From 69703f004546b8df53af43728ae4d0cd170a23c9 Mon Sep 17 00:00:00 2001
From: Kamil Dudka
Date: Wed, 21 May 2014 10:42:01 +0200
Subject: [PATCH] new upstream release - 7.37.0

---
 0001-curl-7.36.0-f82e0edc.patch | 46 ---
 0002-curl-7.36.0-9317eced.patch | 364 ----------------------
 0003-curl-7.36.0-8868a226.patch | 526 --------------------------------
 0004-curl-7.36.0-ec5fde24.patch | 31 --
 curl-7.36.0.tar.lzma.asc | 7 -
 curl-7.37.0.tar.lzma.asc | 7 +
 curl.spec | 23 +-
 sources | 2 +-
 8 files changed, 13 insertions(+), 993 deletions(-)
 delete mode 100644 0001-curl-7.36.0-f82e0edc.patch
 delete mode 100644 0002-curl-7.36.0-9317eced.patch
 delete mode 100644 0003-curl-7.36.0-8868a226.patch
 delete mode 100644 0004-curl-7.36.0-ec5fde24.patch
 delete mode 100644 curl-7.36.0.tar.lzma.asc
 create mode 100644 curl-7.37.0.tar.lzma.asc
diff --git a/0001-curl-7.36.0-f82e0edc.patch b/0001-curl-7.36.0-f82e0edc.patch
deleted file mode 100644
index d054083..0000000
--- a/0001-curl-7.36.0-f82e0edc.patch
+++ /dev/null
@@ -1,46 +0,0 @@ -From 29c2b12b636304c1e357f543be3d6da34e5d832d Mon Sep 17 00:00:00 2001 -From: Dan Fandrich -Date: Wed, 26 Mar 2014 22:02:31 +0100 -Subject: [PATCH] test815/816: Use authentication for both URLs - -The improved connection reuse logic would otherwise create a new -connection for each one, which isn't supported by the test -server, nor expected by the test. - -[upstream commit f82e0edc171b33528bc4f59036505d98ecf1d816] - -Signed-off-by: Kamil Dudka ---- - tests/data/test815 | 2 +- - tests/data/test816 | 2 +- - 2 files changed, 2 insertions(+), 2 deletions(-) - -diff --git a/tests/data/test815 b/tests/data/test815 -index c006c6d..5c5ef79 100644 ---- a/tests/data/test815 -+++ b/tests/data/test815 -@@ -26,7 +26,7 @@ imap - IMAP STORE - delete message (CUSTOMREQUEST) - - --imap://%HOSTIP:%IMAPPORT/815 -X 'STORE 123 +Flags \Deleted' -u user:secret -: imap://%HOSTIP:%IMAPPORT/815 -X CLOSE -+imap://%HOSTIP:%IMAPPORT/815 -X 'STORE 123 +Flags \Deleted' -u user:secret -: imap://%HOSTIP:%IMAPPORT/815 -X CLOSE -u user:secret - - - -diff --git a/tests/data/test816 b/tests/data/test816 -index 386f877..b8b1a9d 100644 ---- a/tests/data/test816 -+++ b/tests/data/test816 -@@ -29,7 +29,7 @@ imap - IMAP STORE - delete message with confirmation (CUSTOMREQUEST) - - --imap://%HOSTIP:%IMAPPORT/816 -X 'STORE 123 +Flags \Deleted' -u user:secret -: imap://%HOSTIP:%IMAPPORT/816 -X EXPUNGE -+imap://%HOSTIP:%IMAPPORT/816 -X 'STORE 123 +Flags \Deleted' -u user:secret -: imap://%HOSTIP:%IMAPPORT/816 -X EXPUNGE -u user:secret - - - --- -1.7.1 - diff --git a/0002-curl-7.36.0-9317eced.patch b/0002-curl-7.36.0-9317eced.patch deleted file mode 100644 index 87ae6fa..0000000 --- a/0002-curl-7.36.0-9317eced.patch +++ /dev/null 
@@ -1,364 +0,0 @@ -From 3d1fa5aee501d0a8ca82c5d7b4964648f0092523 Mon Sep 17 00:00:00 2001 -From: Paul Marks -Date: Sun, 30 Mar 2014 07:50:37 +0200 -Subject: [PATCH 1/4] curl: stop interpreting IPv6 literals as glob patterns. - -This makes it possible to fetch from an IPv6 literal without specifying -the -g option. Globbing remains available elsehwere in the URL. - -For example: - curl http://[::1]/file[1-3].txt - -This creates no ambiguity, because there is no overlap between the -syntax of valid globs and valid IPv6 literals. Globs contain hyphens -and at most 1 colon, while IPv6 literals have no hyphens, and at least 2 -colons. - -The peek_ipv6() parser simply whitelists a set of characters and counts -colons, because the real validation happens later on. The character set -includes A-Z, in case someone decides to implement support for scopes -like [fe80::1%25eth0] in the future. - -Signed-off-by: Paul Marks - -[upstream commit 0bc4938eecccefdf8906bf9c488e4cd9c8467e99] - -Signed-off-by: Kamil Dudka ---- - src/tool_urlglob.c | 48 +++++++++++++++++++++++++++++++++++++++++++++--- - tests/data/test1230 | 2 +- - 2 files changed, 46 insertions(+), 4 deletions(-) - -diff --git a/src/tool_urlglob.c b/src/tool_urlglob.c -index ec5014b..943e0ab 100644 ---- a/src/tool_urlglob.c -+++ b/src/tool_urlglob.c -@@ -5,7 +5,7 @@ - * | (__| |_| | _ <| |___ - * \___|\___/|_| \_\_____| - * -- * Copyright (C) 1998 - 2013, Daniel Stenberg, , et al. -+ * Copyright (C) 1998 - 2014, Daniel Stenberg, , et al. - * - * This software is licensed as described in the file COPYING, which - * you should have received as part of this distribution. The terms -@@ -302,6 +302,36 @@ static GlobCode glob_range(URLGlob *glob, char **patternp, - return GLOB_OK; - } - -+static bool peek_ipv6(const char *str, size_t *skip) -+{ -+ /* -+ * Scan for a potential IPv6 literal. -+ * - Valid globs contain a hyphen and <= 1 colon. -+ * - IPv6 literals contain no hyphens and >= 2 colons. 
-+ */ -+ size_t i = 0; -+ size_t colons = 0; -+ if(str[i++] != '[') { -+ return FALSE; -+ } -+ for(;;) { -+ const char c = str[i++]; -+ if(ISALNUM(c) || c == '.' || c == '%') { -+ /* ok */ -+ } -+ else if(c == ':') { -+ colons++; -+ } -+ else if(c == ']') { -+ *skip = i; -+ return colons >= 2; -+ } -+ else { -+ return FALSE; -+ } -+ } -+} -+ - static GlobCode glob_parse(URLGlob *glob, char *pattern, - size_t pos, unsigned long *amount) - { -@@ -315,8 +345,20 @@ static GlobCode glob_parse(URLGlob *glob, char *pattern, - - while(*pattern && !res) { - char *buf = glob->glob_buffer; -- int sublen = 0; -- while(*pattern && *pattern != '{' && *pattern != '[') { -+ size_t sublen = 0; -+ while(*pattern && *pattern != '{') { -+ if(*pattern == '[') { -+ /* Skip over potential IPv6 literals. */ -+ size_t skip; -+ if(peek_ipv6(pattern, &skip)) { -+ memcpy(buf, pattern, skip); -+ buf += skip; -+ pattern += skip; -+ sublen += skip; -+ continue; -+ } -+ break; -+ } - if(*pattern == '}' || *pattern == ']') - return GLOBERROR("unmatched close brace/bracket", pos, GLOB_ERROR); - -diff --git a/tests/data/test1230 b/tests/data/test1230 -index b16269d..3c1d3d4 100644 ---- a/tests/data/test1230 -+++ b/tests/data/test1230 -@@ -56,7 +56,7 @@ HTTP CONNECT to IPv6 numerical address - - # 0x4ce == 1230, the test number - ---g http://[1234:1234:1234::4ce]:%HTTPPORT/wanted/page/1230 -p -x %HOSTIP:%HTTPPORT -+http://[1234:1234:1234::4ce]:%HTTPPORT/wanted/page/1230 -p -x %HOSTIP:%HTTPPORT - - - --- -1.7.1 - - -From 38c0e09f4a020fdcdcfeb149d89d8551e534143f Mon Sep 17 00:00:00 2001 -From: Till Maas -Date: Sat, 15 Mar 2014 22:42:50 +0100 -Subject: [PATCH 2/4] URL parser: IPv6 zone identifiers are now supported - -[upstream commit 9317eced98408c7fefa6dd5f1559050e1ec8a3b7] - -Signed-off-by: Kamil Dudka ---- - docs/KNOWN_BUGS | 11 +-------- - docs/MANUAL | 6 ++-- - lib/url.c | 69 +++++++++++++++++++++++++++++++++++++++++++++--------- - 3 files changed, 61 insertions(+), 25 deletions(-) - -diff --git 
a/docs/KNOWN_BUGS b/docs/KNOWN_BUGS -index ad997a0..c8ad032 100644 ---- a/docs/KNOWN_BUGS -+++ b/docs/KNOWN_BUGS -@@ -180,16 +180,7 @@ may have been fixed since this was written! - --cflags suffers from the same effects with CFLAGS/CPPFLAGS. - - 30. You need to use -g to the command line tool in order to use RFC2732-style -- IPv6 numerical addresses in URLs. -- --29. IPv6 URLs with zone ID is not nicely supported. -- http://www.ietf.org/internet-drafts/draft-fenner-literal-zone-02.txt (expired) -- specifies the use of a plus sign instead of a percent when specifying zone -- IDs in URLs to get around the problem of percent signs being -- special. According to the reporter, Firefox deals with the URL _with_ a -- percent letter (which seems like a blatant URL spec violation). -- libcurl supports zone IDs where the percent sign is URL-escaped (i.e. %25): -- http://curl.haxx.se/bug/view.cgi?id=555 -+ or RFC6874-style IPv6 numerical addresses in URLs. - - 26. NTLM authentication using SSPI (on Windows) when (lib)curl is running in - "system context" will make it use wrong(?) user name - at least when compared -diff --git a/docs/MANUAL b/docs/MANUAL -index 4ad2e13..da8f602 100644 ---- a/docs/MANUAL -+++ b/docs/MANUAL -@@ -956,9 +956,9 @@ IPv6 - When this style is used, the -g option must be given to stop curl from - interpreting the square brackets as special globbing characters. Link local - and site local addresses including a scope identifier, such as fe80::1234%1, -- may also be used, but the scope portion must be numeric and the percent -- character must be URL escaped. The previous example in an SFTP URL might -- look like: -+ may also be used, but the scope portion must be numeric or match an existing -+ network interface on Linux and the percent character must be URL escaped. 
The -+ previous example in an SFTP URL might look like: - - sftp://[fe80::1234%251]/ - -diff --git a/lib/url.c b/lib/url.c -index 0e420c7..40751cc 100644 ---- a/lib/url.c -+++ b/lib/url.c -@@ -3951,23 +3951,59 @@ static CURLcode parseurlandfillconn(struct SessionHandle *data, - if(result != CURLE_OK) - return result; - -- if(conn->host.name[0] == '[') { -+ if(conn->host.name[0] == '[' && !data->state.this_is_a_follow) { - /* This looks like an IPv6 address literal. See if there is an address -- scope. */ -- char *percent = strstr (conn->host.name, "%25"); -+ scope if there is no location header */ -+ char *percent = strchr(conn->host.name, '%'); - if(percent) { -+ unsigned int identifier_offset = 3; - char *endp; -- unsigned long scope = strtoul (percent + 3, &endp, 10); -+ unsigned long scope; -+ if(strncmp("%25", percent, 3) != 0) { -+ infof(data, -+ "Please URL encode %% as %%25, see RFC 6874.\n"); -+ identifier_offset = 1; -+ } -+ scope = strtoul(percent + identifier_offset, &endp, 10); - if(*endp == ']') { - /* The address scope was well formed. Knock it out of the - hostname. 
*/ - memmove(percent, endp, strlen(endp)+1); -- if(!data->state.this_is_a_follow) -- /* Don't honour a scope given in a Location: header */ -- conn->scope = (unsigned int)scope; -+ conn->scope = (unsigned int)scope; -+ } -+ else { -+ /* Zone identifier is not numeric */ -+#ifdef HAVE_NET_IF_H -+ char ifname[IFNAMSIZ + 2]; -+ char *square_bracket; -+ unsigned int scopeidx = 0; -+ strncpy(ifname, percent + identifier_offset, IFNAMSIZ + 2); -+ /* Ensure nullbyte termination */ -+ ifname[IFNAMSIZ + 1] = '\0'; -+ square_bracket = strchr(ifname, ']'); -+ if(square_bracket) { -+ /* Remove ']' */ -+ *square_bracket = '\0'; -+ scopeidx = if_nametoindex(ifname); -+ if(scopeidx == 0) { -+ infof(data, "Invalid network interface: %s; %s\n", ifname, -+ strerror(errno)); -+ } -+ } -+ if(scopeidx > 0) { -+ /* Remove zone identifier from hostname */ -+ memmove(percent, -+ percent + identifier_offset + strlen(ifname), -+ identifier_offset + strlen(ifname)); -+ conn->scope = scopeidx; -+ } -+ else { -+#endif /* HAVE_NET_IF_H */ -+ infof(data, "Invalid IPv6 address format\n"); -+#ifdef HAVE_NET_IF_H -+ } -+#endif /* HAVE_NET_IF_H */ - } -- else -- infof(data, "Invalid IPv6 address format\n"); - } - } - -@@ -4350,12 +4386,21 @@ static CURLcode parse_proxy(struct SessionHandle *data, - /* start scanning for port number at this point */ - portptr = proxyptr; - -- /* detect and extract RFC2732-style IPv6-addresses */ -+ /* detect and extract RFC6874-style IPv6-addresses */ - if(*proxyptr == '[') { - char *ptr = ++proxyptr; /* advance beyond the initial bracket */ -- while(*ptr && (ISXDIGIT(*ptr) || (*ptr == ':') || (*ptr == '%') || -- (*ptr == '.'))) -+ while(*ptr && (ISXDIGIT(*ptr) || (*ptr == ':') || (*ptr == '.'))) -+ ptr++; -+ if(*ptr == '%') { -+ /* There might be a zone identifier */ -+ if(strncmp("%25", ptr, 3)) -+ infof(data, "Please URL encode %% as %%25, see RFC 6874.\n"); - ptr++; -+ /* Allow unresered characters as defined in RFC 3986 */ -+ while(*ptr && (ISALPHA(*ptr) || 
ISXDIGIT(*ptr) || (*ptr == '-') || -+ (*ptr == '.') || (*ptr == '_') || (*ptr == '~'))) -+ ptr++; -+ } - if(*ptr == ']') - /* yeps, it ended nicely with a bracket as well */ - *ptr++ = 0; --- -1.7.1 - - -From 5894ce84ce36fb460df0580754cab17142430f00 Mon Sep 17 00:00:00 2001 -From: Dan Fandrich -Date: Mon, 31 Mar 2014 09:02:55 +0200 -Subject: [PATCH 3/4] docs: Removed mention of -g hack when using IPv6 literals - -This limitation was removed in commit 0bc4938e - -[upstream commit ed4972ffdb11fc62a8bae33ff4eafbd73973ad9f] - -Signed-off-by: Kamil Dudka ---- - docs/MANUAL | 2 +- - docs/TODO | 8 -------- - 2 files changed, 1 insertions(+), 9 deletions(-) - -diff --git a/docs/MANUAL b/docs/MANUAL -index da8f602..11960e1 100644 ---- a/docs/MANUAL -+++ b/docs/MANUAL -@@ -50,7 +50,7 @@ SIMPLE USAGE - - Get the main page from an IPv6 web server: - -- curl -g "http://[2001:1890:1112:1::20]/" -+ curl "http://[2001:1890:1112:1::20]/" - - DOWNLOAD TO A FILE - -diff --git a/docs/TODO b/docs/TODO -index 2b7ac96..871261a 100644 ---- a/docs/TODO -+++ b/docs/TODO -@@ -88,7 +88,6 @@ - 15.4 simultaneous parallel transfers - 15.5 provide formpost headers - 15.6 warning when setting an option -- 15.7 IPv6 addresses with globbing - - 16. Build - 16.1 roffit -@@ -489,13 +488,6 @@ to provide the data to send. - This can be useful to tell when support for a particular feature hasn't been - compiled into the library. - --15.7 IPv6 addresses with globbing -- -- Currently the command line client needs to get url globbing disabled (with -- -g) for it to support IPv6 numerical addresses. This is a rather silly flaw -- that should be corrected. It probably involves a smarter detection of the -- '[' and ']' letters. -- - 16. 
Build - - 16.1 roffit --- -1.7.1 - - -From 3e33d0d436d0d6817480172db89836b3d5ba9db5 Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Mon, 31 Mar 2014 09:35:32 +0200 -Subject: [PATCH 4/4] ipv6: strip off zone identifiers in redirects too - -Follow up to 9317eced984 makes test 1056 work again. - -[upstream commit 13682d1a24bba5386530805d8fbcf987b19c3552] - -Signed-off-by: Kamil Dudka ---- - lib/url.c | 2 +- - 1 files changed, 1 insertions(+), 1 deletions(-) - -diff --git a/lib/url.c b/lib/url.c -index 40751cc..ebd38cc 100644 ---- a/lib/url.c -+++ b/lib/url.c -@@ -3951,7 +3951,7 @@ static CURLcode parseurlandfillconn(struct SessionHandle *data, - if(result != CURLE_OK) - return result; - -- if(conn->host.name[0] == '[' && !data->state.this_is_a_follow) { -+ if(conn->host.name[0] == '[') { - /* This looks like an IPv6 address literal. See if there is an address - scope if there is no location header */ - char *percent = strchr(conn->host.name, '%'); --- -1.7.1 - diff --git a/0003-curl-7.36.0-8868a226.patch b/0003-curl-7.36.0-8868a226.patch deleted file mode 100644 index 954776c..0000000 --- a/0003-curl-7.36.0-8868a226.patch +++ /dev/null 
@@ -1,526 +0,0 @@ -From 79dd8298f45b9f5dd97c06c397d40e45f905d5d3 Mon Sep 17 00:00:00 2001 -From: Kamil Dudka -Date: Thu, 17 Apr 2014 13:12:59 +0200 -Subject: [PATCH 1/3] nss: split Curl_nss_connect() into 4 functions - -[upstream commit a43bba3a34ed8912c4ca10f213590d1998ba0d29] - -Signed-off-by: Kamil Dudka ---- - lib/vtls/nss.c | 134 +++++++++++++++++++++++++++++++++++++++----------------- - 1 files changed, 94 insertions(+), 40 deletions(-) - -diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c -index 80e26e2..4f4e6c8 100644 ---- a/lib/vtls/nss.c -+++ b/lib/vtls/nss.c -@@ -1296,9 +1296,62 @@ static CURLcode nss_init_sslver(SSLVersionRange *sslver, - return CURLE_SSL_CONNECT_ERROR; - } - --CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex) -+static CURLcode nss_fail_connect(struct ssl_connect_data *connssl, -+ struct SessionHandle *data, -+ CURLcode curlerr) - { -+ SSLVersionRange sslver; - PRErrorCode err = 0; -+ -+ /* reset the flag to avoid an infinite loop */ -+ data->state.ssl_connect_retry = FALSE; -+ -+ if(is_nss_error(curlerr)) { -+ /* read NSPR error code */ -+ err = PR_GetError(); -+ if(is_cc_error(err)) -+ curlerr = CURLE_SSL_CERTPROBLEM; -+ -+ /* print the error number and error string */ -+ infof(data, "NSS error %d (%s)\n", err, nss_error_to_name(err)); -+ -+ /* print a human-readable message describing the error if available */ -+ nss_print_error_message(data, err); -+ } -+ -+ /* cleanup on connection failure */ -+ Curl_llist_destroy(connssl->obj_list, NULL); -+ connssl->obj_list = NULL; -+ -+ if((SSL_VersionRangeGet(connssl->handle, &sslver) == SECSuccess) -+ && (sslver.min == SSL_LIBRARY_VERSION_3_0) -+ && (sslver.max == SSL_LIBRARY_VERSION_TLS_1_0) -+ && isTLSIntoleranceError(err)) { -+ /* schedule reconnect through Curl_retry_request() */ -+ data->state.ssl_connect_retry = TRUE; -+ infof(data, "Error in TLS handshake, trying SSLv3...\n"); -+ return CURLE_OK; -+ } -+ -+ return curlerr; -+} -+ -+/* Switch the SSL socket into non-blocking 
mode. */ -+static CURLcode nss_set_nonblock(struct ssl_connect_data *connssl, -+ struct SessionHandle *data) -+{ -+ static PRSocketOptionData sock_opt; -+ sock_opt.option = PR_SockOpt_Nonblocking; -+ sock_opt.value.non_blocking = PR_TRUE; -+ -+ if(PR_SetSocketOption(connssl->handle, &sock_opt) != PR_SUCCESS) -+ return nss_fail_connect(connssl, data, CURLE_SSL_CONNECT_ERROR); -+ -+ return CURLE_OK; -+} -+ -+static CURLcode nss_setup_connect(struct connectdata *conn, int sockindex) -+{ - PRFileDesc *model = NULL; - PRBool ssl_no_cache; - PRBool ssl_cbc_random_iv; -@@ -1306,9 +1359,6 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex) - curl_socket_t sockfd = conn->sock[sockindex]; - struct ssl_connect_data *connssl = &conn->ssl[sockindex]; - CURLcode curlerr; -- PRSocketOptionData sock_opt; -- long time_left; -- PRUint32 timeout; - - SSLVersionRange sslver = { - SSL_LIBRARY_VERSION_3_0, /* min */ -@@ -1534,16 +1584,32 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex) - - SSL_SetURL(connssl->handle, conn->host.name); - -+ return CURLE_OK; -+ -+error: -+ if(model) -+ PR_Close(model); -+ -+ return nss_fail_connect(connssl, data, curlerr); -+} -+ -+static CURLcode nss_do_connect(struct connectdata *conn, int sockindex) -+{ -+ struct ssl_connect_data *connssl = &conn->ssl[sockindex]; -+ struct SessionHandle *data = conn->data; -+ CURLcode curlerr = CURLE_SSL_CONNECT_ERROR; -+ PRUint32 timeout; -+ - /* check timeout situation */ -- time_left = Curl_timeleft(data, NULL, TRUE); -+ const long time_left = Curl_timeleft(data, NULL, TRUE); - if(time_left < 0L) { - failf(data, "timed out before SSL handshake"); - curlerr = CURLE_OPERATION_TIMEDOUT; - goto error; - } -- timeout = PR_MillisecondsToInterval((PRUint32) time_left); - - /* Force the handshake now */ -+ timeout = PR_MillisecondsToInterval((PRUint32) time_left); - if(SSL_ForceHandshakeWithTimeout(connssl->handle, timeout) != SECSuccess) { - if(conn->data->set.ssl.certverifyresult == 
SSL_ERROR_BAD_CERT_DOMAIN) - curlerr = CURLE_PEER_FAILED_VERIFICATION; -@@ -1552,12 +1618,6 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex) - goto error; - } - -- /* switch the SSL socket into non-blocking mode */ -- sock_opt.option = PR_SockOpt_Nonblocking; -- sock_opt.value.non_blocking = PR_TRUE; -- if(PR_SetSocketOption(connssl->handle, &sock_opt) != PR_SUCCESS) -- goto error; -- - connssl->state = ssl_connection_complete; - conn->recv[sockindex] = nss_recv; - conn->send[sockindex] = nss_send; -@@ -1585,40 +1645,34 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex) - - return CURLE_OK; - -- error: -- /* reset the flag to avoid an infinite loop */ -- data->state.ssl_connect_retry = FALSE; -+error: -+ return nss_fail_connect(connssl, data, curlerr); -+} - -- if(is_nss_error(curlerr)) { -- /* read NSPR error code */ -- err = PR_GetError(); -- if(is_cc_error(err)) -- curlerr = CURLE_SSL_CERTPROBLEM; -+CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex) -+{ -+ struct ssl_connect_data *connssl = &conn->ssl[sockindex]; -+ struct SessionHandle *data = conn->data; -+ CURLcode rv; - -- /* print the error number and error string */ -- infof(data, "NSS error %d (%s)\n", err, nss_error_to_name(err)); -+ rv = nss_setup_connect(conn, sockindex); -+ if(rv) -+ return rv; - -- /* print a human-readable message describing the error if available */ -- nss_print_error_message(data, err); -+ rv = nss_do_connect(conn, sockindex); -+ switch(rv) { -+ case CURLE_OK: -+ break; -+ default: -+ return rv; - } - -- if(model) -- PR_Close(model); -- -- /* cleanup on connection failure */ -- Curl_llist_destroy(connssl->obj_list, NULL); -- connssl->obj_list = NULL; -- -- if((sslver.min == SSL_LIBRARY_VERSION_3_0) -- && (sslver.max == SSL_LIBRARY_VERSION_TLS_1_0) -- && isTLSIntoleranceError(err)) { -- /* schedule reconnect through Curl_retry_request() */ -- data->state.ssl_connect_retry = TRUE; -- infof(data, "Error in TLS handshake, trying 
SSLv3...\n"); -- return CURLE_OK; -- } -+ /* switch the SSL socket into non-blocking mode */ -+ rv = nss_set_nonblock(connssl, data); -+ if(rv) -+ return rv; - -- return curlerr; -+ return CURLE_OK; - } - - static ssize_t nss_send(struct connectdata *conn, /* connection data */ --- -1.7.1 - - -From f6c04350401c111f92f1428f80a28b66f6609cac Mon Sep 17 00:00:00 2001 -From: Kamil Dudka -Date: Thu, 17 Apr 2014 13:27:39 +0200 -Subject: [PATCH 2/3] nss: implement non-blocking SSL handshake - -[upstream commit 8868a226cdad66a9a07d6e3f168884817592a1df] - -Signed-off-by: Kamil Dudka ---- - lib/urldata.h | 1 + - lib/vtls/nss.c | 57 ++++++++++++++++++++++++++++++++++++++++++++++-------- - lib/vtls/nssg.h | 1 + - 3 files changed, 50 insertions(+), 9 deletions(-) - -diff --git a/lib/urldata.h b/lib/urldata.h -index 25f9676..d3bb350 100644 ---- a/lib/urldata.h -+++ b/lib/urldata.h -@@ -318,6 +318,7 @@ struct ssl_connect_data { - struct SessionHandle *data; - struct curl_llist *obj_list; - PK11GenericObject *obj_clicert; -+ ssl_connect_state connecting_state; - #endif /* USE_NSS */ - #ifdef USE_QSOSSL - SSLHandle *handle; -diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c -index 4f4e6c8..e076e54 100644 ---- a/lib/vtls/nss.c -+++ b/lib/vtls/nss.c -@@ -1611,7 +1611,10 @@ static CURLcode nss_do_connect(struct connectdata *conn, int sockindex) - /* Force the handshake now */ - timeout = PR_MillisecondsToInterval((PRUint32) time_left); - if(SSL_ForceHandshakeWithTimeout(connssl->handle, timeout) != SECSuccess) { -- if(conn->data->set.ssl.certverifyresult == SSL_ERROR_BAD_CERT_DOMAIN) -+ if(PR_GetError() == PR_WOULD_BLOCK_ERROR) -+ /* TODO: propagate the blocking direction from the NSPR layer */ -+ return CURLE_AGAIN; -+ else if(conn->data->set.ssl.certverifyresult == SSL_ERROR_BAD_CERT_DOMAIN) - curlerr = CURLE_PEER_FAILED_VERIFICATION; - else if(conn->data->set.ssl.certverifyresult!=0) - curlerr = CURLE_SSL_CACERT; -@@ -1649,32 +1652,68 @@ error: - return nss_fail_connect(connssl, data, 
curlerr); - } - --CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex) -+static CURLcode nss_connect_common(struct connectdata *conn, int sockindex, -+ bool *done) - { - struct ssl_connect_data *connssl = &conn->ssl[sockindex]; - struct SessionHandle *data = conn->data; -+ const bool blocking = (done == NULL); - CURLcode rv; - -- rv = nss_setup_connect(conn, sockindex); -- if(rv) -- return rv; -+ if(connssl->connecting_state == ssl_connect_1) { -+ rv = nss_setup_connect(conn, sockindex); -+ if(rv) -+ /* we do not expect CURLE_AGAIN from nss_setup_connect() */ -+ return rv; -+ -+ if(!blocking) { -+ /* in non-blocking mode, set NSS non-blocking mode before handshake */ -+ rv = nss_set_nonblock(connssl, data); -+ if(rv) -+ return rv; -+ } -+ -+ connssl->connecting_state = ssl_connect_2; -+ } - - rv = nss_do_connect(conn, sockindex); - switch(rv) { - case CURLE_OK: - break; -+ case CURLE_AGAIN: -+ if(!blocking) -+ /* CURLE_AGAIN in non-blocking mode is not an error */ -+ return CURLE_OK; -+ /* fall through */ - default: - return rv; - } - -- /* switch the SSL socket into non-blocking mode */ -- rv = nss_set_nonblock(connssl, data); -- if(rv) -- return rv; -+ if(blocking) { -+ /* in blocking mode, set NSS non-blocking mode _after_ SSL handshake */ -+ rv = nss_set_nonblock(connssl, data); -+ if(rv) -+ return rv; -+ } -+ else -+ /* signal completed SSL handshake */ -+ *done = TRUE; - -+ connssl->connecting_state = ssl_connect_done; - return CURLE_OK; - } - -+CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex) -+{ -+ return nss_connect_common(conn, sockindex, /* blocking */ NULL); -+} -+ -+CURLcode Curl_nss_connect_nonblocking(struct connectdata *conn, -+ int sockindex, bool *done) -+{ -+ return nss_connect_common(conn, sockindex, done); -+} -+ - static ssize_t nss_send(struct connectdata *conn, /* connection data */ - int sockindex, /* socketindex */ - const void *mem, /* send this data */ -diff --git a/lib/vtls/nssg.h b/lib/vtls/nssg.h -index 
38181a9..21e96ce 100644 ---- a/lib/vtls/nssg.h -+++ b/lib/vtls/nssg.h -@@ -68,6 +68,7 @@ void Curl_nss_md5sum(unsigned char *tmp, /* input */ - #define curlssl_init Curl_nss_init - #define curlssl_cleanup Curl_nss_cleanup - #define curlssl_connect Curl_nss_connect -+#define curlssl_connect_nonblocking Curl_nss_connect_nonblocking - - /* NSS has its own session ID cache */ - #define curlssl_session_free(x) Curl_nop_stmt --- -1.7.1 - - -From 9fb78efb737ea8c2a9f7c27ea501b1fcf6a90599 Mon Sep 17 00:00:00 2001 -From: Kamil Dudka -Date: Wed, 23 Apr 2014 15:37:26 +0200 -Subject: [PATCH 3/3] nss: propagate blocking direction from NSPR I/O - -... during the non-blocking SSL handshake - -[upstream commit 9c941e92c4bd3d2a5dbe243f7517b6a6029afc6e] - -Signed-off-by: Kamil Dudka ---- - lib/http.c | 2 +- - lib/vtls/nss.c | 108 +++++++++++++++++++++++++++++++++++++++++++++++++++++--- - 2 files changed, 104 insertions(+), 6 deletions(-) - -diff --git a/lib/http.c b/lib/http.c -index 4a29058..3f8a4c0 100644 ---- a/lib/http.c -+++ b/lib/http.c -@@ -1361,7 +1361,7 @@ static CURLcode https_connecting(struct connectdata *conn, bool *done) - #endif - - #if defined(USE_SSLEAY) || defined(USE_GNUTLS) || defined(USE_SCHANNEL) || \ -- defined(USE_DARWINSSL) || defined(USE_POLARSSL) -+ defined(USE_DARWINSSL) || defined(USE_POLARSSL) || defined(USE_NSS) - /* This function is for OpenSSL, GnuTLS, darwinssl, schannel and polarssl only. - It should be made to query the generic SSL layer instead. 
*/ - static int https_getsock(struct connectdata *conn, -diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c -index e076e54..3447f97 100644 ---- a/lib/vtls/nss.c -+++ b/lib/vtls/nss.c -@@ -180,6 +180,10 @@ static const cipher_s cipherlist[] = { - static const char* pem_library = "libnsspem.so"; - SECMODModule* mod = NULL; - -+/* NSPR I/O layer we use to detect blocking direction during SSL handshake */ -+static PRDescIdentity nspr_io_identity = PR_INVALID_IO_LAYER; -+static PRIOMethods nspr_io_methods; -+ - static const char* nss_error_to_name(PRErrorCode code) - { - const char *name = PR_ErrorToName(code); -@@ -940,6 +944,60 @@ isTLSIntoleranceError(PRInt32 err) - } - } - -+/* update blocking direction in case of PR_WOULD_BLOCK_ERROR */ -+static void nss_update_connecting_state(ssl_connect_state state, void *secret) -+{ -+ struct ssl_connect_data *connssl = (struct ssl_connect_data *)secret; -+ if(PR_GetError() != PR_WOULD_BLOCK_ERROR) -+ /* an unrelated error is passing by */ -+ return; -+ -+ switch(connssl->connecting_state) { -+ case ssl_connect_2: -+ case ssl_connect_2_reading: -+ case ssl_connect_2_writing: -+ break; -+ default: -+ /* we are not called from an SSL handshake */ -+ return; -+ } -+ -+ /* update the state accordingly */ -+ connssl->connecting_state = state; -+} -+ -+/* recv() wrapper we use to detect blocking direction during SSL handshake */ -+static PRInt32 nspr_io_recv(PRFileDesc *fd, void *buf, PRInt32 amount, -+ PRIntn flags, PRIntervalTime timeout) -+{ -+ const PRRecvFN recv_fn = fd->lower->methods->recv; -+ const PRInt32 rv = recv_fn(fd->lower, buf, amount, flags, timeout); -+ if(rv < 0) -+ /* check for PR_WOULD_BLOCK_ERROR and update blocking direction */ -+ nss_update_connecting_state(ssl_connect_2_reading, fd->secret); -+ return rv; -+} -+ -+/* send() wrapper we use to detect blocking direction during SSL handshake */ -+static PRInt32 nspr_io_send(PRFileDesc *fd, const void *buf, PRInt32 amount, -+ PRIntn flags, PRIntervalTime timeout) -+{ -+ 
const PRSendFN send_fn = fd->lower->methods->send; -+ const PRInt32 rv = send_fn(fd->lower, buf, amount, flags, timeout); -+ if(rv < 0) -+ /* check for PR_WOULD_BLOCK_ERROR and update blocking direction */ -+ nss_update_connecting_state(ssl_connect_2_writing, fd->secret); -+ return rv; -+} -+ -+/* close() wrapper to avoid assertion failure due to fd->secret != NULL */ -+static PRStatus nspr_io_close(PRFileDesc *fd) -+{ -+ const PRCloseFN close_fn = PR_GetDefaultIOMethods()->close; -+ fd->secret = NULL; -+ return close_fn(fd); -+} -+ - static CURLcode nss_init_core(struct SessionHandle *data, const char *cert_dir) - { - NSSInitParameters initparams; -@@ -1004,6 +1062,21 @@ static CURLcode nss_init(struct SessionHandle *data) - } - } - -+ if(nspr_io_identity == PR_INVALID_IO_LAYER) { -+ /* allocate an identity for our own NSPR I/O layer */ -+ nspr_io_identity = PR_GetUniqueIdentity("libcurl"); -+ if(nspr_io_identity == PR_INVALID_IO_LAYER) -+ return CURLE_OUT_OF_MEMORY; -+ -+ /* the default methods just call down to the lower I/O layer */ -+ memcpy(&nspr_io_methods, PR_GetDefaultIOMethods(), sizeof nspr_io_methods); -+ -+ /* override certain methods in the table by our wrappers */ -+ nspr_io_methods.recv = nspr_io_recv; -+ nspr_io_methods.send = nspr_io_send; -+ nspr_io_methods.close = nspr_io_close; -+ } -+ - rv = nss_init_core(data, cert_dir); - if(rv) - return rv; -@@ -1353,6 +1426,8 @@ static CURLcode nss_set_nonblock(struct ssl_connect_data *connssl, - static CURLcode nss_setup_connect(struct connectdata *conn, int sockindex) - { - PRFileDesc *model = NULL; -+ PRFileDesc *nspr_io = NULL; -+ PRFileDesc *nspr_io_stub = NULL; - PRBool ssl_no_cache; - PRBool ssl_cbc_random_iv; - struct SessionHandle *data = conn->data; -@@ -1525,11 +1600,34 @@ static CURLcode nss_setup_connect(struct connectdata *conn, int sockindex) - goto error; - } - -- /* Import our model socket onto the existing file descriptor */ -- connssl->handle = PR_ImportTCPSocket(sockfd); -- 
connssl->handle = SSL_ImportFD(model, connssl->handle); -- if(!connssl->handle) -+ /* wrap OS file descriptor by NSPR's file descriptor abstraction */ -+ nspr_io = PR_ImportTCPSocket(sockfd); -+ if(!nspr_io) -+ goto error; -+ -+ /* create our own NSPR I/O layer */ -+ nspr_io_stub = PR_CreateIOLayerStub(nspr_io_identity, &nspr_io_methods); -+ if(!nspr_io_stub) { -+ PR_Close(nspr_io); -+ goto error; -+ } -+ -+ /* make the per-connection data accessible from NSPR I/O callbacks */ -+ nspr_io_stub->secret = (void *)connssl; -+ -+ /* push our new layer to the NSPR I/O stack */ -+ if(PR_PushIOLayer(nspr_io, PR_TOP_IO_LAYER, nspr_io_stub) != PR_SUCCESS) { -+ PR_Close(nspr_io); -+ PR_Close(nspr_io_stub); - goto error; -+ } -+ -+ /* import our model socket onto the current I/O stack */ -+ connssl->handle = SSL_ImportFD(model, nspr_io); -+ if(!connssl->handle) { -+ PR_Close(nspr_io); -+ goto error; -+ } - - PR_Close(model); /* We don't need this any more */ - model = NULL; -@@ -1612,7 +1710,7 @@ static CURLcode nss_do_connect(struct connectdata *conn, int sockindex) - timeout = PR_MillisecondsToInterval((PRUint32) time_left); - if(SSL_ForceHandshakeWithTimeout(connssl->handle, timeout) != SECSuccess) { - if(PR_GetError() == PR_WOULD_BLOCK_ERROR) -- /* TODO: propagate the blocking direction from the NSPR layer */ -+ /* blocking direction is updated by nss_update_connecting_state() */ - return CURLE_AGAIN; - else if(conn->data->set.ssl.certverifyresult == SSL_ERROR_BAD_CERT_DOMAIN) - curlerr = CURLE_PEER_FAILED_VERIFICATION; --- -1.7.1 - diff --git a/0004-curl-7.36.0-ec5fde24.patch b/0004-curl-7.36.0-ec5fde24.patch deleted file mode 100644 index dabe230..0000000 --- a/0004-curl-7.36.0-ec5fde24.patch +++ /dev/null 
@@ -1,31 +0,0 @@ -From c6cecc7bd90e0e89308e8e5c6c590861c00db6f3 Mon Sep 17 00:00:00 2001 -From: Kamil Dudka -Date: Mon, 5 May 2014 14:49:30 +0200 -Subject: [PATCH] http: avoid auth failure on a duplicated header - -... 'WWW-Authenticate: Negotiate' received from server - -Reported by: David Woodhouse -Bug: https://bugzilla.redhat.com/1093348 - -[upstream commit ec5fde24de5ddd1910730f0cbac5e77820b26eb9] ---- - lib/http.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/lib/http.c b/lib/http.c -index 3f8a4c0..90b37d8 100644 ---- a/lib/http.c -+++ b/lib/http.c -@@ -752,7 +752,7 @@ CURLcode Curl_http_input_auth(struct connectdata *conn, bool proxy, - infof(data, "Authentication problem. Ignoring this.\n"); - data->state.authproblem = TRUE; - } -- else { -+ else if(data->state.negotiate.state == GSS_AUTHNONE) { - neg = Curl_input_negotiate(conn, proxy, auth); - if(neg == 0) { - DEBUGASSERT(!data->req.newurl); --- -1.8.3.1 - diff --git a/curl-7.36.0.tar.lzma.asc b/curl-7.36.0.tar.lzma.asc deleted file mode 100644 index 32220e2..0000000 --- a/curl-7.36.0.tar.lzma.asc +++ /dev/null @@ -1,7 +0,0 @@ ------BEGIN PGP SIGNATURE----- -Version: GnuPG v1 - -iEYEABECAAYFAlMyeZEACgkQeOEcayedXJFTpACfaOmp5/t6thzl/LLM4L6/AO70 -i5oAoJLzbaqGU31OhelQxcyrRX2gDubB -=++7u ------END PGP SIGNATURE----- diff --git a/curl-7.37.0.tar.lzma.asc b/curl-7.37.0.tar.lzma.asc new file mode 100644 index 0000000..7fa17d3 --- /dev/null +++ b/curl-7.37.0.tar.lzma.asc @@ -0,0 +1,7 @@ +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v1 + +iEYEABECAAYFAlN8QMkACgkQeOEcayedXJE24wCgr1aAWOegokq2WJQVLDIrW32n +je4AoPKSxcgo3RY8MW8SLPvmtGFSDVdz +=jHo4 +-----END PGP SIGNATURE----- diff --git a/curl.spec b/curl.spec index 18a2582..6ccf49e 100644 --- a/curl.spec +++ b/curl.spec 
@@ -1,24 +1,12 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 7.36.0 -Release: 4%{?dist} +Version: 7.37.0 +Release: 1%{?dist} License: MIT Group: Applications/Internet Source: http://curl.haxx.se/download/%{name}-%{version}.tar.lzma Source2: curlbuild.h -# adapt tests 815 and 816 such that they work with the fix for CVE-2014-0138 -Patch1: 0001-curl-7.36.0-f82e0edc.patch - -# extend URL parser to support IPv6 zone identifiers (#680996) -Patch2: 0002-curl-7.36.0-9317eced.patch - -# nss: implement non-blocking SSL handshake -Patch3: 0003-curl-7.36.0-8868a226.patch - -# auth failure on duplicated 'WWW-Authenticate: Negotiate' header (#1093348) -Patch4: 0004-curl-7.36.0-ec5fde24.patch - # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -131,10 +119,6 @@ documentation of the library, too. %setup -q # upstream patches -%patch1 -p1 -%patch2 -p1 -%patch3 -p1 -%patch4 -p1 # Fedora patches %patch101 -p1 @@ -256,6 +240,9 @@ rm -rf $RPM_BUILD_ROOT %{_datadir}/aclocal/libcurl.m4 %changelog +* Wed May 21 2014 Kamil Dudka 7.37.0-1 +- new upstream release + * Fri May 09 2014 Kamil Dudka 7.36.0-4 - auth failure on duplicated 'WWW-Authenticate: Negotiate' header (#1093348) diff --git a/sources b/sources index 6f8474a..7139084 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -291081121e604b04e0035bfdd736d196 curl-7.36.0.tar.lzma +54bfd1eb5214f604186d6f5ac61c7781 curl-7.37.0.tar.lzma
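Review bot: The changelog entry added in the last curl.spec hunk reads only `- new upstream release`, while the first hunk of the same file drops Patch1–Patch4 together with the comments that tied them to CVE-2014-0138, #680996 and #1093348, so nothing in the spec now records that 7.37.0 carries those fixes itself. Suggest extending the entry with a line such as `- drop patches 1-4, now upstream (CVE-2014-0138 test fix, #680996, #1093348)` so the bug references survive in the package history. Separately, curl-7.37.0.tar.lzma.asc is added to the repository alongside the new tarball digest in `sources`, but in the spec lines visible here there is no Source entry or %prep step that consumes the signature; if verification is done out of band before the `sources` digest is recorded, a one-line comment next to `Source:` saying so would make the trust chain for the plain-http download explicit to the next maintainer.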