do not run test-suite through valgrind on i686 brew builds

The architecture is being decommissioned in Fedora, which makes it
difficult to debug valgrind failures (usually not related to curl
anyway).

.gitignore

@@ -1 +1,2 @@
 /curl-[0-9.]*.tar.lzma
+/curl-[0-9.]*.tar.xz

0001-curl-7.47.1-psl-localhost.patch

@@ -1,47 +0,0 @@
-From 090ee789dda468fe0d9b715ec4e5dc47a948a239 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?Tim=20R=C3=BChsen?= <tim.ruehsen@gmx.de>
-Date: Wed, 2 Mar 2016 11:07:16 +0100
-Subject: [PATCH] cookie: do not refuse cookies for localhost
-
-Closes #658
----
- lib/cookie.c        | 10 ++++++----
- tests/data/test1136 |  1 +
- 2 files changed, 7 insertions(+), 4 deletions(-)
-
-diff --git a/lib/cookie.c b/lib/cookie.c
-index d62f446..e5c7b7e 100644
---- a/lib/cookie.c
-+++ b/lib/cookie.c
-@@ -788,10 +788,12 @@ Curl_cookie_add(struct SessionHandle *data,
- #ifdef USE_LIBPSL
-   /* Check if the domain is a Public Suffix and if yes, ignore the cookie.
-      This needs a libpsl compiled with builtin data. */
--  if(co->domain && !isip(co->domain) && (psl = psl_builtin()) != NULL) {
--    if(psl_is_public_suffix(psl, co->domain)) {
--      infof(data, "cookie '%s' dropped, domain '%s' is a public suffix\n",
--            co->name, co->domain);
-+  if(domain && co->domain && !isip(co->domain)) {
-+    if (((psl = psl_builtin()) != NULL)
-+        && !psl_is_cookie_domain_acceptable(psl, domain, co->domain)) {
-+      infof(data,
-+            "cookie '%s' dropped, domain '%s' must not set cookies for '%s'\n",
-+            co->name, domain, co->domain);
-       freecookie(co);
-       return NULL;
-     }
-diff --git a/tests/data/test1136 b/tests/data/test1136
-index e42ca06..d3327e8 100644
---- a/tests/data/test1136
-+++ b/tests/data/test1136
-@@ -58,6 +58,7 @@ http://www.example.ck/1136 http://www.ck/1136 http://z-1.compute-1.amazonaws.com
- 
- .www.example.ck	TRUE	/	FALSE	0	test2	allowed2
- .www.ck	TRUE	/	FALSE	0	test4	allowed4
-+.z-1.compute-1.amazonaws.com	TRUE	/	FALSE	0	test5	forbidden5
- </file>
- </verify>
- </testcase>
--- 
-2.5.0
-

0001-curl-7.67.0-upload-glob.patch

@@ -0,0 +1,316 @@
+From 37a36231c5e34ae31b1968481fad2e8d76613fbd Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg <daniel@haxx.se>
+Date: Wed, 13 Nov 2019 11:33:29 +0100
+Subject: [PATCH] curl: fix -T globbing
+
+Regression from e59371a4936f8 (7.67.0)
+
+Added test 490, 491 and 492 to verify the functionality.
+
+Reported-by: Kamil Dudka
+Reported-by: Anderson Sasaki
+
+Fixes #4588
+Closes #4591
+
+Upstream-commit: 7a46aeb0be3fa00826b0c47a8bc06eddff448659
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ src/tool_operate.c      | 15 ++++---
+ tests/data/Makefile.inc |  2 +
+ tests/data/test490      | 68 +++++++++++++++++++++++++++++++
+ tests/data/test491      | 64 +++++++++++++++++++++++++++++
+ tests/data/test492      | 89 +++++++++++++++++++++++++++++++++++++++++
+ 5 files changed, 232 insertions(+), 6 deletions(-)
+ create mode 100644 tests/data/test490
+ create mode 100644 tests/data/test491
+ create mode 100644 tests/data/test492
+
+diff --git a/src/tool_operate.c b/src/tool_operate.c
+index 3087d2d..4ecb1ed 100644
+--- a/src/tool_operate.c
++++ b/src/tool_operate.c
+@@ -829,12 +829,6 @@ static CURLcode single_transfer(struct GlobalConfig *global,
+       separator = ((!state->outfiles ||
+                     !strcmp(state->outfiles, "-")) && urlnum > 1);
+ 
+-      /* Here's looping around each globbed URL */
+-
+-      if(state->li >= urlnum) {
+-        state->li = 0;
+-        state->up++;
+-      }
+       if(state->up < state->infilenum) {
+         struct per_transfer *per;
+         struct OutStruct *outs;
+@@ -1908,6 +1902,15 @@ static CURLcode single_transfer(struct GlobalConfig *global,
+         per->retrystart = tvnow();
+ 
+         state->li++;
++        /* Here's looping around each globbed URL */
++        if(state->li >= urlnum) {
++          state->li = 0;
++          state->urlnum = 0; /* forced reglob of URLs */
++          glob_cleanup(state->urls);
++          state->urls = NULL;
++          state->up++;
++          Curl_safefree(state->uploadfile); /* clear it to get the next */
++        }
+       }
+       else {
+         /* Free this URL node data without destroying the
+diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
+index 557f928..212900e 100644
+--- a/tests/data/Makefile.inc
++++ b/tests/data/Makefile.inc
+@@ -66,6 +66,8 @@ test393 test394 test395 \
+ test400 test401 test402 test403 test404 test405 test406 test407 test408 \
+ test409 \
+ \
++test490 test491 test492 \
++\
+ test500 test501 test502 test503 test504 test505 test506 test507 test508 \
+ test509 test510 test511 test512 test513 test514 test515 test516 test517 \
+ test518 test519 test520 test521 test522 test523 test524 test525 test526 \
+diff --git a/tests/data/test490 b/tests/data/test490
+new file mode 100644
+index 0000000..a3383a9
+--- /dev/null
++++ b/tests/data/test490
+@@ -0,0 +1,68 @@
++<testcase>
++<info>
++<keywords>
++HTTP
++HTTP PUT
++</keywords>
++</info>
++
++#
++# Server-side
++<reply>
++<data>
++HTTP/1.1 200 OK
++Date: Thu, 09 Nov 2010 14:49:00 GMT
++Server: test-server/fake
++Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT
++ETag: "21025-dc7-39462498"
++Accept-Ranges: bytes
++Content-Length: 6
++Connection: close
++Content-Type: text/html
++Funny-head: yesyes
++
++-foo-
++</data>
++</reply>
++
++#
++# Client-side
++<client>
++<server>
++http
++</server>
++ <name>
++Two globbed HTTP PUTs
++ </name>
++ <command>
++http://%HOSTIP:%HTTPPORT/490 -T '{log/in490,log/in490}'
++</command>
++<file name="log/in490">
++surprise!
++</file>
++</client>
++
++#
++# Verify data after the test has been "shot"
++<verify>
++<strip>
++^User-Agent:.*
++</strip>
++<protocol>
++PUT /490 HTTP/1.1
++Host: 127.0.0.1:8990
++Accept: */*
++Content-Length: 10
++Expect: 100-continue
++
++surprise!
++PUT /490 HTTP/1.1
++Host: 127.0.0.1:8990
++Accept: */*
++Content-Length: 10
++Expect: 100-continue
++
++surprise!
++</protocol>
++</verify>
++</testcase>
+diff --git a/tests/data/test491 b/tests/data/test491
+new file mode 100644
+index 0000000..b49c06c
+--- /dev/null
++++ b/tests/data/test491
+@@ -0,0 +1,64 @@
++<testcase>
++<info>
++<keywords>
++HTTP
++HTTP PUT
++</keywords>
++</info>
++
++#
++# Server-side
++<reply>
++<data>
++HTTP/1.1 200 OK
++Date: Thu, 09 Nov 2010 14:49:00 GMT
++Server: test-server/fake
++Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT
++ETag: "21025-dc7-39462498"
++Accept-Ranges: bytes
++Content-Length: 6
++Connection: close
++Content-Type: text/html
++Funny-head: yesyes
++
++-foo-
++</data>
++</reply>
++
++#
++# Client-side
++<client>
++<server>
++http
++</server>
++ <name>
++Two globbed HTTP PUTs, the second upload file is missing
++ </name>
++ <command>
++http://%HOSTIP:%HTTPPORT/491 -T '{log/in491,log/bad491}'
++</command>
++<file name="log/in491">
++surprise!
++</file>
++</client>
++
++#
++# Verify data after the test has been "shot"
++<verify>
++<strip>
++^User-Agent:.*
++</strip>
++<protocol>
++PUT /491 HTTP/1.1
++Host: 127.0.0.1:8990
++Accept: */*
++Content-Length: 10
++Expect: 100-continue
++
++surprise!
++</protocol>
++<errorcode>
++26
++</errorcode>
++</verify>
++</testcase>
+diff --git a/tests/data/test492 b/tests/data/test492
+new file mode 100644
+index 0000000..12edd8b
+--- /dev/null
++++ b/tests/data/test492
+@@ -0,0 +1,89 @@
++<testcase>
++<info>
++<keywords>
++HTTP
++HTTP PUT
++</keywords>
++</info>
++
++#
++# Server-side
++<reply>
++<data>
++HTTP/1.1 200 OK
++Date: Thu, 09 Nov 2010 14:49:00 GMT
++Server: test-server/fake
++Last-Modified: Tue, 13 Jun 2000 12:10:00 GMT
++ETag: "21025-dc7-39462498"
++Accept-Ranges: bytes
++Content-Length: 6
++Connection: close
++Content-Type: text/html
++Funny-head: yesyes
++
++-foo-
++</data>
++</reply>
++
++#
++# Client-side
++<client>
++<server>
++http
++</server>
++ <name>
++Two globbed HTTP PUTs to two globbed URLs
++ </name>
++ <command>
++'http://%HOSTIP:%HTTPPORT/{one,two}/' -T '{log/first492,log/second492}' -H "Testno: 492"
++</command>
++<file name="log/first492">
++first 492 contents
++</file>
++<file1 name="log/second492">
++second 492 contents
++</file1>
++</client>
++
++#
++# Verify data after the test has been "shot"
++<verify>
++<strip>
++^User-Agent:.*
++</strip>
++<protocol>
++PUT /one/first492 HTTP/1.1
++Host: 127.0.0.1:8990
++Accept: */*
++Testno: 492
++Content-Length: 19
++Expect: 100-continue
++
++first 492 contents
++PUT /two/first492 HTTP/1.1
++Host: 127.0.0.1:8990
++Accept: */*
++Testno: 492
++Content-Length: 19
++Expect: 100-continue
++
++first 492 contents
++PUT /one/second492 HTTP/1.1
++Host: 127.0.0.1:8990
++Accept: */*
++Testno: 492
++Content-Length: 20
++Expect: 100-continue
++
++second 492 contents
++PUT /two/second492 HTTP/1.1
++Host: 127.0.0.1:8990
++Accept: */*
++Testno: 492
++Content-Length: 20
++Expect: 100-continue
++
++second 492 contents
++</protocol>
++</verify>
++</testcase>
+-- 
+2.20.1
+

0101-curl-7.32.0-multilib.patch

@@ -13,7 +13,7 @@ diff --git a/curl-config.in b/curl-config.in
 index 150004d..95d0759 100644
 --- a/curl-config.in
 +++ b/curl-config.in
-@@ -75,7 +75,7 @@ while test $# -gt 0; do
+@@ -76,7 +76,7 @@ while test $# -gt 0; do
          ;;
  
      --cc)
@@ -22,7 +22,7 @@ index 150004d..95d0759 100644
          ;;
  
      --prefix)
-@@ -142,29 +142,14 @@ while test $# -gt 0; do
+@@ -155,32 +155,17 @@ while test $# -gt 0; do
          ;;
  
      --libs)
@@ -38,6 +38,9 @@ index 150004d..95d0759 100644
 -        fi
 +        echo -lcurl
          ;;
+     --ssl-backends)
+         echo "@SSL_BACKENDS@"
+         ;;
  
      --static-libs)
 -        if test "X@ENABLE_STATIC@" != "Xno" ; then
@@ -58,8 +61,8 @@ diff --git a/docs/curl-config.1 b/docs/curl-config.1
 index 14a9d2b..ffcc004 100644
 --- a/docs/curl-config.1
 +++ b/docs/curl-config.1
-@@ -65,7 +65,9 @@ be listed using uppercase and are separated by newlines. There may be none,
- one, or several protocols in the list. (Added in 7.13.0)
+@@ -70,7 +70,9 @@ no, one or several names. If more than one name, they will appear
+ comma-separated. (Added in 7.58.0)
  .IP "--static-libs"
  Shows the complete set of libs and other linker options you will need in order
 -to link your application with libcurl statically. (Added in 7.17.1)

0102-curl-7.36.0-debug.patch

@@ -12,7 +12,7 @@ diff --git a/configure b/configure
 index 8f079a3..53b4774 100755
 --- a/configure
 +++ b/configure
-@@ -16017,18 +16017,11 @@ $as_echo "yes" >&6; }
+@@ -16331,18 +16331,11 @@ $as_echo "yes" >&6; }
      gccvhi=`echo $gccver | cut -d . -f1`
      gccvlo=`echo $gccver | cut -d . -f2`
      compiler_num=`(expr $gccvhi "*" 100 + $gccvlo) 2>/dev/null`
@@ -27,18 +27,18 @@ index 8f079a3..53b4774 100755
 +    flags_dbg_all=""
      flags_dbg_yes="-g"
      flags_dbg_off=""
--    flags_opt_all="-O -O0 -O1 -O2 -O3 -Os"
+-    flags_opt_all="-O -O0 -O1 -O2 -O3 -Os -Og -Ofast"
 -    flags_opt_yes="-O2"
 +    flags_opt_all=""
 +    flags_opt_yes=""
      flags_opt_off="-O0"
  
-       if test -z "$SED"; then
+     OLDCPPFLAGS=$CPPFLAGS
 diff --git a/m4/curl-compilers.m4 b/m4/curl-compilers.m4
 index 0cbba7a..9175b5b 100644
 --- a/m4/curl-compilers.m4
 +++ b/m4/curl-compilers.m4
-@@ -148,18 +148,11 @@ AC_DEFUN([CURL_CHECK_COMPILER_GNU_C], [
+@@ -166,18 +166,11 @@ AC_DEFUN([CURL_CHECK_COMPILER_GNU_C], [
      gccvhi=`echo $gccver | cut -d . -f1`
      gccvlo=`echo $gccver | cut -d . -f2`
      compiler_num=`(expr $gccvhi "*" 100 + $gccvlo) 2>/dev/null`
@@ -53,7 +53,7 @@ index 0cbba7a..9175b5b 100644
 +    flags_dbg_all=""
      flags_dbg_yes="-g"
      flags_dbg_off=""
--    flags_opt_all="-O -O0 -O1 -O2 -O3 -Os"
+-    flags_opt_all="-O -O0 -O1 -O2 -O3 -Os -Og -Ofast"
 -    flags_opt_yes="-O2"
 +    flags_opt_all=""
 +    flags_opt_yes=""

0103-curl-7.59.0-python3.patch

@@ -0,0 +1,34 @@
+From 3c4c7340e455b7256c0786759422f34ec3e2d440 Mon Sep 17 00:00:00 2001
+From: Kamil Dudka <kdudka@redhat.com>
+Date: Thu, 15 Mar 2018 14:49:56 +0100
+Subject: [PATCH] tests/{negtelnet,smb}server.py: migrate to Python 3
+
+Unfortunately, smbserver.py does not work with Python 3 because
+there is no 'impacket' module available for Python 3:
+
+https://github.com/CoreSecurity/impacket/issues/61
+---
+ tests/negtelnetserver.py | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/tests/negtelnetserver.py b/tests/negtelnetserver.py
+index 8cfd409..72ee771 100755
+--- a/tests/negtelnetserver.py
++++ b/tests/negtelnetserver.py
+@@ -73,11 +73,11 @@ class NegotiatingTelnetHandler(socketserver.BaseRequestHandler):
+                 response_data = response.encode('ascii')
+             else:
+                 log.debug("Received normal request - echoing back")
+-                response_data = data.strip()
++                response_data = data.decode('utf8').strip()
+ 
+             if response_data:
+                 log.debug("Sending %r", response_data)
+-                self.request.sendall(response_data)
++                self.request.sendall(response_data.encode('utf8'))
+ 
+         except IOError:
+             log.exception("IOError hit during request")
+-- 
+2.14.3
+

0104-curl-7.19.7-localhost6.patch

@@ -14,8 +14,8 @@ index e441278..b0958b6 100644
 +-g "http://%HOST6IP:%HTTP6PORT/1083" --interface localhost6
  </command>
  <precheck>
--perl -e "if ('%CLIENT6IP' ne '[::1]') {print 'Test requires default test server host address';} else {exec './server/resolve --ipv6 ip6-localhost'; print 'Cannot run precheck resolve';}"
-+perl -e "if ('%CLIENT6IP' ne '[::1]') {print 'Test requires default test server host address';} else {exec './server/resolve --ipv6 localhost6'; print 'Cannot run precheck resolve';}"
+-perl -e "if ('%CLIENT6IP' ne '[::1]') {print 'Test requires default test client host address';} else {exec './server/resolve --ipv6 ip6-localhost'; print 'Cannot run precheck resolve';}"
++perl -e "if ('%CLIENT6IP' ne '[::1]') {print 'Test requires default test client host address';} else {exec './server/resolve --ipv6 localhost6'; print 'Cannot run precheck resolve';}"
  </precheck>
  </client>
  

0105-curl-7.63.0-lib1560-valgrind.patch

@@ -0,0 +1,39 @@
+From f55cca0e86f59ec11ffafd5c0503c39ca3723e2e Mon Sep 17 00:00:00 2001
+From: Kamil Dudka <kdudka@redhat.com>
+Date: Mon, 4 Feb 2019 17:32:56 +0100
+Subject: [PATCH] libtest: compile lib1560.c with -fno-builtin-strcmp
+
+... to prevent valgrind from reporting false positives on x86_64:
+
+Conditional jump or move depends on uninitialised value(s)
+   at 0x10BCAA: part2id (lib1560.c:489)
+   by 0x10BCAA: updateurl (lib1560.c:521)
+   by 0x10BCAA: set_parts (lib1560.c:630)
+   by 0x10BCAA: test (lib1560.c:802)
+   by 0x4923412: (below main) (in /usr/lib64/libc-2.28.9000.so)
+
+Conditional jump or move depends on uninitialised value(s)
+   at 0x10BCC3: part2id (lib1560.c:491)
+   by 0x10BCC3: updateurl (lib1560.c:521)
+   by 0x10BCC3: set_parts (lib1560.c:630)
+   by 0x10BCC3: test (lib1560.c:802)
+   by 0x4923412: (below main) (in /usr/lib64/libc-2.28.9000.so)
+---
+ tests/libtest/Makefile.inc | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/tests/libtest/Makefile.inc b/tests/libtest/Makefile.inc
+index 080421b..ea3b806 100644
+--- a/tests/libtest/Makefile.inc
++++ b/tests/libtest/Makefile.inc
+@@ -534,6 +534,7 @@ lib1559_SOURCES = lib1559.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS)
+ lib1559_LDADD = $(TESTUTIL_LIBS)
+ 
+ lib1560_SOURCES = lib1560.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS)
++lib1560_CFLAGS = $(AM_CFLAGS) -fno-builtin-strcmp
+ lib1560_LDADD = $(TESTUTIL_LIBS)
+ 
+ lib1591_SOURCES = lib1591.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS)
+-- 
+2.17.2
+

0107-curl-7.21.4-libidn-valgrind.patch

@@ -1,26 +0,0 @@
-From d6c42a5bf66d4d458b20836573d6989e53f7d423 Mon Sep 17 00:00:00 2001
-From: Kamil Dudka <kdudka@redhat.com>
-Date: Fri, 18 Feb 2011 17:49:59 +0100
-Subject: [PATCH] curl: work around valgrind bug (RHBZ#678518)
-
-https://bugs.kde.org/show_bug.cgi?id=264936
----
- tests/data/test165 |    3 +++
- 1 files changed, 3 insertions(+), 0 deletions(-)
-
-diff --git a/tests/data/test165 b/tests/data/test165
-index ddfe1e9..b2cbc4f 100644
---- a/tests/data/test165
-+++ b/tests/data/test165
-@@ -54,5 +54,8 @@ Accept: */*
- Proxy-Connection: Keep-Alive
- 
- </protocol>
-+<valgrind>
-+disable
-+</valgrind>
- </verify>
- </testcase>
--- 
-1.7.4
-

curl-7.47.1.tar.lzma.asc

@@ -1,7 +0,0 @@
------BEGIN PGP SIGNATURE-----
-Version: GnuPG v1
-
-iEYEABECAAYFAla4X80ACgkQeOEcayedXJFLWACglcsd1JCV1a5mQlzMVI166llH
-66oAn3wjtUvix9Gn59EGwBz1k5Kby2gH
-=Zg6S
------END PGP SIGNATURE-----

curl-7.67.0.tar.xz.asc

@@ -0,0 +1,11 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAl3CauAACgkQXMkI/bce
+EsKe7Qf+Py/Wufz3AqqpJ1Xr0oigaV1Sa5AAyRD+KX8jwSJTRaRahaECGMhmR9vh
+kBaMFtycctCKcK1masI9GSeTX5nCtmaWzELLsBXynm/l2W+hrW1AD2R++YuM384t
+O078GxgsgRH0m8MacSKoV5yPOv/h9URnVMTavkAIfnW50vw17akDZ9MW2NhJzKpP
+s6GgWTMB5gomTHlnlHjTjtNoVbKKrV4v9YyRwqzI3XHXYtYOA7iufP4wnT+dpSm5
+ZLdbg5Nq+1pCTEiMg3KZKYNriypoLJuWuSF+bKc54CGN63eoUxXgU6js9ViHS5JS
+3dPfzzRA8wgROem58QhHnrR9c2CmdQ==
+=5gov
+-----END PGP SIGNATURE-----

curl.spec

@@ -1,14 +1,12 @@
 Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
 Name: curl
-Version: 7.47.1
-Release: 4%{?dist}
+Version: 7.67.0
+Release: 2%{?dist}
 License: MIT
-Group: Applications/Internet
-Source: http://curl.haxx.se/download/%{name}-%{version}.tar.lzma
-Source2: curlbuild.h
+Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz
 
-# do not refuse cookies for localhost (#1308791)
-Patch1: 0001-curl-7.47.1-psl-localhost.patch
+# fix infinite loop on upload using a glob (#1771025)
+Patch1:   0001-curl-7.67.0-upload-glob.patch
 
 # patch making libcurl multilib ready
 Patch101: 0101-curl-7.32.0-multilib.patch
@@ -16,31 +14,56 @@ Patch101: 0101-curl-7.32.0-multilib.patch
 # prevent configure script from discarding -g in CFLAGS (#496778)
 Patch102: 0102-curl-7.36.0-debug.patch
 
+# migrate tests/http_pipe.py to Python 3
+Patch103: 0103-curl-7.59.0-python3.patch
+
 # use localhost6 instead of ip6-localhost in the curl test-suite
 Patch104: 0104-curl-7.19.7-localhost6.patch
 
-# work around valgrind bug (#678518)
-Patch107: 0107-curl-7.21.4-libidn-valgrind.patch
+# prevent valgrind from reporting false positives on x86_64
+Patch105: 0105-curl-7.63.0-lib1560-valgrind.patch
 
+Provides: curl-full = %{version}-%{release}
 Provides: webclient
-URL: http://curl.haxx.se/
-BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(id -nu)
+URL: https://curl.haxx.se/
+BuildRequires: automake
+BuildRequires: brotli-devel
+BuildRequires: coreutils
+BuildRequires: gcc
 BuildRequires: groff
 BuildRequires: krb5-devel
-BuildRequires: libidn-devel
+BuildRequires: libidn2-devel
 BuildRequires: libmetalink-devel
 BuildRequires: libnghttp2-devel
 BuildRequires: libpsl-devel
-BuildRequires: libssh2-devel
-BuildRequires: nss-devel
+BuildRequires: libssh-devel
+BuildRequires: make
 BuildRequires: openldap-devel
 BuildRequires: openssh-clients
 BuildRequires: openssh-server
+BuildRequires: openssl-devel
+BuildRequires: perl-interpreter
 BuildRequires: pkgconfig
-BuildRequires: python
+BuildRequires: python3-devel
+BuildRequires: sed
 BuildRequires: stunnel
 BuildRequires: zlib-devel
 
+# needed to compress content of tool_hugehelp.c after changing curl.1 man page
+BuildRequires: perl(IO::Compress::Gzip)
+
+# needed for generation of shell completions
+BuildRequires: perl(Getopt::Long)
+BuildRequires: perl(Pod::Usage)
+BuildRequires: perl(strict)
+BuildRequires: perl(warnings)
+
+# gnutls-serv is used by the upstream test-suite
+BuildRequires: gnutls-utils
+
+# nghttpx (an HTTP/2 proxy) is used by the upstream test-suite
+BuildRequires: nghttp2
+
 # perl modules used in the test suite
 BuildRequires: perl(Cwd)
 BuildRequires: perl(Digest::MD5)
@@ -50,27 +73,34 @@ BuildRequires: perl(File::Copy)
 BuildRequires: perl(File::Spec)
 BuildRequires: perl(IPC::Open2)
 BuildRequires: perl(MIME::Base64)
-BuildRequires: perl(strict)
 BuildRequires: perl(Time::Local)
 BuildRequires: perl(Time::HiRes)
-BuildRequires: perl(warnings)
 BuildRequires: perl(vars)
 
-# The test-suite runs automatically trough valgrind if valgrind is available
+# The test-suite runs automatically through valgrind if valgrind is available
 # on the system.  By not installing valgrind into mock's chroot, we disable
 # this feature for production builds on architectures where valgrind is known
 # to be less reliable, in order to avoid unnecessary build failures (see RHBZ
 # #810992, #816175, and #886891).  Nevertheless developers are free to install
 # valgrind manually to improve test coverage on any architecture.
-%ifarch %{ix86} x86_64
+%ifarch x86_64
 BuildRequires: valgrind
 %endif
 
-Requires: libcurl%{?_isa} = %{version}-%{release}
+# using an older version of libcurl could result in CURLE_UNKNOWN_OPTION
+Requires: libcurl%{?_isa} >= %{version}-%{release}
 
-# require at least the version of libssh2 that we were built against,
+# require at least the version of libpsl that we were built against,
+# to ensure that we have the necessary symbols available (#1631804)
+%global libpsl_version %(pkg-config --modversion libpsl 2>/dev/null || echo 0)
+
+# require at least the version of libssh that we were built against,
 # to ensure that we have the necessary symbols available (#525002, #642796)
-%global libssh2_version %(pkg-config --modversion libssh2 2>/dev/null || echo 0)
+%global libssh_version %(pkg-config --modversion libssh 2>/dev/null || echo 0)
+
+# require at least the version of openssl-libs that we were built against,
+# to ensure that we have the necessary symbols available (#1462184, #1462211)
+%global openssl_version %(pkg-config --modversion openssl 2>/dev/null || echo 0)
 
 %description
 curl is a command line tool for transferring data with URL syntax, supporting
@@ -82,8 +112,11 @@ resume, proxy tunneling and a busload of other useful tricks.
 
 %package -n libcurl
 Summary: A library for getting files from web servers
-Group: Development/Libraries
-Requires: libssh2%{?_isa} >= %{libssh2_version}
+Requires: libpsl%{?_isa} >= %{libpsl_version}
+Requires: libssh%{?_isa} >= %{libssh_version}
+Requires: openssl-libs%{?_isa} >= 1:%{openssl_version}
+Provides: libcurl-full = %{version}-%{release}
+Provides: libcurl-full%{?_isa} = %{version}-%{release}
 
 %description -n libcurl
 libcurl is a free and easy-to-use client-side URL transfer library, supporting
@@ -95,19 +128,8 @@ resume, http proxy tunneling and more.
 
 %package -n libcurl-devel
 Summary: Files needed for building applications with libcurl
-Group: Development/Libraries
 Requires: libcurl%{?_isa} = %{version}-%{release}
 
-# From Fedora 14, %%{_datadir}/aclocal is included in the filesystem package
-%if 0%{?fedora} < 14
-Requires: %{_datadir}/aclocal
-%endif
-
-# From Fedora 11, RHEL-6, pkgconfig dependency is auto-detected
-%if 0%{?fedora} < 11 && 0%{?rhel} < 6
-Requires: pkgconfig
-%endif
-
 Provides: curl-devel = %{version}-%{release}
 Provides: curl-devel%{?_isa} = %{version}-%{release}
 Obsoletes: curl-devel < %{version}-%{release}
@@ -117,6 +139,37 @@ The libcurl-devel package includes header files and libraries necessary for
 developing programs which use the libcurl library. It contains the API
 documentation of the library, too.
 
+%package -n curl-minimal
+Summary: Conservatively configured build of curl for minimal installations
+Provides: curl = %{version}-%{release}
+Conflicts: curl
+RemovePathPostfixes: .minimal
+
+# using an older version of libcurl could result in CURLE_UNKNOWN_OPTION
+Requires: libcurl%{?_isa} >= %{version}-%{release}
+
+%description -n curl-minimal
+This is a replacement of the 'curl' package for minimal installations.  It
+comes with a limited set of features compared to the 'curl' package.  On the
+other hand, the package is smaller and requires fewer run-time dependencies to
+be installed.
+
+%package -n libcurl-minimal
+Summary: Conservatively configured build of libcurl for minimal installations
+Requires: openssl-libs%{?_isa} >= 1:%{openssl_version}
+Provides: libcurl = %{version}-%{release}
+Provides: libcurl%{?_isa} = %{version}-%{release}
+Conflicts: libcurl
+RemovePathPostfixes: .minimal
+# needed for RemovePathPostfixes to work with shared libraries
+%undefine __brp_ldconfig
+
+%description -n libcurl-minimal
+This is a replacement of the 'libcurl' package for minimal installations.  It
+comes with a limited set of features compared to the 'libcurl' package.  On the
+other hand, the package is smaller and requires fewer run-time dependencies to
+be installed.
+
 %prep
 %setup -q
 
@@ -126,47 +179,86 @@ documentation of the library, too.
 # Fedora patches
 %patch101 -p1
 %patch102 -p1
+%patch103 -p1
 %patch104 -p1
-%patch107 -p1
+%patch105 -p1
 
-# use RSA instead of DSA for host authentication in SCP and SFTP test-cases
-# because DSA is no longer supported by OpenSSH
-sed -e 's/ds[as]/rsa/g' -i tests/ssh{help.pm,server.pl}
+# make tests/*.py use Python 3
+sed -e '1 s|^#!/.*python|#!%{__python3}|' -i tests/*.py
 
-# disable test 1112 (#565305) and test 1801
+# regenerate Makefile.in files
+aclocal -I m4
+automake
+
+# disable test 1112 (#565305), test 1455 (occasionally fails with 'bind failed
+# with errno 98: Address already in use' in Koji environment), and test 1801
 # <https://github.com/bagder/curl/commit/21e82bd6#commitcomment-12226582>
-printf "1112\n1801\n" >> tests/data/DISABLED
+# and test 1900, which is flaky and covers a deprecated feature of libcurl
+# <https://github.com/curl/curl/pull/2705>
+printf "1112\n1455\n1801\n1900\n" >> tests/data/DISABLED
 
 # disable test 1319 on ppc64 (server times out)
 %ifarch ppc64
 echo "1319" >> tests/data/DISABLED
 %endif
 
+# temporarily disable test 582 on s390x (client times out)
+%ifarch s390x
+echo "582" >> tests/data/DISABLED
+%endif
+
+# adapt test 323 for updated OpenSSL
+sed -e 's/^35$/35,52/' -i tests/data/test323
+
 %build
-[ -x /usr/kerberos/bin/krb5-config ] && KRB5_PREFIX="=/usr/kerberos"
-%configure --disable-static \
+mkdir build-{full,minimal}
+export common_configure_opts=" \
+    --cache-file=../config.cache \
+    --disable-static \
     --enable-symbol-hiding \
     --enable-ipv6 \
-    --enable-ldaps \
-    --enable-manual \
     --enable-threaded-resolver \
-    --with-ca-bundle=%{_sysconfdir}/pki/tls/certs/ca-bundle.crt \
-    --with-gssapi${KRB5_PREFIX} \
-    --with-libidn \
-    --with-libmetalink \
-    --with-libpsl \
-    --with-libssh2 \
+    --with-gssapi \
     --with-nghttp2 \
-    --without-ssl --with-nss
-#    --enable-debug
-# use ^^^ to turn off optimizations, etc.
+    --with-ssl --with-ca-bundle=%{_sysconfdir}/pki/tls/certs/ca-bundle.crt"
 
-# Remove bogus rpath
-sed -i \
-    -e 's|^hardcode_libdir_flag_spec=.*|hardcode_libdir_flag_spec=""|g' \
-    -e 's|^runpath_var=LD_RUN_PATH|runpath_var=DIE_RPATH_DIE|g' libtool
+%global _configure ../configure
 
-make %{?_smp_mflags} V=1
+# configure minimal build
+(
+    cd build-minimal
+    %configure $common_configure_opts \
+        --disable-ldap \
+        --disable-ldaps \
+        --disable-manual \
+        --without-brotli \
+        --without-libidn2 \
+        --without-libmetalink \
+        --without-libpsl \
+        --without-libssh
+)
+
+# configure full build
+(
+    cd build-full
+    %configure $common_configure_opts \
+        --enable-ldap \
+        --enable-ldaps \
+        --enable-manual \
+        --with-brotli \
+        --with-libidn2 \
+        --with-libmetalink \
+        --with-libpsl \
+        --with-libssh
+)
+
+# avoid using rpath
+sed -e 's/^runpath_var=.*/runpath_var=/' \
+    -e 's/^hardcode_libdir_flag_spec=".*"$/hardcode_libdir_flag_spec=""/' \
+    -i build-{full,minimal}/libtool
+
+make %{?_smp_mflags} V=1 -C build-minimal
+make %{?_smp_mflags} V=1 -C build-full
 
 %check
 # we have to override LD_LIBRARY_PATH because we eliminated rpath
@@ -174,57 +266,72 @@ LD_LIBRARY_PATH="$RPM_BUILD_ROOT%{_libdir}:$LD_LIBRARY_PATH"
 export LD_LIBRARY_PATH
 
 # compile upstream test-cases
-cd tests
+cd build-full/tests
 make %{?_smp_mflags} V=1
 
+# relax crypto policy for the test-suite to make it pass again (#1610888)
+export OPENSSL_SYSTEM_CIPHERS_OVERRIDE=XXX
+export OPENSSL_CONF=
+
 # run the upstream test-suite
-./runtests.pl -a -p -v '!flaky'
+srcdir=../../tests perl -I../../tests ../../tests/runtests.pl -a -p -v '!flaky'
 
 %install
-rm -rf $RPM_BUILD_ROOT
+# install and rename the library that will be packaged as libcurl-minimal
+make DESTDIR=$RPM_BUILD_ROOT INSTALL="install -p" install -C build-minimal/lib
+rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.{la,so}
+for i in ${RPM_BUILD_ROOT}%{_libdir}/*; do
+    mv -v $i $i.minimal
+done
 
-make DESTDIR=$RPM_BUILD_ROOT INSTALL="install -p" install
-
-rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
+# install and rename the executable that will be packaged as curl-minimal
+make DESTDIR=$RPM_BUILD_ROOT INSTALL="install -p" install -C build-minimal/src
+mv -v ${RPM_BUILD_ROOT}%{_bindir}/curl{,.minimal}
 
+# install libcurl.m4
 install -d $RPM_BUILD_ROOT%{_datadir}/aclocal
 install -m 644 docs/libcurl/libcurl.m4 $RPM_BUILD_ROOT%{_datadir}/aclocal
 
-# Make libcurl-devel multilib-ready (bug #488922)
-%if 0%{?__isa_bits} == 64
-%global _curlbuild_h curlbuild-64.h
-%else
-%global _curlbuild_h curlbuild-32.h
-%endif
-mv $RPM_BUILD_ROOT%{_includedir}/curl/curlbuild.h \
-   $RPM_BUILD_ROOT%{_includedir}/curl/%{_curlbuild_h}
+# install the executable and library that will be packaged as curl and libcurl
+cd build-full
+make DESTDIR=$RPM_BUILD_ROOT INSTALL="install -p" install
 
-install -m 644 %{SOURCE2} $RPM_BUILD_ROOT%{_includedir}/curl/curlbuild.h
+# install zsh completion for curl
+# (we have to override LD_LIBRARY_PATH because we eliminated rpath)
+LD_LIBRARY_PATH="$RPM_BUILD_ROOT%{_libdir}:$LD_LIBRARY_PATH" \
+    make DESTDIR=$RPM_BUILD_ROOT INSTALL="install -p" install -C scripts
 
-%clean
-rm -rf $RPM_BUILD_ROOT
+# do not install /usr/share/fish/completions/curl.fish which is also installed
+# by fish-3.0.2-1.module_f31+3716+57207597 and would trigger a conflict
+rm -rf ${RPM_BUILD_ROOT}%{_datadir}/fish
 
-%post -n libcurl -p /sbin/ldconfig
+rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
 
-%postun -n libcurl -p /sbin/ldconfig
+%ldconfig_scriptlets -n libcurl
+
+%ldconfig_scriptlets -n libcurl-minimal
 
 %files
-%doc CHANGES README*
-%doc docs/BUGS docs/FAQ docs/FEATURES
-%doc docs/MANUAL docs/RESOURCES
-%doc docs/TheArtOfHttpScripting docs/TODO
+%doc CHANGES
+%doc README
+%doc docs/BUGS
+%doc docs/FAQ
+%doc docs/FEATURES
+%doc docs/RESOURCES
+%doc docs/TODO
+%doc docs/TheArtOfHttpScripting
 %{_bindir}/curl
 %{_mandir}/man1/curl.1*
-%{_datadir}/zsh/site-functions
+%{_datadir}/zsh
 
 %files -n libcurl
-%{!?_licensedir:%global license %%doc}
 %license COPYING
-%{_libdir}/libcurl.so.*
+%{_libdir}/libcurl.so.4
+%{_libdir}/libcurl.so.4.[0-9].[0-9]
 
 %files -n libcurl-devel
-%doc docs/examples/*.c docs/examples/Makefile.example docs/INTERNALS
-%doc docs/CONTRIBUTE docs/libcurl/ABI
+%doc docs/examples/*.c docs/examples/Makefile.example docs/INTERNALS.md
+%doc docs/CONTRIBUTE.md docs/libcurl/ABI
 %{_bindir}/curl-config*
 %{_includedir}/curl
 %{_libdir}/*.so
@@ -233,7 +340,373 @@ rm -rf $RPM_BUILD_ROOT
 %{_mandir}/man3/*
 %{_datadir}/aclocal/libcurl.m4
 
+%files -n curl-minimal
+%{_bindir}/curl.minimal
+%{_mandir}/man1/curl.1*
+
+%files -n libcurl-minimal
+%license COPYING
+%{_libdir}/libcurl.so.4.minimal
+%{_libdir}/libcurl.so.4.[0-9].[0-9].minimal
+
 %changelog
+* Thu Nov 14 2019 Kamil Dudka <kdudka@redhat.com> - 7.67.1-2
+- fix infinite loop on upload using a glob (#1771025)
+
+* Wed Nov 06 2019 Kamil Dudka <kdudka@redhat.com> - 7.67.1-1
+- new upstream release
+
+* Wed Sep 11 2019 Kamil Dudka <kdudka@redhat.com> - 7.66.0-1
+- new upstream release, which fixes the following vulnerabilities
+    CVE-2019-5481 - double free due to subsequent call of realloc()
+    CVE-2019-5482 - heap buffer overflow in function tftp_receive_packet()
+
+* Tue Aug 27 2019 Kamil Dudka <kdudka@redhat.com> - 7.65.3-4
+- avoid reporting spurious error in the HTTP2 framing layer (#1690971)
+
+* Thu Aug 01 2019 Kamil Dudka <kdudka@redhat.com> - 7.65.3-3
+- improve handling of gss_init_sec_context() failures
+
+* Wed Jul 24 2019 Fedora Release Engineering <releng@fedoraproject.org> - 7.65.3-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
+
+* Sat Jul 20 2019 Paul Howarth <paul@city-fan.org> - 7.65.3-1
+- new upstream release
+
+* Wed Jul 17 2019 Kamil Dudka <kdudka@redhat.com> - 7.65.2-1
+- new upstream release
+
+* Wed Jun 05 2019 Kamil Dudka <kdudka@redhat.com> - 7.65.1-1
+- new upstream release
+
+* Thu May 30 2019 Kamil Dudka <kdudka@redhat.com> - 7.65.0-2
+- fix spurious timeout events with speed-limit (#1714893)
+
+* Wed May 22 2019 Kamil Dudka <kdudka@redhat.com> - 7.65.0-1
+- new upstream release, which fixes the following vulnerabilities
+    CVE-2019-5436 - TFTP receive buffer overflow
+    CVE-2019-5435 - integer overflows in curl_url_set()
+
+* Thu May 09 2019 Kamil Dudka <kdudka@redhat.com> - 7.64.1-2
+- do not treat failure of gss_init_sec_context() with --negotiate as fatal
+
+* Wed Mar 27 2019 Kamil Dudka <kdudka@redhat.com> - 7.64.1-1
+- new upstream release
+
+* Mon Mar 25 2019 Kamil Dudka <kdudka@redhat.com> - 7.64.0-6
+- remove verbose "Expire in" ... messages (#1690971)
+
+* Thu Mar 21 2019 Kamil Dudka <kdudka@redhat.com> - 7.64.0-5
+- avoid spurious "Could not resolve host: [host name]" error messages
+
+* Wed Feb 27 2019 Kamil Dudka <kdudka@redhat.com> - 7.64.0-4
+- fix NULL dereference if flushing cookies with no CookieInfo set (#1683676)
+
+* Mon Feb 25 2019 Kamil Dudka <kdudka@redhat.com> - 7.64.0-3
+- prevent NetworkManager from leaking file descriptors (#1680198)
+
+* Mon Feb 11 2019 Kamil Dudka <kdudka@redhat.com> - 7.64.0-2
+- make zsh completion work again
+
+* Wed Feb 06 2019 Kamil Dudka <kdudka@redhat.com> - 7.64.0-1
+- new upstream release, which fixes the following vulnerabilities
+    CVE-2019-3823 - SMTP end-of-response out-of-bounds read
+    CVE-2019-3822 - NTLMv2 type-3 header stack buffer overflow
+    CVE-2018-16890 - NTLM type-2 out-of-bounds buffer read
+
+* Mon Feb 04 2019 Kamil Dudka <kdudka@redhat.com> - 7.63.0-7
+- prevent valgrind from reporting false positives on x86_64
+
+* Thu Jan 31 2019 Fedora Release Engineering <releng@fedoraproject.org> - 7.63.0-6
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
+
+* Mon Jan 21 2019 Kamil Dudka <kdudka@redhat.com> - 7.63.0-5
+- xattr: strip credentials from any URL that is stored (CVE-2018-20483)
+
+* Fri Jan 04 2019 Kamil Dudka <kdudka@redhat.com> - 7.63.0-4
+- replace 0105-curl-7.63.0-libstubgss-ldadd.patch by upstream patch
+
+* Wed Dec 19 2018 Kamil Dudka <kdudka@redhat.com> - 7.63.0-3
+- curl -J: do not append to the destination file (#1658574)
+
+* Fri Dec 14 2018 Kamil Dudka <kdudka@redhat.com> - 7.63.0-2
+- revert an upstream commit that broke `fedpkg new-sources` (#1659329)
+
+* Wed Dec 12 2018 Kamil Dudka <kdudka@redhat.com> - 7.63.0-1
+- new upstream release
+
+* Wed Oct 31 2018 Kamil Dudka <kdudka@redhat.com> - 7.62.0-1
+- new upstream release, which fixes the following vulnerabilities
+    CVE-2018-16839 - SASL password overflow via integer overflow
+    CVE-2018-16840 - use-after-free in handle close
+    CVE-2018-16842 - warning message out-of-buffer read
+
+* Thu Oct 11 2018 Kamil Dudka <kdudka@redhat.com> - 7.61.1-3
+- enable TLS 1.3 post-handshake auth in OpenSSL
+- update the documentation of --tlsv1.0 in curl(1) man page
+
+* Thu Oct 04 2018 Kamil Dudka <kdudka@redhat.com> - 7.61.1-2
+- enforce versioned libpsl dependency for libcurl (#1631804)
+- test320: update expected output for gnutls-3.6.4
+- drop 0105-curl-7.61.0-tests-ssh-keygen.patch no longer needed (#1622594)
+
+* Wed Sep 05 2018 Kamil Dudka <kdudka@redhat.com> - 7.61.1-1
+- new upstream release, which fixes the following vulnerability
+    CVE-2018-14618 - NTLM password overflow via integer overflow
+
+* Tue Sep 04 2018 Kamil Dudka <kdudka@redhat.com> - 7.61.0-8
+- make the --tls13-ciphers option work
+
+* Mon Aug 27 2018 Kamil Dudka <kdudka@redhat.com> - 7.61.0-7
+- tests: make ssh-keygen always produce PEM format (#1622594)
+
+* Wed Aug 15 2018 Kamil Dudka <kdudka@redhat.com> - 7.61.0-6
+- scp/sftp: fix infinite connect loop on invalid private key (#1595135)
+
+* Thu Aug 09 2018 Kamil Dudka <kdudka@redhat.com> - 7.61.0-5
+- ssl: set engine implicitly when a PKCS#11 URI is provided (#1219544)
+
+* Tue Aug 07 2018 Kamil Dudka <kdudka@redhat.com> - 7.61.0-4
+- relax crypto policy for the test-suite to make it pass again (#1610888)
+
+* Tue Jul 31 2018 Kamil Dudka <kdudka@redhat.com> - 7.61.0-3
+- disable flaky test 1900, which covers deprecated HTTP pipelining
+- adapt test 323 for updated OpenSSL
+
+* Thu Jul 12 2018 Fedora Release Engineering <releng@fedoraproject.org> - 7.61.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
+
+* Wed Jul 11 2018 Kamil Dudka <kdudka@redhat.com> - 7.61.0-1
+- new upstream release, which fixes the following vulnerability
+    CVE-2018-0500 - SMTP send heap buffer overflow
+
+* Tue Jul 10 2018 Kamil Dudka <kdudka@redhat.com> - 7.60.0-3
+- enable support for brotli compression in libcurl-full
+
+* Wed Jul 04 2018 Kamil Dudka <kdudka@redhat.com> - 7.60.0-2
+- do not hard-wire path of the Python 3 interpreter
+
+* Wed May 16 2018 Kamil Dudka <kdudka@redhat.com> - 7.60.0-1
+- new upstream release, which fixes the following vulnerabilities
+    CVE-2018-1000300 - FTP shutdown response buffer overflow
+    CVE-2018-1000301 - RTSP bad headers buffer over-read
+
+* Thu Mar 15 2018 Kamil Dudka <kdudka@redhat.com> - 7.59.0-3
+- make the test-suite use Python 3
+
+* Wed Mar 14 2018 Kamil Dudka <kdudka@redhat.com> - 7.59.0-2
+- ftp: fix typo in recursive callback detection for seeking
+
+* Wed Mar 14 2018 Kamil Dudka <kdudka@redhat.com> - 7.59.0-1
+- new upstream release, which fixes the following vulnerabilities
+    CVE-2018-1000120 - FTP path trickery leads to NIL byte out of bounds write
+    CVE-2018-1000121 - LDAP NULL pointer dereference
+    CVE-2018-1000122 - RTSP RTP buffer over-read
+
+* Mon Mar 12 2018 Kamil Dudka <kdudka@redhat.com> - 7.58.0-8
+- http2: mark the connection for close on GOAWAY
+
+* Mon Feb 19 2018 Paul Howarth <paul@city-fan.org> - 7.58.0-7
+- Add explicity-used build requirements
+- Fix libcurl soname version number in %%files list to avoid accidental soname
+  bumps
+
+* Thu Feb 15 2018 Paul Howarth <paul@city-fan.org> - 7.58.0-6
+- switch to %%ldconfig_scriptlets
+- drop legacy BuildRoot: and Group: tags
+- enforce versioned libssh dependency for libcurl
+
+* Tue Feb 13 2018 Kamil Dudka <kdudka@redhat.com> - 7.58.0-5
+- drop temporary workaround for #1540549
+
+* Wed Feb 07 2018 Fedora Release Engineering <releng@fedoraproject.org> - 7.58.0-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
+
+* Wed Jan 31 2018 Kamil Dudka <kdudka@redhat.com> - 7.58.0-3
+- temporarily work around internal compiler error on x86_64 (#1540549)
+- disable brp-ldconfig to make RemovePathPostfixes work with shared libs again
+
+* Wed Jan 24 2018 Andreas Schneider <asn@redhat.com> - 7.58.0-2
+- use libssh (instead of libssh2) to implement SCP/SFTP in libcurl (#1531483)
+
+* Wed Jan 24 2018 Kamil Dudka <kdudka@redhat.com> - 7.58.0-1
+- new upstream release, which fixes the following vulnerabilities
+    CVE-2018-1000005 - curl: HTTP/2 trailer out-of-bounds read
+    CVE-2018-1000007 - curl: HTTP authentication leak in redirects
+
+* Wed Nov 29 2017 Kamil Dudka <kdudka@redhat.com> - 7.57.0-1
+- new upstream release, which fixes the following vulnerabilities
+    CVE-2017-8816 - curl: NTLM buffer overflow via integer overflow
+    CVE-2017-8817 - curl: FTP wildcard out of bounds read
+    CVE-2017-8818 - curl: SSL out of buffer access
+
+* Mon Oct 23 2017 Kamil Dudka <kdudka@redhat.com> - 7.56.1-1
+- new upstream release (fixes CVE-2017-1000257)
+
+* Wed Oct 04 2017 Kamil Dudka <kdudka@redhat.com> - 7.56.0-1
+- new upstream release (fixes CVE-2017-1000254)
+
+* Mon Aug 28 2017 Kamil Dudka <kdudka@redhat.com> - 7.55.1-5
+- apply the patch for the previous commit and fix its name (#1485702)
+
+* Mon Aug 28 2017 Bastien Nocera <bnocera@redhat.com> - 7.55.1-4
+- Fix NetworkManager connectivity check not working (#1485702)
+
+* Tue Aug 22 2017 Kamil Dudka <kdudka@redhat.com> 7.55.1-3
+- utilize system wide crypto policies for TLS (#1483972)
+
+* Tue Aug 15 2017 Kamil Dudka <kdudka@redhat.com> 7.55.1-2
+- make zsh completion work again
+
+* Mon Aug 14 2017 Kamil Dudka <kdudka@redhat.com> 7.55.1-1
+- new upstream release
+
+* Wed Aug 09 2017 Kamil Dudka <kdudka@redhat.com> 7.55.0-1
+- drop multilib fix for libcurl header files no longer needed
+- new upstream release, which fixes the following vulnerabilities
+    CVE-2017-1000099 - FILE buffer read out of bounds
+    CVE-2017-1000100 - TFTP sends more than buffer size
+    CVE-2017-1000101 - URL globbing out of bounds read
+
+* Wed Aug 02 2017 Fedora Release Engineering <releng@fedoraproject.org> - 7.54.1-8
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
+
+* Fri Jul 28 2017 Florian Weimer <fweimer@redhat.com> - 7.54.1-7
+- Rebuild with fixed binutils (#1475636)
+
+* Fri Jul 28 2017 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 7.54.1-6
+- Enable separate debuginfo back
+
+* Thu Jul 27 2017 Kamil Dudka <kdudka@redhat.com> 7.54.1-5
+- rebuild to fix broken linkage of cmake on ppc64le
+
+* Wed Jul 26 2017 Kamil Dudka <kdudka@redhat.com> 7.54.1-4
+- avoid build failure caused broken RPM code that produces debuginfo packages
+
+* Wed Jul 26 2017 Fedora Release Engineering <releng@fedoraproject.org> - 7.54.1-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
+
+* Mon Jun 19 2017 Kamil Dudka <kdudka@redhat.com> 7.54.1-2
+- enforce versioned openssl-libs dependency for libcurl (#1462184)
+
+* Wed Jun 14 2017 Kamil Dudka <kdudka@redhat.com> 7.54.1-1
+- new upstream release
+
+* Tue May 16 2017 Kamil Dudka <kdudka@redhat.com> 7.54.0-5
+- add *-full provides for curl and libcurl to make them explicitly installable
+
+* Thu May 04 2017 Kamil Dudka <kdudka@redhat.com> 7.54.0-4
+- make curl-minimal require a new enough version of libcurl
+
+* Thu Apr 27 2017 Kamil Dudka <kdudka@redhat.com> 7.54.0-3
+- switch the TLS backend back to OpenSSL (#1445153)
+
+* Tue Apr 25 2017 Kamil Dudka <kdudka@redhat.com> 7.54.0-2
+- nss: use libnssckbi.so as the default source of trust
+- nss: do not leak PKCS #11 slot while loading a key (#1444860)
+
+* Thu Apr 20 2017 Kamil Dudka <kdudka@redhat.com> 7.54.0-1
+- new upstream release (fixes CVE-2017-7468)
+
+* Thu Apr 13 2017 Paul Howarth <paul@city-fan.org> 7.53.1-7
+- add %%post and %%postun scriptlets for libcurl-minimal
+- libcurl-minimal provides both libcurl and libcurl%%{?_isa}
+- remove some legacy spec file cruft
+
+* Wed Apr 12 2017 Kamil Dudka <kdudka@redhat.com> 7.53.1-6
+- provide (lib)curl-minimal subpackages with lightweight build of (lib)curl
+
+* Mon Apr 10 2017 Kamil Dudka <kdudka@redhat.com> 7.53.1-5
+- disable upstream test 2033 (flaky test for HTTP/1 pipelining)
+
+* Fri Apr 07 2017 Kamil Dudka <kdudka@redhat.com> 7.53.1-4
+- fix out of bounds read in curl --write-out (CVE-2017-7407)
+
+* Mon Mar 06 2017 Kamil Dudka <kdudka@redhat.com> 7.53.1-3
+- make the dependency on nss-pem arch-specific (#1428550)
+
+* Thu Mar 02 2017 Kamil Dudka <kdudka@redhat.com> 7.53.1-2
+- re-enable valgrind on ix86 because sqlite is fixed (#1428286)
+
+* Fri Feb 24 2017 Kamil Dudka <kdudka@redhat.com> 7.53.1-1
+- new upstream release
+
+* Wed Feb 22 2017 Kamil Dudka <kdudka@redhat.com> 7.53.0-1
+- do not use valgrind on ix86 until sqlite is rebuilt by patched GCC (#1423434)
+- new upstream release (fixes CVE-2017-2629)
+
+* Fri Feb 10 2017 Fedora Release Engineering <releng@fedoraproject.org> - 7.52.1-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
+
+* Fri Dec 23 2016 Kamil Dudka <kdudka@redhat.com> 7.52.1-1
+- new upstream release (fixes CVE-2016-9586)
+
+* Mon Nov 21 2016 Kamil Dudka <kdudka@redhat.com> 7.51.0-3
+- map CURL_SSLVERSION_DEFAULT to NSS default, add support for TLS 1.3 (#1396719)
+
+* Tue Nov 15 2016 Kamil Dudka <kdudka@redhat.com> 7.51.0-2
+- stricter host name checking for file:// URLs
+- ssh: check md5 fingerprints case insensitively
+
+* Wed Nov 02 2016 Kamil Dudka <kdudka@redhat.com> 7.51.0-1
+- temporarily disable failing libidn2 test-cases
+- new upstream release, which fixes the following vulnerabilities
+    CVE-2016-8615 - Cookie injection for other servers
+    CVE-2016-8616 - Case insensitive password comparison
+    CVE-2016-8617 - Out-of-bounds write via unchecked multiplication
+    CVE-2016-8618 - Double-free in curl_maprintf
+    CVE-2016-8619 - Double-free in krb5 code
+    CVE-2016-8620 - Glob parser write/read out of bounds
+    CVE-2016-8621 - curl_getdate out-of-bounds read
+    CVE-2016-8622 - URL unescape heap overflow via integer truncation
+    CVE-2016-8623 - Use-after-free via shared cookies
+    CVE-2016-8624 - Invalid URL parsing with '#'
+    CVE-2016-8625 - IDNA 2003 makes curl use wrong host
+
+* Thu Oct 20 2016 Kamil Dudka <kdudka@redhat.com> 7.50.3-3
+- drop 0103-curl-7.50.0-stunnel.patch no longer needed
+
+* Fri Oct 07 2016 Kamil Dudka <kdudka@redhat.com> 7.50.3-2
+- use the just built version of libcurl while generating zsh completion
+
+* Wed Sep 14 2016 Kamil Dudka <kdudka@redhat.com> 7.50.3-1
+- new upstream release (fixes CVE-2016-7167)
+
+* Wed Sep 07 2016 Kamil Dudka <kdudka@redhat.com> 7.50.2-1
+- new upstream release
+
+* Fri Aug 26 2016 Kamil Dudka <kdudka@redhat.com> 7.50.1-2
+- work around race condition in PK11_FindSlotByName()
+- fix incorrect use of a previously loaded certificate from file
+  (related to CVE-2016-5420)
+
+* Wed Aug 03 2016 Kamil Dudka <kdudka@redhat.com> 7.50.1-1
+- new upstream release (fixes CVE-2016-5419, CVE-2016-5420, and CVE-2016-5421)
+
+* Tue Jul 26 2016 Kamil Dudka <kdudka@redhat.com> 7.50.0-2
+- run HTTP/2 tests on all architectures (#1360319 now worked around in nghttp2)
+
+* Thu Jul 21 2016 Kamil Dudka <kdudka@redhat.com> 7.50.0-1
+- run HTTP/2 tests only on Intel for now to work around #1358845
+- require nss-pem because it is no longer included in the nss package (#1347336)
+- fix HTTPS and FTPS tests (work around stunnel bug #1358810)
+- new upstream release
+
+* Fri Jun 17 2016 Kamil Dudka <kdudka@redhat.com> 7.49.1-3
+- use multilib-rpm-config to install arch-dependent header files
+
+* Fri Jun 03 2016 Kamil Dudka <kdudka@redhat.com> 7.49.1-2
+- fix SIGSEGV of the curl tool while parsing URL with too many globs (#1340757)
+
+* Mon May 30 2016 Kamil Dudka <kdudka@redhat.com> 7.49.1-1
+- new upstream release
+
+* Wed May 18 2016 Kamil Dudka <kdudka@redhat.com> 7.49.0-1
+- new upstream release
+
+* Wed Mar 23 2016 Kamil Dudka <kdudka@redhat.com> 7.48.0-1
+- new upstream release
+
 * Wed Mar 02 2016 Kamil Dudka <kdudka@redhat.com> 7.47.1-4
 - do not refuse cookies for localhost (#1308791)
 

curlbuild.h

@@ -1,9 +0,0 @@
-#include <bits/wordsize.h>
-
-#if __WORDSIZE == 32
-#include "curlbuild-32.h"
-#elif __WORDSIZE == 64
-#include "curlbuild-64.h"
-#else
-#error "Unknown word size"
-#endif

sources

@@ -1 +1 @@
-8242c073d8e5fc1c2a1aa946f1e903a4  curl-7.47.1.tar.lzma
+SHA512 (curl-7.67.0.tar.xz) = 1d5a344be92dd61b1ba5189eff0fe337e492f2e850794943570fe71c985d0af60bd412082be646e07aaa8639908593e1ce4bb2d07db35394ec377e8ce8b9ae29

tests/non-root-user-download/Makefile

@@ -0,0 +1,63 @@
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   Makefile of /CoreOS/curl/Sanity/non-root-user-download
+#   Description: various download methods with non-root user
+#   Author: Karel Srot <ksrot@redhat.com>
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   Copyright (c) 2013 Red Hat, Inc. All rights reserved.
+#
+#   This copyrighted material is made available to anyone wishing
+#   to use, modify, copy, or redistribute it subject to the terms
+#   and conditions of the GNU General Public License version 2.
+#
+#   This program is distributed in the hope that it will be
+#   useful, but WITHOUT ANY WARRANTY; without even the implied
+#   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+#   PURPOSE. See the GNU General Public License for more details.
+#
+#   You should have received a copy of the GNU General Public
+#   License along with this program; if not, write to the Free
+#   Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+#   Boston, MA 02110-1301, USA.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+export TEST=/CoreOS/curl/Sanity/non-root-user-download
+export TESTVERSION=1.0
+
+BUILT_FILES=
+
+FILES=$(METADATA) runtest.sh Makefile PURPOSE
+
+.PHONY: all install download clean
+
+run: $(FILES) build
+	./runtest.sh
+
+build: $(BUILT_FILES)
+	test -x runtest.sh || chmod a+x runtest.sh
+
+clean:
+	rm -f *~ $(BUILT_FILES)
+
+
+include /usr/share/rhts/lib/rhts-make.include
+
+$(METADATA): Makefile
+	@echo "Owner:           Karel Srot <ksrot@redhat.com>" > $(METADATA)
+	@echo "Name:            $(TEST)" >> $(METADATA)
+	@echo "TestVersion:     $(TESTVERSION)" >> $(METADATA)
+	@echo "Path:            $(TEST_DIR)" >> $(METADATA)
+	@echo "Description:     various download methods with non-root user" >> $(METADATA)
+	@echo "Type:            Sanity" >> $(METADATA)
+	@echo "TestTime:        5m" >> $(METADATA)
+	@echo "RunFor:          curl" >> $(METADATA)
+	@echo "Requires:        curl" >> $(METADATA)
+	@echo "Priority:        Normal" >> $(METADATA)
+	@echo "License:         GPLv2" >> $(METADATA)
+	@echo "Confidential:    no" >> $(METADATA)
+	@echo "Destructive:     no" >> $(METADATA)
+
+	rhts-lint $(METADATA)

tests/non-root-user-download/PURPOSE

@@ -0,0 +1,3 @@
+PURPOSE of /CoreOS/curl/Sanity/non-root-user-download
+Description: various download methods with non-root user
+Author: Karel Srot <ksrot@redhat.com>

tests/non-root-user-download/runtest.sh

@@ -0,0 +1,92 @@
+#!/bin/bash
+# vim: dict=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   runtest.sh of /CoreOS/curl/Sanity/non-root-user-download
+#   Description: various download methods with non-root user
+#   Author: Karel Srot <ksrot@redhat.com>
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   Copyright (c) 2013 Red Hat, Inc. All rights reserved.
+#
+#   This copyrighted material is made available to anyone wishing
+#   to use, modify, copy, or redistribute it subject to the terms
+#   and conditions of the GNU General Public License version 2.
+#
+#   This program is distributed in the hope that it will be
+#   useful, but WITHOUT ANY WARRANTY; without even the implied
+#   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+#   PURPOSE. See the GNU General Public License for more details.
+#
+#   You should have received a copy of the GNU General Public
+#   License along with this program; if not, write to the Free
+#   Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+#   Boston, MA 02110-1301, USA.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+# Include Beaker environment
+. /usr/bin/rhts-environment.sh || exit 1
+. /usr/share/beakerlib/beakerlib.sh || exit 1
+
+PACKAGE="curl"
+
+FTP_URL=ftp://ftp.scientificlinux.org/linux/fedora/releases/18/Live/x86_64/Fedora-18-x86_64-Live-CHECKSUM
+HTTP_URL=https://archives.fedoraproject.org/pub/archive/fedora/linux/releases/18/Live/x86_64/Fedora-18-x86_64-Live-CHECKSUM
+CONTENT=a276e06d244e04b765f0a35532d9036ad84f340b0bdcc32e0233a8fbc31d5bed
+PASSWORD=pAssw0rd
+OPTIONS=""
+rlIsRHEL 7 && OPTIONS="--insecure"
+
+rlJournalStart
+    rlPhaseStartSetup
+        rlAssertRpm $PACKAGE
+        rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory"
+        rlRun "pushd $TmpDir"
+        rlRun "useradd -m curltester" 0 "Adding the test user"
+        rlRun "echo $PASSWORD | passwd --stdin curltester" 0 "Setting the password for the test user"
+        rlRun "su - curltester -c 'echo $CONTENT > ~/testfile'" 0 "Creating ~curltester/testfile"
+        [ -d $HOME/.ssh ] || ( mkdir $HOME/.ssh && restorecon HOME/.ssh )
+        rlFileBackup $HOME/.ssh/known_hosts /etc/hosts
+        ssh-keygen -F localhost -f $HOME/.ssh/known_hosts || rlRun "ssh-keyscan localhost >> $HOME/.ssh/known_hosts"
+    rlPhaseEnd
+
+    rlPhaseStartTest "http download"
+        rlRun "su - curltester -c 'curl $HTTP_URL' &> http.log"
+        cat http.log
+        rlAssertGrep "$CONTENT" http.log
+    rlPhaseEnd
+
+    rlPhaseStartTest "ftp download"
+        rlRun "su - curltester -c 'curl $FTP_URL' &> ftp.log"
+        cat ftp.log
+        rlAssertGrep "$CONTENT" ftp.log
+    rlPhaseEnd
+
+if ! rlIsRHEL 5; then
+# scp sftp not supported on RHEL5
+
+    rlPhaseStartTest "scp download"
+        rlRun "curl -u curltester:$PASSWORD $OPTIONS scp://localhost/home/curltester/testfile &> scp.log"
+        cat scp.log
+        rlAssertGrep "$CONTENT" scp.log
+    rlPhaseEnd
+
+    rlPhaseStartTest "sftp download"
+        rlRun "curl -u curltester:$PASSWORD $OPTIONS sftp://localhost/home/curltester/testfile &> sftp.log"
+        cat sftp.log
+        rlAssertGrep "$CONTENT" sftp.log
+    rlPhaseEnd
+
+fi
+
+    rlPhaseStartCleanup
+        rlRun "rm -f $HOME/.ssh/known_hosts"
+        rlFileRestore
+        rlRun "popd"
+        rlRun "rm -r $TmpDir" 0 "Removing tmp directory"
+        rlRun "userdel -r --force curltester"
+    rlPhaseEnd
+rlJournalPrintText
+rlJournalEnd

tests/non-root-user-download/runtest.yml

@@ -0,0 +1,64 @@
+- hosts: '{{ hosts | default("localhost") }}'
+  vars:
+    package: "curl"
+  tasks:
+    - name: "Set Content variables"
+      set_fact:
+        content: "a276e06d244e04b765f0a35532d9036ad84f340b0bdcc32e0233a8fbc31d5bed"
+        password: "pAssw0rd"
+        crypt_password: "$6$/5GE87XLYLLfB3qx$w84Kct34UZG/4buTSXWkaaVIsw2xGXSAdmnS2QYdG8TtRgTsBnHdFdSkhoy.tKIE6A6LKlxczIZjQbpB19k7B1"
+    - name: "Create user curltester"
+      user: 
+        name: "curltester"
+        password: "{{ crypt_password }}"
+    - name: "Copy testfile"
+      copy:
+          dest: "/home/curltester/testfile"
+          content: "{{ content }}"
+    - block:
+      - name: "http download"
+        command: "curl https://archives.fedoraproject.org/pub/archive/fedora/linux/releases/18/Live/x86_64/Fedora-18-x86_64-Live-CHECKSUM"
+        args:
+            warn: false
+        register: http
+        become: yes
+        become_user: curltester
+      - name: "Compare http output"
+        fail:
+            msg: "{{ content }} not in {{ http.stdout }}"
+        when: content not in http.stdout
+      - name: "ftp download"
+        command: "curl ftp://ftp.scientificlinux.org/linux/fedora/releases/18/Live/x86_64/Fedora-18-x86_64-Live-CHECKSUM"
+        args:
+            warn: false
+        register: ftp
+        become: yes
+        become_user: curltester
+      - name: "Compare ftp output"
+        fail:
+            msg: "{{ content }} not in {{ ftp.stdout }}"
+        when: content not in ftp.stdout
+      - name: "scp download"
+        command: "curl -u curltester:{{ password }} --insecure scp://localhost/home/curltester/testfile"
+        args:
+            warn: false
+        register: scp
+      - name: "Compare scp output"
+        fail:
+            msg: "{{ content }} not in {{ scp.stdout }}"
+        when: content not in scp.stdout
+      - name: "sftp download"
+        command: "curl -u curltester:{{ password }} --insecure sftp://localhost/home/curltester/testfile"
+        args:
+            warn: false
+        register: sftp
+      - name: "Compare sftp output"
+        fail:
+            msg: "{{ content }} not in {{ sftp.stdout }}"
+        when: content not in sftp.stdout
+      always:
+      - name: "Remove user curltester"
+        user: 
+            name: "curltester"
+            remove: yes
+            state: absent

tests/scp-and-sftp-download-test/Makefile

@@ -0,0 +1,63 @@
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   Makefile of /CoreOS/curl/Sanity/scp-and-sftp-download-test
+#   Description: downloads test file through scp and sftp
+#   Author: Karel Srot <ksrot@redhat.com>
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   Copyright (c) 2012 Red Hat, Inc. All rights reserved.
+#
+#   This copyrighted material is made available to anyone wishing
+#   to use, modify, copy, or redistribute it subject to the terms
+#   and conditions of the GNU General Public License version 2.
+#
+#   This program is distributed in the hope that it will be
+#   useful, but WITHOUT ANY WARRANTY; without even the implied
+#   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+#   PURPOSE. See the GNU General Public License for more details.
+#
+#   You should have received a copy of the GNU General Public
+#   License along with this program; if not, write to the Free
+#   Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+#   Boston, MA 02110-1301, USA.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+export TEST=/CoreOS/curl/Sanity/scp-and-sftp-download-test
+export TESTVERSION=1.0
+
+BUILT_FILES=
+
+FILES=$(METADATA) runtest.sh Makefile PURPOSE
+
+.PHONY: all install download clean
+
+run: $(FILES) build
+	./runtest.sh
+
+build: $(BUILT_FILES)
+	test -x runtest.sh || chmod a+x runtest.sh
+
+clean:
+	rm -f *~ $(BUILT_FILES)
+
+
+include /usr/share/rhts/lib/rhts-make.include
+
+$(METADATA): Makefile
+	@echo "Owner:           Karel Srot <ksrot@redhat.com>" > $(METADATA)
+	@echo "Name:            $(TEST)" >> $(METADATA)
+	@echo "TestVersion:     $(TESTVERSION)" >> $(METADATA)
+	@echo "Path:            $(TEST_DIR)" >> $(METADATA)
+	@echo "Description:     downloads test file through scp and sftp" >> $(METADATA)
+	@echo "Type:            Sanity" >> $(METADATA)
+	@echo "TestTime:        10m" >> $(METADATA)
+	@echo "RunFor:          curl" >> $(METADATA)
+	@echo "Requires:        curl openssh" >> $(METADATA)
+	@echo "Priority:        Normal" >> $(METADATA)
+	@echo "License:         GPLv2" >> $(METADATA)
+	@echo "Confidential:    no" >> $(METADATA)
+	@echo "Destructive:     no" >> $(METADATA)
+
+	rhts-lint $(METADATA)

tests/scp-and-sftp-download-test/PURPOSE

@@ -0,0 +1,12 @@
+PURPOSE of /CoreOS/curl/Sanity/scp-and-sftp-download-test
+Description: downloads test file through scp and sftp
+Author: Karel Srot <ksrot@redhat.com>
+
+Test scenario:
+- scp download
+- sftp download
+- scp upload
+- sftp upload
+
+When PUBKEY_PARAM global variable is set to 'empty' or 'none', scenarios are executed
+with empty --pubkey parameter (--pubkey "") or with the paramiter omitted

tests/scp-and-sftp-download-test/runtest.sh

@@ -0,0 +1,130 @@
+#!/bin/bash
+# vim: dict=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   runtest.sh of /CoreOS/curl/Sanity/scp-and-sftp-download-test
+#   Description: downloads test file through scp and sftp
+#   Author: Karel Srot <ksrot@redhat.com>
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#
+#   Copyright (c) 2012 Red Hat, Inc. All rights reserved.
+#
+#   This copyrighted material is made available to anyone wishing
+#   to use, modify, copy, or redistribute it subject to the terms
+#   and conditions of the GNU General Public License version 2.
+#
+#   This program is distributed in the hope that it will be
+#   useful, but WITHOUT ANY WARRANTY; without even the implied
+#   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+#   PURPOSE. See the GNU General Public License for more details.
+#
+#   You should have received a copy of the GNU General Public
+#   License along with this program; if not, write to the Free
+#   Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+#   Boston, MA 02110-1301, USA.
+#
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+# Include Beaker environment
+. /usr/bin/rhts-environment.sh
+. /usr/lib/beakerlib/beakerlib.sh
+
+PACKAGE="curl"
+
+# GLOBAL/ENVIRONMENT VARIABLE:
+# PUBKEY_PARAM
+
+if [ "$PUBKEY_PARAM" == 'none' ]; then
+  PUBKEY_PARAM=""
+elif [ "$PUBKEY_PARAM" == 'empty' ]; then
+  PUBKEY_PARAM="--pubkey ''"
+else
+  PUBKEY_PARAM='--pubkey /root/.ssh/id_rsa.pub'
+fi
+
+FILESIZE=200 #MB
+OPTIONS=""
+rlIsRHEL 7 && OPTIONS="--insecure"
+
+rlJournalStart
+    rlPhaseStartSetup
+        rlAssertRpm $PACKAGE
+        rlFileBackup --clean  /root/.ssh/known_hosts /root/.ssh
+        rlFileBackup --clean  /etc/ssh/sshd_config
+        rlRun "useradd -m curltestuser"
+
+        # In FIPS-140 we need to explicitly allow one of libssh2-implemented
+        # Kex algorithms (eg. DH14-SHA1).
+        rlRun "echo 'KexAlgorithms +diffie-hellman-group14-sha1' >> /etc/ssh/sshd_config" 0
+        rlServiceStop "sshd"
+        rlRun "service sshd start && sleep 5" 0
+
+        # file for download test
+        rlRun "su - curltestuser -c 'dd if=/dev/zero of=testfile bs=1M count=200'" 0 "Creating $FILESIZE MB large test file"
+        SUM=`sha256sum /home/curltestuser/testfile | cut -d ' ' -f 1`
+        rlRun "TmpDir=\$(mktemp -d)" 0 "Creating tmp directory"
+        rlRun "pushd $TmpDir"
+        rlRun "rm -vf /root/.ssh/*"
+        rlRun "ssh-keygen -t rsa -f /root/.ssh/id_rsa -N ''" 0 "Generate ssh key"
+        rlRun "mkdir /home/curltestuser/.ssh && cat /root/.ssh/id_rsa.pub > /home/curltestuser/.ssh/authorized_keys && chown -R curltestuser.curltestuser /home/curltestuser/.ssh/" 0 "Save the key to .ssh/authorized_keys"
+
+        # this is a workaround as libssh2 is not able to use newer hashes
+        #rlRun "ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/root/.ssh/known_hosts curltestuser@localhost 'exit'" 0 "First ssh login to add localhost to known_hosts"
+        rlRun "ssh-keyscan localhost >>/root/.ssh/known_hosts"
+
+        # files for upload test
+        rlRun "dd if=/dev/zero of=uploadfile1 bs=1M count=50" 0 "Creating 50 MB large test file"
+        UPSUM1=`sha256sum uploadfile1 | cut -d ' ' -f 1`
+        rlRun "dd if=/dev/zero of=uploadfile2 bs=1M count=20" 0 "Creating 20 MB large test file"
+        UPSUM2=`sha256sum uploadfile2 | cut -d ' ' -f 1`
+    rlPhaseEnd
+
+    rlPhaseStartTest "scp download test"
+        rlRun "curl -o ./scp_file -u curltestuser: --key /root/.ssh/id_rsa $PUBKEY_PARAM $OPTIONS scp://localhost/home/curltestuser/testfile" 0 "Initiate curl scp download"
+        rlAssertExists scp_file
+        SCPSUM=`sha256sum ./scp_file | cut -d ' ' -f 1`
+        rlAssertEquals "Checking that whole file was properly downloaded" $SUM $SCPSUM
+        rm -f ./scp_file
+    rlPhaseEnd
+
+    rlPhaseStartTest "sftp download test"
+        rlRun "curl -o ./sftp_file -u curltestuser: --key /root/.ssh/id_rsa $PUBKEY_PARAM $OPTIONS sftp://localhost/home/curltestuser/testfile" 0 "Initiate curl scp download"
+        rlAssertExists sftp_file
+        SFTPSUM=`sha256sum ./sftp_file | cut -d ' ' -f 1`
+        rlAssertEquals "Checking that whole file was properly downloaded" $SUM $SFTPSUM
+        rm -f ./sftp_file
+    rlPhaseEnd
+
+    rlPhaseStartTest "scp upload test"
+        rlRun "curl -T '{uploadfile1,uploadfile2}' scp://localhost/home/curltestuser/ -u curltestuser: --key /root/.ssh/id_rsa $PUBKEY_PARAM $OPTIONS" 0 "Initiate curl scp upload"
+        rlAssertExists /home/curltestuser/uploadfile1
+        rlAssertExists /home/curltestuser/uploadfile2
+        SCPUPSUM1=`sha256sum /home/curltestuser/uploadfile1 | cut -d ' ' -f 1`
+        SCPUPSUM2=`sha256sum /home/curltestuser/uploadfile2 | cut -d ' ' -f 1`
+        rlAssertEquals "Checking that 1st file was properly uploaded" ${UPSUM1} ${SCPUPSUM1}
+        rlAssertEquals "Checking that 2nd file was properly uploaded" ${UPSUM2} ${SCPUPSUM2}
+        rm -f /home/curltestuser/uploadfile1 /home/curltestuser/uploadfile2
+    rlPhaseEnd
+
+    rlPhaseStartTest "sftp upload test"
+        rlRun "curl -T '{uploadfile1,uploadfile2}' sftp://localhost/home/curltestuser/ -u curltestuser: --key /root/.ssh/id_rsa $PUBKEY_PARAM $OPTIONS" 0 "Initiate curl sftp upload"
+        rlAssertExists /home/curltestuser/uploadfile1
+        rlAssertExists /home/curltestuser/uploadfile2
+        SFTPUPSUM1=`sha256sum /home/curltestuser/uploadfile1 | cut -d ' ' -f 1`
+        SFTPUPSUM2=`sha256sum /home/curltestuser/uploadfile2 | cut -d ' ' -f 1`
+        rlAssertEquals "Checking that 1st file was properly uploaded" ${UPSUM1} ${SFTPUPSUM1}
+        rlAssertEquals "Checking that 2nd file was properly uploaded" ${UPSUM2} ${SFTPUPSUM2}
+        rm -f /home/curltestuser/uploadfile1 /home/curltestuser/uploadfile2
+    rlPhaseEnd
+
+
+    rlPhaseStartCleanup
+        rlRun "userdel -r --force curltestuser"
+        rlRun "popd"
+        rlRun "rm -r $TmpDir" 0 "Removing tmp directory"
+        rlFileRestore
+        rlServiceRestore "sshd"
+    rlPhaseEnd
+rlJournalPrintText
+rlJournalEnd

tests/tests.yml

@@ -0,0 +1,26 @@
+---
+# Tests for Classic
+- hosts: localhost
+  roles:
+  - role: standard-test-beakerlib
+    tags:
+    - classic
+    tests:
+    - scp-and-sftp-download-test
+    - non-root-user-download
+    required_packages:
+    - findutils         # non-root-user-download needs find command
+                        # scp-and-sftp-download-test needs find command
+    - passwd            # non-root-user-download needs passwd command
+    - openssh-clients   # non-root-user-download needs ssh-keyscan command
+
+# Tests for Atomic
+- hosts: localhost
+  roles:
+  - role: standard-test-beakerlib
+    tags:
+    - atomic
+    tests:
+    - scp-and-sftp-download-test
+    - non-root-user-download
+