diff --git a/.fmf/version b/.fmf/version
new file mode 100644
index 0000000..d00491f
--- /dev/null
+++ b/.fmf/version
@@ -0,0 +1 @@
+1
diff --git a/.gitignore b/.gitignore
index 7dcfd8f..9bb4285 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,6 @@
 /curl-[0-9.]*.tar.lzma
+/curl-[0-9.]*.tar.lzma.asc
 /curl-[0-9.]*.tar.xz
+/curl-[0-9.]*.tar.xz.asc
+/curl-[0-9]*.[0-9]*.[0-9]*/
+/*.src.rpm
diff --git a/0001-curl-7.71.1-tool-krb-opt.patch b/0001-curl-7.71.1-tool-krb-opt.patch
deleted file mode 100644
index 5e76f50..0000000
--- a/0001-curl-7.71.1-tool-krb-opt.patch
+++ /dev/null
@@ -1,65 +0,0 @@
-From a58654cbc5bea608b9c8729703a6d866ffaae8d8 Mon Sep 17 00:00:00 2001
-From: Kamil Dudka
-Date: Thu, 2 Jul 2020 17:41:37 +0200
-Subject: [PATCH 1/2] tool_getparam: make --krb option work again
-
-It was disabled by mistake in commit curl-7_37_1-23-ge38ba4301.
-
-Bug: https://bugzilla.redhat.com/1833193
-Closes #5640
-
-Upstream-commit: d2fd845c35922ca73b89c617597dd5c59772e16a
-Signed-off-by: Kamil Dudka
----
- src/tool_getparam.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/tool_getparam.c b/src/tool_getparam.c
-index 3409621..9c6bc8a 100644
---- a/src/tool_getparam.c
-+++ b/src/tool_getparam.c
-@@ -813,7 +813,7 @@ ParameterError getparameter(const char *flag, /* f or -long-flag */
- break;
- case 'x': /* --krb */
- /* kerberos level string */
-- if(curlinfo->features & CURL_VERSION_KERBEROS4)
-+ if(curlinfo->features & CURL_VERSION_SPNEGO)
- GetStr(&config->krblevel, nextarg);
- else
- return PARAM_LIBCURL_DOESNT_SUPPORT;
---
-2.21.3
-
-
-From 0be44560dfe3597a12b21b95798f69714ff0459a Mon Sep 17 00:00:00 2001
-From: Daniel Stenberg
-Date: Thu, 2 Jul 2020 23:46:40 +0200
-Subject: [PATCH 2/2] curl_version_info.3: CURL_VERSION_KERBEROS4 is deprecated
-
-This came up in #5640. It make sense to clarify this in the docs!
-
-Reminded-by: Kamil Dudka
-Closes #5642
-
-Upstream-commit: 54f21be2e3a64b9e57130cf6d1eb4f17c44d7967
-Signed-off-by: Kamil Dudka
----
- docs/libcurl/curl_version_info.3 | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/docs/libcurl/curl_version_info.3 b/docs/libcurl/curl_version_info.3
-index 2d21dfb..0d26e87 100644
---- a/docs/libcurl/curl_version_info.3
-+++ b/docs/libcurl/curl_version_info.3
-@@ -151,7 +151,7 @@ letters. (Added in 7.12.0)
- .IP CURL_VERSION_IPV6
- supports IPv6
- .IP CURL_VERSION_KERBEROS4
--supports Kerberos V4 (when using FTP)
-+supports Kerberos V4 (when using FTP). Legacy bit. Deprecated since 7.33.0.
- .IP CURL_VERSION_KERBEROS5
- supports Kerberos V5 authentication for FTP, IMAP, POP3, SMTP and SOCKSv5 proxy
- (Added in 7.40.0)
---
-2.21.3
-
diff --git a/0002-curl-7.71.1-unset-nobody.patch b/0002-curl-7.71.1-unset-nobody.patch
deleted file mode 100644
index 1646a72..0000000
--- a/0002-curl-7.71.1-unset-nobody.patch
+++ /dev/null
@@ -1,148 +0,0 @@
-From 750188fc8eb239f51255d6f3510f544377e78ecd Mon Sep 17 00:00:00 2001
-From: Daniel Stenberg
-Date: Mon, 27 Jul 2020 11:44:01 +0200
-Subject: [PATCH 1/3] setopt: unset NOBODY switches to GET if still HEAD
-
-Unsetting CURLOPT_NOBODY with 0L when doing HTTP has no documented
-action but before 7.71.0 that used to switch back to GET and with this
-change (assuming the method is still set to HEAD) this behavior is
-brought back.
-
-Reported-by: causal-agent on github
-Fixes #5725
-Closes #5728
-
-Upstream-commit: 91cb16b21faa556d4467399781379ad3abafd3fe
-Signed-off-by: Kamil Dudka
----
- lib/setopt.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/lib/setopt.c b/lib/setopt.c
-index 90edf6a..d621335 100644
---- a/lib/setopt.c
-+++ b/lib/setopt.c
-@@ -274,6 +274,8 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
- if(data->set.opt_no_body)
- /* in HTTP lingo, no body means using the HEAD request... */
- data->set.method = HTTPREQ_HEAD;
-+ else if(data->set.method == HTTPREQ_HEAD)
-+ data->set.method = HTTPREQ_GET;
- break;
- case CURLOPT_FAILONERROR:
- /*
---
-2.25.4
-
-
-From 44add6f66c7ddec9f002fb52ce8e893a8ca9165d Mon Sep 17 00:00:00 2001
-From: Daniel Stenberg
-Date: Mon, 27 Jul 2020 11:54:29 +0200
-Subject: [PATCH 2/3] CURLOPT_NOBODY.3: clarify what setting to 0 means
-
-... and mention that HTTP with other methods than HEAD might get a body and
-there's no option available to stop that.
-
-Closes #5729
-
-Upstream-commit: e1bac81cc815f3fe968e009eb69b8e0236dcd82c
-Signed-off-by: Kamil Dudka
----
- docs/libcurl/opts/CURLOPT_NOBODY.3 | 22 ++++++++++++++++------
- 1 file changed, 16 insertions(+), 6 deletions(-)
-
-diff --git a/docs/libcurl/opts/CURLOPT_NOBODY.3 b/docs/libcurl/opts/CURLOPT_NOBODY.3
-index f720f49..3674dde 100644
---- a/docs/libcurl/opts/CURLOPT_NOBODY.3
-+++ b/docs/libcurl/opts/CURLOPT_NOBODY.3
-@@ -5,7 +5,7 @@
- .\" * | (__| |_| | _ <| |___
- .\" * \___|\___/|_| \_\_____|
- .\" *
--.\" * Copyright (C) 1998 - 2017, Daniel Stenberg, , et al.
-+.\" * Copyright (C) 1998 - 2020, Daniel Stenberg, , et al.
- .\" *
- .\" * This software is licensed as described in the file COPYING, which
- .\" * you should have received as part of this distribution. The terms
-@@ -34,7 +34,17 @@ output when doing what would otherwise be a download. For HTTP(S), this makes
- libcurl do a HEAD request. For most other protocols it means just not asking
- to transfer the body data.
-
--Enabling this option means asking for a download but without a body.
-+For HTTP operations when \fBCURLOPT_NOBODY(3)\fP has been set, unsetting the
-+option (with 0) will make it a GET again - only if the method is still set to
-+be HEAD. The proper way to get back to a GET request is to set
-+\fBCURLOPT_HTTPGET(3)\fP and for other methods, use the POST ur UPLOAD
-+options.
-+
-+Enabling \fBCURLOPT_NOBODY(3)\fP means asking for a download without a body.
-+
-+If you do a transfer with HTTP that involves a method other than HEAD, you
-+will get a body (unless the resource and server sends a zero byte body for the
-+specific URL you request).
- .SH DEFAULT
- 0, the body is transferred
- .SH PROTOCOLS
-@@ -43,9 +53,9 @@ Most
- .nf
- curl = curl_easy_init();
- if(curl) {
-- curl_easy_setopt(curl, CURLOPT_URL, "http://example.com");
-+ curl_easy_setopt(curl, CURLOPT_URL, "https://example.com");
-
-- /* get us the resource without a body! */
-+ /* get us the resource without a body - use HEAD! */
- curl_easy_setopt(curl, CURLOPT_NOBODY, 1L);
-
- /* Perform the request */
-@@ -57,5 +67,5 @@ Always
- .SH RETURN VALUE
- Returns CURLE_OK
- .SH "SEE ALSO"
--.BR CURLOPT_HTTPGET "(3), " CURLOPT_POST "(3), "
--.BR CURLOPT_REQUEST_TARGET "(3), "
-+.BR CURLOPT_HTTPGET "(3), " CURLOPT_POSTFIELDS "(3), " CURLOPT_UPLOAD "(3), "
-+.BR CURLOPT_REQUEST_TARGET "(3), " CURLOPT_MIMEPOST "(3), "
---
-2.25.4
-
-
-From cc8e488c83254013a0ad1149a77565723aee870b Mon Sep 17 00:00:00 2001
-From: Daniel Stenberg
-Date: Mon, 27 Jul 2020 23:59:00 +0200
-Subject: [PATCH 3/3] CURLOPT_NOBODY.3: fix the syntax for referring to options
-
-As test 1140 fails otherwise!
-
-Follow-up to e1bac81cc815
-
-Upstream-commit: 34e5ad21d2cb98475acdbf7a3a6ea973d8c12249
-Signed-off-by: Kamil Dudka
----
- docs/libcurl/opts/CURLOPT_NOBODY.3 | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/docs/libcurl/opts/CURLOPT_NOBODY.3 b/docs/libcurl/opts/CURLOPT_NOBODY.3
-index 3674dde..112fb1a 100644
---- a/docs/libcurl/opts/CURLOPT_NOBODY.3
-+++ b/docs/libcurl/opts/CURLOPT_NOBODY.3
-@@ -34,13 +34,13 @@ output when doing what would otherwise be a download. For HTTP(S), this makes
- libcurl do a HEAD request. For most other protocols it means just not asking
- to transfer the body data.
-
--For HTTP operations when \fBCURLOPT_NOBODY(3)\fP has been set, unsetting the
-+For HTTP operations when \fICURLOPT_NOBODY(3)\fP has been set, unsetting the
- option (with 0) will make it a GET again - only if the method is still set to
- be HEAD. The proper way to get back to a GET request is to set
--\fBCURLOPT_HTTPGET(3)\fP and for other methods, use the POST ur UPLOAD
-+\fICURLOPT_HTTPGET(3)\fP and for other methods, use the POST ur UPLOAD
- options.
-
--Enabling \fBCURLOPT_NOBODY(3)\fP means asking for a download without a body.
-+Enabling \fICURLOPT_NOBODY(3)\fP means asking for a download without a body.
-
- If you do a transfer with HTTP that involves a method other than HEAD, you
- will get a body (unless the resource and server sends a zero byte body for the
---
-2.25.4
-
diff --git a/0004-curl-7.71.1-CVE-2020-8231.patch b/0004-curl-7.71.1-CVE-2020-8231.patch
deleted file mode 100644
index 1a09b84..0000000
--- a/0004-curl-7.71.1-CVE-2020-8231.patch
+++ /dev/null
@@ -1,281 +0,0 @@ -From 6830828c9eecd9ab14404f2f49f19b56dec62130 Mon Sep 17 00:00:00 2001 -From: Marc Aldorasi -Date: Thu, 30 Jul 2020 14:16:17 -0400 -Subject: [PATCH 1/2] multi_remove_handle: close unused connect-only - connections - -Previously any connect-only connections in a multi handle would be kept -alive until the multi handle was closed. Since these connections cannot -be re-used, they can be marked for closure when the associated easy -handle is removed from the multi handle. - -Closes #5749 - -Upstream-commit: d5bb459ccf1fc5980ae4b95c05b4ecf6454a7599 -Signed-off-by: Kamil Dudka ---- - lib/multi.c | 34 ++++++++++++++++++++++++++++++---- - tests/data/test1554 | 6 ++++++ - 2 files changed, 36 insertions(+), 4 deletions(-) - -diff --git a/lib/multi.c b/lib/multi.c -index 249e360..f1371bd 100644 ---- a/lib/multi.c -+++ b/lib/multi.c -@@ -689,6 +689,26 @@ static CURLcode multi_done(struct Curl_easy *data, - return result; - } - -+static int close_connect_only(struct connectdata *conn, void *param) -+{ -+ struct Curl_easy *data = param; -+ -+ if(data->state.lastconnect != conn) -+ return 0; -+ -+ if(conn->data != data) -+ return 1; -+ conn->data = NULL; -+ -+ if(!conn->bits.connect_only) -+ return 1; -+ -+ connclose(conn, "Removing connect-only easy handle"); -+ conn->bits.connect_only = FALSE; -+ -+ return 1; -+} -+ - CURLMcode curl_multi_remove_handle(struct Curl_multi *multi, - struct Curl_easy *data) - { -@@ -776,10 +796,6 @@ CURLMcode curl_multi_remove_handle(struct Curl_multi *multi, - multi_done() as that may actually call Curl_expire that uses this */ - Curl_llist_destroy(&data->state.timeoutlist, NULL); - -- /* as this was using a shared connection cache we clear the pointer to that -- since we're not part of that multi handle anymore */ -- data->state.conn_cache = NULL; -- - /* change state without using multistate(), only to make singlesocket() do - what we want */ - data->mstate = CURLM_STATE_COMPLETED; -@@ -789,12 +805,22 @@ CURLMcode 
curl_multi_remove_handle(struct Curl_multi *multi, - /* Remove the association between the connection and the handle */ - Curl_detach_connnection(data); - -+ if(data->state.lastconnect) { -+ /* Mark any connect-only connection for closure */ -+ Curl_conncache_foreach(data, data->state.conn_cache, -+ data, &close_connect_only); -+ } -+ - #ifdef USE_LIBPSL - /* Remove the PSL association. */ - if(data->psl == &multi->psl) - data->psl = NULL; - #endif - -+ /* as this was using a shared connection cache we clear the pointer to that -+ since we're not part of that multi handle anymore */ -+ data->state.conn_cache = NULL; -+ - data->multi = NULL; /* clear the association to this multi handle */ - - /* make sure there's no pending message in the queue sent from this easy -diff --git a/tests/data/test1554 b/tests/data/test1554 -index d3926d9..fffa6ad 100644 ---- a/tests/data/test1554 -+++ b/tests/data/test1554 -@@ -50,6 +50,8 @@ run 1: foobar and so on fun! - <- Mutex unlock - -> Mutex lock - <- Mutex unlock -+-> Mutex lock -+<- Mutex unlock - run 1: foobar and so on fun! - -> Mutex lock - <- Mutex unlock -@@ -65,6 +67,8 @@ run 1: foobar and so on fun! - <- Mutex unlock - -> Mutex lock - <- Mutex unlock -+-> Mutex lock -+<- Mutex unlock - run 1: foobar and so on fun! - -> Mutex lock - <- Mutex unlock -@@ -74,6 +78,8 @@ run 1: foobar and so on fun! 
- <- Mutex unlock - -> Mutex lock - <- Mutex unlock -+-> Mutex lock -+<- Mutex unlock - - - --- -2.25.4 - - -From 01148ee40dd913a169435b0f9ea90e6393821e70 Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Sun, 16 Aug 2020 11:34:35 +0200 -Subject: [PATCH 2/2] Curl_easy: remember last connection by id, not by pointer - -CVE-2020-8231 - -Bug: https://curl.haxx.se/docs/CVE-2020-8231.html - -Reported-by: Marc Aldorasi -Closes #5824 - -Upstream-commit: 3c9e021f86872baae412a427e807fbfa2f3e8a22 -Signed-off-by: Kamil Dudka ---- - lib/connect.c | 19 ++++++++++--------- - lib/easy.c | 3 +-- - lib/multi.c | 9 +++++---- - lib/url.c | 2 +- - lib/urldata.h | 2 +- - 5 files changed, 18 insertions(+), 17 deletions(-) - -diff --git a/lib/connect.c b/lib/connect.c -index 29293f0..e1c5662 100644 ---- a/lib/connect.c -+++ b/lib/connect.c -@@ -1363,15 +1363,15 @@ CURLcode Curl_connecthost(struct connectdata *conn, /* context */ - } - - struct connfind { -- struct connectdata *tofind; -- bool found; -+ long id_tofind; -+ struct connectdata *found; - }; - - static int conn_is_conn(struct connectdata *conn, void *param) - { - struct connfind *f = (struct connfind *)param; -- if(conn == f->tofind) { -- f->found = TRUE; -+ if(conn->connection_id == f->id_tofind) { -+ f->found = conn; - return 1; - } - return 0; -@@ -1393,21 +1393,22 @@ curl_socket_t Curl_getconnectinfo(struct Curl_easy *data, - * - that is associated with a multi handle, and whose connection - * was detached with CURLOPT_CONNECT_ONLY - */ -- if(data->state.lastconnect && (data->multi_easy || data->multi)) { -- struct connectdata *c = data->state.lastconnect; -+ if((data->state.lastconnect_id != -1) && (data->multi_easy || data->multi)) { -+ struct connectdata *c; - struct connfind find; -- find.tofind = data->state.lastconnect; -- find.found = FALSE; -+ find.id_tofind = data->state.lastconnect_id; -+ find.found = NULL; - - Curl_conncache_foreach(data, data->multi_easy? 
- &data->multi_easy->conn_cache: - &data->multi->conn_cache, &find, conn_is_conn); - - if(!find.found) { -- data->state.lastconnect = NULL; -+ data->state.lastconnect_id = -1; - return CURL_SOCKET_BAD; - } - -+ c = find.found; - if(connp) { - /* only store this if the caller cares for it */ - *connp = c; -diff --git a/lib/easy.c b/lib/easy.c -index 292cca7..a69eb9e 100644 ---- a/lib/easy.c -+++ b/lib/easy.c -@@ -838,8 +838,7 @@ struct Curl_easy *curl_easy_duphandle(struct Curl_easy *data) - - /* the connection cache is setup on demand */ - outcurl->state.conn_cache = NULL; -- -- outcurl->state.lastconnect = NULL; -+ outcurl->state.lastconnect_id = -1; - - outcurl->progress.flags = data->progress.flags; - outcurl->progress.callback = data->progress.callback; -diff --git a/lib/multi.c b/lib/multi.c -index f1371bd..778c537 100644 ---- a/lib/multi.c -+++ b/lib/multi.c -@@ -455,6 +455,7 @@ CURLMcode curl_multi_add_handle(struct Curl_multi *multi, - data->state.conn_cache = &data->share->conn_cache; - else - data->state.conn_cache = &multi->conn_cache; -+ data->state.lastconnect_id = -1; - - #ifdef USE_LIBPSL - /* Do the same for PSL. 
*/ -@@ -677,11 +678,11 @@ static CURLcode multi_done(struct Curl_easy *data, - CONNCACHE_UNLOCK(data); - if(Curl_conncache_return_conn(data, conn)) { - /* remember the most recently used connection */ -- data->state.lastconnect = conn; -+ data->state.lastconnect_id = conn->connection_id; - infof(data, "%s\n", buffer); - } - else -- data->state.lastconnect = NULL; -+ data->state.lastconnect_id = -1; - } - - Curl_safefree(data->state.buffer); -@@ -693,7 +694,7 @@ static int close_connect_only(struct connectdata *conn, void *param) - { - struct Curl_easy *data = param; - -- if(data->state.lastconnect != conn) -+ if(data->state.lastconnect_id != conn->connection_id) - return 0; - - if(conn->data != data) -@@ -805,7 +806,7 @@ CURLMcode curl_multi_remove_handle(struct Curl_multi *multi, - /* Remove the association between the connection and the handle */ - Curl_detach_connnection(data); - -- if(data->state.lastconnect) { -+ if(data->state.lastconnect_id != -1) { - /* Mark any connect-only connection for closure */ - Curl_conncache_foreach(data, data->state.conn_cache, - data, &close_connect_only); -diff --git a/lib/url.c b/lib/url.c -index a1a6b69..2919a3d 100644 ---- a/lib/url.c -+++ b/lib/url.c -@@ -630,7 +630,7 @@ CURLcode Curl_open(struct Curl_easy **curl) - Curl_initinfo(data); - - /* most recent connection is not yet defined */ -- data->state.lastconnect = NULL; -+ data->state.lastconnect_id = -1; - - data->progress.flags |= PGRS_HIDE; - data->state.current_speed = -1; /* init to negative == impossible */ -diff --git a/lib/urldata.h b/lib/urldata.h -index f80a02d..6d8eb69 100644 ---- a/lib/urldata.h -+++ b/lib/urldata.h -@@ -1300,7 +1300,7 @@ struct UrlState { - /* buffers to store authentication data in, as parsed from input options */ - struct curltime keeps_speed; /* for the progress meter really */ - -- struct connectdata *lastconnect; /* The last connection, NULL if undefined */ -+ long lastconnect_id; /* The last connection, -1 if undefined */ - struct dynbuf 
headerb; /* buffer to store headers in */ - - char *buffer; /* download buffer */ --- -2.25.4 - diff --git a/0005-curl-7.71.1-CVE-2020-8284.patch b/0005-curl-7.71.1-CVE-2020-8284.patch deleted file mode 100644 index f5677e3..0000000 --- a/0005-curl-7.71.1-CVE-2020-8284.patch +++ /dev/null 
@@ -1,208 +0,0 @@ -From c7cc15980d50a51857de66b701b7762789139b46 Mon Sep 17 00:00:00 2001 -From: Daniel Stenberg -Date: Tue, 24 Nov 2020 14:56:57 +0100 -Subject: [PATCH] ftp: CURLOPT_FTP_SKIP_PASV_IP by default - -The command line tool also independently sets --ftp-skip-pasv-ip by -default. - -Ten test cases updated to adapt the modified --libcurl output. - -Bug: https://curl.se/docs/CVE-2020-8284.html -CVE-2020-8284 - -Reported-by: Varnavas Papaioannou - -Upstream-commit: ec9cc725d598ac77de7b6df8afeec292b3c8ad46 -Signed-off-by: Kamil Dudka ---- - docs/cmdline-opts/ftp-skip-pasv-ip.d | 2 ++ - docs/libcurl/opts/CURLOPT_FTP_SKIP_PASV_IP.3 | 8 +++++--- - lib/url.c | 1 + - src/tool_cfgable.c | 1 + - tests/data/test1400 | 1 + - tests/data/test1401 | 1 + - tests/data/test1402 | 1 + - tests/data/test1403 | 1 + - tests/data/test1404 | 1 + - tests/data/test1405 | 1 + - tests/data/test1406 | 1 + - tests/data/test1407 | 1 + - tests/data/test1420 | 1 + - 13 files changed, 18 insertions(+), 3 deletions(-) - -diff --git a/docs/cmdline-opts/ftp-skip-pasv-ip.d b/docs/cmdline-opts/ftp-skip-pasv-ip.d -index da6ab11..4be8b43 100644 ---- a/docs/cmdline-opts/ftp-skip-pasv-ip.d -+++ b/docs/cmdline-opts/ftp-skip-pasv-ip.d -@@ -9,4 +9,6 @@ to curl's PASV command when curl connects the data connection. Instead curl - will re-use the same IP address it already uses for the control - connection. - -+Since curl 7.74.0 this option is enabled by default. -+ - This option has no effect if PORT, EPRT or EPSV is used instead of PASV. -diff --git a/docs/libcurl/opts/CURLOPT_FTP_SKIP_PASV_IP.3 b/docs/libcurl/opts/CURLOPT_FTP_SKIP_PASV_IP.3 -index e68d2e7..29bc672 100644 ---- a/docs/libcurl/opts/CURLOPT_FTP_SKIP_PASV_IP.3 -+++ b/docs/libcurl/opts/CURLOPT_FTP_SKIP_PASV_IP.3 -@@ -5,7 +5,7 @@ - .\" * | (__| |_| | _ <| |___ - .\" * \___|\___/|_| \_\_____| - .\" * --.\" * Copyright (C) 1998 - 2017, Daniel Stenberg, , et al. -+.\" * Copyright (C) 1998 - 2020, Daniel Stenberg, , et al. 
- .\" * - .\" * This software is licensed as described in the file COPYING, which - .\" * you should have received as part of this distribution. The terms -@@ -36,11 +36,13 @@ address it already uses for the control connection. But it will use the port - number from the 227-response. - - This option thus allows libcurl to work around broken server installations --that due to NATs, firewalls or incompetence report the wrong IP address back. -+that due to NATs, firewalls or incompetence report the wrong IP address -+back. Setting the option also reduces the risk for various sorts of client -+abuse by malicious servers. - - This option has no effect if PORT, EPRT or EPSV is used instead of PASV. - .SH DEFAULT --0 -+1 since 7.74.0, was 0 before then. - .SH PROTOCOLS - FTP - .SH EXAMPLE -diff --git a/lib/url.c b/lib/url.c -index 2919a3d..41029d6 100644 ---- a/lib/url.c -+++ b/lib/url.c -@@ -480,6 +480,7 @@ CURLcode Curl_init_userdefined(struct Curl_easy *data) - set->ftp_use_eprt = TRUE; /* FTP defaults to EPRT operations */ - set->ftp_use_pret = FALSE; /* mainly useful for drftpd servers */ - set->ftp_filemethod = FTPFILE_MULTICWD; -+ set->ftp_skip_ip = TRUE; /* skip PASV IP by default */ - #endif - set->dns_cache_timeout = 60; /* Timeout every 60 seconds by default */ - -diff --git a/src/tool_cfgable.c b/src/tool_cfgable.c -index 63bdeaa..22770c4 100644 ---- a/src/tool_cfgable.c -+++ b/src/tool_cfgable.c -@@ -44,6 +44,7 @@ void config_init(struct OperationConfig *config) - config->tcp_nodelay = TRUE; /* enabled by default */ - config->happy_eyeballs_timeout_ms = CURL_HET_DEFAULT; - config->http09_allowed = FALSE; -+ config->ftp_skip_ip = TRUE; - } - - static void free_config_fields(struct OperationConfig *config) -diff --git a/tests/data/test1400 b/tests/data/test1400 -index c0d409b..ade50d4 100644 ---- a/tests/data/test1400 -+++ b/tests/data/test1400 -@@ -76,6 +76,7 @@ int main(int argc, char *argv[]) - curl_easy_setopt(hnd, CURLOPT_USERAGENT, "stripped"); - 
curl_easy_setopt(hnd, CURLOPT_MAXREDIRS, 50L); - curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L); -+ curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L); - curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L); - - /* Here is a list of options the curl code used that cannot get generated -diff --git a/tests/data/test1401 b/tests/data/test1401 -index ec3b25c..a2e9ef2 100644 ---- a/tests/data/test1401 -+++ b/tests/data/test1401 -@@ -90,6 +90,7 @@ int main(int argc, char *argv[]) - curl_easy_setopt(hnd, CURLOPT_MAXREDIRS, 50L); - curl_easy_setopt(hnd, CURLOPT_COOKIE, "chocolate=chip"); - curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L); -+ curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L); - curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L); - curl_easy_setopt(hnd, CURLOPT_PROTOCOLS, (long)CURLPROTO_FILE | - (long)CURLPROTO_FTP | -diff --git a/tests/data/test1402 b/tests/data/test1402 -index bf7eb7b..99d4b70 100644 ---- a/tests/data/test1402 -+++ b/tests/data/test1402 -@@ -81,6 +81,7 @@ int main(int argc, char *argv[]) - curl_easy_setopt(hnd, CURLOPT_USERAGENT, "stripped"); - curl_easy_setopt(hnd, CURLOPT_MAXREDIRS, 50L); - curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L); -+ curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L); - curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L); - - /* Here is a list of options the curl code used that cannot get generated -diff --git a/tests/data/test1403 b/tests/data/test1403 -index 731d274..90f9b4e 100644 ---- a/tests/data/test1403 -+++ b/tests/data/test1403 -@@ -76,6 +76,7 @@ int main(int argc, char *argv[]) - curl_easy_setopt(hnd, CURLOPT_USERAGENT, "stripped"); - curl_easy_setopt(hnd, CURLOPT_MAXREDIRS, 50L); - curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L); -+ curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L); - curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L); - - /* Here is a list of options the curl code used that cannot get generated -diff --git a/tests/data/test1404 b/tests/data/test1404 -index d3c66a9..d351c3e 100644 ---- a/tests/data/test1404 
-+++ b/tests/data/test1404 -@@ -147,6 +147,7 @@ int main(int argc, char *argv[]) - curl_easy_setopt(hnd, CURLOPT_USERAGENT, "stripped"); - curl_easy_setopt(hnd, CURLOPT_MAXREDIRS, 50L); - curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L); -+ curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L); - curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L); - - /* Here is a list of options the curl code used that cannot get generated -diff --git a/tests/data/test1405 b/tests/data/test1405 -index dcc8f80..d1ebb7c 100644 ---- a/tests/data/test1405 -+++ b/tests/data/test1405 -@@ -89,6 +89,7 @@ int main(int argc, char *argv[]) - curl_easy_setopt(hnd, CURLOPT_POSTQUOTE, slist2); - curl_easy_setopt(hnd, CURLOPT_PREQUOTE, slist3); - curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L); -+ curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L); - curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L); - - /* Here is a list of options the curl code used that cannot get generated -diff --git a/tests/data/test1406 b/tests/data/test1406 -index 8803c84..31db82a 100644 ---- a/tests/data/test1406 -+++ b/tests/data/test1406 -@@ -79,6 +79,7 @@ int main(int argc, char *argv[]) - curl_easy_setopt(hnd, CURLOPT_URL, "smtp://%HOSTIP:%SMTPPORT/1406"); - curl_easy_setopt(hnd, CURLOPT_UPLOAD, 1L); - curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L); -+ curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L); - curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L); - curl_easy_setopt(hnd, CURLOPT_MAIL_FROM, "sender@example.com"); - curl_easy_setopt(hnd, CURLOPT_MAIL_RCPT, slist1); -diff --git a/tests/data/test1407 b/tests/data/test1407 -index 917a5de..d329509 100644 ---- a/tests/data/test1407 -+++ b/tests/data/test1407 -@@ -62,6 +62,7 @@ int main(int argc, char *argv[]) - curl_easy_setopt(hnd, CURLOPT_DIRLISTONLY, 1L); - curl_easy_setopt(hnd, CURLOPT_USERPWD, "user:secret"); - curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L); -+ curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L); - curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L); - - /* Here is a 
list of options the curl code used that cannot get generated -diff --git a/tests/data/test1420 b/tests/data/test1420 -index 03c4584..c1ba190 100644 ---- a/tests/data/test1420 -+++ b/tests/data/test1420 -@@ -67,6 +67,7 @@ int main(int argc, char *argv[]) - curl_easy_setopt(hnd, CURLOPT_URL, "imap://%HOSTIP:%IMAPPORT/1420/;MAILINDEX=1"); - curl_easy_setopt(hnd, CURLOPT_USERPWD, "user:secret"); - curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L); -+ curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L); - curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L); - - /* Here is a list of options the curl code used that cannot get generated --- -2.26.2 - diff --git a/0006-curl-7.71.1-CVE-2020-8285.patch b/0006-curl-7.71.1-CVE-2020-8285.patch deleted file mode 100644 index 6bb47f7..0000000 --- a/0006-curl-7.71.1-CVE-2020-8285.patch +++ /dev/null 
@@ -1,1864 +0,0 @@
-From 95b64952b958215972a2e4e193b5104bc91b5927 Mon Sep 17 00:00:00 2001
-From: Daniel Stenberg
-Date: Mon, 23 Nov 2020 08:32:41 +0100
-Subject: [PATCH 1/2] urldata: remove 'void *protop' and create the union 'p'
-
-... to avoid the use of 'void *' for the protocol specific structs done
-per transfer.
-
-Closes #6238
-
-Upstream-commit: a95a6ce6b809693a1195e3b4347a6cfa0fbc2ee7
-Signed-off-by: Kamil Dudka
----
- docs/INTERNALS.md | 4 ++--
- lib/file.c | 14 ++++++-------
- lib/ftp.c | 36 ++++++++++++++++-----------------
- lib/http.c | 14 ++++++-------
- lib/http2.c | 50 +++++++++++++++++++++++-----------------------
- lib/http_proxy.c | 6 +++---
- lib/imap.c | 26 ++++++++++++------------
- lib/mqtt.c | 10 +++++-----
- lib/openldap.c | 8 ++++----
- lib/pop3.c | 14 ++++++-------
- lib/rtsp.c | 8 ++++----
- lib/smb.c | 20 +++++++++----------
- lib/smtp.c | 22 ++++++++++----------
- lib/telnet.c | 30 ++++++++++++++--------------
- lib/transfer.c | 8 ++++----
- lib/url.c | 2 +-
- lib/urldata.h | 19 ++++++++++++++++--
- lib/vquic/ngtcp2.c | 24 +++++++++++-----------
- lib/vquic/quiche.c | 10 +++++-----
- lib/vssh/libssh.c | 10 +++++-----
- lib/vssh/libssh2.c | 8 ++++----
- lib/vssh/wolfssh.c | 8 ++++----
- 22 files changed, 183 insertions(+), 168 deletions(-)
-
-diff --git a/docs/INTERNALS.md b/docs/INTERNALS.md
-index 635e7b2..ca8988e 100644
---- a/docs/INTERNALS.md
-+++ b/docs/INTERNALS.md
-@@ -980,8 +980,8 @@ for older and later versions as things don't change drastically that often.
- protocol specific data that then gets associated with that `Curl_easy` for
- the rest of this transfer. It gets freed again at the end of the transfer.
- It will be called before the `connectdata` for the transfer has been
-- selected/created. Most protocols will allocate its private
-- `struct [PROTOCOL]` here and assign `Curl_easy->req.protop` to point to it.
-+ selected/created.
Most protocols will allocate its private `struct
-+ [PROTOCOL]` here and assign `Curl_easy->req.p.[protocol]` to it.
-
- `->connect_it` allows a protocol to do some specific actions after the TCP
- connect is done, that can still be considered part of the connection phase.
-diff --git a/lib/file.c b/lib/file.c
-index cd3e49c..110e5c2 100644
---- a/lib/file.c
-+++ b/lib/file.c
-@@ -119,8 +119,8 @@ const struct Curl_handler Curl_handler_file = {
- static CURLcode file_setup_connection(struct connectdata *conn)
- {
- /* allocate the FILE specific struct */
-- conn->data->req.protop = calloc(1, sizeof(struct FILEPROTO));
-- if(!conn->data->req.protop)
-+ conn->data->req.p.file = calloc(1, sizeof(struct FILEPROTO));
-+ if(!conn->data->req.p.file)
- return CURLE_OUT_OF_MEMORY;
-
- return CURLE_OK;
-@@ -135,7 +135,7 @@ static CURLcode file_connect(struct connectdata *conn, bool *done)
- {
- struct Curl_easy *data = conn->data;
- char *real_path;
-- struct FILEPROTO *file = data->req.protop;
-+ struct FILEPROTO *file = data->req.p.file;
- int fd;
- #ifdef DOS_FILESYSTEM
- size_t i;
-@@ -209,7 +209,7 @@ static CURLcode file_connect(struct connectdata *conn, bool *done)
- static CURLcode file_done(struct connectdata *conn,
- CURLcode status, bool premature)
- {
-- struct FILEPROTO *file = conn->data->req.protop;
-+ struct FILEPROTO *file = conn->data->req.p.file;
- (void)status; /* not used */
- (void)premature; /* not used */
-
-@@ -227,7 +227,7 @@ static CURLcode file_done(struct connectdata *conn,
- static CURLcode file_disconnect(struct connectdata *conn,
- bool dead_connection)
- {
-- struct FILEPROTO *file = conn->data->req.protop;
-+ struct FILEPROTO *file = conn->data->req.p.file;
- (void)dead_connection; /* not used */
-
- if(file) {
-@@ -249,7 +249,7 @@ static CURLcode file_disconnect(struct connectdata *conn,
-
- static CURLcode file_upload(struct connectdata *conn)
- {
-- struct FILEPROTO *file = conn->data->req.protop;
-+ struct FILEPROTO *file =
conn->data->req.p.file;
- const char *dir = strchr(file->path, DIRSEP);
- int fd;
- int mode;
-@@ -391,7 +391,7 @@ static CURLcode file_do(struct connectdata *conn, bool *done)
- if(data->set.upload)
- return file_upload(conn);
-
-- file = conn->data->req.protop;
-+ file = conn->data->req.p.file;
-
- /* get the fd from the connection phase */
- fd = file->fd;
-diff --git a/lib/ftp.c b/lib/ftp.c
-index 20351ff..5195b67 100644
---- a/lib/ftp.c
-+++ b/lib/ftp.c
-@@ -1345,7 +1345,7 @@ static CURLcode ftp_state_use_pasv(struct connectdata *conn)
- static CURLcode ftp_state_prepare_transfer(struct connectdata *conn)
- {
- CURLcode result = CURLE_OK;
-- struct FTP *ftp = conn->data->req.protop;
-+ struct FTP *ftp = conn->data->req.p.ftp;
- struct Curl_easy *data = conn->data;
-
- if(ftp->transfer != FTPTRANSFER_BODY) {
-@@ -1388,7 +1388,7 @@ static CURLcode ftp_state_prepare_transfer(struct connectdata *conn)
- static CURLcode ftp_state_rest(struct connectdata *conn)
- {
- CURLcode result = CURLE_OK;
-- struct FTP *ftp = conn->data->req.protop;
-+ struct FTP *ftp = conn->data->req.p.ftp;
- struct ftp_conn *ftpc = &conn->proto.ftpc;
-
- if((ftp->transfer != FTPTRANSFER_BODY) && ftpc->file) {
-@@ -1409,7 +1409,7 @@ static CURLcode ftp_state_rest(struct connectdata *conn)
- static CURLcode ftp_state_size(struct connectdata *conn)
- {
- CURLcode result = CURLE_OK;
-- struct FTP *ftp = conn->data->req.protop;
-+ struct FTP *ftp = conn->data->req.p.ftp;
- struct ftp_conn *ftpc = &conn->proto.ftpc;
-
- if((ftp->transfer == FTPTRANSFER_INFO) && ftpc->file) {
-@@ -1430,7 +1430,7 @@ static CURLcode ftp_state_list(struct connectdata *conn)
- {
- CURLcode result = CURLE_OK;
- struct Curl_easy *data = conn->data;
-- struct FTP *ftp = data->req.protop;
-+ struct FTP *ftp = data->req.p.ftp;
-
- /* If this output is to be machine-parsed, the NLST command might be better
- to use, since the LIST command output is not specified or standard in any
-@@ -1508,7 +1508,7 @@ static CURLcode
ftp_state_stor_prequote(struct connectdata *conn)
- static CURLcode ftp_state_type(struct connectdata *conn)
- {
- CURLcode result = CURLE_OK;
-- struct FTP *ftp = conn->data->req.protop;
-+ struct FTP *ftp = conn->data->req.p.ftp;
- struct Curl_easy *data = conn->data;
- struct ftp_conn *ftpc = &conn->proto.ftpc;
-
-@@ -1565,7 +1565,7 @@ static CURLcode ftp_state_ul_setup(struct connectdata *conn,
- bool sizechecked)
- {
- CURLcode result = CURLE_OK;
-- struct FTP *ftp = conn->data->req.protop;
-+ struct FTP *ftp = conn->data->req.p.ftp;
- struct Curl_easy *data = conn->data;
- struct ftp_conn *ftpc = &conn->proto.ftpc;
-
-@@ -1664,7 +1664,7 @@ static CURLcode ftp_state_quote(struct connectdata *conn,
- {
- CURLcode result = CURLE_OK;
- struct Curl_easy *data = conn->data;
-- struct FTP *ftp = data->req.protop;
-+ struct FTP *ftp = data->req.p.ftp;
- struct ftp_conn *ftpc = &conn->proto.ftpc;
- bool quote = FALSE;
- struct curl_slist *item;
-@@ -2033,7 +2033,7 @@ static CURLcode ftp_state_mdtm_resp(struct connectdata *conn,
- {
- CURLcode result = CURLE_OK;
- struct Curl_easy *data = conn->data;
-- struct FTP *ftp = data->req.protop;
-+ struct FTP *ftp = data->req.p.ftp;
- struct ftp_conn *ftpc = &conn->proto.ftpc;
-
- switch(ftpcode) {
-@@ -2166,7 +2166,7 @@ static CURLcode ftp_state_retr(struct connectdata *conn,
- {
- CURLcode result = CURLE_OK;
- struct Curl_easy *data = conn->data;
-- struct FTP *ftp = data->req.protop;
-+ struct FTP *ftp = data->req.p.ftp;
- struct ftp_conn *ftpc = &conn->proto.ftpc;
-
- if(data->set.max_filesize && (filesize > data->set.max_filesize)) {
-@@ -2378,7 +2378,7 @@ static CURLcode ftp_state_get_resp(struct connectdata *conn,
- {
- CURLcode result = CURLE_OK;
- struct Curl_easy *data = conn->data;
-- struct FTP *ftp = data->req.protop;
-+ struct FTP *ftp = data->req.p.ftp;
-
- if((ftpcode == 150) || (ftpcode == 125)) {
-
-@@ -3138,7 +3138,7 @@ static CURLcode ftp_done(struct connectdata *conn, CURLcode status,
- bool premature)
-
{
- struct Curl_easy *data = conn->data;
-- struct FTP *ftp = data->req.protop;
-+ struct FTP *ftp = data->req.p.ftp;
- struct ftp_conn *ftpc = &conn->proto.ftpc;
- struct pingpong *pp = &ftpc->pp;
- ssize_t nread;
-@@ -3492,7 +3492,7 @@ static CURLcode ftp_do_more(struct connectdata *conn, int *completep)
- bool complete = FALSE;
-
- /* the ftp struct is inited in ftp_connect() */
-- struct FTP *ftp = data->req.protop;
-+ struct FTP *ftp = data->req.p.ftp;
-
- /* if the second connection isn't done yet, wait for it */
- if(!conn->bits.tcpconnect[SECONDARYSOCKET]) {
-@@ -3657,7 +3657,7 @@ CURLcode ftp_perform(struct connectdata *conn,
-
- if(conn->data->set.opt_no_body) {
- /* requested no body means no transfer... */
-- struct FTP *ftp = conn->data->req.protop;
-+ struct FTP *ftp = conn->data->req.p.ftp;
- ftp->transfer = FTPTRANSFER_INFO;
- }
-
-@@ -3692,7 +3692,7 @@ static void wc_data_dtor(void *ptr)
- static CURLcode init_wc_data(struct connectdata *conn)
- {
- char *last_slash;
-- struct FTP *ftp = conn->data->req.protop;
-+ struct FTP *ftp = conn->data->req.p.ftp;
- char *path = ftp->path;
- struct WildcardData *wildcard = &(conn->data->wildcard);
- CURLcode result = CURLE_OK;
-@@ -3826,7 +3826,7 @@ static CURLcode wc_statemach(struct connectdata *conn)
- /* filelist has at least one file, lets get first one */
- struct ftp_conn *ftpc = &conn->proto.ftpc;
- struct curl_fileinfo *finfo = wildcard->filelist.head->ptr;
-- struct FTP *ftp = conn->data->req.protop;
-+ struct FTP *ftp = conn->data->req.p.ftp;
-
- char *tmp_path = aprintf("%s%s", wildcard->path, finfo->filename);
- if(!tmp_path)
-@@ -4099,7 +4099,7 @@ CURLcode ftp_parse_url_path(struct connectdata *conn)
- {
- struct Curl_easy *data = conn->data;
- /* the ftp struct is already inited in ftp_connect() */
-- struct FTP *ftp = data->req.protop;
-+ struct FTP *ftp = data->req.p.ftp;
- struct ftp_conn *ftpc = &conn->proto.ftpc;
- const char *slashPos = NULL;
- const char *fileName = NULL;
-@@ -4244,7
+4244,7 @@ CURLcode ftp_parse_url_path(struct connectdata *conn)
- static CURLcode ftp_dophase_done(struct connectdata *conn,
- bool connected)
- {
-- struct FTP *ftp = conn->data->req.protop;
-+ struct FTP *ftp = conn->data->req.p.ftp;
- struct ftp_conn *ftpc = &conn->proto.ftpc;
-
- if(connected) {
-@@ -4341,7 +4341,7 @@ static CURLcode ftp_setup_connection(struct connectdata *conn)
- char *type;
- struct FTP *ftp;
-
-- conn->data->req.protop = ftp = calloc(sizeof(struct FTP), 1);
-+ conn->data->req.p.ftp = ftp = calloc(sizeof(struct FTP), 1);
- if(NULL == ftp)
- return CURLE_OUT_OF_MEMORY;
-
-diff --git a/lib/http.c b/lib/http.c
-index 28d66c2..8cf4b61 100644
---- a/lib/http.c
-+++ b/lib/http.c
-@@ -162,14 +162,14 @@ static CURLcode http_setup_conn(struct connectdata *conn)
- during this request */
- struct HTTP *http;
- struct Curl_easy *data = conn->data;
-- DEBUGASSERT(data->req.protop == NULL);
-+ DEBUGASSERT(data->req.p.http == NULL);
-
- http = calloc(1, sizeof(struct HTTP));
- if(!http)
- return CURLE_OUT_OF_MEMORY;
-
- Curl_mime_initpart(&http->form, conn->data);
-- data->req.protop = http;
-+ data->req.p.http = http;
-
- if(data->set.httpversion == CURL_HTTP_VERSION_3) {
- if(conn->handler->flags & PROTOPT_SSL)
-@@ -425,7 +425,7 @@ static bool pickoneauth(struct auth *pick, unsigned long mask)
- static CURLcode http_perhapsrewind(struct connectdata *conn)
- {
- struct Curl_easy *data = conn->data;
-- struct HTTP *http = data->req.protop;
-+ struct HTTP *http = data->req.p.http;
- curl_off_t bytessent;
- curl_off_t expectsend = -1; /* default is unknown */
-
-@@ -1109,7 +1109,7 @@ static size_t readmoredata(char *buffer,
- void *userp)
- {
- struct connectdata *conn = (struct connectdata *)userp;
-- struct HTTP *http = conn->data->req.protop;
-+ struct HTTP *http = conn->data->req.p.http;
- size_t fullsize = size * nitems;
-
- if(!http->postsize)
-@@ -1167,7 +1167,7 @@ CURLcode Curl_buffer_send(struct dynbuf *in,
- char *ptr;
- size_t size;
- struct
Curl_easy *data = conn->data;
-- struct HTTP *http = data->req.protop;
-+ struct HTTP *http = data->req.p.http;
- size_t sendsize;
- curl_socket_t sockfd;
- size_t headersize;
-@@ -1517,7 +1517,7 @@ CURLcode Curl_http_done(struct connectdata *conn,
- CURLcode status, bool premature)
- {
- struct Curl_easy *data = conn->data;
-- struct HTTP *http = data->req.protop;
-+ struct HTTP *http = data->req.p.http;
-
- /* Clear multipass flag. If authentication isn't done yet, then it will get
- * a chance to be set back to true when we output the next auth header */
-@@ -1978,7 +1978,7 @@ CURLcode Curl_http(struct connectdata *conn, bool *done)
- return result;
- }
- }
-- http = data->req.protop;
-+ http = data->req.p.http;
- DEBUGASSERT(http);
-
- if(!data->state.this_is_a_follow) {
-diff --git a/lib/http2.c b/lib/http2.c
-index 6cf651f..4f3a5bf 100644
---- a/lib/http2.c
-+++ b/lib/http2.c
-@@ -257,7 +257,7 @@ static unsigned int http2_conncheck(struct connectdata *check,
- /* called from http_setup_conn */
- void Curl_http2_setup_req(struct Curl_easy *data)
- {
-- struct HTTP *http = data->req.protop;
-+ struct HTTP *http = data->req.p.http;
- http->bodystarted = FALSE;
- http->status_code = -1;
- http->pausedata = NULL;
-@@ -391,7 +391,7 @@ char *curl_pushheader_bynum(struct curl_pushheaders *h, size_t num)
- if(!h || !GOOD_EASY_HANDLE(h->data))
- return NULL;
- else {
-- struct HTTP *stream = h->data->req.protop;
-+ struct HTTP *stream = h->data->req.p.http;
- if(num < stream->push_headers_used)
- return stream->push_headers[num];
- }
-@@ -413,7 +413,7 @@ char *curl_pushheader_byname(struct curl_pushheaders *h, const char *header)
- !strcmp(header, ":") || strchr(header + 1, ':'))
- return NULL;
- else {
-- struct HTTP *stream = h->data->req.protop;
-+ struct HTTP *stream = h->data->req.p.http;
- size_t len = strlen(header);
- size_t i;
- for(i = 0; ipush_headers_used; i++) {
-@@ -460,7 +460,7 @@ static struct Curl_easy *duphandle(struct Curl_easy *data)
-
(void)Curl_close(&second);
- }
- else {
-- second->req.protop = http;
-+ second->req.p.http = http;
- Curl_dyn_init(&http->header_recvbuf, DYN_H2_HEADERS);
- Curl_http2_setup_req(second);
- second->state.stream_weight = data->state.stream_weight;
-@@ -537,7 +537,7 @@ static int push_promise(struct Curl_easy *data,
- /* ask the application */
- H2BUGF(infof(data, "Got PUSH_PROMISE, ask application!\n"));
-
-- stream = data->req.protop;
-+ stream = data->req.p.http;
- if(!stream) {
- failf(data, "Internal NULL stream!\n");
- (void)Curl_close(&newhandle);
-@@ -564,13 +564,13 @@ static int push_promise(struct Curl_easy *data,
-
- if(rv) {
- /* denied, kill off the new handle again */
-- http2_stream_free(newhandle->req.protop);
-- newhandle->req.protop = NULL;
-+ http2_stream_free(newhandle->req.p.http);
-+ newhandle->req.p.http = NULL;
- (void)Curl_close(&newhandle);
- goto fail;
- }
-
-- newstream = newhandle->req.protop;
-+ newstream = newhandle->req.p.http;
- newstream->stream_id = frame->promised_stream_id;
- newhandle->req.maxdownload = -1;
- newhandle->req.size = -1;
-@@ -580,8 +580,8 @@ static int push_promise(struct Curl_easy *data,
- rc = Curl_multi_add_perform(data->multi, newhandle, conn);
- if(rc) {
- infof(data, "failed to add handle to multi\n");
-- http2_stream_free(newhandle->req.protop);
-- newhandle->req.protop = NULL;
-+ http2_stream_free(newhandle->req.p.http);
-+ newhandle->req.p.http = NULL;
- Curl_close(&newhandle);
- rv = 1;
- goto fail;
-@@ -663,7 +663,7 @@ static int on_frame_recv(nghttp2_session *session, const nghttp2_frame *frame,
- return 0;
- }
-
-- stream = data_s->req.protop;
-+ stream = data_s->req.p.http;
- if(!stream) {
- H2BUGF(infof(data_s, "No proto pointer for stream: %x\n",
- stream_id));
-@@ -774,7 +774,7 @@ static int on_data_chunk_recv(nghttp2_session *session, uint8_t flags,
- internal error more than anything else!
*/
- return NGHTTP2_ERR_CALLBACK_FAILURE;
-
-- stream = data_s->req.protop;
-+ stream = data_s->req.p.http;
- if(!stream)
- return NGHTTP2_ERR_CALLBACK_FAILURE;
-
-@@ -840,7 +840,7 @@ static int on_stream_close(nghttp2_session *session, int32_t stream_id,
- }
- H2BUGF(infof(data_s, "on_stream_close(), %s (err %d), stream %u\n",
- nghttp2_strerror(error_code), error_code, stream_id));
-- stream = data_s->req.protop;
-+ stream = data_s->req.p.http;
- if(!stream)
- return NGHTTP2_ERR_CALLBACK_FAILURE;
-
-@@ -885,7 +885,7 @@ static int on_begin_headers(nghttp2_session *session,
- return 0;
- }
-
-- stream = data_s->req.protop;
-+ stream = data_s->req.p.http;
- if(!stream || !stream->bodystarted) {
- return 0;
- }
-@@ -943,7 +943,7 @@ static int on_header(nghttp2_session *session, const nghttp2_frame *frame,
- internal error more than anything else! */
- return NGHTTP2_ERR_CALLBACK_FAILURE;
-
-- stream = data_s->req.protop;
-+ stream = data_s->req.p.http;
- if(!stream) {
- failf(data_s, "Internal NULL stream! 5\n");
- return NGHTTP2_ERR_CALLBACK_FAILURE;
-@@ -1098,7 +1098,7 @@ static ssize_t data_source_read_callback(nghttp2_session *session,
- internal error more than anything else!
*/
- return NGHTTP2_ERR_CALLBACK_FAILURE;
-
-- stream = data_s->req.protop;
-+ stream = data_s->req.p.http;
- if(!stream)
- return NGHTTP2_ERR_CALLBACK_FAILURE;
- }
-@@ -1159,7 +1159,7 @@ static void populate_settings(struct connectdata *conn,
-
- void Curl_http2_done(struct Curl_easy *data, bool premature)
- {
-- struct HTTP *http = data->req.protop;
-+ struct HTTP *http = data->req.p.http;
- struct http_conn *httpc = &data->conn->proto.httpc;
-
- /* there might be allocated resources done before this got the 'h2' pointer
-@@ -1387,7 +1387,7 @@ CURLcode Curl_http2_done_sending(struct connectdata *conn)
- (conn->handler == &Curl_handler_http2)) {
- /* make sure this is only attempted for HTTP/2 transfers */
-
-- struct HTTP *stream = conn->data->req.protop;
-+ struct HTTP *stream = conn->data->req.p.http;
-
- struct http_conn *httpc = &conn->proto.httpc;
- nghttp2_session *h2 = httpc->h2;
-@@ -1486,7 +1486,7 @@ static void h2_pri_spec(struct Curl_easy *data,
- nghttp2_priority_spec *pri_spec)
- {
- struct HTTP *depstream = (data->set.stream_depends_on?
-- data->set.stream_depends_on->req.protop:NULL);
-+ data->set.stream_depends_on->req.p.http:NULL);
- int32_t depstream_id = depstream?
depstream->stream_id:0;
- nghttp2_priority_spec_init(pri_spec, depstream_id, data->set.stream_weight,
- data->set.stream_depends_e);
-@@ -1503,7 +1503,7 @@ static void h2_pri_spec(struct Curl_easy *data,
- static int h2_session_send(struct Curl_easy *data,
- nghttp2_session *h2)
- {
-- struct HTTP *stream = data->req.protop;
-+ struct HTTP *stream = data->req.p.http;
- if((data->set.stream_weight != data->state.stream_weight) ||
- (data->set.stream_depends_e != data->state.stream_depends_e) ||
- (data->set.stream_depends_on != data->state.stream_depends_on) ) {
-@@ -1533,7 +1533,7 @@ static ssize_t http2_recv(struct connectdata *conn, int sockindex,
- ssize_t nread;
- struct http_conn *httpc = &conn->proto.httpc;
- struct Curl_easy *data = conn->data;
-- struct HTTP *stream = data->req.protop;
-+ struct HTTP *stream = data->req.p.http;
-
- (void)sockindex; /* we always do HTTP2 on sockindex 0 */
-
-@@ -1838,7 +1838,7 @@ static ssize_t http2_send(struct connectdata *conn, int sockindex,
- */
- int rv;
- struct http_conn *httpc = &conn->proto.httpc;
-- struct HTTP *stream = conn->data->req.protop;
-+ struct HTTP *stream = conn->data->req.p.http;
- nghttp2_nv *nva = NULL;
- size_t nheader;
- size_t i;
-@@ -2144,7 +2144,7 @@ CURLcode Curl_http2_setup(struct connectdata *conn)
- {
- CURLcode result;
- struct http_conn *httpc = &conn->proto.httpc;
-- struct HTTP *stream = conn->data->req.protop;
-+ struct HTTP *stream = conn->data->req.p.http;
-
- DEBUGASSERT(conn->data->state.buffer);
-
-@@ -2198,7 +2198,7 @@ CURLcode Curl_http2_switched(struct connectdata *conn,
- int rv;
- ssize_t nproc;
- struct Curl_easy *data = conn->data;
-- struct HTTP *stream = conn->data->req.protop;
-+ struct HTTP *stream = conn->data->req.p.http;
-
- result = Curl_http2_setup(conn);
- if(result)
-@@ -2318,7 +2318,7 @@ CURLcode Curl_http2_stream_pause(struct Curl_easy *data, bool pause)
- return CURLE_OK;
- #ifdef NGHTTP2_HAS_SET_LOCAL_WINDOW_SIZE
- else {
-- struct HTTP *stream =
data->req.protop;
-+ struct HTTP *stream = data->req.p.http;
- struct http_conn *httpc = &data->conn->proto.httpc;
- uint32_t window = !pause * HTTP2_HUGE_WINDOW_SIZE;
- int rv = nghttp2_session_set_local_window_size(httpc->h2,
-diff --git a/lib/http_proxy.c b/lib/http_proxy.c
-index f188cbf..69aacb4 100644
---- a/lib/http_proxy.c
-+++ b/lib/http_proxy.c
-@@ -102,9 +102,9 @@ CURLcode Curl_proxy_connect(struct connectdata *conn, int sockindex)
- * This function might be called several times in the multi interface case
- * if the proxy's CONNECT response is not instant.
- */
-- prot_save = conn->data->req.protop;
-+ prot_save = conn->data->req.p.http;
- memset(&http_proxy, 0, sizeof(http_proxy));
-- conn->data->req.protop = &http_proxy;
-+ conn->data->req.p.http = &http_proxy;
- connkeep(conn, "HTTP proxy CONNECT");
-
- /* for the secondary socket (FTP), use the "connect to host"
-@@ -125,7 +125,7 @@ CURLcode Curl_proxy_connect(struct connectdata *conn, int sockindex)
- else
- remote_port = conn->remote_port;
- result = Curl_proxyCONNECT(conn, sockindex, hostname, remote_port);
-- conn->data->req.protop = prot_save;
-+ conn->data->req.p.http = prot_save;
- if(CURLE_OK != result)
- return result;
- Curl_safefree(data->state.aptr.proxyuserpwd);
-diff --git a/lib/imap.c b/lib/imap.c
-index cad0e59..bda23a5 100644
---- a/lib/imap.c
-+++ b/lib/imap.c
-@@ -244,7 +244,7 @@ static bool imap_matchresp(const char *line, size_t len, const char *cmd)
- static bool imap_endofresp(struct connectdata *conn, char *line, size_t len,
- int *resp)
- {
-- struct IMAP *imap = conn->data->req.protop;
-+ struct IMAP *imap = conn->data->req.p.imap;
- struct imap_conn *imapc = &conn->proto.imapc;
- const char *id = imapc->resptag;
- size_t id_len = strlen(id);
-@@ -605,7 +605,7 @@ static CURLcode imap_perform_list(struct connectdata *conn)
- {
- CURLcode result = CURLE_OK;
- struct Curl_easy *data = conn->data;
-- struct IMAP *imap = data->req.protop;
-+ struct IMAP *imap = data->req.p.imap;
-
- if(imap->custom)
- /* Send the custom request */
-@@ -640,7 +640,7 @@ static CURLcode imap_perform_select(struct connectdata *conn)
- {
- CURLcode result = CURLE_OK;
- struct Curl_easy *data = conn->data;
-- struct IMAP *imap = data->req.protop;
-+ struct IMAP *imap = data->req.p.imap;
- struct imap_conn *imapc = &conn->proto.imapc;
- char *mailbox;
-
-@@ -679,7 +679,7 @@ static CURLcode imap_perform_select(struct connectdata *conn)
- static CURLcode imap_perform_fetch(struct connectdata *conn)
- {
- CURLcode result = CURLE_OK;
-- struct IMAP *imap = conn->data->req.protop;
-+ struct IMAP *imap = conn->data->req.p.imap;
- /* Check we have a UID */
- if(imap->uid) {
-
-@@ -727,7 +727,7 @@ static CURLcode imap_perform_append(struct connectdata *conn)
- {
- CURLcode result = CURLE_OK;
- struct Curl_easy *data = conn->data;
-- struct IMAP *imap = data->req.protop;
-+ struct IMAP *imap = data->req.p.imap;
- char *mailbox;
-
- /* Check we have a mailbox */
-@@ -797,7 +797,7 @@ static CURLcode imap_perform_append(struct connectdata *conn)
- static CURLcode imap_perform_search(struct connectdata *conn)
- {
- CURLcode result = CURLE_OK;
-- struct IMAP *imap = conn->data->req.protop;
-+ struct IMAP *imap = conn->data->req.p.imap;
-
- /* Check we have a query string */
- if(!imap->query) {
-@@ -1051,7 +1051,7 @@ static CURLcode imap_state_select_resp(struct connectdata *conn, int imapcode,
- {
- CURLcode result = CURLE_OK;
- struct Curl_easy *data = conn->data;
-- struct IMAP *imap = conn->data->req.protop;
-+ struct IMAP *imap = conn->data->req.p.imap;
- struct imap_conn *imapc = &conn->proto.imapc;
- const char *line = data->state.buffer;
-
-@@ -1380,7 +1380,7 @@ static CURLcode imap_init(struct connectdata *conn)
- struct Curl_easy *data = conn->data;
- struct IMAP *imap;
-
-- imap = data->req.protop = calloc(sizeof(struct IMAP), 1);
-+ imap = data->req.p.imap = calloc(sizeof(struct IMAP), 1);
- if(!imap)
- result = CURLE_OUT_OF_MEMORY;
-
-@@ -1457,7 +1457,7 @@ static
CURLcode imap_done(struct connectdata *conn, CURLcode status,
- {
- CURLcode result = CURLE_OK;
- struct Curl_easy *data = conn->data;
-- struct IMAP *imap = data->req.protop;
-+ struct IMAP *imap = data->req.p.imap;
-
- (void)premature;
-
-@@ -1517,7 +1517,7 @@ static CURLcode imap_perform(struct connectdata *conn, bool *connected,
- /* This is IMAP and no proxy */
- CURLcode result = CURLE_OK;
- struct Curl_easy *data = conn->data;
-- struct IMAP *imap = data->req.protop;
-+ struct IMAP *imap = data->req.p.imap;
- struct imap_conn *imapc = &conn->proto.imapc;
- bool selected = FALSE;
-
-@@ -1640,7 +1640,7 @@ static CURLcode imap_disconnect(struct connectdata *conn, bool dead_connection)
- /* Call this when the DO phase has completed */
- static CURLcode imap_dophase_done(struct connectdata *conn, bool connected)
- {
-- struct IMAP *imap = conn->data->req.protop;
-+ struct IMAP *imap = conn->data->req.p.imap;
-
- (void)connected;
-
-@@ -1942,7 +1942,7 @@ static CURLcode imap_parse_url_path(struct connectdata *conn)
- /* The imap struct is already initialised in imap_connect() */
- CURLcode result = CURLE_OK;
- struct Curl_easy *data = conn->data;
-- struct IMAP *imap = data->req.protop;
-+ struct IMAP *imap = data->req.p.imap;
- const char *begin = &data->state.up.path[1]; /* skip leading slash */
- const char *ptr = begin;
-
-@@ -2074,7 +2074,7 @@ static CURLcode imap_parse_custom_request(struct connectdata *conn)
- {
- CURLcode result = CURLE_OK;
- struct Curl_easy *data = conn->data;
-- struct IMAP *imap = data->req.protop;
-+ struct IMAP *imap = data->req.p.imap;
- const char *custom = data->set.str[STRING_CUSTOMREQUEST];
-
- if(custom) {
-diff --git a/lib/mqtt.c b/lib/mqtt.c
-index f6f4416..86b22b8 100644
---- a/lib/mqtt.c
-+++ b/lib/mqtt.c
-@@ -95,12 +95,12 @@ static CURLcode mqtt_setup_conn(struct connectdata *conn)
- during this request */
- struct MQTT *mq;
- struct Curl_easy *data = conn->data;
-- DEBUGASSERT(data->req.protop == NULL);
-+
DEBUGASSERT(data->req.p.mqtt == NULL);
-
- mq = calloc(1, sizeof(struct MQTT));
- if(!mq)
- return CURLE_OUT_OF_MEMORY;
-- data->req.protop = mq;
-+ data->req.p.mqtt = mq;
- return CURLE_OK;
- }
-
-@@ -110,7 +110,7 @@ static CURLcode mqtt_send(struct connectdata *conn,
- CURLcode result = CURLE_OK;
- curl_socket_t sockfd = conn->sock[FIRSTSOCKET];
- struct Curl_easy *data = conn->data;
-- struct MQTT *mq = data->req.protop;
-+ struct MQTT *mq = data->req.p.mqtt;
- ssize_t n;
- result = Curl_write(conn, sockfd, buf, len, &n);
- if(!result && data->set.verbose)
-@@ -426,7 +426,7 @@ static CURLcode mqtt_read_publish(struct connectdata *conn,
- unsigned char *pkt = (unsigned char *)data->state.buffer;
- size_t remlen;
- struct mqtt_conn *mqtt = &conn->proto.mqtt;
-- struct MQTT *mq = data->req.protop;
-+ struct MQTT *mq = data->req.p.mqtt;
- unsigned char packet;
-
- switch(mqtt->state) {
-@@ -533,7 +533,7 @@ static CURLcode mqtt_doing(struct connectdata *conn, bool *done)
- CURLcode result = CURLE_OK;
- struct mqtt_conn *mqtt = &conn->proto.mqtt;
- struct Curl_easy *data = conn->data;
-- struct MQTT *mq = data->req.protop;
-+ struct MQTT *mq = data->req.p.mqtt;
- ssize_t nread;
- curl_socket_t sockfd = conn->sock[FIRSTSOCKET];
- unsigned char *pkt = (unsigned char *)data->state.buffer;
-diff --git a/lib/openldap.c b/lib/openldap.c
-index 782d6a0..c955df6 100644
---- a/lib/openldap.c
-+++ b/lib/openldap.c
-@@ -410,7 +410,7 @@ static CURLcode ldap_do(struct connectdata *conn, bool *done)
- if(!lr)
- return CURLE_OUT_OF_MEMORY;
- lr->msgid = msgid;
-- data->req.protop = lr;
-+ data->req.p.ldap = lr;
- Curl_setup_transfer(data, FIRSTSOCKET, -1, FALSE, -1);
- *done = TRUE;
- return CURLE_OK;
-@@ -419,7 +419,7 @@ static CURLcode ldap_do(struct connectdata *conn, bool *done)
- static CURLcode ldap_done(struct connectdata *conn, CURLcode res,
- bool premature)
- {
-- struct ldapreqinfo *lr = conn->data->req.protop;
-+ struct ldapreqinfo *lr = conn->data->req.p.ldap;
-
-
(void)res;
- (void)premature;
-@@ -431,7 +431,7 @@ static CURLcode ldap_done(struct connectdata *conn, CURLcode res,
- ldap_abandon_ext(li->ld, lr->msgid, NULL, NULL);
- lr->msgid = 0;
- }
-- conn->data->req.protop = NULL;
-+ conn->data->req.p.ldap = NULL;
- free(lr);
- }
-
-@@ -443,7 +443,7 @@ static ssize_t ldap_recv(struct connectdata *conn, int sockindex, char *buf,
- {
- struct ldapconninfo *li = conn->proto.ldapc;
- struct Curl_easy *data = conn->data;
-- struct ldapreqinfo *lr = data->req.protop;
-+ struct ldapreqinfo *lr = data->req.p.ldap;
- int rc, ret;
- LDAPMessage *msg = NULL;
- LDAPMessage *ent;
-diff --git a/lib/pop3.c b/lib/pop3.c
-index 9ff5c78..04cc887 100644
---- a/lib/pop3.c
-+++ b/lib/pop3.c
-@@ -551,7 +551,7 @@ static CURLcode pop3_perform_command(struct connectdata *conn)
- {
- CURLcode result = CURLE_OK;
- struct Curl_easy *data = conn->data;
-- struct POP3 *pop3 = data->req.protop;
-+ struct POP3 *pop3 = data->req.p.pop3;
- const char *command = NULL;
-
- /* Calculate the default command */
-@@ -884,7 +884,7 @@ static CURLcode pop3_state_command_resp(struct connectdata *conn,
- {
- CURLcode result = CURLE_OK;
- struct Curl_easy *data = conn->data;
-- struct POP3 *pop3 = data->req.protop;
-+ struct POP3 *pop3 = data->req.p.pop3;
- struct pop3_conn *pop3c = &conn->proto.pop3c;
- struct pingpong *pp = &pop3c->pp;
-
-@@ -1046,7 +1046,7 @@ static CURLcode pop3_init(struct connectdata *conn)
- struct Curl_easy *data = conn->data;
- struct POP3 *pop3;
-
-- pop3 = data->req.protop = calloc(sizeof(struct POP3), 1);
-+ pop3 = data->req.p.pop3 = calloc(sizeof(struct POP3), 1);
- if(!pop3)
- result = CURLE_OUT_OF_MEMORY;
-
-@@ -1120,7 +1120,7 @@ static CURLcode pop3_done(struct connectdata *conn, CURLcode status,
- {
- CURLcode result = CURLE_OK;
- struct Curl_easy *data = conn->data;
-- struct POP3 *pop3 = data->req.protop;
-+ struct POP3 *pop3 = data->req.p.pop3;
-
- (void)premature;
-
-@@ -1154,7 +1154,7 @@ static CURLcode pop3_perform(struct
connectdata *conn, bool *connected,
- {
- /* This is POP3 and no proxy */
- CURLcode result = CURLE_OK;
-- struct POP3 *pop3 = conn->data->req.protop;
-+ struct POP3 *pop3 = conn->data->req.p.pop3;
-
- DEBUGF(infof(conn->data, "DO phase starts\n"));
-
-@@ -1386,7 +1386,7 @@ static CURLcode pop3_parse_url_path(struct connectdata *conn)
- {
- /* The POP3 struct is already initialised in pop3_connect() */
- struct Curl_easy *data = conn->data;
-- struct POP3 *pop3 = data->req.protop;
-+ struct POP3 *pop3 = data->req.p.pop3;
- const char *path = &data->state.up.path[1]; /* skip leading path */
-
- /* URL decode the path for the message ID */
-@@ -1403,7 +1403,7 @@ static CURLcode pop3_parse_custom_request(struct connectdata *conn)
- {
- CURLcode result = CURLE_OK;
- struct Curl_easy *data = conn->data;
-- struct POP3 *pop3 = data->req.protop;
-+ struct POP3 *pop3 = data->req.p.pop3;
- const char *custom = data->set.str[STRING_CUSTOMREQUEST];
-
- /* URL decode the custom request */
-diff --git a/lib/rtsp.c b/lib/rtsp.c
-index dbd7dc6..29e6d58 100644
---- a/lib/rtsp.c
-+++ b/lib/rtsp.c
-@@ -114,7 +114,7 @@ static CURLcode rtsp_setup_connection(struct connectdata *conn)
- {
- struct RTSP *rtsp;
-
-- conn->data->req.protop = rtsp = calloc(1, sizeof(struct RTSP));
-+ conn->data->req.p.rtsp = rtsp = calloc(1, sizeof(struct RTSP));
- if(!rtsp)
- return CURLE_OUT_OF_MEMORY;
-
-@@ -199,7 +199,7 @@ static CURLcode rtsp_done(struct connectdata *conn,
- CURLcode status, bool premature)
- {
- struct Curl_easy *data = conn->data;
-- struct RTSP *rtsp = data->req.protop;
-+ struct RTSP *rtsp = data->req.p.rtsp;
- CURLcode httpStatus;
-
- /* Bypass HTTP empty-reply checks on receive */
-@@ -232,7 +232,7 @@ static CURLcode rtsp_do(struct connectdata *conn, bool *done)
- struct Curl_easy *data = conn->data;
- CURLcode result = CURLE_OK;
- Curl_RtspReq rtspreq = data->set.rtspreq;
-- struct RTSP *rtsp = data->req.protop;
-+ struct RTSP *rtsp = data->req.p.rtsp;
- struct dynbuf
req_buffer; - curl_off_t postsize = 0; /* for ANNOUNCE and SET_PARAMETER */ - curl_off_t putsize = 0; /* for ANNOUNCE and SET_PARAMETER */ -@@ -764,7 +764,7 @@ CURLcode Curl_rtsp_parseheader(struct connectdata *conn, - /* Store the received CSeq. Match is verified in rtsp_done */ - int nc = sscanf(&header[4], ": %ld", &CSeq); - if(nc == 1) { -- struct RTSP *rtsp = data->req.protop; -+ struct RTSP *rtsp = data->req.p.rtsp; - rtsp->CSeq_recv = CSeq; /* mark the request */ - data->state.rtsp_CSeq_recv = CSeq; /* update the handle */ - } -diff --git a/lib/smb.c b/lib/smb.c -index d493adc..9eba7ab 100644 ---- a/lib/smb.c -+++ b/lib/smb.c -@@ -204,7 +204,7 @@ static void conn_state(struct connectdata *conn, enum smb_conn_state newstate) - static void request_state(struct connectdata *conn, - enum smb_req_state newstate) - { -- struct smb_request *req = conn->data->req.protop; -+ struct smb_request *req = conn->data->req.p.smb; - #if defined(DEBUGBUILD) && !defined(CURL_DISABLE_VERBOSE_STRINGS) - /* For debug purposes */ - static const char * const names[] = { -@@ -234,7 +234,7 @@ static CURLcode smb_setup_connection(struct connectdata *conn) - struct smb_request *req; - - /* Initialize the request state */ -- conn->data->req.protop = req = calloc(1, sizeof(struct smb_request)); -+ conn->data->req.p.smb = req = calloc(1, sizeof(struct smb_request)); - if(!req) - return CURLE_OUT_OF_MEMORY; - -@@ -342,7 +342,7 @@ static void smb_format_message(struct connectdata *conn, struct smb_header *h, - unsigned char cmd, size_t len) - { - struct smb_conn *smbc = &conn->proto.smbc; -- struct smb_request *req = conn->data->req.protop; -+ struct smb_request *req = conn->data->req.p.smb; - unsigned int pid; - - memset(h, 0, sizeof(*h)); -@@ -505,7 +505,7 @@ static CURLcode smb_send_tree_connect(struct connectdata *conn) - - static CURLcode smb_send_open(struct connectdata *conn) - { -- struct smb_request *req = conn->data->req.protop; -+ struct smb_request *req = conn->data->req.p.smb; 
- struct smb_nt_create msg;
- size_t byte_count;
-
-@@ -535,7 +535,7 @@ static CURLcode smb_send_open(struct connectdata *conn)
-
- static CURLcode smb_send_close(struct connectdata *conn)
- {
-- struct smb_request *req = conn->data->req.protop;
-+ struct smb_request *req = conn->data->req.p.smb;
- struct smb_close msg;
-
- memset(&msg, 0, sizeof(msg));
-@@ -556,7 +556,7 @@ static CURLcode smb_send_tree_disconnect(struct connectdata *conn)
-
- static CURLcode smb_send_read(struct connectdata *conn)
- {
-- struct smb_request *req = conn->data->req.protop;
-+ struct smb_request *req = conn->data->req.p.smb;
- curl_off_t offset = conn->data->req.offset;
- struct smb_read msg;
-
-@@ -575,7 +575,7 @@ static CURLcode smb_send_read(struct connectdata *conn)
- static CURLcode smb_send_write(struct connectdata *conn)
- {
- struct smb_write *msg;
-- struct smb_request *req = conn->data->req.protop;
-+ struct smb_request *req = conn->data->req.p.smb;
- curl_off_t offset = conn->data->req.offset;
- curl_off_t upload_size = conn->data->req.size - conn->data->req.bytecount;
- CURLcode result = Curl_get_upload_buffer(conn->data);
-@@ -738,7 +738,7 @@ static void get_posix_time(time_t *out, curl_off_t timestamp)
-
- static CURLcode smb_request_state(struct connectdata *conn, bool *done)
- {
-- struct smb_request *req = conn->data->req.protop;
-+ struct smb_request *req = conn->data->req.p.smb;
- struct smb_header *h;
- struct smb_conn *smbc = &conn->proto.smbc;
- enum smb_req_state next_state = SMB_DONE;
-@@ -923,7 +923,7 @@ static CURLcode smb_done(struct connectdata *conn, CURLcode status,
- bool premature)
- {
- (void) premature;
-- Curl_safefree(conn->data->req.protop);
-+ Curl_safefree(conn->data->req.p.smb);
- return status;
- }
-
-@@ -957,7 +957,7 @@ static CURLcode smb_do(struct connectdata *conn, bool *done)
- static CURLcode smb_parse_url_path(struct connectdata *conn)
- {
- struct Curl_easy *data = conn->data;
-- struct smb_request *req = data->req.protop;
-+ struct smb_request *req = data->req.p.smb;
- struct smb_conn *smbc = &conn->proto.smbc;
- char *path;
- char *slash;
-diff --git a/lib/smtp.c b/lib/smtp.c
-index 685513b..e4f91c2 100644
---- a/lib/smtp.c
-+++ b/lib/smtp.c
-@@ -484,7 +484,7 @@ static CURLcode smtp_perform_command(struct connectdata *conn)
- {
- CURLcode result = CURLE_OK;
- struct Curl_easy *data = conn->data;
-- struct SMTP *smtp = data->req.protop;
-+ struct SMTP *smtp = data->req.p.smtp;
-
- if(smtp->rcpt) {
- /* We notify the server we are sending UTF-8 data if a) it supports the
-@@ -697,7 +697,7 @@ static CURLcode smtp_perform_mail(struct connectdata *conn)
- any there do, as we need to correctly identify our support for SMTPUTF8
- in the envelope, as per RFC-6531 sect. 3.4 */
- if(conn->proto.smtpc.utf8_supported && !utf8) {
-- struct SMTP *smtp = data->req.protop;
-+ struct SMTP *smtp = data->req.p.smtp;
- struct curl_slist *rcpt = smtp->rcpt;
-
- while(rcpt && !utf8) {
-@@ -741,7 +741,7 @@ static CURLcode smtp_perform_rcpt_to(struct connectdata *conn)
- {
- CURLcode result = CURLE_OK;
- struct Curl_easy *data = conn->data;
-- struct SMTP *smtp = data->req.protop;
-+ struct SMTP *smtp = data->req.p.smtp;
- char *address = NULL;
- struct hostname host = { NULL, NULL, NULL, NULL };
-
-@@ -989,7 +989,7 @@ static CURLcode smtp_state_command_resp(struct connectdata *conn, int smtpcode,
- {
- CURLcode result = CURLE_OK;
- struct Curl_easy *data = conn->data;
-- struct SMTP *smtp = data->req.protop;
-+ struct SMTP *smtp = data->req.p.smtp;
- char *line = data->state.buffer;
- size_t len = strlen(line);
-
-@@ -1055,7 +1055,7 @@ static CURLcode smtp_state_rcpt_resp(struct connectdata *conn, int smtpcode,
- {
- CURLcode result = CURLE_OK;
- struct Curl_easy *data = conn->data;
-- struct SMTP *smtp = data->req.protop;
-+ struct SMTP *smtp = data->req.p.smtp;
- bool is_smtp_err = FALSE;
- bool is_smtp_blocking_err = FALSE;
-
-@@ -1278,7 +1278,7 @@ static CURLcode smtp_init(struct connectdata *conn)
- struct Curl_easy *data = conn->data;
- struct SMTP *smtp;
-
-- smtp = data->req.protop = calloc(sizeof(struct SMTP), 1);
-+ smtp = data->req.p.smtp = calloc(sizeof(struct SMTP), 1);
- if(!smtp)
- result = CURLE_OUT_OF_MEMORY;
-
-@@ -1356,7 +1356,7 @@ static CURLcode smtp_done(struct connectdata *conn, CURLcode status,
- {
- CURLcode result = CURLE_OK;
- struct Curl_easy *data = conn->data;
-- struct SMTP *smtp = data->req.protop;
-+ struct SMTP *smtp = data->req.p.smtp;
- struct pingpong *pp = &conn->proto.smtpc.pp;
- char *eob;
- ssize_t len;
-@@ -1442,7 +1442,7 @@ static CURLcode smtp_perform(struct connectdata *conn, bool *connected,
- /* This is SMTP and no proxy */
- CURLcode result = CURLE_OK;
- struct Curl_easy *data = conn->data;
-- struct SMTP *smtp = data->req.protop;
-+ struct SMTP *smtp = data->req.p.smtp;
-
- DEBUGF(infof(conn->data, "DO phase starts\n"));
-
-@@ -1550,7 +1550,7 @@ static CURLcode smtp_disconnect(struct connectdata *conn, bool dead_connection)
- /* Call this when the DO phase has completed */
- static CURLcode smtp_dophase_done(struct connectdata *conn, bool connected)
- {
-- struct SMTP *smtp = conn->data->req.protop;
-+ struct SMTP *smtp = conn->data->req.p.smtp;
-
- (void)connected;
-
-@@ -1703,7 +1703,7 @@ static CURLcode smtp_parse_custom_request(struct connectdata *conn)
- {
- CURLcode result = CURLE_OK;
- struct Curl_easy *data = conn->data;
-- struct SMTP *smtp = data->req.protop;
-+ struct SMTP *smtp = data->req.p.smtp;
- const char *custom = data->set.str[STRING_CUSTOMREQUEST];
-
- /* URL decode the custom request */
-@@ -1794,7 +1794,7 @@ CURLcode Curl_smtp_escape_eob(struct connectdata *conn, const ssize_t nread)
- ssize_t i;
- ssize_t si;
- struct Curl_easy *data = conn->data;
-- struct SMTP *smtp = data->req.protop;
-+ struct SMTP *smtp = data->req.p.smtp;
- char *scratch = data->state.scratch;
- char *newscratch = NULL;
- char *oldscratch = NULL;
-diff --git a/lib/telnet.c b/lib/telnet.c
-index c3b58e5..1fc5af1 100644
---- a/lib/telnet.c
-+++ b/lib/telnet.c
-@@ -247,7 +247,7 @@ CURLcode init_telnet(struct connectdata *conn)
- if(!tn)
- return CURLE_OUT_OF_MEMORY;
-
-- conn->data->req.protop = tn; /* make us known */
-+ conn->data->req.p.telnet = tn; /* make us known */
-
- tn->telrcv_state = CURL_TS_DATA;
-
-@@ -292,7 +292,7 @@ CURLcode init_telnet(struct connectdata *conn)
- static void negotiate(struct connectdata *conn)
- {
- int i;
-- struct TELNET *tn = (struct TELNET *) conn->data->req.protop;
-+ struct TELNET *tn = (struct TELNET *) conn->data->req.p.telnet;
-
- for(i = 0; i < CURL_NTELOPTS; i++) {
- if(i == CURL_TELOPT_ECHO)
-@@ -365,7 +365,7 @@ static void send_negotiation(struct connectdata *conn, int cmd, int option)
- static
- void set_remote_option(struct connectdata *conn, int option, int newstate)
- {
-- struct TELNET *tn = (struct TELNET *)conn->data->req.protop;
-+ struct TELNET *tn = (struct TELNET *)conn->data->req.p.telnet;
- if(newstate == CURL_YES) {
- switch(tn->him[option]) {
- case CURL_NO:
-@@ -439,7 +439,7 @@ void set_remote_option(struct connectdata *conn, int option, int newstate)
- static
- void rec_will(struct connectdata *conn, int option)
- {
-- struct TELNET *tn = (struct TELNET *)conn->data->req.protop;
-+ struct TELNET *tn = (struct TELNET *)conn->data->req.p.telnet;
- switch(tn->him[option]) {
- case CURL_NO:
- if(tn->him_preferred[option] == CURL_YES) {
-@@ -487,7 +487,7 @@ void rec_will(struct connectdata *conn, int option)
- static
- void rec_wont(struct connectdata *conn, int option)
- {
-- struct TELNET *tn = (struct TELNET *)conn->data->req.protop;
-+ struct TELNET *tn = (struct TELNET *)conn->data->req.p.telnet;
- switch(tn->him[option]) {
- case CURL_NO:
- /* Already disabled */
-@@ -529,7 +529,7 @@ void rec_wont(struct connectdata *conn, int option)
- static void
- set_local_option(struct connectdata *conn, int option, int newstate)
- {
-- struct TELNET *tn = (struct TELNET *)conn->data->req.protop;
-+ struct TELNET *tn = (struct TELNET *)conn->data->req.p.telnet;
- if(newstate == CURL_YES) {
- switch(tn->us[option]) {
- case CURL_NO:
-@@ -603,7 +603,7 @@ set_local_option(struct connectdata *conn, int option, int newstate)
- static
- void rec_do(struct connectdata *conn, int option)
- {
-- struct TELNET *tn = (struct TELNET *)conn->data->req.protop;
-+ struct TELNET *tn = (struct TELNET *)conn->data->req.p.telnet;
- switch(tn->us[option]) {
- case CURL_NO:
- if(tn->us_preferred[option] == CURL_YES) {
-@@ -663,7 +663,7 @@ void rec_do(struct connectdata *conn, int option)
- static
- void rec_dont(struct connectdata *conn, int option)
- {
-- struct TELNET *tn = (struct TELNET *)conn->data->req.protop;
-+ struct TELNET *tn = (struct TELNET *)conn->data->req.p.telnet;
- switch(tn->us[option]) {
- case CURL_NO:
- /* Already disabled */
-@@ -822,7 +822,7 @@ static CURLcode check_telnet_options(struct connectdata *conn)
- char option_keyword[128] = "";
- char option_arg[256] = "";
- struct Curl_easy *data = conn->data;
-- struct TELNET *tn = (struct TELNET *)conn->data->req.protop;
-+ struct TELNET *tn = (struct TELNET *)conn->data->req.p.telnet;
- CURLcode result = CURLE_OK;
- int binary_option;
-
-@@ -929,7 +929,7 @@ static void suboption(struct connectdata *conn)
- char varname[128] = "";
- char varval[128] = "";
- struct Curl_easy *data = conn->data;
-- struct TELNET *tn = (struct TELNET *)data->req.protop;
-+ struct TELNET *tn = (struct TELNET *)data->req.p.telnet;
-
- printsub(data, '<', (unsigned char *)tn->subbuffer, CURL_SB_LEN(tn) + 2);
- switch(CURL_SB_GET(tn)) {
-@@ -1004,7 +1004,7 @@ static void sendsuboption(struct connectdata *conn, int option)
- unsigned char *uc1, *uc2;
-
- struct Curl_easy *data = conn->data;
-- struct TELNET *tn = (struct TELNET *)data->req.protop;
-+ struct TELNET *tn = (struct TELNET *)data->req.p.telnet;
-
- switch(option) {
- case CURL_TELOPT_NAWS:
-@@ -1062,7 +1062,7 @@ CURLcode telrcv(struct connectdata *conn,
- int in = 0;
- int startwrite = -1;
- struct Curl_easy *data = conn->data;
-- struct TELNET *tn = (struct TELNET *)data->req.protop;
-+ struct TELNET *tn = (struct TELNET *)data->req.p.telnet;
-
- #define startskipping() \
- if(startwrite >= 0) { \
-@@ -1280,7 +1280,7 @@ static CURLcode send_telnet_data(struct connectdata *conn,
- static CURLcode telnet_done(struct connectdata *conn,
- CURLcode status, bool premature)
- {
-- struct TELNET *tn = (struct TELNET *)conn->data->req.protop;
-+ struct TELNET *tn = (struct TELNET *)conn->data->req.p.telnet;
- (void)status; /* unused */
- (void)premature; /* not used */
-
-@@ -1290,7 +1290,7 @@ static CURLcode telnet_done(struct connectdata *conn,
- curl_slist_free_all(tn->telnet_vars);
- tn->telnet_vars = NULL;
-
-- Curl_safefree(conn->data->req.protop);
-+ Curl_safefree(conn->data->req.p.telnet);
-
- return CURLE_OK;
- }
-@@ -1333,7 +1333,7 @@ static CURLcode telnet_do(struct connectdata *conn, bool *done)
- if(result)
- return result;
-
-- tn = (struct TELNET *)data->req.protop;
-+ tn = data->req.p.telnet;
-
- result = check_telnet_options(conn);
- if(result)
-diff --git a/lib/transfer.c b/lib/transfer.c
-index 133a478..44104ab 100644
---- a/lib/transfer.c
-+++ b/lib/transfer.c
-@@ -167,7 +167,7 @@ CURLcode Curl_fillreadbuffer(struct connectdata *conn, size_t bytes,
- bool sending_http_headers = FALSE;
-
- if(conn->handler->protocol&(PROTO_FAMILY_HTTP|CURLPROTO_RTSP)) {
-- const struct HTTP *http = data->req.protop;
-+ const struct HTTP *http = data->req.p.http;
-
- if(http->sending == HTTPSEND_REQUEST)
- /* We're sending the HTTP request headers, not the data.
-@@ -426,7 +426,7 @@ CURLcode Curl_readrewind(struct connectdata *conn)
- CURLOPT_HTTPPOST, call app to rewind
- */
- if(conn->handler->protocol & PROTO_FAMILY_HTTP) {
-- struct HTTP *http = data->req.protop;
-+ struct HTTP *http = data->req.p.http;
-
- if(http->sendit)
- mimepart = http->sendit;
-@@ -1024,7 +1024,7 @@ static CURLcode readwrite_upload(struct Curl_easy *data,
- /* HTTP pollution, this should be written nicer to become more
- protocol agnostic. */
- size_t fillcount;
-- struct HTTP *http = k->protop;
-+ struct HTTP *http = k->p.http;
-
- if((k->exp100 == EXP100_SENDING_REQUEST) &&
- (http->sending == HTTPSEND_BODY)) {
-@@ -1846,7 +1846,7 @@ Curl_setup_transfer(
- {
- struct SingleRequest *k = &data->req;
- struct connectdata *conn = data->conn;
-- struct HTTP *http = data->req.protop;
-+ struct HTTP *http = data->req.p.http;
- bool httpsending = ((conn->handler->protocol&PROTO_FAMILY_HTTP) &&
- (http->sending == HTTPSEND_REQUEST));
- DEBUGASSERT(conn != NULL);
-diff --git a/lib/url.c b/lib/url.c
-index 41029d6..307b66e 100644
---- a/lib/url.c
-+++ b/lib/url.c
-@@ -2060,7 +2060,7 @@ static CURLcode setup_connection_internals(struct connectdata *conn)
-
- void Curl_free_request_state(struct Curl_easy *data)
- {
-- Curl_safefree(data->req.protop);
-+ Curl_safefree(data->req.p.http);
- Curl_safefree(data->req.newurl);
-
- #ifndef CURL_DISABLE_DOH
-diff --git a/lib/urldata.h b/lib/urldata.h
-index 6d8eb69..df9d998 100644
---- a/lib/urldata.h
-+++ b/lib/urldata.h
-@@ -645,8 +645,23 @@ struct SingleRequest {
- and the 'upload_present' contains the number of bytes available at this
- position */
- char *upload_fromhere;
-- void *protop; /* Allocated protocol-specific data. Each protocol
-- handler makes sure this points to data it needs. */
-+
-+ /* Allocated protocol-specific data. Each protocol handler makes sure this
-+ points to data it needs. */
-+ union {
-+ struct FILEPROTO *file;
-+ struct FTP *ftp;
-+ struct HTTP *http;
-+ struct IMAP *imap;
-+ struct ldapreqinfo *ldap;
-+ struct MQTT *mqtt;
-+ struct POP3 *pop3;
-+ struct RTSP *rtsp;
-+ struct smb_request *smb;
-+ struct SMTP *smtp;
-+ struct SSHPROTO *ssh;
-+ struct TELNET *telnet;
-+ } p;
- #ifndef CURL_DISABLE_DOH
- struct dohdata doh; /* DoH specific data for this request */
- #endif
-diff --git a/lib/vquic/ngtcp2.c b/lib/vquic/ngtcp2.c
-index d29cb37..117d667 100644
---- a/lib/vquic/ngtcp2.c
-+++ b/lib/vquic/ngtcp2.c
-@@ -961,7 +961,7 @@ static int cb_h3_stream_close(nghttp3_conn *conn, int64_t stream_id,
- void *stream_user_data)
- {
- struct Curl_easy *data = stream_user_data;
-- struct HTTP *stream = data->req.protop;
-+ struct HTTP *stream = data->req.p.http;
- (void)conn;
- (void)stream_id;
- (void)app_error_code;
-@@ -1007,7 +1007,7 @@ static int cb_h3_recv_data(nghttp3_conn *conn, int64_t stream_id,
- void *user_data, void *stream_user_data)
- {
- struct Curl_easy *data = stream_user_data;
-- struct HTTP *stream = data->req.protop;
-+ struct HTTP *stream = data->req.p.http;
- CURLcode result = CURLE_OK;
- (void)conn;
-
-@@ -1066,7 +1066,7 @@ static int cb_h3_end_headers(nghttp3_conn *conn, int64_t stream_id,
- void *user_data, void *stream_user_data)
- {
- struct Curl_easy *data = stream_user_data;
-- struct HTTP *stream = data->req.protop;
-+ struct HTTP *stream = data->req.p.http;
- CURLcode result = CURLE_OK;
- (void)conn;
- (void)stream_id;
-@@ -1090,7 +1090,7 @@ static int cb_h3_recv_header(nghttp3_conn *conn, int64_t stream_id,
- nghttp3_vec h3name = nghttp3_rcbuf_get_buf(name);
- nghttp3_vec h3val = nghttp3_rcbuf_get_buf(value);
- struct Curl_easy *data = stream_user_data;
-- struct HTTP *stream = data->req.protop;
-+ struct HTTP *stream = data->req.p.http;
- CURLcode result = CURLE_OK;
- (void)conn;
- (void)stream_id;
-@@ -1254,7 +1254,7 @@ static ssize_t ngh3_stream_recv(struct connectdata *conn,
- CURLcode *curlcode)
- {
- curl_socket_t sockfd = conn->sock[sockindex];
-- struct HTTP *stream = conn->data->req.protop;
-+ struct HTTP *stream = conn->data->req.p.http;
- struct quicsocket *qs = conn->quic;
-
- if(!stream->memlen) {
-@@ -1312,7 +1312,7 @@ static int cb_h3_acked_stream_data(nghttp3_conn *conn, int64_t stream_id,
- void *stream_user_data)
- {
- struct Curl_easy *data = stream_user_data;
-- struct HTTP *stream = data->req.protop;
-+ struct HTTP *stream = data->req.p.http;
- (void)conn;
- (void)stream_id;
- (void)user_data;
-@@ -1334,7 +1334,7 @@ static ssize_t cb_h3_readfunction(nghttp3_conn *conn, int64_t stream_id,
- {
- struct Curl_easy *data = stream_user_data;
- size_t nread;
-- struct HTTP *stream = data->req.protop;
-+ struct HTTP *stream = data->req.p.http;
- (void)conn;
- (void)stream_id;
- (void)user_data;
-@@ -1397,7 +1397,7 @@ static ssize_t cb_h3_readfunction(nghttp3_conn *conn, int64_t stream_id,
- static CURLcode http_request(struct connectdata *conn, const void *mem,
- size_t len)
- {
-- struct HTTP *stream = conn->data->req.protop;
-+ struct HTTP *stream = conn->data->req.p.http;
- size_t nheader;
- size_t i;
- size_t authority_idx;
-@@ -1640,7 +1640,7 @@ static ssize_t ngh3_stream_send(struct connectdata *conn,
- ssize_t sent;
- struct quicsocket *qs = conn->quic;
- curl_socket_t sockfd = conn->sock[sockindex];
-- struct HTTP *stream = conn->data->req.protop;
-+ struct HTTP *stream = conn->data->req.p.http;
-
- if(!stream->h3req) {
- CURLcode result = http_request(conn, mem, len);
-@@ -1908,7 +1908,7 @@ CURLcode Curl_quic_done_sending(struct connectdata *conn)
- {
- if(conn->handler == &Curl_handler_http3) {
- /* only for HTTP/3 transfers */
-- struct HTTP *stream = conn->data->req.protop;
-+ struct HTTP *stream = conn->data->req.p.http;
- struct quicsocket *qs = conn->quic;
- stream->upload_done = TRUE;
- (void)nghttp3_conn_resume_stream(qs->h3conn, stream->stream3_id);
-@@ -1925,7 +1925,7 @@ void Curl_quic_done(struct Curl_easy *data, bool premature)
- (void)premature;
- if(data->conn->handler == &Curl_handler_http3) {
- /* only for HTTP/3 transfers */
-- struct HTTP *stream = data->req.protop;
-+ struct HTTP *stream = data->req.p.http;
- Curl_dyn_free(&stream->overflow);
- }
- }
-@@ -1940,7 +1940,7 @@ bool Curl_quic_data_pending(const struct Curl_easy *data)
- buffer and allocated an overflow buffer. Since it's possible that
- there's no more data coming on the socket, we need to keep reading
- until the overflow buffer is empty. */
-- const struct HTTP *stream = data->req.protop;
-+ const struct HTTP *stream = data->req.p.http;
- return Curl_dyn_len(&stream->overflow) > 0;
- }
-
-diff --git a/lib/vquic/quiche.c b/lib/vquic/quiche.c
-index be6f15c..de9f72b 100644
---- a/lib/vquic/quiche.c
-+++ b/lib/vquic/quiche.c
-@@ -125,7 +125,7 @@ static unsigned int quiche_conncheck(struct connectdata *conn,
-
- static CURLcode quiche_do(struct connectdata *conn, bool *done)
- {
-- struct HTTP *stream = conn->data->req.protop;
-+ struct HTTP *stream = conn->data->req.p.http;
- stream->h3req = FALSE; /* not sent */
- return Curl_http(conn, done);
- }
-@@ -454,7 +454,7 @@ static ssize_t h3_stream_recv(struct connectdata *conn,
- int rc;
- struct h3h1header headers;
- struct Curl_easy *data = conn->data;
-- struct HTTP *stream = data->req.protop;
-+ struct HTTP *stream = data->req.p.http;
- headers.dest = buf;
- headers.destlen = buffersize;
- headers.nlen = 0;
-@@ -542,7 +542,7 @@ static ssize_t h3_stream_send(struct connectdata *conn,
- ssize_t sent;
- struct quicsocket *qs = conn->quic;
- curl_socket_t sockfd = conn->sock[sockindex];
-- struct HTTP *stream = conn->data->req.protop;
-+ struct HTTP *stream = conn->data->req.p.http;
-
- if(!stream->h3req) {
- CURLcode result = http_request(conn, mem, len);
-@@ -590,7 +590,7 @@ static CURLcode http_request(struct connectdata *conn, const void *mem,
- {
- /*
- */
-- struct HTTP *stream = conn->data->req.protop;
-+ struct HTTP *stream = conn->data->req.p.http;
- size_t nheader;
- size_t i;
- size_t authority_idx;
-@@ -818,7 +818,7 @@ CURLcode Curl_quic_done_sending(struct connectdata *conn)
- if(conn->handler == &Curl_handler_http3) {
- /* only for HTTP/3 transfers */
- ssize_t sent;
-- struct HTTP *stream = conn->data->req.protop;
-+ struct HTTP *stream = conn->data->req.p.http;
- struct quicsocket *qs = conn->quic;
- fprintf(stderr, "!!! Curl_quic_done_sending\n");
- stream->upload_done = TRUE;
-diff --git a/lib/vssh/libssh.c b/lib/vssh/libssh.c
-index 8988e23..a84e1bf 100644
---- a/lib/vssh/libssh.c
-+++ b/lib/vssh/libssh.c
-@@ -662,7 +662,7 @@ static CURLcode myssh_statemach_act(struct connectdata *conn, bool *block)
- {
- CURLcode result = CURLE_OK;
- struct Curl_easy *data = conn->data;
-- struct SSHPROTO *protop = data->req.protop;
-+ struct SSHPROTO *protop = data->req.p.ssh;
- struct ssh_conn *sshc = &conn->proto.sshc;
- curl_socket_t sock = conn->sock[FIRSTSOCKET];
- int rc = SSH_NO_ERROR, err;
-@@ -2129,7 +2129,7 @@ static CURLcode myssh_setup_connection(struct connectdata *conn)
- {
- struct SSHPROTO *ssh;
-
-- conn->data->req.protop = ssh = calloc(1, sizeof(struct SSHPROTO));
-+ conn->data->req.p.ssh = ssh = calloc(1, sizeof(struct SSHPROTO));
- if(!ssh)
- return CURLE_OUT_OF_MEMORY;
-
-@@ -2152,7 +2152,7 @@ static CURLcode myssh_connect(struct connectdata *conn, bool *done)
- int rc;
-
- /* initialize per-handle data if not already */
-- if(!data->req.protop)
-+ if(!data->req.p.ssh)
- myssh_setup_connection(conn);
-
- /* We default to persistent connections. We set this already in this connect
-@@ -2353,7 +2353,7 @@ static CURLcode scp_disconnect(struct connectdata *conn,
- static CURLcode myssh_done(struct connectdata *conn, CURLcode status)
- {
- CURLcode result = CURLE_OK;
-- struct SSHPROTO *protop = conn->data->req.protop;
-+ struct SSHPROTO *protop = conn->data->req.p.ssh;
-
- if(!status) {
- /* run the state-machine */
-@@ -2606,7 +2606,7 @@ static void sftp_quote(struct connectdata *conn)
- {
- const char *cp;
- struct Curl_easy *data = conn->data;
-- struct SSHPROTO *protop = data->req.protop;
-+ struct SSHPROTO *protop = data->req.p.ssh;
- struct ssh_conn *sshc = &conn->proto.sshc;
- CURLcode result;
-
-diff --git a/lib/vssh/libssh2.c b/lib/vssh/libssh2.c
-index 555afc9..f55db93 100644
---- a/lib/vssh/libssh2.c
-+++ b/lib/vssh/libssh2.c
-@@ -789,7 +789,7 @@ static CURLcode ssh_statemach_act(struct connectdata *conn, bool *block)
- {
- CURLcode result = CURLE_OK;
- struct Curl_easy *data = conn->data;
-- struct SSHPROTO *sftp_scp = data->req.protop;
-+ struct SSHPROTO *sftp_scp = data->req.p.ssh;
- struct ssh_conn *sshc = &conn->proto.sshc;
- curl_socket_t sock = conn->sock[FIRSTSOCKET];
- int rc = LIBSSH2_ERROR_NONE;
-@@ -2989,7 +2989,7 @@ static CURLcode ssh_setup_connection(struct connectdata *conn)
- {
- struct SSHPROTO *ssh;
-
-- conn->data->req.protop = ssh = calloc(1, sizeof(struct SSHPROTO));
-+ conn->data->req.p.ssh = ssh = calloc(1, sizeof(struct SSHPROTO));
- if(!ssh)
- return CURLE_OUT_OF_MEMORY;
-
-@@ -3013,7 +3013,7 @@ static CURLcode ssh_connect(struct connectdata *conn, bool *done)
- struct Curl_easy *data = conn->data;
-
- /* initialize per-handle data if not already */
-- if(!data->req.protop)
-+ if(!data->req.p.ssh)
- ssh_setup_connection(conn);
-
- /* We default to persistent connections. We set this already in this connect
-@@ -3192,7 +3192,7 @@ static CURLcode scp_disconnect(struct connectdata *conn, bool dead_connection)
- static CURLcode ssh_done(struct connectdata *conn, CURLcode status)
- {
- CURLcode result = CURLE_OK;
-- struct SSHPROTO *sftp_scp = conn->data->req.protop;
-+ struct SSHPROTO *sftp_scp = conn->data->req.p.ssh;
-
- if(!status) {
- /* run the state-machine */
-diff --git a/lib/vssh/wolfssh.c b/lib/vssh/wolfssh.c
-index dcbbab6..1b990e3 100644
---- a/lib/vssh/wolfssh.c
-+++ b/lib/vssh/wolfssh.c
-@@ -322,7 +322,7 @@ static CURLcode wssh_setup_connection(struct connectdata *conn)
- {
- struct SSHPROTO *ssh;
-
-- conn->data->req.protop = ssh = calloc(1, sizeof(struct SSHPROTO));
-+ conn->data->req.p.ssh = ssh = calloc(1, sizeof(struct SSHPROTO));
- if(!ssh)
- return CURLE_OUT_OF_MEMORY;
-
-@@ -356,7 +356,7 @@ static CURLcode wssh_connect(struct connectdata *conn, bool *done)
- int rc;
-
- /* initialize per-handle data if not already */
-- if(!data->req.protop)
-+ if(!data->req.p.ssh)
- wssh_setup_connection(conn);
-
- /* We default to persistent connections. We set this already in this connect
-@@ -429,7 +429,7 @@ static CURLcode wssh_statemach_act(struct connectdata *conn, bool *block)
- CURLcode result = CURLE_OK;
- struct ssh_conn *sshc = &conn->proto.sshc;
- struct Curl_easy *data = conn->data;
-- struct SSHPROTO *sftp_scp = data->req.protop;
-+ struct SSHPROTO *sftp_scp = data->req.p.ssh;
- WS_SFTPNAME *name;
- int rc = 0;
- *block = FALSE; /* we're not blocking by default */
-@@ -1027,7 +1027,7 @@ static CURLcode wssh_block_statemach(struct connectdata *conn,
- static CURLcode wssh_done(struct connectdata *conn, CURLcode status)
- {
- CURLcode result = CURLE_OK;
-- struct SSHPROTO *sftp_scp = conn->data->req.protop;
-+ struct SSHPROTO *sftp_scp = conn->data->req.p.ssh;
-
- if(!status) {
- /* run the state-machine */
---
-2.26.2
-
-
-From 1958c2008bbcde60e22bcd3bfc738c0dad70d71d Mon Sep 17 00:00:00 2001
-From: Daniel Stenberg
-Date: Sat, 28 Nov 2020 00:27:21 +0100
-Subject: [PATCH 2/2] ftp: make wc_statemach loop instead of recurse
-
-CVE-2020-8285
-
-Fixes #6255
-Bug: https://curl.se/docs/CVE-2020-8285.html
-Reported-by: xnynx on github
-
-Upstream-commit: 69a358f2186e04cf44698b5100332cbf1ee7f01d
-Signed-off-by: Kamil Dudka
----
- lib/ftp.c | 202 +++++++++++++++++++++++++++---------------------------
- 1 file changed, 102 insertions(+), 100 deletions(-)
-
-diff --git a/lib/ftp.c b/lib/ftp.c
-index 5195b67..71c9642 100644
---- a/lib/ftp.c
-+++ b/lib/ftp.c
-@@ -3784,129 +3784,131 @@ static CURLcode init_wc_data(struct connectdata *conn)
- return result;
- }
-
--/* This is called recursively */
- static CURLcode wc_statemach(struct connectdata *conn)
- {
- struct WildcardData * const wildcard = &(conn->data->wildcard);
- CURLcode result = CURLE_OK;
-
-- switch(wildcard->state) {
-- case CURLWC_INIT:
-- result = init_wc_data(conn);
-- if(wildcard->state == CURLWC_CLEAN)
-- /* only listing! */
-- break;
-- wildcard->state = result ? CURLWC_ERROR : CURLWC_MATCHING;
-- break;
-+ for(;;) {
-+ switch(wildcard->state) {
-+ case CURLWC_INIT:
-+ result = init_wc_data(conn);
-+ if(wildcard->state == CURLWC_CLEAN)
-+ /* only listing! */
-+ return result;
-+ wildcard->state = result ? CURLWC_ERROR : CURLWC_MATCHING;
-+ return result;
-
-- case CURLWC_MATCHING: {
-- /* In this state is LIST response successfully parsed, so lets restore
-- previous WRITEFUNCTION callback and WRITEDATA pointer */
-- struct ftp_wc *ftpwc = wildcard->protdata;
-- conn->data->set.fwrite_func = ftpwc->backup.write_function;
-- conn->data->set.out = ftpwc->backup.file_descriptor;
-- ftpwc->backup.write_function = ZERO_NULL;
-- ftpwc->backup.file_descriptor = NULL;
-- wildcard->state = CURLWC_DOWNLOADING;
--
-- if(Curl_ftp_parselist_geterror(ftpwc->parser)) {
-- /* error found in LIST parsing */
-- wildcard->state = CURLWC_CLEAN;
-- return wc_statemach(conn);
-- }
-- if(wildcard->filelist.size == 0) {
-- /* no corresponding file */
-- wildcard->state = CURLWC_CLEAN;
-- return CURLE_REMOTE_FILE_NOT_FOUND;
-+ case CURLWC_MATCHING: {
-+ /* In this state is LIST response successfully parsed, so lets restore
-+ previous WRITEFUNCTION callback and WRITEDATA pointer */
-+ struct ftp_wc *ftpwc = wildcard->protdata;
-+ conn->data->set.fwrite_func = ftpwc->backup.write_function;
-+ conn->data->set.out = ftpwc->backup.file_descriptor;
-+ ftpwc->backup.write_function = ZERO_NULL;
-+ ftpwc->backup.file_descriptor = NULL;
-+ wildcard->state = CURLWC_DOWNLOADING;
-+
-+ if(Curl_ftp_parselist_geterror(ftpwc->parser)) {
-+ /* error found in LIST parsing */
-+ wildcard->state = CURLWC_CLEAN;
-+ continue;
-+ }
-+ if(wildcard->filelist.size == 0) {
-+ /* no corresponding file */
-+ wildcard->state = CURLWC_CLEAN;
-+ return CURLE_REMOTE_FILE_NOT_FOUND;
-+ }
-+ continue;
- }
-- return wc_statemach(conn);
-- }
-
-- case CURLWC_DOWNLOADING: {
-- /* filelist has at least one file, lets get first one */
-- struct ftp_conn *ftpc = &conn->proto.ftpc;
-- struct curl_fileinfo *finfo = wildcard->filelist.head->ptr;
-- struct FTP *ftp = conn->data->req.p.ftp;
-+ case CURLWC_DOWNLOADING: {
-+ /* filelist has at least one file, lets get first one */
-+ struct ftp_conn *ftpc = &conn->proto.ftpc;
-+ struct curl_fileinfo *finfo = wildcard->filelist.head->ptr;
-+ struct FTP *ftp = conn->data->req.p.ftp;
-
-- char *tmp_path = aprintf("%s%s", wildcard->path, finfo->filename);
-- if(!tmp_path)
-- return CURLE_OUT_OF_MEMORY;
-+ char *tmp_path = aprintf("%s%s", wildcard->path, finfo->filename);
-+ if(!tmp_path)
-+ return CURLE_OUT_OF_MEMORY;
-
-- /* switch default ftp->path and tmp_path */
-- free(ftp->pathalloc);
-- ftp->pathalloc = ftp->path = tmp_path;
--
-- infof(conn->data, "Wildcard - START of \"%s\"\n", finfo->filename);
-- if(conn->data->set.chunk_bgn) {
-- long userresponse;
-- Curl_set_in_callback(conn->data, true);
-- userresponse = conn->data->set.chunk_bgn(
-- finfo, wildcard->customptr, (int)wildcard->filelist.size);
-- Curl_set_in_callback(conn->data, false);
-- switch(userresponse) {
-- case CURL_CHUNK_BGN_FUNC_SKIP:
-- infof(conn->data, "Wildcard - \"%s\" skipped by user\n",
-- finfo->filename);
-- wildcard->state = CURLWC_SKIP;
-- return wc_statemach(conn);
-- case CURL_CHUNK_BGN_FUNC_FAIL:
-- return CURLE_CHUNK_FAILED;
-+ /* switch default ftp->path and tmp_path */
-+ free(ftp->pathalloc);
-+ ftp->pathalloc = ftp->path = tmp_path;
-+
-+ infof(conn->data, "Wildcard - START of \"%s\"\n", finfo->filename);
-+ if(conn->data->set.chunk_bgn) {
-+ long userresponse;
-+ Curl_set_in_callback(conn->data, true);
-+ userresponse = conn->data->set.chunk_bgn(
-+ finfo, wildcard->customptr, (int)wildcard->filelist.size);
-+ Curl_set_in_callback(conn->data, false);
-+ switch(userresponse) {
-+ case CURL_CHUNK_BGN_FUNC_SKIP:
-+ infof(conn->data, "Wildcard - \"%s\" skipped by user\n",
-+ finfo->filename);
-+ wildcard->state = CURLWC_SKIP;
-+ continue;
-+ case CURL_CHUNK_BGN_FUNC_FAIL:
-+ return CURLE_CHUNK_FAILED;
-+ }
- }
-- }
-
-- if(finfo->filetype != CURLFILETYPE_FILE) {
-- wildcard->state = CURLWC_SKIP;
-- return wc_statemach(conn);
-- }
-+ if(finfo->filetype != CURLFILETYPE_FILE) {
-+ wildcard->state = CURLWC_SKIP;
-+ continue;
-+ }
-
-- if(finfo->flags & CURLFINFOFLAG_KNOWN_SIZE)
-- ftpc->known_filesize = finfo->size;
-+ if(finfo->flags & CURLFINFOFLAG_KNOWN_SIZE)
-+ ftpc->known_filesize = finfo->size;
-
-- result = ftp_parse_url_path(conn);
-- if(result)
-- return result;
-+ result = ftp_parse_url_path(conn);
-+ if(result)
-+ return result;
-
-- /* we don't need the Curl_fileinfo of first file anymore */
-- Curl_llist_remove(&wildcard->filelist, wildcard->filelist.head, NULL);
-+ /* we don't need the Curl_fileinfo of first file anymore */
-+ Curl_llist_remove(&wildcard->filelist, wildcard->filelist.head, NULL);
-
-- if(wildcard->filelist.size == 0) { /* remains only one file to down. */
-- wildcard->state = CURLWC_CLEAN;
-- /* after that will be ftp_do called once again and no transfer
-- will be done because of CURLWC_CLEAN state */
-- return CURLE_OK;
-+ if(wildcard->filelist.size == 0) { /* remains only one file to down. */
-+ wildcard->state = CURLWC_CLEAN;
-+ /* after that will be ftp_do called once again and no transfer
-+ will be done because of CURLWC_CLEAN state */
-+ return CURLE_OK;
-+ }
-+ return result;
- }
-- } break;
-
-- case CURLWC_SKIP: {
-- if(conn->data->set.chunk_end) {
-- Curl_set_in_callback(conn->data, true);
-- conn->data->set.chunk_end(conn->data->wildcard.customptr);
-- Curl_set_in_callback(conn->data, false);
-+ case CURLWC_SKIP: {
-+ if(conn->data->set.chunk_end) {
-+ Curl_set_in_callback(conn->data, true);
-+ conn->data->set.chunk_end(conn->data->wildcard.customptr);
-+ Curl_set_in_callback(conn->data, false);
-+ }
-+ Curl_llist_remove(&wildcard->filelist, wildcard->filelist.head, NULL);
-+ wildcard->state = (wildcard->filelist.size == 0) ?
-+ CURLWC_CLEAN : CURLWC_DOWNLOADING;
-+ continue;
- }
-- Curl_llist_remove(&wildcard->filelist, wildcard->filelist.head, NULL);
-- wildcard->state = (wildcard->filelist.size == 0) ?
-- CURLWC_CLEAN : CURLWC_DOWNLOADING;
-- return wc_statemach(conn);
-- }
-
-- case CURLWC_CLEAN: {
-- struct ftp_wc *ftpwc = wildcard->protdata;
-- result = CURLE_OK;
-- if(ftpwc)
-- result = Curl_ftp_parselist_geterror(ftpwc->parser);
-+ case CURLWC_CLEAN: {
-+ struct ftp_wc *ftpwc = wildcard->protdata;
-+ result = CURLE_OK;
-+ if(ftpwc)
-+ result = Curl_ftp_parselist_geterror(ftpwc->parser);
-
-- wildcard->state = result ? CURLWC_ERROR : CURLWC_DONE;
-- } break;
-+ wildcard->state = result ? CURLWC_ERROR : CURLWC_DONE;
-+ return result;
-+ }
-
-- case CURLWC_DONE:
-- case CURLWC_ERROR:
-- case CURLWC_CLEAR:
-- if(wildcard->dtor)
-- wildcard->dtor(wildcard->protdata);
-- break;
-+ case CURLWC_DONE:
-+ case CURLWC_ERROR:
-+ case CURLWC_CLEAR:
-+ if(wildcard->dtor)
-+ wildcard->dtor(wildcard->protdata);
-+ return result;
-+ }
- }
--
-- return result;
-+ /* UNREACHABLE */
- }
-
- /***********************************************************************
---
-2.26.2
-
diff --git a/0007-curl-7.71.1-CVE-2020-8286.patch b/0007-curl-7.71.1-CVE-2020-8286.patch
deleted file mode 100644
index ecd9401..0000000
--- a/0007-curl-7.71.1-CVE-2020-8286.patch
+++ /dev/null
@@ -1,129 +0,0 @@
-From 2ad3b3d39e45a9eeaf6845f393928ef0095893e7 Mon Sep 17 00:00:00 2001
-From: Daniel Stenberg
-Date: Wed, 2 Dec 2020 23:01:11 +0100
-Subject: [PATCH] openssl: make the OCSP verification verify the certificate id
-
-CVE-2020-8286
-
-Reported by anonymous
-
-Bug: https://curl.se/docs/CVE-2020-8286.html
-
-Upstream-commit: d9d01672785b8ac04aab1abb6de95fe3072ae199
-Signed-off-by: Kamil Dudka
----
- lib/vtls/openssl.c | 83 ++++++++++++++++++++++++++++++----------------
- 1 file changed, 54 insertions(+), 29 deletions(-)
-
-diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
-index 2e9f900..5803fd1 100644
---- a/lib/vtls/openssl.c
-+++ b/lib/vtls/openssl.c
-@@ -1775,6 +1775,11 @@ static CURLcode verifystatus(struct connectdata *conn,
- X509_STORE *st = NULL;
- STACK_OF(X509) *ch = NULL;
- struct ssl_backend_data *backend = connssl->backend;
-+ X509 *cert;
-+ OCSP_CERTID *id = NULL;
-+ int cert_status, crl_reason;
-+ ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd;
-+ int ret;
-
- long len = SSL_get_tlsext_status_ocsp_resp(backend->handle, &status);
-
-@@ -1843,43 +1848,63 @@ static CURLcode verifystatus(struct connectdata *conn,
- goto end;
- }
-
-- for(i = 0; i < OCSP_resp_count(br); i++) {
-- int cert_status, crl_reason;
-- OCSP_SINGLERESP *single = NULL;
--
-- ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd;
-+ /* Compute the certificate's ID */
-+ cert = SSL_get_peer_certificate(backend->handle);
-+ if(!cert) {
-+ failf(data, "Error getting peer certficate");
-+ result = CURLE_SSL_INVALIDCERTSTATUS;
-+ goto end;
-+ }
-
-- single = OCSP_resp_get0(br, i);
-- if(!single)
-- continue;
-+ for(i = 0; i < sk_X509_num(ch); i++) {
-+ X509 *issuer = sk_X509_value(ch, i);
-+ if(X509_check_issued(issuer, cert) == X509_V_OK) {
-+ id = OCSP_cert_to_id(EVP_sha1(), cert, issuer);
-+ break;
-+ }
-+ }
-+ X509_free(cert);
-
-- cert_status = OCSP_single_get0_status(single, &crl_reason, &rev,
-- &thisupd, &nextupd);
-+ if(!id) {
-+ failf(data, "Error computing OCSP ID");
-+ result = CURLE_SSL_INVALIDCERTSTATUS;
-+ goto end;
-+ }
-
-- if(!OCSP_check_validity(thisupd, nextupd, 300L, -1L)) {
-- failf(data, "OCSP response has expired");
-- result = CURLE_SSL_INVALIDCERTSTATUS;
-- goto end;
-- }
-+ /* Find the single OCSP response corresponding to the certificate ID */
-+ ret = OCSP_resp_find_status(br, id, &cert_status, &crl_reason, &rev,
-+ &thisupd, &nextupd);
-+ OCSP_CERTID_free(id);
-+ if(ret != 1) {
-+ failf(data, "Could not find certificate ID in OCSP response");
-+ result = CURLE_SSL_INVALIDCERTSTATUS;
-+ goto end;
-+ }
-
-- infof(data, "SSL certificate status: %s (%d)\n",
-- OCSP_cert_status_str(cert_status), cert_status);
-+ /* Validate the corresponding single OCSP response */
-+ if(!OCSP_check_validity(thisupd, nextupd, 300L, -1L)) {
-+ failf(data, "OCSP response has expired");
-+ result = CURLE_SSL_INVALIDCERTSTATUS;
-+ goto end;
-+ }
-
-- switch(cert_status) {
-- case V_OCSP_CERTSTATUS_GOOD:
-- break;
-+ infof(data, "SSL certificate status: %s (%d)\n",
-+ OCSP_cert_status_str(cert_status), cert_status);
-
-- case V_OCSP_CERTSTATUS_REVOKED:
-- result = CURLE_SSL_INVALIDCERTSTATUS;
-+ switch(cert_status) {
-+ case V_OCSP_CERTSTATUS_GOOD:
-+ break;
-
-- failf(data, "SSL certificate revocation reason: %s (%d)",
-- OCSP_crl_reason_str(crl_reason), crl_reason);
-- goto end;
-+ case V_OCSP_CERTSTATUS_REVOKED:
-+ result = CURLE_SSL_INVALIDCERTSTATUS;
-+ failf(data, "SSL certificate revocation reason: %s (%d)",
-+ OCSP_crl_reason_str(crl_reason), crl_reason);
-+ goto end;
-
-- case V_OCSP_CERTSTATUS_UNKNOWN:
-- result = CURLE_SSL_INVALIDCERTSTATUS;
-- goto end;
-- }
-+ case V_OCSP_CERTSTATUS_UNKNOWN:
-+ default:
-+ result = CURLE_SSL_INVALIDCERTSTATUS;
-+ goto end;
- }
-
- end:
---
-2.26.2
-
diff --git a/0008-curl-7.71.1-CVE-2021-22876.patch b/0008-curl-7.71.1-CVE-2021-22876.patch
deleted file mode 100644
index b2c66aa..0000000
--- a/0008-curl-7.71.1-CVE-2021-22876.patch
+++ /dev/null
@@ -1,64 +0,0 @@
-From 1c875f3e08124c32205a7d33b5c10256ff9352cc Mon Sep 17 00:00:00 2001
-From: Viktor Szakats
-Date: Tue, 23 Feb 2021 14:54:46 +0100
-Subject: [PATCH] transfer: strip credentials from the auto-referer header
- field
-
-Added test 2081 to verify.
-
-CVE-2021-22876
-
-Bug: https://curl.se/docs/CVE-2021-22876.html
-
-Upstream-commit: 7214288898f5625a6cc196e22a74232eada7861c
-Signed-off-by: Kamil Dudka
----
- lib/transfer.c | 24 ++++++++++++++++++++++--
- 1 file changed, 22 insertions(+), 2 deletions(-)
-
-diff --git a/lib/transfer.c b/lib/transfer.c
-index 44104ab..3325a0e 100644
---- a/lib/transfer.c
-+++ b/lib/transfer.c
-@@ -1582,6 +1582,9 @@ CURLcode Curl_follow(struct Curl_easy *data,
- data->set.followlocation++; /* count location-followers */
-
- if(data->set.http_auto_referer) {
-+ CURLU *u;
-+ char *referer;
-+
- /* We are asked to automatically set the previous URL as the referer
- when we get the next URL. We pick the ->url field, which may or may
- not be 100% correct */
-@@ -1591,9 +1594,26 @@ CURLcode Curl_follow(struct Curl_easy *data,
- data->change.referer_alloc = FALSE;
- }
-
-- data->change.referer = strdup(data->change.url);
-- if(!data->change.referer)
-+ /* Make a copy of the URL without crenditals and fragment */
-+ u = curl_url();
-+ if(!u)
-+ return CURLE_OUT_OF_MEMORY;
-+
-+ uc = curl_url_set(u, CURLUPART_URL, data->change.url, 0);
-+ if(!uc)
-+ uc = curl_url_set(u, CURLUPART_FRAGMENT, NULL, 0);
-+ if(!uc)
-+ uc = curl_url_set(u, CURLUPART_USER, NULL, 0);
-+ if(!uc)
-+ uc = curl_url_set(u, CURLUPART_PASSWORD, NULL, 0);
-+ if(!uc)
-+ uc = curl_url_get(u, CURLUPART_URL, &referer, 0);
-+
-+ curl_url_cleanup(u);
-+
-+ if(uc || referer == NULL)
- return CURLE_OUT_OF_MEMORY;
-+ data->change.referer = referer;
- data->change.referer_alloc = TRUE; /* yes, free this later */
- }
- }
---
-2.26.3
-
diff --git a/0009-curl-7.71.1-CVE-2021-22890.patch b/0009-curl-7.71.1-CVE-2021-22890.patch
deleted file mode 100644
index 2d2b874..0000000
--- a/0009-curl-7.71.1-CVE-2021-22890.patch
+++ /dev/null
@@ -1,217 +0,0 @@
-From 840011af52fcdac15a749f14f19b00401a49dc51 Mon Sep 17 00:00:00 2001
-From: Daniel Stenberg
-Date: Fri, 19 Mar 2021 12:38:49 +0100
-Subject: [PATCH] vtls: add 'isproxy' argument to Curl_ssl_get/addsessionid()
-
-To make sure we set and extract the correct session.
-
-Reported-by: Mingtao Yang
-Bug: https://curl.se/docs/CVE-2021-22890.html
-
-CVE-2021-22890
-
-Upstream-commit: b09c8ee15771c614c4bf3ddac893cdb12187c844
-Signed-off-by: Kamil Dudka
----
- lib/vtls/openssl.c | 52 +++++++++++++++++++++++++++++++++++-----------
- lib/vtls/vtls.c | 12 ++++++++---
- lib/vtls/vtls.h | 2 ++
- 3 files changed, 51 insertions(+), 15 deletions(-)
-
-diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
-index 5803fd1..16276f3 100644
---- a/lib/vtls/openssl.c
-+++ b/lib/vtls/openssl.c
-@@ -360,12 +360,23 @@ static int ossl_get_ssl_conn_index(void)
- */
- static int ossl_get_ssl_sockindex_index(void)
- {
-- static int ssl_ex_data_sockindex_index = -1;
-- if(ssl_ex_data_sockindex_index < 0) {
-- ssl_ex_data_sockindex_index = SSL_get_ex_new_index(0, NULL, NULL, NULL,
-- NULL);
-+ static int sockindex_index = -1;
-+ if(sockindex_index < 0) {
-+ sockindex_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL);
- }
-- return ssl_ex_data_sockindex_index;
-+ return sockindex_index;
-+}
-+
-+/* Return an extra data index for proxy boolean.
-+ * This index can be used with SSL_get_ex_data() and SSL_set_ex_data().
-+ */
-+static int ossl_get_proxy_index(void)
-+{
-+ static int proxy_index = -1;
-+ if(proxy_index < 0) {
-+ proxy_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL);
-+ }
-+ return proxy_index;
- }
-
- static int passwd_callback(char *buf, int num, int encrypting,
-@@ -1133,7 +1144,8 @@ static int Curl_ossl_init(void)
- Curl_tls_keylog_open();
-
- /* Initialize the extra data indexes */
-- if(ossl_get_ssl_conn_index() < 0 || ossl_get_ssl_sockindex_index() < 0)
-+ if(ossl_get_ssl_conn_index() < 0 ||
-+ ossl_get_ssl_sockindex_index() < 0 || ossl_get_proxy_index() < 0)
- return 0;
-
- return 1;
-@@ -2425,8 +2437,10 @@ static int ossl_new_session_cb(SSL *ssl, SSL_SESSION *ssl_sessionid)
- curl_socket_t *sockindex_ptr;
- int connectdata_idx = ossl_get_ssl_conn_index();
- int sockindex_idx = ossl_get_ssl_sockindex_index();
-+ int proxy_idx = ossl_get_proxy_index();
-+ bool isproxy;
-
-- if(connectdata_idx < 0 || sockindex_idx < 0)
-+ if(connectdata_idx < 0 || sockindex_idx < 0 || proxy_idx < 0)
- return 0;
-
- conn = (struct connectdata*) SSL_get_ex_data(ssl, connectdata_idx);
-@@ -2439,13 +2453,18 @@ static int ossl_new_session_cb(SSL *ssl, SSL_SESSION *ssl_sessionid)
- sockindex_ptr = (curl_socket_t*) SSL_get_ex_data(ssl, sockindex_idx);
- sockindex = (int)(sockindex_ptr - conn->sock);
-
-+ isproxy = SSL_get_ex_data(ssl, proxy_idx) ? TRUE : FALSE;
-+
- if(SSL_SET_OPTION(primary.sessionid)) {
- bool incache;
- void *old_ssl_sessionid = NULL;
-
- Curl_ssl_sessionid_lock(conn);
-- incache = !(Curl_ssl_getsessionid(conn, &old_ssl_sessionid, NULL,
-- sockindex));
-+ if(isproxy)
-+ incache = FALSE;
-+ else
-+ incache = !(Curl_ssl_getsessionid(conn, isproxy,
-+ &old_ssl_sessionid, NULL, sockindex));
- if(incache) {
- if(old_ssl_sessionid != ssl_sessionid) {
- infof(data, "old SSL session ID is stale, removing\n");
-@@ -2455,7 +2474,7 @@ static int ossl_new_session_cb(SSL *ssl, SSL_SESSION *ssl_sessionid)
- }
-
- if(!incache) {
-- if(!Curl_ssl_addsessionid(conn, ssl_sessionid,
-+ if(!Curl_ssl_addsessionid(conn, isproxy, ssl_sessionid,
- 0 /* unknown size */, sockindex)) {
- /* the session has been put into the session cache */
- res = 1;
-@@ -3170,16 +3189,25 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
- void *ssl_sessionid = NULL;
- int connectdata_idx = ossl_get_ssl_conn_index();
- int sockindex_idx = ossl_get_ssl_sockindex_index();
-+ int proxy_idx = ossl_get_proxy_index();
-
-- if(connectdata_idx >= 0 && sockindex_idx >= 0) {
-+ if(connectdata_idx >= 0 && sockindex_idx >= 0 && proxy_idx >= 0) {
- /* Store the data needed for the "new session" callback.
- * The sockindex is stored as a pointer to an array element. */
- SSL_set_ex_data(backend->handle, connectdata_idx, conn);
- SSL_set_ex_data(backend->handle, sockindex_idx, conn->sock + sockindex);
-+#ifndef CURL_DISABLE_PROXY
-+ SSL_set_ex_data(backend->handle, proxy_idx, SSL_IS_PROXY() ? (void *) 1:
-+ NULL);
-+#else
-+ SSL_set_ex_data(backend->handle, proxy_idx, NULL);
-+#endif
-+
- }
-
- Curl_ssl_sessionid_lock(conn);
-- if(!Curl_ssl_getsessionid(conn, &ssl_sessionid, NULL, sockindex)) {
-+ if(!Curl_ssl_getsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE,
-+ &ssl_sessionid, NULL, sockindex)) {
- /* we got a session id, use it! */
- if(!SSL_set_session(backend->handle, ssl_sessionid)) {
- Curl_ssl_sessionid_unlock(conn);
-diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
-index c3a55fb..e50fdd2 100644
---- a/lib/vtls/vtls.c
-+++ b/lib/vtls/vtls.c
-@@ -358,6 +358,7 @@ void Curl_ssl_sessionid_unlock(struct connectdata *conn)
- * there's one suitable, it is provided. Returns TRUE when no entry matched.
- */
- bool Curl_ssl_getsessionid(struct connectdata *conn,
-+ const bool isProxy,
- void **ssl_sessionid,
- size_t *idsize, /* set 0 if unknown */
- int sockindex)
-@@ -369,7 +370,6 @@ bool Curl_ssl_getsessionid(struct connectdata *conn,
- bool no_match = TRUE;
-
- #ifndef CURL_DISABLE_PROXY
-- const bool isProxy = CONNECT_PROXY_SSL();
- struct ssl_primary_config * const ssl_config = isProxy ?
- &conn->proxy_ssl_config :
- &conn->ssl_config;
-@@ -381,10 +381,15 @@ bool Curl_ssl_getsessionid(struct connectdata *conn,
- struct ssl_primary_config * const ssl_config = &conn->ssl_config;
- const char * const name = conn->host.name;
- int port = conn->remote_port;
-- (void)sockindex;
- #endif
-+ (void)sockindex;
- *ssl_sessionid = NULL;
-
-+#ifdef CURL_DISABLE_PROXY
-+ if(isProxy)
-+ return TRUE;
-+#endif
-+
- DEBUGASSERT(SSL_SET_OPTION(primary.sessionid));
-
- if(!SSL_SET_OPTION(primary.sessionid))
-@@ -472,6 +477,7 @@ void Curl_ssl_delsessionid(struct connectdata *conn, void *ssl_sessionid)
- * later on.
- */
- CURLcode Curl_ssl_addsessionid(struct connectdata *conn,
-+ bool isProxy,
- void *ssl_sessionid,
- size_t idsize,
- int sockindex)
-@@ -485,7 +491,6 @@ CURLcode Curl_ssl_addsessionid(struct connectdata *conn,
- int conn_to_port;
- long *general_age;
- #ifndef CURL_DISABLE_PROXY
-- const bool isProxy = CONNECT_PROXY_SSL();
- struct ssl_primary_config * const ssl_config = isProxy ?
- &conn->proxy_ssl_config :
- &conn->ssl_config;
-@@ -498,6 +503,7 @@ CURLcode Curl_ssl_addsessionid(struct connectdata *conn,
- const char *hostname = conn->host.name;
- (void)sockindex;
- #endif
-+ (void)sockindex;
- DEBUGASSERT(SSL_SET_OPTION(primary.sessionid));
-
- clone_host = strdup(hostname);
-diff --git a/lib/vtls/vtls.h b/lib/vtls/vtls.h
-index bcc8444..343cad0 100644
---- a/lib/vtls/vtls.h
-+++ b/lib/vtls/vtls.h
-@@ -203,6 +203,7 @@ void Curl_ssl_sessionid_unlock(struct connectdata *conn);
- * under sessionid mutex).
- */
- bool Curl_ssl_getsessionid(struct connectdata *conn,
-+ const bool isproxy,
- void **ssl_sessionid,
- size_t *idsize, /* set 0 if unknown */
- int sockindex);
-@@ -212,6 +213,7 @@ bool Curl_ssl_getsessionid(struct connectdata *conn,
- * object with cache (e.g. incrementing refcount on success)
- */
- CURLcode Curl_ssl_addsessionid(struct connectdata *conn,
-+ const bool isProxy,
- void *ssl_sessionid,
- size_t idsize,
- int sockindex);
---
-2.26.3
-
diff --git a/0010-curl-7.71.1-CVE-2021-22924.patch b/0010-curl-7.71.1-CVE-2021-22924.patch
deleted file mode 100644
index 0ed70d9..0000000
--- a/0010-curl-7.71.1-CVE-2021-22924.patch
+++ /dev/null
@@ -1,788 +0,0 @@
-From c3e2c52593b94bd93775b50063e1d54bc7b1b911 Mon Sep 17 00:00:00 2001
-From: Daniel Stenberg
-Date: Thu, 18 Feb 2021 10:13:56 +0100
-Subject: [PATCH 1/2] urldata: remove the _ORIG suffix from string names
-
-It doesn't provide any useful info but only makes the names longer.
-
-Closes #6624
-
-Upstream-commit: 70472a44deaff387cf8c8c197e04f3add2a96e2e
-Signed-off-by: Kamil Dudka
----
- lib/doh.c | 12 ++++++------
- lib/setopt.c | 38 +++++++++++++++++++-------------------
- lib/url.c | 42 +++++++++++++++++++++---------------------
- lib/urldata.h | 34 +++++++++++++++++-----------------
- lib/vtls/gskit.c | 2 +-
- lib/vtls/gtls.c | 2 +-
- lib/vtls/mbedtls.c | 4 ++--
- lib/vtls/nss.c | 2 +-
- lib/vtls/openssl.c | 2 +-
- lib/vtls/schannel.c | 2 +-
- lib/vtls/sectransp.c | 7 ++++---
- lib/vtls/wolfssl.c | 4 ++--
- 12 files changed, 76 insertions(+), 75 deletions(-)
-
-diff --git a/lib/doh.c b/lib/doh.c
-index ebb2c24..cbd34f6 100644
---- a/lib/doh.c
-+++ b/lib/doh.c
-@@ -318,17 +318,17 @@ static CURLcode dohprobe(struct Curl_easy *data,
- ERROR_CHECK_SETOPT(CURLOPT_SSL_VERIFYPEER, 1L);
- if(data->set.ssl.primary.verifystatus)
- ERROR_CHECK_SETOPT(CURLOPT_SSL_VERIFYSTATUS, 1L);
-- if(data->set.str[STRING_SSL_CAFILE_ORIG]) {
-+ if(data->set.str[STRING_SSL_CAFILE]) {
- ERROR_CHECK_SETOPT(CURLOPT_CAINFO,
-- data->set.str[STRING_SSL_CAFILE_ORIG]);
-+ data->set.str[STRING_SSL_CAFILE]);
- }
-- if(data->set.str[STRING_SSL_CAPATH_ORIG]) {
-+ if(data->set.str[STRING_SSL_CAPATH]) {
- ERROR_CHECK_SETOPT(CURLOPT_CAPATH,
-- data->set.str[STRING_SSL_CAPATH_ORIG]);
-+ data->set.str[STRING_SSL_CAPATH]);
- }
-- if(data->set.str[STRING_SSL_CRLFILE_ORIG]) {
-+ if(data->set.str[STRING_SSL_CRLFILE]) {
- ERROR_CHECK_SETOPT(CURLOPT_CRLFILE,
-- data->set.str[STRING_SSL_CRLFILE_ORIG]);
-+ data->set.str[STRING_SSL_CRLFILE]);
- }
- if(data->set.ssl.certinfo)
- ERROR_CHECK_SETOPT(CURLOPT_CERTINFO, 1L);
-diff --git a/lib/setopt.c b/lib/setopt.c
-index d621335..58d92e2 100644
---- a/lib/setopt.c
-+++ b/lib/setopt.c
-@@ -174,7 +174,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
- break;
- case CURLOPT_SSL_CIPHER_LIST:
- /* set a list of cipher we want to use in the SSL connection */
-- result = Curl_setstropt(&data->set.str[STRING_SSL_CIPHER_LIST_ORIG],
-+ result = Curl_setstropt(&data->set.str[STRING_SSL_CIPHER_LIST],
- va_arg(param, char *));
- break;
- #ifndef CURL_DISABLE_PROXY
-@@ -187,7 +187,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
- case CURLOPT_TLS13_CIPHERS:
- if(Curl_ssl_tls13_ciphersuites()) {
- /* set preferred list of TLS 1.3 cipher suites */
-- result = Curl_setstropt(&data->set.str[STRING_SSL_CIPHER13_LIST_ORIG],
-+ result = Curl_setstropt(&data->set.str[STRING_SSL_CIPHER13_LIST],
- va_arg(param, char *));
- }
- else
-@@ -1643,14 +1643,14 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
- /*
- * String that holds file name of the SSL certificate to use
- */
-- result = Curl_setstropt(&data->set.str[STRING_CERT_ORIG],
-+ result = Curl_setstropt(&data->set.str[STRING_CERT],
- va_arg(param, char *));
- break;
- case CURLOPT_SSLCERT_BLOB:
- /*
- * Blob that holds file name of the SSL certificate to use
- */
-- result = Curl_setblobopt(&data->set.blobs[BLOB_CERT_ORIG],
-+ result = Curl_setblobopt(&data->set.blobs[BLOB_CERT],
- va_arg(param, struct curl_blob *));
- break;
- #ifndef CURL_DISABLE_PROXY
-@@ -1673,7 +1673,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
- /*
- * String that holds file type of the SSL certificate to use
- */
-- result = Curl_setstropt(&data->set.str[STRING_CERT_TYPE_ORIG],
-+ result = Curl_setstropt(&data->set.str[STRING_CERT_TYPE],
- va_arg(param, char *));
- break;
- #ifndef CURL_DISABLE_PROXY
-@@ -1689,14 +1689,14 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
- /*
- * String that holds file name of the SSL key to use
- */
-- result = Curl_setstropt(&data->set.str[STRING_KEY_ORIG],
-+ result = Curl_setstropt(&data->set.str[STRING_KEY],
- va_arg(param, char *));
- break;
- case CURLOPT_SSLKEY_BLOB:
- /*
- * Blob that holds file name of the SSL key to use
- */
-- result = Curl_setblobopt(&data->set.blobs[BLOB_KEY_ORIG],
-+ result = Curl_setblobopt(&data->set.blobs[BLOB_KEY],
- va_arg(param, struct curl_blob *));
- break;
- #ifndef CURL_DISABLE_PROXY
-@@ -1719,7 +1719,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
- /*
- * String that holds file type of the SSL key to use
- */
-- result = Curl_setstropt(&data->set.str[STRING_KEY_TYPE_ORIG],
-+ result = Curl_setstropt(&data->set.str[STRING_KEY_TYPE],
- va_arg(param, char *));
- break;
- #ifndef CURL_DISABLE_PROXY
-@@ -1735,7 +1735,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
- /*
- * String that holds the SSL or SSH private key password.
- */
-- result = Curl_setstropt(&data->set.str[STRING_KEY_PASSWD_ORIG],
-+ result = Curl_setstropt(&data->set.str[STRING_KEY_PASSWD],
- va_arg(param, char *));
- break;
- #ifndef CURL_DISABLE_PROXY
-@@ -1944,7 +1944,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
- */
- #ifdef USE_SSL
- if(Curl_ssl->supports & SSLSUPP_PINNEDPUBKEY)
-- result = Curl_setstropt(&data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG],
-+ result = Curl_setstropt(&data->set.str[STRING_SSL_PINNEDPUBLICKEY],
- va_arg(param, char *));
- else
- #endif
-@@ -1969,7 +1969,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
- /*
- * Set CA info for SSL connection. Specify file name of the CA certificate
- */
-- result = Curl_setstropt(&data->set.str[STRING_SSL_CAFILE_ORIG],
-+ result = Curl_setstropt(&data->set.str[STRING_SSL_CAFILE],
- va_arg(param, char *));
- break;
- #ifndef CURL_DISABLE_PROXY
-@@ -1990,7 +1990,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
- #ifdef USE_SSL
- if(Curl_ssl->supports & SSLSUPP_CA_PATH)
- /* This does not work on windows. */
-- result = Curl_setstropt(&data->set.str[STRING_SSL_CAPATH_ORIG],
-+ result = Curl_setstropt(&data->set.str[STRING_SSL_CAPATH],
- va_arg(param, char *));
- else
- #endif
-@@ -2017,7 +2017,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
- * Set CRL file info for SSL connection. Specify file name of the CRL
- * to check certificates revocation
- */
-- result = Curl_setstropt(&data->set.str[STRING_SSL_CRLFILE_ORIG],
-+ result = Curl_setstropt(&data->set.str[STRING_SSL_CRLFILE],
- va_arg(param, char *));
- break;
- #ifndef CURL_DISABLE_PROXY
-@@ -2035,14 +2035,14 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
- * Set Issuer certificate file
- * to check certificates issuer
- */
-- result = Curl_setstropt(&data->set.str[STRING_SSL_ISSUERCERT_ORIG],
-+ result = Curl_setstropt(&data->set.str[STRING_SSL_ISSUERCERT],
- va_arg(param, char *));
- break;
- case CURLOPT_ISSUERCERT_BLOB:
- /*
- * Blob that holds Issuer certificate to check certificates issuer
- */
-- result = Curl_setblobopt(&data->set.blobs[BLOB_SSL_ISSUERCERT_ORIG],
-+ result = Curl_setblobopt(&data->set.blobs[BLOB_SSL_ISSUERCERT],
- va_arg(param, struct curl_blob *));
- break;
- #ifndef CURL_DISABLE_PROXY
-@@ -2638,9 +2638,9 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
- #endif
- #ifdef USE_TLS_SRP
- case CURLOPT_TLSAUTH_USERNAME:
-- result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_USERNAME_ORIG],
-+ result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_USERNAME],
- va_arg(param, char *));
-- if(data->set.str[STRING_TLSAUTH_USERNAME_ORIG] && !data->set.ssl.authtype)
-+ if(data->set.str[STRING_TLSAUTH_USERNAME] && !data->set.ssl.authtype)
- data->set.ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */
- break;
- case CURLOPT_PROXY_TLSAUTH_USERNAME:
-@@ -2653,9 +2653,9 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
- #endif
- break;
- case CURLOPT_TLSAUTH_PASSWORD:
-- result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_PASSWORD_ORIG],
-+ result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_PASSWORD],
- va_arg(param, char *));
-- if(data->set.str[STRING_TLSAUTH_USERNAME_ORIG] && !data->set.ssl.authtype)
-+ if(data->set.str[STRING_TLSAUTH_USERNAME] && !data->set.ssl.authtype)
- data->set.ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */
- break;
- case CURLOPT_PROXY_TLSAUTH_PASSWORD:
-diff --git a/lib/url.c b/lib/url.c
-index 307b66e..dd18c63 100644
---- a/lib/url.c
-+++ b/lib/url.c
-@@ -543,7 +543,7 @@ CURLcode Curl_init_userdefined(struct Curl_easy *data)
- */
- if(Curl_ssl_backend() != CURLSSLBACKEND_SCHANNEL) {
- #if defined(CURL_CA_BUNDLE)
-- result = Curl_setstropt(&set->str[STRING_SSL_CAFILE_ORIG], CURL_CA_BUNDLE);
-+ result = Curl_setstropt(&set->str[STRING_SSL_CAFILE], CURL_CA_BUNDLE);
- if(result)
- return result;
-
-@@ -553,7 +553,7 @@ CURLcode Curl_init_userdefined(struct Curl_easy *data)
- return result;
- #endif
- #if defined(CURL_CA_PATH)
-- result = Curl_setstropt(&set->str[STRING_SSL_CAPATH_ORIG], CURL_CA_PATH);
-+ result = Curl_setstropt(&set->str[STRING_SSL_CAPATH], CURL_CA_PATH);
- if(result)
- return result;
-
-@@ -3600,17 +3600,17 @@ static CURLcode create_conn(struct Curl_easy *data,
- that will be freed as part of the Curl_easy struct, but all cloned
- copies will be separately allocated.
- */
-- data->set.ssl.primary.CApath = data->set.str[STRING_SSL_CAPATH_ORIG];
-- data->set.ssl.primary.CAfile = data->set.str[STRING_SSL_CAFILE_ORIG];
-+ data->set.ssl.primary.CApath = data->set.str[STRING_SSL_CAPATH];
-+ data->set.ssl.primary.CAfile = data->set.str[STRING_SSL_CAFILE];
- data->set.ssl.primary.random_file = data->set.str[STRING_SSL_RANDOM_FILE];
- data->set.ssl.primary.egdsocket = data->set.str[STRING_SSL_EGDSOCKET];
- data->set.ssl.primary.cipher_list =
-- data->set.str[STRING_SSL_CIPHER_LIST_ORIG];
-+ data->set.str[STRING_SSL_CIPHER_LIST];
- data->set.ssl.primary.cipher_list13 =
-- data->set.str[STRING_SSL_CIPHER13_LIST_ORIG];
-+ data->set.str[STRING_SSL_CIPHER13_LIST];
- data->set.ssl.primary.pinned_key =
-- data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG];
-- data->set.ssl.primary.cert_blob = data->set.blobs[BLOB_CERT_ORIG];
-+ data->set.str[STRING_SSL_PINNEDPUBLICKEY];
-+ data->set.ssl.primary.cert_blob = data->set.blobs[BLOB_CERT];
-
- #ifndef CURL_DISABLE_PROXY
- data->set.proxy_ssl.primary.CApath = data->set.str[STRING_SSL_CAPATH_PROXY];
-@@ -3636,26 +3636,26 @@ static CURLcode create_conn(struct Curl_easy *data,
- data->set.proxy_ssl.cert_blob = data->set.blobs[BLOB_CERT_PROXY];
- data->set.proxy_ssl.key_blob = data->set.blobs[BLOB_KEY_PROXY];
- #endif
-- data->set.ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE_ORIG];
-- data->set.ssl.issuercert = data->set.str[STRING_SSL_ISSUERCERT_ORIG];
-- data->set.ssl.cert = data->set.str[STRING_CERT_ORIG];
-- data->set.ssl.cert_type = data->set.str[STRING_CERT_TYPE_ORIG];
-- data->set.ssl.key = data->set.str[STRING_KEY_ORIG];
-- data->set.ssl.key_type = data->set.str[STRING_KEY_TYPE_ORIG];
-- data->set.ssl.key_passwd = data->set.str[STRING_KEY_PASSWD_ORIG];
-- data->set.ssl.primary.clientcert = data->set.str[STRING_CERT_ORIG];
-+ data->set.ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE];
-+ data->set.ssl.issuercert = data->set.str[STRING_SSL_ISSUERCERT];
-+ data->set.ssl.cert = data->set.str[STRING_CERT];
-+ data->set.ssl.cert_type = data->set.str[STRING_CERT_TYPE];
-+ data->set.ssl.key = data->set.str[STRING_KEY];
-+ data->set.ssl.key_type = data->set.str[STRING_KEY_TYPE];
-+ data->set.ssl.key_passwd = data->set.str[STRING_KEY_PASSWD];
-+ data->set.ssl.primary.clientcert = data->set.str[STRING_CERT];
- #ifdef USE_TLS_SRP
-- data->set.ssl.username = data->set.str[STRING_TLSAUTH_USERNAME_ORIG];
-- data->set.ssl.password = data->set.str[STRING_TLSAUTH_PASSWORD_ORIG];
-+ data->set.ssl.username = data->set.str[STRING_TLSAUTH_USERNAME];
-+ data->set.ssl.password = data->set.str[STRING_TLSAUTH_PASSWORD];
- #ifndef CURL_DISABLE_PROXY
- data->set.proxy_ssl.username = data->set.str[STRING_TLSAUTH_USERNAME_PROXY];
- data->set.proxy_ssl.password = data->set.str[STRING_TLSAUTH_PASSWORD_PROXY];
- #endif
- #endif
-
-- data->set.ssl.cert_blob = data->set.blobs[BLOB_CERT_ORIG];
-- data->set.ssl.key_blob = data->set.blobs[BLOB_KEY_ORIG];
-- data->set.ssl.issuercert_blob = data->set.blobs[BLOB_SSL_ISSUERCERT_ORIG];
-+ data->set.ssl.cert_blob = data->set.blobs[BLOB_CERT];
-+ data->set.ssl.key_blob = data->set.blobs[BLOB_KEY];
-+ data->set.ssl.issuercert_blob = data->set.blobs[BLOB_SSL_ISSUERCERT];
-
- if(!Curl_clone_primary_ssl_config(&data->set.ssl.primary,
- &conn->ssl_config)) {
-diff --git a/lib/urldata.h b/lib/urldata.h
-index df9d998..0fb046f 100644
---- a/lib/urldata.h
-+++ b/lib/urldata.h
-@@ -1491,9 +1491,9 @@ struct Curl_multi; /* declared and used only in multi.c */
- * are catered for in curl_easy_setopt_ccsid()
- */
- enum dupstring {
-- STRING_CERT_ORIG, /* client certificate file name */
-+ STRING_CERT, /* client certificate file name */
- STRING_CERT_PROXY, /* client certificate file name */
-- STRING_CERT_TYPE_ORIG, /* format for certificate (default: PEM)*/
-+ STRING_CERT_TYPE, /* format for certificate (default: PEM)*/
- STRING_CERT_TYPE_PROXY, /* format for certificate (default: PEM)*/
- STRING_COOKIE, /* HTTP cookie string to send */
- STRING_COOKIEJAR, /* dump all cookies to this file */
-@@ -1504,11 +1504,11 @@ enum dupstring {
- STRING_FTP_ACCOUNT, /* ftp account data */
- STRING_FTP_ALTERNATIVE_TO_USER, /* command to send if USER/PASS fails */
- STRING_FTPPORT, /* port to send with the FTP PORT command */
-- STRING_KEY_ORIG, /* private key file name */
-+ STRING_KEY, /* private key file name */
- STRING_KEY_PROXY, /* private key file name */
-- STRING_KEY_PASSWD_ORIG, /* plain text private key password */
-+ STRING_KEY_PASSWD, /* plain text private key password */
- STRING_KEY_PASSWD_PROXY, /* plain text private key password */
-- STRING_KEY_TYPE_ORIG, /* format for private key (default: PEM) */
-+ STRING_KEY_TYPE, /* format for private key (default: PEM) */
- STRING_KEY_TYPE_PROXY, /* format for private key (default: PEM) */
- STRING_KRB_LEVEL, /* krb security level */
- STRING_NETRC_FILE, /* if not NULL, use this instead of trying to find
-@@ -1518,22 +1518,22 @@ enum dupstring {
- STRING_SET_RANGE, /* range, if used */
- STRING_SET_REFERER, /* custom string for the HTTP referer field */
- STRING_SET_URL, /* what original URL to work on */
-- STRING_SSL_CAPATH_ORIG, /* CA directory name (doesn't work on windows) */
-+ STRING_SSL_CAPATH, /* CA directory name (doesn't work on windows) */
- STRING_SSL_CAPATH_PROXY, /* CA directory name (doesn't work on windows) */
-- STRING_SSL_CAFILE_ORIG, /* certificate file to verify peer against */
-+ STRING_SSL_CAFILE, /* certificate file to verify peer against */
- STRING_SSL_CAFILE_PROXY, /* certificate file to verify peer against */
-- STRING_SSL_PINNEDPUBLICKEY_ORIG, /* public key file to verify peer against */
-+ STRING_SSL_PINNEDPUBLICKEY, /* public key file to verify peer against */
- STRING_SSL_PINNEDPUBLICKEY_PROXY, /* public key file to verify proxy */
-- STRING_SSL_CIPHER_LIST_ORIG, /* list of ciphers to use */
-+ STRING_SSL_CIPHER_LIST, /* list of ciphers to use */
- STRING_SSL_CIPHER_LIST_PROXY, /* list of ciphers to use */
-- STRING_SSL_CIPHER13_LIST_ORIG, /* list of TLS 1.3 ciphers to use */
-+ STRING_SSL_CIPHER13_LIST, /* list of TLS 1.3 ciphers to use */
- STRING_SSL_CIPHER13_LIST_PROXY, /* list of TLS 1.3 ciphers to use */
- STRING_SSL_EGDSOCKET, /* path to file containing the EGD daemon socket */
- STRING_SSL_RANDOM_FILE, /* path to file containing "random" data */
- STRING_USERAGENT, /* User-Agent string */
-- STRING_SSL_CRLFILE_ORIG, /* crl file to check certificate */
-+ STRING_SSL_CRLFILE, /* crl file to check certificate */
- STRING_SSL_CRLFILE_PROXY, /* crl file to check certificate */
-- STRING_SSL_ISSUERCERT_ORIG, /* issuer cert file to check certificate */
-+ STRING_SSL_ISSUERCERT, /* issuer cert file to check certificate */
- STRING_SSL_ISSUERCERT_PROXY, /* issuer cert file to check certificate */
- STRING_SSL_ENGINE, /* name of ssl engine */
- STRING_USERNAME, /* , if used */
-@@ -1557,9 +1557,9 @@ enum dupstring {
- STRING_MAIL_FROM,
- STRING_MAIL_AUTH,
-
-- STRING_TLSAUTH_USERNAME_ORIG, /* TLS auth */
-+ STRING_TLSAUTH_USERNAME, /* TLS auth */
- STRING_TLSAUTH_USERNAME_PROXY, /* TLS auth */
-- STRING_TLSAUTH_PASSWORD_ORIG, /* TLS auth */
-+ STRING_TLSAUTH_PASSWORD, /* TLS auth */
- STRING_TLSAUTH_PASSWORD_PROXY, /* TLS auth */
-
- STRING_BEARER, /* , if used */
-@@ -1593,11 +1593,11 @@ enum dupstring {
- };
-
- enum dupblob {
-- BLOB_CERT_ORIG,
-+ BLOB_CERT,
- BLOB_CERT_PROXY,
-- BLOB_KEY_ORIG,
-+ BLOB_KEY,
- BLOB_KEY_PROXY,
-- BLOB_SSL_ISSUERCERT_ORIG,
-+ BLOB_SSL_ISSUERCERT,
- BLOB_SSL_ISSUERCERT_PROXY,
- BLOB_LAST
- };
-diff --git a/lib/vtls/gskit.c b/lib/vtls/gskit.c
-index 0538e4a..de9a9db 100644
---- a/lib/vtls/gskit.c
-+++ b/lib/vtls/gskit.c
-@@ -1039,7 +1039,7 @@ static CURLcode gskit_connect_step3(struct connectdata *conn, int sockindex)
-
- /* Check pinned public key. */
- ptr = SSL_IS_PROXY() ? data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY] :
-- data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG];
-+ data->set.str[STRING_SSL_PINNEDPUBLICKEY];
- if(!result && ptr) {
- curl_X509certificate x509;
- curl_asn1Element *p;
-diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c
-index 9b4c365..2ce5749 100644
---- a/lib/vtls/gtls.c
-+++ b/lib/vtls/gtls.c
-@@ -1184,7 +1184,7 @@ gtls_connect_step3(struct connectdata *conn,
- }
-
- ptr = SSL_IS_PROXY() ? data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY] :
-- data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG];
-+ data->set.str[STRING_SSL_PINNEDPUBLICKEY];
- if(ptr) {
- result = pkp_pin_peer_pubkey(data, x509_cert, ptr);
- if(result != CURLE_OK) {
-diff --git a/lib/vtls/mbedtls.c b/lib/vtls/mbedtls.c
-index 545f824..bf3683d 100644
---- a/lib/vtls/mbedtls.c
-+++ b/lib/vtls/mbedtls.c
-@@ -546,10 +546,10 @@ mbed_connect_step2(struct connectdata *conn,
- #ifndef CURL_DISABLE_PROXY
- const char * const pinnedpubkey = SSL_IS_PROXY() ?
- data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY] :
-- data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG];
-+ data->set.str[STRING_SSL_PINNEDPUBLICKEY];
- #else
- const char * const pinnedpubkey =
-- data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG];
-+ data->set.str[STRING_SSL_PINNEDPUBLICKEY];
- #endif
-
- conn->recv[sockindex] = mbed_recv;
-diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c
-index fca2926..9dad33f 100644
---- a/lib/vtls/nss.c
-+++ b/lib/vtls/nss.c
-@@ -2131,7 +2131,7 @@ static CURLcode nss_do_connect(struct connectdata *conn, int sockindex)
- &data->set.proxy_ssl.certverifyresult : &data->set.ssl.certverifyresult;
- const char * const pinnedpubkey = SSL_IS_PROXY() ?
- data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY] :
-- data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG];
-+ data->set.str[STRING_SSL_PINNEDPUBLICKEY];
-
-
- /* check timeout situation */
-diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
-index 16276f3..acf6577 100644
---- a/lib/vtls/openssl.c
-+++ b/lib/vtls/openssl.c
-@@ -3965,7 +3965,7 @@ static CURLcode servercert(struct connectdata *conn,
- result = CURLE_OK;
-
- ptr = SSL_IS_PROXY() ? data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY] :
-- data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG];
-+ data->set.str[STRING_SSL_PINNEDPUBLICKEY];
- if(!result && ptr) {
- result = pkp_pin_peer_pubkey(data, backend->server_cert, ptr);
- if(result)
-diff --git a/lib/vtls/schannel.c b/lib/vtls/schannel.c
-index 1996526..ba82513 100644
---- a/lib/vtls/schannel.c
-+++ b/lib/vtls/schannel.c
-@@ -1243,7 +1243,7 @@ schannel_connect_step2(struct connectdata *conn, int sockindex)
-
- pubkey_ptr = SSL_IS_PROXY() ?
- data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY] :
-- data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG];
-+ data->set.str[STRING_SSL_PINNEDPUBLICKEY];
- if(pubkey_ptr) {
- result = pkp_pin_peer_pubkey(conn, sockindex, pubkey_ptr);
- if(result) {
-diff --git a/lib/vtls/sectransp.c b/lib/vtls/sectransp.c
-index 2627aff..120df3a 100644
---- a/lib/vtls/sectransp.c
-+++ b/lib/vtls/sectransp.c
-@@ -2609,9 +2609,10 @@ sectransp_connect_step2(struct connectdata *conn, int sockindex)
- connssl->connecting_state = ssl_connect_3;
-
- #ifdef SECTRANSP_PINNEDPUBKEY
-- if(data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG]) {
-- CURLcode result = pkp_pin_peer_pubkey(data, backend->ssl_ctx,
-- data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG]);
-+ if(data->set.str[STRING_SSL_PINNEDPUBLICKEY]) {
-+ CURLcode result =
-+ pkp_pin_peer_pubkey(data, backend->ssl_ctx,
-+ data->set.str[STRING_SSL_PINNEDPUBLICKEY]);
- if(result) {
- failf(data, "SSL: public key does not match pinned public key!");
- return result;
-diff --git a/lib/vtls/wolfssl.c
b/lib/vtls/wolfssl.c
-index 7b2a124..fc41748 100644
---- a/lib/vtls/wolfssl.c
-+++ b/lib/vtls/wolfssl.c
-@@ -549,12 +549,12 @@ wolfssl_connect_step2(struct connectdata *conn,
- conn->http_proxy.host.dispname : conn->host.dispname;
- const char * const pinnedpubkey = SSL_IS_PROXY() ?
- data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY] :
-- data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG];
-+ data->set.str[STRING_SSL_PINNEDPUBLICKEY];
- #else
- const char * const hostname = conn->host.name;
- const char * const dispname = conn->host.dispname;
- const char * const pinnedpubkey =
-- data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG];
-+ data->set.str[STRING_SSL_PINNEDPUBLICKEY];
- #endif
-
- conn->recv[sockindex] = wolfssl_recv;
---
-2.31.1
-
-
-From fea46e2ddc6050b0aa008033325afbb0606d2b55 Mon Sep 17 00:00:00 2001
-From: Daniel Stenberg
-Date: Sat, 19 Jun 2021 00:42:28 +0200
-Subject: [PATCH 2/2] vtls: fix connection reuse checks for issuer cert and
- case sensitivity
-
-CVE-2021-22924
-
-Reported-by: Harry Sintonen
-Bug: https://curl.se/docs/CVE-2021-22924.html
-
-Upstream-commit: 5ea3145850ebff1dc2b13d17440300a01ca38161
-Signed-off-by: Kamil Dudka
----
- lib/url.c | 9 ++++++---
- lib/urldata.h | 4 ++--
- lib/vtls/gtls.c | 10 +++++-----
- lib/vtls/nss.c | 4 ++--
- lib/vtls/openssl.c | 18 +++++++++---------
- lib/vtls/vtls.c | 26 +++++++++++++++++++++-----
- 6 files changed, 45 insertions(+), 26 deletions(-)
-
-diff --git a/lib/url.c b/lib/url.c
-index dd18c63..71e226e 100644
---- a/lib/url.c
-+++ b/lib/url.c
-@@ -3602,6 +3602,8 @@ static CURLcode create_conn(struct Curl_easy *data,
- */
- data->set.ssl.primary.CApath = data->set.str[STRING_SSL_CAPATH];
- data->set.ssl.primary.CAfile = data->set.str[STRING_SSL_CAFILE];
-+ data->set.ssl.primary.issuercert = data->set.str[STRING_SSL_ISSUERCERT];
-+ data->set.ssl.primary.issuercert_blob = data->set.blobs[BLOB_SSL_ISSUERCERT];
- data->set.ssl.primary.random_file = data->set.str[STRING_SSL_RANDOM_FILE];
-
data->set.ssl.primary.egdsocket = data->set.str[STRING_SSL_EGDSOCKET];
- data->set.ssl.primary.cipher_list =
-@@ -3625,8 +3627,11 @@ static CURLcode create_conn(struct Curl_easy *data,
- data->set.proxy_ssl.primary.pinned_key =
- data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY];
- data->set.proxy_ssl.primary.cert_blob = data->set.blobs[BLOB_CERT_PROXY];
-+ data->set.proxy_ssl.primary.issuercert =
-+ data->set.str[STRING_SSL_ISSUERCERT_PROXY];
-+ data->set.proxy_ssl.primary.issuercert_blob =
-+ data->set.blobs[BLOB_SSL_ISSUERCERT_PROXY];
- data->set.proxy_ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE_PROXY];
-- data->set.proxy_ssl.issuercert = data->set.str[STRING_SSL_ISSUERCERT_PROXY];
- data->set.proxy_ssl.cert = data->set.str[STRING_CERT_PROXY];
- data->set.proxy_ssl.cert_type = data->set.str[STRING_CERT_TYPE_PROXY];
- data->set.proxy_ssl.key = data->set.str[STRING_KEY_PROXY];
-@@ -3637,7 +3642,6 @@ static CURLcode create_conn(struct Curl_easy *data,
- data->set.proxy_ssl.key_blob = data->set.blobs[BLOB_KEY_PROXY];
- #endif
- data->set.ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE];
-- data->set.ssl.issuercert = data->set.str[STRING_SSL_ISSUERCERT];
- data->set.ssl.cert = data->set.str[STRING_CERT];
- data->set.ssl.cert_type = data->set.str[STRING_CERT_TYPE];
- data->set.ssl.key = data->set.str[STRING_KEY];
-@@ -3655,7 +3659,6 @@ static CURLcode create_conn(struct Curl_easy *data,
-
- data->set.ssl.cert_blob = data->set.blobs[BLOB_CERT];
- data->set.ssl.key_blob = data->set.blobs[BLOB_KEY];
-- data->set.ssl.issuercert_blob = data->set.blobs[BLOB_SSL_ISSUERCERT];
-
- if(!Curl_clone_primary_ssl_config(&data->set.ssl.primary,
- &conn->ssl_config)) {
-diff --git a/lib/urldata.h b/lib/urldata.h
-index 0fb046f..8b5b597 100644
---- a/lib/urldata.h
-+++ b/lib/urldata.h
-@@ -223,6 +223,7 @@ struct ssl_primary_config {
- long version_max; /* max supported version the client wants to use*/
- char *CApath; /* certificate dir (doesn't work on windows) */
- char *CAfile; /*
certificate to verify peer against */
-+ char *issuercert; /* optional issuer certificate filename */
- char *clientcert;
- char *random_file; /* path to file containing "random" data */
- char *egdsocket; /* path to file containing the EGD daemon socket */
-@@ -230,6 +231,7 @@ struct ssl_primary_config {
- char *cipher_list13; /* list of TLS 1.3 cipher suites to use */
- char *pinned_key;
- struct curl_blob *cert_blob;
-+ struct curl_blob *issuercert_blob;
- BIT(verifypeer); /* set TRUE if this is desired */
- BIT(verifyhost); /* set TRUE if CN/SAN must match hostname */
- BIT(verifystatus); /* set TRUE if certificate status must be checked */
-@@ -240,8 +242,6 @@ struct ssl_config_data {
- struct ssl_primary_config primary;
- long certverifyresult; /* result from the certificate verification */
- char *CRLfile; /* CRL to check certificate revocation */
-- char *issuercert;/* optional issuer certificate filename */
-- struct curl_blob *issuercert_blob;
- curl_ssl_ctx_callback fsslctx; /* function to initialize ssl ctx */
- void *fsslctxp; /* parameter for call back */
- char *cert; /* client certificate file name */
-diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c
-index 2ce5749..1b87085 100644
---- a/lib/vtls/gtls.c
-+++ b/lib/vtls/gtls.c
-@@ -851,7 +851,7 @@ gtls_connect_step3(struct connectdata *conn,
- if(!chainp) {
- if(SSL_CONN_CONFIG(verifypeer) ||
- SSL_CONN_CONFIG(verifyhost) ||
-- SSL_SET_OPTION(issuercert)) {
-+ SSL_CONN_CONFIG(issuercert)) {
- #ifdef USE_TLS_SRP
- if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP
- && SSL_SET_OPTION(username) != NULL
-@@ -1035,21 +1035,21 @@ gtls_connect_step3(struct connectdata *conn,
- gnutls_x509_crt_t format */
- gnutls_x509_crt_import(x509_cert, chainp, GNUTLS_X509_FMT_DER);
-
-- if(SSL_SET_OPTION(issuercert)) {
-+ if(SSL_CONN_CONFIG(issuercert)) {
- gnutls_x509_crt_init(&x509_issuer);
-- issuerp = load_file(SSL_SET_OPTION(issuercert));
-+ issuerp = load_file(SSL_CONN_CONFIG(issuercert));
-
gnutls_x509_crt_import(x509_issuer, &issuerp, GNUTLS_X509_FMT_PEM);
- rc = gnutls_x509_crt_check_issuer(x509_cert, x509_issuer);
- gnutls_x509_crt_deinit(x509_issuer);
- unload_file(issuerp);
- if(rc <= 0) {
- failf(data, "server certificate issuer check failed (IssuerCert: %s)",
-- SSL_SET_OPTION(issuercert)?SSL_SET_OPTION(issuercert):"none");
-+ SSL_CONN_CONFIG(issuercert)?SSL_CONN_CONFIG(issuercert):"none");
- gnutls_x509_crt_deinit(x509_cert);
- return CURLE_SSL_ISSUER_ERROR;
- }
- infof(data, "\t server certificate issuer check OK (Issuer Cert: %s)\n",
-- SSL_SET_OPTION(issuercert)?SSL_SET_OPTION(issuercert):"none");
-+ SSL_CONN_CONFIG(issuercert)?SSL_CONN_CONFIG(issuercert):"none");
- }
-
- size = sizeof(certname);
-diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c
-index 9dad33f..d1b0016 100644
---- a/lib/vtls/nss.c
-+++ b/lib/vtls/nss.c
-@@ -2159,9 +2159,9 @@ static CURLcode nss_do_connect(struct connectdata *conn, int sockindex)
- if(result)
- goto error;
-
-- if(SSL_SET_OPTION(issuercert)) {
-+ if(SSL_CONN_CONFIG(issuercert)) {
- SECStatus ret = SECFailure;
-- char *nickname = dup_nickname(data, SSL_SET_OPTION(issuercert));
-+ char *nickname = dup_nickname(data, SSL_CONN_CONFIG(issuercert));
- if(nickname) {
- /* we support only nicknames in case of issuercert for now */
- ret = check_issuer_cert(backend->handle, nickname);
-diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
-index acf6577..56171ae 100644
---- a/lib/vtls/openssl.c
-+++ b/lib/vtls/openssl.c
-@@ -3871,10 +3871,10 @@ static CURLcode servercert(struct connectdata *conn,
- deallocating the certificate. */
-
- /* e.g.
match issuer name with provided issuer certificate */
-- if(SSL_SET_OPTION(issuercert) || SSL_SET_OPTION(issuercert_blob)) {
-- if(SSL_SET_OPTION(issuercert_blob))
-- fp = BIO_new_mem_buf(SSL_SET_OPTION(issuercert_blob)->data,
-- (int)SSL_SET_OPTION(issuercert_blob)->len);
-+ if(SSL_CONN_CONFIG(issuercert) || SSL_CONN_CONFIG(issuercert_blob)) {
-+ if(SSL_CONN_CONFIG(issuercert_blob))
-+ fp = BIO_new_mem_buf(SSL_CONN_CONFIG(issuercert_blob)->data,
-+ (int)SSL_CONN_CONFIG(issuercert_blob)->len);
- else {
- fp = BIO_new(BIO_s_file());
- if(fp == NULL) {
-@@ -3888,10 +3888,10 @@ static CURLcode servercert(struct connectdata *conn,
- return CURLE_OUT_OF_MEMORY;
- }
-
-- if(BIO_read_filename(fp, SSL_SET_OPTION(issuercert)) <= 0) {
-+ if(BIO_read_filename(fp, SSL_CONN_CONFIG(issuercert)) <= 0) {
- if(strict)
- failf(data, "SSL: Unable to open issuer cert (%s)",
-- SSL_SET_OPTION(issuercert));
-+ SSL_CONN_CONFIG(issuercert));
- BIO_free(fp);
- X509_free(backend->server_cert);
- backend->server_cert = NULL;
-@@ -3903,7 +3903,7 @@ static CURLcode servercert(struct connectdata *conn,
- if(!issuer) {
- if(strict)
- failf(data, "SSL: Unable to read issuer cert (%s)",
-- SSL_SET_OPTION(issuercert));
-+ SSL_CONN_CONFIG(issuercert));
- BIO_free(fp);
- X509_free(issuer);
- X509_free(backend->server_cert);
-@@ -3914,7 +3914,7 @@ static CURLcode servercert(struct connectdata *conn,
- if(X509_check_issued(issuer, backend->server_cert) != X509_V_OK) {
- if(strict)
- failf(data, "SSL: Certificate issuer check failed (%s)",
-- SSL_SET_OPTION(issuercert));
-+ SSL_CONN_CONFIG(issuercert));
- BIO_free(fp);
- X509_free(issuer);
- X509_free(backend->server_cert);
-@@ -3923,7 +3923,7 @@ static CURLcode servercert(struct connectdata *conn,
- }
-
- infof(data, " SSL certificate issuer check ok (%s)\n",
-- SSL_SET_OPTION(issuercert));
-+ SSL_CONN_CONFIG(issuercert));
- BIO_free(fp);
- X509_free(issuer);
- }
-diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
-index e50fdd2..855ee66 100644
----
a/lib/vtls/vtls.c
-+++ b/lib/vtls/vtls.c
-@@ -121,6 +121,16 @@ static bool blobcmp(struct curl_blob *first, struct curl_blob *second)
- return !memcmp(first->data, second->data, first->len); /* same data */
- }
-
-+static bool safecmp(char *a, char *b)
-+{
-+ if(a && b)
-+ return !strcmp(a, b);
-+ else if(!a && !b)
-+ return TRUE; /* match */
-+ return FALSE; /* no match */
-+}
-+
-+
- bool
- Curl_ssl_config_matches(struct ssl_primary_config *data,
- struct ssl_primary_config *needle)
-@@ -131,11 +141,13 @@ Curl_ssl_config_matches(struct ssl_primary_config *data,
- (data->verifyhost == needle->verifyhost) &&
- (data->verifystatus == needle->verifystatus) &&
- blobcmp(data->cert_blob, needle->cert_blob) &&
-- Curl_safe_strcasecompare(data->CApath, needle->CApath) &&
-- Curl_safe_strcasecompare(data->CAfile, needle->CAfile) &&
-- Curl_safe_strcasecompare(data->clientcert, needle->clientcert) &&
-- Curl_safe_strcasecompare(data->random_file, needle->random_file) &&
-- Curl_safe_strcasecompare(data->egdsocket, needle->egdsocket) &&
-+ blobcmp(data->issuercert_blob, needle->issuercert_blob) &&
-+ safecmp(data->CApath, needle->CApath) &&
-+ safecmp(data->CAfile, needle->CAfile) &&
-+ safecmp(data->issuercert, needle->issuercert) &&
-+ safecmp(data->clientcert, needle->clientcert) &&
-+ safecmp(data->random_file, needle->random_file) &&
-+ safecmp(data->egdsocket, needle->egdsocket) &&
- Curl_safe_strcasecompare(data->cipher_list, needle->cipher_list) &&
- Curl_safe_strcasecompare(data->cipher_list13, needle->cipher_list13) &&
- Curl_safe_strcasecompare(data->pinned_key, needle->pinned_key))
-@@ -156,8 +168,10 @@ Curl_clone_primary_ssl_config(struct ssl_primary_config *source,
- dest->sessionid = source->sessionid;
-
- CLONE_BLOB(cert_blob);
-+ CLONE_BLOB(issuercert_blob);
- CLONE_STRING(CApath);
- CLONE_STRING(CAfile);
-+ CLONE_STRING(issuercert);
- CLONE_STRING(clientcert);
- CLONE_STRING(random_file);
- CLONE_STRING(egdsocket);
-@@ -172,6 +186,7 @@ void
Curl_free_primary_ssl_config(struct ssl_primary_config *sslc)
- {
- Curl_safefree(sslc->CApath);
- Curl_safefree(sslc->CAfile);
-+ Curl_safefree(sslc->issuercert);
- Curl_safefree(sslc->clientcert);
- Curl_safefree(sslc->random_file);
- Curl_safefree(sslc->egdsocket);
-@@ -179,6 +194,7 @@ void Curl_free_primary_ssl_config(struct ssl_primary_config *sslc)
- Curl_safefree(sslc->cipher_list13);
- Curl_safefree(sslc->pinned_key);
- Curl_safefree(sslc->cert_blob);
-+ Curl_safefree(sslc->issuercert_blob);
- }
-
- #ifdef USE_SSL
---
-2.31.1
-
diff --git a/0011-curl-7.71.1-CVE-2021-22898.patch b/0011-curl-7.71.1-CVE-2021-22898.patch
deleted file mode 100644
index 2609375..0000000
--- a/0011-curl-7.71.1-CVE-2021-22898.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From ae2dc830fb37e9243dbdaf8b92e41df91f43b3f2 Mon Sep 17 00:00:00 2001
-From: Harry Sintonen
-Date: Fri, 7 May 2021 13:09:57 +0200
-Subject: [PATCH] telnet: check sscanf() for correct number of matches
-
-CVE-2021-22898
-
-Bug: https://curl.se/docs/CVE-2021-22898.html
-
-Upstream-commit: 39ce47f219b09c380b81f89fe54ac586c8db6bde
-Signed-off-by: Kamil Dudka
----
- lib/telnet.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/lib/telnet.c b/lib/telnet.c
-index 1fc5af1..ea6bc71 100644
---- a/lib/telnet.c
-+++ b/lib/telnet.c
-@@ -967,7 +967,7 @@ static void suboption(struct connectdata *conn)
- size_t tmplen = (strlen(v->data) + 1);
- /* Add the variable only if it fits */
- if(len + tmplen < (int)sizeof(temp)-6) {
-- if(sscanf(v->data, "%127[^,],%127s", varname, varval)) {
-+ if(sscanf(v->data, "%127[^,],%127s", varname, varval) == 2) {
- msnprintf((char *)&temp[len], sizeof(temp) - len,
- "%c%s%c%s", CURL_NEW_ENV_VAR, varname,
- CURL_NEW_ENV_VALUE, varval);
---
-2.31.1
-
diff --git a/0012-curl-7.71.1-CVE-2021-22925.patch b/0012-curl-7.71.1-CVE-2021-22925.patch
deleted file mode 100644
index 330d9f7..0000000
--- a/0012-curl-7.71.1-CVE-2021-22925.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From 2fbbf282e42ae476459f7efe68a88dcb63dcc43b Mon Sep 17 00:00:00 2001
-From: Daniel Stenberg
-Date: Sat, 12 Jun 2021 18:25:15 +0200
-Subject: [PATCH] telnet: fix option parser to not send uninitialized contents
-
-CVE-2021-22925
-
-Reported-by: Red Hat Product Security
-Bug: https://curl.se/docs/CVE-2021-22925.html
-
-Upstream-commit: 894f6ec730597eb243618d33cc84d71add8d6a8a
-Signed-off-by: Kamil Dudka
----
- lib/telnet.c | 17 +++++++++++------
- 1 file changed, 11 insertions(+), 6 deletions(-)
-
-diff --git a/lib/telnet.c b/lib/telnet.c
-index ea6bc71..f8428b8 100644
---- a/lib/telnet.c
-+++ b/lib/telnet.c
-@@ -967,12 +967,17 @@ static void suboption(struct connectdata *conn)
- size_t tmplen = (strlen(v->data) + 1);
- /* Add the variable only if it fits */
- if(len + tmplen < (int)sizeof(temp)-6) {
-- if(sscanf(v->data, "%127[^,],%127s", varname, varval) == 2) {
-- msnprintf((char *)&temp[len], sizeof(temp) - len,
-- "%c%s%c%s", CURL_NEW_ENV_VAR, varname,
-- CURL_NEW_ENV_VALUE, varval);
-- len += tmplen;
-- }
-+ int rv;
-+ char sep[2] = "";
-+ varval[0] = 0;
-+ rv = sscanf(v->data, "%127[^,]%1[,]%127s", varname, sep, varval);
-+ if(rv == 1)
-+ len += msnprintf((char *)&temp[len], sizeof(temp) - len,
-+ "%c%s", CURL_NEW_ENV_VAR, varname);
-+ else if(rv >= 2)
-+ len += msnprintf((char *)&temp[len], sizeof(temp) - len,
-+ "%c%s%c%s", CURL_NEW_ENV_VAR, varname,
-+ CURL_NEW_ENV_VALUE, varval);
- }
- }
- msnprintf((char *)&temp[len], sizeof(temp) - len,
---
-2.31.1
-
diff --git a/0013-curl-7.71.1-CVE-2021-22945.patch b/0013-curl-7.71.1-CVE-2021-22945.patch
deleted file mode 100644
index 79dc9f8..0000000
--- a/0013-curl-7.71.1-CVE-2021-22945.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From bb7619897e53ed424e0712ca5a4c93d5fae99715 Mon Sep 17 00:00:00 2001
-From: z2_ on hackerone <>
-Date: Tue, 24 Aug 2021 09:50:33 +0200
-Subject: [PATCH] mqtt: clear the leftovers pointer when sending succeeds
-
-CVE-2021-22945
-
-Bug: https://curl.se/docs/CVE-2021-22945.html
-
-Upstream-commit: 43157490a5054bd24256fe12876931e8abc9df49
-Signed-off-by: Kamil Dudka
----
- lib/mqtt.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/lib/mqtt.c b/lib/mqtt.c
-index d88fa73..f3fc045 100644
---- a/lib/mqtt.c
-+++ b/lib/mqtt.c
-@@ -123,6 +123,10 @@ static CURLcode mqtt_send(struct connectdata *conn,
- mq->sendleftovers = sendleftovers;
- mq->nsend = nsend;
- }
-+ else {
-+ mq->sendleftovers = NULL;
-+ mq->nsend = 0;
-+ }
- return result;
- }
-
---
-2.31.1
-
diff --git a/0014-curl-7.71.1-CVE-2021-22946.patch b/0014-curl-7.71.1-CVE-2021-22946.patch
deleted file mode 100644
index c408988..0000000
--- a/0014-curl-7.71.1-CVE-2021-22946.patch
+++ /dev/null
@@ -1,331 +0,0 @@
-From 03ca8c6faca7de6628f9cbec3001ec6466c88d07 Mon Sep 17 00:00:00 2001
-From: Patrick Monnerat
-Date: Wed, 8 Sep 2021 11:56:22 +0200
-Subject: [PATCH] ftp,imap,pop3: do not ignore --ssl-reqd
-
-In imap and pop3, check if TLS is required even when capabilities
-request has failed.
-
-In ftp, ignore preauthentication (230 status of server greeting) if TLS
-is required.
-
-Bug: https://curl.se/docs/CVE-2021-22946.html
-
-CVE-2021-22946
-
-Upstream-commit: 364f174724ef115c63d5e5dc1d3342c8a43b1cca
-Signed-off-by: Kamil Dudka
----
- lib/ftp.c | 9 ++++---
- lib/imap.c | 24 ++++++++----------
- lib/pop3.c | 33 +++++++++++-------------
- tests/data/Makefile.inc | 2 ++
- tests/data/test984 | 56 +++++++++++++++++++++++++++++++++++++++++
- tests/data/test985 | 54 +++++++++++++++++++++++++++++++++++++++
- tests/data/test986 | 53 ++++++++++++++++++++++++++++++++++++++
- 7 files changed, 195 insertions(+), 36 deletions(-)
- create mode 100644 tests/data/test984
- create mode 100644 tests/data/test985
- create mode 100644 tests/data/test986
-
-diff --git a/lib/ftp.c b/lib/ftp.c
-index 71c9642..30ebeaa 100644
---- a/lib/ftp.c
-+++ b/lib/ftp.c
-@@ -2622,9 +2622,12 @@ static CURLcode ftp_statemach_act(struct connectdata *conn)
- /* we have now received a full FTP server response */
- switch(ftpc->state) {
- case FTP_WAIT220:
-- if(ftpcode == 230)
-- /* 230 User logged in - already! */
-- return ftp_state_user_resp(conn, ftpcode, ftpc->state);
-+ if(ftpcode == 230) {
-+ /* 230 User logged in - already! Take as 220 if TLS required.
*/
-+ if(data->set.use_ssl <= CURLUSESSL_TRY ||
-+ conn->ssl[FIRSTSOCKET].use)
-+ return ftp_state_user_resp(conn, ftpcode, ftpc->state);
-+ }
- else if(ftpcode != 220) {
- failf(data, "Got a %03d ftp-server response when 220 was expected",
- ftpcode);
-diff --git a/lib/imap.c b/lib/imap.c
-index bda23a5..7e159d4 100644
---- a/lib/imap.c
-+++ b/lib/imap.c
-@@ -917,22 +917,18 @@ static CURLcode imap_state_capability_resp(struct connectdata *conn,
- line += wordlen;
- }
- }
-- else if(imapcode == IMAP_RESP_OK) {
-- if(data->set.use_ssl && !conn->ssl[FIRSTSOCKET].use) {
-- /* We don't have a SSL/TLS connection yet, but SSL is requested */
-- if(imapc->tls_supported)
-- /* Switch to TLS connection now */
-- result = imap_perform_starttls(conn);
-- else if(data->set.use_ssl == CURLUSESSL_TRY)
-- /* Fallback and carry on with authentication */
-- result = imap_perform_authentication(conn);
-- else {
-- failf(data, "STARTTLS not supported.");
-- result = CURLE_USE_SSL_FAILED;
-- }
-+ else if(data->set.use_ssl && !conn->ssl[FIRSTSOCKET].use) {
-+ /* PREAUTH is not compatible with STARTTLS.
*/
-+ if(imapcode == IMAP_RESP_OK && imapc->tls_supported && !imapc->preauth) {
-+ /* Switch to TLS connection now */
-+ result = imap_perform_starttls(conn);
- }
-- else
-+ else if(data->set.use_ssl <= CURLUSESSL_TRY)
- result = imap_perform_authentication(conn);
-+ else {
-+ failf(data, "STARTTLS not available.");
-+ result = CURLE_USE_SSL_FAILED;
-+ }
- }
- else
- result = imap_perform_authentication(conn);
-diff --git a/lib/pop3.c b/lib/pop3.c
-index 04cc887..3e916ce 100644
---- a/lib/pop3.c
-+++ b/lib/pop3.c
-@@ -721,28 +721,23 @@ static CURLcode pop3_state_capa_resp(struct connectdata *conn, int pop3code,
- }
- }
- }
-- else if(pop3code == '+') {
-- if(data->set.use_ssl && !conn->ssl[FIRSTSOCKET].use) {
-- /* We don't have a SSL/TLS connection yet, but SSL is requested */
-- if(pop3c->tls_supported)
-- /* Switch to TLS connection now */
-- result = pop3_perform_starttls(conn);
-- else if(data->set.use_ssl == CURLUSESSL_TRY)
-- /* Fallback and carry on with authentication */
-- result = pop3_perform_authentication(conn);
-- else {
-- failf(data, "STLS not supported.");
-- result = CURLE_USE_SSL_FAILED;
-- }
-- }
-- else
-- result = pop3_perform_authentication(conn);
-- }
- else {
- /* Clear text is supported when CAPA isn't recognised */
-- pop3c->authtypes |= POP3_TYPE_CLEARTEXT;
-+ if(pop3code != '+')
-+ pop3c->authtypes |= POP3_TYPE_CLEARTEXT;
-
-- result = pop3_perform_authentication(conn);
-+ if(!data->set.use_ssl || conn->ssl[FIRSTSOCKET].use)
-+ result = pop3_perform_authentication(conn);
-+ else if(pop3code == '+' && pop3c->tls_supported)
-+ /* Switch to TLS connection now */
-+ result = pop3_perform_starttls(conn);
-+ else if(data->set.use_ssl <= CURLUSESSL_TRY)
-+ /* Fallback and carry on with authentication */
-+ result = pop3_perform_authentication(conn);
-+ else {
-+ failf(data, "STLS not supported.");
-+ result = CURLE_USE_SSL_FAILED;
-+ }
- }
-
- return result;
-diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
-index
ef9252b..1ba482b 100644 ---- a/tests/data/Makefile.inc -+++ b/tests/data/Makefile.inc -@@ -115,6 +115,8 @@ test945 test946 test947 test948 test949 test950 test951 test952 test953 \ - test954 test955 test956 test957 test958 test959 test960 test961 test962 \ - test963 test964 test965 test966 test967 test968 test969 test970 test971 \ - \ -+test984 test985 test986 \ -+\ - test1000 test1001 test1002 test1003 test1004 test1005 test1006 test1007 \ - test1008 test1009 test1010 test1011 test1012 test1013 test1014 test1015 \ - test1016 test1017 test1018 test1019 test1020 test1021 test1022 test1023 \ -diff --git a/tests/data/test984 b/tests/data/test984 -new file mode 100644 -index 0000000..e573f23 ---- /dev/null -+++ b/tests/data/test984 -@@ -0,0 +1,56 @@ -+ -+ -+ -+IMAP -+STARTTLS -+ -+ -+ -+# -+# Server-side -+ -+ -+REPLY CAPABILITY A001 BAD Not implemented -+ -+ -+ -+# -+# Client-side -+ -+ -+SSL -+ -+ -+imap -+ -+ -+IMAP require STARTTLS with failing capabilities -+ -+ -+imap://%HOSTIP:%IMAPPORT/%TESTNUMBER -T log/upload%TESTNUMBER -u user:secret --ssl-reqd -+ -+ -+Date: Mon, 7 Feb 1994 21:52:25 -0800 (PST) -+From: Fred Foobar -+Subject: afternoon meeting -+To: joe@example.com -+Message-Id: -+MIME-Version: 1.0 -+Content-Type: TEXT/PLAIN; CHARSET=US-ASCII -+ -+Hello Joe, do you think we can meet at 3:30 tomorrow? 
-+ -+ -+ -+# -+# Verify data after the test has been "shot" -+ -+# 64 is CURLE_USE_SSL_FAILED -+ -+64 -+ -+ -+A001 CAPABILITY -+ -+ -+ -diff --git a/tests/data/test985 b/tests/data/test985 -new file mode 100644 -index 0000000..d0db4aa ---- /dev/null -+++ b/tests/data/test985 -@@ -0,0 +1,54 @@ -+ -+ -+ -+POP3 -+STARTTLS -+ -+ -+ -+# -+# Server-side -+ -+ -+REPLY CAPA -ERR Not implemented -+ -+ -+From: me@somewhere -+To: fake@nowhere -+ -+body -+ -+-- -+ yours sincerely -+ -+ -+ -+# -+# Client-side -+ -+ -+SSL -+ -+ -+pop3 -+ -+ -+POP3 require STARTTLS with failing capabilities -+ -+ -+pop3://%HOSTIP:%POP3PORT/%TESTNUMBER -u user:secret --ssl-reqd -+ -+ -+ -+# -+# Verify data after the test has been "shot" -+ -+# 64 is CURLE_USE_SSL_FAILED -+ -+64 -+ -+ -+CAPA -+ -+ -+ -diff --git a/tests/data/test986 b/tests/data/test986 -new file mode 100644 -index 0000000..a709437 ---- /dev/null -+++ b/tests/data/test986 -@@ -0,0 +1,53 @@ -+ -+ -+ -+FTP -+STARTTLS -+ -+ -+ -+# -+# Server-side -+ -+ -+REPLY welcome 230 Welcome -+REPLY AUTH 500 unknown command -+ -+ -+ -+# Client-side -+ -+ -+SSL -+ -+ -+ftp -+ -+ -+FTP require STARTTLS while preauthenticated -+ -+ -+data -+ to -+ see -+that FTPS -+works -+ so does it? -+ -+ -+--ssl-reqd --ftp-ssl-control ftp://%HOSTIP:%FTPPORT/%TESTNUMBER -T log/test%TESTNUMBER.txt -u user:secret -+ -+ -+ -+# Verify data after the test has been "shot" -+ -+# 64 is CURLE_USE_SSL_FAILED -+ -+64 -+ -+ -+AUTH SSL -+AUTH TLS -+ -+ -+ --- -2.31.1 - diff --git a/0015-curl-7.71.1-CVE-2021-22947.patch b/0015-curl-7.71.1-CVE-2021-22947.patch deleted file mode 100644 index 2d2c374..0000000 --- a/0015-curl-7.71.1-CVE-2021-22947.patch +++ /dev/null 
@@ -1,354 +0,0 @@ -From a1ec463c8207bde97b3575d12e396e999a55a8d0 Mon Sep 17 00:00:00 2001 -From: Patrick Monnerat -Date: Tue, 7 Sep 2021 13:26:42 +0200 -Subject: [PATCH] ftp,imap,pop3,smtp: reject STARTTLS server response - pipelining - -If a server pipelines future responses within the STARTTLS response, the -former are preserved in the pingpong cache across TLS negotiation and -used as responses to the encrypted commands. - -This fix detects pipelined STARTTLS responses and rejects them with an -error. - -CVE-2021-22947 - -Bug: https://curl.se/docs/CVE-2021-22947.html - -Upstream-commit: 8ef147c43646e91fdaad5d0e7b60351f842e5c68 -Signed-off-by: Kamil Dudka ---- - lib/ftp.c | 3 +++ - lib/imap.c | 4 +++ - lib/pop3.c | 4 +++ - lib/smtp.c | 4 +++ - tests/data/Makefile.inc | 2 +- - tests/data/test980 | 52 ++++++++++++++++++++++++++++++++++++ - tests/data/test981 | 59 +++++++++++++++++++++++++++++++++++++++++ - tests/data/test982 | 57 +++++++++++++++++++++++++++++++++++++++ - tests/data/test983 | 52 ++++++++++++++++++++++++++++++++++++ - 9 files changed, 236 insertions(+), 1 deletion(-) - create mode 100644 tests/data/test980 - create mode 100644 tests/data/test981 - create mode 100644 tests/data/test982 - create mode 100644 tests/data/test983 - -diff --git a/lib/ftp.c b/lib/ftp.c -index 71f998e..e920138 100644 ---- a/lib/ftp.c -+++ b/lib/ftp.c -@@ -2692,6 +2692,9 @@ static CURLcode ftp_statemach_act(struct connectdata *conn) - case FTP_AUTH: - /* we have gotten the response to a previous AUTH command */ - -+ if(pp->cache_size) -+ return CURLE_WEIRD_SERVER_REPLY; /* Forbid pipelining in response. 
*/ -+ - /* RFC2228 (page 5) says: - * - * If the server is willing to accept the named security mechanism, -diff --git a/lib/imap.c b/lib/imap.c -index feb7445..09bc5d6 100644 ---- a/lib/imap.c -+++ b/lib/imap.c -@@ -946,6 +946,10 @@ static CURLcode imap_state_starttls_resp(struct connectdata *conn, - - (void)instate; /* no use for this yet */ - -+ /* Pipelining in response is forbidden. */ -+ if(data->conn->proto.imapc.pp.cache_size) -+ return CURLE_WEIRD_SERVER_REPLY; -+ - if(imapcode != IMAP_RESP_OK) { - if(data->set.use_ssl != CURLUSESSL_TRY) { - failf(data, "STARTTLS denied"); -diff --git a/lib/pop3.c b/lib/pop3.c -index 7698d1c..dccfced 100644 ---- a/lib/pop3.c -+++ b/lib/pop3.c -@@ -753,6 +753,10 @@ static CURLcode pop3_state_starttls_resp(struct connectdata *conn, - - (void)instate; /* no use for this yet */ - -+ /* Pipelining in response is forbidden. */ -+ if(data->conn->proto.pop3c.pp.cache_size) -+ return CURLE_WEIRD_SERVER_REPLY; -+ - if(pop3code != '+') { - if(data->set.use_ssl != CURLUSESSL_TRY) { - failf(data, "STARTTLS denied"); -diff --git a/lib/smtp.c b/lib/smtp.c -index 1defb25..1f89777 100644 ---- a/lib/smtp.c -+++ b/lib/smtp.c -@@ -817,6 +817,10 @@ static CURLcode smtp_state_starttls_resp(struct connectdata *conn, - - (void)instate; /* no use for this yet */ - -+ /* Pipelining in response is forbidden. 
*/ -+ if(data->conn->proto.smtpc.pp.cache_size) -+ return CURLE_WEIRD_SERVER_REPLY; -+ - if(smtpcode != 220) { - if(data->set.use_ssl != CURLUSESSL_TRY) { - failf(data, "STARTTLS denied, code %d", smtpcode); -diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc -index 163ce59..42b0569 100644 ---- a/tests/data/Makefile.inc -+++ b/tests/data/Makefile.inc -@@ -115,7 +115,7 @@ test945 test946 test947 test948 test949 test950 test951 test952 test953 \ - test954 test955 test956 test957 test958 test959 test960 test961 test962 \ - test963 test964 test965 test966 test967 test968 test969 test970 test971 \ - \ --test984 test985 test986 \ -+test980 test981 test982 test983 test984 test985 test986 \ - \ - test1000 test1001 test1002 test1003 test1004 test1005 test1006 test1007 \ - test1008 test1009 test1010 test1011 test1012 test1013 test1014 test1015 \ -diff --git a/tests/data/test980 b/tests/data/test980 -new file mode 100644 -index 0000000..97567f8 ---- /dev/null -+++ b/tests/data/test980 -@@ -0,0 +1,52 @@ -+ -+ -+ -+SMTP -+STARTTLS -+ -+ -+ -+# -+# Server-side -+ -+ -+CAPA STARTTLS -+AUTH PLAIN -+REPLY STARTTLS 454 currently unavailable\r\n235 Authenticated\r\n250 2.1.0 Sender ok\r\n250 2.1.5 Recipient ok\r\n354 Enter mail\r\n250 2.0.0 Accepted -+REPLY AUTH 535 5.7.8 Authentication credentials invalid -+ -+ -+ -+# -+# Client-side -+ -+ -+SSL -+ -+ -+smtp -+ -+ -+SMTP STARTTLS pipelined server response -+ -+ -+mail body -+ -+ -+smtp://%HOSTIP:%SMTPPORT/%TESTNUMBER --mail-rcpt recipient@example.com --mail-from sender@example.com -u user:secret --ssl --sasl-ir -T - -+ -+ -+ -+# -+# Verify data after the test has been "shot" -+ -+# 8 is CURLE_WEIRD_SERVER_REPLY -+ -+8 -+ -+ -+EHLO %TESTNUMBER -+STARTTLS -+ -+ -+ -diff --git a/tests/data/test981 b/tests/data/test981 -new file mode 100644 -index 0000000..2b98ce4 ---- /dev/null -+++ b/tests/data/test981 -@@ -0,0 +1,59 @@ -+ -+ -+ -+IMAP -+STARTTLS -+ -+ -+ -+# -+# Server-side -+ -+ -+CAPA STARTTLS -+REPLY STARTTLS A002 BAD 
currently unavailable\r\nA003 OK Authenticated\r\nA004 OK Accepted -+REPLY LOGIN A003 BAD Authentication credentials invalid -+ -+ -+ -+# -+# Client-side -+ -+ -+SSL -+ -+ -+imap -+ -+ -+IMAP STARTTLS pipelined server response -+ -+ -+imap://%HOSTIP:%IMAPPORT/%TESTNUMBER -T log/upload%TESTNUMBER -u user:secret --ssl -+ -+ -+Date: Mon, 7 Feb 1994 21:52:25 -0800 (PST) -+From: Fred Foobar -+Subject: afternoon meeting -+To: joe@example.com -+Message-Id: -+MIME-Version: 1.0 -+Content-Type: TEXT/PLAIN; CHARSET=US-ASCII -+ -+Hello Joe, do you think we can meet at 3:30 tomorrow? -+ -+ -+ -+# -+# Verify data after the test has been "shot" -+ -+# 8 is CURLE_WEIRD_SERVER_REPLY -+ -+8 -+ -+ -+A001 CAPABILITY -+A002 STARTTLS -+ -+ -+ -diff --git a/tests/data/test982 b/tests/data/test982 -new file mode 100644 -index 0000000..9e07cc0 ---- /dev/null -+++ b/tests/data/test982 -@@ -0,0 +1,57 @@ -+ -+ -+ -+POP3 -+STARTTLS -+ -+ -+ -+# -+# Server-side -+ -+ -+CAPA STLS USER -+REPLY STLS -ERR currently unavailable\r\n+OK user accepted\r\n+OK authenticated -+REPLY PASS -ERR Authentication credentials invalid -+ -+ -+From: me@somewhere -+To: fake@nowhere -+ -+body -+ -+-- -+ yours sincerely -+ -+ -+ -+# -+# Client-side -+ -+ -+SSL -+ -+ -+pop3 -+ -+ -+POP3 STARTTLS pipelined server response -+ -+ -+pop3://%HOSTIP:%POP3PORT/%TESTNUMBER -u user:secret --ssl -+ -+ -+ -+# -+# Verify data after the test has been "shot" -+ -+# 8 is CURLE_WEIRD_SERVER_REPLY -+ -+8 -+ -+ -+CAPA -+STLS -+ -+ -+ -diff --git a/tests/data/test983 b/tests/data/test983 -new file mode 100644 -index 0000000..300ec45 ---- /dev/null -+++ b/tests/data/test983 -@@ -0,0 +1,52 @@ -+ -+ -+ -+FTP -+STARTTLS -+ -+ -+ -+# -+# Server-side -+ -+ -+REPLY AUTH 500 unknown command\r\n500 unknown command\r\n331 give password\r\n230 Authenticated\r\n257 "/"\r\n200 OK\r\n200 OK\r\n200 OK\r\n226 Transfer complete -+REPLY PASS 530 Login incorrect -+ -+ -+ -+# Client-side -+ -+ -+SSL -+ -+ -+ftp -+ -+ -+FTP STARTTLS pipelined server 
response -+ -+ -+data -+ to -+ see -+that FTPS -+works -+ so does it? -+ -+ -+--ssl --ftp-ssl-control ftp://%HOSTIP:%FTPPORT/%TESTNUMBER -T log/test%TESTNUMBER.txt -u user:secret -P %CLIENTIP -+ -+ -+ -+# Verify data after the test has been "shot" -+ -+# 8 is CURLE_WEIRD_SERVER_REPLY -+ -+8 -+ -+ -+AUTH SSL -+ -+ -+ --- -2.31.1 - diff --git a/0101-curl-7.32.0-multilib.patch b/0101-curl-7.32.0-multilib.patch index b4de30d..f7f66e6 100644 --- a/0101-curl-7.32.0-multilib.patch +++ b/0101-curl-7.32.0-multilib.patch @@ -1,91 +1,92 @@ -From 2a4754a3a7cf60ecc36d83cbe50b8c337cb87632 Mon Sep 17 00:00:00 2001 -From: Kamil Dudka -Date: Fri, 12 Apr 2013 12:04:05 +0200 +From 6bb4e674cdc953f5c0048aa84172539900725166 Mon Sep 17 00:00:00 2001 +From: Jan Macku +Date: Tue, 16 Dec 2025 10:04:40 +0100 Subject: [PATCH] prevent multilib conflicts on the curl-config script --- - curl-config.in | 23 +++++------------------ - docs/curl-config.1 | 4 +++- - libcurl.pc.in | 1 + + curl-config.in | 23 +++++------------------ + docs/curl-config.md | 4 +++- + libcurl.pc.in | 1 + 3 files changed, 9 insertions(+), 19 deletions(-) diff --git a/curl-config.in b/curl-config.in -index 150004d..95d0759 100644 +index a1c8185875..bb43ca8335 100644 --- a/curl-config.in 
+++ b/curl-config.in -@@ -76,7 +76,7 @@ while test $# -gt 0; do - ;; +@@ -74,7 +74,7 @@ while test "$#" -gt 0; do + ;; - --cc) -- echo "@CC@" -+ echo "gcc" - ;; + --cc) +- echo '@CC@' ++ echo 'gcc' + ;; - --prefix) -@@ -155,32 +155,19 @@ while test $# -gt 0; do - ;; + --prefix) +@@ -149,16 +149,7 @@ while test "$#" -gt 0; do + ;; - --libs) -- if test "X@libdir@" != "X/usr/lib" -a "X@libdir@" != "X/usr/lib64"; then -- CURLLIBDIR="-L@libdir@ " -- else -- CURLLIBDIR="" -- fi -- if test "X@ENABLE_SHARED@" = "Xno" -o "X@REQUIRE_LIB_DEPS@" = "Xyes"; then -- echo ${CURLLIBDIR}-lcurl @LIBCURL_LIBS@ -- else -- echo ${CURLLIBDIR}-lcurl -- fi -+ echo -lcurl - ;; - --ssl-backends) - echo "@SSL_BACKENDS@" - ;; + --libs) +- if test "@libdir@" != '/usr/lib' && test "@libdir@" != '/usr/lib64'; then +- curllibdir="-L@libdir@ " +- else +- curllibdir='' +- fi +- if test '@ENABLE_SHARED@' = 'no'; then +- echo "${curllibdir}-lcurl @LIBCURL_PC_LIBS_PRIVATE@" +- else +- echo "${curllibdir}-lcurl" +- fi ++ echo '-lcurl' + ;; - --static-libs) -- if test "X@ENABLE_STATIC@" != "Xno" ; then -- echo @libdir@/libcurl.@libext@ @LDFLAGS@ @LIBCURL_LIBS@ -- else -- echo "curl was built with static libraries disabled" >&2 -- exit 1 -- fi -+ echo "curl was built with static libraries disabled" >&2 -+ exit 1 - ;; + --ssl-backends) +@@ -166,16 +157,12 @@ while test "$#" -gt 0; do + ;; - --configure) -- echo @CONFIGURE_OPTIONS@ -+ pkg-config libcurl --variable=configure_options | sed 's/^"//;s/"$//' - ;; + --static-libs) +- if test '@ENABLE_STATIC@' != 'no'; then +- echo "@libdir@/libcurl.@libext@ @LIBCURL_PC_LDFLAGS_PRIVATE@ @LIBCURL_PC_LIBS_PRIVATE@" +- else +- echo 'curl was built with static libraries disabled' >&2 +- exit 1 +- fi ++ echo 'curl was built with static libraries disabled' >&2 ++ exit 1 + ;; - *) -diff --git a/docs/curl-config.1 b/docs/curl-config.1 -index 14a9d2b..ffcc004 100644 ---- a/docs/curl-config.1 -+++ b/docs/curl-config.1 -@@ -70,7 +70,9 @@ no, one or several names. 
If more than one name, they will appear - comma-separated. (Added in 7.58.0) - .IP "--static-libs" - Shows the complete set of libs and other linker options you will need in order --to link your application with libcurl statically. (Added in 7.17.1) -+to link your application with libcurl statically. Note that Fedora/RHEL libcurl + --configure) +- echo @CONFIGURE_OPTIONS@ ++ pkg-config libcurl --variable=configure_options | sed 's/^"//;s/"$//' + ;; + + *) +diff --git a/docs/curl-config.md b/docs/curl-config.md +index 12ad245b79..fa0e03d273 100644 +--- a/docs/curl-config.md ++++ b/docs/curl-config.md +@@ -87,7 +87,9 @@ no, one or several names. If more than one name, they appear comma-separated. + ## `--static-libs` + + Shows the complete set of libs and other linker options you need in order to +-link your application with libcurl statically. (Added in 7.17.1) ++link your application with libcurl statically. Note that Fedora/RHEL libcurl +packages do not provide any static libraries, thus cannot be linked statically. +(Added in 7.17.1) - .IP "--version" - Outputs version information about the installed libcurl. - .IP "--vernum" + + ## `--version` + diff --git a/libcurl.pc.in b/libcurl.pc.in -index 2ba9c39..f8f8b00 100644 +index c0ba5244a8..f3645e1748 100644 --- a/libcurl.pc.in +++ b/libcurl.pc.in -@@ -29,6 +29,7 @@ libdir=@libdir@ +@@ -28,6 +28,7 @@ libdir=@libdir@ includedir=@includedir@ supported_protocols="@SUPPORT_PROTOCOLS@" supported_features="@SUPPORT_FEATURES@" +configure_options=@CONFIGURE_OPTIONS@ Name: libcurl - URL: https://curl.haxx.se/ + URL: https://curl.se/ -- -2.5.0 +2.52.0 diff --git a/0102-curl-7.36.0-debug.patch b/0102-curl-7.36.0-debug.patch deleted file mode 100644 index c096d67..0000000 --- a/0102-curl-7.36.0-debug.patch +++ /dev/null 
@@ -1,61 +0,0 @@ -From 3602ee9dcc74683f91fe4f9ca228aa17a6474403 Mon Sep 17 00:00:00 2001 -From: Kamil Dudka -Date: Wed, 31 Oct 2012 11:38:30 +0100 -Subject: [PATCH] prevent configure script from discarding -g in CFLAGS - (#496778) - ---- - m4/curl-compilers.m4 | 26 ++++++-------------------- - 1 file changed, 6 insertions(+), 20 deletions(-) - -diff --git a/m4/curl-compilers.m4 b/m4/curl-compilers.m4 -index c64db4bc6..d115a4aed 100644 ---- a/m4/curl-compilers.m4 -+++ b/m4/curl-compilers.m4 -@@ -106,18 +106,11 @@ AC_DEFUN([CURL_CHECK_COMPILER_CLANG], [ - clangvhi=`echo $clangver | cut -d . -f1` - clangvlo=`echo $clangver | cut -d . -f2` - compiler_num=`(expr $clangvhi "*" 100 + $clangvlo) 2>/dev/null` -- flags_dbg_all="-g -g0 -g1 -g2 -g3" -- flags_dbg_all="$flags_dbg_all -ggdb" -- flags_dbg_all="$flags_dbg_all -gstabs" -- flags_dbg_all="$flags_dbg_all -gstabs+" -- flags_dbg_all="$flags_dbg_all -gcoff" -- flags_dbg_all="$flags_dbg_all -gxcoff" -- flags_dbg_all="$flags_dbg_all -gdwarf-2" -- flags_dbg_all="$flags_dbg_all -gvms" -+ flags_dbg_all="" - flags_dbg_yes="-g" - flags_dbg_off="" -- flags_opt_all="-O -O0 -O1 -O2 -Os -O3 -O4" -- flags_opt_yes="-Os" -+ flags_opt_all="" -+ flags_opt_yes="" - flags_opt_off="-O0" - else - AC_MSG_RESULT([no]) -@@ -175,18 +168,11 @@ AC_DEFUN([CURL_CHECK_COMPILER_GNU_C], [ - gccvhi=`echo $gccver | cut -d . -f1` - gccvlo=`echo $gccver | cut -d . 
-f2` - compiler_num=`(expr $gccvhi "*" 100 + $gccvlo) 2>/dev/null` -- flags_dbg_all="-g -g0 -g1 -g2 -g3" -- flags_dbg_all="$flags_dbg_all -ggdb" -- flags_dbg_all="$flags_dbg_all -gstabs" -- flags_dbg_all="$flags_dbg_all -gstabs+" -- flags_dbg_all="$flags_dbg_all -gcoff" -- flags_dbg_all="$flags_dbg_all -gxcoff" -- flags_dbg_all="$flags_dbg_all -gdwarf-2" -- flags_dbg_all="$flags_dbg_all -gvms" -+ flags_dbg_all="" - flags_dbg_yes="-g" - flags_dbg_off="" -- flags_opt_all="-O -O0 -O1 -O2 -O3 -Os -Og -Ofast" -- flags_opt_yes="-O2" -+ flags_opt_all="" -+ flags_opt_yes="" - flags_opt_off="-O0" - CURL_CHECK_DEF([_WIN32], [], [silent]) - else --- -1.7.1 - diff --git a/0104-curl-7.19.7-localhost6.patch b/0104-curl-7.19.7-localhost6.patch deleted file mode 100644 index caa8bc2..0000000 --- a/0104-curl-7.19.7-localhost6.patch +++ /dev/null 
@@ -1,51 +0,0 @@ -diff --git a/tests/data/test1083 b/tests/data/test1083 -index e441278..b0958b6 100644 ---- a/tests/data/test1083 -+++ b/tests/data/test1083 -@@ -33,13 +33,13 @@ ipv6 - http-ipv6 - - --HTTP-IPv6 GET with ip6-localhost --interface -+HTTP-IPv6 GET with localhost6 --interface - - ---g "http://%HOST6IP:%HTTP6PORT/1083" --interface ip6-localhost -+-g "http://%HOST6IP:%HTTP6PORT/1083" --interface localhost6 - - --perl -e "if ('%CLIENT6IP' ne '[::1]') {print 'Test requires default test client host address';} else {exec './server/resolve --ipv6 ip6-localhost'; print 'Cannot run precheck resolve';}" -+perl -e "if ('%CLIENT6IP' ne '[::1]') {print 'Test requires default test client host address';} else {exec './server/resolve --ipv6 localhost6'; print 'Cannot run precheck resolve';}" - - - -diff --git a/tests/data/test241 b/tests/data/test241 -index 46eae1f..4e1632c 100644 ---- a/tests/data/test241 -+++ b/tests/data/test241 -@@ -30,13 +30,13 @@ ipv6 - http-ipv6 - - --HTTP-IPv6 GET (using ip6-localhost) -+HTTP-IPv6 GET (using localhost6) - - ---g "http://ip6-localhost:%HTTP6PORT/241" -+-g "http://localhost6:%HTTP6PORT/241" - - --./server/resolve --ipv6 ip6-localhost -+./server/resolve --ipv6 localhost6 - - - -@@ -48,7 +48,7 @@ HTTP-IPv6 GET (using ip6-localhost) - - - GET /241 HTTP/1.1 --Host: ip6-localhost:%HTTP6PORT -+Host: localhost6:%HTTP6PORT - Accept: */* - - diff --git a/0105-curl-7.63.0-lib1560-valgrind.patch b/0105-curl-7.63.0-lib1560-valgrind.patch deleted file mode 100644 index 76018a7..0000000 --- a/0105-curl-7.63.0-lib1560-valgrind.patch +++ /dev/null 
@@ -1,39 +0,0 @@ -From f55cca0e86f59ec11ffafd5c0503c39ca3723e2e Mon Sep 17 00:00:00 2001 -From: Kamil Dudka -Date: Mon, 4 Feb 2019 17:32:56 +0100 -Subject: [PATCH] libtest: compile lib1560.c with -fno-builtin-strcmp - -... to prevent valgrind from reporting false positives on x86_64: - -Conditional jump or move depends on uninitialised value(s) - at 0x10BCAA: part2id (lib1560.c:489) - by 0x10BCAA: updateurl (lib1560.c:521) - by 0x10BCAA: set_parts (lib1560.c:630) - by 0x10BCAA: test (lib1560.c:802) - by 0x4923412: (below main) (in /usr/lib64/libc-2.28.9000.so) - -Conditional jump or move depends on uninitialised value(s) - at 0x10BCC3: part2id (lib1560.c:491) - by 0x10BCC3: updateurl (lib1560.c:521) - by 0x10BCC3: set_parts (lib1560.c:630) - by 0x10BCC3: test (lib1560.c:802) - by 0x4923412: (below main) (in /usr/lib64/libc-2.28.9000.so) ---- - tests/libtest/Makefile.inc | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/tests/libtest/Makefile.inc b/tests/libtest/Makefile.inc -index 080421b..ea3b806 100644 ---- a/tests/libtest/Makefile.inc -+++ b/tests/libtest/Makefile.inc -@@ -590,6 +590,7 @@ lib1559_SOURCES = lib1559.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS) - lib1559_LDADD = $(TESTUTIL_LIBS) - - lib1560_SOURCES = lib1560.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS) -+lib1560_CFLAGS = $(AM_CFLAGS) -fno-builtin-strcmp - lib1560_LDADD = $(TESTUTIL_LIBS) - - lib1564_SOURCES = lib1564.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS) --- -2.17.2 - diff --git a/ci.fmf b/ci.fmf new file mode 100644 index 0000000..d3546e9 --- /dev/null +++ b/ci.fmf @@ -0,0 +1,9 @@ +discover: + how: fmf +prepare: + how: install + exclude: + - libcurl-minimal + - curl-minimal +execute: + how: tmt diff --git a/curl-7.71.1.tar.xz.asc b/curl-7.71.1.tar.xz.asc deleted file mode 100644 index 5954fb7..0000000 --- a/curl-7.71.1.tar.xz.asc +++ /dev/null 
@@ -1,11 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAl78MUgACgkQXMkI/bce -EsJkEgf/ZDR7QKw9aPQoT2dOyqoCTKip1fLCtJBEOmctjS86zF+1caPABYLV1kq6 -9baz7L2qWOmDdHkxF4poTpPH9CkcG3Krq6lHFjbFQ0GxMC+MEnnFYKfDVrRopaKq -ioBUnZrRSIytgwbiwxB+uxxa4ItzV6tZNVKIiIZOuuVSAZ9azA/swpezet8x2kxg -yp1Y3oe0R1VCYiCJ2EOB/rMs0ndPHSRuWiCCIBK7uPXA0jJsL4rjhmY5l2qAadfy -6iDpk85CJvQcGcC8nZMmpbivniOjIjEefjeXviLvg5dZi7f3M028QyGpkkUVzf27 -FiWCDZuZkp9ed2eLIBGWo/wy70f2pw== -=0YwO ------END PGP SIGNATURE----- diff --git a/curl.rpmlintrc b/curl.rpmlintrc new file mode 100644 index 0000000..022a98e --- /dev/null +++ b/curl.rpmlintrc @@ -0,0 +1,15 @@ +# Intentional stuff we're not concerned about +addFilter("unversioned-explicit-provides webclient") +addFilter("package-with-huge-docs") +addFilter("crypto-policy-non-compliance-openssl /usr/lib(64)?/libcurl.so.4") + +# This is just plain wrong (%_configure redefinition) +addFilter("configure-without-libdir-spec") + +# Technical term +addFilter("E: spelling-error \('kerberos',") + +# Artefacts of RemovePathPostfixes: .minimal +addFilter("W: dangling-relative-symlink /usr/lib/.build-id/.* ../../../../.*curl.*\.minimal") +#addFilter("W: dangling-relative-symlink /usr/lib.*/libcurl.so.4 libcurl.so.4.*.minimal") +#addFilter("E: invalid-ldconfig-symlink /usr/lib.*/libcurl.so.4.* libcurl.so.4.*.minimal") diff --git a/curl.spec b/curl.spec index 9291da5..c0ad4db 100644 --- a/curl.spec +++ b/curl.spec 
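Review bot: The filter `addFilter("crypto-policy-non-compliance-openssl /usr/lib(64)?/libcurl.so.4")` in the new curl.rpmlintrc sits under the generic heading "Intentional stuff we're not concerned about", which gives no reason why libcurl is exempt from the crypto-policy check. The check presumably fires because libcurl lets callers supply their own cipher list, in which case the suppression is legitimate, but that is an inference and should be written down by someone who has confirmed it. I would give the filter its own comment, for example `# libcurl lets applications set a cipher list (CURLOPT_SSL_CIPHER_LIST); flagged by rpmlint, accepted on purpose`, so that a later reader does not treat it as a blanket waiver.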
@@ -1,67 +1,45 @@ +# OpenSSL ENGINE support +# This is deprecated by OpenSSL since OpenSSL 3.0 and by Fedora since Fedora 41 +# https://fedoraproject.org/wiki/Changes/OpensslDeprecateEngine +# Change the bcond to 0 to turn off ENGINE support by default +%bcond openssl_engine_support %[%{defined fedora} || 0%{?rhel} < 10] + +# HTTP/3 support +# This is using ngtcp2 with OpenSSL 3.5 QUIC support instead of curl's +# experimental native OpenSSL 3.5 support. +%bcond http3 %[0%{?fedora} >= 43] + Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 7.71.1 -Release: 11%{?dist} -License: MIT -Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz - -# curl: make the --krb option work again (#1833193) -Patch1: 0001-curl-7.71.1-tool-krb-opt.patch - -# setopt: unset NOBODY switches to GET if still HEAD -Patch2: 0002-curl-7.71.1-unset-nobody.patch - -# libcurl: wrong connect-only connection (CVE-2020-8231) -Patch4: 0004-curl-7.71.1-CVE-2020-8231.patch - -# curl: trusting FTP PASV responses (CVE-2020-8284) -Patch5: 0005-curl-7.71.1-CVE-2020-8284.patch - -# libcurl: FTP wildcard stack overflow (CVE-2020-8285) -Patch6: 0006-curl-7.71.1-CVE-2020-8285.patch - -# curl: Inferior OCSP verification (CVE-2020-8286) -Patch7: 0007-curl-7.71.1-CVE-2020-8286.patch - -# prevent automatic referer from leaking credentials (CVE-2021-22876) -Patch8: 0008-curl-7.71.1-CVE-2021-22876.patch - -# fix TLS 1.3 session ticket proxy host mixup (CVE-2021-22890) -Patch9: 0009-curl-7.71.1-CVE-2021-22890.patch - -# fix bad connection reuse due to flawed path name checks (CVE-2021-22924) -Patch10: 0010-curl-7.71.1-CVE-2021-22924.patch - -# fix TELNET stack contents disclosure (CVE-2021-22898) -Patch11: 0011-curl-7.71.1-CVE-2021-22898.patch - -# fix TELNET stack contents disclosure again (CVE-2021-22925) -Patch12: 0012-curl-7.71.1-CVE-2021-22925.patch - -# fix use-after-free and double-free in MQTT sending (CVE-2021-22945) -Patch13: 
0013-curl-7.71.1-CVE-2021-22945.patch - -# fix protocol downgrade required TLS bypass (CVE-2021-22946) -Patch14: 0014-curl-7.71.1-CVE-2021-22946.patch - -# fix STARTTLS protocol injection via MITM (CVE-2021-22947) -Patch15: 0015-curl-7.71.1-CVE-2021-22947.patch +Version: 8.18.0 +Release: 1%{?dist} +License: curl +Source0: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz +Source1: https://curl.se/download/%{name}-%{version_no_tilde}.tar.xz.asc +# The curl download page ( https://curl.se/download.html ) links +# to Daniel's address page https://daniel.haxx.se/address.html for the GPG Key, +# which points to the GPG key as of April 7th 2016 of https://daniel.haxx.se/mykey.asc +Source2: mykey.asc # patch making libcurl multilib ready Patch101: 0101-curl-7.32.0-multilib.patch -# prevent configure script from discarding -g in CFLAGS (#496778) -Patch102: 0102-curl-7.36.0-debug.patch - -# use localhost6 instead of ip6-localhost in the curl test-suite -Patch104: 0104-curl-7.19.7-localhost6.patch - -# prevent valgrind from reporting false positives on x86_64 -Patch105: 0105-curl-7.63.0-lib1560-valgrind.patch - Provides: curl-full = %{version}-%{release} +# do not fail when trying to install curl-minimal after drop +Provides: curl-minimal = %{version}-%{release} Provides: webclient -URL: https://curl.haxx.se/ +URL: https://curl.se/ + +%if 0%{?fedora} +# instead of bundled wcurl utility, recommend wcurl package +Recommends: wcurl +%endif + +# The reason for maintaining two separate packages for curl is no longer valid. +# The curl-minimal is currently almost identical to curl-full, so let's drop curl-minimal. +# For more details, see https://bugzilla.redhat.com/show_bug.cgi?id=2262096 +Obsoletes: curl-minimal < 8.6.0-4 + BuildRequires: automake BuildRequires: brotli-devel BuildRequires: coreutils 
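Review bot: `Source2: mykey.asc` becomes the trust anchor for the tarball signature check, yet the comment above it records only where the key was downloaded from and a date, not which key it is. Recording the expected fingerprint next to it, e.g. `# expected primary key fingerprint: <FINGERPRINT-PLACEHOLDER>`, lets a reviewer compare any later change to mykey.asc against the value upstream publishes. Without that, a keyring swapped in dist-git together with a matching signature would pass the `%{gpgverify}` step added in the %prep hunk without anyone noticing.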
@@ -70,21 +48,34 @@ BuildRequires: groff BuildRequires: krb5-devel BuildRequires: libidn2-devel BuildRequires: libnghttp2-devel +%if %{with http3} +BuildRequires: libnghttp3-devel +%endif BuildRequires: libpsl-devel BuildRequires: libssh-devel BuildRequires: libtool BuildRequires: make +%if %{with http3} +BuildRequires: ngtcp2-crypto-ossl-devel +%endif BuildRequires: openldap-devel BuildRequires: openssh-clients BuildRequires: openssh-server +BuildRequires: openssl BuildRequires: openssl-devel +%if %{with openssl_engine_support} && 0%{?fedora} >= 41 +BuildRequires: openssl-devel-engine +%endif BuildRequires: perl-interpreter BuildRequires: pkgconfig +BuildRequires: python-unversioned-command BuildRequires: python3-devel BuildRequires: sed -BuildRequires: stunnel BuildRequires: zlib-devel +# For gpg verification of source tarball +BuildRequires: gnupg2 + # needed to compress content of tool_hugehelp.c after changing curl.1 man page BuildRequires: perl(IO::Compress::Gzip) @@ -94,6 +85,9 @@ BuildRequires: perl(Pod::Usage) BuildRequires: perl(strict) BuildRequires: perl(warnings) +# needed for test1560 to succeed +BuildRequires: glibc-langpack-en + # gnutls-serv is used by the upstream test-suite BuildRequires: gnutls-utils 
@@ -104,18 +98,32 @@ BuildRequires: hostname BuildRequires: nghttp2 # perl modules used in the test suite +BuildRequires: perl(B) +BuildRequires: perl(base) +BuildRequires: perl(constant) BuildRequires: perl(Cwd) BuildRequires: perl(Digest::MD5) +BuildRequires: perl(Digest::SHA) BuildRequires: perl(Exporter) BuildRequires: perl(File::Basename) BuildRequires: perl(File::Copy) BuildRequires: perl(File::Spec) +BuildRequires: perl(I18N::Langinfo) BuildRequires: perl(IPC::Open2) +BuildRequires: perl(List::Util) +BuildRequires: perl(Memoize) BuildRequires: perl(MIME::Base64) -BuildRequires: perl(Time::Local) +BuildRequires: perl(POSIX) +BuildRequires: perl(Storable) BuildRequires: perl(Time::HiRes) +BuildRequires: perl(Time::Local) BuildRequires: perl(vars) +%if 0%{?fedora} +# needed for upstream test 1451 +BuildRequires: python3-impacket +%endif + # The test-suite runs automatically through valgrind if valgrind is available # on the system. By not installing valgrind into mock's chroot, we disable # this feature for production builds on architectures where valgrind is known 
@@ -126,9 +134,28 @@ BuildRequires: perl(vars) BuildRequires: valgrind %endif +# stunnel is used by upstream tests but it does not seem to work reliably +# on aarch64/s390x and occasionally breaks some tests (mainly 1561 and 1562) +%ifnarch aarch64 s390x +BuildRequires: stunnel +%endif + # using an older version of libcurl could result in CURLE_UNKNOWN_OPTION Requires: libcurl%{?_isa} >= %{version}-%{release} +# Define OPENSSL_NO_ENGINE to avoid inclusion of +%if %{without openssl_engine_support} +%global _preprocessor_defines %{?_preprocessor_defines} -DOPENSSL_NO_ENGINE +%endif + +# require at least the version of libnghttp2 that we were built against, +# to ensure that we have the necessary symbols available (#2144277) +%global libnghttp2_version %(pkg-config --modversion libnghttp2 2>/dev/null || echo 0) + +# require at least the version of libnghttp3 that we were built against, +# to ensure that we have the necessary symbols available +%global libnghttp3_version %(pkg-config --modversion libnghttp3 2>/dev/null || echo 0) + # require at least the version of libpsl that we were built against, # to ensure that we have the necessary symbols available (#1631804) %global libpsl_version %(pkg-config --modversion libpsl 2>/dev/null || echo 0) 
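Review bot: The new `libnghttp2_version` and `libnghttp3_version` macros fall back to `echo 0` when `pkg-config --modversion` fails, so a failed lookup silently turns the later `Requires: ... >= %{...}` lines into `>= 0` and the minimum-version guard described in the comments disappears. The same applies to `ngtcp2_version` in the next hunk, which queries the module `libngtcp2` while the BuildRequires added earlier is `ngtcp2-crypto-ossl-devel`; whether that package provides the matching .pc file is not visible here. A cheap guard in %build would surface the failure, e.g. `test '%{libnghttp2_version}' != 0`, with the HTTP/3 checks placed inside `%if %{with http3}`. The fallback follows the existing `libpsl_version` pattern, so the guard could cover the older macros as well.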
@@ -137,9 +164,14 @@ Requires: libcurl%{?_isa} >= %{version}-%{release} # to ensure that we have the necessary symbols available (#525002, #642796) %global libssh_version %(pkg-config --modversion libssh 2>/dev/null || echo 0) +# require at least the version of ngtcp2 that we were built against, +# to ensure that we have the necessary symbols available +%global ngtcp2_version %(pkg-config --modversion libngtcp2 2>/dev/null || echo 0) + # require at least the version of openssl-libs that we were built against, # to ensure that we have the necessary symbols available (#1462184, #1462211) -%global openssl_version %(pkg-config --modversion openssl 2>/dev/null || echo 0) +# (we need to translate 3.0.0-alpha16 -> 3.0.0-0.alpha16 and 3.0.0-beta1 -> 3.0.0-0.beta1 though) +%global openssl_version %({ pkg-config --modversion openssl 2>/dev/null || echo 0;} | sed 's|-|-0.|') %description curl is a command line tool for transferring data with URL syntax, supporting @@ -151,8 +183,15 @@ resume, proxy tunneling and a busload of other useful tricks. %package -n libcurl Summary: A library for getting files from web servers +Requires: libnghttp2%{?_isa} >= %{libnghttp2_version} +%if %{with http3} +Requires: libnghttp3%{?_isa} >= %{libnghttp3_version} +%endif Requires: libpsl%{?_isa} >= %{libpsl_version} Requires: libssh%{?_isa} >= %{libssh_version} +%if %{with http3} +Requires: ngtcp2%{?_isa} >= %{ngtcp2_version} +%endif Requires: openssl-libs%{?_isa} >= 1:%{openssl_version} Provides: libcurl-full = %{version}-%{release} Provides: libcurl-full%{?_isa} = %{version}-%{release} 
@@ -178,23 +217,9 @@ The libcurl-devel package includes header files and libraries necessary for developing programs which use the libcurl library. It contains the API documentation of the library, too. -%package -n curl-minimal -Summary: Conservatively configured build of curl for minimal installations -Provides: curl = %{version}-%{release} -Conflicts: curl -RemovePathPostfixes: .minimal - -# using an older version of libcurl could result in CURLE_UNKNOWN_OPTION -Requires: libcurl%{?_isa} >= %{version}-%{release} - -%description -n curl-minimal -This is a replacement of the 'curl' package for minimal installations. It -comes with a limited set of features compared to the 'curl' package. On the -other hand, the package is smaller and requires fewer run-time dependencies to -be installed. - %package -n libcurl-minimal Summary: Conservatively configured build of libcurl for minimal installations +Requires: libnghttp2%{?_isa} >= %{libnghttp2_version} Requires: openssl-libs%{?_isa} >= 1:%{openssl_version} Provides: libcurl = %{version}-%{release} Provides: libcurl%{?_isa} = %{version}-%{release} 
@@ -210,100 +235,107 @@ other hand, the package is smaller and requires fewer run-time dependencies to be installed. %prep -%setup -q +%{gpgverify} --keyring='%{SOURCE2}' --signature='%{SOURCE1}' --data='%{SOURCE0}' +%autosetup -n %{name}-%{version_no_tilde} -p1 -# upstream patches -%patch1 -p1 -%patch2 -p1 -%patch4 -p1 -%patch5 -p1 -%patch6 -p1 -%patch7 -p1 -%patch8 -p1 -%patch9 -p1 -%patch10 -p1 -%patch11 -p1 -%patch12 -p1 -%patch13 -p1 -%patch14 -p1 -%patch15 -p1 - -# Fedora patches -%patch101 -p1 -%patch102 -p1 -%patch104 -p1 -%patch105 -p1 - -# make tests/*.py use Python 3 -sed -e '1 s|^#!/.*python|#!%{__python3}|' -i tests/*.py - -# regenerate the configure script and Makefile.in files -autoreconf -fiv - -# disable test 1112 (#565305), test 1455 (occasionally fails with 'bind failed -# with errno 98: Address already in use' in Koji environment), and test 1801 +# disable test 1801 # -# and test 1900, which is flaky and covers a deprecated feature of libcurl -# -printf "1112\n1455\n1801\n1900\n" >> tests/data/DISABLED +printf "1801\n" >>tests/data/DISABLED -# disable test 1319 on ppc64 (server times out) -%ifarch ppc64 -echo "1319" >> tests/data/DISABLED -%endif - -# temporarily disable test 582 on s390x (client times out) -%ifarch s390x -echo "582" >> tests/data/DISABLED -%endif - -# temporarily disable tests 702 703 716 on armv7hl (#1829180) -%ifarch armv7hl -printf "702\n703\n716\n" >> tests/data/DISABLED +# test3026: avoid pthread_create() failure due to resource exhaustion on i386 +%ifarch %{ix86} +sed -e 's|NUM_THREADS 1000$|NUM_THREADS 256|' \ + -i tests/libtest/lib3026.c %endif # adapt test 323 for updated OpenSSL -sed -e 's/^35$/35,52/' -i tests/data/test323 +sed -e 's|^35$|35,52|' -i tests/data/test323 + +# use localhost6 instead of ip6-localhost in the curl test-suite +( + # avoid glob expansion in the trace output of `bash -x` + { set +x; } 2>/dev/null + cmd="sed -e 's|ip6-localhost|localhost6|' -i tests/data/test[0-9]*" + printf "+ %s\n" "$cmd" >&2 
+ eval "$cmd" +) + +# avoid unnecessary arch-dependent line in the processed file +sed -e '/# Used in @libdir@/d' \ + -i curl-config.in %build +# regenerate the configure script and Makefile.in files +autoreconf -fiv + mkdir build-{full,minimal} -export common_configure_opts=" \ - --cache-file=../config.cache \ - --disable-static \ - --enable-symbol-hiding \ - --enable-ipv6 \ - --enable-threaded-resolver \ - --without-libmetalink \ - --with-gssapi \ - --with-nghttp2 \ - --with-ssl --with-ca-bundle=%{_sysconfdir}/pki/tls/certs/ca-bundle.crt" +export common_configure_opts=" \ + --cache-file=../config.cache \ + --disable-manual \ + --disable-static \ + --enable-hsts \ + --enable-ipv6 \ + --enable-symbol-hiding \ + --enable-threaded-resolver \ + --without-zstd \ + --with-gssapi \ + --with-libidn2 \ + --with-nghttp2 \ + --with-ssl --with-ca-bundle=%{_sysconfdir}/pki/ca-trust/extracted/pem/tls-ca-bundle.pem \ + --with-zsh-functions-dir" %global _configure ../configure # configure minimal build ( cd build-minimal - %configure $common_configure_opts \ - --disable-ldap \ - --disable-ldaps \ - --disable-manual \ - --without-brotli \ - --without-libidn2 \ - --without-libpsl \ + %configure $common_configure_opts \ + --disable-dict \ + --disable-gopher \ + --disable-imap \ + --disable-ldap \ + --disable-ldaps \ + --disable-mqtt \ + --disable-ntlm \ + --disable-pop3 \ + --disable-rtsp \ + --disable-smb \ + --disable-smtp \ + --disable-telnet \ + --disable-tftp \ + --disable-tls-srp \ + --disable-websockets \ + --without-brotli \ + --without-libpsl \ --without-libssh ) # configure full build ( cd build-full - %configure $common_configure_opts \ - --enable-ldap \ - --enable-ldaps \ - --enable-manual \ - --with-brotli \ - --with-libidn2 \ - --with-libpsl \ - --with-libssh + %configure $common_configure_opts \ + --enable-dict \ + --enable-gopher \ + --enable-imap \ + --enable-ldap \ + --enable-ldaps \ + --enable-mqtt \ + --enable-ntlm \ + --enable-pop3 \ + --enable-rtsp \ + 
--enable-smb \ + --enable-smtp \ + --enable-telnet \ + --enable-tftp \ + --enable-tls-srp \ + --enable-websockets \ + --with-brotli \ + --with-libpsl \ + --with-libssh \ +%if %{with http3} + --with-nghttp3 \ + --with-ngtcp2 \ +%endif ) # avoid using rpath @@ -315,20 +347,33 @@ sed -e 's/^runpath_var=.*/runpath_var=/' \ %make_build V=1 -C build-full %check -# we have to override LD_LIBRARY_PATH because we eliminated rpath -LD_LIBRARY_PATH="$RPM_BUILD_ROOT%{_libdir}:$LD_LIBRARY_PATH" -export LD_LIBRARY_PATH - # compile upstream test-cases -cd build-full/tests -%make_build V=1 +%make_build V=1 -C build-minimal/tests +%make_build V=1 -C build-full/tests # relax crypto policy for the test-suite to make it pass again (#1610888) export OPENSSL_SYSTEM_CIPHERS_OVERRIDE=XXX export OPENSSL_CONF= -# run the upstream test-suite -srcdir=../../tests perl -I../../tests ../../tests/runtests.pl -a -p -v '!flaky' +# make runtests.pl work for out-of-tree builds +export srcdir=../../tests + +# prevent valgrind from being extremely slow (#1662656) +# https://fedoraproject.org/wiki/Changes/DebuginfodByDefault +unset DEBUGINFOD_URLS + +# run the upstream test-suite for both curl-minimal and curl-full +for size in minimal full; do ( + cd build-${size} + + # we have to override LD_LIBRARY_PATH because we eliminated rpath + export LD_LIBRARY_PATH="${PWD}/lib/.libs" + + cd tests + perl -I../../tests ../../tests/runtests.pl -a -p -v '!flaky' +) +done + %install # install and rename the library that will be packaged as libcurl-minimal @@ -338,10 +383,6 @@ for i in ${RPM_BUILD_ROOT}%{_libdir}/*; do mv -v $i $i.minimal done -# install and rename the executable that will be packaged as curl-minimal -%make_install -C build-minimal/src -mv -v ${RPM_BUILD_ROOT}%{_bindir}/curl{,.minimal} - # install libcurl.m4 install -d $RPM_BUILD_ROOT%{_datadir}/aclocal install -m 644 docs/libcurl/libcurl.m4 $RPM_BUILD_ROOT%{_datadir}/aclocal 
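Review bot: The full-build `%configure` block now spells out `--enable-dict`, `--enable-gopher`, `--enable-telnet`, `--enable-tftp`, `--enable-smb`, `--enable-ntlm` and `--enable-tls-srp` with no comment on why these legacy protocols and authentication schemes stay in the default libcurl, while the minimal block disables each of them. A short comment above the full block would record the decision, for example `# legacy protocols kept for compatibility; applications should restrict them with CURLOPT_PROTOCOLS_STR`, worded to match the maintainers' actual reasoning. The %build section continues past this hunk.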
@@ -350,30 +391,31 @@ install -m 644 docs/libcurl/libcurl.m4 $RPM_BUILD_ROOT%{_datadir}/aclocal cd build-full %make_install -# install zsh completion for curl -# (we have to override LD_LIBRARY_PATH because we eliminated rpath) -LD_LIBRARY_PATH="$RPM_BUILD_ROOT%{_libdir}:$LD_LIBRARY_PATH" \ - %make_install -C scripts - # do not install /usr/share/fish/completions/curl.fish which is also installed # by fish-3.0.2-1.module_f31+3716+57207597 and would trigger a conflict rm -rf ${RPM_BUILD_ROOT}%{_datadir}/fish rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la +# do not install bundled wcurl utility +# it is provided by the wcurl package +rm -f ${RPM_BUILD_ROOT}%{_bindir}/wcurl +rm -f ${RPM_BUILD_ROOT}%{_mandir}/man1/wcurl.1* + %ldconfig_scriptlets -n libcurl %ldconfig_scriptlets -n libcurl-minimal %files -%doc CHANGES +%doc CHANGES.md %doc README -%doc docs/BUGS -%doc docs/FAQ -%doc docs/FEATURES -%doc docs/RESOURCES -%doc docs/TODO -%doc docs/TheArtOfHttpScripting +%doc docs/BUGS.md +%doc docs/DISTROS.md +%doc docs/FAQ.md +%doc docs/FEATURES.md +%doc docs/KNOWN_BUGS.md +%doc docs/TODO.md +%doc docs/TheArtOfHttpScripting.md %{_bindir}/curl %{_mandir}/man1/curl.1* %{_datadir}/zsh 
@@ -394,43 +436,460 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la %{_mandir}/man3/* %{_datadir}/aclocal/libcurl.m4 -%files -n curl-minimal -%{_bindir}/curl.minimal -%{_mandir}/man1/curl.1* - %files -n libcurl-minimal %license COPYING %{_libdir}/libcurl.so.4.minimal %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %changelog -* Fri Sep 17 2021 Kamil Dudka - 7.71.1-11 -- fix STARTTLS protocol injection via MITM (CVE-2021-22947) -- fix protocol downgrade required TLS bypass (CVE-2021-22946) -- fix use-after-free and double-free in MQTT sending (CVE-2021-22945) +* Wed Jan 07 2026 Jan Macku - 8.18.0-1 +- new upstream release -* Wed Jul 21 2021 Kamil Dudka - 7.71.1-10 -- fix TELNET stack contents disclosure again (CVE-2021-22925) -- fix TELNET stack contents disclosure (CVE-2021-22898) -- fix bad connection reuse due to flawed path name checks (CVE-2021-22924) -- disable metalink support to fix the following vulnerabilities +* Mon Jan 05 2026 Jan Macku - 8.18.0~rc3-1 +- new upstream release candidate + +* Tue Dec 16 2025 Jan Macku - 8.18.0~rc2-1 +- new upstream release candidate +- reenable valgrind on test 616 + +* Tue Dec 09 2025 Jan Macku - 8.18.0~rc1-1 +- new upstream release candidate +- drop upstreamed patches + +* Sun Dec 07 2025 Aleksei Bavshin - 8.17.0-5 +- Enable HTTP/3 support with ngtcp2 + +* Thu Dec 04 2025 Jan Macku - 8.17.0-4 +- apply upstream patches for valgrind issues in HTTP/3 (#2408809) + +* Thu Nov 13 2025 Jan Macku - 8.17.0-3 +- recommend wcurl package instead of bundled wcurl utility + +* Thu Nov 13 2025 Jan Macku - 8.17.0-2 +- remove bundled wcurl utility that was added in 8.14.0~rc1, use wcurl package instead + +* Mon Nov 10 2025 Jan Macku - 8.17.0-1 +- new upstream release + +* Thu Oct 30 2025 Jan Macku - 8.17.0~rc3-1 +- new upstream release candidate + +* Tue Oct 21 2025 Jan Macku - 8.17.0~rc2-1 +- new upstream release candidate + +* Mon Oct 13 2025 Jan Macku - 8.17.0~rc1-1 +- new upstream release candidate + +* Wed Sep 10 2025 Jan Macku - 
8.16.0-1 +- new upstream release + +* Wed Sep 03 2025 Jan Macku - 8.16.0~rc3-1 +- new upstream release candidate + +* Tue Aug 26 2025 Jan Macku - 8.16.0~rc2-1 +- new upstream release candidate + +* Wed Jul 23 2025 Fedora Release Engineering - 8.15.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_43_Mass_Rebuild + +* Wed Jul 16 2025 Jan Macku - 8.15.0-1 +- new upstream release + +* Thu Jul 10 2025 Jan Macku - 8.15.0~rc3-1 +- new upstream release candidate + +* Mon Jun 30 2025 Jan Macku - 8.15.0~rc2-1 +- new upstream release candidate + +* Mon Jun 23 2025 Jan Macku - 8.15.0~rc1-1 +- new upstream release candidate + +* Wed Jun 04 2025 Jan Macku - 8.14.1-1 +- new upstream release +- drop: 0001-curl-8.14.0-multi-fix-add_handle-resizing.patch (no longer needed) + +* Wed May 28 2025 Jan Macku - 8.14.0-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2025-5025 - No QUIC certificate pinning with wolfSSL + CVE-2025-4947 - QUIC certificate check skip with wolfSSL +- fix regression: curl_multi_add_handle() returning OOM when using more than 400 handles + +* Fri May 02 2025 Jan Macku - 8.14.0~rc1-1 +- new upstream release candidate +- new utility: wcurl which lets you download URLs without having to remember any parameters + +* Wed Apr 02 2025 Jan Macku - 8.13.0-1 +- new upstream release +- add build time dependency on openssl (required by tests) + +* Wed Mar 26 2025 Jan Macku - 8.13.0~rc3-1 +- new upstream release candidate +- drop: 0102-curl-7.84.0-test3026.patch (no longer needed) + +* Tue Mar 18 2025 Jan Macku - 8.13.0~rc2-1 +- new upstream release candidate + +* Thu Mar 13 2025 Jan Macku - 8.13.0~rc1-2 +- fix --cert parameter (#2351531) + +* Mon Mar 10 2025 Jan Macku - 8.13.0~rc1-1 +- new upstream release candidate + +* Wed Feb 05 2025 Jan Macku - 8.12.0-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2025-0725 - gzip integer overflow + CVE-2025-0665 - eventfd double close + CVE-2025-0167 - netrc and default 
credential leak +- drop upstreamed patches + +* Fri Jan 31 2025 Jan Macku - 8.11.1-4 +- TLS: check connection for SSL use, not handler (#2324130#c7) + +* Thu Jan 16 2025 Fedora Release Engineering - 8.11.1-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_42_Mass_Rebuild + +* Sun Dec 15 2024 Paul Howarth - 8.11.1-2 +- Fix crash with Unexpected error 9 on netlink descriptor 10 (rhbz#2332350) + - https://github.com/curl/curl/issues/15725 + - https://github.com/curl/curl/pull/15727 + +* Wed Dec 11 2024 Jan Macku - 8.11.1-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2024-11053 - netrc and redirect credential leak + +* Wed Nov 06 2024 Yaakov Selkowitz - 8.11.0-2 +- Disable engine support on RHEL 10+ + +* Wed Nov 06 2024 Jan Macku - 8.11.0-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2024-9681 - HSTS subdomain overwrites parent cache entry + +* Tue Sep 24 2024 Jan Macku - 8.10.1-2 +- Use tls-ca-bundle.pem instead of ca-bundle.crt (OpenSSL specific) (#2313564) + +* Wed Sep 18 2024 Jan Macku - 8.10.1-1 +- new upstream release + +* Wed Sep 11 2024 Jan Macku - 8.10.0-1 +- new upstream release + +* Wed Aug 21 2024 Jacek Migacz - 8.9.1-3 +- Retire deprecated ntlm-wb configure option + +* Mon Aug 5 2024 voidanix - 8.9.1-2 +- Apply SIGPIPE-related patch due to upstream regression + +* Wed Jul 24 2024 Jan Macku - 8.9.1-1 +- new upstream release + +* Wed Jul 24 2024 Jan Macku - 8.9.0-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2024-6874 - macidn punycode buffer overread + CVE-2024-6197 - freeing stack buffer in utf8asn1str +- drop upstreamed patches + +* Wed Jul 17 2024 Fedora Release Engineering - 8.8.0-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_41_Mass_Rebuild + +* Fri Jul 12 2024 Paul Howarth - 8.8.0-2 +- adapt for https://fedoraproject.org/wiki/Changes/OpensslDeprecateEngine +- added build condition for openssl_engine_support, true by default so as to + not change the 
resulting built package (yet) +- with openssl_engine_support true, BR: openssl-devel-engine +- with openssl_engine_support false, build with -DOPENSSL_NO_ENGINE + +* Wed May 22 2024 Jan Macku - 8.8.0-1 +- new upstream release +- drop upstreamed patches + +* Wed Mar 27 2024 Jan Macku - 8.7.1-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2024-2004 - Usage of disabled protocol + CVE-2024-2379 - QUIC certificate check bypass with wolfSSL + CVE-2024-2398 - HTTP/2 push headers memory-leak + CVE-2024-2466 - TLS certificate check bypass with mbedTLS +- drop upstreamed patches +- reenable test 0313 +- fix zsh completions, use --with-zsh-functions-dir +- apply upstream patches for 8.7.1 issues and regressions + +* Mon Feb 19 2024 Jan Macku - 8.6.0-7 +- Fix: Leftovers after chunking should not be part of the curl buffer output (#2264220) + +* Mon Feb 12 2024 Jan Macku - 8.6.0-6 +- revert "receive max buffer" + add test case +- temporarily disable test 0313 +- remove suggests of libcurl-minimal in curl-full + +* Mon Feb 12 2024 Jan Macku - 8.6.0-5 +- add Provides to curl-minimal + +* Wed Feb 07 2024 Jan Macku - 8.6.0-4 +- drop curl-minimal subpackage in favor of curl-full (#2262096) + +* Mon Feb 05 2024 Jan Macku - 8.6.0-3 +- ignore response body to HEAD requests + +* Fri Feb 02 2024 Jan Macku - 8.6.0-2 +- don't build manual for curl-full - use man 1 curl instead (#2262373) + +* Thu Feb 01 2024 Jan Macku - 8.6.0-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2024-0853 - OCSP verification bypass with TLS session reuse +- drop 001-dist-add-tests-errorcodes.pl-to-the-tarball.patch (replaced by upstream fix) +- remove accidentally included mk-ca-bundle.1 man page (upstream bug #12843) + +* Fri Jan 19 2024 Fedora Release Engineering - 8.5.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild + +* Wed Dec 06 2023 Jan Macku - 8.5.0-1 +- new upstream release, which fixes the following vulnerabilities + 
CVE-2023-46218 - cookie mixed case PSL bypass + CVE-2023-46219 - HSTS long file name clears contents + +* Wed Oct 11 2023 Jan Macku - 8.4.0-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2023-38545 - SOCKS5 heap buffer overflow + CVE-2023-38546 - cookie injection with none file + +* Wed Sep 13 2023 Jan Macku - 8.3.0-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2023-38039 - HTTP headers eat all memory + +* Wed Aug 02 2023 Jan Macku - 8.2.1-2 +- enable websockets (#2224651) + +* Wed Jul 26 2023 Lukáš Zaoral - 8.2.1-1 +- new upstream release (rhbz#2226659) + +* Wed Jul 19 2023 Jan Macku - 8.2.0-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2023-32001 - fopen race condition + +* Tue May 30 2023 Jan Macku - 8.1.2-1 +- new upstream release, with small bugfixes and improvements + +* Tue May 23 2023 Jan Macku - 8.1.1-1 +- new upstream release, with small bugfixes and improvements + +* Wed May 17 2023 Kamil Dudka - 8.1.0-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2023-28321 - IDN wildcard match + CVE-2023-28322 - more POST-after-PUT confusion + +* Fri Apr 21 2023 Kamil Dudka - 8.0.1-3 +- tests: re-enable temporarily disabled test-cases +- tests: attempt to fix a conflict on port numbers +- apply patches automatically + +* Tue Mar 21 2023 Lukáš Zaoral - 8.0.1-2 +- migrated to SPDX license + +* Mon Mar 20 2023 Kamil Dudka - 8.0.1-1 +- new upstream release + +* Mon Mar 20 2023 Kamil Dudka - 8.0.0-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2023-27538 - SSH connection too eager reuse still + CVE-2023-27537 - HSTS double-free + CVE-2023-27536 - GSS delegation too eager connection re-use + CVE-2023-27535 - FTP too eager connection reuse + CVE-2023-27534 - SFTP path ~ resolving discrepancy + CVE-2023-27533 - TELNET option IAC injection + +* Mon Feb 20 2023 Kamil Dudka - 7.88.1-1 +- new upstream release + +* Fri Feb 17 2023 Kamil 
Dudka - 7.88.0-2 +- http2: set drain on stream end + +* Wed Feb 15 2023 Kamil Dudka - 7.88.0-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2023-23916 - HTTP multi-header compression denial of service + CVE-2023-23915 - HSTS amnesia with --parallel + CVE-2023-23914 - HSTS ignored on multiple requests + +* Fri Jan 20 2023 Kamil Dudka - 7.87.0-4 +- fix regression in a public header file (#2162716) + +* Thu Jan 19 2023 Fedora Release Engineering - 7.87.0-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild + +* Wed Jan 11 2023 Kamil Dudka - 7.87.0-2 +- test3012: temporarily disable valgrind (#2143040) + +* Wed Dec 21 2022 Kamil Dudka - 7.87.0-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2022-43552 - HTTP Proxy deny use-after-free + CVE-2022-43551 - Another HSTS bypass via IDN + +* Tue Nov 29 2022 Kamil Dudka - 7.86.0-4 +- noproxy: tailmatch like in 7.85.0 and earlier (#2149224) + +* Thu Nov 24 2022 Kamil Dudka - 7.86.0-3 +- enforce versioned libnghttp2 dependency for libcurl (#2144277) + +* Mon Oct 31 2022 Kamil Dudka - 7.86.0-2 +- fix regression in noproxy matching + +* Wed Oct 26 2022 Kamil Dudka - 7.86.0-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2022-42916 - HSTS bypass via IDN + CVE-2022-42915 - HTTP proxy double-free + CVE-2022-35260 - .netrc parser out-of-bounds access + CVE-2022-32221 - POST following PUT confusion + +* Thu Sep 01 2022 Kamil Dudka - 7.85.0-1 +- new upstream release, which fixes the following vulnerability + CVE-2022-35252 - control code in cookie denial of service + +* Thu Aug 25 2022 Kamil Dudka - 7.84.0-3 +- tests: fix http2 tests to use CRLF headers to make it work with nghttp2-1.49.0 + +* Wed Jul 20 2022 Fedora Release Engineering - 7.84.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild + +* Mon Jun 27 2022 Kamil Dudka - 7.84.0-1 +- new upstream release, which fixes the following vulnerabilities + 
CVE-2022-32207 - Unpreserved file permissions + CVE-2022-32205 - Set-Cookie denial of service + CVE-2022-32206 - HTTP compression denial of service + CVE-2022-32208 - FTP-KRB bad message verification + +* Wed May 11 2022 Kamil Dudka - 7.83.1-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2022-27782 - fix too eager reuse of TLS and SSH connections + CVE-2022-27779 - do not accept cookies for TLD with trailing dot + CVE-2022-27778 - do not remove wrong file on error + CVE-2022-30115 - hsts: ignore trailing dots when comparing hosts names + CVE-2022-27780 - reject percent-encoded path separator in URL host + +* Wed Apr 27 2022 Kamil Dudka - 7.83.0-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2022-27774 - curl credential leak on redirect + CVE-2022-27776 - curl auth/cookie leak on redirect + CVE-2022-27775 - curl bad local IPv6 connection reuse + CVE-2022-22576 - curl OAUTH2 bearer bypass in connection re-use + +* Tue Mar 15 2022 Kamil Dudka - 7.82.0-2 +- openssl: fix incorrect CURLE_OUT_OF_MEMORY error on CN check failure + +* Sat Mar 05 2022 Kamil Dudka - 7.82.0-1 +- new upstream release + +* Thu Feb 24 2022 Kamil Dudka - 7.81.0-4 +- enable IDN support also in libcurl-minimal + +* Thu Feb 10 2022 Zbigniew Jędrzejewski-Szmek - 7.81.0-3 +- Suggest libcurl-minimal in curl-minimal + +* Thu Jan 20 2022 Fedora Release Engineering - 7.81.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild + +* Wed Jan 05 2022 Kamil Dudka - 7.81.0-1 +- new upstream release + +* Sun Nov 14 2021 Paul Howarth - 7.80.0-2 +- sshserver.pl (used in test suite) now requires the Digest::SHA perl module + +* Wed Nov 10 2021 Kamil Dudka - 7.80.0-1 +- new upstream release + +* Tue Oct 26 2021 Kamil Dudka - 7.79.1-3 +- re-enable HSTS in libcurl-minimal as a security feature (#2005874) + +* Mon Oct 04 2021 Kamil Dudka - 7.79.1-2 +- disable more protocols and features in libcurl-minimal (#2005874) + +* Wed Sep 22 2021 Kamil 
Dudka - 7.79.1-1 +- new upstream release + +* Thu Sep 16 2021 Kamil Dudka - 7.79.0-4 +- fix regression in http2 implementation introduced in the last release + +* Thu Sep 16 2021 Sahana Prasad - 7.79.0-3 +- Rebuilt with OpenSSL 3.0.0 + +* Thu Sep 16 2021 Kamil Dudka - 7.79.0-2 +- make SCP/SFTP tests work with openssh-8.7p1 + +* Wed Sep 15 2021 Kamil Dudka - 7.79.0-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2021-22947 - STARTTLS protocol injection via MITM + CVE-2021-22946 - protocol downgrade required TLS bypassed + CVE-2021-22945 - use-after-free and double-free in MQTT sending + +* Tue Sep 14 2021 Sahana Prasad - 7.78.0-4 +- Rebuilt with OpenSSL 3.0.0 + +* Fri Jul 23 2021 Kamil Dudka - 7.78.0-3 +- make explicit dependency on openssl work with alpha/beta builds of openssl + +* Wed Jul 21 2021 Fedora Release Engineering - 7.78.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild + +* Wed Jul 21 2021 Kamil Dudka - 7.78.0-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2021-22925 - TELNET stack contents disclosure again + CVE-2021-22924 - bad connection reuse due to flawed path name checks CVE-2021-22923 - metalink download sends credentials CVE-2021-22922 - wrong content via metalink not discarded -* Wed Mar 31 2021 Kamil Dudka - 7.71.1-9 -- fix TLS 1.3 session ticket proxy host mixup (CVE-2021-22890) -- prevent automatic referer from leaking credentials (CVE-2021-22876) +* Wed Jun 02 2021 Kamil Dudka - 7.77.0-2 +- build the curl tool without metalink support (#1967213) -* Wed Dec 09 2020 Kamil Dudka - 7.71.1-8 -- curl: Inferior OCSP verification (CVE-2020-8286) -- libcurl: FTP wildcard stack overflow (CVE-2020-8285) -- curl: trusting FTP PASV responses (CVE-2020-8284) +* Wed May 26 2021 Kamil Dudka - 7.77.0-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2021-22901 - TLS session caching disaster + CVE-2021-22898 - TELNET stack contents disclosure -* Thu Sep 10 
2020 Jinoh Kang - 7.71.1-7 +* Mon May 03 2021 Kamil Dudka - 7.76.1-2 +- http2: fix resource leaks detected by Coverity + +* Wed Apr 14 2021 Kamil Dudka - 7.76.1-1 +- new upstream release + +* Wed Mar 31 2021 Kamil Dudka - 7.76.0-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2021-22890 - TLS 1.3 session ticket proxy host mixup + CVE-2021-22876 - Automatic referer leaks credentials + +* Wed Mar 24 2021 Kamil Dudka - 7.75.0-3 +- fix SIGSEGV upon disconnect of a ldaps:// transfer + +* Tue Feb 23 2021 Kamil Dudka - 7.75.0-2 +- build-require python3-impacket only on Fedora + +* Wed Feb 03 2021 Kamil Dudka - 7.75.0-1 +- new upstream release + +* Tue Jan 26 2021 Kamil Dudka - 7.74.0-4 +- do not use stunnel for tests on s390x builds to avoid spurious failures + +* Tue Jan 26 2021 Fedora Release Engineering - 7.74.0-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild + +* Wed Dec 09 2020 Kamil Dudka - 7.74.0-2 +- do not rewrite shebangs in test-suite to use python3 explicitly + +* Wed Dec 09 2020 Kamil Dudka - 7.74.0-1 +- new upstream release, which fixes the following vulnerabilities + CVE-2020-8286 - curl: Inferior OCSP verification + CVE-2020-8285 - libcurl: FTP wildcard stack overflow + CVE-2020-8284 - curl: trusting FTP PASV responses + +* Wed Oct 14 2020 Kamil Dudka - 7.73.0-2 +- prevent upstream test 1451 from being skipped + +* Wed Oct 14 2020 Kamil Dudka - 7.73.0-1 +- new upstream release + +* Thu Sep 10 2020 Jinoh Kang - 7.72.0-2 - fix multiarch conflicts in libcurl-minimal (#1877671) -* Wed Aug 19 2020 Kamil Dudka - 7.71.1-6 -- libcurl: wrong connect-only connection (CVE-2020-8231) +* Wed Aug 19 2020 Kamil Dudka - 7.72.0-1 +- new upstream release, which fixes the following vulnerability + CVE-2020-8231 - libcurl: wrong connect-only connection * Thu Aug 06 2020 Kamil Dudka - 7.71.1-5 - setopt: unset NOBODY switches to GET if still HEAD 
@@ -1023,881 +1482,3 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la * Wed Feb 06 2013 Kamil Dudka 7.29.0-1 - new upstream release (fixes CVE-2013-0249) - -* Tue Jan 15 2013 Kamil Dudka 7.28.1-3 -- require valgrind for build only on i386 and x86_64 (#886891) - -* Tue Jan 15 2013 Kamil Dudka 7.28.1-2 -- prevent NSS from crashing on client auth hook failure -- clear session cache if a client cert from file is used -- fix error messages for CURLE_SSL_{CACERT,CRL}_BADFILE - -* Tue Nov 20 2012 Kamil Dudka 7.28.1-1 -- new upstream release - -* Wed Oct 31 2012 Kamil Dudka 7.28.0-1 -- new upstream release - -* Mon Oct 01 2012 Kamil Dudka 7.27.0-3 -- use the upstream facility to disable problematic tests -- do not crash if MD5 fingerprint is not provided by libssh2 - -* Wed Aug 01 2012 Kamil Dudka 7.27.0-2 -- eliminate unnecessary inotify events on upload via file protocol (#844385) - -* Sat Jul 28 2012 Kamil Dudka 7.27.0-1 -- new upstream release - -* Mon Jul 23 2012 Kamil Dudka 7.26.0-6 -- print reason phrase from HTTP status line on error (#676596) - -* Wed Jul 18 2012 Fedora Release Engineering - 7.26.0-5 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild - -* Sat Jun 09 2012 Kamil Dudka 7.26.0-4 -- fix duplicated SSL handshake with multi interface and proxy (#788526) - -* Wed May 30 2012 Karsten Hopp 7.26.0-3 -- disable test 1319 on ppc64, server times out - -* Mon May 28 2012 Kamil Dudka 7.26.0-2 -- use human-readable error messages provided by NSS (upstream commit 72f4b534) - -* Fri May 25 2012 Kamil Dudka 7.26.0-1 -- new upstream release - -* Wed Apr 25 2012 Karsten Hopp 7.25.0-3 -- valgrind on ppc64 works fine, disable ppc32 only - -* Wed Apr 25 2012 Karsten Hopp 7.25.0-3 -- drop BR valgrind on PPC(64) until bugzilla #810992 gets fixed - -* Fri Apr 13 2012 Kamil Dudka 7.25.0-2 -- use NSS_InitContext() to initialize NSS if available (#738456) -- provide human-readable names for NSS errors (upstream commit a60edcc6) - -* Fri Mar 23 2012 Paul Howarth 
7.25.0-1 -- new upstream release (#806264) -- fix character encoding of docs with a patch rather than just iconv -- update debug and multilib patches -- don't use macros for commands -- reduce size of %%prep output for readability - -* Tue Jan 24 2012 Kamil Dudka 7.24.0-1 -- new upstream release (fixes CVE-2012-0036) - -* Thu Jan 05 2012 Paul Howarth 7.23.0-6 -- rebuild for gcc 4.7 - -* Mon Jan 02 2012 Kamil Dudka 7.23.0-5 -- upstream patch that allows to run FTPS tests with nss-3.13 (#760060) - -* Tue Dec 27 2011 Kamil Dudka 7.23.0-4 -- allow to run FTPS tests with nss-3.13 (#760060) - -* Sun Dec 25 2011 Kamil Dudka 7.23.0-3 -- avoid unnecessary timeout event when waiting for 100-continue (#767490) - -* Mon Nov 21 2011 Kamil Dudka 7.23.0-2 -- curl -JO now uses -O name if no C-D header comes (upstream commit c532604) - -* Wed Nov 16 2011 Kamil Dudka 7.23.0-1 -- new upstream release (#754391) - -* Mon Sep 19 2011 Kamil Dudka 7.22.0-2 -- nss: select client certificates by DER (#733657) - -* Tue Sep 13 2011 Kamil Dudka 7.22.0-1 -- new upstream release -- curl-config now provides dummy --static-libs option (#733956) - -* Sun Aug 21 2011 Paul Howarth 7.21.7-4 -- actually fix SIGSEGV of curl -O -J given more than one URL (#723075) - -* Mon Aug 15 2011 Kamil Dudka 7.21.7-3 -- fix SIGSEGV of curl -O -J given more than one URL (#723075) -- introduce the --delegation option of curl (#730444) -- initialize NSS with no database if the selected database is broken (#728562) - -* Wed Aug 03 2011 Kamil Dudka 7.21.7-2 -- add a new option CURLOPT_GSSAPI_DELEGATION (#719939) - -* Thu Jun 23 2011 Kamil Dudka 7.21.7-1 -- new upstream release (fixes CVE-2011-2192) - -* Wed Jun 08 2011 Kamil Dudka 7.21.6-2 -- avoid an invalid timeout event on a reused handle (#679709) - -* Sat Apr 23 2011 Paul Howarth 7.21.6-1 -- new upstream release - -* Mon Apr 18 2011 Kamil Dudka 7.21.5-2 -- fix the output of curl-config --version (upstream commit 82ecc85) - -* Mon Apr 18 2011 Kamil Dudka 7.21.5-1 -- 
new upstream release - -* Sat Apr 16 2011 Peter Robinson 7.21.4-4 -- no valgrind on ARMv5 arches - -* Sat Mar 05 2011 Dennis Gilmore 7.21.4-3 -- no valgrind on sparc arches - -* Tue Feb 22 2011 Kamil Dudka 7.21.4-2 -- do not ignore failure of SSL handshake (upstream commit 7aa2d10) - -* Fri Feb 18 2011 Kamil Dudka 7.21.4-1 -- new upstream release -- avoid memory leak on SSL connection failure (upstream commit a40f58d) -- work around valgrind bug (#678518) - -* Tue Feb 08 2011 Fedora Release Engineering - 7.21.3-3 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild - -* Wed Jan 12 2011 Kamil Dudka 7.21.3-2 -- build libcurl with --enable-hidden-symbols - -* Thu Dec 16 2010 Paul Howarth 7.21.3-1 -- update to 7.21.3: - - added --noconfigure switch to testcurl.pl - - added --xattr option - - added CURLOPT_RESOLVE and --resolve - - added CURLAUTH_ONLY - - added version-check.pl to the examples dir - - check for libcurl features for some command line options - - Curl_setopt: disallow CURLOPT_USE_SSL without SSL support - - http_chunks: remove debug output - - URL-parsing: consider ? 
a divider - - SSH: avoid using the libssh2_ prefix - - SSH: use libssh2_session_handshake() to work on win64 - - ftp: prevent server from hanging on closed data connection when stopping - a transfer before the end of the full transfer (ranges) - - LDAP: detect non-binary attributes properly - - ftp: treat server's response 421 as CURLE_OPERATION_TIMEDOUT - - gnutls->handshake: improved timeout handling - - security: pass the right parameter to init - - krb5: use GSS_ERROR to check for error - - TFTP: resend the correct data - - configure: fix autoconf 2.68 warning: no AC_LANG_SOURCE call detected - - GnuTLS: now detects socket errors on Windows - - symbols-in-versions: updated en masse - - added a couple of examples that were missing from the tarball - - Curl_send/recv_plain: return errno on failure - - Curl_wait_for_resolv (for c-ares): correct timeout - - ossl_connect_common: detect connection re-use - - configure: prevent link errors with --librtmp - - openldap: use remote port in URL passed to ldap_init_fd() - - url: provide dead_connection flag in Curl_handler::disconnect - - lots of compiler warning fixes - - ssh: fix a download resume point calculation - - fix getinfo CURLINFO_LOCAL* for reused connections - - multi: the returned running handles counter could turn negative - - multi: only ever consider pipelining for connections doing HTTP(S) -- drop upstream patches now in tarball -- update bz650255 and disable-test1112 patches to apply against new codebase -- add workaround for false-positive glibc-detected buffer overflow in tftpd - test server with FORTIFY_SOURCE (similar to #515361) - -* Fri Nov 12 2010 Kamil Dudka 7.21.2-5 -- do not send QUIT to a dead FTP control connection (#650255) -- pull back glibc's implementation of str[n]casecmp(), #626470 appears fixed - -* Tue Nov 09 2010 Kamil Dudka 7.21.2-4 -- prevent FTP client from hanging on unrecognized ABOR response (#649347) -- return more appropriate error code in case FTP server session idle - 
timeout has exceeded (#650255) - -* Fri Oct 29 2010 Kamil Dudka 7.21.2-3 -- prevent FTP server from hanging on closed data connection (#643656) - -* Thu Oct 14 2010 Paul Howarth 7.21.2-2 -- enforce versioned libssh2 dependency for libcurl (#642796) - -* Wed Oct 13 2010 Kamil Dudka 7.21.2-1 -- new upstream release, drop applied patches -- make 0102-curl-7.21.2-debug.patch less intrusive - -* Wed Sep 29 2010 jkeating - 7.21.1-6 -- Rebuilt for gcc bug 634757 - -* Sat Sep 11 2010 Kamil Dudka 7.21.1-5 -- make it possible to run SCP/SFTP tests on x86_64 (#632914) - -* Tue Sep 07 2010 Kamil Dudka 7.21.1-4 -- work around glibc/valgrind problem on x86_64 (#631449) - -* Tue Aug 24 2010 Paul Howarth 7.21.1-3 -- fix up patches so there's no need to run autotools in the rpm build -- drop buildreq automake -- drop dependency on automake for devel package from F-14, where - %%{_datadir}/aclocal is included in the filesystem package -- drop dependency on pkgconfig for devel package from F-11, where - pkgconfig dependencies are auto-generated - -* Mon Aug 23 2010 Kamil Dudka 7.21.1-2 -- re-enable test575 on s390(x), already fixed (upstream commit d63bdba) -- modify system headers to work around gcc bug (#617757) -- curl -T now ignores file size of special files (#622520) -- fix kerberos proxy authentication for https (#625676) -- work around glibc/valgrind problem on x86_64 (#626470) - -* Thu Aug 12 2010 Kamil Dudka 7.21.1-1 -- new upstream release - -* Mon Jul 12 2010 Dan Horák 7.21.0-3 -- disable test 575 on s390(x) - -* Mon Jun 28 2010 Kamil Dudka 7.21.0-2 -- add support for NTLM authentication (#603783) - -* Wed Jun 16 2010 Kamil Dudka 7.21.0-1 -- new upstream release, drop applied patches -- update of %%description -- disable valgrind for certain test-cases (libssh2 problem) - -* Tue May 25 2010 Kamil Dudka 7.20.1-6 -- fix -J/--remote-header-name to strip CR-LF (upstream patch) - -* Wed Apr 28 2010 Kamil Dudka 7.20.1-5 -- CRL support now works again (#581926) -- make it 
possible to start a testing OpenSSH server when building with SELinux - in the enforcing mode (#521087) - -* Sat Apr 24 2010 Kamil Dudka 7.20.1-4 -- upstream patch preventing failure of test536 with threaded DNS resolver -- upstream patch preventing SSL handshake timeout underflow - -* Thu Apr 22 2010 Paul Howarth 7.20.1-3 -- replace Rawhide s390-sleep patch with a more targeted patch adding a - delay after tests 513 and 514 rather than after all tests - -* Wed Apr 21 2010 Kamil Dudka 7.20.1-2 -- experimentally enabled threaded DNS lookup -- make curl-config multilib ready again (#584107) - -* Mon Apr 19 2010 Kamil Dudka 7.20.1-1 -- new upstream release - -* Tue Mar 23 2010 Kamil Dudka 7.20.0-4 -- add missing quote in libcurl.m4 (#576252) - -* Fri Mar 19 2010 Kamil Dudka 7.20.0-3 -- throw CURLE_SSL_CERTPROBLEM in case peer rejects a certificate (#565972) -- valgrind temporarily disabled (#574889) -- kerberos installation prefix has been changed - -* Wed Feb 24 2010 Kamil Dudka 7.20.0-2 -- exclude test1112 from the test suite (#565305) - -* Thu Feb 11 2010 Kamil Dudka 7.20.0-1 -- new upstream release - added support for IMAP(S), POP3(S), SMTP(S) and RTSP -- dropped patches applied upstream -- dropped curl-7.16.0-privlibs.patch no longer useful -- a new patch forcing -lrt when linking the curl tool and test-cases - -* Fri Jan 29 2010 Kamil Dudka 7.19.7-11 -- upstream patch adding a new option -J/--remote-header-name -- dropped temporary workaround for #545779 - -* Thu Jan 14 2010 Chris Weyl 7.19.7-10 -- bump for libssh2 rebuild - -* Sun Dec 20 2009 Kamil Dudka 7.19.7-9 -- temporary workaround for #548269 - (restored behavior of 7.19.7-4) - -* Wed Dec 09 2009 Kamil Dudka 7.19.7-8 -- replace hard wired port numbers in the test suite - -* Wed Dec 09 2009 Kamil Dudka 7.19.7-7 -- use different port numbers for 32bit and 64bit builds -- temporary workaround for #545779 - -* Tue Dec 08 2009 Kamil Dudka 7.19.7-6 -- make it possible to run test241 -- re-enable SCP/SFTP tests 
(#539444) - -* Sat Dec 05 2009 Kamil Dudka 7.19.7-5 -- avoid use of uninitialized value in lib/nss.c -- suppress failure of test513 on s390 - -* Tue Dec 01 2009 Kamil Dudka 7.19.7-4 -- do not require valgrind on s390 and s390x -- temporarily disabled SCP/SFTP test-suite (#539444) - -* Thu Nov 12 2009 Kamil Dudka 7.19.7-3 -- fix crash on doubly closed NSPR descriptor, patch contributed - by Kevin Baughman (#534176) -- new version of patch for broken TLS servers (#525496, #527771) - -* Wed Nov 04 2009 Kamil Dudka 7.19.7-2 -- increased release number (CVS problem) - -* Wed Nov 04 2009 Kamil Dudka 7.19.7-1 -- new upstream release, dropped applied patches -- workaround for broken TLS servers (#525496, #527771) - -* Wed Oct 14 2009 Kamil Dudka 7.19.6-13 -- fix timeout issues and gcc warnings within lib/nss.c - -* Tue Oct 06 2009 Kamil Dudka 7.19.6-12 -- upstream patch for NSS support written by Guenter Knauf - -* Wed Sep 30 2009 Kamil Dudka 7.19.6-11 -- build libcurl with c-ares support (#514771) - -* Sun Sep 27 2009 Kamil Dudka 7.19.6-10 -- require libssh2>=1.2 properly (#525002) - -* Sat Sep 26 2009 Kamil Dudka 7.19.6-9 -- let curl test-suite use valgrind -- require libssh2>=1.2 (#525002) - -* Mon Sep 21 2009 Chris Weyl - 7.19.6-8 -- rebuild for libssh2 1.2 - -* Thu Sep 17 2009 Kamil Dudka 7.19.6-7 -- make curl test-suite more verbose - -* Wed Sep 16 2009 Kamil Dudka 7.19.6-6 -- update polling patch to the latest upstream version - -* Thu Sep 03 2009 Kamil Dudka 7.19.6-5 -- cover ssh and stunnel support by the test-suite - -* Wed Sep 02 2009 Kamil Dudka 7.19.6-4 -- use pkg-config to find nss and libssh2 if possible -- better patch (not only) for SCP/SFTP polling -- improve error message for not matching common name (#516056) - -* Fri Aug 21 2009 Kamil Dudka 7.19.6-3 -- avoid tight loop during a sftp upload -- http://permalink.gmane.org/gmane.comp.web.curl.library/24744 - -* Tue Aug 18 2009 Kamil Dudka 7.19.6-2 -- let curl package depend on the same version of libcurl - 
-* Fri Aug 14 2009 Kamil Dudka 7.19.6-1 -- new upstream release, dropped applied patches -- changed NSS code to not ignore the value of ssl.verifyhost and produce more - verbose error messages (#516056) - -* Wed Aug 12 2009 Ville Skyttä - 7.19.5-10 -- Use lzma compressed upstream tarball. - -* Fri Jul 24 2009 Fedora Release Engineering - 7.19.5-9 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild - -* Wed Jul 22 2009 Kamil Dudka 7.19.5-8 -- do not pre-login to all PKCS11 slots, it causes problems with HW tokens -- try to select client certificate automatically when not specified, thanks - to Claes Jakobsson - -* Fri Jul 10 2009 Kamil Dudka 7.19.5-7 -- fix SIGSEGV when using NSS client certificates, thanks to Claes Jakobsson - -* Sun Jul 05 2009 Kamil Dudka 7.19.5-6 -- force test suite to use the just built libcurl, thanks to Paul Howarth - -* Thu Jul 02 2009 Kamil Dudka 7.19.5-5 -- run test suite after build -- enable built-in manual - -* Wed Jun 24 2009 Kamil Dudka 7.19.5-4 -- fix bug introduced by the last build (#504857) - -* Wed Jun 24 2009 Kamil Dudka 7.19.5-3 -- exclude curlbuild.h content from spec (#504857) - -* Wed Jun 10 2009 Kamil Dudka 7.19.5-2 -- avoid unguarded comparison in the spec file, thanks to R P Herrold (#504857) - -* Tue May 19 2009 Kamil Dudka 7.19.5-1 -- update to 7.19.5, dropped applied patches - -* Mon May 11 2009 Kamil Dudka 7.19.4-11 -- fix infinite loop while loading a private key, thanks to Michael Cronenworth - (#453612) - -* Mon Apr 27 2009 Kamil Dudka 7.19.4-10 -- fix curl/nss memory leaks while using client certificate (#453612, accepted - by upstream) - -* Wed Apr 22 2009 Kamil Dudka 7.19.4-9 -- add missing BuildRequire for autoconf - -* Wed Apr 22 2009 Kamil Dudka 7.19.4-8 -- fix configure.ac to not discard -g in CFLAGS (#496778) - -* Tue Apr 21 2009 Debarshi Ray 7.19.4-7 -- Fixed configure to respect the environment's CFLAGS and CPPFLAGS settings. 
- -* Tue Apr 14 2009 Kamil Dudka 7.19.4-6 -- upstream patch fixing memory leak in lib/nss.c (#453612) -- remove redundant dependency of libcurl-devel on libssh2-devel - -* Wed Mar 18 2009 Kamil Dudka 7.19.4-5 -- enable 6 additional crypto algorithms by default (#436781, - accepted by upstream) - -* Thu Mar 12 2009 Kamil Dudka 7.19.4-4 -- fix memory leak in src/main.c (accepted by upstream) -- avoid using %%ifarch - -* Wed Mar 11 2009 Kamil Dudka 7.19.4-3 -- make libcurl-devel multilib-ready (bug #488922) - -* Fri Mar 06 2009 Jindrich Novy 7.19.4-2 -- drop .easy-leak patch, causes problems in pycurl (#488791) -- fix libcurl-devel dependencies (#488895) - -* Tue Mar 03 2009 Jindrich Novy 7.19.4-1 -- update to 7.19.4 (fixes CVE-2009-0037) -- fix leak in curl_easy* functions, thanks to Kamil Dudka -- drop nss-fix patch, applied upstream - -* Tue Feb 24 2009 Fedora Release Engineering - 7.19.3-2 -- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild - -* Tue Feb 17 2009 Kamil Dudka 7.19.3-1 -- update to 7.19.3, dropped applied nss patches -- add patch fixing 7.19.3 curl/nss bugs - -* Mon Dec 15 2008 Jindrich Novy 7.18.2-9 -- rebuild for f10/rawhide cvs tag clashes - -* Sat Dec 06 2008 Jindrich Novy 7.18.2-8 -- use improved NSS patch, thanks to Rob Crittenden (#472489) - -* Tue Sep 09 2008 Jindrich Novy 7.18.2-7 -- update the thread safety patch, thanks to Rob Crittenden (#462217) - -* Wed Sep 03 2008 Warren Togami 7.18.2-6 -- add thread safety to libcurl NSS cleanup() functions (#459297) - -* Fri Aug 22 2008 Tom "spot" Callaway 7.18.2-5 -- undo mini libcurl.so.3 - -* Mon Aug 11 2008 Tom "spot" Callaway 7.18.2-4 -- make miniature library for libcurl.so.3 - -* Fri Jul 4 2008 Jindrich Novy 7.18.2-3 -- enable support for libssh2 (#453958) - -* Wed Jun 18 2008 Jindrich Novy 7.18.2-2 -- fix curl_multi_perform() over a proxy (#450140), thanks to - Rob Crittenden - -* Wed Jun 4 2008 Jindrich Novy 7.18.2-1 -- update to 7.18.2 - -* Wed May 7 2008 Jindrich Novy 
7.18.1-2 -- spec cleanup, thanks to Paul Howarth (#225671) - - drop BR: libtool - - convert CHANGES and README to UTF-8 - - _GNU_SOURCE in CFLAGS is no more needed - - remove bogus rpath - -* Mon Mar 31 2008 Jindrich Novy 7.18.1-1 -- update to curl 7.18.1 (fixes #397911) -- add ABI docs for libcurl -- remove --static-libs from curl-config -- drop curl-config patch, obsoleted by @SSL_ENABLED@ autoconf - substitution (#432667) - -* Fri Feb 15 2008 Jindrich Novy 7.18.0-2 -- define _GNU_SOURCE so that NI_MAXHOST gets defined from glibc - -* Mon Jan 28 2008 Jindrich Novy 7.18.0-1 -- update to curl-7.18.0 -- drop sslgen patch -> applied upstream -- fix typo in description - -* Tue Jan 22 2008 Jindrich Novy 7.17.1-6 -- fix curl-devel obsoletes so that we don't break F8->F9 upgrade - path (#429612) - -* Tue Jan 8 2008 Jindrich Novy 7.17.1-5 -- do not attempt to close a bad socket (#427966), - thanks to Caolan McNamara - -* Tue Dec 4 2007 Jindrich Novy 7.17.1-4 -- rebuild because of the openldap soname bump -- remove old nsspem patch - -* Fri Nov 30 2007 Jindrich Novy 7.17.1-3 -- drop useless ldap library detection since curl doesn't - dlopen()s it but links to it -> BR: openldap-devel -- enable LDAPS support (#225671), thanks to Paul Howarth -- BR: krb5-devel to reenable GSSAPI support -- simplify build process -- update description - -* Wed Nov 21 2007 Jindrich Novy 7.17.1-2 -- update description to contain complete supported servers list (#393861) - -* Sat Nov 17 2007 Jindrich Novy 7.17.1-1 -- update to curl 7.17.1 -- include patch to enable SSL usage in NSS when a socket is opened - nonblocking, thanks to Rob Crittenden (rcritten@redhat.com) - -* Wed Oct 24 2007 Jindrich Novy 7.16.4-10 -- correctly provide/obsolete curl-devel (#130251) - -* Wed Oct 24 2007 Jindrich Novy 7.16.4-9 -- create libcurl and libcurl-devel subpackages (#130251) - -* Thu Oct 11 2007 Jindrich Novy 7.16.4-8 -- list features correctly when curl is compiled against NSS (#316191) - -* Mon Sep 17 2007 
Jindrich Novy 7.16.4-7 -- add zlib-devel BR to enable gzip compressed transfers in curl (#292211) - -* Mon Sep 10 2007 Jindrich Novy 7.16.4-6 -- provide webclient (#225671) - -* Thu Sep 6 2007 Jindrich Novy 7.16.4-5 -- add support for the NSS PKCS#11 pem reader so the command-line is the - same for both OpenSSL and NSS by Rob Crittenden (rcritten@redhat.com) -- switch to NSS again - -* Mon Sep 3 2007 Jindrich Novy 7.16.4-4 -- revert back to use OpenSSL (#266021) - -* Mon Aug 27 2007 Jindrich Novy 7.16.4-3 -- don't use openssl, use nss instead - -* Fri Aug 10 2007 Jindrich Novy 7.16.4-2 -- fix anonymous ftp login (#251570), thanks to David Cantrell - -* Wed Jul 11 2007 Jindrich Novy 7.16.4-1 -- update to 7.16.4 - -* Mon Jun 25 2007 Jindrich Novy 7.16.3-1 -- update to 7.16.3 -- drop .print patch, applied upstream -- next series of merge review fixes by Paul Howarth -- remove aclocal stuff, no more needed -- simplify makefile arguments -- don't reference standard library paths in libcurl.pc -- include docs/CONTRIBUTE - -* Mon Jun 18 2007 Jindrich Novy 7.16.2-5 -- don't print like crazy (#236981), backported from upstream CVS - -* Fri Jun 15 2007 Jindrich Novy 7.16.2-4 -- another series of review fixes (#225671), - thanks to Paul Howarth -- check version of ldap library automatically -- don't use %%makeinstall and preserve timestamps -- drop useless patches - -* Fri May 11 2007 Jindrich Novy 7.16.2-3 -- add automake BR to curl-devel to fix aclocal dir. 
ownership, - thanks to Patrice Dumas - -* Thu May 10 2007 Jindrich Novy 7.16.2-2 -- package libcurl.m4 in curl-devel (#239664), thanks to Quy Tonthat - -* Wed Apr 11 2007 Jindrich Novy 7.16.2-1 -- update to 7.16.2 - -* Mon Feb 19 2007 Jindrich Novy 7.16.1-3 -- don't create/ship static libraries (#225671) - -* Mon Feb 5 2007 Jindrich Novy 7.16.1-2 -- merge review related spec fixes (#225671) - -* Mon Jan 29 2007 Jindrich Novy 7.16.1-1 -- update to 7.16.1 - -* Tue Jan 16 2007 Jindrich Novy 7.16.0-5 -- don't package generated makefiles for docs/examples to avoid - multilib conflicts - -* Mon Dec 18 2006 Jindrich Novy 7.16.0-4 -- convert spec to UTF-8 -- don't delete BuildRoot in %%prep phase -- rpmlint fixes - -* Thu Nov 16 2006 Jindrich Novy -7.16.0-3 -- prevent curl from dlopen()ing missing ldap libraries so that - ldap:// requests work (#215928) - -* Tue Oct 31 2006 Jindrich Novy - 7.16.0-2 -- fix BuildRoot -- add Requires: pkgconfig for curl-devel -- move LDFLAGS and LIBS to Libs.private in libcurl.pc.in (#213278) - -* Mon Oct 30 2006 Jindrich Novy - 7.16.0-1 -- update to curl-7.16.0 - -* Thu Aug 24 2006 Jindrich Novy - 7.15.5-1.fc6 -- update to curl-7.15.5 -- use %%{?dist} - -* Fri Jun 30 2006 Ivana Varekova - 7.15.4-1 -- update to 7.15.4 - -* Mon Mar 20 2006 Ivana Varekova - 7.15.3-1 -- fix multilib problem using pkg-config -- update to 7.15.3 - -* Thu Feb 23 2006 Ivana Varekova - 7.15.1-2 -- fix multilib problem - #181290 - - curl-devel.i386 not installable together with curl-devel.x86-64 - -* Fri Feb 10 2006 Jesse Keating - 7.15.1-1.2.1 -- bump again for double-long bug on ppc(64) - -* Tue Feb 07 2006 Jesse Keating - 7.15.1-1.2 -- rebuilt for new gcc4.1 snapshot and glibc changes - -* Fri Dec 09 2005 Jesse Keating -- rebuilt - -* Thu Dec 8 2005 Ivana Varekova 7.15.1-1 -- update to 7.15.1 (bug 175191) - -* Wed Nov 30 2005 Ivana Varekova 7.15.0-3 -- fix curl-config bug 174556 - missing vernum value - -* Wed Nov 9 2005 Ivana Varekova 7.15.0-2 -- rebuilt - -* Tue 
Oct 18 2005 Ivana Varekova 7.15.0-1 -- update to 7.15.0 - -* Thu Oct 13 2005 Ivana Varekova 7.14.1-1 -- update to 7.14.1 - -* Thu Jun 16 2005 Ivana Varekova 7.14.0-1 -- rebuild new version - -* Tue May 03 2005 Ivana Varekova 7.13.1-3 -- fix bug 150768 - curl-7.12.3-2 breaks basic authentication - used Daniel Stenberg patch - -* Mon Apr 25 2005 Joe Orton 7.13.1-2 -- update to use ca-bundle in /etc/pki -- mark License as MIT not MPL - -* Wed Mar 9 2005 Ivana Varekova 7.13.1-1 -- rebuilt (7.13.1) - -* Tue Mar 1 2005 Tomas Mraz 7.13.0-2 -- rebuild with openssl-0.9.7e - -* Sun Feb 13 2005 Florian La Roche -- 7.13.0 - -* Wed Feb 9 2005 Joe Orton 7.12.3-3 -- don't pass /usr to --with-libidn to remove "-L/usr/lib" from - 'curl-config --libs' output on x86_64. - -* Fri Jan 28 2005 Adrian Havill 7.12.3-1 -- Upgrade to 7.12.3, which uses poll() for FDSETSIZE limit (#134794) -- require libidn-devel for devel subpkg (#141341) -- remove proftpd kludge; included upstream - -* Wed Oct 06 2004 Adrian Havill 7.12.1-1 -- upgrade to 7.12.1 -- enable GSSAPI auth (#129353) -- enable I18N domain names (#134595) -- workaround for broken ProFTPD SSL auth (#134133). 
Thanks to - Aleksandar Milivojevic - -* Wed Sep 29 2004 Adrian Havill 7.12.0-4 -- move new docs position so defattr gets applied - -* Mon Sep 27 2004 Warren Togami 7.12.0-3 -- remove INSTALL, move libcurl docs to -devel - -* Mon Jul 26 2004 Jindrich Novy -- updated to 7.12.0 -- updated nousr patch - -* Tue Jun 15 2004 Elliot Lee -- rebuilt - -* Wed Apr 07 2004 Adrian Havill 7.11.1-1 -- upgraded; updated nousr patch -- added COPYING (#115956) -- - -* Tue Mar 02 2004 Elliot Lee -- rebuilt - -* Fri Feb 13 2004 Elliot Lee -- rebuilt - -* Sat Jan 31 2004 Florian La Roche -- update to 7.10.8 -- remove patch2, already upstream - -* Wed Oct 15 2003 Adrian Havill 7.10.6-7 -- aclocal before libtoolize -- move OpenLDAP license so it's present as a doc file, present in - both the source and binary as per conditions - -* Mon Oct 13 2003 Adrian Havill 7.10.6-6 -- add OpenLDAP copyright notice for usage of code, add OpenLDAP - license for this code - -* Tue Oct 07 2003 Adrian Havill 7.10.6-5 -- match serverAltName certs with SSL (#106168) - -* Tue Sep 16 2003 Adrian Havill 7.10.6-4.1 -- bump n-v-r for RHEL - -* Tue Sep 16 2003 Adrian Havill 7.10.6-4 -- restore ca cert bundle (#104400) -- require openssl, we want to use its ca-cert bundle - -* Sun Sep 7 2003 Joe Orton 7.10.6-3 -- rebuild - -* Fri Sep 5 2003 Joe Orton 7.10.6-2.2 -- fix to include libcurl.so - -* Mon Aug 25 2003 Adrian Havill 7.10.6-2.1 -- bump n-v-r for RHEL - -* Mon Aug 25 2003 Adrian Havill 7.10.6-2 -- devel subpkg needs openssl-devel as a Require (#102963) - -* Mon Jul 28 2003 Adrian Havill 7.10.6-1 -- bumped version - -* Tue Jul 01 2003 Adrian Havill 7.10.5-1 -- bumped version - -* Wed Jun 04 2003 Elliot Lee -- rebuilt - -* Sat Apr 12 2003 Florian La Roche -- update to 7.10.4 -- adapt nousr patch - -* Wed Jan 22 2003 Tim Powers -- rebuilt - -* Tue Jan 21 2003 Joe Orton 7.9.8-4 -- don't add -L/usr/lib to 'curl-config --libs' output - -* Tue Jan 7 2003 Nalin Dahyabhai 7.9.8-3 -- rebuild - -* Wed Nov 6 2002 Joe 
Orton 7.9.8-2 -- fix `curl-config --libs` output for libdir!=/usr/lib -- remove docs/LIBCURL from docs list; remove unpackaged libcurl.la -- libtoolize and reconf - -* Mon Jul 22 2002 Trond Eivind Glomsrød 7.9.8-1 -- 7.9.8 (# 69473) - -* Fri Jun 21 2002 Tim Powers -- automated rebuild - -* Sun May 26 2002 Tim Powers -- automated rebuild - -* Thu May 16 2002 Trond Eivind Glomsrød 7.9.7-1 -- 7.9.7 - -* Wed Apr 24 2002 Trond Eivind Glomsrød 7.9.6-1 -- 7.9.6 - -* Thu Mar 21 2002 Trond Eivind Glomsrød 7.9.5-2 -- Stop the curl-config script from printing -I/usr/include - and -L/usr/lib (#59497) - -* Fri Mar 8 2002 Trond Eivind Glomsrød 7.9.5-1 -- 7.9.5 - -* Tue Feb 26 2002 Trond Eivind Glomsrød 7.9.3-2 -- Rebuild - -* Wed Jan 23 2002 Nalin Dahyabhai 7.9.3-1 -- update to 7.9.3 - -* Wed Jan 09 2002 Tim Powers 7.9.2-2 -- automated rebuild - -* Wed Jan 9 2002 Trond Eivind Glomsrød 7.9.2-1 -- 7.9.2 - -* Fri Aug 17 2001 Nalin Dahyabhai -- include curl-config in curl-devel -- update to 7.8 to fix memory leak and strlcat() symbol pollution from libcurl - -* Wed Jul 18 2001 Crutcher Dunnavant -- added openssl-devel build req - -* Mon May 21 2001 Tim Powers -- built for the distro - -* Tue Apr 24 2001 Jeff Johnson -- upgrade to curl-7.7.2. -- enable IPv6. - -* Fri Mar 2 2001 Tim Powers -- rebuilt against openssl-0.9.6-1 - -* Thu Jan 4 2001 Tim Powers -- fixed mising ldconfigs -- updated to 7.5.2, bug fixes - -* Mon Dec 11 2000 Tim Powers -- updated to 7.5.1 - -* Mon Nov 6 2000 Tim Powers -- update to 7.4.1 to fix bug #20337, problems with curl -c -- not using patch anymore, it's included in the new source. 
Keeping - for reference - -* Fri Oct 20 2000 Nalin Dahyabhai -- fix bogus req in -devel package - -* Fri Oct 20 2000 Tim Powers -- devel package needed defattr so that root owns the files - -* Mon Oct 16 2000 Nalin Dahyabhai -- update to 7.3 -- apply vsprintf/vsnprintf patch from Colin Phipps via Debian - -* Mon Aug 21 2000 Nalin Dahyabhai -- enable SSL support -- fix packager tag -- move buildroot to %%{_tmppath} - -* Tue Aug 1 2000 Tim Powers -- fixed vendor tag for bug #15028 - -* Mon Jul 24 2000 Prospector -- rebuilt - -* Tue Jul 11 2000 Tim Powers -- workaround alpha build problems with optimizations - -* Mon Jul 10 2000 Tim Powers -- rebuilt - -* Mon Jun 5 2000 Tim Powers -- put man pages in correct place -- use %%makeinstall - -* Mon Apr 24 2000 Tim Powers -- updated to 6.5.2 - -* Wed Nov 3 1999 Tim Powers -- updated sources to 6.2 -- gzip man page - -* Mon Aug 30 1999 Tim Powers -- changed group - -* Thu Aug 26 1999 Tim Powers -- changelog started -- general cleanups, changed prefix to /usr, added manpage to files section -- including in Powertools diff --git a/mykey.asc b/mykey.asc new file mode 100644 index 0000000..0c77721 --- /dev/null +++ b/mykey.asc 
@@ -0,0 +1,77 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v2
+
+mQGiBD6tnnoRBACRPnFBVoapBrTpPrCNZ2rq3DcmW6n/soQJW47+zP+vcrcxQ1WJ
+QiWSzLGO+QOIUZSYfnliR22r8HkFX9EUSW3IAcRMJMsaO3wMJ0a+78a9QqWLp6RV
+0arcQkuuCvG79h+yJ6NnoAXe1geRt8vNGsaWtsS91CtYlTSs6JVtaRLnYwCg/Ly1
+EFgvNZ6SJRc/8I5rRv0lrz8D/0goih2kZ5z4SI+r2hgABNcN7g565YwGKaQDbIch
+soh3OBzgETWc3wuAZqmCzQXPXMpMx+ziqX6XDzDKNiGL1CdrBJQd0II8UutWVDje
+f9UxLfo02YQ8diGYeq0u9k1RezC13w4TVUmQfg0Uqn4xM6DNzO1O6yCK8rlNwsvL
+gHNJA/9m1pfzjpvdxtmJNKRU3C4cRCjXhxNdM7laSEj0/wOGaR2QWWEge51orWwo
+SLQUIe4BDPvtRStQHC+tI7qr7d12rMMEBXviJC5EkGBOzlgWr9virjM/u/pkGMc2
+m5r3pVuWH/JSsHsV952y2kWP64uP4zdLXOpVzX/xs0sYJ9nOPLQnRGFuaWVsIFN0
+ZW5iZXJnIChIYXh4KSA8ZGFuaWVsQGhheHguc2U+iF4EExECAB4CHgECF4AFAlQU
+ki4FCwkIBwMFFQoJCAsFFgIDAQAACgkQeOEcayedXJEOOwCggCsNHdAQPAlPte3w
+i2IZEekkM0YAoOXXPFAWjUwIHjZY41l7WgzACbANiFkEExECABkFAj6tnnoECwcD
+AgMVAgMDFgIBAh4BAheAAAoJEHjhHGsnnVyRjngAoO1y3LoSOEgD8vR062cdYDmv
+jLvVAJ0dmp1UiuQp+oMyq2VbWyw8LXN1XLkBDQQ+rZ59EAQAmYsA8gPjJ75gOIPb
+XNg9Z31QzIz65qS9XdNsFNAdKxnY4b72nhc0oaS9/7Dcdf2Q+1mDa2p72DWk+9iz
+7knmBL++csBP2z9eMe5h8oV53prqNOHDHyL3WLOa25ga9381gZnzWoQME74iSBBM
+wDw8vbLEgIZ34JaQ7Oe+9N3+6n8AAwcD/Av+Ms+3gCc5pLp4nx36qqi36fodaG9+
+dwIcMbr9bivEtjmDHeuPsD6X1J9+Y/ikUBIDpMPv33lJxLoubOtpLhEuN2XN/ojT
+rueVPDKA1f+GyfHnyfpf/78IgX1hGVqu/3RBWKPpXFwSZA4q8vFR+FaPC5WbU68t
+FLJpYuC9ZO/LiEYEGBECAAYFAj6tnn0ACgkQeOEcayedXJGtPQCgxrbd59afemZ9
+OIadZD8kUGC29dUAoJ94aGUkWCwoEiPyEZRGXv9XRlfxmQENBFcGhyIBCAC79AIx
+5hHixKmNtqbryuZTDwlt9XXkEn/QSrQD3pzgbsbBiWyqOV4hfscvtmoqA7koOw4h
+zZ/b8pJPA36eNzqMFIbkWpIit/BwA5bTKRkKXeD2kBFkjIN+iDuXawwhv7eNKH9O
+poAUe0K/esK/kvbMO721q24IgkOjB1Vtr/Y4Xkg7+VWVP0LFh7C/2Nwq6n2bktsA
+Ey9uCDD1hl8BdckN/XxpuUqSfxbF85GvYzzON67zOxxo6jqRXXcJ2PdPq0o9Ak0d
+6Fe7g9ZxOAeuYEbFTCZHBBccx84K0Bhn5tpqoq8Mq3f3mZfGBoe4J6wr17cxEDC8
+tTHUpDqk0CoLERUxABEBAAG0IERhbmllbCBTdGVuYmVyZyA8ZGFuaWVsQGhheHgu
+c2U+iQE3BBMBCgAhBQJXBociAhsDBQsJCAcDBRUKCQgLBRYCAwEAAh4BAheAAAoJ
+EPn+r/nTShvbHoAIAJDwb7dcAX4VGPa2oSuQqVnHsjDE7g8ATmcZq2IAzAG6bZg1
+svuhNyPQnL7kNrsz6Ew+yE4vH8mOjDUbc3feY4MzmtEMaB6VS0Xlna6cdtWkv4Y+
+Us4TuYSdftPZuZgI3nN/sXLlxWJCZgCPJJaGM6dXgyTFatk2P1LE98Qif7+ZMqfv
++BA5L6cy2cAwJ5qbvLtuT25rTxooN54JETfwdhUD1NEIqTQxeC4E5lFvwedjAjLh
+Gswau8WMCdM/HzGbuQ9Gp3/RafYoAvMV6r6sskvUrWubCHj0u+uNgOpUHvlrwcFg
+rBirzQdElumCWqbJVCH0V5NcP/zSz1U1W8wSRqS5AQ0EVwaHIgEIALyCqpnax0cL
+y7EK3UiU2Kkryb7LPsZkia9hTcIZjNg0B8XAdqDYpHiquYtX0cz5I1sSZMBJ/xJP
+BF2ce/bmOTJtyW3GaF9a+M2zboZSzx9nlv9xx0o3bXBrBlL2vaG2TW+x2G53GA0/
+0chbj35PR+fvJx8ob/fHwCkfzGb1qCzwovhwGVUNHqI5bxK/xVwXfiycbllE3Hmf
+09BGeXKR7gQtaal8byKKlqCtayteEaPNQt6czYxZkVAOvY4ZDQKSZJUNwGFog3bG
+6rHr1J/0un6nAvX+wMuvRkUDiQxZZCel7e0Qcg3gPrYh+adlr0Tn7wyCP7/BULz8
+67fQfzc2ENkAEQEAAYkBHwQYAQoACQUCVwaHIgIbDAAKCRD5/q/500ob27KaB/9H
+a+iDip6mxFdoqy7TAefBy7KgbMQxxT926IcFqf70aJDzeVQI3lGCqN9GW03d+wPr
+LoyeQBQKNxxfQ9fEOvp1AXGWFIYYtEZIvQBpIqaSaA7W5IzqfDuO9xG89DNn8zKK
+nh/mbYJov/fywhBU6JH7bqdFSHbqoG9TY64s0BkV6shIVOubXLSG5G7LxXhw+xrb
+0zl4ie2wCeCBOLdbGHc+o2sKo1rBEz6UBK2DesPfkzxBO7lfa9HTcN03UJPHXmzb
+2mCbeFV8yPsTAoaGv4qZH1+FX+9Lv374xTSXa4CjQzSxd0dkZGG+YQjocoPftgsC
+OVsiqW0WhRVIEJ+hBAMUmQENBFcGiPEBCAC7sCnaZqWxfXNgBC7P28BSDUs9w4y/
+PEFsOv9bpgbgZagX1FnhG0eV71nm0p8v9T8Bft1eXaBd977Dq9pgk5qKO0xZo8fC
+8prFqB5db7fMUvPZCuJTTb6lGMz4OdfT6aHqUvJ+LFF1mKn8Eqt1Q4snHGSL1PI3
+/+435qDRQsU15GdYrj1waNJKk79aes9oguaI2/OTQqzIcOFK5tJjlSOD1ryOIH1e
+8vD+5MMpGvsRxv3sQHeTZkfZbkzSLFg/LKpoiQkyql1+BLNhBYq8oaE/jlvQrTEk
+bAyKpMScdyHwmkWWKjyZtXTrAtlComnki4yC2lAV9MXINHHvNJBcIXvVABEBAAG0
+IERhbmllbCBTdGVuYmVyZyA8ZGFuaWVsQGhheHguc2U+iQE3BBMBCgAhBQJXBojx
+AhsDBQsJCAcDBRUKCQgLBRYCAwEAAh4BAheAAAoJEFzJCP23HhLCOKkH/1CyoKiN
+2PCgTlWoYQspv/AAmsj+cFwZobI167KowA+o3zxQqxg0MV3ds8G+iig9OIuYurlQ
+L5Jr3CbDltaiXdWtVteRh/VKp61EwyXq77vjJbx81hvOuaXWWLSlU0KB3w7Hj6aD
+/mt16DpOcY9Aw90mKyvafRTqMF7TcT7J5HeGn2NL45dPkAhiMDEgEnw9yBTxK/x6
+UoQGPgiOWxSSN7Foj3mhUOflp8W0rnkLbJ4icpym6WuLKRMKAefDvk8GVlAWuXAb
+9gloL1P6u3uNHllq/IODR2bZUBI0QNKhvt0iSj7WKsc/kaqscl+AE9jd/6kXd6vh
+TNFWdzeco/2mGlaIRgQQEQoABgUCVwaJ/AAKCRB44RxrJ51ckWcaAKCJ6+arS/3k
+IMcO14Jz8dVf2BH3OACgwTenVSsK66qi+VfGCoALpzpiLDO5AQ0EVwaI8QEIAOxQ
+AEvF3idxcn80tbUhJg1J98fAS7Hx3WhlFG74uAikZQl1KZrprBu70RWTb7Nm1tvZ
+eXW65IlY7kk42bhfYDs1JrIPWOWKvVwKWDxoEbYgW/yvy1TOuXH276zbxLl5OEE8
+sQuOfXZsFSX2IPF9hsgNGaNzor8Ke7Y5BuCQLcGZWW5dLFbbKRKjXG8CaWmsJVoI
+c2nyXCAss2q9oCJ13X/5z+Ei392rwi1d3NxAYkSiDQan+fkWkCvZH+dHmFjQ1AND
+KielxcW1VfilK1hu9ziBBDf8TCEud/q0woIAH7rvIft4i3CqjymonByE4/OjfH8j
+4EteQ8qoknMCjjwNVqkAEQEAAYkBHwQYAQoACQUCVwaI8QIbDAAKCRBcyQj9tx4S
+wupjB/9TV4anbZK58bN7QJ5qGnU3GNjlvWFZXMw1u1xVc7abDJyqmFeJcJ4qLUkv
+BA0OsvlVnMWmeCmzsXhlQVM4Bv6IWyr7JBWgkK5q2CWVB59V7v7znf5kWnMGFhDF
+PlLsGbxDWLMoZGH+Iy84whMJFgferwCJy1dND/bHXPztfhvFXi8NNlJUFJa8Xtmu
+gm78C+nwNHcFpVC70HPr3oa8U1ODXMp7L8W/dL3eLYXmRCNd0urHgYrzDt6V/zf5
+ymvPk5w4HBocn2oRCJj/FXKhFAUptmpTE3g1yvYULmuFcNGAnPAExmAmd6NqsCmb
+j/qx4ytjt5uxt6Jm6IXV9cry8i6x
+=Phs/
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/sources b/sources
index 9983b9e..002e494 100644
--- a/sources
+++ b/sources
@@ -1 +1,2 @@
-SHA512 (curl-7.71.1.tar.xz) = 631e0ee8562e5029fe022bfab4222836a3e6d666e82e2bfbd78311fe5985105218a36d1ea68c93472fc57a12b713957a3bcca6e385eda4e58a47ca8d5d50265b
+SHA512 (curl-8.18.0.tar.xz) = 50c7a7b0528e0019697b0c59b3e56abb2578c71d77e4c085b56797276094b5611718c0a9cb2b14db7f8ab502fcf8f42a364297a3387fae3870a4d281484ba21c
+SHA512 (curl-8.18.0.tar.xz.asc) = 07e08d1bb3f8bf20b3d22f37fbc19c49c0d9ee4ea9d92da76fa8a9de343023e1b5d416ccc6535a4ff98b08b30eb9334fd856227e37564f6bcd542aa81bced152
diff --git a/tests/non-root-user-download/Makefile b/tests/non-root-user-download/Makefile
deleted file mode 100644
index 9746b63..0000000
--- a/tests/non-root-user-download/Makefile
+++ /dev/null
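Review bot: `mykey.asc` becomes the trust anchor for the new `curl-8.18.0.tar.xz.asc` signature, but neither the file name nor anything in this hunk says whose key it is or which fingerprint a packager should expect. The user IDs embedded in the armor decode to Daniel Stenberg's address, so the commit message, or a comment beside the Source line in the spec (outside this hunk), should record the full fingerprint and where the key was obtained, so that a later key swap shows up in review. The block also appears to carry more than one primary key; if only one of them signs releases, exporting just that key narrows what the verification step will accept. Whether `%prep` actually runs `%{gpgverify}` against this keyring is not visible here and is worth confirming.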
@@ -1,63 +0,0 @@ -# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -# -# Makefile of /CoreOS/curl/Sanity/non-root-user-download -# Description: various download methods with non-root user -# Author: Karel Srot -# -# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -# -# Copyright (c) 2013 Red Hat, Inc. All rights reserved. -# -# This copyrighted material is made available to anyone wishing -# to use, modify, copy, or redistribute it subject to the terms -# and conditions of the GNU General Public License version 2. -# -# This program is distributed in the hope that it will be -# useful, but WITHOUT ANY WARRANTY; without even the implied -# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR -# PURPOSE. See the GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public -# License along with this program; if not, write to the Free -# Software Foundation, Inc., 51 Franklin Street, Fifth Floor, -# Boston, MA 02110-1301, USA. 
-# -# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -export TEST=/CoreOS/curl/Sanity/non-root-user-download -export TESTVERSION=1.0 - -BUILT_FILES= - -FILES=$(METADATA) runtest.sh Makefile PURPOSE - -.PHONY: all install download clean - -run: $(FILES) build - ./runtest.sh - -build: $(BUILT_FILES) - test -x runtest.sh || chmod a+x runtest.sh - -clean: - rm -f *~ $(BUILT_FILES) - - -include /usr/share/rhts/lib/rhts-make.include - -$(METADATA): Makefile - @echo "Owner: Karel Srot " > $(METADATA) - @echo "Name: $(TEST)" >> $(METADATA) - @echo "TestVersion: $(TESTVERSION)" >> $(METADATA) - @echo "Path: $(TEST_DIR)" >> $(METADATA) - @echo "Description: various download methods with non-root user" >> $(METADATA) - @echo "Type: Sanity" >> $(METADATA) - @echo "TestTime: 5m" >> $(METADATA) - @echo "RunFor: curl" >> $(METADATA) - @echo "Requires: curl" >> $(METADATA) - @echo "Priority: Normal" >> $(METADATA) - @echo "License: GPLv2" >> $(METADATA) - @echo "Confidential: no" >> $(METADATA) - @echo "Destructive: no" >> $(METADATA) - - rhts-lint $(METADATA) diff --git a/tests/non-root-user-download/PURPOSE b/tests/non-root-user-download/PURPOSE deleted file mode 100644 index 048ed68..0000000 --- a/tests/non-root-user-download/PURPOSE +++ /dev/null @@ -1,3 +0,0 @@ -PURPOSE of /CoreOS/curl/Sanity/non-root-user-download -Description: various download methods with non-root user -Author: Karel Srot diff --git a/tests/non-root-user-download/main.fmf b/tests/non-root-user-download/main.fmf new file mode 100644 index 0000000..2e3980f --- /dev/null +++ b/tests/non-root-user-download/main.fmf 
@@ -0,0 +1,18 @@ +summary: various download methods with non-root user +description: '' +contact: Daniel Rusek +component: + - curl +require: + - findutils + - libselinux-utils + - openssh-clients + - openssh-server + - passwd +test: ./runtest.sh +framework: beakerlib +duration: 5m +enabled: true +tier: '1' +link: + - relates: https://bugzilla.redhat.com/show_bug.cgi?id=1049921 diff --git a/tests/non-root-user-download/runtest.sh b/tests/non-root-user-download/runtest.sh old mode 100644 new mode 100755 index 1b5f8f1..0d72276 --- a/tests/non-root-user-download/runtest.sh +++ b/tests/non-root-user-download/runtest.sh @@ -27,14 +27,13 @@ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ # Include Beaker environment -. /usr/bin/rhts-environment.sh || exit 1 . /usr/share/beakerlib/beakerlib.sh || exit 1 PACKAGE="curl" -FTP_URL=ftp://ftp.scientificlinux.org/linux/fedora/releases/18/Live/x86_64/Fedora-18-x86_64-Live-CHECKSUM -HTTP_URL=https://archives.fedoraproject.org/pub/archive/fedora/linux/releases/18/Live/x86_64/Fedora-18-x86_64-Live-CHECKSUM -CONTENT=a276e06d244e04b765f0a35532d9036ad84f340b0bdcc32e0233a8fbc31d5bed +FTP_URL=ftp://ftp.fi.muni.cz/pub/linux/fedora/linux/releases/42/Everything/x86_64/iso/Fedora-Everything-42-1.1-x86_64-CHECKSUM +HTTP_URL=https://archives.fedoraproject.org/pub/fedora/linux/releases/42/Everything/x86_64/iso/Fedora-Everything-42-1.1-x86_64-CHECKSUM +CONTENT=1bd6ab4798983c2fe4a210f9c4ca135fed453d6142ba852c1f8d5fba22e113ab PASSWORD=pAssw0rd OPTIONS="" rlIsRHEL 7 && OPTIONS="--insecure" 
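Review bot: The new `HTTP_URL` and `FTP_URL` in the first runtest.sh hunk point into the live `releases/42` tree, whereas the removed `HTTP_URL` used `pub/archive/`. Release directories are normally moved to the archive once a release reaches end-of-life, so this test will probably start failing for reasons unrelated to curl. `CONTENT` is also an unexplained 64-hex-digit value; a comment such as `# checksum entry (presumably SHA-256) expected inside the Fedora 42 CHECKSUM file; update together with the URLs` would tell the next maintainer how to refresh it. The script body continues outside this hunk.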
@@ -47,9 +46,11 @@ rlJournalStart rlRun "useradd -m curltester" 0 "Adding the test user" rlRun "echo $PASSWORD | passwd --stdin curltester" 0 "Setting the password for the test user" rlRun "su - curltester -c 'echo $CONTENT > ~/testfile'" 0 "Creating ~curltester/testfile" + rlFileBackup --clean --missing-ok $HOME/.ssh /etc/hosts + rlRun "rm -f $HOME/.ssh/*" [ -d $HOME/.ssh ] || ( mkdir $HOME/.ssh && restorecon HOME/.ssh ) - rlFileBackup $HOME/.ssh/known_hosts /etc/hosts - ssh-keygen -F localhost -f $HOME/.ssh/known_hosts || rlRun "ssh-keyscan localhost >> $HOME/.ssh/known_hosts" + rlRun "rlServiceStart sshd" + rlRun "ssh-keyscan localhost >> $HOME/.ssh/known_hosts" rlPhaseEnd rlPhaseStartTest "http download" @@ -82,7 +83,7 @@ if ! rlIsRHEL 5; then fi rlPhaseStartCleanup - rlRun "rm -f $HOME/.ssh/known_hosts" + rlRun "rlServiceRestore" rlFileRestore rlRun "popd" rlRun "rm -r $TmpDir" 0 "Removing tmp directory" diff --git a/tests/non-root-user-download/runtest.yml b/tests/non-root-user-download/runtest.yml deleted file mode 100644 index c03e729..0000000 --- a/tests/non-root-user-download/runtest.yml +++ /dev/null 
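Review bot: The unchanged line after the new `rm -f` still calls `restorecon HOME/.ssh` without the `$`, so when `~/.ssh` is missing (a case the added `--missing-ok` now explicitly allows) the freshly created directory is never relabelled. The failure also goes unreported because the subshell is not wrapped in `rlRun`. I would change it to `[ -d $HOME/.ssh ] || rlRun "mkdir -m 700 $HOME/.ssh && restorecon $HOME/.ssh"`. Separately, `rlRun "rm -f $HOME/.ssh/*"` removes the invoking account's private keys and `authorized_keys` and relies entirely on `rlFileRestore` in the cleanup phase to put them back; a short comment saying so would warn anyone running this outside a disposable test machine. The setup phase starts before this hunk.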
@@ -1,64 +0,0 @@ -- hosts: '{{ hosts | default("localhost") }}' - vars: - package: "curl" - tasks: - - name: "Set Content variables" - set_fact: - content: "a276e06d244e04b765f0a35532d9036ad84f340b0bdcc32e0233a8fbc31d5bed" - password: "pAssw0rd" - crypt_password: "$6$/5GE87XLYLLfB3qx$w84Kct34UZG/4buTSXWkaaVIsw2xGXSAdmnS2QYdG8TtRgTsBnHdFdSkhoy.tKIE6A6LKlxczIZjQbpB19k7B1" - - name: "Create user curltester" - user: - name: "curltester" - password: "{{ crypt_password }}" - - name: "Copy testfile" - copy: - dest: "/home/curltester/testfile" - content: "{{ content }}" - - block: - - name: "http download" - command: "curl https://archives.fedoraproject.org/pub/archive/fedora/linux/releases/18/Live/x86_64/Fedora-18-x86_64-Live-CHECKSUM" - args: - warn: false - register: http - become: yes - become_user: curltester - - name: "Compare http output" - fail: - msg: "{{ content }} not in {{ http.stdout }}" - when: content not in http.stdout - - name: "ftp download" - command: "curl ftp://ftp.scientificlinux.org/linux/fedora/releases/18/Live/x86_64/Fedora-18-x86_64-Live-CHECKSUM" - args: - warn: false - register: ftp - become: yes - become_user: curltester - - name: "Compare ftp output" - fail: - msg: "{{ content }} not in {{ ftp.stdout }}" - when: content not in ftp.stdout - - name: "scp download" - command: "curl -u curltester:{{ password }} --insecure scp://localhost/home/curltester/testfile" - args: - warn: false - register: scp - - name: "Compare scp output" - fail: - msg: "{{ content }} not in {{ scp.stdout }}" - when: content not in scp.stdout - - name: "sftp download" - command: "curl -u curltester:{{ password }} --insecure sftp://localhost/home/curltester/testfile" - args: - warn: false - register: sftp - - name: "Compare sftp output" - fail: - msg: "{{ content }} not in {{ sftp.stdout }}" - when: content not in sftp.stdout - always: - - name: "Remove user curltester" - user: - name: "curltester" - remove: yes - state: absent 
diff --git a/tests/scp-and-sftp-download-test/Makefile b/tests/scp-and-sftp-download-test/Makefile
deleted file mode 100644
index b4d1c52..0000000
--- a/tests/scp-and-sftp-download-test/Makefile
+++ /dev/null
@@ -1,63 +0,0 @@ -# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -# -# Makefile of /CoreOS/curl/Sanity/scp-and-sftp-download-test -# Description: downloads test file through scp and sftp -# Author: Karel Srot -# -# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -# -# Copyright (c) 2012 Red Hat, Inc. All rights reserved. -# -# This copyrighted material is made available to anyone wishing -# to use, modify, copy, or redistribute it subject to the terms -# and conditions of the GNU General Public License version 2. -# -# This program is distributed in the hope that it will be -# useful, but WITHOUT ANY WARRANTY; without even the implied -# warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR -# PURPOSE. See the GNU General Public License for more details. -# -# You should have received a copy of the GNU General Public -# License along with this program; if not, write to the Free -# Software Foundation, Inc., 51 Franklin Street, Fifth Floor, -# Boston, MA 02110-1301, USA. 
-# -# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -export TEST=/CoreOS/curl/Sanity/scp-and-sftp-download-test -export TESTVERSION=1.0 - -BUILT_FILES= - -FILES=$(METADATA) runtest.sh Makefile PURPOSE - -.PHONY: all install download clean - -run: $(FILES) build - ./runtest.sh - -build: $(BUILT_FILES) - test -x runtest.sh || chmod a+x runtest.sh - -clean: - rm -f *~ $(BUILT_FILES) - - -include /usr/share/rhts/lib/rhts-make.include - -$(METADATA): Makefile - @echo "Owner: Karel Srot " > $(METADATA) - @echo "Name: $(TEST)" >> $(METADATA) - @echo "TestVersion: $(TESTVERSION)" >> $(METADATA) - @echo "Path: $(TEST_DIR)" >> $(METADATA) - @echo "Description: downloads test file through scp and sftp" >> $(METADATA) - @echo "Type: Sanity" >> $(METADATA) - @echo "TestTime: 10m" >> $(METADATA) - @echo "RunFor: curl" >> $(METADATA) - @echo "Requires: curl openssh" >> $(METADATA) - @echo "Priority: Normal" >> $(METADATA) - @echo "License: GPLv2" >> $(METADATA) - @echo "Confidential: no" >> $(METADATA) - @echo "Destructive: no" >> $(METADATA) - - rhts-lint $(METADATA) diff --git a/tests/scp-and-sftp-download-test/PURPOSE b/tests/scp-and-sftp-download-test/PURPOSE deleted file mode 100644 index 03adc4c..0000000 --- a/tests/scp-and-sftp-download-test/PURPOSE +++ /dev/null @@ -1,12 +0,0 @@ -PURPOSE of /CoreOS/curl/Sanity/scp-and-sftp-download-test -Description: downloads test file through scp and sftp -Author: Karel Srot - -Test scenario: -- scp download -- sftp download -- scp upload -- sftp upload - -When PUBKEY_PARAM global variable is set to 'empty' or 'none', scenarios are executed -with empty --pubkey parameter (--pubkey "") or with the paramiter omitted diff --git a/tests/scp-and-sftp-download-test/main.fmf b/tests/scp-and-sftp-download-test/main.fmf new file mode 100644 index 0000000..b69aff6 --- /dev/null +++ b/tests/scp-and-sftp-download-test/main.fmf 
@@ -0,0 +1,20 @@ +summary: downloads test file through scp and sftp +description: | + Test scenario: + - scp download + - sftp download + - scp upload + - sftp upload + + When PUBKEY_PARAM global variable is set to 'empty' or 'none', scenarios are executed + with empty --pubkey parameter (--pubkey "") or with the paramiter omitted +contact: Daniel Rusek +require: + - findutils +component: + - curl +test: ./runtest.sh +path: /tests/scp-and-sftp-download-test +framework: beakerlib +duration: 10m +enabled: true diff --git a/tests/scp-and-sftp-download-test/runtest.sh b/tests/scp-and-sftp-download-test/runtest.sh old mode 100644 new mode 100755 index 6e5d748..9cf9a2c --- a/tests/scp-and-sftp-download-test/runtest.sh +++ b/tests/scp-and-sftp-download-test/runtest.sh @@ -27,8 +27,7 @@ # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ # Include Beaker environment -. /usr/bin/rhts-environment.sh -. /usr/lib/beakerlib/beakerlib.sh +. /usr/share/beakerlib/beakerlib.sh || exit 1 PACKAGE="curl" diff --git a/tests/tests.yml b/tests/tests.yml deleted file mode 100644 index 819d636..0000000 --- a/tests/tests.yml +++ /dev/null @@ -1,26 +0,0 @@ ---- -# Tests for Classic -- hosts: localhost - roles: - - role: standard-test-beakerlib - tags: - - classic - tests: - - scp-and-sftp-download-test - - non-root-user-download - required_packages: - - findutils # non-root-user-download needs find command - # scp-and-sftp-download-test needs find command - - passwd # non-root-user-download needs passwd command - - openssh-clients # non-root-user-download needs ssh-keyscan command - -# Tests for Atomic -- hosts: localhost - roles: - - role: standard-test-beakerlib - tags: - - atomic - tests: - - scp-and-sftp-download-test - - non-root-user-download -
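Review bot: The `require:` list in the new scp-and-sftp-download-test `main.fmf` names only `findutils`, although the removed Makefile declared `Requires: curl openssh` and the sibling non-root-user-download `main.fmf` lists `openssh-clients`, `openssh-server` and `passwd`. The test script is not visible in this hunk, but a test that transfers files over scp and sftp presumably needs an SSH server and client installed, and on a minimal image the missing packages would surface as a transfer failure rather than a setup error. I would add the same `openssh-clients` and `openssh-server` entries here, plus any account tooling the script uses.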