlock(nss_initlock); + +-- +1.7.1 + + +From a643c75662b6909a5be1bed8273ed1273ab2b3f4 Mon Sep 17 00:00:00 2001 +From: Kamil Dudka +Date: Mon, 2 Dec 2013 16:09:12 +0100 +Subject: [PATCH 9/9] nss: make sure that 'sslver' is always initialized + +[upstream commit e221b55f67a2e12717e911f25d1bb6c85fcebfab] +--- + lib/nss.c | 9 +++++---- + 1 files changed, 5 insertions(+), 4 deletions(-) + +diff --git a/lib/nss.c b/lib/nss.c +index 7b49c20..abc8a91 100644 +--- a/lib/nss.c ++++ b/lib/nss.c +@@ -1151,13 +1151,10 @@ static CURLcode nss_init_sslver(SSLVersionRange *sslver, + switch (data->set.ssl.version) { + default: + case CURL_SSLVERSION_DEFAULT: +- sslver->min = SSL_LIBRARY_VERSION_3_0; + if(data->state.ssl_connect_retry) { + infof(data, "TLS disabled due to previous handshake failure\n"); + sslver->max = SSL_LIBRARY_VERSION_3_0; + } +- else +- sslver->max = SSL_LIBRARY_VERSION_TLS_1_0; + return CURLE_OK; + + case CURL_SSLVERSION_TLSv1: +@@ -1211,7 +1208,6 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex) + { + PRErrorCode err = 0; + PRFileDesc *model = NULL; +- SSLVersionRange sslver; + PRBool ssl_no_cache; + PRBool ssl_cbc_random_iv; + struct SessionHandle *data = conn->data; +@@ -1223,6 +1219,11 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex) + long time_left; + PRUint32 timeout; + ++ SSLVersionRange sslver = { ++ SSL_LIBRARY_VERSION_3_0, /* min */ ++ SSL_LIBRARY_VERSION_TLS_1_0 /* max */ ++ }; ++ + if(connssl->state == ssl_connection_complete) + return CURLE_OK; + +-- +1.7.1 + diff --git a/0016-curl-7.29.0-1cf71bd7.patch b/0016-curl-7.29.0-1cf71bd7.patch new file mode 100644 index 0000000..31c4e08 --- /dev/null +++ b/0016-curl-7.29.0-1cf71bd7.patch 
@@ -0,0 +1,27 @@
+From cf8b6a21f1e9af984cfef417e83ca06b64565215 Mon Sep 17 00:00:00 2001
+From: Kamil Dudka
+Date: Mon, 20 Jan 2014 20:24:05 +0100
+Subject: [PATCH] Curl_is_connected: use proxy name in error message when proxy is used
+
+Backport of upstream commit 1cf71bd76e4a330e5b7824014c2605e4bfe1a0a5.
+---
+ lib/connect.c | 3 ++-
+ 1 files changed, 2 insertions(+), 1 deletions(-)
+
+diff --git a/lib/connect.c b/lib/connect.c
+index 0afb1ee..ba9ab92 100644
+--- a/lib/connect.c
++++ b/lib/connect.c
+@@ -758,7 +758,8 @@ CURLcode Curl_is_connected(struct connectdata *conn,
+ error = SOCKERRNO;
+ data->state.os_errno = error;
+ failf(data, "Failed connect to %s:%ld; %s",
+- conn->host.name, conn->port, Curl_strerror(conn, error));
++ conn->bits.proxy?conn->proxy.name:conn->host.name,
++ conn->port, Curl_strerror(conn, error));
+ }
+
+ return code;
+--
+1.7.1
+
diff --git a/0017-curl-7.29.0-ffb8a21d.patch b/0017-curl-7.29.0-ffb8a21d.patch
new file mode 100644
index 0000000..5f35a9a
--- /dev/null
+++ b/0017-curl-7.29.0-ffb8a21d.patch
@@ -0,0 +1,36 @@ +From 93b06606d7ee483567770deda967985e8377debb Mon Sep 17 00:00:00 2001 +From: Steve Holme +Date: Sun, 2 Feb 2014 11:01:10 +0000 +Subject: [PATCH] tests: Fixed test172 cookie expiry + +The test contains a cookie jar file where one of the cookies has an +expiry date of 1391252187 -- Sat, 1 Feb 2014 10:56:27 GMT which has +now expired. Updated to Wed, 14 Oct 2037 16:36:33 GMT as per test +179. + +Reported-by: Adam Sampson +Bug: http://curl.haxx.se/bug/view.cgi?id=1330 + +[upstream commit ffb8a21d85bde8b626e5dc52ce25f0447ee49f89] + +Signed-off-by: Kamil Dudka +--- + tests/data/test172 | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +diff --git a/tests/data/test172 b/tests/data/test172 +index b3efae9..3d53418 100644 +--- a/tests/data/test172 ++++ b/tests/data/test172 +@@ -36,7 +36,7 @@ http://%HOSTIP:%HTTPPORT/we/want/172 -b log/jar172.txt -b "tool=curl; name=fool" + + .%HOSTIP TRUE /silly/ FALSE 0 ismatch this + .%HOSTIP TRUE / FALSE 0 partmatch present +-%HOSTIP FALSE /we/want/ FALSE 1391252187 nodomain value ++%HOSTIP FALSE /we/want/ FALSE 2139150993 nodomain value + + + +-- +1.7.1 + diff --git a/0018-curl-7.29.0-03c28820.patch b/0018-curl-7.29.0-03c28820.patch new file mode 100644 index 0000000..09a7391 --- /dev/null +++ b/0018-curl-7.29.0-03c28820.patch 
@@ -0,0 +1,67 @@
+From fbbbf6a3daa7949cfb0fbd9731a80649ce717e6d Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg
+Date: Fri, 7 Feb 2014 20:28:53 +0100
+Subject: [PATCH 1/2] --help: add missing --tlsv1.x options
+
+[upstream commit 67d14ab98f8b819ee6f5e6a4a2770d311c6bf13b]
+
+Signed-off-by: Kamil Dudka
+---
+ src/tool_help.c | 5 ++++-
+ 1 files changed, 4 insertions(+), 1 deletions(-)
+
+diff --git a/src/tool_help.c b/src/tool_help.c
+index 124f640..f7cd618 100644
+--- a/src/tool_help.c
++++ b/src/tool_help.c
+@@ -199,7 +199,10 @@ static const char *const helptext[] = {
+ " -t, --telnet-option OPT=VAL Set telnet option",
+ " --tftp-blksize VALUE Set TFTP BLKSIZE option (must be >512)",
+ " -z, --time-cond TIME Transfer based on a time condition",
+- " -1, --tlsv1 Use TLSv1 (SSL)",
++ " -1, --tlsv1 Use => TLSv1 (SSL)",
++ " --tlsv1.0 Use TLSv1.0 (SSL)",
++ " --tlsv1.1 Use TLSv1.1 (SSL)",
++ " --tlsv1.2 Use TLSv1.2 (SSL)",
+ " --trace FILE Write a debug trace to the given file",
+ " --trace-ascii FILE Like --trace but without the hex output",
+ " --trace-time Add time stamps to trace/verbose output",
+--
+1.7.1
+
+
+From cc28ee70fcc2222646eef4f2b2ab3cc207c6112a Mon Sep 17 00:00:00 2001
+From: Kamil Dudka
+Date: Mon, 17 Feb 2014 16:55:10 +0100
+Subject: [PATCH 2/2] curl.1: update the description of --tlsv1
+
+... and mention the --tlsv1.[0-2] options in the --tslv1 entry
+
+Reported-by: Hubert Kario
+
+[upstream commit 03c288202ed159a2a9e953f59e58f69a86eda79b]
+
+Signed-off-by: Kamil Dudka
+---
+ docs/curl.1 | 5 ++++-
+ 1 files changed, 4 insertions(+), 1 deletions(-)
+
+diff --git a/docs/curl.1 b/docs/curl.1
+index 53b378c..7f3571b 100644
+--- a/docs/curl.1
++++ b/docs/curl.1
+@@ -117,7 +117,10 @@ more informational, meter.
+ internally preferred: HTTP 1.1.
+ .IP "-1, --tlsv1"
+ (SSL)
+-Forces curl to use TLS version 1 when negotiating with a remote TLS server.
++Forces curl to use TLS version 1.x when negotiating with a remote TLS server.
++You can use options \fI--tlsv1.0\fP, \fI--tlsv1.1\fP, and \fI--tlsv1.2\fP to
++control the TLS version more precisely (if the SSL backend in use supports such
++a level of control).
+ .IP "-2, --sslv2"
+ (SSL)
+ Forces curl to use SSL version 2 when negotiating with a remote SSL server.
+--
+1.7.1
+
diff --git a/0018-curl-7.29.0-517b06d6.patch b/0018-curl-7.29.0-517b06d6.patch
new file mode 100644
index 0000000..b56875e
--- /dev/null
+++ b/0018-curl-7.29.0-517b06d6.patch
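Review bot: The new `helptext[]` entry for `-1, --tlsv1` writes the operator as `=>`, which is not a comparison and reads as an arrow; the string should use `>=` so it says "TLSv1 or later". The wording matters to anyone pinning protocol versions, because the accompanying curl.1 change describes `--tlsv1` as selecting "TLS version 1.x" rather than exactly 1.0, with `--tlsv1.0`, `--tlsv1.1` and `--tlsv1.2` as the exact-version switches. The curl.1 entry would be clearer if it also stated that `--tlsv1` sets a minimum, since scripts written against the old "TLS version 1" wording may assume an exact match.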
@@ -0,0 +1,68 @@
+From 46e85fee025964dd9a8ce2d615bc5f8ece530519 Mon Sep 17 00:00:00 2001
+From: Steve Holme
+Date: Thu, 20 Feb 2014 23:51:36 +0000
+Subject: [PATCH] url: Fixed connection re-use when using different log-in credentials
+
+In addition to FTP, other connection based protocols such as IMAP, POP3,
+SMTP, SCP, SFTP and LDAP require a new connection when different log-in
+credentials are specified. Fixed the detection logic to include these
+other protocols.
+
+Bug: http://curl.haxx.se/docs/adv_20140326A.html
+
+[upstream commit 517b06d657aceb11a234b05cc891170c367ab80d]
+
+Signed-off-by: Kamil Dudka
+---
+ lib/http.c | 2 +-
+ lib/url.c | 6 +++---
+ lib/urldata.h | 2 ++
+ 3 files changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/lib/http.c b/lib/http.c
+index f4b7a48..c78036b 100644
+--- a/lib/http.c
++++ b/lib/http.c
+@@ -142,7 +142,7 @@ const struct Curl_handler Curl_handler_https = {
+ ZERO_NULL, /* readwrite */
+ PORT_HTTPS, /* defport */
+ CURLPROTO_HTTP | CURLPROTO_HTTPS, /* protocol */
+- PROTOPT_SSL /* flags */
++ PROTOPT_SSL | PROTOPT_CREDSPERREQUEST /* flags */
+ };
+ #endif
+
+diff --git a/lib/url.c b/lib/url.c
+index 9690dfa..0174ff4 100644
+--- a/lib/url.c
++++ b/lib/url.c
+@@ -2961,10 +2961,10 @@ ConnectionExists(struct SessionHandle *data,
+ continue;
+ }
+ }
+- if((needle->handler->protocol & CURLPROTO_FTP) ||
++ if((!(needle->handler->flags & PROTOPT_CREDSPERREQUEST)) ||
+ ((needle->handler->protocol & CURLPROTO_HTTP) && wantNTLM)) {
+- /* This is FTP or HTTP+NTLM, verify that we're using the same name
+- and password as well */
++ /* This protocol requires credentials per connection or is HTTP+NTLM,
++ so verify that we're using the same name and password as well */
+ if(!strequal(needle->user, check->user) ||
+ !strequal(needle->passwd, check->passwd)) {
+ /* one of them was different */
+diff --git a/lib/urldata.h b/lib/urldata.h
+index d597c67..cbf4102 100644
+--- a/lib/urldata.h
++++ b/lib/urldata.h
+@@ -755,6 +755,8 @@ struct Curl_handler {
+ gets a default */
+ #define PROTOPT_NOURLQUERY (1<<6) /* protocol can't handle
+ url query strings (?foo=bar) ! */
++#define PROTOPT_CREDSPERREQUEST (1<<7) /* requires login creditials per request
++ as opposed to per connection */
+
+
+ /* return the count of bytes sent, or -1 on error */
+--
+1.7.1
+
diff --git a/0101-curl-7.27.0-multilib.patch b/0101-curl-7.27.0-multilib.patch
deleted file mode 100644
index 09acf78..0000000
--- a/0101-curl-7.27.0-multilib.patch
+++ /dev/null
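Review bot: The credential check in `ConnectionExists`, which this change now applies to every handler lacking `PROTOPT_CREDSPERREQUEST`, still compares with `strequal()`, and that is a case-insensitive comparison in curl as far as I know, so two logins differing only in letter case would count as the same and could share a connection. An exact comparison fits a credential check better: `if(strcmp(needle->user, check->user) || strcmp(needle->passwd, check->passwd)) {`. Separately, only `Curl_handler_https` gains the flag in the lib/http.c hunk; if `Curl_handler_http` is not flagged elsewhere, plain HTTP would take the per-connection branch, which is safe but reduces reuse, so it is worth confirming against the full file. The new comment in lib/urldata.h misspells "credentials" as "creditials". `ConnectionExists` starts and ends outside the hunk.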
@@ -1,72 +0,0 @@ - curl-config.in | 16 +++------------- - docs/curl-config.1 | 4 +++- - libcurl.pc.in | 1 + - 3 files changed, 7 insertions(+), 14 deletions(-) - -diff --git a/curl-config.in b/curl-config.in -index 150004d..95d0759 100644 ---- a/curl-config.in -+++ b/curl-config.in -@@ -75,7 +75,7 @@ while test $# -gt 0; do - ;; - - --cc) -- echo "@CC@" -+ echo "gcc" - ;; - - --prefix) -@@ -142,24 +142,14 @@ while test $# -gt 0; do - ;; - - --libs) -- if test "X@libdir@" != "X/usr/lib" -a "X@libdir@" != "X/usr/lib64"; then -- CURLLIBDIR="-L@libdir@ " -- else -- CURLLIBDIR="" -- fi -- if test "X@REQUIRE_LIB_DEPS@" = "Xyes"; then -- echo ${CURLLIBDIR}-lcurl @LIBCURL_LIBS@ @LIBS@ -- else -- echo ${CURLLIBDIR}-lcurl @LIBS@ -- fi -+ pkg-config libcurl --libs - ;; - - --static-libs) -- echo @libdir@/libcurl.@libext@ @LDFLAGS@ @LIBCURL_LIBS@ @LIBS@ - ;; - - --configure) -- echo @CONFIGURE_OPTIONS@ -+ pkg-config libcurl --variable=configure_options | sed 's/^"//;s/"$//' - ;; - - *) -diff --git a/docs/curl-config.1 b/docs/curl-config.1 -index c4f4e2b..3e0ea60 100644 ---- a/docs/curl-config.1 -+++ b/docs/curl-config.1 -@@ -65,7 +65,9 @@ be listed using uppercase and are separa - one, or several protocols in the list. (Added in 7.13.0) - .IP "--static-libs" - Shows the complete set of libs and other linker options you will need in order --to link your application with libcurl statically. (Added in 7.17.1) -+to link your application with libcurl statically. Note that Fedora/RHEL libcurl -+packages do not provide any static libraries, thus cannot be linked statically. -+(Added in 7.17.1) - .IP "--version" - Outputs version information about the installed libcurl. 
- .IP "--vernum" -diff --git a/libcurl.pc.in b/libcurl.pc.in -index 2ba9c39..f8f8b00 100644 ---- a/libcurl.pc.in -+++ b/libcurl.pc.in -@@ -29,6 +29,7 @@ libdir=@libdir@ - includedir=@includedir@ - supported_protocols="@SUPPORT_PROTOCOLS@" - supported_features="@SUPPORT_FEATURES@" -+configure_options=@CONFIGURE_OPTIONS@ - - Name: libcurl - URL: http://curl.haxx.se/ diff --git a/0101-curl-7.29.0-multilib.patch b/0101-curl-7.29.0-multilib.patch new file mode 100644 index 0000000..38aa86c --- /dev/null +++ b/0101-curl-7.29.0-multilib.patch 
@@ -0,0 +1,72 @@ + curl-config.in | 16 +++------------- + docs/curl-config.1 | 4 +++- + libcurl.pc.in | 1 + + 3 files changed, 7 insertions(+), 14 deletions(-) + +diff --git a/curl-config.in b/curl-config.in +index 150004d..95d0759 100644 +--- a/curl-config.in ++++ b/curl-config.in +@@ -75,7 +75,7 @@ while test $# -gt 0; do + ;; + + --cc) +- echo "@CC@" ++ echo "gcc" + ;; + + --prefix) +@@ -142,24 +142,14 @@ while test $# -gt 0; do + ;; + + --libs) +- if test "X@libdir@" != "X/usr/lib" -a "X@libdir@" != "X/usr/lib64"; then +- CURLLIBDIR="-L@libdir@ " +- else +- CURLLIBDIR="" +- fi +- if test "X@REQUIRE_LIB_DEPS@" = "Xyes"; then +- echo ${CURLLIBDIR}-lcurl @LIBCURL_LIBS@ +- else +- echo ${CURLLIBDIR}-lcurl +- fi ++ pkg-config libcurl --libs + ;; + + --static-libs) +- echo @libdir@/libcurl.@libext@ @LDFLAGS@ @LIBCURL_LIBS@ + ;; + + --configure) +- echo @CONFIGURE_OPTIONS@ ++ pkg-config libcurl --variable=configure_options | sed 's/^"//;s/"$//' + ;; + + *) +diff --git a/docs/curl-config.1 b/docs/curl-config.1 +index c4f4e2b..3e0ea60 100644 +--- a/docs/curl-config.1 ++++ b/docs/curl-config.1 +@@ -65,7 +65,9 @@ be listed using uppercase and are separa + one, or several protocols in the list. (Added in 7.13.0) + .IP "--static-libs" + Shows the complete set of libs and other linker options you will need in order +-to link your application with libcurl statically. (Added in 7.17.1) ++to link your application with libcurl statically. Note that Fedora/RHEL libcurl ++packages do not provide any static libraries, thus cannot be linked statically. ++(Added in 7.17.1) + .IP "--version" + Outputs version information about the installed libcurl. 
+ .IP "--vernum" +diff --git a/libcurl.pc.in b/libcurl.pc.in +index 2ba9c39..f8f8b00 100644 +--- a/libcurl.pc.in ++++ b/libcurl.pc.in +@@ -29,6 +29,7 @@ libdir=@libdir@ + includedir=@includedir@ + supported_protocols="@SUPPORT_PROTOCOLS@" + supported_features="@SUPPORT_FEATURES@" ++configure_options=@CONFIGURE_OPTIONS@ + + Name: libcurl + URL: http://curl.haxx.se/ diff --git a/0102-curl-7.27.0-debug.patch b/0102-curl-7.27.0-debug.patch deleted file mode 100644 index 0f10d40..0000000 --- a/0102-curl-7.27.0-debug.patch +++ /dev/null 
@@ -1,58 +0,0 @@ - configure | 15 ++++----------- - m4/curl-compilers.m4 | 15 ++++----------- - 2 files changed, 8 insertions(+), 22 deletions(-) - -diff --git a/configure b/configure -index d3ecf69..6d8f085 100755 ---- a/configure -+++ b/configure -@@ -15093,18 +15093,11 @@ $as_echo "yes" >&6; } - gccvhi=`echo $gccver | cut -d . -f1` - gccvlo=`echo $gccver | cut -d . -f2` - compiler_num=`(expr $gccvhi "*" 100 + $gccvlo) 2>/dev/null` -- flags_dbg_all="-g -g0 -g1 -g2 -g3" -- flags_dbg_all="$flags_dbg_all -ggdb" -- flags_dbg_all="$flags_dbg_all -gstabs" -- flags_dbg_all="$flags_dbg_all -gstabs+" -- flags_dbg_all="$flags_dbg_all -gcoff" -- flags_dbg_all="$flags_dbg_all -gxcoff" -- flags_dbg_all="$flags_dbg_all -gdwarf-2" -- flags_dbg_all="$flags_dbg_all -gvms" -+ flags_dbg_all="" - flags_dbg_yes="-g" -- flags_dbg_off="-g0" -- flags_opt_all="-O -O0 -O1 -O2 -O3 -Os" -- flags_opt_yes="-O2" -+ flags_dbg_off="" -+ flags_opt_all="" -+ flags_opt_yes="" - flags_opt_off="-O0" - - if test -z "$SED"; then -diff --git a/m4/curl-compilers.m4 b/m4/curl-compilers.m4 -index 1ea4d17..868d65a 100644 ---- a/m4/curl-compilers.m4 -+++ b/m4/curl-compilers.m4 -@@ -148,18 +148,11 @@ AC_DEFUN([CURL_CHECK_COMPILER_GNU_C], [ - gccvhi=`echo $gccver | cut -d . -f1` - gccvlo=`echo $gccver | cut -d . -f2` - compiler_num=`(expr $gccvhi "*" 100 + $gccvlo) 2>/dev/null` -- flags_dbg_all="-g -g0 -g1 -g2 -g3" -- flags_dbg_all="$flags_dbg_all -ggdb" -- flags_dbg_all="$flags_dbg_all -gstabs" -- flags_dbg_all="$flags_dbg_all -gstabs+" -- flags_dbg_all="$flags_dbg_all -gcoff" -- flags_dbg_all="$flags_dbg_all -gxcoff" -- flags_dbg_all="$flags_dbg_all -gdwarf-2" -- flags_dbg_all="$flags_dbg_all -gvms" -+ flags_dbg_all="" - flags_dbg_yes="-g" -- flags_dbg_off="-g0" -- flags_opt_all="-O -O0 -O1 -O2 -O3 -Os" -- flags_opt_yes="-O2" -+ flags_dbg_off="" -+ flags_opt_all="" -+ flags_opt_yes="" - flags_opt_off="-O0" - CURL_CHECK_DEF([_WIN32], [], [silent]) - else 
diff --git a/0102-curl-7.29.0-debug.patch b/0102-curl-7.29.0-debug.patch new file mode 100644 index 0000000..7f70530 --- /dev/null +++ b/0102-curl-7.29.0-debug.patch 
@@ -0,0 +1,65 @@ +From 6710648c2b270c9ce68a7d9f1bba1222c7be8b58 Mon Sep 17 00:00:00 2001 +From: Kamil Dudka +Date: Wed, 31 Oct 2012 11:38:30 +0100 +Subject: [PATCH] prevent configure script from discarding -g in CFLAGS (#496778) + +--- + configure | 13 +++---------- + m4/curl-compilers.m4 | 13 +++---------- + 2 files changed, 6 insertions(+), 20 deletions(-) + +diff --git a/configure b/configure +index 8f079a3..53b4774 100755 +--- a/configure ++++ b/configure +@@ -15759,18 +15759,11 @@ $as_echo "yes" >&6; } + gccvhi=`echo $gccver | cut -d . -f1` + gccvlo=`echo $gccver | cut -d . -f2` + compiler_num=`(expr $gccvhi "*" 100 + $gccvlo) 2>/dev/null` +- flags_dbg_all="-g -g0 -g1 -g2 -g3" +- flags_dbg_all="$flags_dbg_all -ggdb" +- flags_dbg_all="$flags_dbg_all -gstabs" +- flags_dbg_all="$flags_dbg_all -gstabs+" +- flags_dbg_all="$flags_dbg_all -gcoff" +- flags_dbg_all="$flags_dbg_all -gxcoff" +- flags_dbg_all="$flags_dbg_all -gdwarf-2" +- flags_dbg_all="$flags_dbg_all -gvms" ++ flags_dbg_all="" + flags_dbg_yes="-g" + flags_dbg_off="" +- flags_opt_all="-O -O0 -O1 -O2 -O3 -Os" +- flags_opt_yes="-O2" ++ flags_opt_all="" ++ flags_opt_yes="" + flags_opt_off="-O0" + + if test -z "$SED"; then +diff --git a/m4/curl-compilers.m4 b/m4/curl-compilers.m4 +index 0cbba7a..9175b5b 100644 +--- a/m4/curl-compilers.m4 ++++ b/m4/curl-compilers.m4 +@@ -148,18 +148,11 @@ AC_DEFUN([CURL_CHECK_COMPILER_GNU_C], [ + gccvhi=`echo $gccver | cut -d . -f1` + gccvlo=`echo $gccver | cut -d . 
-f2` + compiler_num=`(expr $gccvhi "*" 100 + $gccvlo) 2>/dev/null` +- flags_dbg_all="-g -g0 -g1 -g2 -g3" +- flags_dbg_all="$flags_dbg_all -ggdb" +- flags_dbg_all="$flags_dbg_all -gstabs" +- flags_dbg_all="$flags_dbg_all -gstabs+" +- flags_dbg_all="$flags_dbg_all -gcoff" +- flags_dbg_all="$flags_dbg_all -gxcoff" +- flags_dbg_all="$flags_dbg_all -gdwarf-2" +- flags_dbg_all="$flags_dbg_all -gvms" ++ flags_dbg_all="" + flags_dbg_yes="-g" + flags_dbg_off="" +- flags_opt_all="-O -O0 -O1 -O2 -O3 -Os" +- flags_opt_yes="-O2" ++ flags_opt_all="" ++ flags_opt_yes="" + flags_opt_off="-O0" + CURL_CHECK_DEF([_WIN32], [], [silent]) + else +-- +1.7.1 + diff --git a/0105-curl-7.32.0-scp-upload.patch b/0105-curl-7.32.0-scp-upload.patch new file mode 100644 index 0000000..c0fb0bf --- /dev/null +++ b/0105-curl-7.32.0-scp-upload.patch 
@@ -0,0 +1,42 @@
+From 2e973be50f75d0a85dcb995f7823f00b1fc85c2f Mon Sep 17 00:00:00 2001
+From: Kamil Dudka
+Date: Mon, 7 Oct 2013 16:07:50 +0200
+Subject: [PATCH] ssh: improve the logic for detecting blocking direction
+
+This fixes a regression introduced by commit 0feeab78 limiting the speed
+of SCP upload to 16384 B/s on a fast connection (such as localhost).
+
+[upstream commit d015f4ccac627852869cb45e31ccdc9fbd97dc47]
+---
+ lib/ssh.c | 8 +++++---
+ 1 files changed, 5 insertions(+), 3 deletions(-)
+
+diff --git a/lib/ssh.c b/lib/ssh.c
+index 422357b..93c65c3 100644
+--- a/lib/ssh.c
++++ b/lib/ssh.c
+@@ -2287,6 +2287,10 @@ static CURLcode ssh_statemach_act(struct connectdata *conn, bool *block)
+ sshc->actualcode = result;
+ }
+ else {
++ /* store this original bitmask setup to use later on if we can't
++ figure out a "real" bitmask */
++ sshc->orig_waitfor = data->req.keepon;
++
+ /* we want to use the _sending_ function even when the socket turns
+ out readable as the underlying libssh2 scp send function will deal
+ with both accordingly */
+@@ -2603,9 +2607,7 @@ static void ssh_block2waitfor(struct connectdata *conn, bool block)
+ {
+ struct ssh_conn *sshc = &conn->proto.sshc;
+ int dir;
+- if(!block)
+- conn->waitfor = 0;
+- else if((dir = libssh2_session_block_directions(sshc->ssh_session))) {
++ if(block && (dir = libssh2_session_block_directions(sshc->ssh_session))) {
+ /* translate the libssh2 define bits into our own bit defines */
+ conn->waitfor = ((dir&LIBSSH2_SESSION_BLOCK_INBOUND)?KEEP_RECV:0) |
+ ((dir&LIBSSH2_SESSION_BLOCK_OUTBOUND)?KEEP_SEND:0);
+--
+1.7.1
+
diff --git a/0108-curl-7.27.0-utf8.patch b/0108-curl-7.27.0-utf8.patch
deleted file mode 100644
index b740b17..0000000
--- a/0108-curl-7.27.0-utf8.patch
+++ /dev/null
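Review bot: `ssh_block2waitfor` no longer clears `conn->waitfor` when `block` is false, and the branch that now handles that case lies outside the hunk, so the value used instead cannot be checked from here. A comment above the new condition would state the contract, for example `/* not blocking, or no direction reported: use the fallback branch below */`, worded to match whatever the unseen else branch does. The condition also assigns `dir` inside an `&&` expression, which leaves `dir` unset when `block` is false; `int dir = block ? libssh2_session_block_directions(sshc->ssh_session) : 0;` followed by `if(dir) {` behaves the same and keeps it initialised on every path. In the visible lines `sshc->orig_waitfor` is set only in this one `ssh_statemach_act` branch, so it is worth confirming that every state reaching the fallback has set it first.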
@@ -1,86 +0,0 @@ - CHANGES | 16 ++++++++-------- - README | 2 +- - 2 files changed, 9 insertions(+), 9 deletions(-) - -diff --git a/CHANGES b/CHANGES -index 2335841..d4d37c2 100644 ---- a/CHANGES -+++ b/CHANGES -@@ -272,7 +272,7 @@ Daniel Stenberg (9 Jul 2012) - - - cookie: fixed typo in comment - --- [Christian Hägele brought this change] -+- [Christian Hägele brought this change] - - https_getsock: provided for schannel backend as well - -@@ -454,7 +454,7 @@ Yang Tse (3 Jul 2012) - testcurl.pl: fix missing semicolon - - Daniel Stenberg (2 Jul 2012) --- [Christian Hägele brought this change] -+- [Christian Hägele brought this change] - - unicode NTLM SSPI: heap corruption fixed - -@@ -2563,18 +2563,18 @@ Daniel Stenberg (1 Apr 2012) - Reported by: Michael Wallner - - Steve Holme (31 Mar 2012) --- [Gökhan Şengün brought this change] -+- [Gökhan Şengün brought this change] - - smtp: Add support for DIGEST-MD5 authentication - --- [Gökhan Şengün brought this change] -+- [Gökhan Şengün brought this change] - - smtp: Cody tidy up of md5 digest length - - Replaced the hard coded md5 digest length (16) with a preprocessor - constant - --- [Gökhan Şengün brought this change] -+- [Gökhan Şengün brought this change] - - md5: Add support for calculating the md5 sum of buffers incrementally - -@@ -3866,7 +3866,7 @@ Daniel Stenberg (20 Dec 2011) - This offers an alternative to the existing Curl_socket_ready() API which - only checks one socket for read and one for write. - --- [Cédric Deltheil brought this change] -+- [Cédric Deltheil brought this change] - - curl.h: add __ANDROID__ macro check - -@@ -4079,7 +4079,7 @@ Daniel Stenberg (12 Dec 2011) - linking with a static openssl requires a set of more libs to be linked - on Windows. - -- Thanks also to Steve Holme and Martin Storsj for additional feedback. -+ Thanks also to Steve Holme and Martin Storsjö for additional feedback. 
- - Bug: http://curl.haxx.se/mail/lib-2011-12/0063.html - Reported by: Ward Willats -@@ -5333,7 +5333,7 @@ Daniel Stenberg (25 Sep 2011) - damaging. - - Bug: http://curl.haxx.se/bug/view.cgi?id=3413181 -- Reported by: Taneli Vhkangas -+ Reported by: Taneli Vähäkangas - - Yang Tse (24 Sep 2011) - - curl tool: fix a compiler warning -diff --git a/README b/README -index 2ffacc3..cfd6760 100644 ---- a/README -+++ b/README -@@ -45,5 +45,5 @@ GIT - NOTICE - - Curl contains pieces of source code that is Copyright (c) 1998, 1999 -- Kungliga Tekniska Hgskolan. This notice is included here to comply with the -+ Kungliga Tekniska Högskolan. This notice is included here to comply with the - distribution terms. diff --git a/0108-curl-7.29.0-utf8.patch b/0108-curl-7.29.0-utf8.patch new file mode 100644 index 0000000..4829d1f --- /dev/null +++ b/0108-curl-7.29.0-utf8.patch 
@@ -0,0 +1,39 @@
+From c6246783cf347652f70d95c0562dd411747e9d53 Mon Sep 17 00:00:00 2001
+From: Kamil Dudka
+Date: Wed, 31 Oct 2012 11:40:30 +0100
+Subject: [PATCH] Fix character encoding of docs
+
+..., which are of mixed encoding originally so a simple iconv can't
+fix them.
+---
+ CHANGES | 2 +-
+ README | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/CHANGES b/CHANGES
+index 4568408..5fc1652 100644
+--- a/CHANGES
++++ b/CHANGES
+@@ -1910,7 +1910,7 @@ Daniel Stenberg (12 Nov 2012)
+
+ - [Gabriel Sjoberg brought this change]
+
+- Digst: Add microseconds into nounce calculation
++ Digest: Add microseconds into nounce calculation
+
+ When using only 1 second precision, curl doesn't create new cnonce
+ values quickly enough for all uses.
+diff --git a/README b/README
+index 2ffacc3..cfd6760 100644
+--- a/README
++++ b/README
+@@ -45,5 +45,5 @@ GIT
+ NOTICE
+
+ Curl contains pieces of source code that is Copyright (c) 1998, 1999
+- Kungliga Tekniska Hgskolan. This notice is included here to comply with the
++ Kungliga Tekniska Högskolan. This notice is included here to comply with the
+ distribution terms.
+--
+1.7.1
+
diff --git a/0201-curl-7.29.0-openssl.patch b/0201-curl-7.29.0-openssl.patch
new file mode 100644
index 0000000..984d916
--- /dev/null
+++ b/0201-curl-7.29.0-openssl.patch
@@ -0,0 +1,31 @@
+--- ./lib/ssluse.c.old 2014-12-20 08:10:34.590020955 +0100
++++ ./lib/ssluse.c 2014-12-20 08:12:24.143382067 +0100
+@@ -1524,20 +1524,28 @@
+ case CURL_SSLVERSION_TLSv1_0:
+ ctx_options |= SSL_OP_NO_SSLv2;
+ ctx_options |= SSL_OP_NO_SSLv3;
++#ifdef SSL_OP_NO_TLSv1_1
+ ctx_options |= SSL_OP_NO_TLSv1_1;
++#endif
++#ifdef SSL_OP_NO_TLSv1_2
+ ctx_options |= SSL_OP_NO_TLSv1_2;
++#endif
+ break;
+ case CURL_SSLVERSION_TLSv1_1:
+ ctx_options |= SSL_OP_NO_SSLv2;
+ ctx_options |= SSL_OP_NO_SSLv3;
+ ctx_options |= SSL_OP_NO_TLSv1;
++#ifdef SSL_OP_NO_TLSv1_2
+ ctx_options |= SSL_OP_NO_TLSv1_2;
++#endif
+ break;
+ case CURL_SSLVERSION_TLSv1_2:
+ ctx_options |= SSL_OP_NO_SSLv2;
+ ctx_options |= SSL_OP_NO_SSLv3;
+ ctx_options |= SSL_OP_NO_TLSv1;
++#ifdef SSL_OP_NO_TLSv1_1
+ ctx_options |= SSL_OP_NO_TLSv1_1;
++#endif
+ break;
+ }
+
diff --git a/curl.spec b/curl.spec
index e36f253..02aa074 100644
--- a/curl.spec
+++ b/curl.spec
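Review bot: In 0201-curl-7.29.0-openssl.patch, the `CURL_SSLVERSION_TLSv1_1` and `CURL_SSLVERSION_TLSv1_2` cases still set `SSL_OP_NO_SSLv2`, `SSL_OP_NO_SSLv3` and `SSL_OP_NO_TLSv1` when the guarded `SSL_OP_NO_TLSv1_x` macros are absent, so on an OpenSSL too old to define them the caller's request for TLS 1.1 or 1.2 is accepted even though, presumably, the library has no such protocol to offer. That most likely surfaces later as a generic handshake failure instead of a clear "not supported" error, which is hard to diagnose for anyone pinning a minimum TLS version. When the macro for the requested version is missing, the case should refuse the request explicitly, along the lines of `#ifndef SSL_OP_NO_TLSv1_2` / `failf(data, "TLS 1.2 not supported by this OpenSSL"); return CURLE_NOT_BUILT_IN;` (assuming `data` is in scope in this function, which the hunk does not show). The enclosing switch starts and ends outside the hunk.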
@@ -1,63 +1,77 @@ +# Define %%{__isa_bits} for old releases +%{!?__isa_bits: %global __isa_bits %((echo '#include '; echo __WORDSIZE) | cpp - | grep -Ex '32|64')} + Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 7.27.0 -Release: 11%{?dist} +Version: 7.29.0 +Release: 19%{?dist} License: MIT Group: Applications/Internet -Source: http://curl.haxx.se/download/%{name}-%{version}.tar.bz2 +Source: http://curl.haxx.se/download/%{name}-%{version}.tar.lzma Source2: curlbuild.h -Source3: hide_selinux.c -# eliminate unnecessary inotify events on upload via file protocol (#844385) -Patch1: 0001-curl-7.27.0-1f8518c5.patch +# fix a SIGSEGV when closing an unused multi handle (#914411) +Patch1: 0001-curl-7.29.0-da3fc1ee.patch -# do not crash if MD5 fingerprint is not provided by libssh2 -Patch2: 0002-curl-7.27.0-f05e5136.patch +# switch SSL socket into non-blocking mode after handshake +Patch2: 0002-curl-7.29.0-9d0af301.patch -# fix a syntax error in curl-config (#871317) -Patch3: 0003-curl-7.27.0-382429e7.patch +# do not ignore poll() failures other than EINTR +Patch3: 0003-curl-7.29.0-491e026c.patch -# do not print misleading NSS error codes -Patch4: 0004-curl-7.27.0-52b6eda4.patch +# curl_global_init() now accepts the CURL_GLOBAL_ACK_EINTR flag +Patch4: 0004-curl-7.29.0-57ccdfa8.patch -# update the links to cipher-suites supported by NSS -Patch5: 0005-curl-7.27.0-f208bf5a.patch +# fix cookie tailmatching to prevent cross-domain leakage (CVE-2013-1944) +Patch5: 0005-curl-7.29.0-2eb8dcf2.patch -# prevent NSS from crashing on client auth hook failure -Patch6: 0006-curl-7.27.0-68d2830e.patch +# show proper host name on failed resolve (#957173) +Patch6: 0006-curl-7.29.0-25e577b3.patch -# clear session cache if a client cert from file is used -Patch7: 0007-curl-7.27.0-b36f1d26.patch +# prevent an artificial timeout event due to stale speed-check data (#906031) +Patch7: 0007-curl-7.29.0-b37b5233.patch -# fix error messages for 
CURLE_SSL_{CACERT,CRL}_BADFILE -Patch8: 0008-curl-7.27.0-26613d78.patch +# fix heap-based buffer overflow in curl_easy_unescape() (CVE-2013-2174) +Patch8: 0008-curl-7.29.0-192c4f78.patch -# fix buffer overflow when negotiating SASL DIGEST-MD5 auth (CVE-2013-0249) -Patch9: 0009-curl-7.27.0-f206d6c0.patch +# mention all option listed in 'curl --help' in curl.1 man page +Patch9: 0009-curl-7.29.0-3a0e931f.patch -# curl_global_init() now accepts the CURL_GLOBAL_ACK_EINTR flag -Patch10: 0010-curl-7.27.0-57ccdfa8.patch +# FTP: when EPSV gets a 229 but fails to connect, retry with PASV (#1002815) +Patch10: 0010-curl-7.29.0-7cc00d9a.patch -# fix cookie tailmatching to prevent cross-domain leakage (CVE-2013-1944) -Patch11: 0011-curl-7.27.0-2eb8dcf2.patch +# avoid a busy-loop in curl_easy_perform() +Patch11: 0011-curl-7.29.0-0feeab78.patch -# show proper host name on failed resolve (#957173) -Patch12: 0012-curl-7.27.0-25e577b3.patch +# avoid delay if FTP is aborted in CURLOPT_HEADERFUNCTION callback (#1005686) +Patch12: 0012-curl-7.29.0-c639d725.patch -# prevent an artificial timeout event due to stale speed-check data (#906031) -Patch13: 0013-curl-7.27.0-b37b5233.patch +# allow to use ECC ciphers if NSS implements them (#1058776) +Patch13: 0013-curl-7.29.0-665c160f.patch -# switch SSL socket into non-blocking mode after handshake (#960765) -Patch14: 0014-curl-7.27.0-9d0af301.patch +# re-use of wrong HTTP NTLM connection in libcurl (CVE-2014-0015) +Patch14: 0014-curl-7.29.0-8ae35102.patch -# fix heap-based buffer overflow in curl_easy_unescape() (CVE-2013-2174) -Patch15: 0015-curl-7.27.0-192c4f78.patch +# allow to use TLS > 1.0 if built against recent NSS (#1036789) +Patch15: 0015-curl-7.29.0-7fc9325a.patch + +# use proxy name in error message when proxy is used (#1042831) +Patch16: 0016-curl-7.29.0-1cf71bd7.patch + +# refresh expired cookie in test172 from upstream test-suite (#1063693) +Patch17: 0017-curl-7.29.0-ffb8a21d.patch + +# fix documentation of curl's options 
--tlsv1.[0-2] (#1066364) +Patch18: 0018-curl-7.29.0-03c28820.patch + +# fix connection re-use when using different log-in credentials (CVE-2014-0138) +Patch19: 0018-curl-7.29.0-517b06d6.patch # patch making libcurl multilib ready -Patch101: 0101-curl-7.27.0-multilib.patch +Patch101: 0101-curl-7.29.0-multilib.patch # prevent configure script from discarding -g in CFLAGS (#496778) -Patch102: 0102-curl-7.27.0-debug.patch +Patch102: 0102-curl-7.29.0-debug.patch # use localhost6 instead of ip6-localhost in the curl test-suite Patch104: 0104-curl-7.19.7-localhost6.patch @@ -65,20 +79,26 @@ Patch104: 0104-curl-7.19.7-localhost6.patch # disable valgrind for certain test-cases (libssh2 problem) Patch106: 0106-curl-7.21.0-libssh2-valgrind.patch +# http://thread.gmane.org/gmane.comp.web.curl.library/40551/focus=40561 +Patch105: 0105-curl-7.32.0-scp-upload.patch + # work around valgrind bug (#678518) Patch107: 0107-curl-7.21.4-libidn-valgrind.patch # Fix character encoding of docs, which are of mixed encoding originally so # a simple iconv can't fix them -Patch108: 0108-curl-7.27.0-utf8.patch +Patch108: 0108-curl-7.29.0-utf8.patch + +# For old openssl in EL-5 +Patch201: 0201-curl-7.29.0-openssl.patch Provides: webclient URL: http://curl.haxx.se/ -BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) +BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(id -nu) BuildRequires: groff BuildRequires: krb5-devel BuildRequires: libidn-devel -BuildRequires: libssh2-devel >= 1.2.0 +BuildRequires: libssh2-devel BuildRequires: openssl-devel BuildRequires: openldap-devel >= %{openldap_version} BuildRequires: openssh-clients 
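Review bot: `Patch19` points at `0018-curl-7.29.0-517b06d6.patch`, which carries the same `0018-` prefix as the file behind `Patch18`, so the file name no longer identifies the patch slot. Because this entry is the CVE-2014-0138 fix, the mismatch makes it harder to confirm from a file listing that the fix is present and applied. If the name is inherited from the package being synced and has to stay, say so in the comment above it, e.g. `# (file keeps its upstream-package name with the 0018- prefix)`; otherwise rename it to `0019-curl-7.29.0-517b06d6.patch`.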
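Review bot: `BuildRequires: libssh2-devel` loses its `>= 1.2.0` bound with no explanation, so the package now builds against whatever libssh2 the build root provides. The same commit adds Patch105, which changes `lib/ssh.c`, so the SSH code path is directly affected by which library version gets picked up. Record the reason and the version actually tested in a comment, e.g. `# no minimum enforced: build root provides libssh2 <VERSION>`, or keep a lower bound that matches it.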
@@ -87,8 +107,23 @@ BuildRequires: pkgconfig BuildRequires: stunnel BuildRequires: zlib-devel -# valgrind is not available on s390(x), sparc or arm5 -%ifnarch s390 s390x %{sparc} %{arm} ppc +# perl modules used in the test suite +BuildRequires: perl(Cwd) +BuildRequires: perl(Digest::MD5) +BuildRequires: perl(Exporter) +BuildRequires: perl(File::Basename) +BuildRequires: perl(File::Copy) +BuildRequires: perl(File::Spec) +BuildRequires: perl(IPC::Open2) +BuildRequires: perl(MIME::Base64) +BuildRequires: perl(strict) +BuildRequires: perl(Time::Local) +BuildRequires: perl(Time::HiRes) +BuildRequires: perl(warnings) +BuildRequires: perl(vars) + +# require valgrind to boost test coverage on i386 and x86_64 +%ifarch %{ix86} x86_64 BuildRequires: valgrind %endif @@ -165,6 +200,11 @@ documentation of the library, too. %patch13 -p1 %patch14 -p1 %patch15 -p1 +%patch16 -p1 +%patch17 -p1 +%patch18 -p1 +%patch105 -p1 +%patch19 -p1 # Fedora patches %patch101 -p1 @@ -174,12 +214,13 @@ documentation of the library, too. %patch107 -p1 %patch108 -p1 +# For EL-5 with old openssl +%patch201 -p1 + # replace hard wired port numbers in the test suite -%ifarch x86_64 -sed -i s/899\\\([0-9]\\\)/649\\1/ tests/data/test* -%else -sed -i s/899\\\([0-9]\\\)/329\\1/ tests/data/test* -%endif +cd tests/data/ +sed -i s/899\\\([0-9]\\\)/%{?__isa_bits}9\\1/ test* +cd - # disable test 1112 (#565305) printf "1112\n" >> tests/data/DISABLED @@ -189,7 +230,6 @@ printf "1112\n" >> tests/data/DISABLED echo "1319" >> tests/data/DISABLED %endif - %build [ -x /usr/kerberos/bin/krb5-config ] && KRB5_PREFIX="=/usr/kerberos" %configure --disable-static \ 
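Review bot: In the `sed` line under "replace hard wired port numbers", `%{?__isa_bits}` expands to nothing when the macro is unset or empty, so the replacement becomes `9\1` and the test ports collapse to 90-99 instead of the 329x/649x ranges the old `%ifarch` branches produced. The `-b%{?__isa_bits}90` argument to `runtests.pl` in the later hunk has the same problem, and the fallback definition at the top of the spec depends on a `cpp | grep` pipeline that yields an empty string if it matches nothing. The multilib hunk already guards its use with `0%{?__isa_bits} == 64`; the port lines need an equivalent guard, for example `test -n "%{?__isa_bits}" || exit 1` placed before the `sed` and before the `runtests.pl` call.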
@@ -224,23 +264,9 @@ export LD_LIBRARY_PATH cd tests make %{?_smp_mflags} -# make it possible to start a testing OpenSSH server with SELinux -# in the enforcing mode (#521087) -gcc -o hide_selinux.so -fPIC -shared %{SOURCE3} -LD_PRELOAD="`readlink -f ./hide_selinux.so`:$LD_PRELOAD" -export LD_PRELOAD - -# Ignore this tests for now (use !xxx) -DISABLED= - # use different port range for 32bit and 64bit build, thus make it possible # to run both in parallel on the same machine -%ifarch x86_64 -./runtests.pl -a -b6490 -p -v $DISABLED -%else -./runtests.pl -a -b3290 -p -v $DISABLED -%endif - +./runtests.pl -a -b%{?__isa_bits}90 -p -v %install rm -rf $RPM_BUILD_ROOT @@ -256,7 +282,7 @@ install -m 644 docs/libcurl/libcurl.m4 $RPM_BUILD_ROOT%{_datadir}/aclocal rm -f ${RPM_BUILD_ROOT}%{_mandir}/man1/mk-ca-bundle.1 # Make libcurl-devel multilib-ready (bug #488922) -%ifarch x86_64 +%if 0%{?__isa_bits} == 64 %define _curlbuild_h curlbuild-64.h %else %define _curlbuild_h curlbuild-32.h @@ -299,6 +325,9 @@ rm -rf $RPM_BUILD_ROOT %{_datadir}/aclocal/libcurl.m4 %changelog +* Sat Dec 20 2014 Remi Collet - 7.29.0-19 +- sync with 7.29.0-19 from RHEL-7: + * Mon Jun 24 2013 Remi Collet - 7.27.0-11 - sync with 7.27.0-11 from F18: fix heap-based buffer overflow in curl_easy_unescape() (CVE-2013-2174) -- cgit