From a16bdb8ecc60b76a243409443d718d2a667cd7d3 Mon Sep 17 00:00:00 2001
From: Kamil Dudka
Date: Wed, 18 Dec 2013 16:49:27 +0100
Subject: [PATCH] new upstream release - 7.34.0
---
 0001-curl-7.33.0-4d49ffe1.patch | 32 -
 0002-curl-7.33.0-86c64f3d.patch | 44 --
 0003-curl-7.33.0-f70b2c77.patch | 32 -
 0004-curl-7.33.0-7fc9325a.patch | 1178 -------------------------------
 0102-curl-7.32.0-debug.patch | 2 +-
 0103-curl-7.32.0-metalink.patch | 2 +-
 curl-7.33.0.tar.lzma.asc | 7 -
 curl-7.34.0.tar.lzma.asc | 7 +
 curl.spec | 23 +-
 sources | 2 +-
 10 files changed, 15 insertions(+), 1314 deletions(-)
 delete mode 100644 0001-curl-7.33.0-4d49ffe1.patch
 delete mode 100644 0002-curl-7.33.0-86c64f3d.patch
 delete mode 100644 0003-curl-7.33.0-f70b2c77.patch
 delete mode 100644 0004-curl-7.33.0-7fc9325a.patch
 delete mode 100644 curl-7.33.0.tar.lzma.asc
 create mode 100644 curl-7.34.0.tar.lzma.asc
diff --git a/0001-curl-7.33.0-4d49ffe1.patch b/0001-curl-7.33.0-4d49ffe1.patch
deleted file mode 100644
index d7f7ff8..0000000
--- a/0001-curl-7.33.0-4d49ffe1.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From 2a9dd8d2e6d013c1c2ed7f5e12b4bcc89cc8f3bb Mon Sep 17 00:00:00 2001
-From: Steve Holme
-Date: Tue, 15 Oct 2013 21:31:14 +0100
-Subject: [PATCH] test906: Fixed failing test on some platforms
-
-Bug: http://sourceforge.net/p/curl/bugs/1291
-Reported-by: David Walser
-
-[upstream commit 4d49ffe165a51d45cef79bf81cb867dbcf06b092]
-
-Signed-off-by: Kamil Dudka
----
- tests/data/test906 | 3 +++
- 1 files changed, 3 insertions(+), 0 deletions(-)
-
-diff --git a/tests/data/test906 b/tests/data/test906
-index 5072e90..6cf6bed 100644
---- a/tests/data/test906
-+++ b/tests/data/test906
-@@ -41,6 +41,9 @@ mail body
-
- smtp://%HOSTIP:%SMTPPORT/906 --mail-rcpt recipient@example.com --mail-from sender@example.com -u testuser:testpass -T -
-
-+
-+chkhostname curlhost
-+
-
-
- #
---
-1.7.1
-
diff --git a/0002-curl-7.33.0-86c64f3d.patch b/0002-curl-7.33.0-86c64f3d.patch
deleted file mode 100644
index b664333..0000000
--- a/0002-curl-7.33.0-86c64f3d.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-From 8002bea97bdea4fcade466de2b88172ba03d5259 Mon Sep 17 00:00:00 2001
-From: Kamil Dudka
-Date: Fri, 18 Oct 2013 15:37:18 +0200
-Subject: [PATCH] curl_sasl: initialize NSS before using crypto
-
-[upstream commit 86c64f3daf0079e96f4694b10fe1bc53944110fc]
----
- lib/curl_sasl.c | 13 ++++++++++++-
- 1 files changed, 12 insertions(+), 1 deletions(-)
-
-diff --git a/lib/curl_sasl.c b/lib/curl_sasl.c
-index b3ffc66..9a0bc0f 100644
---- a/lib/curl_sasl.c
-+++ b/lib/curl_sasl.c
-@@ -40,6 +40,10 @@
- #include "warnless.h"
- #include "curl_memory.h"
-
-+#ifdef USE_NSS
-+#include "nssg.h" /* for Curl_nss_force_init() */
-+#endif
-+
- #define _MPRINTF_REPLACE /* use our functions only */
- #include
-
-@@ -468,7 +472,14 @@ CURLcode Curl_sasl_create_ntlm_type3_message(struct SessionHandle *data,
- struct ntlmdata *ntlm,
- char **outptr, size_t *outlen)
- {
-- CURLcode result = Curl_ntlm_decode_type2_message(data, header, ntlm);
-+ CURLcode result;
-+#ifdef USE_NSS
-+ /* make sure the crypto backend is initialized */
-+ result = Curl_nss_force_init(data);
-+ if(result)
-+ return result;
-+#endif
-+ result = Curl_ntlm_decode_type2_message(data, header, ntlm);
-
- if(!result)
- result = Curl_ntlm_create_type3_message(data, userp, passwdp, ntlm,
---
-1.7.1
-
diff --git a/0003-curl-7.33.0-f70b2c77.patch b/0003-curl-7.33.0-f70b2c77.patch
deleted file mode 100644
index 23edadd..0000000
--- a/0003-curl-7.33.0-f70b2c77.patch
+++ /dev/null
@@ -1,32 +0,0 @@
-From 06c74b11fa976246307fbcbd36f71f59f2beaa6f Mon Sep 17 00:00:00 2001
-From: Kamil Dudka
-Date: Mon, 21 Oct 2013 18:47:54 +0200
-Subject: [PATCH] ssh: initialize per-handle data in ssh_connect()
-
-... if not already initialized. This fixes a regression introduced by
-commit 4ad8e142da463ab208d5b5565e53291c8e5ef038, which caused test619
-to intermittently fail on certain machines (namely Fedora build hosts).
-
-[upstream commit f70b2c77f4889316acb75d41e97a7f28c9a6a995]
----
- lib/ssh.c | 4 ++++
- 1 files changed, 4 insertions(+), 0 deletions(-)
-
-diff --git a/lib/ssh.c b/lib/ssh.c
-index 79f58bb..e8b8b7c 100644
---- a/lib/ssh.c
-+++ b/lib/ssh.c
-@@ -2719,6 +2719,10 @@ static CURLcode ssh_connect(struct connectdata *conn, bool *done)
- CURLcode result;
- struct SessionHandle *data = conn->data;
-
-+ /* initialize per-handle data if not already */
-+ if(!data->req.protop)
-+ ssh_setup_connection(conn);
-+
- /* We default to persistent connections. We set this already in this connect
- function to make the re-use checks properly be able to check this bit. */
- conn->bits.close = FALSE;
---
-1.7.1
-
diff --git a/0004-curl-7.33.0-7fc9325a.patch b/0004-curl-7.33.0-7fc9325a.patch
deleted file mode 100644
index 70c1c57..0000000
--- a/0004-curl-7.33.0-7fc9325a.patch
+++ /dev/null
@@ -1,1178 +0,0 @@ -From 1763d30fc3febc79da0e2e6fb2d608b46fc2d6c3 Mon Sep 17 00:00:00 2001 -From: Gergely Nagy -Date: Thu, 19 Sep 2013 15:17:13 +0200 -Subject: [PATCH 1/9] SSL: protocol version can be specified more precisely - -CURL_SSLVERSION_TLSv1_0, CURL_SSLVERSION_TLSv1_1, -CURL_SSLVERSION_TLSv1_2 enum values are added to force exact TLS version -(CURL_SSLVERSION_TLSv1 means TLS 1.x). - -axTLS: -axTLS only supports TLS 1.0 and 1.1 but it cannot be set that only one -of these should be used, so we don't allow the new enum values. - -darwinssl: -Added support for the new enum values. - -SChannel: -Added support for the new enum values. - -CyaSSL: -Added support for the new enum values. -Bug: The original CURL_SSLVERSION_TLSv1 value enables only TLS 1.0 (it -did the same before this commit), because CyaSSL cannot be configured to -use TLS 1.0-1.2. - -GSKit: -GSKit doesn't seem to support TLS 1.1 and TLS 1.2, so we do not allow -those values. -Bugfix: There was a typo that caused wrong SSL versions to be passed to -GSKit. - -NSS: -TLS minor version cannot be set, so we don't allow the new enum values. - -QsoSSL: -TLS minor version cannot be set, so we don't allow the new enum values. - -OpenSSL: -Added support for the new enum values. -Bugfix: The original CURL_SSLVERSION_TLSv1 value enabled only TLS 1.0, -now it enables 1.0-1.2. - -Command-line tool: -Added command line options for the new values. 
- -[upstream commit ad34a2d5c87c7f4b14e8dded34569395de0d8c5b] ---- - docs/libcurl/curl_easy_setopt.3 | 8 +++++- - docs/libcurl/symbols-in-versions | 3 ++ - include/curl/curl.h | 5 +++- - lib/axtls.c | 3 +- - lib/curl_darwinssl.c | 34 +++++++++++++++++++++++++ - lib/curl_schannel.c | 9 ++++++ - lib/cyassl.c | 13 +++++++++- - lib/gskit.c | 11 +++++++- - lib/nss.c | 6 ++++ - lib/qssl.c | 6 ++++ - lib/ssluse.c | 51 +++++++++++++++++++++++++++---------- - packages/OS400/curl.inc.in | 6 ++++ - src/tool_getparam.c | 25 ++++++++++++++++-- - src/tool_setopt.c | 3 ++ - 14 files changed, 161 insertions(+), 22 deletions(-) - -diff --git a/docs/libcurl/curl_easy_setopt.3 b/docs/libcurl/curl_easy_setopt.3 -index 6c92883..77fc550 100644 ---- a/docs/libcurl/curl_easy_setopt.3 -+++ b/docs/libcurl/curl_easy_setopt.3 -@@ -2417,11 +2417,17 @@ The default action. This will attempt to figure out the remote SSL protocol - version, i.e. either SSLv3 or TLSv1 (but not SSLv2, which became disabled - by default with 7.18.1). - .IP CURL_SSLVERSION_TLSv1 --Force TLSv1 -+Force TLSv1.x - .IP CURL_SSLVERSION_SSLv2 - Force SSLv2 - .IP CURL_SSLVERSION_SSLv3 - Force SSLv3 -+.IP CURL_SSLVERSION_TLSv1_0 -+Force TLSv1.0 -+.IP CURL_SSLVERSION_TLSv1_1 -+Force TLSv1.1 -+.IP CURL_SSLVERSION_TLSv1_2 -+Force TLSv1.2 - .RE - .IP CURLOPT_SSL_VERIFYPEER - Pass a long as parameter. By default, curl assumes a value of 1. 
-diff --git a/docs/libcurl/symbols-in-versions b/docs/libcurl/symbols-in-versions -index 7c362cd..35b0878 100644 ---- a/docs/libcurl/symbols-in-versions -+++ b/docs/libcurl/symbols-in-versions -@@ -695,6 +695,9 @@ CURL_SSLVERSION_DEFAULT 7.9.2 - CURL_SSLVERSION_SSLv2 7.9.2 - CURL_SSLVERSION_SSLv3 7.9.2 - CURL_SSLVERSION_TLSv1 7.9.2 -+CURL_SSLVERSION_TLSv1_0 7.33.0 -+CURL_SSLVERSION_TLSv1_1 7.33.0 -+CURL_SSLVERSION_TLSv1_2 7.33.0 - CURL_TIMECOND_IFMODSINCE 7.9.7 - CURL_TIMECOND_IFUNMODSINCE 7.9.7 - CURL_TIMECOND_LASTMOD 7.9.7 -diff --git a/include/curl/curl.h b/include/curl/curl.h -index 4e09cf7..e3c6bf2 100644 ---- a/include/curl/curl.h -+++ b/include/curl/curl.h -@@ -1659,9 +1659,12 @@ enum CURL_NETRC_OPTION { - - enum { - CURL_SSLVERSION_DEFAULT, -- CURL_SSLVERSION_TLSv1, -+ CURL_SSLVERSION_TLSv1, /* TLS 1.x */ - CURL_SSLVERSION_SSLv2, - CURL_SSLVERSION_SSLv3, -+ CURL_SSLVERSION_TLSv1_0, -+ CURL_SSLVERSION_TLSv1_1, -+ CURL_SSLVERSION_TLSv1_2, - - CURL_SSLVERSION_LAST /* never use, keep last */ - }; -diff --git a/lib/axtls.c b/lib/axtls.c -index 44e6b93..8c92588 100644 ---- a/lib/axtls.c -+++ b/lib/axtls.c -@@ -164,7 +164,8 @@ static CURLcode connect_prep(struct connectdata *conn, int sockindex) - case CURL_SSLVERSION_TLSv1: - break; - default: -- failf(data, "axTLS only supports TLSv1"); -+ failf(data, "axTLS only supports TLS 1.0 and 1.1, " -+ "and it cannot be specified which one to use"); - return CURLE_SSL_CONNECT_ERROR; - } - -diff --git a/lib/curl_darwinssl.c b/lib/curl_darwinssl.c -index 43fe053..4406d0e 100644 ---- a/lib/curl_darwinssl.c -+++ b/lib/curl_darwinssl.c -@@ -1056,6 +1056,18 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn, - (void)SSLSetProtocolVersionMin(connssl->ssl_ctx, kTLSProtocol1); - (void)SSLSetProtocolVersionMax(connssl->ssl_ctx, kTLSProtocol12); - break; -+ case CURL_SSLVERSION_TLSv1_0: -+ (void)SSLSetProtocolVersionMin(connssl->ssl_ctx, kTLSProtocol1); -+ (void)SSLSetProtocolVersionMax(connssl->ssl_ctx, 
kTLSProtocol1); -+ break; -+ case CURL_SSLVERSION_TLSv1_1: -+ (void)SSLSetProtocolVersionMin(connssl->ssl_ctx, kTLSProtocol11); -+ (void)SSLSetProtocolVersionMax(connssl->ssl_ctx, kTLSProtocol11); -+ break; -+ case CURL_SSLVERSION_TLSv1_2: -+ (void)SSLSetProtocolVersionMin(connssl->ssl_ctx, kTLSProtocol12); -+ (void)SSLSetProtocolVersionMax(connssl->ssl_ctx, kTLSProtocol12); -+ break; - case CURL_SSLVERSION_SSLv3: - (void)SSLSetProtocolVersionMin(connssl->ssl_ctx, kSSLProtocol3); - (void)SSLSetProtocolVersionMax(connssl->ssl_ctx, kSSLProtocol3); -@@ -1100,6 +1112,21 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn, - kTLSProtocol12, - true); - break; -+ case CURL_SSLVERSION_TLSv1_0: -+ (void)SSLSetProtocolVersionEnabled(connssl->ssl_ctx, -+ kTLSProtocol1, -+ true); -+ break; -+ case CURL_SSLVERSION_TLSv1_1: -+ (void)SSLSetProtocolVersionEnabled(connssl->ssl_ctx, -+ kTLSProtocol11, -+ true); -+ break; -+ case CURL_SSLVERSION_TLSv1_2: -+ (void)SSLSetProtocolVersionEnabled(connssl->ssl_ctx, -+ kTLSProtocol12, -+ true); -+ break; - case CURL_SSLVERSION_SSLv3: - (void)SSLSetProtocolVersionEnabled(connssl->ssl_ctx, - kSSLProtocol3, -@@ -1130,10 +1157,17 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn, - true); - break; - case CURL_SSLVERSION_TLSv1: -+ case CURL_SSLVERSION_TLSv1_0: - (void)SSLSetProtocolVersionEnabled(connssl->ssl_ctx, - kTLSProtocol1, - true); - break; -+ case CURL_SSLVERSION_TLSv1_1: -+ failf(data, "Your version of the OS does not support TLSv1.1"); -+ return CURLE_SSL_CONNECT_ERROR; -+ case CURL_SSLVERSION_TLSv1_2: -+ failf(data, "Your version of the OS does not support TLSv1.2"); -+ return CURLE_SSL_CONNECT_ERROR; - case CURL_SSLVERSION_SSLv2: - err = SSLSetProtocolVersionEnabled(connssl->ssl_ctx, - kSSLProtocol2, -diff --git a/lib/curl_schannel.c b/lib/curl_schannel.c -index 68139db..9a16527 100644 ---- a/lib/curl_schannel.c -+++ b/lib/curl_schannel.c -@@ -180,6 +180,15 @@ schannel_connect_step1(struct 
connectdata *conn, int sockindex) - SP_PROT_TLS1_1_CLIENT | - SP_PROT_TLS1_2_CLIENT; - break; -+ case CURL_SSLVERSION_TLSv1_0: -+ schannel_cred.grbitEnabledProtocols = SP_PROT_TLS1_0_CLIENT; -+ break; -+ case CURL_SSLVERSION_TLSv1_1: -+ schannel_cred.grbitEnabledProtocols = SP_PROT_TLS1_1_CLIENT; -+ break; -+ case CURL_SSLVERSION_TLSv1_2: -+ schannel_cred.grbitEnabledProtocols = SP_PROT_TLS1_2_CLIENT; -+ break; - case CURL_SSLVERSION_SSLv3: - schannel_cred.grbitEnabledProtocols = SP_PROT_SSL3_CLIENT; - break; -diff --git a/lib/cyassl.c b/lib/cyassl.c -index 7c78464..ff11bdd 100644 ---- a/lib/cyassl.c -+++ b/lib/cyassl.c -@@ -5,7 +5,7 @@ - * | (__| |_| | _ <| |___ - * \___|\___/|_| \_\_____| - * -- * Copyright (C) 1998 - 2012, Daniel Stenberg, , et al. -+ * Copyright (C) 1998 - 2013, Daniel Stenberg, , et al. - * - * This software is licensed as described in the file COPYING, which - * you should have received as part of this distribution. The terms -@@ -98,8 +98,19 @@ cyassl_connect_step1(struct connectdata *conn, - req_method = SSLv23_client_method(); - break; - case CURL_SSLVERSION_TLSv1: -+ infof(data, "CyaSSL cannot be configured to use TLS 1.0-1.2, " -+ "TLS 1.0 is used exclusively\n"); - req_method = TLSv1_client_method(); - break; -+ case CURL_SSLVERSION_TLSv1_0: -+ req_method = TLSv1_client_method(); -+ break; -+ case CURL_SSLVERSION_TLSv1_1: -+ req_method = TLSv1_1_client_method(); -+ break; -+ case CURL_SSLVERSION_TLSv1_2: -+ req_method = TLSv1_2_client_method(); -+ break; - case CURL_SSLVERSION_SSLv3: - req_method = SSLv3_client_method(); - break; -diff --git a/lib/gskit.c b/lib/gskit.c -index 5cda85b..187c58d 100644 ---- a/lib/gskit.c -+++ b/lib/gskit.c -@@ -503,8 +503,17 @@ static CURLcode gskit_connect_step1(struct connectdata * conn, int sockindex) - sni = (char *) NULL; - break; - case CURL_SSLVERSION_TLSv1: -+ case CURL_SSLVERSION_TLSv1_0: - tlsv1enable = true; - break; -+ case CURL_SSLVERSION_TLSv1_1: -+ failf(data, "GSKit doesn't support TLS 
1.1!"); -+ cc = CURLE_SSL_CONNECT_ERROR; -+ break; -+ case CURL_SSLVERSION_TLSv1_2: -+ failf(data, "GSKit doesn't support TLS 1.2!"); -+ cc = CURLE_SSL_CONNECT_ERROR; -+ break; - default: /* CURL_SSLVERSION_DEFAULT. */ - sslv3enable = true; - tlsv1enable = true; -@@ -555,7 +564,7 @@ static CURLcode gskit_connect_step1(struct connectdata * conn, int sockindex) - GSK_PROTOCOL_SSLV3_OFF); - if(cc == CURLE_OK) - cc = set_enum(data, connssl->handle, GSK_PROTOCOL_TLSV1, -- sslv3enable? GSK_PROTOCOL_TLSV1_ON: -+ tlsv1enable? GSK_PROTOCOL_TLSV1_ON: - GSK_PROTOCOL_TLSV1_OFF); - if(cc == CURLE_OK) - cc = set_enum(data, connssl->handle, GSK_SERVER_AUTH_TYPE, -diff --git a/lib/nss.c b/lib/nss.c -index 2d4bf9e..34dfbb1 100644 ---- a/lib/nss.c -+++ b/lib/nss.c -@@ -1267,6 +1267,12 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex) - case CURL_SSLVERSION_SSLv3: - ssl3 = PR_TRUE; - break; -+ case CURL_SSLVERSION_TLSv1_0: -+ case CURL_SSLVERSION_TLSv1_1: -+ case CURL_SSLVERSION_TLSv1_2: -+ failf(data, "TLS minor version cannot be set\n"); -+ curlerr = CURLE_SSL_CONNECT_ERROR; -+ goto error; - } - - if(SSL_OptionSet(model, SSL_ENABLE_SSL2, ssl2) != SECSuccess) -diff --git a/lib/qssl.c b/lib/qssl.c -index b8a8dae..42bf890 100644 ---- a/lib/qssl.c -+++ b/lib/qssl.c -@@ -204,6 +204,12 @@ static CURLcode Curl_qsossl_handshake(struct connectdata * conn, int sockindex) - case CURL_SSLVERSION_SSLv3: - h->protocol = SSL_VERSION_3; - break; -+ -+ case CURL_SSLVERSION_TLSv1_0: -+ case CURL_SSLVERSION_TLSv1_1: -+ case CURL_SSLVERSION_TLSv1_2: -+ failf(data, "TLS minor version cannot be set"); -+ return CURLE_SSL_CONNECT_ERROR; - } - - h->peerCert = NULL; -diff --git a/lib/ssluse.c b/lib/ssluse.c -index c747420..84fd737 100644 ---- a/lib/ssluse.c -+++ b/lib/ssluse.c -@@ -1431,19 +1431,12 @@ ossl_connect_step1(struct connectdata *conn, - switch(data->set.ssl.version) { - default: - case CURL_SSLVERSION_DEFAULT: --#ifdef USE_TLS_SRP -- if(data->set.ssl.authtype == 
CURL_TLSAUTH_SRP) { -- infof(data, "Set version TLSv1 for SRP authorisation\n"); -- req_method = TLSv1_client_method() ; -- } -- else --#endif -- /* we try to figure out version */ -- req_method = SSLv23_client_method(); -- use_sni(TRUE); -- break; - case CURL_SSLVERSION_TLSv1: -- req_method = TLSv1_client_method(); -+ case CURL_SSLVERSION_TLSv1_0: -+ case CURL_SSLVERSION_TLSv1_1: -+ case CURL_SSLVERSION_TLSv1_2: -+ /* it will be handled later with the context options */ -+ req_method = SSLv23_client_method(); - use_sni(TRUE); - break; - case CURL_SSLVERSION_SSLv2: -@@ -1556,9 +1549,39 @@ ossl_connect_step1(struct connectdata *conn, - ctx_options &= ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS; - #endif - -- /* disable SSLv2 in the default case (i.e. allow SSLv3 and TLSv1) */ -- if(data->set.ssl.version == CURL_SSLVERSION_DEFAULT) -+ switch(data->set.ssl.version) { -+ case CURL_SSLVERSION_DEFAULT: -+ ctx_options |= SSL_OP_NO_SSLv2; -+#ifdef USE_TLS_SRP -+ if(data->set.ssl.authtype == CURL_TLSAUTH_SRP) { -+ infof(data, "Set version TLSv1.x for SRP authorisation\n"); -+ ctx_options |= SSL_OP_NO_SSLv3; -+ } -+#endif -+ break; -+ case CURL_SSLVERSION_TLSv1: -+ ctx_options |= SSL_OP_NO_SSLv2; -+ ctx_options |= SSL_OP_NO_SSLv3; -+ break; -+ case CURL_SSLVERSION_TLSv1_0: - ctx_options |= SSL_OP_NO_SSLv2; -+ ctx_options |= SSL_OP_NO_SSLv3; -+ ctx_options |= SSL_OP_NO_TLSv1_1; -+ ctx_options |= SSL_OP_NO_TLSv1_2; -+ break; -+ case CURL_SSLVERSION_TLSv1_1: -+ ctx_options |= SSL_OP_NO_SSLv2; -+ ctx_options |= SSL_OP_NO_SSLv3; -+ ctx_options |= SSL_OP_NO_TLSv1; -+ ctx_options |= SSL_OP_NO_TLSv1_2; -+ break; -+ case CURL_SSLVERSION_TLSv1_2: -+ ctx_options |= SSL_OP_NO_SSLv2; -+ ctx_options |= SSL_OP_NO_SSLv3; -+ ctx_options |= SSL_OP_NO_TLSv1; -+ ctx_options |= SSL_OP_NO_TLSv1_1; -+ break; -+ } - - SSL_CTX_set_options(connssl->ctx, ctx_options); - -diff --git a/packages/OS400/curl.inc.in b/packages/OS400/curl.inc.in -index 1015843..b14d84f 100644 ---- a/packages/OS400/curl.inc.in -+++ 
b/packages/OS400/curl.inc.in -@@ -228,6 +228,12 @@ - d c 2 - d CURL_SSLVERSION_SSLv3... - d c 3 -+ d CURL_SSLVERSION_TLSv1_0... -+ d c 4 -+ d CURL_SSLVERSION_TLSv1_1... -+ d c 5 -+ d CURL_SSLVERSION_TLSv1_2... -+ d c 6 - * - d CURL_TLSAUTH_NONE... - d c 0 -diff --git a/src/tool_getparam.c b/src/tool_getparam.c -index 6a405ff..d0feb71 100644 ---- a/src/tool_getparam.c -+++ b/src/tool_getparam.c -@@ -184,6 +184,9 @@ static const struct LongShort aliases[]= { - {"01", "http1.1", FALSE}, - {"02", "http2.0", FALSE}, - {"1", "tlsv1", FALSE}, -+ {"10", "tlsv1.0", FALSE}, -+ {"11", "tlsv1.1", FALSE}, -+ {"12", "tlsv1.2", FALSE}, - {"2", "sslv2", FALSE}, - {"3", "sslv3", FALSE}, - {"4", "ipv4", FALSE}, -@@ -1023,9 +1026,25 @@ ParameterError getparameter(char *flag, /* f or -long-flag */ - break; - } - break; -- case '1': -- /* TLS version 1 */ -- config->ssl_version = CURL_SSLVERSION_TLSv1; -+ case '1': /* --tlsv1* options */ -+ switch(subletter) { -+ case '\0': -+ /* TLS version 1.x */ -+ config->ssl_version = CURL_SSLVERSION_TLSv1; -+ break; -+ case '0': -+ /* TLS version 1.0 */ -+ config->ssl_version = CURL_SSLVERSION_TLSv1_0; -+ break; -+ case '1': -+ /* TLS version 1.1 */ -+ config->ssl_version = CURL_SSLVERSION_TLSv1_1; -+ break; -+ case '2': -+ /* TLS version 1.2 */ -+ config->ssl_version = CURL_SSLVERSION_TLSv1_2; -+ break; -+ } - break; - case '2': - /* SSL version 2 */ -diff --git a/src/tool_setopt.c b/src/tool_setopt.c -index cb93e11..f29bcd6 100644 ---- a/src/tool_setopt.c -+++ b/src/tool_setopt.c -@@ -78,6 +78,9 @@ const NameValue setopt_nv_CURL_SSLVERSION[] = { - NV(CURL_SSLVERSION_TLSv1), - NV(CURL_SSLVERSION_SSLv2), - NV(CURL_SSLVERSION_SSLv3), -+ NV(CURL_SSLVERSION_TLSv1_0), -+ NV(CURL_SSLVERSION_TLSv1_1), -+ NV(CURL_SSLVERSION_TLSv1_2), - NVEND, - }; - --- -1.7.1 - - -From 5c27a05f194b204831e540509768f93777191b01 Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Tue, 15 Oct 2013 20:31:04 +0200 -Subject: [PATCH 2/9] curl: document the new --tlsv1.[012] 
options - -[upstream commit 076726f1412205622414abd908723c4b33ca12cb] ---- - docs/curl.1 | 20 ++++++++++++++++---- - 1 files changed, 16 insertions(+), 4 deletions(-) - -diff --git a/docs/curl.1 b/docs/curl.1 -index 30ef4cc..fe18459 100644 ---- a/docs/curl.1 -+++ b/docs/curl.1 -@@ -1498,14 +1498,26 @@ Set TLS authentication type. Currently, the only supported option is "SRP", - for TLS-SRP (RFC 5054). If \fI--tlsuser\fP and \fI--tlspassword\fP are - specified but \fI--tlsauthtype\fP is not, then this option defaults to "SRP". - (Added in 7.21.4) --.IP "--tlsuser " --Set username for use with the TLS authentication method specified with --\fI--tlsauthtype\fP. Requires that \fI--tlspassword\fP also be set. (Added in --7.21.4) - .IP "--tlspassword " - Set password for use with the TLS authentication method specified with - \fI--tlsauthtype\fP. Requires that \fI--tlsuser\fP also be set. (Added in - 7.21.4) -+.IP "--tlsuser " -+Set username for use with the TLS authentication method specified with -+\fI--tlsauthtype\fP. Requires that \fI--tlspassword\fP also be set. (Added in -+7.21.4) -+.IP "--tlsv1.0" -+(SSL) -+Forces curl to use TLS version 1.0 when negotiating with a remote TLS server. -+(Added in 7.34.0) -+.IP "--tlsv1.1" -+(SSL) -+Forces curl to use TLS version 1.1 when negotiating with a remote TLS server. -+(Added in 7.34.0) -+.IP "--tlsv1.2" -+(SSL) -+Forces curl to use TLS version 1.2 when negotiating with a remote TLS server. -+(Added in 7.34.0) - .IP "--tr-encoding" - (HTTP) Request a compressed Transfer-Encoding response using one of the - algorithms curl supports, and uncompress the data while receiving it. 
--- -1.7.1 - - -From 2ee1df2a787f2e692a7ebe6aae00eaa1e1cca77b Mon Sep 17 00:00:00 2001 -From: Steve Holme -Date: Wed, 16 Oct 2013 20:06:23 +0100 -Subject: [PATCH 3/9] SSL: Corrected version number for new symbols from commit ad34a2d5c87c7f - -[upstream commit 2c84ffe1549ea7d5029ba7863f53013562e6758d] ---- - docs/libcurl/symbols-in-versions | 6 +++--- - 1 files changed, 3 insertions(+), 3 deletions(-) - -diff --git a/docs/libcurl/symbols-in-versions b/docs/libcurl/symbols-in-versions -index 35b0878..ac679d9 100644 ---- a/docs/libcurl/symbols-in-versions -+++ b/docs/libcurl/symbols-in-versions -@@ -695,9 +695,9 @@ CURL_SSLVERSION_DEFAULT 7.9.2 - CURL_SSLVERSION_SSLv2 7.9.2 - CURL_SSLVERSION_SSLv3 7.9.2 - CURL_SSLVERSION_TLSv1 7.9.2 --CURL_SSLVERSION_TLSv1_0 7.33.0 --CURL_SSLVERSION_TLSv1_1 7.33.0 --CURL_SSLVERSION_TLSv1_2 7.33.0 -+CURL_SSLVERSION_TLSv1_0 7.34.0 -+CURL_SSLVERSION_TLSv1_1 7.34.0 -+CURL_SSLVERSION_TLSv1_2 7.34.0 - CURL_TIMECOND_IFMODSINCE 7.9.7 - CURL_TIMECOND_IFUNMODSINCE 7.9.7 - CURL_TIMECOND_LASTMOD 7.9.7 --- -1.7.1 - - -From fc6fd8049270e78db67af9bb47fb6fc506fd851a Mon Sep 17 00:00:00 2001 -From: Steve Holme -Date: Wed, 16 Oct 2013 20:18:15 +0100 -Subject: [PATCH 4/9] DOCS: Added libcurl version number to CURLOPT_SSLVERSION - -[upstream commit 75b9b26465d5f01b52564293c2d553649f801f70] ---- - docs/libcurl/curl_easy_setopt.3 | 8 +++++--- - 1 files changed, 5 insertions(+), 3 deletions(-) - -diff --git a/docs/libcurl/curl_easy_setopt.3 b/docs/libcurl/curl_easy_setopt.3 -index 77fc550..b9d834b 100644 ---- a/docs/libcurl/curl_easy_setopt.3 -+++ b/docs/libcurl/curl_easy_setopt.3 -@@ -2410,6 +2410,8 @@ Even though this option doesn't need any parameter, in some configurations - arguments. Therefore, it's recommended to pass 1 as parameter to this option. - .IP CURLOPT_SSLVERSION - Pass a long as parameter to control what version of SSL/TLS to attempt to use. 
-+(Added in 7.9.2) -+ - The available options are: - .RS - .IP CURL_SSLVERSION_DEFAULT -@@ -2423,11 +2425,11 @@ Force SSLv2 - .IP CURL_SSLVERSION_SSLv3 - Force SSLv3 - .IP CURL_SSLVERSION_TLSv1_0 --Force TLSv1.0 -+Force TLSv1.0 (Added in 7.34.0) - .IP CURL_SSLVERSION_TLSv1_1 --Force TLSv1.1 -+Force TLSv1.1 (Added in 7.34.0) - .IP CURL_SSLVERSION_TLSv1_2 --Force TLSv1.2 -+Force TLSv1.2 (Added in 7.34.0) - .RE - .IP CURLOPT_SSL_VERIFYPEER - Pass a long as parameter. By default, curl assumes a value of 1. --- -1.7.1 - - -From 97d4a2d8c479bb97631ba3f115840d97f51501a6 Mon Sep 17 00:00:00 2001 -From: Kamil Dudka -Date: Mon, 25 Nov 2013 16:03:52 +0100 -Subject: [PATCH 5/9] nss: use a better API for controlling SSL version - -This change introduces a dependency on NSS 3.14+. - -[upstream commit 30e7e7552ba4397896ecac82ea04f38d52c4cc8f] ---- - configure | 20 ++++++++++---------- - configure.ac | 4 ++-- - docs/INTERNALS | 2 +- - lib/nss.c | 40 +++++++++++++++++++--------------------- - 4 files changed, 32 insertions(+), 34 deletions(-) - -diff --git a/configure b/configure -index f00d6fb..91f305f 100755 ---- a/configure -+++ b/configure -@@ -23598,9 +23598,9 @@ $as_echo "found" >&6; } - CPPFLAGS="$CPPFLAGS $addcflags" - fi - -- { $as_echo "$as_me:${as_lineno-$LINENO}: checking for PK11_CreateGenericObject in -lnss3" >&5 --$as_echo_n "checking for PK11_CreateGenericObject in -lnss3... " >&6; } --if ${ac_cv_lib_nss3_PK11_CreateGenericObject+:} false; then : -+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for SSL_VersionRangeSet in -lnss3" >&5 -+$as_echo_n "checking for SSL_VersionRangeSet in -lnss3... 
" >&6; } -+if ${ac_cv_lib_nss3_SSL_VersionRangeSet+:} false; then : - $as_echo_n "(cached) " >&6 - else - ac_check_lib_save_LIBS=$LIBS -@@ -23612,26 +23612,26 @@ cat confdefs.h - <<_ACEOF >conftest.$ac_ext - #ifdef __cplusplus - extern "C" - #endif --char PK11_CreateGenericObject (); -+char SSL_VersionRangeSet (); - int main (void) - { --return PK11_CreateGenericObject (); -+return SSL_VersionRangeSet (); - ; - return 0; - } - _ACEOF - if ac_fn_c_try_link "$LINENO"; then : -- ac_cv_lib_nss3_PK11_CreateGenericObject=yes -+ ac_cv_lib_nss3_SSL_VersionRangeSet=yes - else -- ac_cv_lib_nss3_PK11_CreateGenericObject=no -+ ac_cv_lib_nss3_SSL_VersionRangeSet=no - fi - rm -f core conftest.err conftest.$ac_objext \ - conftest$ac_exeext conftest.$ac_ext - LIBS=$ac_check_lib_save_LIBS - fi --{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_nss3_PK11_CreateGenericObject" >&5 --$as_echo "$ac_cv_lib_nss3_PK11_CreateGenericObject" >&6; } --if test "x$ac_cv_lib_nss3_PK11_CreateGenericObject" = xyes; then : -+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_nss3_SSL_VersionRangeSet" >&5 -+$as_echo "$ac_cv_lib_nss3_SSL_VersionRangeSet" >&6; } -+if test "x$ac_cv_lib_nss3_SSL_VersionRangeSet" = xyes; then : - - - $as_echo "#define USE_NSS 1" >>confdefs.h -diff --git a/configure.ac b/configure.ac -index f861124..c857554 100644 ---- a/configure.ac -+++ b/configure.ac -@@ -2067,8 +2067,8 @@ if test "$curl_ssl_msg" = "$init_ssl_msg"; then - CPPFLAGS="$CPPFLAGS $addcflags" - fi - -- dnl The function PK11_CreateGenericObject is needed to load libnsspem.so -- AC_CHECK_LIB(nss3, PK11_CreateGenericObject, -+ dnl The function SSL_VersionRangeSet() is needed to enable TLS > 1.0 -+ AC_CHECK_LIB(nss3, SSL_VersionRangeSet, - [ - AC_DEFINE(USE_NSS, 1, [if NSS is enabled]) - AC_SUBST(USE_NSS, [1]) -diff --git a/docs/INTERNALS b/docs/INTERNALS -index 66e11a4..c8e433c 100644 ---- a/docs/INTERNALS -+++ b/docs/INTERNALS -@@ -43,7 +43,7 @@ Portability - openldap 2.0 - MIT krb5 lib 
1.2.4 - qsossl V5R3M0 -- NSS 3.12.x -+ NSS 3.14.x - axTLS 1.2.7 - Heimdal ? - -diff --git a/lib/nss.c b/lib/nss.c -index 34dfbb1..fe243fa 100644 ---- a/lib/nss.c -+++ b/lib/nss.c -@@ -1176,9 +1176,7 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex) - { - PRErrorCode err = 0; - PRFileDesc *model = NULL; -- PRBool ssl2 = PR_FALSE; -- PRBool ssl3 = PR_FALSE; -- PRBool tlsv1 = PR_FALSE; -+ SSLVersionRange sslver; - PRBool ssl_no_cache; - PRBool ssl_cbc_random_iv; - struct SessionHandle *data = conn->data; -@@ -1252,20 +1250,25 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex) - switch (data->set.ssl.version) { - default: - case CURL_SSLVERSION_DEFAULT: -- ssl3 = PR_TRUE; -- if(data->state.ssl_connect_retry) -+ sslver.min = SSL_LIBRARY_VERSION_3_0; -+ if(data->state.ssl_connect_retry) { - infof(data, "TLS disabled due to previous handshake failure\n"); -+ sslver.max = SSL_LIBRARY_VERSION_3_0; -+ } - else -- tlsv1 = PR_TRUE; -+ sslver.max = SSL_LIBRARY_VERSION_TLS_1_0; - break; - case CURL_SSLVERSION_TLSv1: -- tlsv1 = PR_TRUE; -+ sslver.min = SSL_LIBRARY_VERSION_TLS_1_0; -+ sslver.max = SSL_LIBRARY_VERSION_TLS_1_0; - break; - case CURL_SSLVERSION_SSLv2: -- ssl2 = PR_TRUE; -+ sslver.min = SSL_LIBRARY_VERSION_2; -+ sslver.max = SSL_LIBRARY_VERSION_2; - break; - case CURL_SSLVERSION_SSLv3: -- ssl3 = PR_TRUE; -+ sslver.min = SSL_LIBRARY_VERSION_3_0; -+ sslver.max = SSL_LIBRARY_VERSION_3_0; - break; - case CURL_SSLVERSION_TLSv1_0: - case CURL_SSLVERSION_TLSv1_1: -@@ -1275,14 +1278,7 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex) - goto error; - } - -- if(SSL_OptionSet(model, SSL_ENABLE_SSL2, ssl2) != SECSuccess) -- goto error; -- if(SSL_OptionSet(model, SSL_ENABLE_SSL3, ssl3) != SECSuccess) -- goto error; -- if(SSL_OptionSet(model, SSL_ENABLE_TLS, tlsv1) != SECSuccess) -- goto error; -- -- if(SSL_OptionSet(model, SSL_V2_COMPATIBLE_HELLO, ssl2) != SECSuccess) -+ if(SSL_VersionRangeSet(model, &sslver) != SECSuccess) 
- goto error;
-
- ssl_cbc_random_iv = !data->set.ssl_enable_beast;
-@@ -1468,11 +1464,13 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex)
- if(model)
- PR_Close(model);
-
-- /* cleanup on connection failure */
-- Curl_llist_destroy(connssl->obj_list, NULL);
-- connssl->obj_list = NULL;
-+ /* cleanup on connection failure */
-+ Curl_llist_destroy(connssl->obj_list, NULL);
-+ connssl->obj_list = NULL;
-
-- if(ssl3 && tlsv1 && isTLSIntoleranceError(err)) {
-+ if((sslver.min == SSL_LIBRARY_VERSION_3_0)
-+ && (sslver.max == SSL_LIBRARY_VERSION_TLS_1_0)
-+ && isTLSIntoleranceError(err)) {
- /* schedule reconnect through Curl_retry_request() */
- data->state.ssl_connect_retry = TRUE;
- infof(data, "Error in TLS handshake, trying SSLv3...\n");
---
-1.7.1
-
-
-From ea24e0836e7490baf05e390444a3e1825d2e2f4b Mon Sep 17 00:00:00 2001
-From: Kamil Dudka
-Date: Mon, 25 Nov 2013 16:14:55 +0100
-Subject: [PATCH 6/9] nss: put SSL version selection into separate fnc
-
-[upstream commit 4fb8241add5b68e95fbf44d3c2bf470201a9915d]
----
- lib/nss.c | 72 +++++++++++++++++++++++++++++++++++-------------------------
- 1 files changed, 42 insertions(+), 30 deletions(-)
-
-diff --git a/lib/nss.c b/lib/nss.c
-index fe243fa..a295494 100644
----- a/lib/nss.c
-+++ b/lib/nss.c
-@@ -1172,6 +1172,46 @@ static CURLcode nss_load_ca_certificates(struct connectdata *conn,
- return CURLE_OK;
- }
-
-+static CURLcode nss_init_sslver(SSLVersionRange *sslver,
-+ struct SessionHandle *data)
-+{
-+ switch (data->set.ssl.version) {
-+ default:
-+ case CURL_SSLVERSION_DEFAULT:
-+ sslver->min = SSL_LIBRARY_VERSION_3_0;
-+ if(data->state.ssl_connect_retry) {
-+ infof(data, "TLS disabled due to previous handshake failure\n");
-+ sslver->max = SSL_LIBRARY_VERSION_3_0;
-+ }
-+ else
-+ sslver->max = SSL_LIBRARY_VERSION_TLS_1_0;
-+ return CURLE_OK;
-+
-+ case CURL_SSLVERSION_TLSv1:
-+ sslver->min = SSL_LIBRARY_VERSION_TLS_1_0;
-+ sslver->max = SSL_LIBRARY_VERSION_TLS_1_0;
-+ return CURLE_OK;
-+
-+ case CURL_SSLVERSION_SSLv2:
-+ sslver->min = SSL_LIBRARY_VERSION_2;
-+ sslver->max = SSL_LIBRARY_VERSION_2;
-+ return CURLE_OK;
-+
-+ case CURL_SSLVERSION_SSLv3:
-+ sslver->min = SSL_LIBRARY_VERSION_3_0;
-+ sslver->max = SSL_LIBRARY_VERSION_3_0;
-+ return CURLE_OK;
-+
-+ case CURL_SSLVERSION_TLSv1_0:
-+ case CURL_SSLVERSION_TLSv1_1:
-+ case CURL_SSLVERSION_TLSv1_2:
-+ break;
-+ }
-+
-+ failf(data, "TLS minor version cannot be set");
-+ return CURLE_SSL_CONNECT_ERROR;
-+}
-+
- CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex)
- {
- PRErrorCode err = 0;
-@@ -1247,37 +1287,9 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex)
- if(SSL_OptionSet(model, SSL_NO_CACHE, ssl_no_cache) != SECSuccess)
- goto error;
-
-- switch (data->set.ssl.version) {
-- default:
-- case CURL_SSLVERSION_DEFAULT:
-- sslver.min = SSL_LIBRARY_VERSION_3_0;
-- if(data->state.ssl_connect_retry) {
-- infof(data, "TLS disabled due to previous handshake failure\n");
-- sslver.max = SSL_LIBRARY_VERSION_3_0;
-- }
-- else
-- sslver.max = SSL_LIBRARY_VERSION_TLS_1_0;
-- break;
-- case CURL_SSLVERSION_TLSv1:
-- sslver.min = SSL_LIBRARY_VERSION_TLS_1_0;
-- sslver.max = SSL_LIBRARY_VERSION_TLS_1_0;
-- break;
-- case CURL_SSLVERSION_SSLv2:
-- sslver.min = SSL_LIBRARY_VERSION_2;
-- sslver.max = SSL_LIBRARY_VERSION_2;
-- break;
-- case CURL_SSLVERSION_SSLv3:
-- sslver.min = SSL_LIBRARY_VERSION_3_0;
-- sslver.max = SSL_LIBRARY_VERSION_3_0;
-- break;
-- case CURL_SSLVERSION_TLSv1_0:
-- case CURL_SSLVERSION_TLSv1_1:
-- case CURL_SSLVERSION_TLSv1_2:
-- failf(data, "TLS minor version cannot be set\n");
-- curlerr = CURLE_SSL_CONNECT_ERROR;
-+ /* enable/disable the requested SSL version(s) */
-+ if(nss_init_sslver(&sslver, data) != CURLE_OK)
- goto error;
-- }
--
- if(SSL_VersionRangeSet(model, &sslver) != SECSuccess)
- goto error;
-
---
-1.7.1
-
-
-From 6b292d3310bc9bd0e16909e412b44f1846838ba6 Mon Sep 17 00:00:00 2001
-From: Kamil Dudka
-Date: Mon, 25 Nov 2013 16:25:15 +0100
-Subject: [PATCH 7/9] nss: allow to use TLS > 1.0 if built against recent NSS
-
-Bug: http://curl.haxx.se/mail/lib-2013-11/0162.html
-
-[upstream commit 7fc9325a52a6dad1f8b859a3269472ffc125edd0]
----
- lib/nss.c | 22 ++++++++++++++++++++++
- 1 files changed, 22 insertions(+), 0 deletions(-)
-
-diff --git a/lib/nss.c b/lib/nss.c
-index a295494..43c2141 100644
----- a/lib/nss.c
-+++ b/lib/nss.c
-@@ -1189,7 +1189,13 @@ static CURLcode nss_init_sslver(SSLVersionRange *sslver,
-
- case CURL_SSLVERSION_TLSv1:
- sslver->min = SSL_LIBRARY_VERSION_TLS_1_0;
-+#ifdef SSL_LIBRARY_VERSION_TLS_1_2
-+ sslver->max = SSL_LIBRARY_VERSION_TLS_1_2;
-+#elif defined SSL_LIBRARY_VERSION_TLS_1_1
-+ sslver->max = SSL_LIBRARY_VERSION_TLS_1_1;
-+#else
- sslver->max = SSL_LIBRARY_VERSION_TLS_1_0;
-+#endif
- return CURLE_OK;
-
- case CURL_SSLVERSION_SSLv2:
-@@ -1203,8 +1209,24 @@ static CURLcode nss_init_sslver(SSLVersionRange *sslver,
- return CURLE_OK;
-
- case CURL_SSLVERSION_TLSv1_0:
-+ sslver->min = SSL_LIBRARY_VERSION_TLS_1_0;
-+ sslver->max = SSL_LIBRARY_VERSION_TLS_1_0;
-+ return CURLE_OK;
-+
- case CURL_SSLVERSION_TLSv1_1:
-+#ifdef SSL_LIBRARY_VERSION_TLS_1_1
-+ sslver->min = SSL_LIBRARY_VERSION_TLS_1_1;
-+ sslver->max = SSL_LIBRARY_VERSION_TLS_1_1;
-+ return CURLE_OK;
-+#endif
-+ break;
-+
- case CURL_SSLVERSION_TLSv1_2:
-+#ifdef SSL_LIBRARY_VERSION_TLS_1_2
-+ sslver->min = SSL_LIBRARY_VERSION_TLS_1_2;
-+ sslver->max = SSL_LIBRARY_VERSION_TLS_1_2;
-+ return CURLE_OK;
-+#endif
- break;
- }
-
---
-1.7.1
-
-
-From 6149dcd0a753647cc152287b6562df91073923b3 Mon Sep 17 00:00:00 2001
-From: Kamil Dudka
-Date: Mon, 2 Dec 2013 14:25:07 +0100
-Subject: [PATCH 8/9] nss: unconditionally require NSS_InitContext()
-
-... since we depend on NSS 3.14+ because of SSL_VersionRangeSet() anyway
-
-[upstream commit 865666afca926faa1c721020fc54364540caf734]
----
- configure | 12 ------------
- configure.ac | 8 --------
- lib/nss.c | 26 --------------------------
- 3 files changed, 0 insertions(+), 46 deletions(-)
-
-diff --git a/configure b/configure
-index 91f305f..10d4836 100755
----- a/configure
-+++ b/configure
-@@ -23654,18 +23654,6 @@ fi
- { $as_echo "$as_me:${as_lineno-$LINENO}: detected NSS version $version" >&5
-$as_echo "$as_me: detected NSS version $version" >&6;}
-
-- ac_fn_c_check_func "$LINENO" "NSS_InitContext" "ac_cv_func_NSS_InitContext"
--if test "x$ac_cv_func_NSS_InitContext" = xyes; then :
--
--
--$as_echo "#define HAVE_NSS_INITCONTEXT 1" >>confdefs.h
--
-- HAVE_NSS_INITCONTEXT=1
--
--
--fi
--
--
- if test "x$cross_compiling" != "xyes"; then
- LD_LIBRARY_PATH="$LD_LIBRARY_PATH:$nssprefix/lib$libsuff"
- export LD_LIBRARY_PATH
-diff --git a/configure.ac b/configure.ac
-index c857554..908fd6c 100644
----- a/configure.ac
-+++ b/configure.ac
-@@ -2084,14 +2084,6 @@ if test "$curl_ssl_msg" = "$init_ssl_msg"; then
- if test "x$USE_NSS" = "xyes"; then
- AC_MSG_NOTICE([detected NSS version $version])
-
-- dnl NSS_InitContext() was introduced in NSS 3.12.5 and helps to prevent
-- dnl collisions on NSS initialization/shutdown with other libraries
-- AC_CHECK_FUNC(NSS_InitContext,
-- [
-- AC_DEFINE(HAVE_NSS_INITCONTEXT, 1, [if you have the NSS_InitContext function])
-- AC_SUBST(HAVE_NSS_INITCONTEXT, [1])
-- ])
--
- dnl when shared libs were found in a path that the run-time
- dnl linker doesn't search through, we need to add it to
- dnl LD_LIBRARY_PATH to prevent further configure tests to fail
-diff --git a/lib/nss.c b/lib/nss.c
-index 43c2141..d6b95b7 100644
----- a/lib/nss.c
-+++ b/lib/nss.c
-@@ -76,9 +76,7 @@ PRFileDesc *PR_ImportTCPSocket(PRInt32 osfd);
-
- PRLock * nss_initlock = NULL;
- PRLock * nss_crllock = NULL;
--#ifdef HAVE_NSS_INITCONTEXT
- NSSInitContext * nss_context = NULL;
--#endif
-
- volatile int initialized = 0;
-
-@@ -854,7 +852,6 @@ isTLSIntoleranceError(PRInt32 err)
-
- static CURLcode nss_init_core(struct SessionHandle *data, const char *cert_dir)
- {
--#ifdef HAVE_NSS_INITCONTEXT
- NSSInitParameters initparams;
-
- if(nss_context != NULL)
-@@ -862,12 +859,6 @@ static CURLcode nss_init_core(struct SessionHandle *data, const char *cert_dir)
-
- memset((void *) &initparams, '\0', sizeof(initparams));
- initparams.length = sizeof(initparams);
--#else /* HAVE_NSS_INITCONTEXT */
-- SECStatus rv;
--
-- if(NSS_IsInitialized())
-- return CURLE_OK;
--#endif
-
- if(cert_dir) {
- const bool use_sql = NSS_VersionCheck("3.12.0");
-@@ -876,35 +867,22 @@ static CURLcode nss_init_core(struct SessionHandle *data, const char *cert_dir)
- return CURLE_OUT_OF_MEMORY;
-
- infof(data, "Initializing NSS with certpath: %s\n", certpath);
--#ifdef HAVE_NSS_INITCONTEXT
- nss_context = NSS_InitContext(certpath, "", "", "", &initparams,
- NSS_INIT_READONLY | NSS_INIT_PK11RELOAD);
- free(certpath);
-
- if(nss_context != NULL)
- return CURLE_OK;
--#else /* HAVE_NSS_INITCONTEXT */
-- rv = NSS_Initialize(certpath, "", "", "", NSS_INIT_READONLY);
-- free(certpath);
--
-- if(rv == SECSuccess)
-- return CURLE_OK;
--#endif
-
- infof(data, "Unable to initialize NSS database\n");
- }
-
- infof(data, "Initializing NSS with certpath: none\n");
--#ifdef HAVE_NSS_INITCONTEXT
- nss_context = NSS_InitContext("", "", "", "", &initparams, NSS_INIT_READONLY
- | NSS_INIT_NOCERTDB | NSS_INIT_NOMODDB | NSS_INIT_FORCEOPEN
- | NSS_INIT_NOROOTINIT | NSS_INIT_OPTIMIZESPACE | NSS_INIT_PK11RELOAD);
- if(nss_context != NULL)
- return CURLE_OK;
--#else /* HAVE_NSS_INITCONTEXT */
-- if(NSS_NoDB_Init(NULL) == SECSuccess)
-- return CURLE_OK;
--#endif
-
- infof(data, "Unable to initialize NSS\n");
- return CURLE_SSL_CACERT_BADFILE;
-@@ -1000,12 +978,8 @@ void Curl_nss_cleanup(void)
- SECMOD_DestroyModule(mod);
- mod = NULL;
- }
--#ifdef HAVE_NSS_INITCONTEXT
- NSS_ShutdownContext(nss_context);
- nss_context = NULL;
--#else /* HAVE_NSS_INITCONTEXT */
-- NSS_Shutdown();
--#endif
- }
- PR_Unlock(nss_initlock);
-
---
-1.7.1
-
-
-From e0fcc1bbc4e9b69803a84613cd7a4eed662ca13f Mon Sep 17 00:00:00 2001
-From: Kamil Dudka
-Date: Mon, 2 Dec 2013 16:09:12 +0100
-Subject: [PATCH 9/9] nss: make sure that 'sslver' is always initialized
-
-[upstream commit e221b55f67a2e12717e911f25d1bb6c85fcebfab]
----
- lib/nss.c | 9 +++++----
- 1 files changed, 5 insertions(+), 4 deletions(-)
-
-diff --git a/lib/nss.c b/lib/nss.c
-index d6b95b7..7da6a3b 100644
----- a/lib/nss.c
-+++ b/lib/nss.c
-@@ -1152,13 +1152,10 @@ static CURLcode nss_init_sslver(SSLVersionRange *sslver,
- switch (data->set.ssl.version) {
- default:
- case CURL_SSLVERSION_DEFAULT:
-- sslver->min = SSL_LIBRARY_VERSION_3_0;
- if(data->state.ssl_connect_retry) {
- infof(data, "TLS disabled due to previous handshake failure\n");
- sslver->max = SSL_LIBRARY_VERSION_3_0;
- }
-- else
-- sslver->max = SSL_LIBRARY_VERSION_TLS_1_0;
- return CURLE_OK;
-
- case CURL_SSLVERSION_TLSv1:
-@@ -1212,7 +1209,6 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex)
- {
- PRErrorCode err = 0;
- PRFileDesc *model = NULL;
-- SSLVersionRange sslver;
- PRBool ssl_no_cache;
- PRBool ssl_cbc_random_iv;
- struct SessionHandle *data = conn->data;
-@@ -1224,6 +1220,11 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex)
- long time_left;
- PRUint32 timeout;
-
-+ SSLVersionRange sslver = {
-+ SSL_LIBRARY_VERSION_3_0, /* min */
-+ SSL_LIBRARY_VERSION_TLS_1_0 /* max */
-+ };
-+
- if(connssl->state == ssl_connection_complete)
- return CURLE_OK;
-
---
-1.7.1
-
-
-From a3592df2afa075a2c905638c2d8d3513810eff09 Mon Sep 17 00:00:00 2001
-From: Kamil Dudka
-Date: Mon, 2 Dec 2013 17:00:35 +0100
-Subject: [PATCH 10/10] tool_metalink: do not use HAVE_NSS_INITCONTEXT
-
-...
no longer provided by the configure script - -[upstream commit ff9b66a8d4abb2fd92b12ae8ae3e4e7f39856af7] ---- - src/tool_metalink.c | 8 ++------ - 1 files changed, 2 insertions(+), 6 deletions(-) - -diff --git a/src/tool_metalink.c b/src/tool_metalink.c -index be5fc26..050f59d 100644 ---- a/src/tool_metalink.c -+++ b/src/tool_metalink.c -@@ -54,9 +54,7 @@ - # define MD5_CTX void * - # define SHA_CTX void * - # define SHA256_CTX void * --# ifdef HAVE_NSS_INITCONTEXT -- static NSSInitContext *nss_context; --# endif -+ static NSSInitContext *nss_context; - #elif (defined(__MAC_OS_X_VERSION_MAX_ALLOWED) && \ - (__MAC_OS_X_VERSION_MAX_ALLOWED >= 1040)) || \ - (defined(__IPHONE_OS_VERSION_MAX_ALLOWED) && \ -@@ -240,7 +238,6 @@ static int nss_hash_init(void **pctx, SECOidTag hash_alg) - PK11Context *ctx; - - /* we have to initialize NSS if not initialized alraedy */ --#ifdef HAVE_NSS_INITCONTEXT - if(!NSS_IsInitialized() && !nss_context) { - static NSSInitParameters params; - params.length = sizeof params; -@@ -248,7 +245,6 @@ static int nss_hash_init(void **pctx, SECOidTag hash_alg) - | NSS_INIT_NOCERTDB | NSS_INIT_NOMODDB | NSS_INIT_FORCEOPEN - | NSS_INIT_NOROOTINIT | NSS_INIT_OPTIMIZESPACE | NSS_INIT_PK11RELOAD); - } --#endif - - ctx = PK11_CreateDigestContext(hash_alg); - if(!ctx) -@@ -894,7 +890,7 @@ void clean_metalink(struct Configurable *config) - - void metalink_cleanup(void) - { --#if defined(USE_NSS) && defined(HAVE_NSS_INITCONTEXT) -+#ifdef USE_NSS - if(nss_context) { - NSS_ShutdownContext(nss_context); - nss_context = NULL; --- -1.7.1 - diff --git a/0102-curl-7.32.0-debug.patch b/0102-curl-7.32.0-debug.patch index e93616d..81cdc0f 100644 --- a/0102-curl-7.32.0-debug.patch +++ b/0102-curl-7.32.0-debug.patch @@ -12,7 +12,7 @@ diff --git a/configure b/configure index 8f079a3..53b4774 100755 --- a/configure 
+++ b/configure -@@ -16000,18 +16000,11 @@ $as_echo "yes" >&6; } +@@ -15999,18 +15999,11 @@ $as_echo "yes" >&6; } gccvhi=`echo $gccver | cut -d . -f1` gccvlo=`echo $gccver | cut -d . -f2` compiler_num=`(expr $gccvhi "*" 100 + $gccvlo) 2>/dev/null` diff --git a/0103-curl-7.32.0-metalink.patch b/0103-curl-7.32.0-metalink.patch index f00d874..1f0ecde 100644 --- a/0103-curl-7.32.0-metalink.patch +++ b/0103-curl-7.32.0-metalink.patch @@ -12,7 +12,7 @@ diff --git a/configure b/configure index a466175..cb63075 100755 --- a/configure +++ b/configure -@@ -15465,13 +15465,9 @@ fi +@@ -15464,13 +15464,9 @@ fi diff --git a/curl-7.33.0.tar.lzma.asc b/curl-7.33.0.tar.lzma.asc deleted file mode 100644 index 44e1b73..0000000 --- a/curl-7.33.0.tar.lzma.asc +++ /dev/null @@ -1,7 +0,0 @@ ------BEGIN PGP SIGNATURE----- -Version: GnuPG v1.4.15 (GNU/Linux) - -iEYEABECAAYFAlJcAyIACgkQeOEcayedXJGmzgCgiGvAZ1jUvbBw/ywZSday3J9j -KucAn2xv4XLijiR4cDH6z8bnN0zH+lpk -=o6A/ ------END PGP SIGNATURE----- diff --git a/curl-7.34.0.tar.lzma.asc b/curl-7.34.0.tar.lzma.asc new file mode 100644 index 0000000..3aabae6 --- /dev/null +++ b/curl-7.34.0.tar.lzma.asc @@ -0,0 +1,7 @@ +-----BEGIN PGP SIGNATURE----- +Version: GnuPG v1.4.15 (GNU/Linux) + +iEYEABECAAYFAlKwApYACgkQeOEcayedXJFJBwCffGnq3xU7TrvmolGByalNcwAj +lcUAoJdHDyD3IFQ98N0sCjKE6SKDTZMi +=Mx7t +-----END PGP SIGNATURE----- diff --git a/curl.spec b/curl.spec index 2dfc11f..bbdeaa6 100644 --- a/curl.spec +++ b/curl.spec 
@@ -1,24 +1,12 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 7.33.0 -Release: 2%{?dist} +Version: 7.34.0 +Release: 1%{?dist} License: MIT Group: Applications/Internet Source: http://curl.haxx.se/download/%{name}-%{version}.tar.lzma Source2: curlbuild.h -# test906: Fixed failing test on some platforms -Patch1: 0001-curl-7.33.0-4d49ffe1.patch - -# fix missing initialization in NTLM code causing test 906 to fail -Patch2: 0002-curl-7.33.0-86c64f3d.patch - -# fix missing initialization in SSH code causing test 619 to fail -Patch3: 0003-curl-7.33.0-f70b2c77.patch - -# allow to use TLS > 1.0 if built against recent NSS -Patch4: 0004-curl-7.33.0-7fc9325a.patch - # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch @@ -116,10 +104,6 @@ documentation of the library, too. %setup -q # upstream patches -%patch1 -p1 -%patch2 -p1 -%patch3 -p1 -%patch4 -p1 # Fedora patches %patch101 -p1 @@ -238,6 +222,9 @@ rm -rf $RPM_BUILD_ROOT %{_datadir}/aclocal/libcurl.m4 %changelog +* Wed Dec 18 2013 Kamil Dudka 7.34.0-1 +- new upstream release + * Mon Dec 02 2013 Kamil Dudka 7.33.0-2 - allow to use TLS > 1.0 if built against recent NSS diff --git a/sources b/sources index 7e556ed..ab504cb 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -eb463192f37c260163e006d6c4d3f114 curl-7.33.0.tar.lzma +552371ae5e40bd7d9c92c62ac4b7be81 curl-7.34.0.tar.lzma
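Review bot: The first curl.spec hunk moves `Version:` to 7.34.0, but the only integrity pin for the new tarball visible in this commit is the 32-hex-digit (MD5-sized) digest in `sources`, and the `Source:` URL is plain `http://`. The commit also adds the detached signature curl-7.34.0.tar.lzma.asc, yet the hunk shows no `Source` entry for it between `Source:` and `Source2:`, so it is presumably stored without being checked at build time; the rest of the spec lies outside the hunks, so this needs confirming. I would declare it under an unused Source number, e.g. `Source1: %{name}-%{version}.tar.lzma.asc`, and verify it against a packaged upstream keyring in `%prep` before `%setup -q`, so that a substituted tarball fails the build instead of depending on the MD5 digest alone.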