new upstream release - 8.18.0

Related: #2408809

.fmf/version

@@ -0,0 +1 @@
+1

.gitignore

@@ -1,2 +1,6 @@
 /curl-[0-9.]*.tar.lzma
+/curl-[0-9.]*.tar.lzma.asc
 /curl-[0-9.]*.tar.xz
+/curl-[0-9.]*.tar.xz.asc
+/curl-[0-9]*.[0-9]*.[0-9]*/
+/*.src.rpm

0001-curl-7.71.1-tool-krb-opt.patch

@@ -1,65 +0,0 @@
-From a58654cbc5bea608b9c8729703a6d866ffaae8d8 Mon Sep 17 00:00:00 2001
-From: Kamil Dudka <kdudka@redhat.com>
-Date: Thu, 2 Jul 2020 17:41:37 +0200
-Subject: [PATCH 1/2] tool_getparam: make --krb option work again
-
-It was disabled by mistake in commit curl-7_37_1-23-ge38ba4301.
-
-Bug: https://bugzilla.redhat.com/1833193
-Closes #5640
-
-Upstream-commit: d2fd845c35922ca73b89c617597dd5c59772e16a
-Signed-off-by: Kamil Dudka <kdudka@redhat.com>
----
- src/tool_getparam.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/tool_getparam.c b/src/tool_getparam.c
-index 3409621..9c6bc8a 100644
---- a/src/tool_getparam.c
-+++ b/src/tool_getparam.c
-@@ -813,7 +813,7 @@ ParameterError getparameter(const char *flag, /* f or -long-flag */
-         break;
-       case 'x': /* --krb */
-         /* kerberos level string */
--        if(curlinfo->features & CURL_VERSION_KERBEROS4)
-+        if(curlinfo->features & CURL_VERSION_SPNEGO)
-           GetStr(&config->krblevel, nextarg);
-         else
-           return PARAM_LIBCURL_DOESNT_SUPPORT;
--- 
-2.21.3
-
-
-From 0be44560dfe3597a12b21b95798f69714ff0459a Mon Sep 17 00:00:00 2001
-From: Daniel Stenberg <daniel@haxx.se>
-Date: Thu, 2 Jul 2020 23:46:40 +0200
-Subject: [PATCH 2/2] curl_version_info.3: CURL_VERSION_KERBEROS4 is deprecated
-
-This came up in #5640. It make sense to clarify this in the docs!
-
-Reminded-by: Kamil Dudka
-Closes #5642
-
-Upstream-commit: 54f21be2e3a64b9e57130cf6d1eb4f17c44d7967
-Signed-off-by: Kamil Dudka <kdudka@redhat.com>
----
- docs/libcurl/curl_version_info.3 | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/docs/libcurl/curl_version_info.3 b/docs/libcurl/curl_version_info.3
-index 2d21dfb..0d26e87 100644
---- a/docs/libcurl/curl_version_info.3
-+++ b/docs/libcurl/curl_version_info.3
-@@ -151,7 +151,7 @@ letters. (Added in 7.12.0)
- .IP CURL_VERSION_IPV6
- supports IPv6
- .IP CURL_VERSION_KERBEROS4
--supports Kerberos V4 (when using FTP)
-+supports Kerberos V4 (when using FTP). Legacy bit. Deprecated since 7.33.0.
- .IP CURL_VERSION_KERBEROS5
- supports Kerberos V5 authentication for FTP, IMAP, POP3, SMTP and SOCKSv5 proxy
- (Added in 7.40.0)
--- 
-2.21.3
-

0002-curl-7.71.1-unset-nobody.patch

@@ -1,148 +0,0 @@
-From 750188fc8eb239f51255d6f3510f544377e78ecd Mon Sep 17 00:00:00 2001
-From: Daniel Stenberg <daniel@haxx.se>
-Date: Mon, 27 Jul 2020 11:44:01 +0200
-Subject: [PATCH 1/3] setopt: unset NOBODY switches to GET if still HEAD
-
-Unsetting CURLOPT_NOBODY with 0L when doing HTTP has no documented
-action but before 7.71.0 that used to switch back to GET and with this
-change (assuming the method is still set to HEAD) this behavior is
-brought back.
-
-Reported-by: causal-agent on github
-Fixes #5725
-Closes #5728
-
-Upstream-commit: 91cb16b21faa556d4467399781379ad3abafd3fe
-Signed-off-by: Kamil Dudka <kdudka@redhat.com>
----
- lib/setopt.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/lib/setopt.c b/lib/setopt.c
-index 90edf6a..d621335 100644
---- a/lib/setopt.c
-+++ b/lib/setopt.c
-@@ -274,6 +274,8 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
-     if(data->set.opt_no_body)
-       /* in HTTP lingo, no body means using the HEAD request... */
-       data->set.method = HTTPREQ_HEAD;
-+    else if(data->set.method == HTTPREQ_HEAD)
-+      data->set.method = HTTPREQ_GET;
-     break;
-   case CURLOPT_FAILONERROR:
-     /*
--- 
-2.25.4
-
-
-From 44add6f66c7ddec9f002fb52ce8e893a8ca9165d Mon Sep 17 00:00:00 2001
-From: Daniel Stenberg <daniel@haxx.se>
-Date: Mon, 27 Jul 2020 11:54:29 +0200
-Subject: [PATCH 2/3] CURLOPT_NOBODY.3: clarify what setting to 0 means
-
-... and mention that HTTP with other methods than HEAD might get a body and
-there's no option available to stop that.
-
-Closes #5729
-
-Upstream-commit: e1bac81cc815f3fe968e009eb69b8e0236dcd82c
-Signed-off-by: Kamil Dudka <kdudka@redhat.com>
----
- docs/libcurl/opts/CURLOPT_NOBODY.3 | 22 ++++++++++++++++------
- 1 file changed, 16 insertions(+), 6 deletions(-)
-
-diff --git a/docs/libcurl/opts/CURLOPT_NOBODY.3 b/docs/libcurl/opts/CURLOPT_NOBODY.3
-index f720f49..3674dde 100644
---- a/docs/libcurl/opts/CURLOPT_NOBODY.3
-+++ b/docs/libcurl/opts/CURLOPT_NOBODY.3
-@@ -5,7 +5,7 @@
- .\" *                            | (__| |_| |  _ <| |___
- .\" *                             \___|\___/|_| \_\_____|
- .\" *
--.\" * Copyright (C) 1998 - 2017, Daniel Stenberg, <daniel@haxx.se>, et al.
-+.\" * Copyright (C) 1998 - 2020, Daniel Stenberg, <daniel@haxx.se>, et al.
- .\" *
- .\" * This software is licensed as described in the file COPYING, which
- .\" * you should have received as part of this distribution. The terms
-@@ -34,7 +34,17 @@ output when doing what would otherwise be a download. For HTTP(S), this makes
- libcurl do a HEAD request. For most other protocols it means just not asking
- to transfer the body data.
- 
--Enabling this option means asking for a download but without a body.
-+For HTTP operations when \fBCURLOPT_NOBODY(3)\fP has been set, unsetting the
-+option (with 0) will make it a GET again - only if the method is still set to
-+be HEAD. The proper way to get back to a GET request is to set
-+\fBCURLOPT_HTTPGET(3)\fP and for other methods, use the POST ur UPLOAD
-+options.
-+
-+Enabling \fBCURLOPT_NOBODY(3)\fP means asking for a download without a body.
-+
-+If you do a transfer with HTTP that involves a method other than HEAD, you
-+will get a body (unless the resource and server sends a zero byte body for the
-+specific URL you request).
- .SH DEFAULT
- 0, the body is transferred
- .SH PROTOCOLS
-@@ -43,9 +53,9 @@ Most
- .nf
- curl = curl_easy_init();
- if(curl) {
--  curl_easy_setopt(curl, CURLOPT_URL, "http://example.com");
-+  curl_easy_setopt(curl, CURLOPT_URL, "https://example.com");
- 
--  /* get us the resource without a body! */
-+  /* get us the resource without a body - use HEAD! */
-   curl_easy_setopt(curl, CURLOPT_NOBODY, 1L);
- 
-   /* Perform the request */
-@@ -57,5 +67,5 @@ Always
- .SH RETURN VALUE
- Returns CURLE_OK
- .SH "SEE ALSO"
--.BR CURLOPT_HTTPGET "(3), " CURLOPT_POST "(3), "
--.BR CURLOPT_REQUEST_TARGET "(3), "
-+.BR CURLOPT_HTTPGET "(3), " CURLOPT_POSTFIELDS "(3), " CURLOPT_UPLOAD "(3), "
-+.BR CURLOPT_REQUEST_TARGET "(3), " CURLOPT_MIMEPOST "(3), "
--- 
-2.25.4
-
-
-From cc8e488c83254013a0ad1149a77565723aee870b Mon Sep 17 00:00:00 2001
-From: Daniel Stenberg <daniel@haxx.se>
-Date: Mon, 27 Jul 2020 23:59:00 +0200
-Subject: [PATCH 3/3] CURLOPT_NOBODY.3: fix the syntax for referring to options
-
-As test 1140 fails otherwise!
-
-Follow-up to e1bac81cc815
-
-Upstream-commit: 34e5ad21d2cb98475acdbf7a3a6ea973d8c12249
-Signed-off-by: Kamil Dudka <kdudka@redhat.com>
----
- docs/libcurl/opts/CURLOPT_NOBODY.3 | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/docs/libcurl/opts/CURLOPT_NOBODY.3 b/docs/libcurl/opts/CURLOPT_NOBODY.3
-index 3674dde..112fb1a 100644
---- a/docs/libcurl/opts/CURLOPT_NOBODY.3
-+++ b/docs/libcurl/opts/CURLOPT_NOBODY.3
-@@ -34,13 +34,13 @@ output when doing what would otherwise be a download. For HTTP(S), this makes
- libcurl do a HEAD request. For most other protocols it means just not asking
- to transfer the body data.
- 
--For HTTP operations when \fBCURLOPT_NOBODY(3)\fP has been set, unsetting the
-+For HTTP operations when \fICURLOPT_NOBODY(3)\fP has been set, unsetting the
- option (with 0) will make it a GET again - only if the method is still set to
- be HEAD. The proper way to get back to a GET request is to set
--\fBCURLOPT_HTTPGET(3)\fP and for other methods, use the POST ur UPLOAD
-+\fICURLOPT_HTTPGET(3)\fP and for other methods, use the POST ur UPLOAD
- options.
- 
--Enabling \fBCURLOPT_NOBODY(3)\fP means asking for a download without a body.
-+Enabling \fICURLOPT_NOBODY(3)\fP means asking for a download without a body.
- 
- If you do a transfer with HTTP that involves a method other than HEAD, you
- will get a body (unless the resource and server sends a zero byte body for the
--- 
-2.25.4
-

0004-curl-7.71.1-CVE-2020-8231.patch

@@ -1,281 +0,0 @@
-From 6830828c9eecd9ab14404f2f49f19b56dec62130 Mon Sep 17 00:00:00 2001
-From: Marc Aldorasi <marc@groundctl.com>
-Date: Thu, 30 Jul 2020 14:16:17 -0400
-Subject: [PATCH 1/2] multi_remove_handle: close unused connect-only
- connections
-
-Previously any connect-only connections in a multi handle would be kept
-alive until the multi handle was closed.  Since these connections cannot
-be re-used, they can be marked for closure when the associated easy
-handle is removed from the multi handle.
-
-Closes #5749
-
-Upstream-commit: d5bb459ccf1fc5980ae4b95c05b4ecf6454a7599
-Signed-off-by: Kamil Dudka <kdudka@redhat.com>
----
- lib/multi.c         | 34 ++++++++++++++++++++++++++++++----
- tests/data/test1554 |  6 ++++++
- 2 files changed, 36 insertions(+), 4 deletions(-)
-
-diff --git a/lib/multi.c b/lib/multi.c
-index 249e360..f1371bd 100644
---- a/lib/multi.c
-+++ b/lib/multi.c
-@@ -689,6 +689,26 @@ static CURLcode multi_done(struct Curl_easy *data,
-   return result;
- }
- 
-+static int close_connect_only(struct connectdata *conn, void *param)
-+{
-+  struct Curl_easy *data = param;
-+
-+  if(data->state.lastconnect != conn)
-+    return 0;
-+
-+  if(conn->data != data)
-+    return 1;
-+  conn->data = NULL;
-+
-+  if(!conn->bits.connect_only)
-+    return 1;
-+
-+  connclose(conn, "Removing connect-only easy handle");
-+  conn->bits.connect_only = FALSE;
-+
-+  return 1;
-+}
-+
- CURLMcode curl_multi_remove_handle(struct Curl_multi *multi,
-                                    struct Curl_easy *data)
- {
-@@ -776,10 +796,6 @@ CURLMcode curl_multi_remove_handle(struct Curl_multi *multi,
-      multi_done() as that may actually call Curl_expire that uses this */
-   Curl_llist_destroy(&data->state.timeoutlist, NULL);
- 
--  /* as this was using a shared connection cache we clear the pointer to that
--     since we're not part of that multi handle anymore */
--  data->state.conn_cache = NULL;
--
-   /* change state without using multistate(), only to make singlesocket() do
-      what we want */
-   data->mstate = CURLM_STATE_COMPLETED;
-@@ -789,12 +805,22 @@ CURLMcode curl_multi_remove_handle(struct Curl_multi *multi,
-   /* Remove the association between the connection and the handle */
-   Curl_detach_connnection(data);
- 
-+  if(data->state.lastconnect) {
-+    /* Mark any connect-only connection for closure */
-+    Curl_conncache_foreach(data, data->state.conn_cache,
-+                           data, &close_connect_only);
-+  }
-+
- #ifdef USE_LIBPSL
-   /* Remove the PSL association. */
-   if(data->psl == &multi->psl)
-     data->psl = NULL;
- #endif
- 
-+  /* as this was using a shared connection cache we clear the pointer to that
-+     since we're not part of that multi handle anymore */
-+  data->state.conn_cache = NULL;
-+
-   data->multi = NULL; /* clear the association to this multi handle */
- 
-   /* make sure there's no pending message in the queue sent from this easy
-diff --git a/tests/data/test1554 b/tests/data/test1554
-index d3926d9..fffa6ad 100644
---- a/tests/data/test1554
-+++ b/tests/data/test1554
-@@ -50,6 +50,8 @@ run 1: foobar and so on fun!
- <- Mutex unlock
- -> Mutex lock
- <- Mutex unlock
-+-> Mutex lock
-+<- Mutex unlock
- run 1: foobar and so on fun!
- -> Mutex lock
- <- Mutex unlock
-@@ -65,6 +67,8 @@ run 1: foobar and so on fun!
- <- Mutex unlock
- -> Mutex lock
- <- Mutex unlock
-+-> Mutex lock
-+<- Mutex unlock
- run 1: foobar and so on fun!
- -> Mutex lock
- <- Mutex unlock
-@@ -74,6 +78,8 @@ run 1: foobar and so on fun!
- <- Mutex unlock
- -> Mutex lock
- <- Mutex unlock
-+-> Mutex lock
-+<- Mutex unlock
- </datacheck>
- </reply>
- 
--- 
-2.25.4
-
-
-From 01148ee40dd913a169435b0f9ea90e6393821e70 Mon Sep 17 00:00:00 2001
-From: Daniel Stenberg <daniel@haxx.se>
-Date: Sun, 16 Aug 2020 11:34:35 +0200
-Subject: [PATCH 2/2] Curl_easy: remember last connection by id, not by pointer
-
-CVE-2020-8231
-
-Bug: https://curl.haxx.se/docs/CVE-2020-8231.html
-
-Reported-by: Marc Aldorasi
-Closes #5824
-
-Upstream-commit: 3c9e021f86872baae412a427e807fbfa2f3e8a22
-Signed-off-by: Kamil Dudka <kdudka@redhat.com>
----
- lib/connect.c | 19 ++++++++++---------
- lib/easy.c    |  3 +--
- lib/multi.c   |  9 +++++----
- lib/url.c     |  2 +-
- lib/urldata.h |  2 +-
- 5 files changed, 18 insertions(+), 17 deletions(-)
-
-diff --git a/lib/connect.c b/lib/connect.c
-index 29293f0..e1c5662 100644
---- a/lib/connect.c
-+++ b/lib/connect.c
-@@ -1363,15 +1363,15 @@ CURLcode Curl_connecthost(struct connectdata *conn,  /* context */
- }
- 
- struct connfind {
--  struct connectdata *tofind;
--  bool found;
-+  long id_tofind;
-+  struct connectdata *found;
- };
- 
- static int conn_is_conn(struct connectdata *conn, void *param)
- {
-   struct connfind *f = (struct connfind *)param;
--  if(conn == f->tofind) {
--    f->found = TRUE;
-+  if(conn->connection_id == f->id_tofind) {
-+    f->found = conn;
-     return 1;
-   }
-   return 0;
-@@ -1393,21 +1393,22 @@ curl_socket_t Curl_getconnectinfo(struct Curl_easy *data,
-    * - that is associated with a multi handle, and whose connection
-    *   was detached with CURLOPT_CONNECT_ONLY
-    */
--  if(data->state.lastconnect && (data->multi_easy || data->multi)) {
--    struct connectdata *c = data->state.lastconnect;
-+  if((data->state.lastconnect_id != -1) && (data->multi_easy || data->multi)) {
-+    struct connectdata *c;
-     struct connfind find;
--    find.tofind = data->state.lastconnect;
--    find.found = FALSE;
-+    find.id_tofind = data->state.lastconnect_id;
-+    find.found = NULL;
- 
-     Curl_conncache_foreach(data, data->multi_easy?
-                            &data->multi_easy->conn_cache:
-                            &data->multi->conn_cache, &find, conn_is_conn);
- 
-     if(!find.found) {
--      data->state.lastconnect = NULL;
-+      data->state.lastconnect_id = -1;
-       return CURL_SOCKET_BAD;
-     }
- 
-+    c = find.found;
-     if(connp) {
-       /* only store this if the caller cares for it */
-       *connp = c;
-diff --git a/lib/easy.c b/lib/easy.c
-index 292cca7..a69eb9e 100644
---- a/lib/easy.c
-+++ b/lib/easy.c
-@@ -838,8 +838,7 @@ struct Curl_easy *curl_easy_duphandle(struct Curl_easy *data)
- 
-   /* the connection cache is setup on demand */
-   outcurl->state.conn_cache = NULL;
--
--  outcurl->state.lastconnect = NULL;
-+  outcurl->state.lastconnect_id = -1;
- 
-   outcurl->progress.flags    = data->progress.flags;
-   outcurl->progress.callback = data->progress.callback;
-diff --git a/lib/multi.c b/lib/multi.c
-index f1371bd..778c537 100644
---- a/lib/multi.c
-+++ b/lib/multi.c
-@@ -455,6 +455,7 @@ CURLMcode curl_multi_add_handle(struct Curl_multi *multi,
-     data->state.conn_cache = &data->share->conn_cache;
-   else
-     data->state.conn_cache = &multi->conn_cache;
-+  data->state.lastconnect_id = -1;
- 
- #ifdef USE_LIBPSL
-   /* Do the same for PSL. */
-@@ -677,11 +678,11 @@ static CURLcode multi_done(struct Curl_easy *data,
-     CONNCACHE_UNLOCK(data);
-     if(Curl_conncache_return_conn(data, conn)) {
-       /* remember the most recently used connection */
--      data->state.lastconnect = conn;
-+      data->state.lastconnect_id = conn->connection_id;
-       infof(data, "%s\n", buffer);
-     }
-     else
--      data->state.lastconnect = NULL;
-+      data->state.lastconnect_id = -1;
-   }
- 
-   Curl_safefree(data->state.buffer);
-@@ -693,7 +694,7 @@ static int close_connect_only(struct connectdata *conn, void *param)
- {
-   struct Curl_easy *data = param;
- 
--  if(data->state.lastconnect != conn)
-+  if(data->state.lastconnect_id != conn->connection_id)
-     return 0;
- 
-   if(conn->data != data)
-@@ -805,7 +806,7 @@ CURLMcode curl_multi_remove_handle(struct Curl_multi *multi,
-   /* Remove the association between the connection and the handle */
-   Curl_detach_connnection(data);
- 
--  if(data->state.lastconnect) {
-+  if(data->state.lastconnect_id != -1) {
-     /* Mark any connect-only connection for closure */
-     Curl_conncache_foreach(data, data->state.conn_cache,
-                            data, &close_connect_only);
-diff --git a/lib/url.c b/lib/url.c
-index a1a6b69..2919a3d 100644
---- a/lib/url.c
-+++ b/lib/url.c
-@@ -630,7 +630,7 @@ CURLcode Curl_open(struct Curl_easy **curl)
-     Curl_initinfo(data);
- 
-     /* most recent connection is not yet defined */
--    data->state.lastconnect = NULL;
-+    data->state.lastconnect_id = -1;
- 
-     data->progress.flags |= PGRS_HIDE;
-     data->state.current_speed = -1; /* init to negative == impossible */
-diff --git a/lib/urldata.h b/lib/urldata.h
-index f80a02d..6d8eb69 100644
---- a/lib/urldata.h
-+++ b/lib/urldata.h
-@@ -1300,7 +1300,7 @@ struct UrlState {
-   /* buffers to store authentication data in, as parsed from input options */
-   struct curltime keeps_speed; /* for the progress meter really */
- 
--  struct connectdata *lastconnect; /* The last connection, NULL if undefined */
-+  long lastconnect_id; /* The last connection, -1 if undefined */
-   struct dynbuf headerb; /* buffer to store headers in */
- 
-   char *buffer; /* download buffer */
--- 
-2.25.4
-

0005-curl-7.71.1-CVE-2020-8284.patch

@@ -1,208 +0,0 @@
-From c7cc15980d50a51857de66b701b7762789139b46 Mon Sep 17 00:00:00 2001
-From: Daniel Stenberg <daniel@haxx.se>
-Date: Tue, 24 Nov 2020 14:56:57 +0100
-Subject: [PATCH] ftp: CURLOPT_FTP_SKIP_PASV_IP by default
-
-The command line tool also independently sets --ftp-skip-pasv-ip by
-default.
-
-Ten test cases updated to adapt the modified --libcurl output.
-
-Bug: https://curl.se/docs/CVE-2020-8284.html
-CVE-2020-8284
-
-Reported-by: Varnavas Papaioannou
-
-Upstream-commit: ec9cc725d598ac77de7b6df8afeec292b3c8ad46
-Signed-off-by: Kamil Dudka <kdudka@redhat.com>
----
- docs/cmdline-opts/ftp-skip-pasv-ip.d         | 2 ++
- docs/libcurl/opts/CURLOPT_FTP_SKIP_PASV_IP.3 | 8 +++++---
- lib/url.c                                    | 1 +
- src/tool_cfgable.c                           | 1 +
- tests/data/test1400                          | 1 +
- tests/data/test1401                          | 1 +
- tests/data/test1402                          | 1 +
- tests/data/test1403                          | 1 +
- tests/data/test1404                          | 1 +
- tests/data/test1405                          | 1 +
- tests/data/test1406                          | 1 +
- tests/data/test1407                          | 1 +
- tests/data/test1420                          | 1 +
- 13 files changed, 18 insertions(+), 3 deletions(-)
-
-diff --git a/docs/cmdline-opts/ftp-skip-pasv-ip.d b/docs/cmdline-opts/ftp-skip-pasv-ip.d
-index da6ab11..4be8b43 100644
---- a/docs/cmdline-opts/ftp-skip-pasv-ip.d
-+++ b/docs/cmdline-opts/ftp-skip-pasv-ip.d
-@@ -9,4 +9,6 @@ to curl's PASV command when curl connects the data connection. Instead curl
- will re-use the same IP address it already uses for the control
- connection.
- 
-+Since curl 7.74.0 this option is enabled by default.
-+
- This option has no effect if PORT, EPRT or EPSV is used instead of PASV.
-diff --git a/docs/libcurl/opts/CURLOPT_FTP_SKIP_PASV_IP.3 b/docs/libcurl/opts/CURLOPT_FTP_SKIP_PASV_IP.3
-index e68d2e7..29bc672 100644
---- a/docs/libcurl/opts/CURLOPT_FTP_SKIP_PASV_IP.3
-+++ b/docs/libcurl/opts/CURLOPT_FTP_SKIP_PASV_IP.3
-@@ -5,7 +5,7 @@
- .\" *                            | (__| |_| |  _ <| |___
- .\" *                             \___|\___/|_| \_\_____|
- .\" *
--.\" * Copyright (C) 1998 - 2017, Daniel Stenberg, <daniel@haxx.se>, et al.
-+.\" * Copyright (C) 1998 - 2020, Daniel Stenberg, <daniel@haxx.se>, et al.
- .\" *
- .\" * This software is licensed as described in the file COPYING, which
- .\" * you should have received as part of this distribution. The terms
-@@ -36,11 +36,13 @@ address it already uses for the control connection. But it will use the port
- number from the 227-response.
- 
- This option thus allows libcurl to work around broken server installations
--that due to NATs, firewalls or incompetence report the wrong IP address back.
-+that due to NATs, firewalls or incompetence report the wrong IP address
-+back. Setting the option also reduces the risk for various sorts of client
-+abuse by malicious servers.
- 
- This option has no effect if PORT, EPRT or EPSV is used instead of PASV.
- .SH DEFAULT
--0
-+1 since 7.74.0, was 0 before then.
- .SH PROTOCOLS
- FTP
- .SH EXAMPLE
-diff --git a/lib/url.c b/lib/url.c
-index 2919a3d..41029d6 100644
---- a/lib/url.c
-+++ b/lib/url.c
-@@ -480,6 +480,7 @@ CURLcode Curl_init_userdefined(struct Curl_easy *data)
-   set->ftp_use_eprt = TRUE;   /* FTP defaults to EPRT operations */
-   set->ftp_use_pret = FALSE;  /* mainly useful for drftpd servers */
-   set->ftp_filemethod = FTPFILE_MULTICWD;
-+  set->ftp_skip_ip = TRUE;    /* skip PASV IP by default */
- #endif
-   set->dns_cache_timeout = 60; /* Timeout every 60 seconds by default */
- 
-diff --git a/src/tool_cfgable.c b/src/tool_cfgable.c
-index 63bdeaa..22770c4 100644
---- a/src/tool_cfgable.c
-+++ b/src/tool_cfgable.c
-@@ -44,6 +44,7 @@ void config_init(struct OperationConfig *config)
-   config->tcp_nodelay = TRUE; /* enabled by default */
-   config->happy_eyeballs_timeout_ms = CURL_HET_DEFAULT;
-   config->http09_allowed = FALSE;
-+  config->ftp_skip_ip = TRUE;
- }
- 
- static void free_config_fields(struct OperationConfig *config)
-diff --git a/tests/data/test1400 b/tests/data/test1400
-index c0d409b..ade50d4 100644
---- a/tests/data/test1400
-+++ b/tests/data/test1400
-@@ -76,6 +76,7 @@ int main(int argc, char *argv[])
-   curl_easy_setopt(hnd, CURLOPT_USERAGENT, "stripped");
-   curl_easy_setopt(hnd, CURLOPT_MAXREDIRS, 50L);
-   curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L);
-+  curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L);
-   curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L);
- 
-   /* Here is a list of options the curl code used that cannot get generated
-diff --git a/tests/data/test1401 b/tests/data/test1401
-index ec3b25c..a2e9ef2 100644
---- a/tests/data/test1401
-+++ b/tests/data/test1401
-@@ -90,6 +90,7 @@ int main(int argc, char *argv[])
-   curl_easy_setopt(hnd, CURLOPT_MAXREDIRS, 50L);
-   curl_easy_setopt(hnd, CURLOPT_COOKIE, "chocolate=chip");
-   curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L);
-+  curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L);
-   curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L);
-   curl_easy_setopt(hnd, CURLOPT_PROTOCOLS, (long)CURLPROTO_FILE |
-                                            (long)CURLPROTO_FTP |
-diff --git a/tests/data/test1402 b/tests/data/test1402
-index bf7eb7b..99d4b70 100644
---- a/tests/data/test1402
-+++ b/tests/data/test1402
-@@ -81,6 +81,7 @@ int main(int argc, char *argv[])
-   curl_easy_setopt(hnd, CURLOPT_USERAGENT, "stripped");
-   curl_easy_setopt(hnd, CURLOPT_MAXREDIRS, 50L);
-   curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L);
-+  curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L);
-   curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L);
- 
-   /* Here is a list of options the curl code used that cannot get generated
-diff --git a/tests/data/test1403 b/tests/data/test1403
-index 731d274..90f9b4e 100644
---- a/tests/data/test1403
-+++ b/tests/data/test1403
-@@ -76,6 +76,7 @@ int main(int argc, char *argv[])
-   curl_easy_setopt(hnd, CURLOPT_USERAGENT, "stripped");
-   curl_easy_setopt(hnd, CURLOPT_MAXREDIRS, 50L);
-   curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L);
-+  curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L);
-   curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L);
- 
-   /* Here is a list of options the curl code used that cannot get generated
-diff --git a/tests/data/test1404 b/tests/data/test1404
-index d3c66a9..d351c3e 100644
---- a/tests/data/test1404
-+++ b/tests/data/test1404
-@@ -147,6 +147,7 @@ int main(int argc, char *argv[])
-   curl_easy_setopt(hnd, CURLOPT_USERAGENT, "stripped");
-   curl_easy_setopt(hnd, CURLOPT_MAXREDIRS, 50L);
-   curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L);
-+  curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L);
-   curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L);
- 
-   /* Here is a list of options the curl code used that cannot get generated
-diff --git a/tests/data/test1405 b/tests/data/test1405
-index dcc8f80..d1ebb7c 100644
---- a/tests/data/test1405
-+++ b/tests/data/test1405
-@@ -89,6 +89,7 @@ int main(int argc, char *argv[])
-   curl_easy_setopt(hnd, CURLOPT_POSTQUOTE, slist2);
-   curl_easy_setopt(hnd, CURLOPT_PREQUOTE, slist3);
-   curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L);
-+  curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L);
-   curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L);
- 
-   /* Here is a list of options the curl code used that cannot get generated
-diff --git a/tests/data/test1406 b/tests/data/test1406
-index 8803c84..31db82a 100644
---- a/tests/data/test1406
-+++ b/tests/data/test1406
-@@ -79,6 +79,7 @@ int main(int argc, char *argv[])
-   curl_easy_setopt(hnd, CURLOPT_URL, "smtp://%HOSTIP:%SMTPPORT/1406");
-   curl_easy_setopt(hnd, CURLOPT_UPLOAD, 1L);
-   curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L);
-+  curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L);
-   curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L);
-   curl_easy_setopt(hnd, CURLOPT_MAIL_FROM, "sender@example.com");
-   curl_easy_setopt(hnd, CURLOPT_MAIL_RCPT, slist1);
-diff --git a/tests/data/test1407 b/tests/data/test1407
-index 917a5de..d329509 100644
---- a/tests/data/test1407
-+++ b/tests/data/test1407
-@@ -62,6 +62,7 @@ int main(int argc, char *argv[])
-   curl_easy_setopt(hnd, CURLOPT_DIRLISTONLY, 1L);
-   curl_easy_setopt(hnd, CURLOPT_USERPWD, "user:secret");
-   curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L);
-+  curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L);
-   curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L);
- 
-   /* Here is a list of options the curl code used that cannot get generated
-diff --git a/tests/data/test1420 b/tests/data/test1420
-index 03c4584..c1ba190 100644
---- a/tests/data/test1420
-+++ b/tests/data/test1420
-@@ -67,6 +67,7 @@ int main(int argc, char *argv[])
-   curl_easy_setopt(hnd, CURLOPT_URL, "imap://%HOSTIP:%IMAPPORT/1420/;MAILINDEX=1");
-   curl_easy_setopt(hnd, CURLOPT_USERPWD, "user:secret");
-   curl_easy_setopt(hnd, CURLOPT_VERBOSE, 1L);
-+  curl_easy_setopt(hnd, CURLOPT_FTP_SKIP_PASV_IP, 1L);
-   curl_easy_setopt(hnd, CURLOPT_TCP_KEEPALIVE, 1L);
- 
-   /* Here is a list of options the curl code used that cannot get generated
--- 
-2.26.2
-

0007-curl-7.71.1-CVE-2020-8286.patch

@@ -1,129 +0,0 @@
-From 2ad3b3d39e45a9eeaf6845f393928ef0095893e7 Mon Sep 17 00:00:00 2001
-From: Daniel Stenberg <daniel@haxx.se>
-Date: Wed, 2 Dec 2020 23:01:11 +0100
-Subject: [PATCH] openssl: make the OCSP verification verify the certificate id
-
-CVE-2020-8286
-
-Reported by anonymous
-
-Bug: https://curl.se/docs/CVE-2020-8286.html
-
-Upstream-commit: d9d01672785b8ac04aab1abb6de95fe3072ae199
-Signed-off-by: Kamil Dudka <kdudka@redhat.com>
----
- lib/vtls/openssl.c | 83 ++++++++++++++++++++++++++++++----------------
- 1 file changed, 54 insertions(+), 29 deletions(-)
-
-diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
-index 2e9f900..5803fd1 100644
---- a/lib/vtls/openssl.c
-+++ b/lib/vtls/openssl.c
-@@ -1775,6 +1775,11 @@ static CURLcode verifystatus(struct connectdata *conn,
-   X509_STORE     *st = NULL;
-   STACK_OF(X509) *ch = NULL;
-   struct ssl_backend_data *backend = connssl->backend;
-+  X509 *cert;
-+  OCSP_CERTID *id = NULL;
-+  int cert_status, crl_reason;
-+  ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd;
-+  int ret;
- 
-   long len = SSL_get_tlsext_status_ocsp_resp(backend->handle, &status);
- 
-@@ -1843,43 +1848,63 @@ static CURLcode verifystatus(struct connectdata *conn,
-     goto end;
-   }
- 
--  for(i = 0; i < OCSP_resp_count(br); i++) {
--    int cert_status, crl_reason;
--    OCSP_SINGLERESP *single = NULL;
--
--    ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd;
-+  /* Compute the certificate's ID */
-+  cert = SSL_get_peer_certificate(backend->handle);
-+  if(!cert) {
-+    failf(data, "Error getting peer certficate");
-+    result = CURLE_SSL_INVALIDCERTSTATUS;
-+    goto end;
-+  }
- 
--    single = OCSP_resp_get0(br, i);
--    if(!single)
--      continue;
-+  for(i = 0; i < sk_X509_num(ch); i++) {
-+    X509 *issuer = sk_X509_value(ch, i);
-+    if(X509_check_issued(issuer, cert) == X509_V_OK) {
-+      id = OCSP_cert_to_id(EVP_sha1(), cert, issuer);
-+      break;
-+    }
-+  }
-+  X509_free(cert);
- 
--    cert_status = OCSP_single_get0_status(single, &crl_reason, &rev,
--                                          &thisupd, &nextupd);
-+  if(!id) {
-+    failf(data, "Error computing OCSP ID");
-+    result = CURLE_SSL_INVALIDCERTSTATUS;
-+    goto end;
-+  }
- 
--    if(!OCSP_check_validity(thisupd, nextupd, 300L, -1L)) {
--      failf(data, "OCSP response has expired");
--      result = CURLE_SSL_INVALIDCERTSTATUS;
--      goto end;
--    }
-+  /* Find the single OCSP response corresponding to the certificate ID */
-+  ret = OCSP_resp_find_status(br, id, &cert_status, &crl_reason, &rev,
-+                              &thisupd, &nextupd);
-+  OCSP_CERTID_free(id);
-+  if(ret != 1) {
-+    failf(data, "Could not find certificate ID in OCSP response");
-+    result = CURLE_SSL_INVALIDCERTSTATUS;
-+    goto end;
-+  }
- 
--    infof(data, "SSL certificate status: %s (%d)\n",
--          OCSP_cert_status_str(cert_status), cert_status);
-+  /* Validate the corresponding single OCSP response */
-+  if(!OCSP_check_validity(thisupd, nextupd, 300L, -1L)) {
-+    failf(data, "OCSP response has expired");
-+    result = CURLE_SSL_INVALIDCERTSTATUS;
-+    goto end;
-+  }
- 
--    switch(cert_status) {
--      case V_OCSP_CERTSTATUS_GOOD:
--        break;
-+  infof(data, "SSL certificate status: %s (%d)\n",
-+        OCSP_cert_status_str(cert_status), cert_status);
- 
--      case V_OCSP_CERTSTATUS_REVOKED:
--        result = CURLE_SSL_INVALIDCERTSTATUS;
-+  switch(cert_status) {
-+  case V_OCSP_CERTSTATUS_GOOD:
-+    break;
- 
--        failf(data, "SSL certificate revocation reason: %s (%d)",
--              OCSP_crl_reason_str(crl_reason), crl_reason);
--        goto end;
-+  case V_OCSP_CERTSTATUS_REVOKED:
-+    result = CURLE_SSL_INVALIDCERTSTATUS;
-+    failf(data, "SSL certificate revocation reason: %s (%d)",
-+          OCSP_crl_reason_str(crl_reason), crl_reason);
-+    goto end;
- 
--      case V_OCSP_CERTSTATUS_UNKNOWN:
--        result = CURLE_SSL_INVALIDCERTSTATUS;
--        goto end;
--    }
-+  case V_OCSP_CERTSTATUS_UNKNOWN:
-+  default:
-+    result = CURLE_SSL_INVALIDCERTSTATUS;
-+    goto end;
-   }
- 
- end:
--- 
-2.26.2
-

0008-curl-7.71.1-CVE-2021-22876.patch

@@ -1,64 +0,0 @@
-From 1c875f3e08124c32205a7d33b5c10256ff9352cc Mon Sep 17 00:00:00 2001
-From: Viktor Szakats <commit@vsz.me>
-Date: Tue, 23 Feb 2021 14:54:46 +0100
-Subject: [PATCH] transfer: strip credentials from the auto-referer header
- field
-
-Added test 2081 to verify.
-
-CVE-2021-22876
-
-Bug: https://curl.se/docs/CVE-2021-22876.html
-
-Upstream-commit: 7214288898f5625a6cc196e22a74232eada7861c
-Signed-off-by: Kamil Dudka <kdudka@redhat.com>
----
- lib/transfer.c | 24 ++++++++++++++++++++++--
- 1 file changed, 22 insertions(+), 2 deletions(-)
-
-diff --git a/lib/transfer.c b/lib/transfer.c
-index 44104ab..3325a0e 100644
---- a/lib/transfer.c
-+++ b/lib/transfer.c
-@@ -1582,6 +1582,9 @@ CURLcode Curl_follow(struct Curl_easy *data,
-       data->set.followlocation++; /* count location-followers */
- 
-       if(data->set.http_auto_referer) {
-+        CURLU *u;
-+        char *referer;
-+
-         /* We are asked to automatically set the previous URL as the referer
-            when we get the next URL. We pick the ->url field, which may or may
-            not be 100% correct */
-@@ -1591,9 +1594,26 @@ CURLcode Curl_follow(struct Curl_easy *data,
-           data->change.referer_alloc = FALSE;
-         }
- 
--        data->change.referer = strdup(data->change.url);
--        if(!data->change.referer)
-+        /* Make a copy of the URL without crenditals and fragment */
-+        u = curl_url();
-+        if(!u)
-+          return CURLE_OUT_OF_MEMORY;
-+
-+        uc = curl_url_set(u, CURLUPART_URL, data->change.url, 0);
-+        if(!uc)
-+          uc = curl_url_set(u, CURLUPART_FRAGMENT, NULL, 0);
-+        if(!uc)
-+          uc = curl_url_set(u, CURLUPART_USER, NULL, 0);
-+        if(!uc)
-+          uc = curl_url_set(u, CURLUPART_PASSWORD, NULL, 0);
-+        if(!uc)
-+          uc = curl_url_get(u, CURLUPART_URL, &referer, 0);
-+
-+        curl_url_cleanup(u);
-+
-+        if(uc || referer == NULL)
-           return CURLE_OUT_OF_MEMORY;
-+        data->change.referer = referer;
-         data->change.referer_alloc = TRUE; /* yes, free this later */
-       }
-     }
--- 
-2.26.3
-

0009-curl-7.71.1-CVE-2021-22890.patch

@@ -1,217 +0,0 @@
-From 840011af52fcdac15a749f14f19b00401a49dc51 Mon Sep 17 00:00:00 2001
-From: Daniel Stenberg <daniel@haxx.se>
-Date: Fri, 19 Mar 2021 12:38:49 +0100
-Subject: [PATCH] vtls: add 'isproxy' argument to Curl_ssl_get/addsessionid()
-
-To make sure we set and extract the correct session.
-
-Reported-by: Mingtao Yang
-Bug: https://curl.se/docs/CVE-2021-22890.html
-
-CVE-2021-22890
-
-Upstream-commit: b09c8ee15771c614c4bf3ddac893cdb12187c844
-Signed-off-by: Kamil Dudka <kdudka@redhat.com>
----
- lib/vtls/openssl.c | 52 +++++++++++++++++++++++++++++++++++-----------
- lib/vtls/vtls.c    | 12 ++++++++---
- lib/vtls/vtls.h    |  2 ++
- 3 files changed, 51 insertions(+), 15 deletions(-)
-
-diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
-index 5803fd1..16276f3 100644
---- a/lib/vtls/openssl.c
-+++ b/lib/vtls/openssl.c
-@@ -360,12 +360,23 @@ static int ossl_get_ssl_conn_index(void)
-  */
- static int ossl_get_ssl_sockindex_index(void)
- {
--  static int ssl_ex_data_sockindex_index = -1;
--  if(ssl_ex_data_sockindex_index < 0) {
--    ssl_ex_data_sockindex_index = SSL_get_ex_new_index(0, NULL, NULL, NULL,
--        NULL);
-+  static int sockindex_index = -1;
-+  if(sockindex_index < 0) {
-+    sockindex_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL);
-   }
--  return ssl_ex_data_sockindex_index;
-+  return sockindex_index;
-+}
-+
-+/* Return an extra data index for proxy boolean.
-+ * This index can be used with SSL_get_ex_data() and SSL_set_ex_data().
-+ */
-+static int ossl_get_proxy_index(void)
-+{
-+  static int proxy_index = -1;
-+  if(proxy_index < 0) {
-+    proxy_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL);
-+  }
-+  return proxy_index;
- }
- 
- static int passwd_callback(char *buf, int num, int encrypting,
-@@ -1133,7 +1144,8 @@ static int Curl_ossl_init(void)
-   Curl_tls_keylog_open();
- 
-   /* Initialize the extra data indexes */
--  if(ossl_get_ssl_conn_index() < 0 || ossl_get_ssl_sockindex_index() < 0)
-+  if(ossl_get_ssl_conn_index() < 0 ||
-+     ossl_get_ssl_sockindex_index() < 0 || ossl_get_proxy_index() < 0)
-     return 0;
- 
-   return 1;
-@@ -2425,8 +2437,10 @@ static int ossl_new_session_cb(SSL *ssl, SSL_SESSION *ssl_sessionid)
-   curl_socket_t *sockindex_ptr;
-   int connectdata_idx = ossl_get_ssl_conn_index();
-   int sockindex_idx = ossl_get_ssl_sockindex_index();
-+  int proxy_idx = ossl_get_proxy_index();
-+  bool isproxy;
- 
--  if(connectdata_idx < 0 || sockindex_idx < 0)
-+  if(connectdata_idx < 0 || sockindex_idx < 0 || proxy_idx < 0)
-     return 0;
- 
-   conn = (struct connectdata*) SSL_get_ex_data(ssl, connectdata_idx);
-@@ -2439,13 +2453,18 @@ static int ossl_new_session_cb(SSL *ssl, SSL_SESSION *ssl_sessionid)
-   sockindex_ptr = (curl_socket_t*) SSL_get_ex_data(ssl, sockindex_idx);
-   sockindex = (int)(sockindex_ptr - conn->sock);
- 
-+  isproxy = SSL_get_ex_data(ssl, proxy_idx) ? TRUE : FALSE;
-+
-   if(SSL_SET_OPTION(primary.sessionid)) {
-     bool incache;
-     void *old_ssl_sessionid = NULL;
- 
-     Curl_ssl_sessionid_lock(conn);
--    incache = !(Curl_ssl_getsessionid(conn, &old_ssl_sessionid, NULL,
--                                      sockindex));
-+    if(isproxy)
-+      incache = FALSE;
-+    else
-+      incache = !(Curl_ssl_getsessionid(conn, isproxy,
-+                                        &old_ssl_sessionid, NULL, sockindex));
-     if(incache) {
-       if(old_ssl_sessionid != ssl_sessionid) {
-         infof(data, "old SSL session ID is stale, removing\n");
-@@ -2455,7 +2474,7 @@ static int ossl_new_session_cb(SSL *ssl, SSL_SESSION *ssl_sessionid)
-     }
- 
-     if(!incache) {
--      if(!Curl_ssl_addsessionid(conn, ssl_sessionid,
-+      if(!Curl_ssl_addsessionid(conn, isproxy, ssl_sessionid,
-                                       0 /* unknown size */, sockindex)) {
-         /* the session has been put into the session cache */
-         res = 1;
-@@ -3170,16 +3189,25 @@ static CURLcode ossl_connect_step1(struct connectdata *conn, int sockindex)
-     void *ssl_sessionid = NULL;
-     int connectdata_idx = ossl_get_ssl_conn_index();
-     int sockindex_idx = ossl_get_ssl_sockindex_index();
-+    int proxy_idx = ossl_get_proxy_index();
- 
--    if(connectdata_idx >= 0 && sockindex_idx >= 0) {
-+    if(connectdata_idx >= 0 && sockindex_idx >= 0 && proxy_idx >= 0) {
-       /* Store the data needed for the "new session" callback.
-        * The sockindex is stored as a pointer to an array element. */
-       SSL_set_ex_data(backend->handle, connectdata_idx, conn);
-       SSL_set_ex_data(backend->handle, sockindex_idx, conn->sock + sockindex);
-+#ifndef CURL_DISABLE_PROXY
-+      SSL_set_ex_data(backend->handle, proxy_idx, SSL_IS_PROXY() ? (void *) 1:
-+                      NULL);
-+#else
-+      SSL_set_ex_data(backend->handle, proxy_idx, NULL);
-+#endif
-+
-     }
- 
-     Curl_ssl_sessionid_lock(conn);
--    if(!Curl_ssl_getsessionid(conn, &ssl_sessionid, NULL, sockindex)) {
-+    if(!Curl_ssl_getsessionid(conn, SSL_IS_PROXY() ? TRUE : FALSE,
-+                              &ssl_sessionid, NULL, sockindex)) {
-       /* we got a session id, use it! */
-       if(!SSL_set_session(backend->handle, ssl_sessionid)) {
-         Curl_ssl_sessionid_unlock(conn);
-diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
-index c3a55fb..e50fdd2 100644
---- a/lib/vtls/vtls.c
-+++ b/lib/vtls/vtls.c
-@@ -358,6 +358,7 @@ void Curl_ssl_sessionid_unlock(struct connectdata *conn)
-  * there's one suitable, it is provided. Returns TRUE when no entry matched.
-  */
- bool Curl_ssl_getsessionid(struct connectdata *conn,
-+                           const bool isProxy,
-                            void **ssl_sessionid,
-                            size_t *idsize, /* set 0 if unknown */
-                            int sockindex)
-@@ -369,7 +370,6 @@ bool Curl_ssl_getsessionid(struct connectdata *conn,
-   bool no_match = TRUE;
- 
- #ifndef CURL_DISABLE_PROXY
--  const bool isProxy = CONNECT_PROXY_SSL();
-   struct ssl_primary_config * const ssl_config = isProxy ?
-     &conn->proxy_ssl_config :
-     &conn->ssl_config;
-@@ -381,10 +381,15 @@ bool Curl_ssl_getsessionid(struct connectdata *conn,
-   struct ssl_primary_config * const ssl_config = &conn->ssl_config;
-   const char * const name = conn->host.name;
-   int port = conn->remote_port;
--  (void)sockindex;
- #endif
-+  (void)sockindex;
-   *ssl_sessionid = NULL;
- 
-+#ifdef CURL_DISABLE_PROXY
-+  if(isProxy)
-+    return TRUE;
-+#endif
-+
-   DEBUGASSERT(SSL_SET_OPTION(primary.sessionid));
- 
-   if(!SSL_SET_OPTION(primary.sessionid))
-@@ -472,6 +477,7 @@ void Curl_ssl_delsessionid(struct connectdata *conn, void *ssl_sessionid)
-  * later on.
-  */
- CURLcode Curl_ssl_addsessionid(struct connectdata *conn,
-+                               bool isProxy,
-                                void *ssl_sessionid,
-                                size_t idsize,
-                                int sockindex)
-@@ -485,7 +491,6 @@ CURLcode Curl_ssl_addsessionid(struct connectdata *conn,
-   int conn_to_port;
-   long *general_age;
- #ifndef CURL_DISABLE_PROXY
--  const bool isProxy = CONNECT_PROXY_SSL();
-   struct ssl_primary_config * const ssl_config = isProxy ?
-     &conn->proxy_ssl_config :
-     &conn->ssl_config;
-@@ -498,6 +503,7 @@ CURLcode Curl_ssl_addsessionid(struct connectdata *conn,
-   const char *hostname = conn->host.name;
-   (void)sockindex;
- #endif
-+  (void)sockindex;
-   DEBUGASSERT(SSL_SET_OPTION(primary.sessionid));
- 
-   clone_host = strdup(hostname);
-diff --git a/lib/vtls/vtls.h b/lib/vtls/vtls.h
-index bcc8444..343cad0 100644
---- a/lib/vtls/vtls.h
-+++ b/lib/vtls/vtls.h
-@@ -203,6 +203,7 @@ void Curl_ssl_sessionid_unlock(struct connectdata *conn);
-  * under sessionid mutex).
-  */
- bool Curl_ssl_getsessionid(struct connectdata *conn,
-+                           const bool isproxy,
-                            void **ssl_sessionid,
-                            size_t *idsize, /* set 0 if unknown */
-                            int sockindex);
-@@ -212,6 +213,7 @@ bool Curl_ssl_getsessionid(struct connectdata *conn,
-  * object with cache (e.g. incrementing refcount on success)
-  */
- CURLcode Curl_ssl_addsessionid(struct connectdata *conn,
-+                               const bool isProxy,
-                                void *ssl_sessionid,
-                                size_t idsize,
-                                int sockindex);
--- 
-2.26.3
-

0010-curl-7.71.1-CVE-2021-22924.patch

@@ -1,788 +0,0 @@
-From c3e2c52593b94bd93775b50063e1d54bc7b1b911 Mon Sep 17 00:00:00 2001
-From: Daniel Stenberg <daniel@haxx.se>
-Date: Thu, 18 Feb 2021 10:13:56 +0100
-Subject: [PATCH 1/2] urldata: remove the _ORIG suffix from string names
-
-It doesn't provide any useful info but only makes the names longer.
-
-Closes #6624
-
-Upstream-commit: 70472a44deaff387cf8c8c197e04f3add2a96e2e
-Signed-off-by: Kamil Dudka <kdudka@redhat.com>
----
- lib/doh.c            | 12 ++++++------
- lib/setopt.c         | 38 +++++++++++++++++++-------------------
- lib/url.c            | 42 +++++++++++++++++++++---------------------
- lib/urldata.h        | 34 +++++++++++++++++-----------------
- lib/vtls/gskit.c     |  2 +-
- lib/vtls/gtls.c      |  2 +-
- lib/vtls/mbedtls.c   |  4 ++--
- lib/vtls/nss.c       |  2 +-
- lib/vtls/openssl.c   |  2 +-
- lib/vtls/schannel.c  |  2 +-
- lib/vtls/sectransp.c |  7 ++++---
- lib/vtls/wolfssl.c   |  4 ++--
- 12 files changed, 76 insertions(+), 75 deletions(-)
-
-diff --git a/lib/doh.c b/lib/doh.c
-index ebb2c24..cbd34f6 100644
---- a/lib/doh.c
-+++ b/lib/doh.c
-@@ -318,17 +318,17 @@ static CURLcode dohprobe(struct Curl_easy *data,
-       ERROR_CHECK_SETOPT(CURLOPT_SSL_VERIFYPEER, 1L);
-     if(data->set.ssl.primary.verifystatus)
-       ERROR_CHECK_SETOPT(CURLOPT_SSL_VERIFYSTATUS, 1L);
--    if(data->set.str[STRING_SSL_CAFILE_ORIG]) {
-+    if(data->set.str[STRING_SSL_CAFILE]) {
-       ERROR_CHECK_SETOPT(CURLOPT_CAINFO,
--        data->set.str[STRING_SSL_CAFILE_ORIG]);
-+        data->set.str[STRING_SSL_CAFILE]);
-     }
--    if(data->set.str[STRING_SSL_CAPATH_ORIG]) {
-+    if(data->set.str[STRING_SSL_CAPATH]) {
-       ERROR_CHECK_SETOPT(CURLOPT_CAPATH,
--        data->set.str[STRING_SSL_CAPATH_ORIG]);
-+        data->set.str[STRING_SSL_CAPATH]);
-     }
--    if(data->set.str[STRING_SSL_CRLFILE_ORIG]) {
-+    if(data->set.str[STRING_SSL_CRLFILE]) {
-       ERROR_CHECK_SETOPT(CURLOPT_CRLFILE,
--        data->set.str[STRING_SSL_CRLFILE_ORIG]);
-+        data->set.str[STRING_SSL_CRLFILE]);
-     }
-     if(data->set.ssl.certinfo)
-       ERROR_CHECK_SETOPT(CURLOPT_CERTINFO, 1L);
-diff --git a/lib/setopt.c b/lib/setopt.c
-index d621335..58d92e2 100644
---- a/lib/setopt.c
-+++ b/lib/setopt.c
-@@ -174,7 +174,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
-     break;
-   case CURLOPT_SSL_CIPHER_LIST:
-     /* set a list of cipher we want to use in the SSL connection */
--    result = Curl_setstropt(&data->set.str[STRING_SSL_CIPHER_LIST_ORIG],
-+    result = Curl_setstropt(&data->set.str[STRING_SSL_CIPHER_LIST],
-                             va_arg(param, char *));
-     break;
- #ifndef CURL_DISABLE_PROXY
-@@ -187,7 +187,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
-   case CURLOPT_TLS13_CIPHERS:
-     if(Curl_ssl_tls13_ciphersuites()) {
-       /* set preferred list of TLS 1.3 cipher suites */
--      result = Curl_setstropt(&data->set.str[STRING_SSL_CIPHER13_LIST_ORIG],
-+      result = Curl_setstropt(&data->set.str[STRING_SSL_CIPHER13_LIST],
-                               va_arg(param, char *));
-     }
-     else
-@@ -1643,14 +1643,14 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
-     /*
-      * String that holds file name of the SSL certificate to use
-      */
--    result = Curl_setstropt(&data->set.str[STRING_CERT_ORIG],
-+    result = Curl_setstropt(&data->set.str[STRING_CERT],
-                             va_arg(param, char *));
-     break;
-   case CURLOPT_SSLCERT_BLOB:
-     /*
-      * Blob that holds file name of the SSL certificate to use
-      */
--    result = Curl_setblobopt(&data->set.blobs[BLOB_CERT_ORIG],
-+    result = Curl_setblobopt(&data->set.blobs[BLOB_CERT],
-                              va_arg(param, struct curl_blob *));
-     break;
- #ifndef CURL_DISABLE_PROXY
-@@ -1673,7 +1673,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
-     /*
-      * String that holds file type of the SSL certificate to use
-      */
--    result = Curl_setstropt(&data->set.str[STRING_CERT_TYPE_ORIG],
-+    result = Curl_setstropt(&data->set.str[STRING_CERT_TYPE],
-                             va_arg(param, char *));
-     break;
- #ifndef CURL_DISABLE_PROXY
-@@ -1689,14 +1689,14 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
-     /*
-      * String that holds file name of the SSL key to use
-      */
--    result = Curl_setstropt(&data->set.str[STRING_KEY_ORIG],
-+    result = Curl_setstropt(&data->set.str[STRING_KEY],
-                             va_arg(param, char *));
-     break;
-   case CURLOPT_SSLKEY_BLOB:
-     /*
-      * Blob that holds file name of the SSL key to use
-      */
--    result = Curl_setblobopt(&data->set.blobs[BLOB_KEY_ORIG],
-+    result = Curl_setblobopt(&data->set.blobs[BLOB_KEY],
-                              va_arg(param, struct curl_blob *));
-     break;
- #ifndef CURL_DISABLE_PROXY
-@@ -1719,7 +1719,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
-     /*
-      * String that holds file type of the SSL key to use
-      */
--    result = Curl_setstropt(&data->set.str[STRING_KEY_TYPE_ORIG],
-+    result = Curl_setstropt(&data->set.str[STRING_KEY_TYPE],
-                             va_arg(param, char *));
-     break;
- #ifndef CURL_DISABLE_PROXY
-@@ -1735,7 +1735,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
-     /*
-      * String that holds the SSL or SSH private key password.
-      */
--    result = Curl_setstropt(&data->set.str[STRING_KEY_PASSWD_ORIG],
-+    result = Curl_setstropt(&data->set.str[STRING_KEY_PASSWD],
-                             va_arg(param, char *));
-     break;
- #ifndef CURL_DISABLE_PROXY
-@@ -1944,7 +1944,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
-      */
- #ifdef USE_SSL
-     if(Curl_ssl->supports & SSLSUPP_PINNEDPUBKEY)
--      result = Curl_setstropt(&data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG],
-+      result = Curl_setstropt(&data->set.str[STRING_SSL_PINNEDPUBLICKEY],
-                               va_arg(param, char *));
-     else
- #endif
-@@ -1969,7 +1969,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
-     /*
-      * Set CA info for SSL connection. Specify file name of the CA certificate
-      */
--    result = Curl_setstropt(&data->set.str[STRING_SSL_CAFILE_ORIG],
-+    result = Curl_setstropt(&data->set.str[STRING_SSL_CAFILE],
-                             va_arg(param, char *));
-     break;
- #ifndef CURL_DISABLE_PROXY
-@@ -1990,7 +1990,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
- #ifdef USE_SSL
-     if(Curl_ssl->supports & SSLSUPP_CA_PATH)
-       /* This does not work on windows. */
--      result = Curl_setstropt(&data->set.str[STRING_SSL_CAPATH_ORIG],
-+      result = Curl_setstropt(&data->set.str[STRING_SSL_CAPATH],
-                               va_arg(param, char *));
-     else
- #endif
-@@ -2017,7 +2017,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
-      * Set CRL file info for SSL connection. Specify file name of the CRL
-      * to check certificates revocation
-      */
--    result = Curl_setstropt(&data->set.str[STRING_SSL_CRLFILE_ORIG],
-+    result = Curl_setstropt(&data->set.str[STRING_SSL_CRLFILE],
-                             va_arg(param, char *));
-     break;
- #ifndef CURL_DISABLE_PROXY
-@@ -2035,14 +2035,14 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
-      * Set Issuer certificate file
-      * to check certificates issuer
-      */
--    result = Curl_setstropt(&data->set.str[STRING_SSL_ISSUERCERT_ORIG],
-+    result = Curl_setstropt(&data->set.str[STRING_SSL_ISSUERCERT],
-                             va_arg(param, char *));
-     break;
-   case CURLOPT_ISSUERCERT_BLOB:
-     /*
-      * Blob that holds Issuer certificate to check certificates issuer
-      */
--    result = Curl_setblobopt(&data->set.blobs[BLOB_SSL_ISSUERCERT_ORIG],
-+    result = Curl_setblobopt(&data->set.blobs[BLOB_SSL_ISSUERCERT],
-                              va_arg(param, struct curl_blob *));
-     break;
- #ifndef CURL_DISABLE_PROXY
-@@ -2638,9 +2638,9 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
- #endif
- #ifdef USE_TLS_SRP
-   case CURLOPT_TLSAUTH_USERNAME:
--    result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_USERNAME_ORIG],
-+    result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_USERNAME],
-                             va_arg(param, char *));
--    if(data->set.str[STRING_TLSAUTH_USERNAME_ORIG] && !data->set.ssl.authtype)
-+    if(data->set.str[STRING_TLSAUTH_USERNAME] && !data->set.ssl.authtype)
-       data->set.ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */
-     break;
-   case CURLOPT_PROXY_TLSAUTH_USERNAME:
-@@ -2653,9 +2653,9 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
- #endif
-     break;
-   case CURLOPT_TLSAUTH_PASSWORD:
--    result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_PASSWORD_ORIG],
-+    result = Curl_setstropt(&data->set.str[STRING_TLSAUTH_PASSWORD],
-                             va_arg(param, char *));
--    if(data->set.str[STRING_TLSAUTH_USERNAME_ORIG] && !data->set.ssl.authtype)
-+    if(data->set.str[STRING_TLSAUTH_USERNAME] && !data->set.ssl.authtype)
-       data->set.ssl.authtype = CURL_TLSAUTH_SRP; /* default to SRP */
-     break;
-   case CURLOPT_PROXY_TLSAUTH_PASSWORD:
-diff --git a/lib/url.c b/lib/url.c
-index 307b66e..dd18c63 100644
---- a/lib/url.c
-+++ b/lib/url.c
-@@ -543,7 +543,7 @@ CURLcode Curl_init_userdefined(struct Curl_easy *data)
-    */
-   if(Curl_ssl_backend() != CURLSSLBACKEND_SCHANNEL) {
- #if defined(CURL_CA_BUNDLE)
--    result = Curl_setstropt(&set->str[STRING_SSL_CAFILE_ORIG], CURL_CA_BUNDLE);
-+    result = Curl_setstropt(&set->str[STRING_SSL_CAFILE], CURL_CA_BUNDLE);
-     if(result)
-       return result;
- 
-@@ -553,7 +553,7 @@ CURLcode Curl_init_userdefined(struct Curl_easy *data)
-       return result;
- #endif
- #if defined(CURL_CA_PATH)
--    result = Curl_setstropt(&set->str[STRING_SSL_CAPATH_ORIG], CURL_CA_PATH);
-+    result = Curl_setstropt(&set->str[STRING_SSL_CAPATH], CURL_CA_PATH);
-     if(result)
-       return result;
- 
-@@ -3600,17 +3600,17 @@ static CURLcode create_conn(struct Curl_easy *data,
-      that will be freed as part of the Curl_easy struct, but all cloned
-      copies will be separately allocated.
-   */
--  data->set.ssl.primary.CApath = data->set.str[STRING_SSL_CAPATH_ORIG];
--  data->set.ssl.primary.CAfile = data->set.str[STRING_SSL_CAFILE_ORIG];
-+  data->set.ssl.primary.CApath = data->set.str[STRING_SSL_CAPATH];
-+  data->set.ssl.primary.CAfile = data->set.str[STRING_SSL_CAFILE];
-   data->set.ssl.primary.random_file = data->set.str[STRING_SSL_RANDOM_FILE];
-   data->set.ssl.primary.egdsocket = data->set.str[STRING_SSL_EGDSOCKET];
-   data->set.ssl.primary.cipher_list =
--    data->set.str[STRING_SSL_CIPHER_LIST_ORIG];
-+    data->set.str[STRING_SSL_CIPHER_LIST];
-   data->set.ssl.primary.cipher_list13 =
--    data->set.str[STRING_SSL_CIPHER13_LIST_ORIG];
-+    data->set.str[STRING_SSL_CIPHER13_LIST];
-   data->set.ssl.primary.pinned_key =
--    data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG];
--  data->set.ssl.primary.cert_blob = data->set.blobs[BLOB_CERT_ORIG];
-+    data->set.str[STRING_SSL_PINNEDPUBLICKEY];
-+  data->set.ssl.primary.cert_blob = data->set.blobs[BLOB_CERT];
- 
- #ifndef CURL_DISABLE_PROXY
-   data->set.proxy_ssl.primary.CApath = data->set.str[STRING_SSL_CAPATH_PROXY];
-@@ -3636,26 +3636,26 @@ static CURLcode create_conn(struct Curl_easy *data,
-   data->set.proxy_ssl.cert_blob = data->set.blobs[BLOB_CERT_PROXY];
-   data->set.proxy_ssl.key_blob = data->set.blobs[BLOB_KEY_PROXY];
- #endif
--  data->set.ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE_ORIG];
--  data->set.ssl.issuercert = data->set.str[STRING_SSL_ISSUERCERT_ORIG];
--  data->set.ssl.cert = data->set.str[STRING_CERT_ORIG];
--  data->set.ssl.cert_type = data->set.str[STRING_CERT_TYPE_ORIG];
--  data->set.ssl.key = data->set.str[STRING_KEY_ORIG];
--  data->set.ssl.key_type = data->set.str[STRING_KEY_TYPE_ORIG];
--  data->set.ssl.key_passwd = data->set.str[STRING_KEY_PASSWD_ORIG];
--  data->set.ssl.primary.clientcert = data->set.str[STRING_CERT_ORIG];
-+  data->set.ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE];
-+  data->set.ssl.issuercert = data->set.str[STRING_SSL_ISSUERCERT];
-+  data->set.ssl.cert = data->set.str[STRING_CERT];
-+  data->set.ssl.cert_type = data->set.str[STRING_CERT_TYPE];
-+  data->set.ssl.key = data->set.str[STRING_KEY];
-+  data->set.ssl.key_type = data->set.str[STRING_KEY_TYPE];
-+  data->set.ssl.key_passwd = data->set.str[STRING_KEY_PASSWD];
-+  data->set.ssl.primary.clientcert = data->set.str[STRING_CERT];
- #ifdef USE_TLS_SRP
--  data->set.ssl.username = data->set.str[STRING_TLSAUTH_USERNAME_ORIG];
--  data->set.ssl.password = data->set.str[STRING_TLSAUTH_PASSWORD_ORIG];
-+  data->set.ssl.username = data->set.str[STRING_TLSAUTH_USERNAME];
-+  data->set.ssl.password = data->set.str[STRING_TLSAUTH_PASSWORD];
- #ifndef CURL_DISABLE_PROXY
-   data->set.proxy_ssl.username = data->set.str[STRING_TLSAUTH_USERNAME_PROXY];
-   data->set.proxy_ssl.password = data->set.str[STRING_TLSAUTH_PASSWORD_PROXY];
- #endif
- #endif
- 
--  data->set.ssl.cert_blob = data->set.blobs[BLOB_CERT_ORIG];
--  data->set.ssl.key_blob = data->set.blobs[BLOB_KEY_ORIG];
--  data->set.ssl.issuercert_blob = data->set.blobs[BLOB_SSL_ISSUERCERT_ORIG];
-+  data->set.ssl.cert_blob = data->set.blobs[BLOB_CERT];
-+  data->set.ssl.key_blob = data->set.blobs[BLOB_KEY];
-+  data->set.ssl.issuercert_blob = data->set.blobs[BLOB_SSL_ISSUERCERT];
- 
-   if(!Curl_clone_primary_ssl_config(&data->set.ssl.primary,
-                                     &conn->ssl_config)) {
-diff --git a/lib/urldata.h b/lib/urldata.h
-index df9d998..0fb046f 100644
---- a/lib/urldata.h
-+++ b/lib/urldata.h
-@@ -1491,9 +1491,9 @@ struct Curl_multi;    /* declared and used only in multi.c */
-  * are catered for in curl_easy_setopt_ccsid()
-  */
- enum dupstring {
--  STRING_CERT_ORIG,       /* client certificate file name */
-+  STRING_CERT,            /* client certificate file name */
-   STRING_CERT_PROXY,      /* client certificate file name */
--  STRING_CERT_TYPE_ORIG,  /* format for certificate (default: PEM)*/
-+  STRING_CERT_TYPE,       /* format for certificate (default: PEM)*/
-   STRING_CERT_TYPE_PROXY, /* format for certificate (default: PEM)*/
-   STRING_COOKIE,          /* HTTP cookie string to send */
-   STRING_COOKIEJAR,       /* dump all cookies to this file */
-@@ -1504,11 +1504,11 @@ enum dupstring {
-   STRING_FTP_ACCOUNT,     /* ftp account data */
-   STRING_FTP_ALTERNATIVE_TO_USER, /* command to send if USER/PASS fails */
-   STRING_FTPPORT,         /* port to send with the FTP PORT command */
--  STRING_KEY_ORIG,        /* private key file name */
-+  STRING_KEY,             /* private key file name */
-   STRING_KEY_PROXY,       /* private key file name */
--  STRING_KEY_PASSWD_ORIG, /* plain text private key password */
-+  STRING_KEY_PASSWD,      /* plain text private key password */
-   STRING_KEY_PASSWD_PROXY, /* plain text private key password */
--  STRING_KEY_TYPE_ORIG,   /* format for private key (default: PEM) */
-+  STRING_KEY_TYPE,        /* format for private key (default: PEM) */
-   STRING_KEY_TYPE_PROXY,  /* format for private key (default: PEM) */
-   STRING_KRB_LEVEL,       /* krb security level */
-   STRING_NETRC_FILE,      /* if not NULL, use this instead of trying to find
-@@ -1518,22 +1518,22 @@ enum dupstring {
-   STRING_SET_RANGE,       /* range, if used */
-   STRING_SET_REFERER,     /* custom string for the HTTP referer field */
-   STRING_SET_URL,         /* what original URL to work on */
--  STRING_SSL_CAPATH_ORIG, /* CA directory name (doesn't work on windows) */
-+  STRING_SSL_CAPATH,      /* CA directory name (doesn't work on windows) */
-   STRING_SSL_CAPATH_PROXY, /* CA directory name (doesn't work on windows) */
--  STRING_SSL_CAFILE_ORIG, /* certificate file to verify peer against */
-+  STRING_SSL_CAFILE,      /* certificate file to verify peer against */
-   STRING_SSL_CAFILE_PROXY, /* certificate file to verify peer against */
--  STRING_SSL_PINNEDPUBLICKEY_ORIG, /* public key file to verify peer against */
-+  STRING_SSL_PINNEDPUBLICKEY, /* public key file to verify peer against */
-   STRING_SSL_PINNEDPUBLICKEY_PROXY, /* public key file to verify proxy */
--  STRING_SSL_CIPHER_LIST_ORIG, /* list of ciphers to use */
-+  STRING_SSL_CIPHER_LIST, /* list of ciphers to use */
-   STRING_SSL_CIPHER_LIST_PROXY, /* list of ciphers to use */
--  STRING_SSL_CIPHER13_LIST_ORIG, /* list of TLS 1.3 ciphers to use */
-+  STRING_SSL_CIPHER13_LIST, /* list of TLS 1.3 ciphers to use */
-   STRING_SSL_CIPHER13_LIST_PROXY, /* list of TLS 1.3 ciphers to use */
-   STRING_SSL_EGDSOCKET,   /* path to file containing the EGD daemon socket */
-   STRING_SSL_RANDOM_FILE, /* path to file containing "random" data */
-   STRING_USERAGENT,       /* User-Agent string */
--  STRING_SSL_CRLFILE_ORIG, /* crl file to check certificate */
-+  STRING_SSL_CRLFILE,     /* crl file to check certificate */
-   STRING_SSL_CRLFILE_PROXY, /* crl file to check certificate */
--  STRING_SSL_ISSUERCERT_ORIG, /* issuer cert file to check certificate */
-+  STRING_SSL_ISSUERCERT, /* issuer cert file to check certificate */
-   STRING_SSL_ISSUERCERT_PROXY, /* issuer cert file to check certificate */
-   STRING_SSL_ENGINE,      /* name of ssl engine */
-   STRING_USERNAME,        /* <username>, if used */
-@@ -1557,9 +1557,9 @@ enum dupstring {
-   STRING_MAIL_FROM,
-   STRING_MAIL_AUTH,
- 
--  STRING_TLSAUTH_USERNAME_ORIG,  /* TLS auth <username> */
-+  STRING_TLSAUTH_USERNAME,  /* TLS auth <username> */
-   STRING_TLSAUTH_USERNAME_PROXY, /* TLS auth <username> */
--  STRING_TLSAUTH_PASSWORD_ORIG,  /* TLS auth <password> */
-+  STRING_TLSAUTH_PASSWORD,  /* TLS auth <password> */
-   STRING_TLSAUTH_PASSWORD_PROXY, /* TLS auth <password> */
- 
-   STRING_BEARER,                /* <bearer>, if used */
-@@ -1593,11 +1593,11 @@ enum dupstring {
- };
- 
- enum dupblob {
--  BLOB_CERT_ORIG,
-+  BLOB_CERT,
-   BLOB_CERT_PROXY,
--  BLOB_KEY_ORIG,
-+  BLOB_KEY,
-   BLOB_KEY_PROXY,
--  BLOB_SSL_ISSUERCERT_ORIG,
-+  BLOB_SSL_ISSUERCERT,
-   BLOB_SSL_ISSUERCERT_PROXY,
-   BLOB_LAST
- };
-diff --git a/lib/vtls/gskit.c b/lib/vtls/gskit.c
-index 0538e4a..de9a9db 100644
---- a/lib/vtls/gskit.c
-+++ b/lib/vtls/gskit.c
-@@ -1039,7 +1039,7 @@ static CURLcode gskit_connect_step3(struct connectdata *conn, int sockindex)
- 
-   /* Check pinned public key. */
-   ptr = SSL_IS_PROXY() ? data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY] :
--                         data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG];
-+    data->set.str[STRING_SSL_PINNEDPUBLICKEY];
-   if(!result && ptr) {
-     curl_X509certificate x509;
-     curl_asn1Element *p;
-diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c
-index 9b4c365..2ce5749 100644
---- a/lib/vtls/gtls.c
-+++ b/lib/vtls/gtls.c
-@@ -1184,7 +1184,7 @@ gtls_connect_step3(struct connectdata *conn,
-   }
- 
-   ptr = SSL_IS_PROXY() ? data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY] :
--        data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG];
-+    data->set.str[STRING_SSL_PINNEDPUBLICKEY];
-   if(ptr) {
-     result = pkp_pin_peer_pubkey(data, x509_cert, ptr);
-     if(result != CURLE_OK) {
-diff --git a/lib/vtls/mbedtls.c b/lib/vtls/mbedtls.c
-index 545f824..bf3683d 100644
---- a/lib/vtls/mbedtls.c
-+++ b/lib/vtls/mbedtls.c
-@@ -546,10 +546,10 @@ mbed_connect_step2(struct connectdata *conn,
- #ifndef CURL_DISABLE_PROXY
-   const char * const pinnedpubkey = SSL_IS_PROXY() ?
-     data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY] :
--    data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG];
-+    data->set.str[STRING_SSL_PINNEDPUBLICKEY];
- #else
-   const char * const pinnedpubkey =
--    data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG];
-+    data->set.str[STRING_SSL_PINNEDPUBLICKEY];
- #endif
- 
-   conn->recv[sockindex] = mbed_recv;
-diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c
-index fca2926..9dad33f 100644
---- a/lib/vtls/nss.c
-+++ b/lib/vtls/nss.c
-@@ -2131,7 +2131,7 @@ static CURLcode nss_do_connect(struct connectdata *conn, int sockindex)
-     &data->set.proxy_ssl.certverifyresult : &data->set.ssl.certverifyresult;
-   const char * const pinnedpubkey = SSL_IS_PROXY() ?
-               data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY] :
--              data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG];
-+              data->set.str[STRING_SSL_PINNEDPUBLICKEY];
- 
- 
-   /* check timeout situation */
-diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
-index 16276f3..acf6577 100644
---- a/lib/vtls/openssl.c
-+++ b/lib/vtls/openssl.c
-@@ -3965,7 +3965,7 @@ static CURLcode servercert(struct connectdata *conn,
-     result = CURLE_OK;
- 
-   ptr = SSL_IS_PROXY() ? data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY] :
--                         data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG];
-+    data->set.str[STRING_SSL_PINNEDPUBLICKEY];
-   if(!result && ptr) {
-     result = pkp_pin_peer_pubkey(data, backend->server_cert, ptr);
-     if(result)
-diff --git a/lib/vtls/schannel.c b/lib/vtls/schannel.c
-index 1996526..ba82513 100644
---- a/lib/vtls/schannel.c
-+++ b/lib/vtls/schannel.c
-@@ -1243,7 +1243,7 @@ schannel_connect_step2(struct connectdata *conn, int sockindex)
- 
-   pubkey_ptr = SSL_IS_PROXY() ?
-     data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY] :
--    data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG];
-+    data->set.str[STRING_SSL_PINNEDPUBLICKEY];
-   if(pubkey_ptr) {
-     result = pkp_pin_peer_pubkey(conn, sockindex, pubkey_ptr);
-     if(result) {
-diff --git a/lib/vtls/sectransp.c b/lib/vtls/sectransp.c
-index 2627aff..120df3a 100644
---- a/lib/vtls/sectransp.c
-+++ b/lib/vtls/sectransp.c
-@@ -2609,9 +2609,10 @@ sectransp_connect_step2(struct connectdata *conn, int sockindex)
-     connssl->connecting_state = ssl_connect_3;
- 
- #ifdef SECTRANSP_PINNEDPUBKEY
--    if(data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG]) {
--      CURLcode result = pkp_pin_peer_pubkey(data, backend->ssl_ctx,
--                            data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG]);
-+    if(data->set.str[STRING_SSL_PINNEDPUBLICKEY]) {
-+      CURLcode result =
-+        pkp_pin_peer_pubkey(data, backend->ssl_ctx,
-+                            data->set.str[STRING_SSL_PINNEDPUBLICKEY]);
-       if(result) {
-         failf(data, "SSL: public key does not match pinned public key!");
-         return result;
-diff --git a/lib/vtls/wolfssl.c b/lib/vtls/wolfssl.c
-index 7b2a124..fc41748 100644
---- a/lib/vtls/wolfssl.c
-+++ b/lib/vtls/wolfssl.c
-@@ -549,12 +549,12 @@ wolfssl_connect_step2(struct connectdata *conn,
-     conn->http_proxy.host.dispname : conn->host.dispname;
-   const char * const pinnedpubkey = SSL_IS_PROXY() ?
-     data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY] :
--    data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG];
-+    data->set.str[STRING_SSL_PINNEDPUBLICKEY];
- #else
-   const char * const hostname = conn->host.name;
-   const char * const dispname = conn->host.dispname;
-   const char * const pinnedpubkey =
--    data->set.str[STRING_SSL_PINNEDPUBLICKEY_ORIG];
-+    data->set.str[STRING_SSL_PINNEDPUBLICKEY];
- #endif
- 
-   conn->recv[sockindex] = wolfssl_recv;
--- 
-2.31.1
-
-
-From fea46e2ddc6050b0aa008033325afbb0606d2b55 Mon Sep 17 00:00:00 2001
-From: Daniel Stenberg <daniel@haxx.se>
-Date: Sat, 19 Jun 2021 00:42:28 +0200
-Subject: [PATCH 2/2] vtls: fix connection reuse checks for issuer cert and
- case sensitivity
-
-CVE-2021-22924
-
-Reported-by: Harry Sintonen
-Bug: https://curl.se/docs/CVE-2021-22924.html
-
-Upstream-commit: 5ea3145850ebff1dc2b13d17440300a01ca38161
-Signed-off-by: Kamil Dudka <kdudka@redhat.com>
----
- lib/url.c          |  9 ++++++---
- lib/urldata.h      |  4 ++--
- lib/vtls/gtls.c    | 10 +++++-----
- lib/vtls/nss.c     |  4 ++--
- lib/vtls/openssl.c | 18 +++++++++---------
- lib/vtls/vtls.c    | 26 +++++++++++++++++++++-----
- 6 files changed, 45 insertions(+), 26 deletions(-)
-
-diff --git a/lib/url.c b/lib/url.c
-index dd18c63..71e226e 100644
---- a/lib/url.c
-+++ b/lib/url.c
-@@ -3602,6 +3602,8 @@ static CURLcode create_conn(struct Curl_easy *data,
-   */
-   data->set.ssl.primary.CApath = data->set.str[STRING_SSL_CAPATH];
-   data->set.ssl.primary.CAfile = data->set.str[STRING_SSL_CAFILE];
-+  data->set.ssl.primary.issuercert = data->set.str[STRING_SSL_ISSUERCERT];
-+  data->set.ssl.primary.issuercert_blob = data->set.blobs[BLOB_SSL_ISSUERCERT];
-   data->set.ssl.primary.random_file = data->set.str[STRING_SSL_RANDOM_FILE];
-   data->set.ssl.primary.egdsocket = data->set.str[STRING_SSL_EGDSOCKET];
-   data->set.ssl.primary.cipher_list =
-@@ -3625,8 +3627,11 @@ static CURLcode create_conn(struct Curl_easy *data,
-   data->set.proxy_ssl.primary.pinned_key =
-     data->set.str[STRING_SSL_PINNEDPUBLICKEY_PROXY];
-   data->set.proxy_ssl.primary.cert_blob = data->set.blobs[BLOB_CERT_PROXY];
-+  data->set.proxy_ssl.primary.issuercert =
-+    data->set.str[STRING_SSL_ISSUERCERT_PROXY];
-+  data->set.proxy_ssl.primary.issuercert_blob =
-+    data->set.blobs[BLOB_SSL_ISSUERCERT_PROXY];
-   data->set.proxy_ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE_PROXY];
--  data->set.proxy_ssl.issuercert = data->set.str[STRING_SSL_ISSUERCERT_PROXY];
-   data->set.proxy_ssl.cert = data->set.str[STRING_CERT_PROXY];
-   data->set.proxy_ssl.cert_type = data->set.str[STRING_CERT_TYPE_PROXY];
-   data->set.proxy_ssl.key = data->set.str[STRING_KEY_PROXY];
-@@ -3637,7 +3642,6 @@ static CURLcode create_conn(struct Curl_easy *data,
-   data->set.proxy_ssl.key_blob = data->set.blobs[BLOB_KEY_PROXY];
- #endif
-   data->set.ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE];
--  data->set.ssl.issuercert = data->set.str[STRING_SSL_ISSUERCERT];
-   data->set.ssl.cert = data->set.str[STRING_CERT];
-   data->set.ssl.cert_type = data->set.str[STRING_CERT_TYPE];
-   data->set.ssl.key = data->set.str[STRING_KEY];
-@@ -3655,7 +3659,6 @@ static CURLcode create_conn(struct Curl_easy *data,
- 
-   data->set.ssl.cert_blob = data->set.blobs[BLOB_CERT];
-   data->set.ssl.key_blob = data->set.blobs[BLOB_KEY];
--  data->set.ssl.issuercert_blob = data->set.blobs[BLOB_SSL_ISSUERCERT];
- 
-   if(!Curl_clone_primary_ssl_config(&data->set.ssl.primary,
-                                     &conn->ssl_config)) {
-diff --git a/lib/urldata.h b/lib/urldata.h
-index 0fb046f..8b5b597 100644
---- a/lib/urldata.h
-+++ b/lib/urldata.h
-@@ -223,6 +223,7 @@ struct ssl_primary_config {
-   long version_max;      /* max supported version the client wants to use*/
-   char *CApath;          /* certificate dir (doesn't work on windows) */
-   char *CAfile;          /* certificate to verify peer against */
-+  char *issuercert;      /* optional issuer certificate filename */
-   char *clientcert;
-   char *random_file;     /* path to file containing "random" data */
-   char *egdsocket;       /* path to file containing the EGD daemon socket */
-@@ -230,6 +231,7 @@ struct ssl_primary_config {
-   char *cipher_list13;   /* list of TLS 1.3 cipher suites to use */
-   char *pinned_key;
-   struct curl_blob *cert_blob;
-+  struct curl_blob *issuercert_blob;
-   BIT(verifypeer);       /* set TRUE if this is desired */
-   BIT(verifyhost);       /* set TRUE if CN/SAN must match hostname */
-   BIT(verifystatus);     /* set TRUE if certificate status must be checked */
-@@ -240,8 +242,6 @@ struct ssl_config_data {
-   struct ssl_primary_config primary;
-   long certverifyresult; /* result from the certificate verification */
-   char *CRLfile;   /* CRL to check certificate revocation */
--  char *issuercert;/* optional issuer certificate filename */
--  struct curl_blob *issuercert_blob;
-   curl_ssl_ctx_callback fsslctx; /* function to initialize ssl ctx */
-   void *fsslctxp;        /* parameter for call back */
-   char *cert; /* client certificate file name */
-diff --git a/lib/vtls/gtls.c b/lib/vtls/gtls.c
-index 2ce5749..1b87085 100644
---- a/lib/vtls/gtls.c
-+++ b/lib/vtls/gtls.c
-@@ -851,7 +851,7 @@ gtls_connect_step3(struct connectdata *conn,
-   if(!chainp) {
-     if(SSL_CONN_CONFIG(verifypeer) ||
-        SSL_CONN_CONFIG(verifyhost) ||
--       SSL_SET_OPTION(issuercert)) {
-+       SSL_CONN_CONFIG(issuercert)) {
- #ifdef USE_TLS_SRP
-       if(SSL_SET_OPTION(authtype) == CURL_TLSAUTH_SRP
-          && SSL_SET_OPTION(username) != NULL
-@@ -1035,21 +1035,21 @@ gtls_connect_step3(struct connectdata *conn,
-        gnutls_x509_crt_t format */
-     gnutls_x509_crt_import(x509_cert, chainp, GNUTLS_X509_FMT_DER);
- 
--  if(SSL_SET_OPTION(issuercert)) {
-+  if(SSL_CONN_CONFIG(issuercert)) {
-     gnutls_x509_crt_init(&x509_issuer);
--    issuerp = load_file(SSL_SET_OPTION(issuercert));
-+    issuerp = load_file(SSL_CONN_CONFIG(issuercert));
-     gnutls_x509_crt_import(x509_issuer, &issuerp, GNUTLS_X509_FMT_PEM);
-     rc = gnutls_x509_crt_check_issuer(x509_cert, x509_issuer);
-     gnutls_x509_crt_deinit(x509_issuer);
-     unload_file(issuerp);
-     if(rc <= 0) {
-       failf(data, "server certificate issuer check failed (IssuerCert: %s)",
--            SSL_SET_OPTION(issuercert)?SSL_SET_OPTION(issuercert):"none");
-+            SSL_CONN_CONFIG(issuercert)?SSL_CONN_CONFIG(issuercert):"none");
-       gnutls_x509_crt_deinit(x509_cert);
-       return CURLE_SSL_ISSUER_ERROR;
-     }
-     infof(data, "\t server certificate issuer check OK (Issuer Cert: %s)\n",
--          SSL_SET_OPTION(issuercert)?SSL_SET_OPTION(issuercert):"none");
-+          SSL_CONN_CONFIG(issuercert)?SSL_CONN_CONFIG(issuercert):"none");
-   }
- 
-   size = sizeof(certname);
-diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c
-index 9dad33f..d1b0016 100644
---- a/lib/vtls/nss.c
-+++ b/lib/vtls/nss.c
-@@ -2159,9 +2159,9 @@ static CURLcode nss_do_connect(struct connectdata *conn, int sockindex)
-   if(result)
-     goto error;
- 
--  if(SSL_SET_OPTION(issuercert)) {
-+  if(SSL_CONN_CONFIG(issuercert)) {
-     SECStatus ret = SECFailure;
--    char *nickname = dup_nickname(data, SSL_SET_OPTION(issuercert));
-+    char *nickname = dup_nickname(data, SSL_CONN_CONFIG(issuercert));
-     if(nickname) {
-       /* we support only nicknames in case of issuercert for now */
-       ret = check_issuer_cert(backend->handle, nickname);
-diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
-index acf6577..56171ae 100644
---- a/lib/vtls/openssl.c
-+++ b/lib/vtls/openssl.c
-@@ -3871,10 +3871,10 @@ static CURLcode servercert(struct connectdata *conn,
-        deallocating the certificate. */
- 
-     /* e.g. match issuer name with provided issuer certificate */
--    if(SSL_SET_OPTION(issuercert) || SSL_SET_OPTION(issuercert_blob)) {
--      if(SSL_SET_OPTION(issuercert_blob))
--        fp = BIO_new_mem_buf(SSL_SET_OPTION(issuercert_blob)->data,
--                             (int)SSL_SET_OPTION(issuercert_blob)->len);
-+    if(SSL_CONN_CONFIG(issuercert) || SSL_CONN_CONFIG(issuercert_blob)) {
-+      if(SSL_CONN_CONFIG(issuercert_blob))
-+        fp = BIO_new_mem_buf(SSL_CONN_CONFIG(issuercert_blob)->data,
-+                             (int)SSL_CONN_CONFIG(issuercert_blob)->len);
-       else {
-         fp = BIO_new(BIO_s_file());
-         if(fp == NULL) {
-@@ -3888,10 +3888,10 @@ static CURLcode servercert(struct connectdata *conn,
-           return CURLE_OUT_OF_MEMORY;
-         }
- 
--        if(BIO_read_filename(fp, SSL_SET_OPTION(issuercert)) <= 0) {
-+        if(BIO_read_filename(fp, SSL_CONN_CONFIG(issuercert)) <= 0) {
-           if(strict)
-             failf(data, "SSL: Unable to open issuer cert (%s)",
--                  SSL_SET_OPTION(issuercert));
-+                  SSL_CONN_CONFIG(issuercert));
-           BIO_free(fp);
-           X509_free(backend->server_cert);
-           backend->server_cert = NULL;
-@@ -3903,7 +3903,7 @@ static CURLcode servercert(struct connectdata *conn,
-       if(!issuer) {
-         if(strict)
-           failf(data, "SSL: Unable to read issuer cert (%s)",
--                SSL_SET_OPTION(issuercert));
-+                SSL_CONN_CONFIG(issuercert));
-         BIO_free(fp);
-         X509_free(issuer);
-         X509_free(backend->server_cert);
-@@ -3914,7 +3914,7 @@ static CURLcode servercert(struct connectdata *conn,
-       if(X509_check_issued(issuer, backend->server_cert) != X509_V_OK) {
-         if(strict)
-           failf(data, "SSL: Certificate issuer check failed (%s)",
--                SSL_SET_OPTION(issuercert));
-+                SSL_CONN_CONFIG(issuercert));
-         BIO_free(fp);
-         X509_free(issuer);
-         X509_free(backend->server_cert);
-@@ -3923,7 +3923,7 @@ static CURLcode servercert(struct connectdata *conn,
-       }
- 
-       infof(data, " SSL certificate issuer check ok (%s)\n",
--            SSL_SET_OPTION(issuercert));
-+            SSL_CONN_CONFIG(issuercert));
-       BIO_free(fp);
-       X509_free(issuer);
-     }
-diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
-index e50fdd2..855ee66 100644
---- a/lib/vtls/vtls.c
-+++ b/lib/vtls/vtls.c
-@@ -121,6 +121,16 @@ static bool blobcmp(struct curl_blob *first, struct curl_blob *second)
-   return !memcmp(first->data, second->data, first->len); /* same data */
- }
- 
-+static bool safecmp(char *a, char *b)
-+{
-+  if(a && b)
-+    return !strcmp(a, b);
-+  else if(!a && !b)
-+    return TRUE; /* match */
-+  return FALSE; /* no match */
-+}
-+
-+
- bool
- Curl_ssl_config_matches(struct ssl_primary_config *data,
-                         struct ssl_primary_config *needle)
-@@ -131,11 +141,13 @@ Curl_ssl_config_matches(struct ssl_primary_config *data,
-      (data->verifyhost == needle->verifyhost) &&
-      (data->verifystatus == needle->verifystatus) &&
-      blobcmp(data->cert_blob, needle->cert_blob) &&
--     Curl_safe_strcasecompare(data->CApath, needle->CApath) &&
--     Curl_safe_strcasecompare(data->CAfile, needle->CAfile) &&
--     Curl_safe_strcasecompare(data->clientcert, needle->clientcert) &&
--     Curl_safe_strcasecompare(data->random_file, needle->random_file) &&
--     Curl_safe_strcasecompare(data->egdsocket, needle->egdsocket) &&
-+     blobcmp(data->issuercert_blob, needle->issuercert_blob) &&
-+     safecmp(data->CApath, needle->CApath) &&
-+     safecmp(data->CAfile, needle->CAfile) &&
-+     safecmp(data->issuercert, needle->issuercert) &&
-+     safecmp(data->clientcert, needle->clientcert) &&
-+     safecmp(data->random_file, needle->random_file) &&
-+     safecmp(data->egdsocket, needle->egdsocket) &&
-      Curl_safe_strcasecompare(data->cipher_list, needle->cipher_list) &&
-      Curl_safe_strcasecompare(data->cipher_list13, needle->cipher_list13) &&
-      Curl_safe_strcasecompare(data->pinned_key, needle->pinned_key))
-@@ -156,8 +168,10 @@ Curl_clone_primary_ssl_config(struct ssl_primary_config *source,
-   dest->sessionid = source->sessionid;
- 
-   CLONE_BLOB(cert_blob);
-+  CLONE_BLOB(issuercert_blob);
-   CLONE_STRING(CApath);
-   CLONE_STRING(CAfile);
-+  CLONE_STRING(issuercert);
-   CLONE_STRING(clientcert);
-   CLONE_STRING(random_file);
-   CLONE_STRING(egdsocket);
-@@ -172,6 +186,7 @@ void Curl_free_primary_ssl_config(struct ssl_primary_config *sslc)
- {
-   Curl_safefree(sslc->CApath);
-   Curl_safefree(sslc->CAfile);
-+  Curl_safefree(sslc->issuercert);
-   Curl_safefree(sslc->clientcert);
-   Curl_safefree(sslc->random_file);
-   Curl_safefree(sslc->egdsocket);
-@@ -179,6 +194,7 @@ void Curl_free_primary_ssl_config(struct ssl_primary_config *sslc)
-   Curl_safefree(sslc->cipher_list13);
-   Curl_safefree(sslc->pinned_key);
-   Curl_safefree(sslc->cert_blob);
-+  Curl_safefree(sslc->issuercert_blob);
- }
- 
- #ifdef USE_SSL
--- 
-2.31.1
-

0011-curl-7.71.1-CVE-2021-22898.patch

@@ -1,31 +0,0 @@
-From ae2dc830fb37e9243dbdaf8b92e41df91f43b3f2 Mon Sep 17 00:00:00 2001
-From: Harry Sintonen <sintonen@iki.fi>
-Date: Fri, 7 May 2021 13:09:57 +0200
-Subject: [PATCH] telnet: check sscanf() for correct number of matches
-
-CVE-2021-22898
-
-Bug: https://curl.se/docs/CVE-2021-22898.html
-
-Upstream-commit: 39ce47f219b09c380b81f89fe54ac586c8db6bde
-Signed-off-by: Kamil Dudka <kdudka@redhat.com>
----
- lib/telnet.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/lib/telnet.c b/lib/telnet.c
-index 1fc5af1..ea6bc71 100644
---- a/lib/telnet.c
-+++ b/lib/telnet.c
-@@ -967,7 +967,7 @@ static void suboption(struct connectdata *conn)
-         size_t tmplen = (strlen(v->data) + 1);
-         /* Add the variable only if it fits */
-         if(len + tmplen < (int)sizeof(temp)-6) {
--          if(sscanf(v->data, "%127[^,],%127s", varname, varval)) {
-+          if(sscanf(v->data, "%127[^,],%127s", varname, varval) == 2) {
-             msnprintf((char *)&temp[len], sizeof(temp) - len,
-                       "%c%s%c%s", CURL_NEW_ENV_VAR, varname,
-                       CURL_NEW_ENV_VALUE, varval);
--- 
-2.31.1
-

0012-curl-7.71.1-CVE-2021-22925.patch

@@ -1,47 +0,0 @@
-From 2fbbf282e42ae476459f7efe68a88dcb63dcc43b Mon Sep 17 00:00:00 2001
-From: Daniel Stenberg <daniel@haxx.se>
-Date: Sat, 12 Jun 2021 18:25:15 +0200
-Subject: [PATCH] telnet: fix option parser to not send uninitialized contents
-
-CVE-2021-22925
-
-Reported-by: Red Hat Product Security
-Bug: https://curl.se/docs/CVE-2021-22925.html
-
-Upstream-commit: 894f6ec730597eb243618d33cc84d71add8d6a8a
-Signed-off-by: Kamil Dudka <kdudka@redhat.com>
----
- lib/telnet.c | 17 +++++++++++------
- 1 file changed, 11 insertions(+), 6 deletions(-)
-
-diff --git a/lib/telnet.c b/lib/telnet.c
-index ea6bc71..f8428b8 100644
---- a/lib/telnet.c
-+++ b/lib/telnet.c
-@@ -967,12 +967,17 @@ static void suboption(struct connectdata *conn)
-         size_t tmplen = (strlen(v->data) + 1);
-         /* Add the variable only if it fits */
-         if(len + tmplen < (int)sizeof(temp)-6) {
--          if(sscanf(v->data, "%127[^,],%127s", varname, varval) == 2) {
--            msnprintf((char *)&temp[len], sizeof(temp) - len,
--                      "%c%s%c%s", CURL_NEW_ENV_VAR, varname,
--                      CURL_NEW_ENV_VALUE, varval);
--            len += tmplen;
--          }
-+          int rv;
-+          char sep[2] = "";
-+          varval[0] = 0;
-+          rv = sscanf(v->data, "%127[^,]%1[,]%127s", varname, sep, varval);
-+          if(rv == 1)
-+            len += msnprintf((char *)&temp[len], sizeof(temp) - len,
-+                             "%c%s", CURL_NEW_ENV_VAR, varname);
-+          else if(rv >= 2)
-+            len += msnprintf((char *)&temp[len], sizeof(temp) - len,
-+                             "%c%s%c%s", CURL_NEW_ENV_VAR, varname,
-+                             CURL_NEW_ENV_VALUE, varval);
-         }
-       }
-       msnprintf((char *)&temp[len], sizeof(temp) - len,
--- 
-2.31.1
-

0013-curl-7.71.1-CVE-2021-22945.patch

@@ -1,33 +0,0 @@
-From bb7619897e53ed424e0712ca5a4c93d5fae99715 Mon Sep 17 00:00:00 2001
-From: z2_ on hackerone <>
-Date: Tue, 24 Aug 2021 09:50:33 +0200
-Subject: [PATCH] mqtt: clear the leftovers pointer when sending succeeds
-
-CVE-2021-22945
-
-Bug: https://curl.se/docs/CVE-2021-22945.html
-
-Upstream-commit: 43157490a5054bd24256fe12876931e8abc9df49
-Signed-off-by: Kamil Dudka <kdudka@redhat.com>
----
- lib/mqtt.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/lib/mqtt.c b/lib/mqtt.c
-index d88fa73..f3fc045 100644
---- a/lib/mqtt.c
-+++ b/lib/mqtt.c
-@@ -123,6 +123,10 @@ static CURLcode mqtt_send(struct connectdata *conn,
-     mq->sendleftovers = sendleftovers;
-     mq->nsend = nsend;
-   }
-+  else {
-+    mq->sendleftovers = NULL;
-+    mq->nsend = 0;
-+  }
-   return result;
- }
- 
--- 
-2.31.1
-

0014-curl-7.71.1-CVE-2021-22946.patch

@@ -1,331 +0,0 @@
-From 03ca8c6faca7de6628f9cbec3001ec6466c88d07 Mon Sep 17 00:00:00 2001
-From: Patrick Monnerat <patrick@monnerat.net>
-Date: Wed, 8 Sep 2021 11:56:22 +0200
-Subject: [PATCH] ftp,imap,pop3: do not ignore --ssl-reqd
-
-In imap and pop3, check if TLS is required even when capabilities
-request has failed.
-
-In ftp, ignore preauthentication (230 status of server greeting) if TLS
-is required.
-
-Bug: https://curl.se/docs/CVE-2021-22946.html
-
-CVE-2021-22946
-
-Upstream-commit: 364f174724ef115c63d5e5dc1d3342c8a43b1cca
-Signed-off-by: Kamil Dudka <kdudka@redhat.com>
----
- lib/ftp.c               |  9 ++++---
- lib/imap.c              | 24 ++++++++----------
- lib/pop3.c              | 33 +++++++++++-------------
- tests/data/Makefile.inc |  2 ++
- tests/data/test984      | 56 +++++++++++++++++++++++++++++++++++++++++
- tests/data/test985      | 54 +++++++++++++++++++++++++++++++++++++++
- tests/data/test986      | 53 ++++++++++++++++++++++++++++++++++++++
- 7 files changed, 195 insertions(+), 36 deletions(-)
- create mode 100644 tests/data/test984
- create mode 100644 tests/data/test985
- create mode 100644 tests/data/test986
-
-diff --git a/lib/ftp.c b/lib/ftp.c
-index 71c9642..30ebeaa 100644
---- a/lib/ftp.c
-+++ b/lib/ftp.c
-@@ -2622,9 +2622,12 @@ static CURLcode ftp_statemach_act(struct connectdata *conn)
-     /* we have now received a full FTP server response */
-     switch(ftpc->state) {
-     case FTP_WAIT220:
--      if(ftpcode == 230)
--        /* 230 User logged in - already! */
--        return ftp_state_user_resp(conn, ftpcode, ftpc->state);
-+      if(ftpcode == 230) {
-+        /* 230 User logged in - already! Take as 220 if TLS required. */
-+        if(data->set.use_ssl <= CURLUSESSL_TRY ||
-+           conn->ssl[FIRSTSOCKET].use)
-+          return ftp_state_user_resp(conn, ftpcode, ftpc->state);
-+      }
-       else if(ftpcode != 220) {
-         failf(data, "Got a %03d ftp-server response when 220 was expected",
-               ftpcode);
-diff --git a/lib/imap.c b/lib/imap.c
-index bda23a5..7e159d4 100644
---- a/lib/imap.c
-+++ b/lib/imap.c
-@@ -917,22 +917,18 @@ static CURLcode imap_state_capability_resp(struct connectdata *conn,
-       line += wordlen;
-     }
-   }
--  else if(imapcode == IMAP_RESP_OK) {
--    if(data->set.use_ssl && !conn->ssl[FIRSTSOCKET].use) {
--      /* We don't have a SSL/TLS connection yet, but SSL is requested */
--      if(imapc->tls_supported)
--        /* Switch to TLS connection now */
--        result = imap_perform_starttls(conn);
--      else if(data->set.use_ssl == CURLUSESSL_TRY)
--        /* Fallback and carry on with authentication */
--        result = imap_perform_authentication(conn);
--      else {
--        failf(data, "STARTTLS not supported.");
--        result = CURLE_USE_SSL_FAILED;
--      }
-+  else if(data->set.use_ssl && !conn->ssl[FIRSTSOCKET].use) {
-+    /* PREAUTH is not compatible with STARTTLS. */
-+    if(imapcode == IMAP_RESP_OK && imapc->tls_supported && !imapc->preauth) {
-+      /* Switch to TLS connection now */
-+      result = imap_perform_starttls(conn);
-     }
--    else
-+    else if(data->set.use_ssl <= CURLUSESSL_TRY)
-       result = imap_perform_authentication(conn);
-+    else {
-+      failf(data, "STARTTLS not available.");
-+      result = CURLE_USE_SSL_FAILED;
-+    }
-   }
-   else
-     result = imap_perform_authentication(conn);
-diff --git a/lib/pop3.c b/lib/pop3.c
-index 04cc887..3e916ce 100644
---- a/lib/pop3.c
-+++ b/lib/pop3.c
-@@ -721,28 +721,23 @@ static CURLcode pop3_state_capa_resp(struct connectdata *conn, int pop3code,
-       }
-     }
-   }
--  else if(pop3code == '+') {
--    if(data->set.use_ssl && !conn->ssl[FIRSTSOCKET].use) {
--      /* We don't have a SSL/TLS connection yet, but SSL is requested */
--      if(pop3c->tls_supported)
--        /* Switch to TLS connection now */
--        result = pop3_perform_starttls(conn);
--      else if(data->set.use_ssl == CURLUSESSL_TRY)
--        /* Fallback and carry on with authentication */
--        result = pop3_perform_authentication(conn);
--      else {
--        failf(data, "STLS not supported.");
--        result = CURLE_USE_SSL_FAILED;
--      }
--    }
--    else
--      result = pop3_perform_authentication(conn);
--  }
-   else {
-     /* Clear text is supported when CAPA isn't recognised */
--    pop3c->authtypes |= POP3_TYPE_CLEARTEXT;
-+    if(pop3code != '+')
-+      pop3c->authtypes |= POP3_TYPE_CLEARTEXT;
- 
--    result = pop3_perform_authentication(conn);
-+    if(!data->set.use_ssl || conn->ssl[FIRSTSOCKET].use)
-+      result = pop3_perform_authentication(conn);
-+    else if(pop3code == '+' && pop3c->tls_supported)
-+      /* Switch to TLS connection now */
-+      result = pop3_perform_starttls(conn);
-+    else if(data->set.use_ssl <= CURLUSESSL_TRY)
-+      /* Fallback and carry on with authentication */
-+      result = pop3_perform_authentication(conn);
-+    else {
-+      failf(data, "STLS not supported.");
-+      result = CURLE_USE_SSL_FAILED;
-+    }
-   }
- 
-   return result;
-diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
-index ef9252b..1ba482b 100644
---- a/tests/data/Makefile.inc
-+++ b/tests/data/Makefile.inc
-@@ -115,6 +115,8 @@ test945 test946 test947 test948 test949 test950 test951 test952 test953 \
- test954 test955 test956 test957 test958 test959 test960 test961 test962 \
- test963 test964 test965 test966 test967 test968 test969 test970 test971 \
- \
-+test984 test985 test986 \
-+\
- test1000 test1001 test1002 test1003 test1004 test1005 test1006 test1007 \
- test1008 test1009 test1010 test1011 test1012 test1013 test1014 test1015 \
- test1016 test1017 test1018 test1019 test1020 test1021 test1022 test1023 \
-diff --git a/tests/data/test984 b/tests/data/test984
-new file mode 100644
-index 0000000..e573f23
---- /dev/null
-+++ b/tests/data/test984
-@@ -0,0 +1,56 @@
-+<testcase>
-+<info>
-+<keywords>
-+IMAP
-+STARTTLS
-+</keywords>
-+</info>
-+
-+#
-+# Server-side
-+<reply>
-+<servercmd>
-+REPLY CAPABILITY A001 BAD Not implemented
-+</servercmd>
-+</reply>
-+
-+#
-+# Client-side
-+<client>
-+<features>
-+SSL
-+</features>
-+<server>
-+imap
-+</server>
-+ <name>
-+IMAP require STARTTLS with failing capabilities
-+ </name>
-+ <command>
-+imap://%HOSTIP:%IMAPPORT/%TESTNUMBER -T log/upload%TESTNUMBER -u user:secret --ssl-reqd
-+</command>
-+<file name="log/upload%TESTNUMBER">
-+Date: Mon, 7 Feb 1994 21:52:25 -0800 (PST)
-+From: Fred Foobar <foobar@example.COM>
-+Subject: afternoon meeting
-+To: joe@example.com
-+Message-Id: <B27397-0100000@example.COM>
-+MIME-Version: 1.0
-+Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
-+
-+Hello Joe, do you think we can meet at 3:30 tomorrow?
-+</file>
-+</client>
-+
-+#
-+# Verify data after the test has been "shot"
-+<verify>
-+# 64 is CURLE_USE_SSL_FAILED
-+<errorcode>
-+64
-+</errorcode>
-+<protocol>
-+A001 CAPABILITY
-+</protocol>
-+</verify>
-+</testcase>
-diff --git a/tests/data/test985 b/tests/data/test985
-new file mode 100644
-index 0000000..d0db4aa
---- /dev/null
-+++ b/tests/data/test985
-@@ -0,0 +1,54 @@
-+<testcase>
-+<info>
-+<keywords>
-+POP3
-+STARTTLS
-+</keywords>
-+</info>
-+
-+#
-+# Server-side
-+<reply>
-+<servercmd>
-+REPLY CAPA -ERR Not implemented
-+</servercmd>
-+<data nocheck="yes">
-+From: me@somewhere
-+To: fake@nowhere
-+
-+body
-+
-+--
-+  yours sincerely
-+</data>
-+</reply>
-+
-+#
-+# Client-side
-+<client>
-+<features>
-+SSL
-+</features>
-+<server>
-+pop3
-+</server>
-+ <name>
-+POP3 require STARTTLS with failing capabilities
-+ </name>
-+ <command>
-+pop3://%HOSTIP:%POP3PORT/%TESTNUMBER -u user:secret --ssl-reqd
-+ </command>
-+</client>
-+
-+#
-+# Verify data after the test has been "shot"
-+<verify>
-+# 64 is CURLE_USE_SSL_FAILED
-+<errorcode>
-+64
-+</errorcode>
-+<protocol>
-+CAPA
-+</protocol>
-+</verify>
-+</testcase>
-diff --git a/tests/data/test986 b/tests/data/test986
-new file mode 100644
-index 0000000..a709437
---- /dev/null
-+++ b/tests/data/test986
-@@ -0,0 +1,53 @@
-+<testcase>
-+<info>
-+<keywords>
-+FTP
-+STARTTLS
-+</keywords>
-+</info>
-+
-+#
-+# Server-side
-+<reply>
-+<servercmd>
-+REPLY welcome 230 Welcome
-+REPLY AUTH 500 unknown command
-+</servercmd>
-+</reply>
-+
-+# Client-side
-+<client>
-+<features>
-+SSL
-+</features>
-+<server>
-+ftp
-+</server>
-+ <name>
-+FTP require STARTTLS while preauthenticated
-+ </name>
-+<file name="log/test%TESTNUMBER.txt">
-+data
-+    to
-+      see
-+that FTPS
-+works
-+  so does it?
-+</file>
-+ <command>
-+--ssl-reqd --ftp-ssl-control ftp://%HOSTIP:%FTPPORT/%TESTNUMBER -T log/test%TESTNUMBER.txt -u user:secret
-+</command>
-+</client>
-+
-+# Verify data after the test has been "shot"
-+<verify>
-+# 64 is CURLE_USE_SSL_FAILED
-+<errorcode>
-+64
-+</errorcode>
-+<protocol>
-+AUTH SSL
-+AUTH TLS
-+</protocol>
-+</verify>
-+</testcase>
--- 
-2.31.1
-

0015-curl-7.71.1-CVE-2021-22947.patch

@@ -1,354 +0,0 @@
-From a1ec463c8207bde97b3575d12e396e999a55a8d0 Mon Sep 17 00:00:00 2001
-From: Patrick Monnerat <patrick@monnerat.net>
-Date: Tue, 7 Sep 2021 13:26:42 +0200
-Subject: [PATCH] ftp,imap,pop3,smtp: reject STARTTLS server response
- pipelining
-
-If a server pipelines future responses within the STARTTLS response, the
-former are preserved in the pingpong cache across TLS negotiation and
-used as responses to the encrypted commands.
-
-This fix detects pipelined STARTTLS responses and rejects them with an
-error.
-
-CVE-2021-22947
-
-Bug: https://curl.se/docs/CVE-2021-22947.html
-
-Upstream-commit: 8ef147c43646e91fdaad5d0e7b60351f842e5c68
-Signed-off-by: Kamil Dudka <kdudka@redhat.com>
----
- lib/ftp.c               |  3 +++
- lib/imap.c              |  4 +++
- lib/pop3.c              |  4 +++
- lib/smtp.c              |  4 +++
- tests/data/Makefile.inc |  2 +-
- tests/data/test980      | 52 ++++++++++++++++++++++++++++++++++++
- tests/data/test981      | 59 +++++++++++++++++++++++++++++++++++++++++
- tests/data/test982      | 57 +++++++++++++++++++++++++++++++++++++++
- tests/data/test983      | 52 ++++++++++++++++++++++++++++++++++++
- 9 files changed, 236 insertions(+), 1 deletion(-)
- create mode 100644 tests/data/test980
- create mode 100644 tests/data/test981
- create mode 100644 tests/data/test982
- create mode 100644 tests/data/test983
-
-diff --git a/lib/ftp.c b/lib/ftp.c
-index 71f998e..e920138 100644
---- a/lib/ftp.c
-+++ b/lib/ftp.c
-@@ -2692,6 +2692,9 @@ static CURLcode ftp_statemach_act(struct connectdata *conn)
-     case FTP_AUTH:
-       /* we have gotten the response to a previous AUTH command */
- 
-+      if(pp->cache_size)
-+        return CURLE_WEIRD_SERVER_REPLY; /* Forbid pipelining in response. */
-+
-       /* RFC2228 (page 5) says:
-        *
-        * If the server is willing to accept the named security mechanism,
-diff --git a/lib/imap.c b/lib/imap.c
-index feb7445..09bc5d6 100644
---- a/lib/imap.c
-+++ b/lib/imap.c
-@@ -946,6 +946,10 @@ static CURLcode imap_state_starttls_resp(struct connectdata *conn,
- 
-   (void)instate; /* no use for this yet */
- 
-+  /* Pipelining in response is forbidden. */
-+  if(data->conn->proto.imapc.pp.cache_size)
-+    return CURLE_WEIRD_SERVER_REPLY;
-+
-   if(imapcode != IMAP_RESP_OK) {
-     if(data->set.use_ssl != CURLUSESSL_TRY) {
-       failf(data, "STARTTLS denied");
-diff --git a/lib/pop3.c b/lib/pop3.c
-index 7698d1c..dccfced 100644
---- a/lib/pop3.c
-+++ b/lib/pop3.c
-@@ -753,6 +753,10 @@ static CURLcode pop3_state_starttls_resp(struct connectdata *conn,
- 
-   (void)instate; /* no use for this yet */
- 
-+  /* Pipelining in response is forbidden. */
-+  if(data->conn->proto.pop3c.pp.cache_size)
-+    return CURLE_WEIRD_SERVER_REPLY;
-+
-   if(pop3code != '+') {
-     if(data->set.use_ssl != CURLUSESSL_TRY) {
-       failf(data, "STARTTLS denied");
-diff --git a/lib/smtp.c b/lib/smtp.c
-index 1defb25..1f89777 100644
---- a/lib/smtp.c
-+++ b/lib/smtp.c
-@@ -817,6 +817,10 @@ static CURLcode smtp_state_starttls_resp(struct connectdata *conn,
- 
-   (void)instate; /* no use for this yet */
- 
-+  /* Pipelining in response is forbidden. */
-+  if(data->conn->proto.smtpc.pp.cache_size)
-+    return CURLE_WEIRD_SERVER_REPLY;
-+
-   if(smtpcode != 220) {
-     if(data->set.use_ssl != CURLUSESSL_TRY) {
-       failf(data, "STARTTLS denied, code %d", smtpcode);
-diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
-index 163ce59..42b0569 100644
---- a/tests/data/Makefile.inc
-+++ b/tests/data/Makefile.inc
-@@ -115,7 +115,7 @@ test945 test946 test947 test948 test949 test950 test951 test952 test953 \
- test954 test955 test956 test957 test958 test959 test960 test961 test962 \
- test963 test964 test965 test966 test967 test968 test969 test970 test971 \
- \
--test984 test985 test986 \
-+test980 test981 test982 test983 test984 test985 test986 \
- \
- test1000 test1001 test1002 test1003 test1004 test1005 test1006 test1007 \
- test1008 test1009 test1010 test1011 test1012 test1013 test1014 test1015 \
-diff --git a/tests/data/test980 b/tests/data/test980
-new file mode 100644
-index 0000000..97567f8
---- /dev/null
-+++ b/tests/data/test980
-@@ -0,0 +1,52 @@
-+<testcase>
-+<info>
-+<keywords>
-+SMTP
-+STARTTLS
-+</keywords>
-+</info>
-+
-+#
-+# Server-side
-+<reply>
-+<servercmd>
-+CAPA STARTTLS
-+AUTH PLAIN
-+REPLY STARTTLS 454 currently unavailable\r\n235 Authenticated\r\n250 2.1.0 Sender ok\r\n250 2.1.5 Recipient ok\r\n354 Enter mail\r\n250 2.0.0 Accepted
-+REPLY AUTH 535 5.7.8 Authentication credentials invalid
-+</servercmd>
-+</reply>
-+
-+#
-+# Client-side
-+<client>
-+<features>
-+SSL
-+</features>
-+<server>
-+smtp
-+</server>
-+ <name>
-+SMTP STARTTLS pipelined server response
-+ </name>
-+<stdin>
-+mail body
-+</stdin>
-+ <command>
-+smtp://%HOSTIP:%SMTPPORT/%TESTNUMBER --mail-rcpt recipient@example.com --mail-from sender@example.com -u user:secret --ssl --sasl-ir -T -
-+</command>
-+</client>
-+
-+#
-+# Verify data after the test has been "shot"
-+<verify>
-+# 8 is CURLE_WEIRD_SERVER_REPLY
-+<errorcode>
-+8
-+</errorcode>
-+<protocol>
-+EHLO %TESTNUMBER
-+STARTTLS
-+</protocol>
-+</verify>
-+</testcase>
-diff --git a/tests/data/test981 b/tests/data/test981
-new file mode 100644
-index 0000000..2b98ce4
---- /dev/null
-+++ b/tests/data/test981
-@@ -0,0 +1,59 @@
-+<testcase>
-+<info>
-+<keywords>
-+IMAP
-+STARTTLS
-+</keywords>
-+</info>
-+
-+#
-+# Server-side
-+<reply>
-+<servercmd>
-+CAPA STARTTLS
-+REPLY STARTTLS A002 BAD currently unavailable\r\nA003 OK Authenticated\r\nA004 OK Accepted
-+REPLY LOGIN A003 BAD Authentication credentials invalid
-+</servercmd>
-+</reply>
-+
-+#
-+# Client-side
-+<client>
-+<features>
-+SSL
-+</features>
-+<server>
-+imap
-+</server>
-+ <name>
-+IMAP STARTTLS pipelined server response
-+ </name>
-+ <command>
-+imap://%HOSTIP:%IMAPPORT/%TESTNUMBER -T log/upload%TESTNUMBER -u user:secret --ssl
-+</command>
-+<file name="log/upload%TESTNUMBER">
-+Date: Mon, 7 Feb 1994 21:52:25 -0800 (PST)
-+From: Fred Foobar <foobar@example.COM>
-+Subject: afternoon meeting
-+To: joe@example.com
-+Message-Id: <B27397-0100000@example.COM>
-+MIME-Version: 1.0
-+Content-Type: TEXT/PLAIN; CHARSET=US-ASCII
-+
-+Hello Joe, do you think we can meet at 3:30 tomorrow?
-+</file>
-+</client>
-+
-+#
-+# Verify data after the test has been "shot"
-+<verify>
-+# 8 is CURLE_WEIRD_SERVER_REPLY
-+<errorcode>
-+8
-+</errorcode>
-+<protocol>
-+A001 CAPABILITY
-+A002 STARTTLS
-+</protocol>
-+</verify>
-+</testcase>
-diff --git a/tests/data/test982 b/tests/data/test982
-new file mode 100644
-index 0000000..9e07cc0
---- /dev/null
-+++ b/tests/data/test982
-@@ -0,0 +1,57 @@
-+<testcase>
-+<info>
-+<keywords>
-+POP3
-+STARTTLS
-+</keywords>
-+</info>
-+
-+#
-+# Server-side
-+<reply>
-+<servercmd>
-+CAPA STLS USER
-+REPLY STLS -ERR currently unavailable\r\n+OK user accepted\r\n+OK authenticated
-+REPLY PASS -ERR Authentication credentials invalid
-+</servercmd>
-+<data nocheck="yes">
-+From: me@somewhere
-+To: fake@nowhere
-+
-+body
-+
-+--
-+  yours sincerely
-+</data>
-+</reply>
-+
-+#
-+# Client-side
-+<client>
-+<features>
-+SSL
-+</features>
-+<server>
-+pop3
-+</server>
-+ <name>
-+POP3 STARTTLS pipelined server response
-+ </name>
-+ <command>
-+pop3://%HOSTIP:%POP3PORT/%TESTNUMBER -u user:secret --ssl
-+ </command>
-+</client>
-+
-+#
-+# Verify data after the test has been "shot"
-+<verify>
-+# 8 is CURLE_WEIRD_SERVER_REPLY
-+<errorcode>
-+8
-+</errorcode>
-+<protocol>
-+CAPA
-+STLS
-+</protocol>
-+</verify>
-+</testcase>
-diff --git a/tests/data/test983 b/tests/data/test983
-new file mode 100644
-index 0000000..300ec45
---- /dev/null
-+++ b/tests/data/test983
-@@ -0,0 +1,52 @@
-+<testcase>
-+<info>
-+<keywords>
-+FTP
-+STARTTLS
-+</keywords>
-+</info>
-+
-+#
-+# Server-side
-+<reply>
-+<servercmd>
-+REPLY AUTH 500 unknown command\r\n500 unknown command\r\n331 give password\r\n230 Authenticated\r\n257 "/"\r\n200 OK\r\n200 OK\r\n200 OK\r\n226 Transfer complete
-+REPLY PASS 530 Login incorrect
-+</servercmd>
-+</reply>
-+
-+# Client-side
-+<client>
-+<features>
-+SSL
-+</features>
-+<server>
-+ftp
-+</server>
-+ <name>
-+FTP STARTTLS pipelined server response
-+ </name>
-+<file name="log/test%TESTNUMBER.txt">
-+data
-+    to
-+      see
-+that FTPS
-+works
-+  so does it?
-+</file>
-+ <command>
-+--ssl --ftp-ssl-control ftp://%HOSTIP:%FTPPORT/%TESTNUMBER -T log/test%TESTNUMBER.txt -u user:secret -P %CLIENTIP
-+</command>
-+</client>
-+
-+# Verify data after the test has been "shot"
-+<verify>
-+# 8 is CURLE_WEIRD_SERVER_REPLY
-+<errorcode>
-+8
-+</errorcode>
-+<protocol>
-+AUTH SSL
-+</protocol>
-+</verify>
-+</testcase>
--- 
-2.31.1
-

0101-curl-7.32.0-multilib.patch

@@ -1,91 +1,92 @@
-From 2a4754a3a7cf60ecc36d83cbe50b8c337cb87632 Mon Sep 17 00:00:00 2001
-From: Kamil Dudka <kdudka@redhat.com>
-Date: Fri, 12 Apr 2013 12:04:05 +0200
+From 6bb4e674cdc953f5c0048aa84172539900725166 Mon Sep 17 00:00:00 2001
+From: Jan Macku <jamacku@redhat.com>
+Date: Tue, 16 Dec 2025 10:04:40 +0100
 Subject: [PATCH] prevent multilib conflicts on the curl-config script
 
 ---
- curl-config.in     | 23 +++++------------------
- docs/curl-config.1 |  4 +++-
- libcurl.pc.in      |  1 +
+ curl-config.in      | 23 +++++------------------
+ docs/curl-config.md |  4 +++-
+ libcurl.pc.in       |  1 +
  3 files changed, 9 insertions(+), 19 deletions(-)
 
 diff --git a/curl-config.in b/curl-config.in
-index 150004d..95d0759 100644
+index a1c8185875..bb43ca8335 100644
 --- a/curl-config.in
 +++ b/curl-config.in
-@@ -76,7 +76,7 @@ while test $# -gt 0; do
-         ;;
+@@ -74,7 +74,7 @@ while test "$#" -gt 0; do
+     ;;
  
-     --cc)
--        echo "@CC@"
-+        echo "gcc"
-         ;;
+   --cc)
+-    echo '@CC@'
++    echo 'gcc'
+     ;;
  
-     --prefix)
-@@ -155,32 +155,19 @@ while test $# -gt 0; do
-         ;;
+   --prefix)
+@@ -149,16 +149,7 @@ while test "$#" -gt 0; do
+     ;;
  
-     --libs)
--        if test "X@libdir@" != "X/usr/lib" -a "X@libdir@" != "X/usr/lib64"; then
--           CURLLIBDIR="-L@libdir@ "
--        else
--           CURLLIBDIR=""
--        fi
--        if test "X@ENABLE_SHARED@" = "Xno" -o "X@REQUIRE_LIB_DEPS@" = "Xyes"; then
--          echo ${CURLLIBDIR}-lcurl @LIBCURL_LIBS@
--        else
--          echo ${CURLLIBDIR}-lcurl
--        fi
-+        echo -lcurl
-         ;;
-     --ssl-backends)
-         echo "@SSL_BACKENDS@"
-         ;;
+   --libs)
+-    if test "@libdir@" != '/usr/lib' && test "@libdir@" != '/usr/lib64'; then
+-      curllibdir="-L@libdir@ "
+-    else
+-      curllibdir=''
+-    fi
+-    if test '@ENABLE_SHARED@' = 'no'; then
+-      echo "${curllibdir}-lcurl @LIBCURL_PC_LIBS_PRIVATE@"
+-    else
+-      echo "${curllibdir}-lcurl"
+-    fi
++    echo '-lcurl'
+     ;;
  
-     --static-libs)
--        if test "X@ENABLE_STATIC@" != "Xno" ; then
--          echo @libdir@/libcurl.@libext@ @LDFLAGS@ @LIBCURL_LIBS@
--        else
--          echo "curl was built with static libraries disabled" >&2
--          exit 1
--        fi
-+        echo "curl was built with static libraries disabled" >&2
-+        exit 1
-         ;;
+   --ssl-backends)
+@@ -166,16 +157,12 @@ while test "$#" -gt 0; do
+     ;;
  
-     --configure)
--        echo @CONFIGURE_OPTIONS@
-+        pkg-config libcurl --variable=configure_options | sed 's/^"//;s/"$//'
-         ;;
+   --static-libs)
+-    if test '@ENABLE_STATIC@' != 'no'; then
+-      echo "@libdir@/libcurl.@libext@ @LIBCURL_PC_LDFLAGS_PRIVATE@ @LIBCURL_PC_LIBS_PRIVATE@"
+-    else
+-      echo 'curl was built with static libraries disabled' >&2
+-      exit 1
+-    fi
++    echo 'curl was built with static libraries disabled' >&2
++    exit 1
+     ;;
  
-     *)
-diff --git a/docs/curl-config.1 b/docs/curl-config.1
-index 14a9d2b..ffcc004 100644
---- a/docs/curl-config.1
-+++ b/docs/curl-config.1
-@@ -70,7 +70,9 @@ no, one or several names. If more than one name, they will appear
- comma-separated. (Added in 7.58.0)
- .IP "--static-libs"
- Shows the complete set of libs and other linker options you will need in order
--to link your application with libcurl statically. (Added in 7.17.1)
-+to link your application with libcurl statically. Note that Fedora/RHEL libcurl
+   --configure)
+-    echo @CONFIGURE_OPTIONS@
++    pkg-config libcurl --variable=configure_options | sed 's/^"//;s/"$//'
+     ;;
+ 
+   *)
+diff --git a/docs/curl-config.md b/docs/curl-config.md
+index 12ad245b79..fa0e03d273 100644
+--- a/docs/curl-config.md
++++ b/docs/curl-config.md
+@@ -87,7 +87,9 @@ no, one or several names. If more than one name, they appear comma-separated.
+ ## `--static-libs`
+ 
+ Shows the complete set of libs and other linker options you need in order to
+-link your application with libcurl statically. (Added in 7.17.1)
++link your application with libcurl statically. Note that Fedora/RHEL libcurl
 +packages do not provide any static libraries, thus cannot be linked statically.
 +(Added in 7.17.1)
- .IP "--version"
- Outputs version information about the installed libcurl.
- .IP "--vernum"
+ 
+ ## `--version`
+ 
 diff --git a/libcurl.pc.in b/libcurl.pc.in
-index 2ba9c39..f8f8b00 100644
+index c0ba5244a8..f3645e1748 100644
 --- a/libcurl.pc.in
 +++ b/libcurl.pc.in
-@@ -29,6 +29,7 @@ libdir=@libdir@
+@@ -28,6 +28,7 @@ libdir=@libdir@
  includedir=@includedir@
  supported_protocols="@SUPPORT_PROTOCOLS@"
  supported_features="@SUPPORT_FEATURES@"
 +configure_options=@CONFIGURE_OPTIONS@
  
  Name: libcurl
- URL: https://curl.haxx.se/
+ URL: https://curl.se/
 -- 
-2.5.0
+2.52.0
 

0102-curl-7.36.0-debug.patch

@@ -1,61 +0,0 @@
-From 3602ee9dcc74683f91fe4f9ca228aa17a6474403 Mon Sep 17 00:00:00 2001
-From: Kamil Dudka <kdudka@redhat.com>
-Date: Wed, 31 Oct 2012 11:38:30 +0100
-Subject: [PATCH] prevent configure script from discarding -g in CFLAGS
- (#496778)
-
----
- m4/curl-compilers.m4 | 26 ++++++--------------------
- 1 file changed, 6 insertions(+), 20 deletions(-)
-
-diff --git a/m4/curl-compilers.m4 b/m4/curl-compilers.m4
-index c64db4bc6..d115a4aed 100644
---- a/m4/curl-compilers.m4
-+++ b/m4/curl-compilers.m4
-@@ -106,18 +106,11 @@ AC_DEFUN([CURL_CHECK_COMPILER_CLANG], [
-     clangvhi=`echo $clangver | cut -d . -f1`
-     clangvlo=`echo $clangver | cut -d . -f2`
-     compiler_num=`(expr $clangvhi "*" 100 + $clangvlo) 2>/dev/null`
--    flags_dbg_all="-g -g0 -g1 -g2 -g3"
--    flags_dbg_all="$flags_dbg_all -ggdb"
--    flags_dbg_all="$flags_dbg_all -gstabs"
--    flags_dbg_all="$flags_dbg_all -gstabs+"
--    flags_dbg_all="$flags_dbg_all -gcoff"
--    flags_dbg_all="$flags_dbg_all -gxcoff"
--    flags_dbg_all="$flags_dbg_all -gdwarf-2"
--    flags_dbg_all="$flags_dbg_all -gvms"
-+    flags_dbg_all=""
-     flags_dbg_yes="-g"
-     flags_dbg_off=""
--    flags_opt_all="-O -O0 -O1 -O2 -Os -O3 -O4"
--    flags_opt_yes="-Os"
-+    flags_opt_all=""
-+    flags_opt_yes=""
-     flags_opt_off="-O0"
-   else
-     AC_MSG_RESULT([no])
-@@ -175,18 +168,11 @@ AC_DEFUN([CURL_CHECK_COMPILER_GNU_C], [
-     gccvhi=`echo $gccver | cut -d . -f1`
-     gccvlo=`echo $gccver | cut -d . -f2`
-     compiler_num=`(expr $gccvhi "*" 100 + $gccvlo) 2>/dev/null`
--    flags_dbg_all="-g -g0 -g1 -g2 -g3"
--    flags_dbg_all="$flags_dbg_all -ggdb"
--    flags_dbg_all="$flags_dbg_all -gstabs"
--    flags_dbg_all="$flags_dbg_all -gstabs+"
--    flags_dbg_all="$flags_dbg_all -gcoff"
--    flags_dbg_all="$flags_dbg_all -gxcoff"
--    flags_dbg_all="$flags_dbg_all -gdwarf-2"
--    flags_dbg_all="$flags_dbg_all -gvms"
-+    flags_dbg_all=""
-     flags_dbg_yes="-g"
-     flags_dbg_off=""
--    flags_opt_all="-O -O0 -O1 -O2 -O3 -Os -Og -Ofast"
--    flags_opt_yes="-O2"
-+    flags_opt_all=""
-+    flags_opt_yes=""
-     flags_opt_off="-O0"
-     CURL_CHECK_DEF([_WIN32], [], [silent])
-   else
--- 
-1.7.1
-

0104-curl-7.19.7-localhost6.patch

@@ -1,51 +0,0 @@
-diff --git a/tests/data/test1083 b/tests/data/test1083
-index e441278..b0958b6 100644
---- a/tests/data/test1083
-+++ b/tests/data/test1083
-@@ -33,13 +33,13 @@ ipv6
- http-ipv6
- </server>
-  <name>
--HTTP-IPv6 GET with ip6-localhost --interface
-+HTTP-IPv6 GET with localhost6 --interface
-  </name>
-  <command>
---g "http://%HOST6IP:%HTTP6PORT/1083" --interface ip6-localhost
-+-g "http://%HOST6IP:%HTTP6PORT/1083" --interface localhost6
- </command>
- <precheck>
--perl -e "if ('%CLIENT6IP' ne '[::1]') {print 'Test requires default test client host address';} else {exec './server/resolve --ipv6 ip6-localhost'; print 'Cannot run precheck resolve';}"
-+perl -e "if ('%CLIENT6IP' ne '[::1]') {print 'Test requires default test client host address';} else {exec './server/resolve --ipv6 localhost6'; print 'Cannot run precheck resolve';}"
- </precheck>
- </client>
- 
-diff --git a/tests/data/test241 b/tests/data/test241
-index 46eae1f..4e1632c 100644
---- a/tests/data/test241
-+++ b/tests/data/test241
-@@ -30,13 +30,13 @@ ipv6
- http-ipv6
- </server>
-  <name>
--HTTP-IPv6 GET (using ip6-localhost)
-+HTTP-IPv6 GET (using localhost6)
-  </name>
-  <command>
---g "http://ip6-localhost:%HTTP6PORT/241"
-+-g "http://localhost6:%HTTP6PORT/241"
- </command>
- <precheck>
--./server/resolve --ipv6 ip6-localhost
-+./server/resolve --ipv6 localhost6
- </precheck>
- </client>
- 
-@@ -48,7 +48,7 @@ HTTP-IPv6 GET (using ip6-localhost)
- </strip>
- <protocol>
- GET /241 HTTP/1.1
--Host: ip6-localhost:%HTTP6PORT
-+Host: localhost6:%HTTP6PORT
- Accept: */*
- 
- </protocol>

0105-curl-7.63.0-lib1560-valgrind.patch

@@ -1,39 +0,0 @@
-From f55cca0e86f59ec11ffafd5c0503c39ca3723e2e Mon Sep 17 00:00:00 2001
-From: Kamil Dudka <kdudka@redhat.com>
-Date: Mon, 4 Feb 2019 17:32:56 +0100
-Subject: [PATCH] libtest: compile lib1560.c with -fno-builtin-strcmp
-
-... to prevent valgrind from reporting false positives on x86_64:
-
-Conditional jump or move depends on uninitialised value(s)
-   at 0x10BCAA: part2id (lib1560.c:489)
-   by 0x10BCAA: updateurl (lib1560.c:521)
-   by 0x10BCAA: set_parts (lib1560.c:630)
-   by 0x10BCAA: test (lib1560.c:802)
-   by 0x4923412: (below main) (in /usr/lib64/libc-2.28.9000.so)
-
-Conditional jump or move depends on uninitialised value(s)
-   at 0x10BCC3: part2id (lib1560.c:491)
-   by 0x10BCC3: updateurl (lib1560.c:521)
-   by 0x10BCC3: set_parts (lib1560.c:630)
-   by 0x10BCC3: test (lib1560.c:802)
-   by 0x4923412: (below main) (in /usr/lib64/libc-2.28.9000.so)
----
- tests/libtest/Makefile.inc | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/tests/libtest/Makefile.inc b/tests/libtest/Makefile.inc
-index 080421b..ea3b806 100644
---- a/tests/libtest/Makefile.inc
-+++ b/tests/libtest/Makefile.inc
-@@ -590,6 +590,7 @@ lib1559_SOURCES = lib1559.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS)
- lib1559_LDADD = $(TESTUTIL_LIBS)
- 
- lib1560_SOURCES = lib1560.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS)
-+lib1560_CFLAGS = $(AM_CFLAGS) -fno-builtin-strcmp
- lib1560_LDADD = $(TESTUTIL_LIBS)
- 
- lib1564_SOURCES = lib1564.c $(SUPPORTFILES) $(TESTUTIL) $(WARNLESS)
--- 
-2.17.2
-

ci.fmf

@@ -0,0 +1,9 @@
+discover:
+  how: fmf
+prepare:
+  how: install
+  exclude:
+    - libcurl-minimal
+    - curl-minimal
+execute:
+  how: tmt

curl-7.71.1.tar.xz.asc

@@ -1,11 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQEzBAABCgAdFiEEJ+3q8i86vOtQ25oSXMkI/bceEsIFAl78MUgACgkQXMkI/bce
-EsJkEgf/ZDR7QKw9aPQoT2dOyqoCTKip1fLCtJBEOmctjS86zF+1caPABYLV1kq6
-9baz7L2qWOmDdHkxF4poTpPH9CkcG3Krq6lHFjbFQ0GxMC+MEnnFYKfDVrRopaKq
-ioBUnZrRSIytgwbiwxB+uxxa4ItzV6tZNVKIiIZOuuVSAZ9azA/swpezet8x2kxg
-yp1Y3oe0R1VCYiCJ2EOB/rMs0ndPHSRuWiCCIBK7uPXA0jJsL4rjhmY5l2qAadfy
-6iDpk85CJvQcGcC8nZMmpbivniOjIjEefjeXviLvg5dZi7f3M028QyGpkkUVzf27
-FiWCDZuZkp9ed2eLIBGWo/wy70f2pw==
-=0YwO
------END PGP SIGNATURE-----

curl.rpmlintrc

@@ -0,0 +1,15 @@
+# Intentional stuff we're not concerned about
+addFilter("unversioned-explicit-provides webclient")
+addFilter("package-with-huge-docs")
+addFilter("crypto-policy-non-compliance-openssl /usr/lib(64)?/libcurl.so.4")
+
+# This is just plain wrong (%_configure redefinition)
+addFilter("configure-without-libdir-spec")
+
+# Technical term
+addFilter("E: spelling-error \('kerberos',")
+
+# Artefacts of RemovePathPostfixes: .minimal
+addFilter("W: dangling-relative-symlink /usr/lib/.build-id/.* ../../../../.*curl.*\.minimal")
+#addFilter("W: dangling-relative-symlink /usr/lib.*/libcurl.so.4 libcurl.so.4.*.minimal")
+#addFilter("E: invalid-ldconfig-symlink /usr/lib.*/libcurl.so.4.* libcurl.so.4.*.minimal")

mykey.asc

@@ -0,0 +1,77 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v2
+
+mQGiBD6tnnoRBACRPnFBVoapBrTpPrCNZ2rq3DcmW6n/soQJW47+zP+vcrcxQ1WJ
+QiWSzLGO+QOIUZSYfnliR22r8HkFX9EUSW3IAcRMJMsaO3wMJ0a+78a9QqWLp6RV
+0arcQkuuCvG79h+yJ6NnoAXe1geRt8vNGsaWtsS91CtYlTSs6JVtaRLnYwCg/Ly1
+EFgvNZ6SJRc/8I5rRv0lrz8D/0goih2kZ5z4SI+r2hgABNcN7g565YwGKaQDbIch
+soh3OBzgETWc3wuAZqmCzQXPXMpMx+ziqX6XDzDKNiGL1CdrBJQd0II8UutWVDje
+f9UxLfo02YQ8diGYeq0u9k1RezC13w4TVUmQfg0Uqn4xM6DNzO1O6yCK8rlNwsvL
+gHNJA/9m1pfzjpvdxtmJNKRU3C4cRCjXhxNdM7laSEj0/wOGaR2QWWEge51orWwo
+SLQUIe4BDPvtRStQHC+tI7qr7d12rMMEBXviJC5EkGBOzlgWr9virjM/u/pkGMc2
+m5r3pVuWH/JSsHsV952y2kWP64uP4zdLXOpVzX/xs0sYJ9nOPLQnRGFuaWVsIFN0
+ZW5iZXJnIChIYXh4KSA8ZGFuaWVsQGhheHguc2U+iF4EExECAB4CHgECF4AFAlQU
+ki4FCwkIBwMFFQoJCAsFFgIDAQAACgkQeOEcayedXJEOOwCggCsNHdAQPAlPte3w
+i2IZEekkM0YAoOXXPFAWjUwIHjZY41l7WgzACbANiFkEExECABkFAj6tnnoECwcD
+AgMVAgMDFgIBAh4BAheAAAoJEHjhHGsnnVyRjngAoO1y3LoSOEgD8vR062cdYDmv
+jLvVAJ0dmp1UiuQp+oMyq2VbWyw8LXN1XLkBDQQ+rZ59EAQAmYsA8gPjJ75gOIPb
+XNg9Z31QzIz65qS9XdNsFNAdKxnY4b72nhc0oaS9/7Dcdf2Q+1mDa2p72DWk+9iz
+7knmBL++csBP2z9eMe5h8oV53prqNOHDHyL3WLOa25ga9381gZnzWoQME74iSBBM
+wDw8vbLEgIZ34JaQ7Oe+9N3+6n8AAwcD/Av+Ms+3gCc5pLp4nx36qqi36fodaG9+
+dwIcMbr9bivEtjmDHeuPsD6X1J9+Y/ikUBIDpMPv33lJxLoubOtpLhEuN2XN/ojT
+rueVPDKA1f+GyfHnyfpf/78IgX1hGVqu/3RBWKPpXFwSZA4q8vFR+FaPC5WbU68t
+FLJpYuC9ZO/LiEYEGBECAAYFAj6tnn0ACgkQeOEcayedXJGtPQCgxrbd59afemZ9
+OIadZD8kUGC29dUAoJ94aGUkWCwoEiPyEZRGXv9XRlfxmQENBFcGhyIBCAC79AIx
+5hHixKmNtqbryuZTDwlt9XXkEn/QSrQD3pzgbsbBiWyqOV4hfscvtmoqA7koOw4h
+zZ/b8pJPA36eNzqMFIbkWpIit/BwA5bTKRkKXeD2kBFkjIN+iDuXawwhv7eNKH9O
+poAUe0K/esK/kvbMO721q24IgkOjB1Vtr/Y4Xkg7+VWVP0LFh7C/2Nwq6n2bktsA
+Ey9uCDD1hl8BdckN/XxpuUqSfxbF85GvYzzON67zOxxo6jqRXXcJ2PdPq0o9Ak0d
+6Fe7g9ZxOAeuYEbFTCZHBBccx84K0Bhn5tpqoq8Mq3f3mZfGBoe4J6wr17cxEDC8
+tTHUpDqk0CoLERUxABEBAAG0IERhbmllbCBTdGVuYmVyZyA8ZGFuaWVsQGhheHgu
+c2U+iQE3BBMBCgAhBQJXBociAhsDBQsJCAcDBRUKCQgLBRYCAwEAAh4BAheAAAoJ
+EPn+r/nTShvbHoAIAJDwb7dcAX4VGPa2oSuQqVnHsjDE7g8ATmcZq2IAzAG6bZg1
+svuhNyPQnL7kNrsz6Ew+yE4vH8mOjDUbc3feY4MzmtEMaB6VS0Xlna6cdtWkv4Y+
+Us4TuYSdftPZuZgI3nN/sXLlxWJCZgCPJJaGM6dXgyTFatk2P1LE98Qif7+ZMqfv
++BA5L6cy2cAwJ5qbvLtuT25rTxooN54JETfwdhUD1NEIqTQxeC4E5lFvwedjAjLh
+Gswau8WMCdM/HzGbuQ9Gp3/RafYoAvMV6r6sskvUrWubCHj0u+uNgOpUHvlrwcFg
+rBirzQdElumCWqbJVCH0V5NcP/zSz1U1W8wSRqS5AQ0EVwaHIgEIALyCqpnax0cL
+y7EK3UiU2Kkryb7LPsZkia9hTcIZjNg0B8XAdqDYpHiquYtX0cz5I1sSZMBJ/xJP
+BF2ce/bmOTJtyW3GaF9a+M2zboZSzx9nlv9xx0o3bXBrBlL2vaG2TW+x2G53GA0/
+0chbj35PR+fvJx8ob/fHwCkfzGb1qCzwovhwGVUNHqI5bxK/xVwXfiycbllE3Hmf
+09BGeXKR7gQtaal8byKKlqCtayteEaPNQt6czYxZkVAOvY4ZDQKSZJUNwGFog3bG
+6rHr1J/0un6nAvX+wMuvRkUDiQxZZCel7e0Qcg3gPrYh+adlr0Tn7wyCP7/BULz8
+67fQfzc2ENkAEQEAAYkBHwQYAQoACQUCVwaHIgIbDAAKCRD5/q/500ob27KaB/9H
+a+iDip6mxFdoqy7TAefBy7KgbMQxxT926IcFqf70aJDzeVQI3lGCqN9GW03d+wPr
+LoyeQBQKNxxfQ9fEOvp1AXGWFIYYtEZIvQBpIqaSaA7W5IzqfDuO9xG89DNn8zKK
+nh/mbYJov/fywhBU6JH7bqdFSHbqoG9TY64s0BkV6shIVOubXLSG5G7LxXhw+xrb
+0zl4ie2wCeCBOLdbGHc+o2sKo1rBEz6UBK2DesPfkzxBO7lfa9HTcN03UJPHXmzb
+2mCbeFV8yPsTAoaGv4qZH1+FX+9Lv374xTSXa4CjQzSxd0dkZGG+YQjocoPftgsC
+OVsiqW0WhRVIEJ+hBAMUmQENBFcGiPEBCAC7sCnaZqWxfXNgBC7P28BSDUs9w4y/
+PEFsOv9bpgbgZagX1FnhG0eV71nm0p8v9T8Bft1eXaBd977Dq9pgk5qKO0xZo8fC
+8prFqB5db7fMUvPZCuJTTb6lGMz4OdfT6aHqUvJ+LFF1mKn8Eqt1Q4snHGSL1PI3
+/+435qDRQsU15GdYrj1waNJKk79aes9oguaI2/OTQqzIcOFK5tJjlSOD1ryOIH1e
+8vD+5MMpGvsRxv3sQHeTZkfZbkzSLFg/LKpoiQkyql1+BLNhBYq8oaE/jlvQrTEk
+bAyKpMScdyHwmkWWKjyZtXTrAtlComnki4yC2lAV9MXINHHvNJBcIXvVABEBAAG0
+IERhbmllbCBTdGVuYmVyZyA8ZGFuaWVsQGhheHguc2U+iQE3BBMBCgAhBQJXBojx
+AhsDBQsJCAcDBRUKCQgLBRYCAwEAAh4BAheAAAoJEFzJCP23HhLCOKkH/1CyoKiN
+2PCgTlWoYQspv/AAmsj+cFwZobI167KowA+o3zxQqxg0MV3ds8G+iig9OIuYurlQ
+L5Jr3CbDltaiXdWtVteRh/VKp61EwyXq77vjJbx81hvOuaXWWLSlU0KB3w7Hj6aD
+/mt16DpOcY9Aw90mKyvafRTqMF7TcT7J5HeGn2NL45dPkAhiMDEgEnw9yBTxK/x6
+UoQGPgiOWxSSN7Foj3mhUOflp8W0rnkLbJ4icpym6WuLKRMKAefDvk8GVlAWuXAb
+9gloL1P6u3uNHllq/IODR2bZUBI0QNKhvt0iSj7WKsc/kaqscl+AE9jd/6kXd6vh
+TNFWdzeco/2mGlaIRgQQEQoABgUCVwaJ/AAKCRB44RxrJ51ckWcaAKCJ6+arS/3k
+IMcO14Jz8dVf2BH3OACgwTenVSsK66qi+VfGCoALpzpiLDO5AQ0EVwaI8QEIAOxQ
+AEvF3idxcn80tbUhJg1J98fAS7Hx3WhlFG74uAikZQl1KZrprBu70RWTb7Nm1tvZ
+eXW65IlY7kk42bhfYDs1JrIPWOWKvVwKWDxoEbYgW/yvy1TOuXH276zbxLl5OEE8
+sQuOfXZsFSX2IPF9hsgNGaNzor8Ke7Y5BuCQLcGZWW5dLFbbKRKjXG8CaWmsJVoI
+c2nyXCAss2q9oCJ13X/5z+Ei392rwi1d3NxAYkSiDQan+fkWkCvZH+dHmFjQ1AND
+KielxcW1VfilK1hu9ziBBDf8TCEud/q0woIAH7rvIft4i3CqjymonByE4/OjfH8j
+4EteQ8qoknMCjjwNVqkAEQEAAYkBHwQYAQoACQUCVwaI8QIbDAAKCRBcyQj9tx4S
+wupjB/9TV4anbZK58bN7QJ5qGnU3GNjlvWFZXMw1u1xVc7abDJyqmFeJcJ4qLUkv
+BA0OsvlVnMWmeCmzsXhlQVM4Bv6IWyr7JBWgkK5q2CWVB59V7v7znf5kWnMGFhDF
+PlLsGbxDWLMoZGH+Iy84whMJFgferwCJy1dND/bHXPztfhvFXi8NNlJUFJa8Xtmu
+gm78C+nwNHcFpVC70HPr3oa8U1ODXMp7L8W/dL3eLYXmRCNd0urHgYrzDt6V/zf5
+ymvPk5w4HBocn2oRCJj/FXKhFAUptmpTE3g1yvYULmuFcNGAnPAExmAmd6NqsCmb
+j/qx4ytjt5uxt6Jm6IXV9cry8i6x
+=Phs/
+-----END PGP PUBLIC KEY BLOCK-----

sources

@@ -1 +1,2 @@
-SHA512 (curl-7.71.1.tar.xz) = 631e0ee8562e5029fe022bfab4222836a3e6d666e82e2bfbd78311fe5985105218a36d1ea68c93472fc57a12b713957a3bcca6e385eda4e58a47ca8d5d50265b
+SHA512 (curl-8.18.0.tar.xz) = 50c7a7b0528e0019697b0c59b3e56abb2578c71d77e4c085b56797276094b5611718c0a9cb2b14db7f8ab502fcf8f42a364297a3387fae3870a4d281484ba21c
+SHA512 (curl-8.18.0.tar.xz.asc) = 07e08d1bb3f8bf20b3d22f37fbc19c49c0d9ee4ea9d92da76fa8a9de343023e1b5d416ccc6535a4ff98b08b30eb9334fd856227e37564f6bcd542aa81bced152

tests/non-root-user-download/Makefile

@@ -1,63 +0,0 @@
-# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-#
-#   Makefile of /CoreOS/curl/Sanity/non-root-user-download
-#   Description: various download methods with non-root user
-#   Author: Karel Srot <ksrot@redhat.com>
-#
-# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-#
-#   Copyright (c) 2013 Red Hat, Inc. All rights reserved.
-#
-#   This copyrighted material is made available to anyone wishing
-#   to use, modify, copy, or redistribute it subject to the terms
-#   and conditions of the GNU General Public License version 2.
-#
-#   This program is distributed in the hope that it will be
-#   useful, but WITHOUT ANY WARRANTY; without even the implied
-#   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
-#   PURPOSE. See the GNU General Public License for more details.
-#
-#   You should have received a copy of the GNU General Public
-#   License along with this program; if not, write to the Free
-#   Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
-#   Boston, MA 02110-1301, USA.
-#
-# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-export TEST=/CoreOS/curl/Sanity/non-root-user-download
-export TESTVERSION=1.0
-
-BUILT_FILES=
-
-FILES=$(METADATA) runtest.sh Makefile PURPOSE
-
-.PHONY: all install download clean
-
-run: $(FILES) build
-	./runtest.sh
-
-build: $(BUILT_FILES)
-	test -x runtest.sh || chmod a+x runtest.sh
-
-clean:
-	rm -f *~ $(BUILT_FILES)
-
-
-include /usr/share/rhts/lib/rhts-make.include
-
-$(METADATA): Makefile
-	@echo "Owner:           Karel Srot <ksrot@redhat.com>" > $(METADATA)
-	@echo "Name:            $(TEST)" >> $(METADATA)
-	@echo "TestVersion:     $(TESTVERSION)" >> $(METADATA)
-	@echo "Path:            $(TEST_DIR)" >> $(METADATA)
-	@echo "Description:     various download methods with non-root user" >> $(METADATA)
-	@echo "Type:            Sanity" >> $(METADATA)
-	@echo "TestTime:        5m" >> $(METADATA)
-	@echo "RunFor:          curl" >> $(METADATA)
-	@echo "Requires:        curl" >> $(METADATA)
-	@echo "Priority:        Normal" >> $(METADATA)
-	@echo "License:         GPLv2" >> $(METADATA)
-	@echo "Confidential:    no" >> $(METADATA)
-	@echo "Destructive:     no" >> $(METADATA)
-
-	rhts-lint $(METADATA)

tests/non-root-user-download/PURPOSE

@@ -1,3 +0,0 @@
-PURPOSE of /CoreOS/curl/Sanity/non-root-user-download
-Description: various download methods with non-root user
-Author: Karel Srot <ksrot@redhat.com>

tests/non-root-user-download/main.fmf

@@ -0,0 +1,18 @@
+summary: various download methods with non-root user
+description: ''
+contact: Daniel Rusek <drusek@redhat.com>
+component:
+  - curl
+require:
+  - findutils
+  - libselinux-utils
+  - openssh-clients
+  - openssh-server
+  - passwd
+test: ./runtest.sh
+framework: beakerlib
+duration: 5m
+enabled: true
+tier: '1'
+link:
+  - relates: https://bugzilla.redhat.com/show_bug.cgi?id=1049921

tests/non-root-user-download/runtest.sh

@@ -27,14 +27,13 @@
 # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 # Include Beaker environment
-. /usr/bin/rhts-environment.sh || exit 1
 . /usr/share/beakerlib/beakerlib.sh || exit 1
 
 PACKAGE="curl"
 
-FTP_URL=ftp://ftp.scientificlinux.org/linux/fedora/releases/18/Live/x86_64/Fedora-18-x86_64-Live-CHECKSUM
-HTTP_URL=https://archives.fedoraproject.org/pub/archive/fedora/linux/releases/18/Live/x86_64/Fedora-18-x86_64-Live-CHECKSUM
-CONTENT=a276e06d244e04b765f0a35532d9036ad84f340b0bdcc32e0233a8fbc31d5bed
+FTP_URL=ftp://ftp.fi.muni.cz/pub/linux/fedora/linux/releases/42/Everything/x86_64/iso/Fedora-Everything-42-1.1-x86_64-CHECKSUM
+HTTP_URL=https://archives.fedoraproject.org/pub/fedora/linux/releases/42/Everything/x86_64/iso/Fedora-Everything-42-1.1-x86_64-CHECKSUM
+CONTENT=1bd6ab4798983c2fe4a210f9c4ca135fed453d6142ba852c1f8d5fba22e113ab
 PASSWORD=pAssw0rd
 OPTIONS=""
 rlIsRHEL 7 && OPTIONS="--insecure"
@@ -47,9 +46,11 @@ rlJournalStart
         rlRun "useradd -m curltester" 0 "Adding the test user"
         rlRun "echo $PASSWORD | passwd --stdin curltester" 0 "Setting the password for the test user"
         rlRun "su - curltester -c 'echo $CONTENT > ~/testfile'" 0 "Creating ~curltester/testfile"
+        rlFileBackup --clean --missing-ok $HOME/.ssh /etc/hosts
+        rlRun "rm -f $HOME/.ssh/*"
         [ -d $HOME/.ssh ] || ( mkdir $HOME/.ssh && restorecon HOME/.ssh )
-        rlFileBackup $HOME/.ssh/known_hosts /etc/hosts
-        ssh-keygen -F localhost -f $HOME/.ssh/known_hosts || rlRun "ssh-keyscan localhost >> $HOME/.ssh/known_hosts"
+        rlRun "rlServiceStart sshd"
+        rlRun "ssh-keyscan localhost >> $HOME/.ssh/known_hosts"
     rlPhaseEnd
 
     rlPhaseStartTest "http download"
@@ -82,7 +83,7 @@ if ! rlIsRHEL 5; then
 fi
 
     rlPhaseStartCleanup
-        rlRun "rm -f $HOME/.ssh/known_hosts"
+        rlRun "rlServiceRestore"
         rlFileRestore
         rlRun "popd"
         rlRun "rm -r $TmpDir" 0 "Removing tmp directory"

tests/non-root-user-download/runtest.yml

@@ -1,64 +0,0 @@
-- hosts: '{{ hosts | default("localhost") }}'
-  vars:
-    package: "curl"
-  tasks:
-    - name: "Set Content variables"
-      set_fact:
-        content: "a276e06d244e04b765f0a35532d9036ad84f340b0bdcc32e0233a8fbc31d5bed"
-        password: "pAssw0rd"
-        crypt_password: "$6$/5GE87XLYLLfB3qx$w84Kct34UZG/4buTSXWkaaVIsw2xGXSAdmnS2QYdG8TtRgTsBnHdFdSkhoy.tKIE6A6LKlxczIZjQbpB19k7B1"
-    - name: "Create user curltester"
-      user: 
-        name: "curltester"
-        password: "{{ crypt_password }}"
-    - name: "Copy testfile"
-      copy:
-          dest: "/home/curltester/testfile"
-          content: "{{ content }}"
-    - block:
-      - name: "http download"
-        command: "curl https://archives.fedoraproject.org/pub/archive/fedora/linux/releases/18/Live/x86_64/Fedora-18-x86_64-Live-CHECKSUM"
-        args:
-            warn: false
-        register: http
-        become: yes
-        become_user: curltester
-      - name: "Compare http output"
-        fail:
-            msg: "{{ content }} not in {{ http.stdout }}"
-        when: content not in http.stdout
-      - name: "ftp download"
-        command: "curl ftp://ftp.scientificlinux.org/linux/fedora/releases/18/Live/x86_64/Fedora-18-x86_64-Live-CHECKSUM"
-        args:
-            warn: false
-        register: ftp
-        become: yes
-        become_user: curltester
-      - name: "Compare ftp output"
-        fail:
-            msg: "{{ content }} not in {{ ftp.stdout }}"
-        when: content not in ftp.stdout
-      - name: "scp download"
-        command: "curl -u curltester:{{ password }} --insecure scp://localhost/home/curltester/testfile"
-        args:
-            warn: false
-        register: scp
-      - name: "Compare scp output"
-        fail:
-            msg: "{{ content }} not in {{ scp.stdout }}"
-        when: content not in scp.stdout
-      - name: "sftp download"
-        command: "curl -u curltester:{{ password }} --insecure sftp://localhost/home/curltester/testfile"
-        args:
-            warn: false
-        register: sftp
-      - name: "Compare sftp output"
-        fail:
-            msg: "{{ content }} not in {{ sftp.stdout }}"
-        when: content not in sftp.stdout
-      always:
-      - name: "Remove user curltester"
-        user: 
-            name: "curltester"
-            remove: yes
-            state: absent

tests/scp-and-sftp-download-test/Makefile

@@ -1,63 +0,0 @@
-# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-#
-#   Makefile of /CoreOS/curl/Sanity/scp-and-sftp-download-test
-#   Description: downloads test file through scp and sftp
-#   Author: Karel Srot <ksrot@redhat.com>
-#
-# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-#
-#   Copyright (c) 2012 Red Hat, Inc. All rights reserved.
-#
-#   This copyrighted material is made available to anyone wishing
-#   to use, modify, copy, or redistribute it subject to the terms
-#   and conditions of the GNU General Public License version 2.
-#
-#   This program is distributed in the hope that it will be
-#   useful, but WITHOUT ANY WARRANTY; without even the implied
-#   warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
-#   PURPOSE. See the GNU General Public License for more details.
-#
-#   You should have received a copy of the GNU General Public
-#   License along with this program; if not, write to the Free
-#   Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
-#   Boston, MA 02110-1301, USA.
-#
-# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-export TEST=/CoreOS/curl/Sanity/scp-and-sftp-download-test
-export TESTVERSION=1.0
-
-BUILT_FILES=
-
-FILES=$(METADATA) runtest.sh Makefile PURPOSE
-
-.PHONY: all install download clean
-
-run: $(FILES) build
-	./runtest.sh
-
-build: $(BUILT_FILES)
-	test -x runtest.sh || chmod a+x runtest.sh
-
-clean:
-	rm -f *~ $(BUILT_FILES)
-
-
-include /usr/share/rhts/lib/rhts-make.include
-
-$(METADATA): Makefile
-	@echo "Owner:           Karel Srot <ksrot@redhat.com>" > $(METADATA)
-	@echo "Name:            $(TEST)" >> $(METADATA)
-	@echo "TestVersion:     $(TESTVERSION)" >> $(METADATA)
-	@echo "Path:            $(TEST_DIR)" >> $(METADATA)
-	@echo "Description:     downloads test file through scp and sftp" >> $(METADATA)
-	@echo "Type:            Sanity" >> $(METADATA)
-	@echo "TestTime:        10m" >> $(METADATA)
-	@echo "RunFor:          curl" >> $(METADATA)
-	@echo "Requires:        curl openssh" >> $(METADATA)
-	@echo "Priority:        Normal" >> $(METADATA)
-	@echo "License:         GPLv2" >> $(METADATA)
-	@echo "Confidential:    no" >> $(METADATA)
-	@echo "Destructive:     no" >> $(METADATA)
-
-	rhts-lint $(METADATA)

tests/scp-and-sftp-download-test/PURPOSE

@@ -1,12 +0,0 @@
-PURPOSE of /CoreOS/curl/Sanity/scp-and-sftp-download-test
-Description: downloads test file through scp and sftp
-Author: Karel Srot <ksrot@redhat.com>
-
-Test scenario:
-- scp download
-- sftp download
-- scp upload
-- sftp upload
-
-When PUBKEY_PARAM global variable is set to 'empty' or 'none', scenarios are executed
-with empty --pubkey parameter (--pubkey "") or with the paramiter omitted

tests/scp-and-sftp-download-test/main.fmf

@@ -0,0 +1,20 @@
+summary: downloads test file through scp and sftp
+description: |
+    Test scenario:
+    - scp download
+    - sftp download
+    - scp upload
+    - sftp upload
+
+    When PUBKEY_PARAM global variable is set to 'empty' or 'none', scenarios are executed
+    with empty --pubkey parameter (--pubkey "") or with the paramiter omitted
+contact: Daniel Rusek <drusek@redhat.com>
+require:
+  - findutils
+component:
+  - curl
+test: ./runtest.sh
+path: /tests/scp-and-sftp-download-test
+framework: beakerlib
+duration: 10m
+enabled: true

tests/scp-and-sftp-download-test/runtest.sh

@@ -27,8 +27,7 @@
 # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
 # Include Beaker environment
-. /usr/bin/rhts-environment.sh
-. /usr/lib/beakerlib/beakerlib.sh
+. /usr/share/beakerlib/beakerlib.sh || exit 1
 
 PACKAGE="curl"
 

tests/tests.yml

@@ -1,26 +0,0 @@
----
-# Tests for Classic
-- hosts: localhost
-  roles:
-  - role: standard-test-beakerlib
-    tags:
-    - classic
-    tests:
-    - scp-and-sftp-download-test
-    - non-root-user-download
-    required_packages:
-    - findutils         # non-root-user-download needs find command
-                        # scp-and-sftp-download-test needs find command
-    - passwd            # non-root-user-download needs passwd command
-    - openssh-clients   # non-root-user-download needs ssh-keyscan command
-
-# Tests for Atomic
-- hosts: localhost
-  roles:
-  - role: standard-test-beakerlib
-    tags:
-    - atomic
-    tests:
-    - scp-and-sftp-download-test
-    - non-root-user-download
-