rpms
/
curl
2
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

new upstream release - 7.37.0

This commit is contained in:
Kamil Dudka 2014-05-21 10:42:01 +02:00
parent 8b3cb24b84
commit 69703f0045
8 changed files with 13 additions and 993 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

46
0001-curl-7.36.0-f82e0edc.patch
View File

@ -1,46 +0,0 @@
From 29c2b12b636304c1e357f543be3d6da34e5d832d Mon Sep 17 00:00:00 2001
From: Dan Fandrich <dan@coneharvesters.com>
Date: Wed, 26 Mar 2014 22:02:31 +0100
Subject: [PATCH] test815/816: Use authentication for both URLs
The improved connection reuse logic would otherwise create a new
connection for each one, which isn't supported by the test
server, nor expected by the test.
[upstream commit f82e0edc171b33528bc4f59036505d98ecf1d816]
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
tests/data/test815 | 2 +-
tests/data/test816 | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/tests/data/test815 b/tests/data/test815
index c006c6d..5c5ef79 100644
--- a/tests/data/test815
+++ b/tests/data/test815
@@ -26,7 +26,7 @@ imap
IMAP STORE - delete message (CUSTOMREQUEST)
</name>
<command>
-imap://%HOSTIP:%IMAPPORT/815 -X 'STORE 123 +Flags \Deleted' -u user:secret -: imap://%HOSTIP:%IMAPPORT/815 -X CLOSE
+imap://%HOSTIP:%IMAPPORT/815 -X 'STORE 123 +Flags \Deleted' -u user:secret -: imap://%HOSTIP:%IMAPPORT/815 -X CLOSE -u user:secret
</command>
</client>
diff --git a/tests/data/test816 b/tests/data/test816
index 386f877..b8b1a9d 100644
--- a/tests/data/test816
+++ b/tests/data/test816
@@ -29,7 +29,7 @@ imap
IMAP STORE - delete message with confirmation (CUSTOMREQUEST)
</name>
<command>
-imap://%HOSTIP:%IMAPPORT/816 -X 'STORE 123 +Flags \Deleted' -u user:secret -: imap://%HOSTIP:%IMAPPORT/816 -X EXPUNGE
+imap://%HOSTIP:%IMAPPORT/816 -X 'STORE 123 +Flags \Deleted' -u user:secret -: imap://%HOSTIP:%IMAPPORT/816 -X EXPUNGE -u user:secret
</command>
</client>
--
1.7.1

364
0002-curl-7.36.0-9317eced.patch
View File

@ -1,364 +0,0 @@
From 3d1fa5aee501d0a8ca82c5d7b4964648f0092523 Mon Sep 17 00:00:00 2001
From: Paul Marks <pmarks@google.com>
Date: Sun, 30 Mar 2014 07:50:37 +0200
Subject: [PATCH 1/4] curl: stop interpreting IPv6 literals as glob patterns.
This makes it possible to fetch from an IPv6 literal without specifying
the -g option. Globbing remains available elsehwere in the URL.
For example:
curl http://[::1]/file[1-3].txt
This creates no ambiguity, because there is no overlap between the
syntax of valid globs and valid IPv6 literals. Globs contain hyphens
and at most 1 colon, while IPv6 literals have no hyphens, and at least 2
colons.
The peek_ipv6() parser simply whitelists a set of characters and counts
colons, because the real validation happens later on. The character set
includes A-Z, in case someone decides to implement support for scopes
like [fe80::1%25eth0] in the future.
Signed-off-by: Paul Marks <pmarks@google.com>
[upstream commit 0bc4938eecccefdf8906bf9c488e4cd9c8467e99]
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
src/tool_urlglob.c | 48 +++++++++++++++++++++++++++++++++++++++++++++---
tests/data/test1230 | 2 +-
2 files changed, 46 insertions(+), 4 deletions(-)
diff --git a/src/tool_urlglob.c b/src/tool_urlglob.c
index ec5014b..943e0ab 100644
--- a/src/tool_urlglob.c
+++ b/src/tool_urlglob.c
@@ -5,7 +5,7 @@
* | (__| |_| | _ <| |___
* \___|\___/|_| \_\_____|
*
- * Copyright (C) 1998 - 2013, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2014, Daniel Stenberg, <daniel@haxx.se>, et al.
*
* This software is licensed as described in the file COPYING, which
* you should have received as part of this distribution. The terms
@@ -302,6 +302,36 @@ static GlobCode glob_range(URLGlob *glob, char **patternp,
return GLOB_OK;
}
+static bool peek_ipv6(const char *str, size_t *skip)
+{
+ /*
+ * Scan for a potential IPv6 literal.
+ * - Valid globs contain a hyphen and <= 1 colon.
+ * - IPv6 literals contain no hyphens and >= 2 colons.
+ */
+ size_t i = 0;
+ size_t colons = 0;
+ if(str[i++] != '[') {
+ return FALSE;
+ }
+ for(;;) {
+ const char c = str[i++];
+ if(ISALNUM(c) || c == '.' || c == '%') {
+ /* ok */
+ }
+ else if(c == ':') {
+ colons++;
+ }
+ else if(c == ']') {
+ *skip = i;
+ return colons >= 2;
+ }
+ else {
+ return FALSE;
+ }
+ }
+}
+
static GlobCode glob_parse(URLGlob *glob, char *pattern,
size_t pos, unsigned long *amount)
{
@@ -315,8 +345,20 @@ static GlobCode glob_parse(URLGlob *glob, char *pattern,
while(*pattern && !res) {
char *buf = glob->glob_buffer;
- int sublen = 0;
- while(*pattern && *pattern != '{' && *pattern != '[') {
+ size_t sublen = 0;
+ while(*pattern && *pattern != '{') {
+ if(*pattern == '[') {
+ /* Skip over potential IPv6 literals. */
+ size_t skip;
+ if(peek_ipv6(pattern, &skip)) {
+ memcpy(buf, pattern, skip);
+ buf += skip;
+ pattern += skip;
+ sublen += skip;
+ continue;
+ }
+ break;
+ }
if(*pattern == '}' || *pattern == ']')
return GLOBERROR("unmatched close brace/bracket", pos, GLOB_ERROR);
diff --git a/tests/data/test1230 b/tests/data/test1230
index b16269d..3c1d3d4 100644
--- a/tests/data/test1230
+++ b/tests/data/test1230
@@ -56,7 +56,7 @@ HTTP CONNECT to IPv6 numerical address
</name>
# 0x4ce == 1230, the test number
<command>
--g http://[1234:1234:1234::4ce]:%HTTPPORT/wanted/page/1230 -p -x %HOSTIP:%HTTPPORT
+http://[1234:1234:1234::4ce]:%HTTPPORT/wanted/page/1230 -p -x %HOSTIP:%HTTPPORT
</command>
</client>
--
1.7.1
From 38c0e09f4a020fdcdcfeb149d89d8551e534143f Mon Sep 17 00:00:00 2001
From: Till Maas <opensource@till.name>
Date: Sat, 15 Mar 2014 22:42:50 +0100
Subject: [PATCH 2/4] URL parser: IPv6 zone identifiers are now supported
[upstream commit 9317eced98408c7fefa6dd5f1559050e1ec8a3b7]
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
docs/KNOWN_BUGS | 11 +--------
docs/MANUAL | 6 ++--
lib/url.c | 69 +++++++++++++++++++++++++++++++++++++++++++++---------
3 files changed, 61 insertions(+), 25 deletions(-)
diff --git a/docs/KNOWN_BUGS b/docs/KNOWN_BUGS
index ad997a0..c8ad032 100644
--- a/docs/KNOWN_BUGS
+++ b/docs/KNOWN_BUGS
@@ -180,16 +180,7 @@ may have been fixed since this was written!
--cflags suffers from the same effects with CFLAGS/CPPFLAGS.
30. You need to use -g to the command line tool in order to use RFC2732-style
- IPv6 numerical addresses in URLs.
-
-29. IPv6 URLs with zone ID is not nicely supported.
- http://www.ietf.org/internet-drafts/draft-fenner-literal-zone-02.txt (expired)
- specifies the use of a plus sign instead of a percent when specifying zone
- IDs in URLs to get around the problem of percent signs being
- special. According to the reporter, Firefox deals with the URL _with_ a
- percent letter (which seems like a blatant URL spec violation).
- libcurl supports zone IDs where the percent sign is URL-escaped (i.e. %25):
- http://curl.haxx.se/bug/view.cgi?id=555
+ or RFC6874-style IPv6 numerical addresses in URLs.
26. NTLM authentication using SSPI (on Windows) when (lib)curl is running in
"system context" will make it use wrong(?) user name - at least when compared
diff --git a/docs/MANUAL b/docs/MANUAL
index 4ad2e13..da8f602 100644
--- a/docs/MANUAL
+++ b/docs/MANUAL
@@ -956,9 +956,9 @@ IPv6
When this style is used, the -g option must be given to stop curl from
interpreting the square brackets as special globbing characters. Link local
and site local addresses including a scope identifier, such as fe80::1234%1,
- may also be used, but the scope portion must be numeric and the percent
- character must be URL escaped. The previous example in an SFTP URL might
- look like:
+ may also be used, but the scope portion must be numeric or match an existing
+ network interface on Linux and the percent character must be URL escaped. The
+ previous example in an SFTP URL might look like:
sftp://[fe80::1234%251]/
diff --git a/lib/url.c b/lib/url.c
index 0e420c7..40751cc 100644
--- a/lib/url.c
+++ b/lib/url.c
@@ -3951,23 +3951,59 @@ static CURLcode parseurlandfillconn(struct SessionHandle *data,
if(result != CURLE_OK)
return result;
- if(conn->host.name[0] == '[') {
+ if(conn->host.name[0] == '[' && !data->state.this_is_a_follow) {
/* This looks like an IPv6 address literal. See if there is an address
- scope. */
- char *percent = strstr (conn->host.name, "%25");
+ scope if there is no location header */
+ char *percent = strchr(conn->host.name, '%');
if(percent) {
+ unsigned int identifier_offset = 3;
char *endp;
- unsigned long scope = strtoul (percent + 3, &endp, 10);
+ unsigned long scope;
+ if(strncmp("%25", percent, 3) != 0) {
+ infof(data,
+ "Please URL encode %% as %%25, see RFC 6874.\n");
+ identifier_offset = 1;
+ }
+ scope = strtoul(percent + identifier_offset, &endp, 10);
if(*endp == ']') {
/* The address scope was well formed. Knock it out of the
hostname. */
memmove(percent, endp, strlen(endp)+1);
- if(!data->state.this_is_a_follow)
- /* Don't honour a scope given in a Location: header */
- conn->scope = (unsigned int)scope;
+ conn->scope = (unsigned int)scope;
+ }
+ else {
+ /* Zone identifier is not numeric */
+#ifdef HAVE_NET_IF_H
+ char ifname[IFNAMSIZ + 2];
+ char *square_bracket;
+ unsigned int scopeidx = 0;
+ strncpy(ifname, percent + identifier_offset, IFNAMSIZ + 2);
+ /* Ensure nullbyte termination */
+ ifname[IFNAMSIZ + 1] = '\0';
+ square_bracket = strchr(ifname, ']');
+ if(square_bracket) {
+ /* Remove ']' */
+ *square_bracket = '\0';
+ scopeidx = if_nametoindex(ifname);
+ if(scopeidx == 0) {
+ infof(data, "Invalid network interface: %s; %s\n", ifname,
+ strerror(errno));
+ }
+ }
+ if(scopeidx > 0) {
+ /* Remove zone identifier from hostname */
+ memmove(percent,
+ percent + identifier_offset + strlen(ifname),
+ identifier_offset + strlen(ifname));
+ conn->scope = scopeidx;
+ }
+ else {
+#endif /* HAVE_NET_IF_H */
+ infof(data, "Invalid IPv6 address format\n");
+#ifdef HAVE_NET_IF_H
+ }
+#endif /* HAVE_NET_IF_H */
}
- else
- infof(data, "Invalid IPv6 address format\n");
}
}
@@ -4350,12 +4386,21 @@ static CURLcode parse_proxy(struct SessionHandle *data,
/* start scanning for port number at this point */
portptr = proxyptr;
- /* detect and extract RFC2732-style IPv6-addresses */
+ /* detect and extract RFC6874-style IPv6-addresses */
if(*proxyptr == '[') {
char *ptr = ++proxyptr; /* advance beyond the initial bracket */
- while(*ptr && (ISXDIGIT(*ptr) || (*ptr == ':') || (*ptr == '%') ||
- (*ptr == '.')))
+ while(*ptr && (ISXDIGIT(*ptr) || (*ptr == ':') || (*ptr == '.')))
+ ptr++;
+ if(*ptr == '%') {
+ /* There might be a zone identifier */
+ if(strncmp("%25", ptr, 3))
+ infof(data, "Please URL encode %% as %%25, see RFC 6874.\n");
ptr++;
+ /* Allow unresered characters as defined in RFC 3986 */
+ while(*ptr && (ISALPHA(*ptr) || ISXDIGIT(*ptr) || (*ptr == '-') ||
+ (*ptr == '.') || (*ptr == '_') || (*ptr == '~')))
+ ptr++;
+ }
if(*ptr == ']')
/* yeps, it ended nicely with a bracket as well */
*ptr++ = 0;
--
1.7.1
From 5894ce84ce36fb460df0580754cab17142430f00 Mon Sep 17 00:00:00 2001
From: Dan Fandrich <dan@coneharvesters.com>
Date: Mon, 31 Mar 2014 09:02:55 +0200
Subject: [PATCH 3/4] docs: Removed mention of -g hack when using IPv6 literals
This limitation was removed in commit 0bc4938e
[upstream commit ed4972ffdb11fc62a8bae33ff4eafbd73973ad9f]
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
docs/MANUAL | 2 +-
docs/TODO | 8 --------
2 files changed, 1 insertions(+), 9 deletions(-)
diff --git a/docs/MANUAL b/docs/MANUAL
index da8f602..11960e1 100644
--- a/docs/MANUAL
+++ b/docs/MANUAL
@@ -50,7 +50,7 @@ SIMPLE USAGE
Get the main page from an IPv6 web server:
- curl -g "http://[2001:1890:1112:1::20]/"
+ curl "http://[2001:1890:1112:1::20]/"
DOWNLOAD TO A FILE
diff --git a/docs/TODO b/docs/TODO
index 2b7ac96..871261a 100644
--- a/docs/TODO
+++ b/docs/TODO
@@ -88,7 +88,6 @@
15.4 simultaneous parallel transfers
15.5 provide formpost headers
15.6 warning when setting an option
- 15.7 IPv6 addresses with globbing
16. Build
16.1 roffit
@@ -489,13 +488,6 @@ to provide the data to send.
This can be useful to tell when support for a particular feature hasn't been
compiled into the library.
-15.7 IPv6 addresses with globbing
-
- Currently the command line client needs to get url globbing disabled (with
- -g) for it to support IPv6 numerical addresses. This is a rather silly flaw
- that should be corrected. It probably involves a smarter detection of the
- '[' and ']' letters.
-
16. Build
16.1 roffit
--
1.7.1
From 3e33d0d436d0d6817480172db89836b3d5ba9db5 Mon Sep 17 00:00:00 2001
From: Daniel Stenberg <daniel@haxx.se>
Date: Mon, 31 Mar 2014 09:35:32 +0200
Subject: [PATCH 4/4] ipv6: strip off zone identifiers in redirects too
Follow up to 9317eced984 makes test 1056 work again.
[upstream commit 13682d1a24bba5386530805d8fbcf987b19c3552]
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
lib/url.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/lib/url.c b/lib/url.c
index 40751cc..ebd38cc 100644
--- a/lib/url.c
+++ b/lib/url.c
@@ -3951,7 +3951,7 @@ static CURLcode parseurlandfillconn(struct SessionHandle *data,
if(result != CURLE_OK)
return result;
- if(conn->host.name[0] == '[' && !data->state.this_is_a_follow) {
+ if(conn->host.name[0] == '[') {
/* This looks like an IPv6 address literal. See if there is an address
scope if there is no location header */
char *percent = strchr(conn->host.name, '%');
--
1.7.1

526
0003-curl-7.36.0-8868a226.patch
View File

@ -1,526 +0,0 @@
From 79dd8298f45b9f5dd97c06c397d40e45f905d5d3 Mon Sep 17 00:00:00 2001
From: Kamil Dudka <kdudka@redhat.com>
Date: Thu, 17 Apr 2014 13:12:59 +0200
Subject: [PATCH 1/3] nss: split Curl_nss_connect() into 4 functions
[upstream commit a43bba3a34ed8912c4ca10f213590d1998ba0d29]
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
lib/vtls/nss.c | 134 +++++++++++++++++++++++++++++++++++++++-----------------
1 files changed, 94 insertions(+), 40 deletions(-)
diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c
index 80e26e2..4f4e6c8 100644
--- a/lib/vtls/nss.c
+++ b/lib/vtls/nss.c
@@ -1296,9 +1296,62 @@ static CURLcode nss_init_sslver(SSLVersionRange *sslver,
return CURLE_SSL_CONNECT_ERROR;
}
-CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex)
+static CURLcode nss_fail_connect(struct ssl_connect_data *connssl,
+ struct SessionHandle *data,
+ CURLcode curlerr)
{
+ SSLVersionRange sslver;
PRErrorCode err = 0;
+
+ /* reset the flag to avoid an infinite loop */
+ data->state.ssl_connect_retry = FALSE;
+
+ if(is_nss_error(curlerr)) {
+ /* read NSPR error code */
+ err = PR_GetError();
+ if(is_cc_error(err))
+ curlerr = CURLE_SSL_CERTPROBLEM;
+
+ /* print the error number and error string */
+ infof(data, "NSS error %d (%s)\n", err, nss_error_to_name(err));
+
+ /* print a human-readable message describing the error if available */
+ nss_print_error_message(data, err);
+ }
+
+ /* cleanup on connection failure */
+ Curl_llist_destroy(connssl->obj_list, NULL);
+ connssl->obj_list = NULL;
+
+ if((SSL_VersionRangeGet(connssl->handle, &sslver) == SECSuccess)
+ && (sslver.min == SSL_LIBRARY_VERSION_3_0)
+ && (sslver.max == SSL_LIBRARY_VERSION_TLS_1_0)
+ && isTLSIntoleranceError(err)) {
+ /* schedule reconnect through Curl_retry_request() */
+ data->state.ssl_connect_retry = TRUE;
+ infof(data, "Error in TLS handshake, trying SSLv3...\n");
+ return CURLE_OK;
+ }
+
+ return curlerr;
+}
+
+/* Switch the SSL socket into non-blocking mode. */
+static CURLcode nss_set_nonblock(struct ssl_connect_data *connssl,
+ struct SessionHandle *data)
+{
+ static PRSocketOptionData sock_opt;
+ sock_opt.option = PR_SockOpt_Nonblocking;
+ sock_opt.value.non_blocking = PR_TRUE;
+
+ if(PR_SetSocketOption(connssl->handle, &sock_opt) != PR_SUCCESS)
+ return nss_fail_connect(connssl, data, CURLE_SSL_CONNECT_ERROR);
+
+ return CURLE_OK;
+}
+
+static CURLcode nss_setup_connect(struct connectdata *conn, int sockindex)
+{
PRFileDesc *model = NULL;
PRBool ssl_no_cache;
PRBool ssl_cbc_random_iv;
@@ -1306,9 +1359,6 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex)
curl_socket_t sockfd = conn->sock[sockindex];
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
CURLcode curlerr;
- PRSocketOptionData sock_opt;
- long time_left;
- PRUint32 timeout;
SSLVersionRange sslver = {
SSL_LIBRARY_VERSION_3_0, /* min */
@@ -1534,16 +1584,32 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex)
SSL_SetURL(connssl->handle, conn->host.name);
+ return CURLE_OK;
+
+error:
+ if(model)
+ PR_Close(model);
+
+ return nss_fail_connect(connssl, data, curlerr);
+}
+
+static CURLcode nss_do_connect(struct connectdata *conn, int sockindex)
+{
+ struct ssl_connect_data *connssl = &conn->ssl[sockindex];
+ struct SessionHandle *data = conn->data;
+ CURLcode curlerr = CURLE_SSL_CONNECT_ERROR;
+ PRUint32 timeout;
+
/* check timeout situation */
- time_left = Curl_timeleft(data, NULL, TRUE);
+ const long time_left = Curl_timeleft(data, NULL, TRUE);
if(time_left < 0L) {
failf(data, "timed out before SSL handshake");
curlerr = CURLE_OPERATION_TIMEDOUT;
goto error;
}
- timeout = PR_MillisecondsToInterval((PRUint32) time_left);
/* Force the handshake now */
+ timeout = PR_MillisecondsToInterval((PRUint32) time_left);
if(SSL_ForceHandshakeWithTimeout(connssl->handle, timeout) != SECSuccess) {
if(conn->data->set.ssl.certverifyresult == SSL_ERROR_BAD_CERT_DOMAIN)
curlerr = CURLE_PEER_FAILED_VERIFICATION;
@@ -1552,12 +1618,6 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex)
goto error;
}
- /* switch the SSL socket into non-blocking mode */
- sock_opt.option = PR_SockOpt_Nonblocking;
- sock_opt.value.non_blocking = PR_TRUE;
- if(PR_SetSocketOption(connssl->handle, &sock_opt) != PR_SUCCESS)
- goto error;
-
connssl->state = ssl_connection_complete;
conn->recv[sockindex] = nss_recv;
conn->send[sockindex] = nss_send;
@@ -1585,40 +1645,34 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex)
return CURLE_OK;
- error:
- /* reset the flag to avoid an infinite loop */
- data->state.ssl_connect_retry = FALSE;
+error:
+ return nss_fail_connect(connssl, data, curlerr);
+}
- if(is_nss_error(curlerr)) {
- /* read NSPR error code */
- err = PR_GetError();
- if(is_cc_error(err))
- curlerr = CURLE_SSL_CERTPROBLEM;
+CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex)
+{
+ struct ssl_connect_data *connssl = &conn->ssl[sockindex];
+ struct SessionHandle *data = conn->data;
+ CURLcode rv;
- /* print the error number and error string */
- infof(data, "NSS error %d (%s)\n", err, nss_error_to_name(err));
+ rv = nss_setup_connect(conn, sockindex);
+ if(rv)
+ return rv;
- /* print a human-readable message describing the error if available */
- nss_print_error_message(data, err);
+ rv = nss_do_connect(conn, sockindex);
+ switch(rv) {
+ case CURLE_OK:
+ break;
+ default:
+ return rv;
}
- if(model)
- PR_Close(model);
-
- /* cleanup on connection failure */
- Curl_llist_destroy(connssl->obj_list, NULL);
- connssl->obj_list = NULL;
-
- if((sslver.min == SSL_LIBRARY_VERSION_3_0)
- && (sslver.max == SSL_LIBRARY_VERSION_TLS_1_0)
- && isTLSIntoleranceError(err)) {
- /* schedule reconnect through Curl_retry_request() */
- data->state.ssl_connect_retry = TRUE;
- infof(data, "Error in TLS handshake, trying SSLv3...\n");
- return CURLE_OK;
- }
+ /* switch the SSL socket into non-blocking mode */
+ rv = nss_set_nonblock(connssl, data);
+ if(rv)
+ return rv;
- return curlerr;
+ return CURLE_OK;
}
static ssize_t nss_send(struct connectdata *conn, /* connection data */
--
1.7.1
From f6c04350401c111f92f1428f80a28b66f6609cac Mon Sep 17 00:00:00 2001
From: Kamil Dudka <kdudka@redhat.com>
Date: Thu, 17 Apr 2014 13:27:39 +0200
Subject: [PATCH 2/3] nss: implement non-blocking SSL handshake
[upstream commit 8868a226cdad66a9a07d6e3f168884817592a1df]
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
lib/urldata.h | 1 +
lib/vtls/nss.c | 57 ++++++++++++++++++++++++++++++++++++++++++++++--------
lib/vtls/nssg.h | 1 +
3 files changed, 50 insertions(+), 9 deletions(-)
diff --git a/lib/urldata.h b/lib/urldata.h
index 25f9676..d3bb350 100644
--- a/lib/urldata.h
+++ b/lib/urldata.h
@@ -318,6 +318,7 @@ struct ssl_connect_data {
struct SessionHandle *data;
struct curl_llist *obj_list;
PK11GenericObject *obj_clicert;
+ ssl_connect_state connecting_state;
#endif /* USE_NSS */
#ifdef USE_QSOSSL
SSLHandle *handle;
diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c
index 4f4e6c8..e076e54 100644
--- a/lib/vtls/nss.c
+++ b/lib/vtls/nss.c
@@ -1611,7 +1611,10 @@ static CURLcode nss_do_connect(struct connectdata *conn, int sockindex)
/* Force the handshake now */
timeout = PR_MillisecondsToInterval((PRUint32) time_left);
if(SSL_ForceHandshakeWithTimeout(connssl->handle, timeout) != SECSuccess) {
- if(conn->data->set.ssl.certverifyresult == SSL_ERROR_BAD_CERT_DOMAIN)
+ if(PR_GetError() == PR_WOULD_BLOCK_ERROR)
+ /* TODO: propagate the blocking direction from the NSPR layer */
+ return CURLE_AGAIN;
+ else if(conn->data->set.ssl.certverifyresult == SSL_ERROR_BAD_CERT_DOMAIN)
curlerr = CURLE_PEER_FAILED_VERIFICATION;
else if(conn->data->set.ssl.certverifyresult!=0)
curlerr = CURLE_SSL_CACERT;
@@ -1649,32 +1652,68 @@ error:
return nss_fail_connect(connssl, data, curlerr);
}
-CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex)
+static CURLcode nss_connect_common(struct connectdata *conn, int sockindex,
+ bool *done)
{
struct ssl_connect_data *connssl = &conn->ssl[sockindex];
struct SessionHandle *data = conn->data;
+ const bool blocking = (done == NULL);
CURLcode rv;
- rv = nss_setup_connect(conn, sockindex);
- if(rv)
- return rv;
+ if(connssl->connecting_state == ssl_connect_1) {
+ rv = nss_setup_connect(conn, sockindex);
+ if(rv)
+ /* we do not expect CURLE_AGAIN from nss_setup_connect() */
+ return rv;
+
+ if(!blocking) {
+ /* in non-blocking mode, set NSS non-blocking mode before handshake */
+ rv = nss_set_nonblock(connssl, data);
+ if(rv)
+ return rv;
+ }
+
+ connssl->connecting_state = ssl_connect_2;
+ }
rv = nss_do_connect(conn, sockindex);
switch(rv) {
case CURLE_OK:
break;
+ case CURLE_AGAIN:
+ if(!blocking)
+ /* CURLE_AGAIN in non-blocking mode is not an error */
+ return CURLE_OK;
+ /* fall through */
default:
return rv;
}
- /* switch the SSL socket into non-blocking mode */
- rv = nss_set_nonblock(connssl, data);
- if(rv)
- return rv;
+ if(blocking) {
+ /* in blocking mode, set NSS non-blocking mode _after_ SSL handshake */
+ rv = nss_set_nonblock(connssl, data);
+ if(rv)
+ return rv;
+ }
+ else
+ /* signal completed SSL handshake */
+ *done = TRUE;
+ connssl->connecting_state = ssl_connect_done;
return CURLE_OK;
}
+CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex)
+{
+ return nss_connect_common(conn, sockindex, /* blocking */ NULL);
+}
+
+CURLcode Curl_nss_connect_nonblocking(struct connectdata *conn,
+ int sockindex, bool *done)
+{
+ return nss_connect_common(conn, sockindex, done);
+}
+
static ssize_t nss_send(struct connectdata *conn, /* connection data */
int sockindex, /* socketindex */
const void *mem, /* send this data */
diff --git a/lib/vtls/nssg.h b/lib/vtls/nssg.h
index 38181a9..21e96ce 100644
--- a/lib/vtls/nssg.h
+++ b/lib/vtls/nssg.h
@@ -68,6 +68,7 @@ void Curl_nss_md5sum(unsigned char *tmp, /* input */
#define curlssl_init Curl_nss_init
#define curlssl_cleanup Curl_nss_cleanup
#define curlssl_connect Curl_nss_connect
+#define curlssl_connect_nonblocking Curl_nss_connect_nonblocking
/* NSS has its own session ID cache */
#define curlssl_session_free(x) Curl_nop_stmt
--
1.7.1
From 9fb78efb737ea8c2a9f7c27ea501b1fcf6a90599 Mon Sep 17 00:00:00 2001
From: Kamil Dudka <kdudka@redhat.com>
Date: Wed, 23 Apr 2014 15:37:26 +0200
Subject: [PATCH 3/3] nss: propagate blocking direction from NSPR I/O
... during the non-blocking SSL handshake
[upstream commit 9c941e92c4bd3d2a5dbe243f7517b6a6029afc6e]
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
lib/http.c | 2 +-
lib/vtls/nss.c | 108 +++++++++++++++++++++++++++++++++++++++++++++++++++++---
2 files changed, 104 insertions(+), 6 deletions(-)
diff --git a/lib/http.c b/lib/http.c
index 4a29058..3f8a4c0 100644
--- a/lib/http.c
+++ b/lib/http.c
@@ -1361,7 +1361,7 @@ static CURLcode https_connecting(struct connectdata *conn, bool *done)
#endif
#if defined(USE_SSLEAY) || defined(USE_GNUTLS) || defined(USE_SCHANNEL) || \
- defined(USE_DARWINSSL) || defined(USE_POLARSSL)
+ defined(USE_DARWINSSL) || defined(USE_POLARSSL) || defined(USE_NSS)
/* This function is for OpenSSL, GnuTLS, darwinssl, schannel and polarssl only.
It should be made to query the generic SSL layer instead. */
static int https_getsock(struct connectdata *conn,
diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c
index e076e54..3447f97 100644
--- a/lib/vtls/nss.c
+++ b/lib/vtls/nss.c
@@ -180,6 +180,10 @@ static const cipher_s cipherlist[] = {
static const char* pem_library = "libnsspem.so";
SECMODModule* mod = NULL;
+/* NSPR I/O layer we use to detect blocking direction during SSL handshake */
+static PRDescIdentity nspr_io_identity = PR_INVALID_IO_LAYER;
+static PRIOMethods nspr_io_methods;
+
static const char* nss_error_to_name(PRErrorCode code)
{
const char *name = PR_ErrorToName(code);
@@ -940,6 +944,60 @@ isTLSIntoleranceError(PRInt32 err)
}
}
+/* update blocking direction in case of PR_WOULD_BLOCK_ERROR */
+static void nss_update_connecting_state(ssl_connect_state state, void *secret)
+{
+ struct ssl_connect_data *connssl = (struct ssl_connect_data *)secret;
+ if(PR_GetError() != PR_WOULD_BLOCK_ERROR)
+ /* an unrelated error is passing by */
+ return;
+
+ switch(connssl->connecting_state) {
+ case ssl_connect_2:
+ case ssl_connect_2_reading:
+ case ssl_connect_2_writing:
+ break;
+ default:
+ /* we are not called from an SSL handshake */
+ return;
+ }
+
+ /* update the state accordingly */
+ connssl->connecting_state = state;
+}
+
+/* recv() wrapper we use to detect blocking direction during SSL handshake */
+static PRInt32 nspr_io_recv(PRFileDesc *fd, void *buf, PRInt32 amount,
+ PRIntn flags, PRIntervalTime timeout)
+{
+ const PRRecvFN recv_fn = fd->lower->methods->recv;
+ const PRInt32 rv = recv_fn(fd->lower, buf, amount, flags, timeout);
+ if(rv < 0)
+ /* check for PR_WOULD_BLOCK_ERROR and update blocking direction */
+ nss_update_connecting_state(ssl_connect_2_reading, fd->secret);
+ return rv;
+}
+
+/* send() wrapper we use to detect blocking direction during SSL handshake */
+static PRInt32 nspr_io_send(PRFileDesc *fd, const void *buf, PRInt32 amount,
+ PRIntn flags, PRIntervalTime timeout)
+{
+ const PRSendFN send_fn = fd->lower->methods->send;
+ const PRInt32 rv = send_fn(fd->lower, buf, amount, flags, timeout);
+ if(rv < 0)
+ /* check for PR_WOULD_BLOCK_ERROR and update blocking direction */
+ nss_update_connecting_state(ssl_connect_2_writing, fd->secret);
+ return rv;
+}
+
+/* close() wrapper to avoid assertion failure due to fd->secret != NULL */
+static PRStatus nspr_io_close(PRFileDesc *fd)
+{
+ const PRCloseFN close_fn = PR_GetDefaultIOMethods()->close;
+ fd->secret = NULL;
+ return close_fn(fd);
+}
+
static CURLcode nss_init_core(struct SessionHandle *data, const char *cert_dir)
{
NSSInitParameters initparams;
@@ -1004,6 +1062,21 @@ static CURLcode nss_init(struct SessionHandle *data)
}
}
+ if(nspr_io_identity == PR_INVALID_IO_LAYER) {
+ /* allocate an identity for our own NSPR I/O layer */
+ nspr_io_identity = PR_GetUniqueIdentity("libcurl");
+ if(nspr_io_identity == PR_INVALID_IO_LAYER)
+ return CURLE_OUT_OF_MEMORY;
+
+ /* the default methods just call down to the lower I/O layer */
+ memcpy(&nspr_io_methods, PR_GetDefaultIOMethods(), sizeof nspr_io_methods);
+
+ /* override certain methods in the table by our wrappers */
+ nspr_io_methods.recv = nspr_io_recv;
+ nspr_io_methods.send = nspr_io_send;
+ nspr_io_methods.close = nspr_io_close;
+ }
+
rv = nss_init_core(data, cert_dir);
if(rv)
return rv;
@@ -1353,6 +1426,8 @@ static CURLcode nss_set_nonblock(struct ssl_connect_data *connssl,
static CURLcode nss_setup_connect(struct connectdata *conn, int sockindex)
{
PRFileDesc *model = NULL;
+ PRFileDesc *nspr_io = NULL;
+ PRFileDesc *nspr_io_stub = NULL;
PRBool ssl_no_cache;
PRBool ssl_cbc_random_iv;
struct SessionHandle *data = conn->data;
@@ -1525,11 +1600,34 @@ static CURLcode nss_setup_connect(struct connectdata *conn, int sockindex)
goto error;
}
- /* Import our model socket onto the existing file descriptor */
- connssl->handle = PR_ImportTCPSocket(sockfd);
- connssl->handle = SSL_ImportFD(model, connssl->handle);
- if(!connssl->handle)
+ /* wrap OS file descriptor by NSPR's file descriptor abstraction */
+ nspr_io = PR_ImportTCPSocket(sockfd);
+ if(!nspr_io)
+ goto error;
+
+ /* create our own NSPR I/O layer */
+ nspr_io_stub = PR_CreateIOLayerStub(nspr_io_identity, &nspr_io_methods);
+ if(!nspr_io_stub) {
+ PR_Close(nspr_io);
+ goto error;
+ }
+
+ /* make the per-connection data accessible from NSPR I/O callbacks */
+ nspr_io_stub->secret = (void *)connssl;
+
+ /* push our new layer to the NSPR I/O stack */
+ if(PR_PushIOLayer(nspr_io, PR_TOP_IO_LAYER, nspr_io_stub) != PR_SUCCESS) {
+ PR_Close(nspr_io);
+ PR_Close(nspr_io_stub);
goto error;
+ }
+
+ /* import our model socket onto the current I/O stack */
+ connssl->handle = SSL_ImportFD(model, nspr_io);
+ if(!connssl->handle) {
+ PR_Close(nspr_io);
+ goto error;
+ }
PR_Close(model); /* We don't need this any more */
model = NULL;
@@ -1612,7 +1710,7 @@ static CURLcode nss_do_connect(struct connectdata *conn, int sockindex)
timeout = PR_MillisecondsToInterval((PRUint32) time_left);
if(SSL_ForceHandshakeWithTimeout(connssl->handle, timeout) != SECSuccess) {
if(PR_GetError() == PR_WOULD_BLOCK_ERROR)
- /* TODO: propagate the blocking direction from the NSPR layer */
+ /* blocking direction is updated by nss_update_connecting_state() */
return CURLE_AGAIN;
else if(conn->data->set.ssl.certverifyresult == SSL_ERROR_BAD_CERT_DOMAIN)
curlerr = CURLE_PEER_FAILED_VERIFICATION;
--
1.7.1

31
0004-curl-7.36.0-ec5fde24.patch
View File

@ -1,31 +0,0 @@
From c6cecc7bd90e0e89308e8e5c6c590861c00db6f3 Mon Sep 17 00:00:00 2001
From: Kamil Dudka <kdudka@redhat.com>
Date: Mon, 5 May 2014 14:49:30 +0200
Subject: [PATCH] http: avoid auth failure on a duplicated header
... 'WWW-Authenticate: Negotiate' received from server
Reported by: David Woodhouse
Bug: https://bugzilla.redhat.com/1093348
[upstream commit ec5fde24de5ddd1910730f0cbac5e77820b26eb9]
---
lib/http.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/http.c b/lib/http.c
index 3f8a4c0..90b37d8 100644
--- a/lib/http.c
+++ b/lib/http.c
@@ -752,7 +752,7 @@ CURLcode Curl_http_input_auth(struct connectdata *conn, bool proxy,
infof(data, "Authentication problem. Ignoring this.\n");
data->state.authproblem = TRUE;
}
- else {
+ else if(data->state.negotiate.state == GSS_AUTHNONE) {
neg = Curl_input_negotiate(conn, proxy, auth);
if(neg == 0) {
DEBUGASSERT(!data->req.newurl);
--
1.8.3.1

7
curl-7.36.0.tar.lzma.asc
View File

@ -1,7 +0,0 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iEYEABECAAYFAlMyeZEACgkQeOEcayedXJFTpACfaOmp5/t6thzl/LLM4L6/AO70
i5oAoJLzbaqGU31OhelQxcyrRX2gDubB
=++7u
-----END PGP SIGNATURE-----

7
curl-7.37.0.tar.lzma.asc Normal file
View File

@ -0,0 +1,7 @@
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iEYEABECAAYFAlN8QMkACgkQeOEcayedXJE24wCgr1aAWOegokq2WJQVLDIrW32n
je4AoPKSxcgo3RY8MW8SLPvmtGFSDVdz
=jHo4
-----END PGP SIGNATURE-----

23
curl.spec
View File

@ -1,24 +1,12 @@
Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
Name: curl
Version: 7.36.0
Release: 4%{?dist}
Version: 7.37.0
Release: 1%{?dist}
License: MIT
Group: Applications/Internet
Source: http://curl.haxx.se/download/%{name}-%{version}.tar.lzma
Source2: curlbuild.h
# adapt tests 815 and 816 such that they work with the fix for CVE-2014-0138
Patch1: 0001-curl-7.36.0-f82e0edc.patch
# extend URL parser to support IPv6 zone identifiers (#680996)
Patch2: 0002-curl-7.36.0-9317eced.patch
# nss: implement non-blocking SSL handshake
Patch3: 0003-curl-7.36.0-8868a226.patch
# auth failure on duplicated 'WWW-Authenticate: Negotiate' header (#1093348)
Patch4: 0004-curl-7.36.0-ec5fde24.patch
# patch making libcurl multilib ready
Patch101: 0101-curl-7.32.0-multilib.patch
@ -131,10 +119,6 @@ documentation of the library, too.
%setup -q
# upstream patches
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
# Fedora patches
%patch101 -p1
@ -256,6 +240,9 @@ rm -rf $RPM_BUILD_ROOT
%{_datadir}/aclocal/libcurl.m4
%changelog
* Wed May 21 2014 Kamil Dudka <kdudka@redhat.com> 7.37.0-1
- new upstream release
* Fri May 09 2014 Kamil Dudka <kdudka@redhat.com> 7.36.0-4
- auth failure on duplicated 'WWW-Authenticate: Negotiate' header (#1093348)

2
sources
View File

@ -1 +1 @@
291081121e604b04e0035bfdd736d196 curl-7.36.0.tar.lzma
54bfd1eb5214f604186d6f5ac61c7781 curl-7.37.0.tar.lzma