Compare commits
No commits in common. "c8" and "c8s" have entirely different histories.
@ -1,231 +0,0 @@
|
||||
From e8705acd69383c13191c9dd4867d5118e58c54ba Mon Sep 17 00:00:00 2001
|
||||
From: Daniel Stenberg <daniel@haxx.se>
|
||||
Date: Thu, 6 Oct 2022 00:49:10 +0200
|
||||
Subject: [PATCH 1/2] strcase: add Curl_timestrcmp
|
||||
|
||||
This is a strcmp() alternative function for comparing "secrets",
|
||||
designed to take the same time no matter the content to not leak
|
||||
match/non-match info to observers based on how fast it is.
|
||||
|
||||
The time this function takes is only a function of the shortest input
|
||||
string.
|
||||
|
||||
Reported-by: Trail of Bits
|
||||
|
||||
Closes #9658
|
||||
|
||||
Upstream-commit: ed5095ed94281989e103c72e032200b83be37878
|
||||
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||
---
|
||||
lib/strcase.c | 22 ++++++++++++++++++++++
|
||||
lib/strcase.h | 1 +
|
||||
2 files changed, 23 insertions(+)
|
||||
|
||||
diff --git a/lib/strcase.c b/lib/strcase.c
|
||||
index f932485..c73907d 100644
|
||||
--- a/lib/strcase.c
|
||||
+++ b/lib/strcase.c
|
||||
@@ -175,6 +175,28 @@ bool Curl_safecmp(char *a, char *b)
|
||||
return !a && !b;
|
||||
}
|
||||
|
||||
+/*
|
||||
+ * Curl_timestrcmp() returns 0 if the two strings are identical. The time this
|
||||
+ * function spends is a function of the shortest string, not of the contents.
|
||||
+ */
|
||||
+int Curl_timestrcmp(const char *a, const char *b)
|
||||
+{
|
||||
+ int match = 0;
|
||||
+ int i = 0;
|
||||
+
|
||||
+ if(a && b) {
|
||||
+ while(1) {
|
||||
+ match |= a[i]^b[i];
|
||||
+ if(!a[i] || !b[i])
|
||||
+ break;
|
||||
+ i++;
|
||||
+ }
|
||||
+ }
|
||||
+ else
|
||||
+ return a || b;
|
||||
+ return match;
|
||||
+}
|
||||
+
|
||||
/* --- public functions --- */
|
||||
|
||||
int curl_strequal(const char *first, const char *second)
|
||||
diff --git a/lib/strcase.h b/lib/strcase.h
|
||||
index d245929..11a67a1 100644
|
||||
--- a/lib/strcase.h
|
||||
+++ b/lib/strcase.h
|
||||
@@ -48,5 +48,6 @@ char Curl_raw_toupper(char in);
|
||||
void Curl_strntoupper(char *dest, const char *src, size_t n);
|
||||
|
||||
bool Curl_safecmp(char *a, char *b);
|
||||
+int Curl_timestrcmp(const char *first, const char *second);
|
||||
|
||||
#endif /* HEADER_CURL_STRCASE_H */
|
||||
--
|
||||
2.39.2
|
||||
|
||||
|
||||
From 9cfaea212ff347937a38f6b5d6b885ed8ba1b931 Mon Sep 17 00:00:00 2001
|
||||
From: Daniel Stenberg <daniel@haxx.se>
|
||||
Date: Thu, 9 Mar 2023 17:47:06 +0100
|
||||
Subject: [PATCH 2/2] ftp: add more conditions for connection reuse
|
||||
|
||||
Reported-by: Harry Sintonen
|
||||
Closes #10730
|
||||
|
||||
Upstream-commit: 8f4608468b890dce2dad9f91d5607ee7e9c1aba1
|
||||
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||
---
|
||||
lib/ftp.c | 28 ++++++++++++++++++++++++++--
|
||||
lib/ftp.h | 5 +++++
|
||||
lib/setopt.c | 2 +-
|
||||
lib/url.c | 13 ++++++++++++-
|
||||
lib/urldata.h | 4 ++--
|
||||
5 files changed, 46 insertions(+), 6 deletions(-)
|
||||
|
||||
diff --git a/lib/ftp.c b/lib/ftp.c
|
||||
index 9442832..df15bc0 100644
|
||||
--- a/lib/ftp.c
|
||||
+++ b/lib/ftp.c
|
||||
@@ -4080,6 +4080,8 @@ static CURLcode ftp_disconnect(struct connectdata *conn, bool dead_connection)
|
||||
}
|
||||
|
||||
freedirs(ftpc);
|
||||
+ Curl_safefree(ftpc->account);
|
||||
+ Curl_safefree(ftpc->alternative_to_user);
|
||||
free(ftpc->prevpath);
|
||||
ftpc->prevpath = NULL;
|
||||
free(ftpc->server_os);
|
||||
@@ -4391,11 +4393,31 @@ static CURLcode ftp_setup_connection(struct connectdata *conn)
|
||||
struct Curl_easy *data = conn->data;
|
||||
char *type;
|
||||
struct FTP *ftp;
|
||||
+ struct ftp_conn *ftpc = &conn->proto.ftpc;
|
||||
|
||||
- conn->data->req.protop = ftp = malloc(sizeof(struct FTP));
|
||||
+ ftp = calloc(sizeof(struct FTP), 1);
|
||||
if(NULL == ftp)
|
||||
return CURLE_OUT_OF_MEMORY;
|
||||
|
||||
+ /* clone connection related data that is FTP specific */
|
||||
+ if(data->set.str[STRING_FTP_ACCOUNT]) {
|
||||
+ ftpc->account = strdup(data->set.str[STRING_FTP_ACCOUNT]);
|
||||
+ if(!ftpc->account) {
|
||||
+ free(ftp);
|
||||
+ return CURLE_OUT_OF_MEMORY;
|
||||
+ }
|
||||
+ }
|
||||
+ if(data->set.str[STRING_FTP_ALTERNATIVE_TO_USER]) {
|
||||
+ ftpc->alternative_to_user =
|
||||
+ strdup(data->set.str[STRING_FTP_ALTERNATIVE_TO_USER]);
|
||||
+ if(!ftpc->alternative_to_user) {
|
||||
+ Curl_safefree(ftpc->account);
|
||||
+ free(ftp);
|
||||
+ return CURLE_OUT_OF_MEMORY;
|
||||
+ }
|
||||
+ }
|
||||
+ data->req.protop = ftp;
|
||||
+
|
||||
data->state.path++; /* don't include the initial slash */
|
||||
data->state.slash_removed = TRUE; /* we've skipped the slash */
|
||||
|
||||
@@ -4445,7 +4467,9 @@ static CURLcode ftp_setup_connection(struct connectdata *conn)
|
||||
if(isBadFtpString(ftp->passwd))
|
||||
return CURLE_URL_MALFORMAT;
|
||||
|
||||
- conn->proto.ftpc.known_filesize = -1; /* unknown size for now */
|
||||
+ ftpc->known_filesize = -1; /* unknown size for now */
|
||||
+ ftpc->use_ssl = data->set.use_ssl;
|
||||
+ ftpc->ccc = data->set.ftp_ccc;
|
||||
|
||||
return CURLE_OK;
|
||||
}
|
||||
diff --git a/lib/ftp.h b/lib/ftp.h
|
||||
index 7f6f432..3f33e27 100644
|
||||
--- a/lib/ftp.h
|
||||
+++ b/lib/ftp.h
|
||||
@@ -117,6 +117,8 @@ struct FTP {
|
||||
struct */
|
||||
struct ftp_conn {
|
||||
struct pingpong pp;
|
||||
+ char *account;
|
||||
+ char *alternative_to_user;
|
||||
char *entrypath; /* the PWD reply when we logged on */
|
||||
char **dirs; /* realloc()ed array for path components */
|
||||
int dirdepth; /* number of entries used in the 'dirs' array */
|
||||
@@ -144,6 +146,9 @@ struct ftp_conn {
|
||||
ftpstate state; /* always use ftp.c:state() to change state! */
|
||||
ftpstate state_saved; /* transfer type saved to be reloaded after
|
||||
data connection is established */
|
||||
+ unsigned char use_ssl; /* if AUTH TLS is to be attempted etc, for FTP or
|
||||
+ IMAP or POP3 or others! (type: curl_usessl)*/
|
||||
+ unsigned char ccc; /* ccc level for this connection */
|
||||
curl_off_t retr_size_saved; /* Size of retrieved file saved */
|
||||
char *server_os; /* The target server operating system. */
|
||||
curl_off_t known_filesize; /* file size is different from -1, if wildcard
|
||||
diff --git a/lib/setopt.c b/lib/setopt.c
|
||||
index 3339a67..6fc111d 100644
|
||||
--- a/lib/setopt.c
|
||||
+++ b/lib/setopt.c
|
||||
@@ -2039,7 +2039,7 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option,
|
||||
arg = va_arg(param, long);
|
||||
if((arg < CURLUSESSL_NONE) || (arg > CURLUSESSL_ALL))
|
||||
return CURLE_BAD_FUNCTION_ARGUMENT;
|
||||
- data->set.use_ssl = (curl_usessl)arg;
|
||||
+ data->set.use_ssl = (unsigned char)arg;
|
||||
break;
|
||||
|
||||
case CURLOPT_SSL_OPTIONS:
|
||||
diff --git a/lib/url.c b/lib/url.c
|
||||
index 61ba832..4e21838 100644
|
||||
--- a/lib/url.c
|
||||
+++ b/lib/url.c
|
||||
@@ -1309,7 +1309,18 @@ ConnectionExists(struct Curl_easy *data,
|
||||
if(!ssh_config_matches(needle, check))
|
||||
continue;
|
||||
}
|
||||
-
|
||||
+#ifndef CURL_DISABLE_FTP
|
||||
+ if(needle->handler->protocol & (CURLPROTO_FTP|CURLPROTO_FTPS)) {
|
||||
+ /* Also match ACCOUNT, ALTERNATIVE-TO-USER, USE_SSL and CCC options */
|
||||
+ if(Curl_timestrcmp(needle->proto.ftpc.account,
|
||||
+ check->proto.ftpc.account) ||
|
||||
+ Curl_timestrcmp(needle->proto.ftpc.alternative_to_user,
|
||||
+ check->proto.ftpc.alternative_to_user) ||
|
||||
+ (needle->proto.ftpc.use_ssl != check->proto.ftpc.use_ssl) ||
|
||||
+ (needle->proto.ftpc.ccc != check->proto.ftpc.ccc))
|
||||
+ continue;
|
||||
+ }
|
||||
+#endif
|
||||
if(!needle->bits.httpproxy || (needle->handler->flags&PROTOPT_SSL) ||
|
||||
needle->bits.tunnel_proxy) {
|
||||
/* The requested connection does not use a HTTP proxy or it uses SSL or
|
||||
diff --git a/lib/urldata.h b/lib/urldata.h
|
||||
index 9d9ca92..4e2f5b9 100644
|
||||
--- a/lib/urldata.h
|
||||
+++ b/lib/urldata.h
|
||||
@@ -1498,6 +1498,8 @@ struct UserDefined {
|
||||
curl_write_callback fwrite_header; /* function that stores headers */
|
||||
curl_write_callback fwrite_rtp; /* function that stores interleaved RTP */
|
||||
curl_read_callback fread_func_set; /* function that reads the input */
|
||||
+ unsigned char use_ssl; /* if AUTH TLS is to be attempted etc, for FTP or
|
||||
+ IMAP or POP3 or others! (type: curl_usessl)*/
|
||||
int is_fread_set; /* boolean, has read callback been set to non-NULL? */
|
||||
int is_fwrite_set; /* boolean, has write callback been set to non-NULL? */
|
||||
curl_progress_callback fprogress; /* OLD and deprecated progress callback */
|
||||
@@ -1622,8 +1624,6 @@ struct UserDefined {
|
||||
bool ftp_use_eprt; /* if EPRT is to be attempted or not */
|
||||
bool ftp_use_pret; /* if PRET is to be used before PASV or not */
|
||||
|
||||
- curl_usessl use_ssl; /* if AUTH TLS is to be attempted etc, for FTP or
|
||||
- IMAP or POP3 or others! */
|
||||
curl_ftpauth ftpsslauth; /* what AUTH XXX to be attempted */
|
||||
curl_ftpccc ftp_ccc; /* FTP CCC options */
|
||||
bool no_signal; /* do not use any signal/alarm handler */
|
||||
--
|
||||
2.39.2
|
||||
|
||||
@ -1,55 +0,0 @@
|
||||
From 9d6dd7bc1dea42ae8e710aeae714e2a2c290de61 Mon Sep 17 00:00:00 2001
|
||||
From: Daniel Stenberg <daniel@haxx.se>
|
||||
Date: Fri, 10 Mar 2023 09:22:43 +0100
|
||||
Subject: [PATCH] url: only reuse connections with same GSS delegation
|
||||
|
||||
Reported-by: Harry Sintonen
|
||||
Closes #10731
|
||||
|
||||
Upstream-commit: cb49e67303dbafbab1cebf4086e3ec15b7d56ee5
|
||||
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||
---
|
||||
lib/url.c | 6 ++++++
|
||||
lib/urldata.h | 2 ++
|
||||
2 files changed, 8 insertions(+)
|
||||
|
||||
diff --git a/lib/url.c b/lib/url.c
|
||||
index 3b11b7e..cbbc7f3 100644
|
||||
--- a/lib/url.c
|
||||
+++ b/lib/url.c
|
||||
@@ -1305,6 +1305,11 @@ ConnectionExists(struct Curl_easy *data,
|
||||
}
|
||||
}
|
||||
|
||||
+ /* GSS delegation differences do not actually affect every connection
|
||||
+ and auth method, but this check takes precaution before efficiency */
|
||||
+ if(needle->gssapi_delegation != check->gssapi_delegation)
|
||||
+ continue;
|
||||
+
|
||||
if(needle->handler->protocol & (CURLPROTO_SCP|CURLPROTO_SFTP)) {
|
||||
if(!ssh_config_matches(needle, check))
|
||||
continue;
|
||||
@@ -1949,6 +1954,7 @@ static struct connectdata *allocate_conn(struct Curl_easy *data)
|
||||
it may live on without (this specific) Curl_easy */
|
||||
conn->fclosesocket = data->set.fclosesocket;
|
||||
conn->closesocket_client = data->set.closesocket_client;
|
||||
+ conn->gssapi_delegation = data->set.gssapi_delegation;
|
||||
|
||||
return conn;
|
||||
error:
|
||||
diff --git a/lib/urldata.h b/lib/urldata.h
|
||||
index ce90304..9e16f26 100644
|
||||
--- a/lib/urldata.h
|
||||
+++ b/lib/urldata.h
|
||||
@@ -856,6 +856,8 @@ struct connectdata {
|
||||
int httpversion; /* the HTTP version*10 reported by the server */
|
||||
int rtspversion; /* the RTSP version*10 reported by the server */
|
||||
|
||||
+ unsigned char gssapi_delegation; /* inherited from set.gssapi_delegation */
|
||||
+
|
||||
struct curltime now; /* "current" time */
|
||||
struct curltime created; /* creation time */
|
||||
curl_socket_t sock[2]; /* two sockets, the second is used for the data
|
||||
--
|
||||
2.39.2
|
||||
|
||||
@ -1,34 +0,0 @@
|
||||
From cc52b2d89397ff26b01d791cd1c605cba741aaa4 Mon Sep 17 00:00:00 2001
|
||||
From: =?UTF-8?q?Felix=20H=C3=A4dicke?= <felixhaedicke@web.de>
|
||||
Date: Wed, 24 Jul 2019 11:47:51 +0200
|
||||
Subject: [PATCH] ssh-libssh: do not specify O_APPEND when not in append mode
|
||||
|
||||
Specifying O_APPEND in conjunction with O_TRUNC and O_CREAT does not
|
||||
make much sense. And this combination of flags is not accepted by all
|
||||
SFTP servers (at least not Apache SSHD).
|
||||
|
||||
Fixes #4147
|
||||
Closes #4148
|
||||
|
||||
Upstream-commit: 62617495102c60124db8a909f592f063e38a89aa
|
||||
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
|
||||
---
|
||||
lib/ssh-libssh.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
diff --git a/lib/ssh-libssh.c b/lib/ssh-libssh.c
|
||||
index 4110be2..2414173 100644
|
||||
--- a/lib/ssh-libssh.c
|
||||
+++ b/lib/ssh-libssh.c
|
||||
@@ -1112,7 +1112,7 @@ static CURLcode myssh_statemach_act(struct connectdata *conn, bool *block)
|
||||
flags = O_WRONLY|O_APPEND;
|
||||
else
|
||||
/* Clear file before writing (normal behaviour) */
|
||||
- flags = O_WRONLY|O_APPEND|O_CREAT|O_TRUNC;
|
||||
+ flags = O_WRONLY|O_CREAT|O_TRUNC;
|
||||
|
||||
if(sshc->sftp_file)
|
||||
sftp_close(sshc->sftp_file);
|
||||
--
|
||||
2.39.2
|
||||
|
||||
@ -1,307 +0,0 @@
|
||||
From 199f2d440d8659b42670c1b796220792b01a97bf Mon Sep 17 00:00:00 2001
|
||||
From: Daniel Stenberg <daniel@haxx.se>
|
||||
Date: Mon, 24 Apr 2023 21:07:02 +0200
|
||||
Subject: [PATCH] hostcheck: fix host name wildcard checking
|
||||
|
||||
The leftmost "label" of the host name can now only match against single
|
||||
'*'. Like the browsers have worked for a long time.
|
||||
|
||||
- extended unit test 1397 for this
|
||||
- move some SOURCE variables from unit/Makefile.am to unit/Makefile.inc
|
||||
|
||||
Reported-by: Hiroki Kurosawa
|
||||
Closes #11018
|
||||
---
|
||||
lib/hostcheck.c | 50 +++++++--------
|
||||
tests/data/test1397 | 10 ++-
|
||||
tests/unit/Makefile.am | 94 ----------------------------
|
||||
tests/unit/Makefile.inc | 94 ++++++++++++++++++++++++++++
|
||||
tests/unit/unit1397.c | 134 ++++++++++++++++++++++++----------------
|
||||
5 files changed, 202 insertions(+), 180 deletions(-)
|
||||
|
||||
diff --git a/lib/hostcheck.c b/lib/hostcheck.c
|
||||
index e827dc58f378c..d061c6356f97f 100644
|
||||
--- a/lib/hostcheck.c
|
||||
+++ b/lib/hostcheck.c
|
||||
@@ -43,6 +43,17 @@
|
||||
/* The last #include file should be: */
|
||||
#include "memdebug.h"
|
||||
|
||||
+/* check the two input strings with given length, but do not
|
||||
+ assume they end in nul-bytes */
|
||||
+static int pmatch(const char *hostname, size_t hostlen,
|
||||
+ const char *pattern, size_t patternlen)
|
||||
+{
|
||||
+ if(hostlen != patternlen)
|
||||
+ return CURL_HOST_NOMATCH;
|
||||
+ return strncasecompare(hostname, pattern, hostlen) ?
|
||||
+ CURL_HOST_MATCH : CURL_HOST_NOMATCH;
|
||||
+}
|
||||
+
|
||||
/*
|
||||
* Match a hostname against a wildcard pattern.
|
||||
* E.g.
|
||||
@@ -65,26 +76,31 @@
|
||||
|
||||
static int hostmatch(char *hostname, char *pattern)
|
||||
{
|
||||
- const char *pattern_label_end, *pattern_wildcard, *hostname_label_end;
|
||||
- int wildcard_enabled;
|
||||
- size_t prefixlen, suffixlen;
|
||||
+ size_t hostlen, patternlen;
|
||||
+ const char *pattern_label_end;
|
||||
struct in_addr ignored;
|
||||
#ifdef ENABLE_IPV6
|
||||
struct sockaddr_in6 si6;
|
||||
#endif
|
||||
|
||||
+ DEBUGASSERT(pattern);
|
||||
+ DEBUGASSERT(hostname);
|
||||
+
|
||||
+ hostlen = strlen(hostname);
|
||||
+ patternlen = strlen(pattern);
|
||||
+
|
||||
/* normalize pattern and hostname by stripping off trailing dots */
|
||||
- size_t len = strlen(hostname);
|
||||
- if(hostname[len-1]=='.')
|
||||
- hostname[len-1] = 0;
|
||||
- len = strlen(pattern);
|
||||
- if(pattern[len-1]=='.')
|
||||
- pattern[len-1] = 0;
|
||||
-
|
||||
- pattern_wildcard = strchr(pattern, '*');
|
||||
- if(pattern_wildcard == NULL)
|
||||
- return strcasecompare(pattern, hostname) ?
|
||||
- CURL_HOST_MATCH : CURL_HOST_NOMATCH;
|
||||
+ if(hostname[hostlen-1]=='.') {
|
||||
+ hostname[hostlen-1] = 0;
|
||||
+ hostlen--;
|
||||
+ }
|
||||
+ if(pattern[patternlen-1]=='.') {
|
||||
+ pattern[patternlen-1] = 0;
|
||||
+ patternlen--;
|
||||
+ }
|
||||
+
|
||||
+ if(strncmp(pattern, "*.", 2))
|
||||
+ return pmatch(hostname, hostlen, pattern, patternlen);
|
||||
|
||||
/* detect IP address as hostname and fail the match if so */
|
||||
if(Curl_inet_pton(AF_INET, hostname, &ignored) > 0)
|
||||
@@ -96,34 +108,20 @@ static int hostmatch(char *hostname, char *pattern)
|
||||
|
||||
/* We require at least 2 dots in pattern to avoid too wide wildcard
|
||||
match. */
|
||||
- wildcard_enabled = 1;
|
||||
pattern_label_end = strchr(pattern, '.');
|
||||
- if(pattern_label_end == NULL || strchr(pattern_label_end + 1, '.') == NULL ||
|
||||
- pattern_wildcard > pattern_label_end ||
|
||||
- strncasecompare(pattern, "xn--", 4)) {
|
||||
- wildcard_enabled = 0;
|
||||
+ if(pattern_label_end == NULL ||
|
||||
+ (strrchr(pattern, '.') == pattern_label_end))
|
||||
+ return pmatch(pattern, patternlen, hostname, hostlen);
|
||||
+
|
||||
+ const char *hostname_label_end = strchr(hostname, '.');
|
||||
+ if(hostname_label_end != NULL) {
|
||||
+ size_t skiphost = hostname_label_end - hostname;
|
||||
+ size_t skiplen = pattern_label_end - pattern;
|
||||
+ return pmatch(hostname_label_end, hostlen - skiphost,
|
||||
+ pattern_label_end, patternlen - skiplen);
|
||||
}
|
||||
- if(!wildcard_enabled)
|
||||
- return strcasecompare(pattern, hostname) ?
|
||||
- CURL_HOST_MATCH : CURL_HOST_NOMATCH;
|
||||
-
|
||||
- hostname_label_end = strchr(hostname, '.');
|
||||
- if(hostname_label_end == NULL ||
|
||||
- !strcasecompare(pattern_label_end, hostname_label_end))
|
||||
- return CURL_HOST_NOMATCH;
|
||||
|
||||
- /* The wildcard must match at least one character, so the left-most
|
||||
- label of the hostname is at least as large as the left-most label
|
||||
- of the pattern. */
|
||||
- if(hostname_label_end - hostname < pattern_label_end - pattern)
|
||||
- return CURL_HOST_NOMATCH;
|
||||
-
|
||||
- prefixlen = pattern_wildcard - pattern;
|
||||
- suffixlen = pattern_label_end - (pattern_wildcard + 1);
|
||||
- return strncasecompare(pattern, hostname, prefixlen) &&
|
||||
- strncasecompare(pattern_wildcard + 1, hostname_label_end - suffixlen,
|
||||
- suffixlen) ?
|
||||
- CURL_HOST_MATCH : CURL_HOST_NOMATCH;
|
||||
+ return CURL_HOST_NOMATCH;
|
||||
}
|
||||
|
||||
int Curl_cert_hostcheck(const char *match_pattern, const char *hostname)
|
||||
diff --git a/tests/data/test1397 b/tests/data/test1397
|
||||
index 84f962abebee3..f31b2c2a3f330 100644
|
||||
--- a/tests/data/test1397
|
||||
+++ b/tests/data/test1397
|
||||
@@ -2,8 +2,7 @@
|
||||
<info>
|
||||
<keywords>
|
||||
unittest
|
||||
-ssl
|
||||
-wildcard
|
||||
+Curl_cert_hostcheck
|
||||
</keywords>
|
||||
</info>
|
||||
|
||||
@@ -15,10 +14,10 @@ none
|
||||
<features>
|
||||
unittest
|
||||
</features>
|
||||
- <name>
|
||||
-Check wildcard certificate matching function Curl_cert_hostcheck
|
||||
- </name>
|
||||
+<name>
|
||||
+Curl_cert_hostcheck unit tests
|
||||
+</name>
|
||||
<tool>
|
||||
unit1397
|
||||
</tool>
|
||||
</client>
|
||||
diff --git a/tests/unit/unit1397.c b/tests/unit/unit1397.c
|
||||
index 2f3d3aa4d09e1..3ae75618d5d10 100644
|
||||
--- a/tests/unit/unit1397.c
|
||||
+++ b/tests/unit/unit1397.c
|
||||
@@ -21,8 +21,6 @@
|
||||
***************************************************************************/
|
||||
#include "curlcheck.h"
|
||||
|
||||
-#include "hostcheck.h" /* from the lib dir */
|
||||
-
|
||||
static CURLcode unit_setup(void)
|
||||
{
|
||||
return CURLE_OK;
|
||||
@@ -30,50 +28,91 @@ static CURLcode unit_setup(void)
|
||||
|
||||
static void unit_stop(void)
|
||||
{
|
||||
- /* done before shutting down and exiting */
|
||||
}
|
||||
|
||||
-UNITTEST_START
|
||||
-
|
||||
/* only these backends define the tested functions */
|
||||
-#if defined(USE_OPENSSL) || defined(USE_AXTLS) || defined(USE_GSKIT)
|
||||
-
|
||||
- /* here you start doing things and checking that the results are good */
|
||||
+#if defined(USE_OPENSSL) || defined(USE_GSKIT) || defined(USE_SCHANNEL)
|
||||
+#include "hostcheck.h"
|
||||
+struct testcase {
|
||||
+ const char *host;
|
||||
+ const char *pattern;
|
||||
+ bool match;
|
||||
+};
|
||||
|
||||
-fail_unless(Curl_cert_hostcheck("www.example.com", "www.example.com"),
|
||||
- "good 1");
|
||||
-fail_unless(Curl_cert_hostcheck("*.example.com", "www.example.com"),
|
||||
- "good 2");
|
||||
-fail_unless(Curl_cert_hostcheck("xxx*.example.com", "xxxwww.example.com"),
|
||||
- "good 3");
|
||||
-fail_unless(Curl_cert_hostcheck("f*.example.com", "foo.example.com"),
|
||||
- "good 4");
|
||||
-fail_unless(Curl_cert_hostcheck("192.168.0.0", "192.168.0.0"),
|
||||
- "good 5");
|
||||
-
|
||||
-fail_if(Curl_cert_hostcheck("xxx.example.com", "www.example.com"), "bad 1");
|
||||
-fail_if(Curl_cert_hostcheck("*", "www.example.com"), "bad 2");
|
||||
-fail_if(Curl_cert_hostcheck("*.*.com", "www.example.com"), "bad 3");
|
||||
-fail_if(Curl_cert_hostcheck("*.example.com", "baa.foo.example.com"), "bad 4");
|
||||
-fail_if(Curl_cert_hostcheck("f*.example.com", "baa.example.com"), "bad 5");
|
||||
-fail_if(Curl_cert_hostcheck("*.com", "example.com"), "bad 6");
|
||||
-fail_if(Curl_cert_hostcheck("*fail.com", "example.com"), "bad 7");
|
||||
-fail_if(Curl_cert_hostcheck("*.example.", "www.example."), "bad 8");
|
||||
-fail_if(Curl_cert_hostcheck("*.example.", "www.example"), "bad 9");
|
||||
-fail_if(Curl_cert_hostcheck("", "www"), "bad 10");
|
||||
-fail_if(Curl_cert_hostcheck("*", "www"), "bad 11");
|
||||
-fail_if(Curl_cert_hostcheck("*.168.0.0", "192.168.0.0"), "bad 12");
|
||||
-fail_if(Curl_cert_hostcheck("www.example.com", "192.168.0.0"), "bad 13");
|
||||
-
|
||||
-#ifdef ENABLE_IPV6
|
||||
-fail_if(Curl_cert_hostcheck("*::3285:a9ff:fe46:b619",
|
||||
- "fe80::3285:a9ff:fe46:b619"), "bad 14");
|
||||
-fail_unless(Curl_cert_hostcheck("fe80::3285:a9ff:fe46:b619",
|
||||
- "fe80::3285:a9ff:fe46:b619"), "good 6");
|
||||
-#endif
|
||||
+static struct testcase tests[] = {
|
||||
+ {"", "", FALSE},
|
||||
+ {"a", "", FALSE},
|
||||
+ {"", "b", FALSE},
|
||||
+ {"a", "b", FALSE},
|
||||
+ {"aa", "bb", FALSE},
|
||||
+ {"\xff", "\xff", TRUE},
|
||||
+ {"aa.aa.aa", "aa.aa.bb", FALSE},
|
||||
+ {"aa.aa.aa", "aa.aa.aa", TRUE},
|
||||
+ {"aa.aa.aa", "*.aa.bb", FALSE},
|
||||
+ {"aa.aa.aa", "*.aa.aa", TRUE},
|
||||
+ {"192.168.0.1", "192.168.0.1", TRUE},
|
||||
+ {"192.168.0.1", "*.168.0.1", FALSE},
|
||||
+ {"192.168.0.1", "*.0.1", FALSE},
|
||||
+ {"h.ello", "*.ello", FALSE},
|
||||
+ {"h.ello.", "*.ello", FALSE},
|
||||
+ {"h.ello", "*.ello.", FALSE},
|
||||
+ {"h.e.llo", "*.e.llo", TRUE},
|
||||
+ {"h.e.llo", " *.e.llo", FALSE},
|
||||
+ {" h.e.llo", "*.e.llo", TRUE},
|
||||
+ {"h.e.llo.", "*.e.llo", TRUE},
|
||||
+ {"*.e.llo.", "*.e.llo", TRUE},
|
||||
+ {"************.e.llo.", "*.e.llo", TRUE},
|
||||
+ {"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
|
||||
+ "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB"
|
||||
+ "CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC"
|
||||
+ "DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD"
|
||||
+ "EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE"
|
||||
+ ".e.llo.", "*.e.llo", TRUE},
|
||||
+ {"\xfe\xfe.e.llo.", "*.e.llo", TRUE},
|
||||
+ {"h.e.llo.", "*.e.llo.", TRUE},
|
||||
+ {"h.e.llo", "*.e.llo.", TRUE},
|
||||
+ {".h.e.llo", "*.e.llo.", FALSE},
|
||||
+ {"h.e.llo", "*.*.llo.", FALSE},
|
||||
+ {"h.e.llo", "h.*.llo", FALSE},
|
||||
+ {"h.e.llo", "h.e.*", FALSE},
|
||||
+ {"hello", "*.ello", FALSE},
|
||||
+ {"hello", "**llo", FALSE},
|
||||
+ {"bar.foo.example.com", "*.example.com", FALSE},
|
||||
+ {"foo.example.com", "*.example.com", TRUE},
|
||||
+ {"baz.example.net", "b*z.example.net", FALSE},
|
||||
+ {"foobaz.example.net", "*baz.example.net", FALSE},
|
||||
+ {"xn--l8j.example.local", "x*.example.local", FALSE},
|
||||
+ {"xn--l8j.example.net", "*.example.net", TRUE},
|
||||
+ {"xn--l8j.example.net", "*j.example.net", FALSE},
|
||||
+ {"xn--l8j.example.net", "xn--l8j.example.net", TRUE},
|
||||
+ {"xn--l8j.example.net", "xn--l8j.*.net", FALSE},
|
||||
+ {"xl8j.example.net", "*.example.net", TRUE},
|
||||
+ {"fe80::3285:a9ff:fe46:b619", "*::3285:a9ff:fe46:b619", FALSE},
|
||||
+ {"fe80::3285:a9ff:fe46:b619", "fe80::3285:a9ff:fe46:b619", TRUE},
|
||||
+ {NULL, NULL, FALSE}
|
||||
+};
|
||||
|
||||
-#endif
|
||||
+UNITTEST_START
|
||||
+{
|
||||
+ int i;
|
||||
+ for(i = 0; tests[i].host; i++) {
|
||||
+ if(tests[i].match != Curl_cert_hostcheck(tests[i].pattern,
|
||||
+ tests[i].host)) {
|
||||
+ fprintf(stderr,
|
||||
+ "HOST: %s\n"
|
||||
+ "PTRN: %s\n"
|
||||
+ "did %sMATCH\n",
|
||||
+ tests[i].host,
|
||||
+ tests[i].pattern,
|
||||
+ tests[i].match ? "NOT ": "");
|
||||
+ unitfail++;
|
||||
+ }
|
||||
+ }
|
||||
+}
|
||||
+UNITTEST_STOP
|
||||
+#else
|
||||
|
||||
- /* you end the test code like this: */
|
||||
+UNITTEST_START
|
||||
|
||||
UNITTEST_STOP
|
||||
+#endif
|
||||
File diff suppressed because it is too large
Load Diff
@ -1,169 +0,0 @@
|
||||
From be17dc9d31e805c03372b690dde67838b3bfc12d Mon Sep 17 00:00:00 2001
|
||||
From: Daniel Stenberg <daniel@haxx.se>
|
||||
Date: Wed, 24 May 2023 16:34:11 +0200
|
||||
Subject: [PATCH] libssh: when keyboard-interactive auth fails, try password
|
||||
MIME-Version: 1.0
|
||||
Content-Type: text/plain; charset=UTF-8
|
||||
Content-Transfer-Encoding: 8bit
|
||||
|
||||
The state machine had a mistake in that it would not carry on to that
|
||||
next step.
|
||||
|
||||
This also adds a verbose output what methods that are available from the
|
||||
server and renames the macros that change to the next auth methods to
|
||||
try.
|
||||
|
||||
Reported-by: 左潇峰
|
||||
Fixes #11196
|
||||
Closes #11197
|
||||
---
|
||||
lib/ssh-libssh.c | 43 +++++++++++++++++++++++++++----------------
|
||||
1 file changed, 27 insertions(+), 16 deletions(-)
|
||||
|
||||
diff --git a/lib/ssh-libssh.c b/lib/ssh-libssh.c
|
||||
index 7ebe61321419f..1cecb649cb623 100644
|
||||
--- a/lib/ssh-libssh.c
|
||||
+++ b/lib/ssh-libssh.c
|
||||
@@ -442,7 +442,7 @@ static int myssh_is_known(struct Curl_easy *data)
|
||||
break; \
|
||||
}
|
||||
|
||||
-#define MOVE_TO_LAST_AUTH \
|
||||
+#define MOVE_TO_PASSWD_AUTH \
|
||||
if(sshc->auth_methods & SSH_AUTH_METHOD_PASSWORD) { \
|
||||
rc = SSH_OK; \
|
||||
state(conn, SSH_AUTH_PASS_INIT); \
|
||||
@@ -452,25 +452,25 @@ static int myssh_is_known(struct Curl_easy *data)
|
||||
MOVE_TO_ERROR_STATE(CURLE_LOGIN_DENIED); \
|
||||
}
|
||||
|
||||
-#define MOVE_TO_TERTIARY_AUTH \
|
||||
+#define MOVE_TO_KEY_AUTH \
|
||||
if(sshc->auth_methods & SSH_AUTH_METHOD_INTERACTIVE) { \
|
||||
rc = SSH_OK; \
|
||||
state(conn, SSH_AUTH_KEY_INIT); \
|
||||
break; \
|
||||
} \
|
||||
else { \
|
||||
- MOVE_TO_LAST_AUTH; \
|
||||
+ MOVE_TO_PASSWD_AUTH; \
|
||||
}
|
||||
|
||||
-#define MOVE_TO_SECONDARY_AUTH \
|
||||
+#define MOVE_TO_GSSAPI_AUTH \
|
||||
if(sshc->auth_methods & SSH_AUTH_METHOD_GSSAPI_MIC) { \
|
||||
rc = SSH_OK; \
|
||||
state(conn, SSH_AUTH_GSSAPI); \
|
||||
break; \
|
||||
} \
|
||||
else { \
|
||||
- MOVE_TO_TERTIARY_AUTH; \
|
||||
+ MOVE_TO_KEY_AUTH; \
|
||||
}
|
||||
|
||||
static
|
||||
int myssh_auth_interactive(struct connectdata *conn)
|
||||
@@ -617,6 +617,16 @@ static CURLcode myssh_statemach_act(struct Curl_easy *data, bool *block)
|
||||
}
|
||||
|
||||
sshc->auth_methods = ssh_userauth_list(sshc->ssh_session, NULL);
|
||||
+ if(sshc->auth_methods)
|
||||
+ infof(data, "SSH authentication methods available: %s%s%s%s",
|
||||
+ sshc->auth_methods & SSH_AUTH_METHOD_PUBLICKEY ?
|
||||
+ "public key, ": "",
|
||||
+ sshc->auth_methods & SSH_AUTH_METHOD_GSSAPI_MIC ?
|
||||
+ "GSSAPI, " : "",
|
||||
+ sshc->auth_methods & SSH_AUTH_METHOD_INTERACTIVE ?
|
||||
+ "keyboard-interactive, " : "",
|
||||
+ sshc->auth_methods & SSH_AUTH_METHOD_PASSWORD ?
|
||||
+ "password": "");
|
||||
if(sshc->auth_methods & SSH_AUTH_METHOD_PUBLICKEY) {
|
||||
state(conn, SSH_AUTH_PKEY_INIT);
|
||||
infof(data, "Authentication using SSH public key file\n");
|
||||
@@ -761,8 +761,8 @@ static CURLcode myssh_statemach_act(struct Curl_easy *data, bool *block)
|
||||
}
|
||||
case SSH_AUTH_PKEY_INIT:
|
||||
if(!(data->set.ssh_auth_types & CURLSSH_AUTH_PUBLICKEY)) {
|
||||
- MOVE_TO_SECONDARY_AUTH;
|
||||
+ MOVE_TO_GSSAPI_AUTH;
|
||||
}
|
||||
|
||||
/* Two choices, (1) private key was given on CMD,
|
||||
* (2) use the "default" keys. */
|
||||
@@ -776,7 +776,7 @@ static CURLcode myssh_statemach_act(struct Curl_easy *data, bool *block)
|
||||
}
|
||||
|
||||
if(rc != SSH_OK) {
|
||||
- MOVE_TO_SECONDARY_AUTH;
|
||||
+ MOVE_TO_GSSAPI_AUTH;
|
||||
}
|
||||
}
|
||||
|
||||
@@ -826,7 +836,7 @@ static CURLcode myssh_statemach_act(struct Curl_easy *data, bool *block)
|
||||
break;
|
||||
}
|
||||
|
||||
- MOVE_TO_SECONDARY_AUTH;
|
||||
+ MOVE_TO_GSSAPI_AUTH;
|
||||
}
|
||||
break;
|
||||
case SSH_AUTH_PKEY:
|
||||
@@ -828,13 +828,13 @@ static CURLcode myssh_statemach_act(struct Curl_easy *data, bool *block)
|
||||
}
|
||||
else {
|
||||
infof(data, "Failed public key authentication (rc: %d)\n", rc);
|
||||
- MOVE_TO_SECONDARY_AUTH;
|
||||
+ MOVE_TO_GSSAPI_AUTH;
|
||||
}
|
||||
break;
|
||||
|
||||
case SSH_AUTH_GSSAPI:
|
||||
if(!(data->set.ssh_auth_types & CURLSSH_AUTH_GSSAPI)) {
|
||||
- MOVE_TO_TERTIARY_AUTH;
|
||||
+ MOVE_TO_KEY_AUTH;
|
||||
}
|
||||
|
||||
rc = ssh_userauth_gssapi(sshc->ssh_session);
|
||||
@@ -851,7 +851,7 @@ static CURLcode myssh_statemach_act(struct Curl_easy *data, bool *block)
|
||||
break;
|
||||
}
|
||||
|
||||
- MOVE_TO_TERTIARY_AUTH;
|
||||
+ MOVE_TO_KEY_AUTH;
|
||||
break;
|
||||
|
||||
case SSH_AUTH_KEY_INIT:
|
||||
@@ -736,13 +736,12 @@ static CURLcode myssh_statemach_act(struct Curl_easy *data, bool *block)
|
||||
state(conn, SSH_AUTH_KEY);
|
||||
}
|
||||
else {
|
||||
- MOVE_TO_LAST_AUTH;
|
||||
+ MOVE_TO_PASSWD_AUTH;
|
||||
}
|
||||
break;
|
||||
|
||||
case SSH_AUTH_KEY:
|
||||
-
|
||||
- /* Authentication failed. Continue with keyboard-interactive now. */
|
||||
+ /* keyboard-interactive authentication */
|
||||
rc = myssh_auth_interactive(conn);
|
||||
if(rc == SSH_AGAIN) {
|
||||
break;
|
||||
@@ -759,13 +759,15 @@ static CURLcode myssh_statemach_act(struct Curl_easy *data, bool *block)
|
||||
if(rc == SSH_OK) {
|
||||
sshc->authed = TRUE;
|
||||
infof(data, "completed keyboard interactive authentication\n");
|
||||
+ state(conn, SSH_AUTH_DONE);
|
||||
+ }
|
||||
+ else {
|
||||
+ MOVE_TO_PASSWD_AUTH;
|
||||
}
|
||||
- state(conn, SSH_AUTH_DONE);
|
||||
break;
|
||||
|
||||
case SSH_AUTH_PASS_INIT:
|
||||
if(!(data->set.ssh_auth_types & CURLSSH_AUTH_PASSWORD)) {
|
||||
- /* Host key authentication is intentionally not implemented */
|
||||
MOVE_TO_ERROR_STATE(CURLE_LOGIN_DENIED);
|
||||
}
|
||||
state(conn, SSH_AUTH_PASS);
|
||||
@ -1,31 +0,0 @@
|
||||
From 35eb2614d86316ba9f5a6806ce64f56680fa1e97 Mon Sep 17 00:00:00 2001
|
||||
From: Jakub Jelen <jjelen@redhat.com>
|
||||
Date: Tue, 5 Sep 2023 17:33:41 +0200
|
||||
Subject: [PATCH] libssh: cap SFTP packet size sent
|
||||
|
||||
Due to libssh limitations
|
||||
|
||||
Signed-off-by: Jakub Jelen <jjelen@redhat.com>
|
||||
|
||||
Closes #11804
|
||||
---
|
||||
lib/ssh-libssh.c | 6 ++++++
|
||||
1 file changed, 6 insertions(+)
|
||||
|
||||
diff --git a/lib/ssh-libssh.c b/lib/ssh-libssh.c
|
||||
index dea0084575859..7c6a2e53f338f 100644
|
||||
--- a/lib/ssh-libssh.c
|
||||
+++ b/lib/ssh-libssh.c
|
||||
@@ -2412,6 +2412,12 @@ static ssize_t sftp_send(struct Curl_easy *data, int sockindex,
|
||||
ssize_t nwrite;
|
||||
(void)sockindex;
|
||||
|
||||
+ /* limit the writes to the maximum specified in Section 3 of
|
||||
+ * https://datatracker.ietf.org/doc/html/draft-ietf-secsh-filexfer-02
|
||||
+ */
|
||||
+ if(len > 32768)
|
||||
+ len = 32768;
|
||||
+
|
||||
nwrite = sftp_write(conn->proto.sshc.sftp_file, mem, len);
|
||||
|
||||
myssh_block2waitfor(conn, FALSE);
|
||||
@ -1,388 +0,0 @@
|
||||
From 47f0d37bfc008c088416f3dcca802c9e087d9bf1 Mon Sep 17 00:00:00 2001
|
||||
From: Daniel Stenberg <daniel@haxx.se>
|
||||
Date: Tue, 25 Apr 2023 08:28:01 +0200
|
||||
Subject: [PATCH] lib: unify the upload/method handling
|
||||
|
||||
By making sure we set state.upload based on the set.method value and not
|
||||
independently as set.upload, we reduce confusion and mixup risks, both
|
||||
internally and externally.
|
||||
---
|
||||
lib/curl_rtmp.c | 4 ++--
|
||||
lib/file.c | 4 ++--
|
||||
lib/ftp.c | 8 ++++----
|
||||
lib/http.c | 4 ++--
|
||||
lib/imap.c | 6 +++---
|
||||
lib/rtsp.c | 4 ++--
|
||||
lib/setopt.c | 6 ++----
|
||||
lib/smb.c | 6 +++---
|
||||
lib/smtp.c | 4 ++--
|
||||
lib/tftp.c | 8 ++++----
|
||||
lib/transfer.c | 4 ++--
|
||||
lib/urldata.h | 2 +-
|
||||
lib/ssh-libssh.c | 6 +++---
|
||||
lib/ssh.c | 6 +++---
|
||||
14 files changed, 36 insertions(+), 38 deletions(-)
|
||||
|
||||
diff --git a/lib/curl_rtmp.c b/lib/curl_rtmp.c
|
||||
index 2679a2cdc1afe..406fb42ac0f44 100644
|
||||
--- a/lib/curl_rtmp.c
|
||||
+++ b/lib/curl_rtmp.c
|
||||
@@ -231,7 +231,7 @@ static CURLcode rtmp_connect(struct Curl_easy *data, bool *done)
|
||||
/* We have to know if it's a write before we send the
|
||||
* connect request packet
|
||||
*/
|
||||
- if(conn->data->set.upload)
|
||||
+ if(conn->data->state.upload)
|
||||
r->Link.protocol |= RTMP_FEATURE_WRITE;
|
||||
|
||||
/* For plain streams, use the buffer toggle trick to keep data flowing */
|
||||
@@ -263,7 +263,7 @@ static CURLcode rtmp_do(struct Curl_easy *data, bool *done)
|
||||
if(!RTMP_ConnectStream(r, 0))
|
||||
return CURLE_FAILED_INIT;
|
||||
|
||||
- if(conn->data->set.upload) {
|
||||
+ if(conn->data->state.upload) {
|
||||
Curl_pgrsSetUploadSize(conn->data, conn->data->state.infilesize);
|
||||
Curl_setup_transfer(conn, -1, -1, FALSE, NULL, FIRSTSOCKET, NULL);
|
||||
}
|
||||
diff --git a/lib/file.c b/lib/file.c
|
||||
index 51c5d07ce40ab..c751e8861a99b 100644
|
||||
--- a/lib/file.c
|
||||
+++ b/lib/file.c
|
||||
@@ -240,7 +240,7 @@ static CURLcode file_connect(struct Curl_easy *data, bool *done)
|
||||
file->freepath = real_path; /* free this when done */
|
||||
|
||||
file->fd = fd;
|
||||
- if(!data->set.upload && (fd == -1)) {
|
||||
+ if(!data->state.upload && (fd == -1)) {
|
||||
failf(data, "Couldn't open file %s", data->state.path);
|
||||
file_done(conn, CURLE_FILE_COULDNT_READ_FILE, FALSE);
|
||||
return CURLE_FILE_COULDNT_READ_FILE;
|
||||
@@ -422,7 +422,7 @@ static CURLcode file_do(struct Curl_easy *data, bool *done)
|
||||
|
||||
Curl_pgrsStartNow(data);
|
||||
|
||||
- if(data->set.upload)
|
||||
+ if(data->state.upload)
|
||||
return file_upload(conn);
|
||||
|
||||
file = conn->data->req.protop;
|
||||
diff --git a/lib/ftp.c b/lib/ftp.c
|
||||
index f50d7baf622f8..4ff68cc454cbc 100644
|
||||
--- a/lib/ftp.c
|
||||
+++ b/lib/ftp.c
|
||||
@@ -1381,7 +1381,7 @@ static CURLcode ftp_state_prepare_transfer(struct Curl_easy *data)
|
||||
data->set.str[STRING_CUSTOMREQUEST]:
|
||||
(data->set.ftp_list_only?"NLST":"LIST"));
|
||||
}
|
||||
- else if(data->set.upload) {
|
||||
+ else if(data->state.upload) {
|
||||
PPSENDF(&conn->proto.ftpc.pp, "PRET STOR %s", conn->proto.ftpc.file);
|
||||
}
|
||||
else {
|
||||
@@ -3368,7 +3368,7 @@ static CURLcode ftp_done(struct Curl_easy *data, CURLcode status,
|
||||
/* the response code from the transfer showed an error already so no
|
||||
use checking further */
|
||||
;
|
||||
- else if(data->set.upload) {
|
||||
+ else if(data->state.upload) {
|
||||
if((-1 != data->state.infilesize) &&
|
||||
(data->state.infilesize != *ftp->bytecountp) &&
|
||||
!data->set.crlf &&
|
||||
@@ -3640,7 +3640,7 @@ static CURLcode ftp_do_more(struct Curl_easy *data, int *completep)
|
||||
connected back to us */
|
||||
}
|
||||
}
|
||||
- else if(data->set.upload) {
|
||||
+ else if(data->state.upload) {
|
||||
result = ftp_nb_type(conn, data->set.prefer_ascii, FTP_STOR_TYPE);
|
||||
if(result)
|
||||
return result;
|
||||
@@ -4217,7 +4217,7 @@ CURLcode ftp_parse_url_path(struct Curl_easy *data)
|
||||
ftpc->file = NULL; /* instead of point to a zero byte, we make it a NULL
|
||||
pointer */
|
||||
|
||||
- if(data->set.upload && !ftpc->file && (ftp->transfer == FTPTRANSFER_BODY)) {
|
||||
+ if(data->state.upload && !ftpc->file && (ftp->transfer == FTPTRANSFER_BODY)) {
|
||||
/* We need a file name when uploading. Return error! */
|
||||
failf(data, "Uploading to a URL without a file name!");
|
||||
return CURLE_URL_MALFORMAT;
|
||||
diff --git a/lib/http.c b/lib/http.c
|
||||
index 80e43f6f361e8..bffdd3468536d 100644
|
||||
--- a/lib/http.c
|
||||
+++ b/lib/http.c
|
||||
@@ -2112,7 +2112,7 @@ void Curl_http_method(struct Curl_easy *data, struct connectdata *conn,
|
||||
http->writebytecount = http->readbytecount = 0;
|
||||
|
||||
if((conn->handler->protocol&(PROTO_FAMILY_HTTP|CURLPROTO_FTP)) &&
|
||||
- data->set.upload) {
|
||||
+ data->state.upload) {
|
||||
httpreq = HTTPREQ_PUT;
|
||||
}
|
||||
|
||||
@@ -2423,7 +2423,7 @@ CURLcode Curl_http_body(struct Curl_easy *data, struct connectdata *conn,
|
||||
if((conn->handler->protocol & PROTO_FAMILY_HTTP) &&
|
||||
(((httpreq == HTTPREQ_POST_MIME || httpreq == HTTPREQ_POST_FORM) &&
|
||||
http->postsize < 0) ||
|
||||
- (data->set.upload && data->state.infilesize == -1))) {
|
||||
+ (data->state.upload && data->state.infilesize == -1))) {
|
||||
if(conn->bits.authneg)
|
||||
/* don't enable chunked during auth neg */
|
||||
;
|
||||
diff --git a/lib/imap.c b/lib/imap.c
|
||||
index c2f675d4b2618..1952e66a1efcd 100644
|
||||
--- a/lib/imap.c
|
||||
+++ b/lib/imap.c
|
||||
@@ -1511,10 +1511,10 @@ static CURLcode imap_done(struct Curl_easy *data, CURLcode status,
|
||||
result = status; /* use the already set error code */
|
||||
}
|
||||
else if(!data->set.connect_only && !imap->custom &&
|
||||
- (imap->uid || data->set.upload ||
|
||||
+ (imap->uid || data->state.upload ||
|
||||
data->set.mimepost.kind != MIMEKIND_NONE)) {
|
||||
/* Handle responses after FETCH or APPEND transfer has finished */
|
||||
- if(!data->set.upload && data->set.mimepost.kind == MIMEKIND_NONE)
|
||||
+ if(!data->state.upload && data->set.mimepost.kind == MIMEKIND_NONE)
|
||||
state(conn, IMAP_FETCH_FINAL);
|
||||
else {
|
||||
/* End the APPEND command first by sending an empty line */
|
||||
@@ -1581,7 +1581,7 @@ static CURLcode imap_perform(struct Curl_easy *data, bool *connected,
|
||||
selected = TRUE;
|
||||
|
||||
/* Start the first command in the DO phase */
|
||||
- if(conn->data->set.upload || data->set.mimepost.kind != MIMEKIND_NONE)
|
||||
+ if(conn->data->state.upload || data->set.mimepost.kind != MIMEKIND_NONE)
|
||||
/* APPEND can be executed directly */
|
||||
result = imap_perform_append(conn);
|
||||
else if(imap->custom && (selected || !imap->mailbox))
|
||||
index ea99d720ec4eb..ccd7264b00e74 100644
|
||||
--- a/lib/rtsp.c
|
||||
+++ b/lib/rtsp.c
|
||||
@@ -493,7 +493,7 @@ static CURLcode rtsp_do(struct Curl_easy *data, bool *done)
|
||||
rtspreq == RTSPREQ_SET_PARAMETER ||
|
||||
rtspreq == RTSPREQ_GET_PARAMETER) {
|
||||
|
||||
- if(data->set.upload) {
|
||||
+ if(data->state.upload) {
|
||||
putsize = data->state.infilesize;
|
||||
data->set.httpreq = HTTPREQ_PUT;
|
||||
|
||||
@@ -512,7 +512,7 @@ static CURLcode rtsp_do(struct Curl_easy *data, bool *done)
|
||||
if(!Curl_checkheaders(conn, "Content-Length")) {
|
||||
result = Curl_add_bufferf(req_buffer,
|
||||
"Content-Length: %" CURL_FORMAT_CURL_OFF_T"\r\n",
|
||||
- (data->set.upload ? putsize : postsize));
|
||||
+ (data->state.upload ? putsize : postsize));
|
||||
if(result)
|
||||
return result;
|
||||
}
|
||||
diff --git a/lib/setopt.c b/lib/setopt.c
|
||||
index 38f5711e44191..0c3b9634d1192 100644
|
||||
--- a/lib/setopt.c
|
||||
+++ b/lib/setopt.c
|
||||
@@ -333,8 +333,8 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
|
||||
* We want to sent data to the remote host. If this is HTTP, that equals
|
||||
* using the PUT request.
|
||||
*/
|
||||
- data->set.upload = (0 != va_arg(param, long)) ? TRUE : FALSE;
|
||||
- if(data->set.upload) {
|
||||
+ arg = va_arg(param, long);
|
||||
+ if(arg) {
|
||||
/* If this is HTTP, PUT is what's needed to "upload" */
|
||||
data->set.httpreq = HTTPREQ_PUT;
|
||||
data->set.opt_no_body = FALSE; /* this is implied */
|
||||
@@ -888,7 +887,6 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
|
||||
*/
|
||||
if(va_arg(param, long)) {
|
||||
data->set.httpreq = HTTPREQ_GET;
|
||||
- data->set.upload = FALSE; /* switch off upload */
|
||||
data->set.opt_no_body = FALSE; /* this is implied */
|
||||
}
|
||||
break;
|
||||
diff --git a/lib/smb.c b/lib/smb.c
|
||||
index a1e444ee6b97e..d6822213529bc 100644
|
||||
--- a/lib/smb.c
|
||||
+++ b/lib/smb.c
|
||||
@@ -530,7 +530,7 @@ static CURLcode smb_send_open(struct Curl_easy *data)
|
||||
byte_count = strlen(req->path);
|
||||
msg.name_length = smb_swap16((unsigned short)byte_count);
|
||||
msg.share_access = smb_swap32(SMB_FILE_SHARE_ALL);
|
||||
- if(conn->data->set.upload) {
|
||||
+ if(conn->data->state.upload) {
|
||||
msg.access = smb_swap32(SMB_GENERIC_READ | SMB_GENERIC_WRITE);
|
||||
msg.create_disposition = smb_swap32(SMB_FILE_OVERWRITE_IF);
|
||||
}
|
||||
@@ -813,7 +813,7 @@ static CURLcode smb_request_state(struct Curl_easy *data, bool *done)
|
||||
smb_m = (const struct smb_nt_create_response*) msg;
|
||||
req->fid = smb_swap16(smb_m->fid);
|
||||
conn->data->req.offset = 0;
|
||||
- if(conn->data->set.upload) {
|
||||
+ if(conn->data->state.upload) {
|
||||
conn->data->req.size = conn->data->state.infilesize;
|
||||
Curl_pgrsSetUploadSize(conn->data, conn->data->req.size);
|
||||
next_state = SMB_UPLOAD;
|
||||
diff --git a/lib/smtp.c b/lib/smtp.c
|
||||
index 7a030308d4689..c182cace742d7 100644
|
||||
--- a/lib/smtp.c
|
||||
+++ b/lib/smtp.c
|
||||
@@ -1419,7 +1419,7 @@ static CURLcode smtp_done(struct Curl_easy *data, CURLcode status,
|
||||
result = status; /* use the already set error code */
|
||||
}
|
||||
else if(!data->set.connect_only && data->set.mail_rcpt &&
|
||||
- (data->set.upload || data->set.mimepost.kind)) {
|
||||
+ (data->state.upload || data->set.mimepost.kind)) {
|
||||
/* Calculate the EOB taking into account any terminating CRLF from the
|
||||
previous line of the email or the CRLF of the DATA command when there
|
||||
is "no mail data". RFC-5321, sect. 4.1.1.4.
|
||||
@@ -1511,7 +1511,7 @@ static CURLcode smtp_perform(struct Curl_easy *data, bool *connected,
|
||||
smtp->eob = 2;
|
||||
|
||||
/* Start the first command in the DO phase */
|
||||
- if((data->set.upload || data->set.mimepost.kind) && data->set.mail_rcpt)
|
||||
+ if((data->state.upload || data->set.mimepost.kind) && data->set.mail_rcpt)
|
||||
/* MAIL transfer */
|
||||
result = smtp_perform_mail(conn);
|
||||
else
|
||||
diff --git a/lib/tftp.c b/lib/tftp.c
|
||||
index 164d3c723c5b9..8ed1b887b4d21 100644
|
||||
--- a/lib/tftp.c
|
||||
+++ b/lib/tftp.c
|
||||
@@ -370,7 +370,7 @@ static CURLcode tftp_parse_option_ack(struct tftp_state_data *state,
|
||||
|
||||
/* tsize should be ignored on upload: Who cares about the size of the
|
||||
remote file? */
|
||||
- if(!data->set.upload) {
|
||||
+ if(!data->state.upload) {
|
||||
if(!tsize) {
|
||||
failf(data, "invalid tsize -:%s:- value in OACK packet", value);
|
||||
return CURLE_TFTP_ILLEGAL;
|
||||
@@ -451,7 +451,7 @@ static CURLcode tftp_send_first(struct tftp_state_data *state,
|
||||
return result;
|
||||
}
|
||||
|
||||
- if(data->set.upload) {
|
||||
+ if(data->state.upload) {
|
||||
/* If we are uploading, send an WRQ */
|
||||
setpacketevent(&state->spacket, TFTP_EVENT_WRQ);
|
||||
state->conn->data->req.upload_fromhere =
|
||||
@@ -486,7 +486,7 @@ static CURLcode tftp_send_first(struct tftp_state_data *state,
|
||||
if(!data->set.tftp_no_options) {
|
||||
char buf[64];
|
||||
/* add tsize option */
|
||||
- if(data->set.upload && (data->state.infilesize != -1))
|
||||
+ if(data->state.upload && (data->state.infilesize != -1))
|
||||
snprintf(buf, sizeof(buf), "%" CURL_FORMAT_CURL_OFF_T,
|
||||
data->state.infilesize);
|
||||
else
|
||||
@@ -540,7 +540,7 @@ static CURLcode tftp_send_first(struct tftp_state_data *state,
|
||||
break;
|
||||
|
||||
case TFTP_EVENT_OACK:
|
||||
- if(data->set.upload) {
|
||||
+ if(data->state.upload) {
|
||||
result = tftp_connect_for_tx(state, event);
|
||||
}
|
||||
else {
|
||||
diff --git a/lib/transfer.c b/lib/transfer.c
|
||||
index e9ab8fbf09510..cb69f3365855a 100644
|
||||
--- a/lib/transfer.c
|
||||
+++ b/lib/transfer.c
|
||||
@@ -1293,6 +1293,7 @@ void Curl_init_CONNECT(struct Curl_easy *data)
|
||||
{
|
||||
data->state.fread_func = data->set.fread_func_set;
|
||||
data->state.in = data->set.in_set;
|
||||
+ data->state.upload = (data->set.httpreq == HTTPREQ_PUT);
|
||||
}
|
||||
|
||||
/*
|
||||
@@ -1770,7 +1770,7 @@ CURLcode Curl_retry_request(struct Curl_easy *data, char **url)
|
||||
|
||||
/* if we're talking upload, we can't do the checks below, unless the protocol
|
||||
is HTTP as when uploading over HTTP we will still get a response */
|
||||
- if(data->set.upload &&
|
||||
+ if(data->state.upload &&
|
||||
!(conn->handler->protocol&(PROTO_FAMILY_HTTP|CURLPROTO_RTSP)))
|
||||
return CURLE_OK;
|
||||
|
||||
diff --git a/lib/urldata.h b/lib/urldata.h
|
||||
index cca992a0295aa..a8580bdb66fe8 100644
|
||||
--- a/lib/urldata.h
|
||||
+++ b/lib/urldata.h
|
||||
@@ -1494,6 +1494,7 @@ struct UrlState {
|
||||
#ifdef CURLDEBUG
|
||||
bool conncache_lock;
|
||||
#endif
|
||||
+ bool upload; /* upload request */
|
||||
};
|
||||
|
||||
|
||||
@@ -1838,7 +1839,6 @@ struct UserDefined {
|
||||
bool http_set_referer; /* is a custom referer used */
|
||||
bool http_auto_referer; /* set "correct" referer when following location: */
|
||||
bool opt_no_body; /* as set with CURLOPT_NOBODY */
|
||||
- bool upload; /* upload request */
|
||||
enum CURL_NETRC_OPTION
|
||||
use_netrc; /* defined in include/curl.h */
|
||||
bool verbose; /* output verbosity */
|
||||
diff --git a/lib/ssh-libssh.c b/lib/ssh-libssh.c
|
||||
index b31f741ba9492..d60edaa303642 100644
|
||||
--- a/lib/ssh-libssh.c
|
||||
+++ b/lib/ssh-libssh.c
|
||||
@@ -1209,7 +1209,7 @@ static CURLcode myssh_statemach_act(struct Curl_easy *data, bool *block)
|
||||
}
|
||||
|
||||
case SSH_SFTP_TRANS_INIT:
|
||||
- if(data->set.upload)
|
||||
+ if(data->state.upload)
|
||||
state(conn, SSH_SFTP_UPLOAD_INIT);
|
||||
else {
|
||||
if(protop->path[strlen(protop->path)-1] == '/')
|
||||
@@ -1802,7 +1802,7 @@ static CURLcode myssh_statemach_act(struct Curl_easy *data, bool *block)
|
||||
/* Functions from the SCP subsystem cannot handle/return SSH_AGAIN */
|
||||
ssh_set_blocking(sshc->ssh_session, 1);
|
||||
|
||||
- if(data->set.upload) {
|
||||
+ if(data->state.upload) {
|
||||
if(data->state.infilesize < 0) {
|
||||
failf(data, "SCP requires a known file size for upload");
|
||||
sshc->actualcode = CURLE_UPLOAD_FAILED;
|
||||
@@ -1907,7 +1907,7 @@ static CURLcode myssh_statemach_act(struct Curl_easy *data, bool *block)
|
||||
break;
|
||||
}
|
||||
case SSH_SCP_DONE:
|
||||
- if(data->set.upload)
|
||||
+ if(data->state.upload)
|
||||
state(conn, SSH_SCP_SEND_EOF);
|
||||
else
|
||||
state(conn, SSH_SCP_CHANNEL_FREE);
|
||||
diff --git a/lib/ssh.c b/lib/ssh.c
|
||||
index f1154dc47a74e..f2e5352d1fd3a 100644
|
||||
--- a/lib/ssh.c
|
||||
+++ b/lib/ssh.c
|
||||
@@ -2019,7 +2019,7 @@ static CURLcode ssh_statemach_act(struct Curl_easy *data, bool *block)
|
||||
}
|
||||
|
||||
case SSH_SFTP_TRANS_INIT:
|
||||
- if(data->set.upload)
|
||||
+ if(data->state.upload)
|
||||
state(conn, SSH_SFTP_UPLOAD_INIT);
|
||||
else {
|
||||
if(sftp_scp->path[strlen(sftp_scp->path)-1] == '/')
|
||||
@@ -2691,7 +2691,7 @@ static CURLcode ssh_statemach_act(struct Curl_easy *data, bool *block)
|
||||
break;
|
||||
}
|
||||
|
||||
- if(data->set.upload) {
|
||||
+ if(data->state.upload) {
|
||||
if(data->state.infilesize < 0) {
|
||||
failf(data, "SCP requires a known file size for upload");
|
||||
sshc->actualcode = CURLE_UPLOAD_FAILED;
|
||||
@@ -2831,7 +2831,7 @@ static CURLcode ssh_statemach_act(struct Curl_easy *data, bool *block)
|
||||
break;
|
||||
|
||||
case SSH_SCP_DONE:
|
||||
- if(data->set.upload)
|
||||
+ if(data->state.upload)
|
||||
state(conn, SSH_SCP_SEND_EOF);
|
||||
else
|
||||
state(conn, SSH_SCP_CHANNEL_FREE);
|
||||
@ -1,124 +0,0 @@
|
||||
From 61275672b46d9abb3285740467b882e22ed75da8 Mon Sep 17 00:00:00 2001
|
||||
From: Daniel Stenberg <daniel@haxx.se>
|
||||
Date: Thu, 14 Sep 2023 23:28:32 +0200
|
||||
Subject: [PATCH] cookie: remove unnecessary struct fields
|
||||
|
||||
Plus: reduce the hash table size from 256 to 63. It seems unlikely to
|
||||
make much of a speed difference for most use cases but saves 1.5KB of
|
||||
data per instance.
|
||||
|
||||
Closes #11862
|
||||
---
|
||||
lib/cookie.c | 13 +------------
|
||||
lib/cookie.h | 13 ++++---------
|
||||
lib/easy.c | 4 +---
|
||||
3 files changed, 6 insertions(+), 24 deletions(-)
|
||||
|
||||
diff --git a/lib/cookie.c b/lib/cookie.c
|
||||
index 4345a84c6fd9d..e39c89a94a960 100644
|
||||
--- a/lib/cookie.c
|
||||
+++ b/lib/cookie.c
|
||||
@@ -119,7 +119,6 @@ static void freecookie(struct Cookie *co)
|
||||
free(co->name);
|
||||
free(co->value);
|
||||
free(co->maxage);
|
||||
- free(co->version);
|
||||
free(co);
|
||||
}
|
||||
|
||||
@@ -717,11 +716,7 @@ Curl_cookie_add(struct Curl_easy *data,
|
||||
}
|
||||
}
|
||||
else if(strcasecompare("version", name)) {
|
||||
- strstore(&co->version, whatptr);
|
||||
- if(!co->version) {
|
||||
- badcookie = TRUE;
|
||||
- break;
|
||||
- }
|
||||
+ /* just ignore */
|
||||
}
|
||||
else if(strcasecompare("max-age", name)) {
|
||||
/* Defined in RFC2109:
|
||||
@@ -1159,7 +1154,6 @@ Curl_cookie_add(struct Curl_easy *data,
|
||||
free(clist->path);
|
||||
free(clist->spath);
|
||||
free(clist->expirestr);
|
||||
- free(clist->version);
|
||||
free(clist->maxage);
|
||||
|
||||
*clist = *co; /* then store all the new data */
|
||||
@@ -1223,9 +1217,6 @@ struct CookieInfo *Curl_cookie_init(struct Curl_easy *data,
|
||||
c = calloc(1, sizeof(struct CookieInfo));
|
||||
if(!c)
|
||||
return NULL; /* failed to get memory */
|
||||
- c->filename = strdup(file?file:"none"); /* copy the name just in case */
|
||||
- if(!c->filename)
|
||||
- goto fail; /* failed to get memory */
|
||||
}
|
||||
else {
|
||||
/* we got an already existing one, use that */
|
||||
@@ -1378,7 +1369,6 @@ static struct Cookie *dup_cookie(struct Cookie *src)
|
||||
CLONE(name);
|
||||
CLONE(value);
|
||||
CLONE(maxage);
|
||||
- CLONE(version);
|
||||
d->expires = src->expires;
|
||||
d->tailmatch = src->tailmatch;
|
||||
d->secure = src->secure;
|
||||
@@ -1595,7 +1585,6 @@ void Curl_cookie_cleanup(struct CookieInfo *c)
|
||||
{
|
||||
if(c) {
|
||||
unsigned int i;
|
||||
- free(c->filename);
|
||||
for(i = 0; i < COOKIE_HASH_SIZE; i++)
|
||||
Curl_cookie_freelist(c->cookies[i]);
|
||||
free(c); /* free the base struct as well */
|
||||
diff --git a/lib/cookie.h b/lib/cookie.h
|
||||
index b3c0063b2cfb2..41e9e7a6914e0 100644
|
||||
--- a/lib/cookie.h
|
||||
+++ b/lib/cookie.h
|
||||
@@ -36,11 +36,7 @@ struct Cookie {
|
||||
curl_off_t expires; /* expires = <this> */
|
||||
char *expirestr; /* the plain text version */
|
||||
bool tailmatch; /* whether we do tail-matching of the domain name */
|
||||
-
|
||||
- /* RFC 2109 keywords. Version=1 means 2109-compliant cookie sending */
|
||||
- char *version; /* Version = <value> */
|
||||
char *maxage; /* Max-Age = <value> */
|
||||
-
|
||||
bool secure; /* whether the 'secure' keyword was used */
|
||||
bool livecookie; /* updated from a server, not a stored file */
|
||||
bool httponly; /* true if the httponly directive is present */
|
||||
@@ -56,15 +52,14 @@ struct Cookie {
|
||||
int creationtime; /* time when the cookie was written */
|
||||
};
|
||||
|
||||
-#define COOKIE_HASH_SIZE 256
|
||||
+#define COOKIE_HASH_SIZE 63
|
||||
|
||||
struct CookieInfo {
|
||||
/* linked list of cookies we know of */
|
||||
struct Cookie *cookies[COOKIE_HASH_SIZE];
|
||||
|
||||
- char *filename; /* file we read from/write to */
|
||||
bool running; /* state info, for cookie adding information */
|
||||
- long numcookies; /* number of cookies in the "jar" */
|
||||
+ int numcookies; /* number of cookies in the "jar" */
|
||||
bool newsession; /* new session, discard session cookies on load */
|
||||
int lastct; /* last creation-time used in the jar */
|
||||
};
|
||||
diff --git a/lib/easy.c b/lib/easy.c
|
||||
index 16bbd35251d40..03195481f9780 100644
|
||||
--- a/lib/easy.c
|
||||
+++ b/lib/easy.c
|
||||
@@ -925,9 +925,7 @@ struct Curl_easy *curl_easy_duphandle(struct Curl_easy *data)
|
||||
if(data->cookies) {
|
||||
/* If cookies are enabled in the parent handle, we enable them
|
||||
in the clone as well! */
|
||||
- outcurl->cookies = Curl_cookie_init(data,
|
||||
- data->cookies->filename,
|
||||
- outcurl->cookies,
|
||||
+ outcurl->cookies = Curl_cookie_init(data, NULL, outcurl->cookies,
|
||||
data->set.cookiesession);
|
||||
if(!outcurl->cookies)
|
||||
goto fail;
|
||||
@ -1,193 +0,0 @@
|
||||
diff -up curl-7.61.1/lib/http2.c.25a25f45 curl-7.61.1/lib/http2.c
|
||||
--- curl-7.61.1/lib/http2.c.25a25f45 2023-08-07 14:03:42.043463284 +0200
|
||||
+++ curl-7.61.1/lib/http2.c 2023-08-07 14:10:24.769489855 +0200
|
||||
@@ -1202,7 +1202,7 @@ CURLcode Curl_http2_request_upgrade(Curl
|
||||
binlen = nghttp2_pack_settings_payload(binsettings, H2_BINSETTINGS_LEN,
|
||||
httpc->local_settings,
|
||||
httpc->local_settings_num);
|
||||
- if(!binlen) {
|
||||
+ if(binlen <= 0) {
|
||||
failf(conn->data, "nghttp2 unexpectedly failed on pack_settings_payload");
|
||||
Curl_add_buffer_free(req);
|
||||
return CURLE_FAILED_INIT;
|
||||
@@ -1285,6 +1285,14 @@ static int h2_process_pending_input(stru
|
||||
return -1;
|
||||
}
|
||||
|
||||
+ if(nghttp2_session_check_request_allowed(httpc->h2) == 0) {
|
||||
+ /* No more requests are allowed in the current session, so
|
||||
+ the connection may not be reused. This is set when a
|
||||
+ GOAWAY frame has been received or when the limit of stream
|
||||
+ identifiers has been reached. */
|
||||
+ connclose(conn, "http/2: No new requests allowed");
|
||||
+ }
|
||||
+
|
||||
if(should_close_session(httpc)) {
|
||||
H2BUGF(infof(data,
|
||||
"h2_process_pending_input: nothing to do in this session\n"));
|
||||
@@ -1297,7 +1305,6 @@ static int h2_process_pending_input(stru
|
||||
}
|
||||
return -1;
|
||||
}
|
||||
-
|
||||
return 0;
|
||||
}
|
||||
|
||||
@@ -1455,8 +1462,6 @@ static int h2_session_send(struct Curl_e
|
||||
static ssize_t http2_recv(struct connectdata *conn, int sockindex,
|
||||
char *mem, size_t len, CURLcode *err)
|
||||
{
|
||||
- CURLcode result = CURLE_OK;
|
||||
- ssize_t rv;
|
||||
ssize_t nread;
|
||||
struct http_conn *httpc = &conn->proto.httpc;
|
||||
struct Curl_easy *data = conn->data;
|
||||
@@ -1519,8 +1524,7 @@ static ssize_t http2_recv(struct connect
|
||||
/* We have paused nghttp2, but we have no pause data (see
|
||||
on_data_chunk_recv). */
|
||||
httpc->pause_stream_id = 0;
|
||||
- if(h2_process_pending_input(conn, httpc, &result) != 0) {
|
||||
- *err = result;
|
||||
+ if(h2_process_pending_input(conn, httpc, err) != 0) {
|
||||
return -1;
|
||||
}
|
||||
}
|
||||
@@ -1549,8 +1553,7 @@ static ssize_t http2_recv(struct connect
|
||||
frames, then we have to call it again with 0-length data.
|
||||
Without this, on_stream_close callback will not be called,
|
||||
and stream could be hanged. */
|
||||
- if(h2_process_pending_input(conn, httpc, &result) != 0) {
|
||||
- *err = result;
|
||||
+ if(h2_process_pending_input(conn, httpc, err) != 0) {
|
||||
return -1;
|
||||
}
|
||||
}
|
||||
@@ -1573,7 +1576,6 @@ static ssize_t http2_recv(struct connect
|
||||
return -1;
|
||||
}
|
||||
else {
|
||||
- char *inbuf;
|
||||
/* remember where to store incoming data for this stream and how big the
|
||||
buffer is */
|
||||
stream->mem = mem;
|
||||
@@ -1582,16 +1584,15 @@ static ssize_t http2_recv(struct connect
|
||||
|
||||
if(httpc->inbuflen == 0) {
|
||||
nread = ((Curl_recv *)httpc->recv_underlying)(
|
||||
- conn, FIRSTSOCKET, httpc->inbuf, H2_BUFSIZE, &result);
|
||||
+ conn, FIRSTSOCKET, httpc->inbuf, H2_BUFSIZE, err);
|
||||
|
||||
if(nread == -1) {
|
||||
- if(result != CURLE_AGAIN)
|
||||
+ if(*err != CURLE_AGAIN)
|
||||
failf(data, "Failed receiving HTTP2 data");
|
||||
else if(stream->closed)
|
||||
/* received when the stream was already closed! */
|
||||
return http2_handle_stream_close(conn, data, stream, err);
|
||||
|
||||
- *err = result;
|
||||
return -1;
|
||||
}
|
||||
|
||||
@@ -1604,47 +1605,17 @@ static ssize_t http2_recv(struct connect
|
||||
H2BUGF(infof(data, "nread=%zd\n", nread));
|
||||
|
||||
httpc->inbuflen = nread;
|
||||
- inbuf = httpc->inbuf;
|
||||
+
|
||||
+ DEBUGASSERT(httpc->nread_inbuf == 0);
|
||||
}
|
||||
else {
|
||||
nread = httpc->inbuflen - httpc->nread_inbuf;
|
||||
- inbuf = httpc->inbuf + httpc->nread_inbuf;
|
||||
-
|
||||
+ (void)nread; /* silence warning, used in debug */
|
||||
H2BUGF(infof(data, "Use data left in connection buffer, nread=%zd\n",
|
||||
nread));
|
||||
}
|
||||
- rv = nghttp2_session_mem_recv(httpc->h2, (const uint8_t *)inbuf, nread);
|
||||
-
|
||||
- if(nghttp2_is_fatal((int)rv)) {
|
||||
- failf(data, "nghttp2_session_mem_recv() returned %zd:%s\n",
|
||||
- rv, nghttp2_strerror((int)rv));
|
||||
- *err = CURLE_RECV_ERROR;
|
||||
- return -1;
|
||||
- }
|
||||
- H2BUGF(infof(data, "nghttp2_session_mem_recv() returns %zd\n", rv));
|
||||
- if(nread == rv) {
|
||||
- H2BUGF(infof(data, "All data in connection buffer processed\n"));
|
||||
- httpc->inbuflen = 0;
|
||||
- httpc->nread_inbuf = 0;
|
||||
- }
|
||||
- else {
|
||||
- httpc->nread_inbuf += rv;
|
||||
- H2BUGF(infof(data, "%zu bytes left in connection buffer\n",
|
||||
- httpc->inbuflen - httpc->nread_inbuf));
|
||||
- }
|
||||
- /* Always send pending frames in nghttp2 session, because
|
||||
- nghttp2_session_mem_recv() may queue new frame */
|
||||
- rv = h2_session_send(data, httpc->h2);
|
||||
- if(rv != 0) {
|
||||
- *err = CURLE_SEND_ERROR;
|
||||
- return -1;
|
||||
- }
|
||||
-
|
||||
- if(should_close_session(httpc)) {
|
||||
- H2BUGF(infof(data, "http2_recv: nothing to do in this session\n"));
|
||||
- *err = CURLE_HTTP2;
|
||||
+ if(h2_process_pending_input(conn, httpc, err) != 0)
|
||||
return -1;
|
||||
- }
|
||||
}
|
||||
if(stream->memlen) {
|
||||
ssize_t retlen = stream->memlen;
|
||||
@@ -2108,7 +2079,6 @@ CURLcode Curl_http2_switched(struct conn
|
||||
CURLcode result;
|
||||
struct http_conn *httpc = &conn->proto.httpc;
|
||||
int rv;
|
||||
- ssize_t nproc;
|
||||
struct Curl_easy *data = conn->data;
|
||||
struct HTTP *stream = conn->data->req.protop;
|
||||
|
||||
@@ -2186,39 +2156,10 @@ CURLcode Curl_http2_switched(struct conn
|
||||
memcpy(httpc->inbuf, mem, nread);
|
||||
httpc->inbuflen = nread;
|
||||
|
||||
- nproc = nghttp2_session_mem_recv(httpc->h2, (const uint8_t *)httpc->inbuf,
|
||||
- httpc->inbuflen);
|
||||
+ DEBUGASSERT(httpc->nread_inbuf == 0);
|
||||
|
||||
- if(nghttp2_is_fatal((int)nproc)) {
|
||||
- failf(data, "nghttp2_session_mem_recv() failed: %s(%d)",
|
||||
- nghttp2_strerror((int)nproc), (int)nproc);
|
||||
+ if(-1 == h2_process_pending_input(conn, httpc, &result))
|
||||
return CURLE_HTTP2;
|
||||
- }
|
||||
-
|
||||
- H2BUGF(infof(data, "nghttp2_session_mem_recv() returns %zd\n", nproc));
|
||||
-
|
||||
- if((ssize_t)nread == nproc) {
|
||||
- httpc->inbuflen = 0;
|
||||
- httpc->nread_inbuf = 0;
|
||||
- }
|
||||
- else {
|
||||
- httpc->nread_inbuf += nproc;
|
||||
- }
|
||||
-
|
||||
- /* Try to send some frames since we may read SETTINGS already. */
|
||||
- rv = h2_session_send(data, httpc->h2);
|
||||
-
|
||||
- if(rv != 0) {
|
||||
- failf(data, "nghttp2_session_send() failed: %s(%d)",
|
||||
- nghttp2_strerror(rv), rv);
|
||||
- return CURLE_HTTP2;
|
||||
- }
|
||||
-
|
||||
- if(should_close_session(httpc)) {
|
||||
- H2BUGF(infof(data,
|
||||
- "nghttp2_session_send(): nothing to do in this session\n"));
|
||||
- return CURLE_HTTP2;
|
||||
- }
|
||||
|
||||
return CURLE_OK;
|
||||
}
|
||||
@ -1,15 +0,0 @@
|
||||
diff -up curl-7.61.1/lib/http2.c.c1b6a384 curl-7.61.1/lib/http2.c
|
||||
--- curl-7.61.1/lib/http2.c.c1b6a384 2023-08-07 13:59:18.482137005 +0200
|
||||
+++ curl-7.61.1/lib/http2.c 2023-08-07 14:03:42.043463284 +0200
|
||||
@@ -1467,6 +1467,11 @@ static ssize_t http2_recv(struct connect
|
||||
if(should_close_session(httpc)) {
|
||||
H2BUGF(infof(data,
|
||||
"http2_recv: nothing to do in this session\n"));
|
||||
+ if(conn->bits.close) {
|
||||
+ /* already marked for closure, return OK and we're done */
|
||||
+ *err = CURLE_OK;
|
||||
+ return 0;
|
||||
+ }
|
||||
*err = CURLE_HTTP2;
|
||||
return -1;
|
||||
}
|
||||
@ -1,48 +0,0 @@
|
||||
From 2b0994c29a721c91c572cff7808c572a24d251eb Mon Sep 17 00:00:00 2001
|
||||
From: Daniel Stenberg <daniel@haxx.se>
|
||||
Date: Thu, 23 Nov 2023 08:15:47 +0100
|
||||
Subject: [PATCH] cookie: lowercase the domain names before PSL checks
|
||||
|
||||
Reported-by: Harry Sintonen
|
||||
|
||||
Closes #12387
|
||||
---
|
||||
lib/cookie.c | 24 ++++++++++++++++--------
|
||||
1 file changed, 16 insertions(+), 8 deletions(-)
|
||||
|
||||
diff --git a/lib/cookie.c b/lib/cookie.c
|
||||
index 568cf537ad1b1f..9095cea3e97f22 100644
|
||||
--- a/lib/cookie.c
|
||||
+++ b/lib/cookie.c
|
||||
@@ -1027,15 +1027,23 @@ Curl_cookie_add(struct Curl_easy *data,
|
||||
#ifdef USE_LIBPSL
|
||||
/* Check if the domain is a Public Suffix and if yes, ignore the cookie. */
|
||||
if(domain && co->domain && !isip(co->domain)) {
|
||||
- const psl_ctx_t *psl = Curl_psl_use(data);
|
||||
- int acceptable;
|
||||
-
|
||||
- if(psl) {
|
||||
- acceptable = psl_is_cookie_domain_acceptable(psl, domain, co->domain);
|
||||
- Curl_psl_release(data);
|
||||
+ bool acceptable = FALSE;
|
||||
+ char lcase[256];
|
||||
+ char lcookie[256];
|
||||
+ size_t dlen = strlen(domain);
|
||||
+ size_t clen = strlen(co->domain);
|
||||
+ if((dlen < sizeof(lcase)) && (clen < sizeof(lcookie))) {
|
||||
+ const psl_ctx_t *psl = Curl_psl_use(data);
|
||||
+ if(psl) {
|
||||
+ /* the PSL check requires lowercase domain name and pattern */
|
||||
+ Curl_strntolower(lcase, domain, dlen + 1);
|
||||
+ Curl_strntolower(lcookie, co->domain, clen + 1);
|
||||
+ acceptable = psl_is_cookie_domain_acceptable(psl, lcase, lcookie);
|
||||
+ Curl_psl_release(data);
|
||||
+ }
|
||||
+ else
|
||||
+ acceptable = !bad_domain(domain);
|
||||
}
|
||||
- else
|
||||
- acceptable = !bad_domain(domain);
|
||||
|
||||
if(!acceptable) {
|
||||
infof(data, "cookie '%s' dropped, domain '%s' must not "
|
||||
@ -1,136 +0,0 @@
|
||||
From 0023fce38d3bd6ee0e9b6ff8708fee1195057846 Mon Sep 17 00:00:00 2001
|
||||
From: Barry Pollard <barry_pollard@hotmail.com>
|
||||
Date: Sun, 22 Sep 2019 21:17:12 +0100
|
||||
Subject: [PATCH] http: lowercase headernames for HTTP/2 and HTTP/3
|
||||
|
||||
Closes #4401
|
||||
Fixes #4400
|
||||
---
|
||||
lib/strcase.c | 84 ++++++++++++++++++++++++++++++++++++++++++++++
|
||||
lib/strcase.h | 2 ++
|
||||
5 files changed, 95 insertions(+), 3 deletions(-)
|
||||
|
||||
diff --git a/lib/strcase.c b/lib/strcase.c
|
||||
index 24bcca932..098cec7a8 100644
|
||||
--- a/lib/strcase.c
|
||||
+++ b/lib/strcase.c
|
||||
@@ -93,6 +93,75 @@ char Curl_raw_toupper(char in)
|
||||
return in;
|
||||
}
|
||||
|
||||
+
|
||||
+/* Portable, consistent tolower (remember EBCDIC). Do not use tolower() because
|
||||
+ its behavior is altered by the current locale. */
|
||||
+char Curl_raw_tolower(char in)
|
||||
+{
|
||||
+#if !defined(CURL_DOES_CONVERSIONS)
|
||||
+ if(in >= 'A' && in <= 'Z')
|
||||
+ return (char)('a' + in - 'A');
|
||||
+#else
|
||||
+ switch(in) {
|
||||
+ case 'A':
|
||||
+ return 'a';
|
||||
+ case 'B':
|
||||
+ return 'b';
|
||||
+ case 'C':
|
||||
+ return 'c';
|
||||
+ case 'D':
|
||||
+ return 'd';
|
||||
+ case 'E':
|
||||
+ return 'e';
|
||||
+ case 'F':
|
||||
+ return 'f';
|
||||
+ case 'G':
|
||||
+ return 'g';
|
||||
+ case 'H':
|
||||
+ return 'h';
|
||||
+ case 'I':
|
||||
+ return 'i';
|
||||
+ case 'J':
|
||||
+ return 'j';
|
||||
+ case 'K':
|
||||
+ return 'k';
|
||||
+ case 'L':
|
||||
+ return 'l';
|
||||
+ case 'M':
|
||||
+ return 'm';
|
||||
+ case 'N':
|
||||
+ return 'n';
|
||||
+ case 'O':
|
||||
+ return 'o';
|
||||
+ case 'P':
|
||||
+ return 'p';
|
||||
+ case 'Q':
|
||||
+ return 'q';
|
||||
+ case 'R':
|
||||
+ return 'r';
|
||||
+ case 'S':
|
||||
+ return 's';
|
||||
+ case 'T':
|
||||
+ return 't';
|
||||
+ case 'U':
|
||||
+ return 'u';
|
||||
+ case 'V':
|
||||
+ return 'v';
|
||||
+ case 'W':
|
||||
+ return 'w';
|
||||
+ case 'X':
|
||||
+ return 'X';
|
||||
+ case 'Y':
|
||||
+ return 'y';
|
||||
+ case 'Z':
|
||||
+ return 'z';
|
||||
+ }
|
||||
+#endif
|
||||
+
|
||||
+ return in;
|
||||
+}
|
||||
+
|
||||
+
|
||||
/*
|
||||
* Curl_strcasecompare() is for doing "raw" case insensitive strings. This is
|
||||
* meant to be locale independent and only compare strings we know are safe
|
||||
@@ -234,6 +303,21 @@ void Curl_strntoupper(char *dest, const char *src, size_t n)
|
||||
} while(*src++ && --n);
|
||||
}
|
||||
|
||||
+/* Copy a lower case version of the string from src to dest. The
|
||||
+ * strings may overlap. No more than n characters of the string are copied
|
||||
+ * (including any NUL) and the destination string will NOT be
|
||||
+ * NUL-terminated if that limit is reached.
|
||||
+ */
|
||||
+void Curl_strntolower(char *dest, const char *src, size_t n)
|
||||
+{
|
||||
+ if(n < 1)
|
||||
+ return;
|
||||
+
|
||||
+ do {
|
||||
+ *dest++ = Curl_raw_tolower(*src);
|
||||
+ } while(*src++ && --n);
|
||||
+}
|
||||
+
|
||||
/* Compare case-sensitive NUL-terminated strings, taking care of possible
|
||||
* null pointers. Return true if arguments match.
|
||||
*/
|
||||
diff --git a/lib/strcase.h b/lib/strcase.h
|
||||
index 6fee3840e..2f07a74c9 100644
|
||||
--- a/lib/strcase.h
|
||||
+++ b/lib/strcase.h
|
||||
@@ -40,12 +40,14 @@ int Curl_safe_strcasecompare(const char *first, const char *second);
|
||||
int Curl_strncasecompare(const char *first, const char *second, size_t max);
|
||||
|
||||
char Curl_raw_toupper(char in);
|
||||
+char Curl_raw_tolower(char in);
|
||||
|
||||
/* checkprefix() is a shorter version of the above, used when the first
|
||||
argument is zero-byte terminated */
|
||||
#define checkprefix(a,b) curl_strnequal(a,b,strlen(a))
|
||||
|
||||
void Curl_strntoupper(char *dest, const char *src, size_t n);
|
||||
+void Curl_strntolower(char *dest, const char *src, size_t n);
|
||||
|
||||
bool Curl_safecmp(char *a, char *b);
|
||||
int Curl_timestrcmp(const char *first, const char *second);
|
||||
--
|
||||
2.43.0
|
||||
|
||||
@ -1,80 +0,0 @@
|
||||
From deca8039991886a559b67bcd6701db800a5cf764 Mon Sep 17 00:00:00 2001
|
||||
From: Stefan Eissing <stefan@eissing.org>
|
||||
Date: Wed, 6 Mar 2024 09:36:08 +0100
|
||||
Subject: [PATCH] http2: push headers better cleanup
|
||||
|
||||
- provide common cleanup method for push headers
|
||||
|
||||
Closes #13054
|
||||
---
|
||||
lib/http2.c | 34 +++++++++++++++-------------------
|
||||
1 file changed, 15 insertions(+), 19 deletions(-)
|
||||
|
||||
diff --git a/lib/http2.c b/lib/http2.c
|
||||
index c63ecd38371ab4..96868728a53a1f 100644
|
||||
--- a/lib/http2.c
|
||||
+++ b/lib/http2.c
|
||||
@@ -271,6 +271,15 @@ static CURLcode http2_data_setup(struct Curl_cfilter *cf,
|
||||
return http2_perform_getsock(conn, sock, numsocks);
|
||||
}
|
||||
|
||||
+static void free_push_headers(struct HTTP *http)
|
||||
+{
|
||||
+ size_t i;
|
||||
+ for(i = 0; i<http->push_headers_used; i++)
|
||||
+ free(http->push_headers[i]);
|
||||
+ Curl_safefree(http->push_headers);
|
||||
+ http->push_headers_used = 0;
|
||||
+}
|
||||
+
|
||||
/*
|
||||
* http2_stream_free() free HTTP2 stream related data
|
||||
*/
|
||||
@@ -306,11 +315,7 @@ static void http2_data_done(struct Curl_cfilter *cf,
|
||||
http->header_recvbuf = NULL; /* clear the pointer */
|
||||
Curl_add_buffer_free(http->trailer_recvbuf);
|
||||
http->trailer_recvbuf = NULL; /* clear the pointer */
|
||||
- for(; http->push_headers_used > 0; --http->push_headers_used) {
|
||||
- free(http->push_headers[http->push_headers_used - 1]);
|
||||
- }
|
||||
- free(http->push_headers);
|
||||
- http->push_headers = NULL;
|
||||
+ free_push_headers(http);
|
||||
}
|
||||
}
|
||||
|
||||
@@ -860,7 +861,6 @@ static int push_promise(struct Curl_cfilter *cf,
|
||||
struct curl_pushheaders heads;
|
||||
CURLMcode rc;
|
||||
struct http_conn *httpc;
|
||||
- size_t i;
|
||||
/* clone the parent */
|
||||
struct Curl_easy *newhandle = duphandle(data);
|
||||
if(!newhandle) {
|
||||
@@ -904,11 +904,7 @@ static int push_promise(struct Curl_cfilter *cf,
|
||||
Curl_set_in_callback(data, false);
|
||||
|
||||
/* free the headers again */
|
||||
- for(i = 0; i<stream->push_headers_used; i++)
|
||||
- free(stream->push_headers[i]);
|
||||
- free(stream->push_headers);
|
||||
- stream->push_headers = NULL;
|
||||
- stream->push_headers_used = 0;
|
||||
+ free_push_headers(stream);
|
||||
|
||||
if(rv) {
|
||||
/* denied, kill off the new handle again */
|
||||
@@ -1426,10 +1422,10 @@ static int on_header(nghttp2_session *session, const nghttp2_frame *frame,
|
||||
stream->push_headers_alloc) {
|
||||
char **headp;
|
||||
stream->push_headers_alloc *= 2;
|
||||
- headp = Curl_saferealloc(stream->push_headers,
|
||||
- stream->push_headers_alloc * sizeof(char *));
|
||||
+ headp = realloc(stream->push_headers,
|
||||
+ stream->push_headers_alloc * sizeof(char *));
|
||||
if(!headp) {
|
||||
- stream->push_headers = NULL;
|
||||
+ free_push_headers(stream);
|
||||
return NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE;
|
||||
}
|
||||
stream->push_headers = headp;
|
||||
@ -1,146 +0,0 @@
|
||||
From eb9a604f8d7db859555adc0ddacdabd1ed986106 Mon Sep 17 00:00:00 2001
|
||||
From: amkatyal <amkatyal@cisco.com>
|
||||
Date: Fri, 26 Jul 2019 21:28:41 +0530
|
||||
Subject: [PATCH] asyn-thread: create a socketpair to wait on
|
||||
|
||||
Closes #4157
|
||||
---
|
||||
lib/asyn-thread.c | 76 ++++++++++++++++++++++++++++++++++++++++-------
|
||||
lib/multi.c | 0
|
||||
2 files changed, 65 insertions(+), 11 deletions(-)
|
||||
mode change 100644 => 100755 lib/asyn-thread.c
|
||||
mode change 100644 => 100755 lib/multi.c
|
||||
|
||||
diff --git a/lib/asyn-thread.c b/lib/asyn-thread.c
|
||||
old mode 100644
|
||||
new mode 100755
|
||||
index 5f33c9affd0f27..f17638e44e6b18
|
||||
--- a/lib/asyn-thread.c
|
||||
+++ b/lib/asyn-thread.c
|
||||
@@ -163,6 +163,9 @@ struct thread_sync_data {
|
||||
char *hostname; /* hostname to resolve, Curl_async.hostname
|
||||
duplicate */
|
||||
int port;
|
||||
+#ifdef HAVE_SOCKETPAIR
|
||||
+ curl_socket_t sock_pair[2]; /* socket pair */
|
||||
+#endif
|
||||
int sock_error;
|
||||
Curl_addrinfo *res;
|
||||
#ifdef HAVE_GETADDRINFO
|
||||
@@ -197,6 +200,16 @@ void destroy_thread_sync_data(struct thread_sync_data * tsd)
|
||||
if(tsd->res)
|
||||
Curl_freeaddrinfo(tsd->res);
|
||||
|
||||
+#ifdef HAVE_SOCKETPAIR
|
||||
+ /* close socket pair */
|
||||
+ if(tsd->sock_pair[0] != CURL_SOCKET_BAD) {
|
||||
+ sclose(tsd->sock_pair[0]);
|
||||
+ }
|
||||
+
|
||||
+ if(tsd->sock_pair[1] != CURL_SOCKET_BAD) {
|
||||
+ sclose(tsd->sock_pair[1]);
|
||||
+ }
|
||||
+#endif
|
||||
memset(tsd, 0, sizeof(*tsd));
|
||||
}
|
||||
|
||||
@@ -230,6 +243,14 @@ int init_thread_sync_data(struct thread_data * td,
|
||||
|
||||
Curl_mutex_init(tsd->mtx);
|
||||
|
||||
+#ifdef HAVE_SOCKETPAIR
|
||||
+ /* create socket pair */
|
||||
+ if(socketpair(AF_LOCAL, SOCK_STREAM, 0, &tsd->sock_pair[0]) < 0) {
|
||||
+ tsd->sock_pair[0] = CURL_SOCKET_BAD;
|
||||
+ tsd->sock_pair[1] = CURL_SOCKET_BAD;
|
||||
+ goto err_exit;
|
||||
+ }
|
||||
+#endif
|
||||
tsd->sock_error = CURL_ASYNC_SUCCESS;
|
||||
|
||||
/* Copying hostname string because original can be destroyed by parent
|
||||
@@ -297,6 +318,9 @@ static unsigned int CURL_STDCALL getaddrinfo_thread(void *arg)
|
||||
struct thread_data *td = tsd->td;
|
||||
char service[12];
|
||||
int rc;
|
||||
+#ifdef HAVE_SOCKETPAIR
|
||||
+ char buf[1];
|
||||
+#endif
|
||||
|
||||
snprintf(service, sizeof(service), "%d", tsd->port);
|
||||
|
||||
@@ -298,6 +322,16 @@ static unsigned int CURL_STDCALL getaddrinfo_thread(void *arg)
|
||||
free(td);
|
||||
}
|
||||
else {
|
||||
+#ifdef HAVE_SOCKETPAIR
|
||||
+ if(tsd->sock_pair[1] != CURL_SOCKET_BAD) {
|
||||
+ /* DNS has been resolved, signal client task */
|
||||
+ buf[0] = 1;
|
||||
+ if(write(tsd->sock_pair[1], buf, sizeof(buf)) < 0) {
|
||||
+ /* update sock_erro to errno */
|
||||
+ tsd->sock_error = SOCKERRNO;
|
||||
+ }
|
||||
+ }
|
||||
+#endif
|
||||
tsd->done = 1;
|
||||
Curl_mutex_release(tsd->mtx);
|
||||
}
|
||||
@@ -595,23 +629,43 @@ int Curl_resolver_getsock(struct connectdata *conn,
|
||||
curl_socket_t *socks,
|
||||
int numsocks)
|
||||
{
|
||||
+ int ret_val = 0;
|
||||
time_t milli;
|
||||
timediff_t ms;
|
||||
struct Curl_easy *data = conn->data;
|
||||
struct resdata *reslv = (struct resdata *)data->state.resolver;
|
||||
+#ifdef HAVE_SOCKETPAIR
|
||||
+ struct thread_data *td = (struct thread_data*)conn->async.os_specific;
|
||||
+ int loop_idx;
|
||||
+#else
|
||||
(void)socks;
|
||||
(void)numsocks;
|
||||
- ms = Curl_timediff(Curl_now(), reslv->start);
|
||||
- if(ms < 3)
|
||||
- milli = 0;
|
||||
- else if(ms <= 50)
|
||||
- milli = ms/3;
|
||||
- else if(ms <= 250)
|
||||
- milli = 50;
|
||||
- else
|
||||
- milli = 200;
|
||||
- Curl_expire(data, milli, EXPIRE_ASYNC_NAME);
|
||||
- return 0;
|
||||
+#endif
|
||||
+
|
||||
+#ifdef HAVE_SOCKETPAIR
|
||||
+ if(td) {
|
||||
+ /* return read fd to client for polling the DNS resolution status */
|
||||
+ socks[0] = td->tsd.sock_pair[0];
|
||||
+ ret_val = GETSOCK_READSOCK(0);
|
||||
+ }
|
||||
+ else {
|
||||
+#endif
|
||||
+ ms = Curl_timediff(Curl_now(), reslv->start);
|
||||
+ if(ms < 3)
|
||||
+ milli = 0;
|
||||
+ else if(ms <= 50)
|
||||
+ milli = ms/3;
|
||||
+ else if(ms <= 250)
|
||||
+ milli = 50;
|
||||
+ else
|
||||
+ milli = 200;
|
||||
+ Curl_expire(data, milli, EXPIRE_ASYNC_NAME);
|
||||
+#ifdef HAVE_SOCKETPAIR
|
||||
+ }
|
||||
+#endif
|
||||
+
|
||||
+
|
||||
+ return ret_val;
|
||||
}
|
||||
|
||||
#ifndef HAVE_GETADDRINFO
|
||||
diff --git a/lib/multi.c b/lib/multi.c
|
||||
old mode 100644
|
||||
new mode 100755
|
||||
@ -1,279 +0,0 @@
|
||||
diff -up curl-7.61.1/lib/curl_md5.h.RHEL-32335 curl-7.61.1/lib/curl_md5.h
|
||||
--- curl-7.61.1/lib/curl_md5.h.RHEL-32335 2024-04-10 10:09:36.758098940 +0200
|
||||
+++ curl-7.61.1/lib/curl_md5.h 2024-04-10 10:10:22.426370509 +0200
|
||||
@@ -49,8 +49,8 @@ typedef struct {
|
||||
extern const MD5_params Curl_DIGEST_MD5[1];
|
||||
extern const HMAC_params Curl_HMAC_MD5[1];
|
||||
|
||||
-void Curl_md5it(unsigned char *output,
|
||||
- const unsigned char *input);
|
||||
+void Curl_md5it(unsigned char *output, const unsigned char *input,
|
||||
+ const size_t len);
|
||||
|
||||
MD5_context * Curl_MD5_init(const MD5_params *md5params);
|
||||
int Curl_MD5_update(MD5_context *context,
|
||||
diff -up curl-7.61.1/lib/curl_ntlm_core.h.RHEL-32335 curl-7.61.1/lib/curl_ntlm_core.h
|
||||
--- curl-7.61.1/lib/curl_ntlm_core.h.RHEL-32335 2024-04-10 09:52:39.872042425 +0200
|
||||
+++ curl-7.61.1/lib/curl_ntlm_core.h 2024-04-10 09:54:46.230795176 +0200
|
||||
@@ -48,9 +48,9 @@
|
||||
#endif
|
||||
|
||||
/* Define USE_NTLM2SESSION in order to make the type-3 message include the
|
||||
- NTLM2Session response message, requires USE_NTRESPONSES defined to 1 and a
|
||||
- Crypto engine that we have curl_ssl_md5sum() for. */
|
||||
-#if defined(USE_NTRESPONSES) && !defined(USE_WIN32_CRYPTO)
|
||||
+ NTLM2Session response message, requires USE_NTRESPONSES defined to 1 and
|
||||
+ MD5 support */
|
||||
+#if defined(USE_NTRESPONSES) && !defined(CURL_DISABLE_CRYPTO_AUTH)
|
||||
#define USE_NTLM2SESSION
|
||||
#endif
|
||||
|
||||
diff -up curl-7.61.1/lib/curl_sha256.h.RHEL-32335 curl-7.61.1/lib/curl_sha256.h
|
||||
--- curl-7.61.1/lib/curl_sha256.h.RHEL-32335 2024-04-10 10:13:40.975551190 +0200
|
||||
+++ curl-7.61.1/lib/curl_sha256.h 2024-04-10 10:14:00.251665815 +0200
|
||||
@@ -24,8 +24,8 @@
|
||||
|
||||
#ifndef CURL_DISABLE_CRYPTO_AUTH
|
||||
|
||||
-void Curl_sha256it(unsigned char *outbuffer,
|
||||
- const unsigned char *input);
|
||||
+void Curl_sha256it(unsigned char *outbuffer, const unsigned char *input,
|
||||
+ const size_t len);
|
||||
|
||||
#endif
|
||||
|
||||
diff -up curl-7.61.1/lib/md5.c.RHEL-32335 curl-7.61.1/lib/md5.c
|
||||
--- curl-7.61.1/lib/md5.c.RHEL-32335 2024-04-10 10:10:39.831474009 +0200
|
||||
+++ curl-7.61.1/lib/md5.c 2024-04-10 10:13:29.963485706 +0200
|
||||
@@ -519,12 +519,13 @@ const MD5_params Curl_DIGEST_MD5[] = {
|
||||
/*
|
||||
* @unittest: 1601
|
||||
*/
|
||||
-void Curl_md5it(unsigned char *outbuffer, /* 16 bytes */
|
||||
- const unsigned char *input)
|
||||
+void Curl_md5it(unsigned char *outbuffer, const unsigned char *input,
|
||||
+ const size_t len)
|
||||
{
|
||||
MD5_CTX ctx;
|
||||
+
|
||||
MD5_Init(&ctx);
|
||||
- MD5_Update(&ctx, input, curlx_uztoui(strlen((char *)input)));
|
||||
+ MD5_Update(&ctx, input, curlx_uztoui(len));
|
||||
MD5_Final(outbuffer, &ctx);
|
||||
}
|
||||
|
||||
diff -up curl-7.61.1/lib/sha256.c.RHEL-32335 curl-7.61.1/lib/sha256.c
|
||||
--- curl-7.61.1/lib/sha256.c.RHEL-32335 2024-04-10 10:14:32.047854892 +0200
|
||||
+++ curl-7.61.1/lib/sha256.c 2024-04-10 10:15:23.010157942 +0200
|
||||
@@ -255,12 +255,13 @@ static int SHA256_Final(unsigned char *o
|
||||
|
||||
#endif
|
||||
|
||||
-void Curl_sha256it(unsigned char *outbuffer, /* 32 unsigned chars */
|
||||
- const unsigned char *input)
|
||||
+void Curl_sha256it(unsigned char *outbuffer, const unsigned char *input,
|
||||
+ const size_t len)
|
||||
{
|
||||
SHA256_CTX ctx;
|
||||
+
|
||||
SHA256_Init(&ctx);
|
||||
- SHA256_Update(&ctx, input, curlx_uztoui(strlen((char *)input)));
|
||||
+ SHA256_Update(&ctx, input, curlx_uztoui(len));
|
||||
SHA256_Final(outbuffer, &ctx);
|
||||
}
|
||||
|
||||
diff -up curl-7.61.1/lib/vauth/digest.c.RHEL-32335 curl-7.61.1/lib/vauth/digest.c
|
||||
--- curl-7.61.1/lib/vauth/digest.c.RHEL-32335 2024-04-10 10:15:31.737209838 +0200
|
||||
+++ curl-7.61.1/lib/vauth/digest.c 2024-04-10 10:20:11.293872233 +0200
|
||||
@@ -62,7 +62,7 @@
|
||||
what ultimately goes over the network.
|
||||
*/
|
||||
#define CURL_OUTPUT_DIGEST_CONV(a, b) \
|
||||
- result = Curl_convert_to_network(a, (char *)b, strlen((const char *)b)); \
|
||||
+ result = Curl_convert_to_network(a, b, strlen(b)); \
|
||||
if(result) { \
|
||||
free(b); \
|
||||
return result; \
|
||||
@@ -687,12 +687,12 @@ static CURLcode _Curl_auth_create_digest
|
||||
struct digestdata *digest,
|
||||
char **outptr, size_t *outlen,
|
||||
void (*convert_to_ascii)(unsigned char *, unsigned char *),
|
||||
- void (*hash)(unsigned char *, const unsigned char *))
|
||||
+ void (*hash)(unsigned char *, const unsigned char *,
|
||||
+ const size_t))
|
||||
{
|
||||
CURLcode result;
|
||||
unsigned char hashbuf[32]; /* 32 bytes/256 bits */
|
||||
unsigned char request_digest[65];
|
||||
- unsigned char *hashthis;
|
||||
unsigned char ha1[65]; /* 64 digits and 1 zero byte */
|
||||
unsigned char ha2[65]; /* 64 digits and 1 zero byte */
|
||||
char userh[65];
|
||||
@@ -700,6 +700,7 @@ static CURLcode _Curl_auth_create_digest
|
||||
size_t cnonce_sz = 0;
|
||||
char *userp_quoted;
|
||||
char *response = NULL;
|
||||
+ char *hashthis = NULL;
|
||||
char *tmp = NULL;
|
||||
|
||||
if(!digest->nc)
|
||||
@@ -721,12 +722,12 @@ static CURLcode _Curl_auth_create_digest
|
||||
}
|
||||
|
||||
if(digest->userhash) {
|
||||
- hashthis = (unsigned char *) aprintf("%s:%s", userp, digest->realm);
|
||||
+ hashthis = aprintf("%s:%s", userp, digest->realm);
|
||||
if(!hashthis)
|
||||
return CURLE_OUT_OF_MEMORY;
|
||||
|
||||
CURL_OUTPUT_DIGEST_CONV(data, hashthis);
|
||||
- hash(hashbuf, hashthis);
|
||||
+ hash(hashbuf, (unsigned char *) hashthis, strlen(hashthis));
|
||||
free(hashthis);
|
||||
convert_to_ascii(hashbuf, (unsigned char *)userh);
|
||||
}
|
||||
@@ -742,14 +743,13 @@ static CURLcode _Curl_auth_create_digest
|
||||
unq(nonce-value) ":" unq(cnonce-value)
|
||||
*/
|
||||
|
||||
- hashthis = (unsigned char *)
|
||||
- aprintf("%s:%s:%s", digest->userhash ? userh : userp,
|
||||
- digest->realm, passwdp);
|
||||
+ hashthis = aprintf("%s:%s:%s", digest->userhash ? userh : userp,
|
||||
+ digest->realm, passwdp);
|
||||
if(!hashthis)
|
||||
return CURLE_OUT_OF_MEMORY;
|
||||
|
||||
CURL_OUTPUT_DIGEST_CONV(data, hashthis); /* convert on non-ASCII machines */
|
||||
- hash(hashbuf, hashthis);
|
||||
+ hash(hashbuf, (unsigned char *) hashthis, strlen(hashthis));
|
||||
free(hashthis);
|
||||
convert_to_ascii(hashbuf, ha1);
|
||||
|
||||
@@ -762,7 +762,7 @@ static CURLcode _Curl_auth_create_digest
|
||||
return CURLE_OUT_OF_MEMORY;
|
||||
|
||||
CURL_OUTPUT_DIGEST_CONV(data, tmp); /* Convert on non-ASCII machines */
|
||||
- hash(hashbuf, (unsigned char *) tmp);
|
||||
+ hash(hashbuf, (unsigned char *) tmp, strlen(tmp));
|
||||
free(tmp);
|
||||
convert_to_ascii(hashbuf, ha1);
|
||||
}
|
||||
@@ -780,18 +780,18 @@ static CURLcode _Curl_auth_create_digest
|
||||
5.1.1 of RFC 2616)
|
||||
*/
|
||||
|
||||
- hashthis = (unsigned char *) aprintf("%s:%s", request, uripath);
|
||||
+ hashthis = aprintf("%s:%s", request, uripath);
|
||||
|
||||
if(digest->qop && strcasecompare(digest->qop, "auth-int")) {
|
||||
/* We don't support auth-int for PUT or POST at the moment.
|
||||
TODO: replace hash of empty string with entity-body for PUT/POST */
|
||||
char hashed[65];
|
||||
- unsigned char *hashthis2;
|
||||
+ char *hashthis2;
|
||||
|
||||
- hash(hashbuf, (const unsigned char *)"");
|
||||
+ hash(hashbuf, (const unsigned char *)"", 0);
|
||||
convert_to_ascii(hashbuf, (unsigned char *)hashed);
|
||||
|
||||
- hashthis2 = (unsigned char *)aprintf("%s:%s", hashthis, hashed);
|
||||
+ hashthis2 = aprintf("%s:%s", hashthis, hashed);
|
||||
free(hashthis);
|
||||
hashthis = hashthis2;
|
||||
}
|
||||
@@ -800,31 +800,23 @@ static CURLcode _Curl_auth_create_digest
|
||||
return CURLE_OUT_OF_MEMORY;
|
||||
|
||||
CURL_OUTPUT_DIGEST_CONV(data, hashthis); /* convert on non-ASCII machines */
|
||||
- hash(hashbuf, hashthis);
|
||||
+ hash(hashbuf, (unsigned char *) hashthis, strlen(hashthis));
|
||||
free(hashthis);
|
||||
convert_to_ascii(hashbuf, ha2);
|
||||
|
||||
if(digest->qop) {
|
||||
- hashthis = (unsigned char *) aprintf("%s:%s:%08x:%s:%s:%s",
|
||||
- ha1,
|
||||
- digest->nonce,
|
||||
- digest->nc,
|
||||
- digest->cnonce,
|
||||
- digest->qop,
|
||||
- ha2);
|
||||
+ hashthis = aprintf("%s:%s:%08x:%s:%s:%s", ha1, digest->nonce, digest->nc,
|
||||
+ digest->cnonce, digest->qop, ha2);
|
||||
}
|
||||
else {
|
||||
- hashthis = (unsigned char *) aprintf("%s:%s:%s",
|
||||
- ha1,
|
||||
- digest->nonce,
|
||||
- ha2);
|
||||
+ hashthis = aprintf("%s:%s:%s", ha1, digest->nonce, ha2);
|
||||
}
|
||||
|
||||
if(!hashthis)
|
||||
return CURLE_OUT_OF_MEMORY;
|
||||
|
||||
CURL_OUTPUT_DIGEST_CONV(data, hashthis); /* convert on non-ASCII machines */
|
||||
- hash(hashbuf, hashthis);
|
||||
+ hash(hashbuf, (unsigned char *) hashthis, strlen(hashthis));
|
||||
free(hashthis);
|
||||
convert_to_ascii(hashbuf, request_digest);
|
||||
|
||||
diff -up curl-7.61.1/lib/vauth/ntlm.c.RHEL-32335 curl-7.61.1/lib/vauth/ntlm.c
|
||||
--- curl-7.61.1/lib/vauth/ntlm.c.RHEL-32335 2024-04-10 09:51:15.114537483 +0200
|
||||
+++ curl-7.61.1/lib/vauth/ntlm.c 2024-04-10 09:52:26.411962237 +0200
|
||||
@@ -40,6 +40,7 @@
|
||||
#include "curl_ntlm_core.h"
|
||||
#include "curl_gethostname.h"
|
||||
#include "curl_multibyte.h"
|
||||
+#include "curl_md5.h"
|
||||
#include "warnless.h"
|
||||
#include "rand.h"
|
||||
#include "vtls/vtls.h"
|
||||
@@ -621,11 +622,10 @@ CURLcode Curl_auth_create_ntlm_type3_mes
|
||||
memcpy(tmp, &ntlm->nonce[0], 8);
|
||||
memcpy(tmp + 8, entropy, 8);
|
||||
|
||||
- result = Curl_ssl_md5sum(tmp, 16, md5sum, MD5_DIGEST_LENGTH);
|
||||
- if(!result)
|
||||
- /* We shall only use the first 8 bytes of md5sum, but the des code in
|
||||
- Curl_ntlm_core_lm_resp only encrypt the first 8 bytes */
|
||||
- result = Curl_ntlm_core_mk_nt_hash(data, passwdp, ntbuffer);
|
||||
+ Curl_md5it(md5sum, tmp, 16);
|
||||
+ /* We shall only use the first 8 bytes of md5sum, but the des code in
|
||||
+ Curl_ntlm_core_lm_resp only encrypt the first 8 bytes */
|
||||
+ result = Curl_ntlm_core_mk_nt_hash(data, passwdp, ntbuffer);
|
||||
if(result)
|
||||
return result;
|
||||
|
||||
diff -up curl-7.61.1/tests/unit/unit1601.c.RHEL-32335 curl-7.61.1/tests/unit/unit1601.c
|
||||
--- curl-7.61.1/tests/unit/unit1601.c.RHEL-32335 2024-04-10 10:20:19.347920127 +0200
|
||||
+++ curl-7.61.1/tests/unit/unit1601.c 2024-04-10 10:21:53.606480641 +0200
|
||||
@@ -36,18 +36,19 @@ static void unit_stop(void)
|
||||
UNITTEST_START
|
||||
|
||||
#ifndef CURL_DISABLE_CRYPTO_AUTH
|
||||
- unsigned char output[16];
|
||||
+ const char string1[] = "1";
|
||||
+ const char string2[] = "hello-you-fool";
|
||||
+ unsigned char output[MD5_DIGEST_LEN];
|
||||
unsigned char *testp = output;
|
||||
- Curl_md5it(output, (const unsigned char *)"1");
|
||||
|
||||
-/* !checksrc! disable LONGLINE 2 */
|
||||
- verify_memory(testp,
|
||||
- "\xc4\xca\x42\x38\xa0\xb9\x23\x82\x0d\xcc\x50\x9a\x6f\x75\x84\x9b", 16);
|
||||
+ Curl_md5it(output, (const unsigned char *) string1, strlen(string1));
|
||||
+ verify_memory(testp, "\xc4\xca\x42\x38\xa0\xb9\x23\x82\x0d\xcc\x50\x9a\x6f"
|
||||
+ "\x75\x84\x9b", MD5_DIGEST_LEN);
|
||||
|
||||
- Curl_md5it(output, (const unsigned char *)"hello-you-fool");
|
||||
+ Curl_md5it(output, (const unsigned char *) string2, strlen(string2));
|
||||
|
||||
- verify_memory(testp,
|
||||
- "\x88\x67\x0b\x6d\x5d\x74\x2f\xad\xa5\xcd\xf9\xb6\x82\x87\x5f\x22", 16);
|
||||
+ verify_memory(testp, "\x88\x67\x0b\x6d\x5d\x74\x2f\xad\xa5\xcd\xf9\xb6\x82"
|
||||
+ "\x87\x5f\x22", MD5_DIGEST_LEN);
|
||||
#endif
|
||||
|
||||
|
||||
@ -1,283 +0,0 @@
|
||||
From 17d1e27d309f16da960fd3b9933e6e2b1db22b17 Mon Sep 17 00:00:00 2001
|
||||
From: Eric Wong <e@80x24.org>
|
||||
Date: Sat, 10 Aug 2019 21:20:23 +0000
|
||||
Subject: [PATCH] asyn-thread: issue CURL_POLL_REMOVE before closing socket
|
||||
|
||||
This avoids EBADF errors from EPOLL_CTL_DEL operations in the
|
||||
ephiperfifo.c example. EBADF is dangerous in multi-threaded
|
||||
applications where I rely on epoll_ctl to operate on the same
|
||||
epoll description from different threads.
|
||||
|
||||
Follow-up to eb9a604f8d7db8
|
||||
|
||||
Bug: https://curl.haxx.se/mail/lib-2019-08/0026.html
|
||||
Closes #4211
|
||||
---
|
||||
lib/asyn-thread.c | 25 ++++++++++++++++++++-----
|
||||
1 file changed, 20 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/lib/asyn-thread.c b/lib/asyn-thread.c
|
||||
index 222e78d98..24da74885 100755
|
||||
--- a/lib/asyn-thread.c
|
||||
+++ b/lib/asyn-thread.c
|
||||
@@ -164,6 +164,7 @@ struct thread_sync_data {
|
||||
duplicate */
|
||||
int port;
|
||||
#ifdef HAVE_SOCKETPAIR
|
||||
+ struct connectdata *conn;
|
||||
curl_socket_t sock_pair[2]; /* socket pair */
|
||||
#endif
|
||||
int sock_error;
|
||||
@@ -201,11 +202,10 @@ void destroy_thread_sync_data(struct thread_sync_data * tsd)
|
||||
Curl_freeaddrinfo(tsd->res);
|
||||
|
||||
#ifdef HAVE_SOCKETPAIR
|
||||
- /* close socket pair */
|
||||
- if(tsd->sock_pair[0] != CURL_SOCKET_BAD) {
|
||||
- sclose(tsd->sock_pair[0]);
|
||||
- }
|
||||
-
|
||||
+ /*
|
||||
+ * close one end of the socket pair (may be done in resolver thread);
|
||||
+ * the other end (for reading) is always closed in the parent thread.
|
||||
+ */
|
||||
if(tsd->sock_pair[1] != CURL_SOCKET_BAD) {
|
||||
sclose(tsd->sock_pair[1]);
|
||||
}
|
||||
@@ -382,6 +382,10 @@ static void destroy_async_data(struct Curl_async *async)
|
||||
if(async->os_specific) {
|
||||
struct thread_data *td = (struct thread_data*) async->os_specific;
|
||||
int done;
|
||||
+#ifdef HAVE_SOCKETPAIR
|
||||
+ curl_socket_t sock_rd = td->tsd.sock_pair[0];
|
||||
+ struct connectdata *conn = td->tsd.conn;
|
||||
+#endif
|
||||
|
||||
/*
|
||||
* if the thread is still blocking in the resolve syscall, detach it and
|
||||
@@ -403,6 +407,15 @@ static void destroy_async_data(struct Curl_async *async)
|
||||
|
||||
free(async->os_specific);
|
||||
}
|
||||
+#ifdef HAVE_SOCKETPAIR
|
||||
+ /*
|
||||
+ * ensure CURLMOPT_SOCKETFUNCTION fires CURL_POLL_REMOVE
|
||||
+ * before the FD is invalidated to avoid EBADF on EPOLL_CTL_DEL
|
||||
+ */
|
||||
+ if(conn)
|
||||
+ Curl_multi_closed(conn->data, sock_rd);
|
||||
+ sclose(sock_rd);
|
||||
+#endif
|
||||
}
|
||||
async->os_specific = NULL;
|
||||
|
||||
@@ -644,6 +657,8 @@ int Curl_resolver_getsock(struct connectdata *conn,
|
||||
if(td) {
|
||||
/* return read fd to client for polling the DNS resolution status */
|
||||
socks[0] = td->tsd.sock_pair[0];
|
||||
+ DEBUGASSERT(td->tsd.conn == conn || !td->tsd.conn);
|
||||
+ td->tsd.conn = conn;
|
||||
ret_val = GETSOCK_READSOCK(0);
|
||||
}
|
||||
else {
|
||||
--
|
||||
2.49.0
|
||||
|
||||
From 041690aadb1357775ff06c5bf827a98585627c76 Mon Sep 17 00:00:00 2001
|
||||
From: Daniel Stenberg <daniel@haxx.se>
|
||||
Date: Tue, 30 Jul 2019 10:29:54 +0200
|
||||
Subject: [PATCH] asyn-thread: removed unused variable
|
||||
|
||||
Follow-up to eb9a604f. Mistake caused by me when I edited the commit
|
||||
before push...
|
||||
---
|
||||
lib/asyn-thread.c | 3 +--
|
||||
1 file changed, 1 insertion(+), 2 deletions(-)
|
||||
|
||||
diff --git a/lib/asyn-thread.c b/lib/asyn-thread.c
|
||||
index f17638e44..e323cbe20 100755
|
||||
--- a/lib/asyn-thread.c
|
||||
+++ b/lib/asyn-thread.c
|
||||
@@ -636,11 +636,10 @@ int Curl_resolver_getsock(struct connectdata *conn,
|
||||
struct resdata *reslv = (struct resdata *)data->state.resolver;
|
||||
#ifdef HAVE_SOCKETPAIR
|
||||
struct thread_data *td = (struct thread_data*)conn->async.os_specific;
|
||||
- int loop_idx;
|
||||
#else
|
||||
(void)socks;
|
||||
- (void)numsocks;
|
||||
#endif
|
||||
+ (void)numsocks;
|
||||
|
||||
#ifdef HAVE_SOCKETPAIR
|
||||
if(td) {
|
||||
--
|
||||
2.49.0
|
||||
|
||||
From 060fb84a5a07388f099c7a3422e281ac64d623a5 Mon Sep 17 00:00:00 2001
|
||||
From: Xiang Xiao <xiaoxiang@xiaomi.com>
|
||||
Date: Tue, 24 Dec 2019 21:47:37 +0800
|
||||
Subject: [PATCH] lib: remove erroneous +x file permission on some c files
|
||||
|
||||
Modified by commit eb9a604 accidentally.
|
||||
|
||||
Closes https://github.com/curl/curl/pull/4756
|
||||
---
|
||||
lib/asyn-thread.c | 0
|
||||
lib/multi.c | 0
|
||||
2 files changed, 0 insertions(+), 0 deletions(-)
|
||||
mode change 100755 => 100644 lib/asyn-thread.c
|
||||
mode change 100755 => 100644 lib/multi.c
|
||||
|
||||
diff --git a/lib/asyn-thread.c b/lib/asyn-thread.c
|
||||
old mode 100755
|
||||
new mode 100644
|
||||
diff --git a/lib/multi.c b/lib/multi.c
|
||||
old mode 100755
|
||||
new mode 100644
|
||||
--
|
||||
2.49.0
|
||||
|
||||
From e34ec7de5964baa214555115f5061ed199d0f7b4 Mon Sep 17 00:00:00 2001
|
||||
From: Daniel Stenberg <daniel@haxx.se>
|
||||
Date: Wed, 11 Sep 2019 23:11:58 +0200
|
||||
Subject: [PATCH] asyn-thread: s/AF_LOCAL/AF_UNIX for Solaris
|
||||
|
||||
Reported-by: Dagobert Michelsen
|
||||
Fixes #4328
|
||||
Closes #4333
|
||||
---
|
||||
lib/asyn-thread.c | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/lib/asyn-thread.c b/lib/asyn-thread.c
|
||||
index 24da74885..fcbf1305e 100755
|
||||
--- a/lib/asyn-thread.c
|
||||
+++ b/lib/asyn-thread.c
|
||||
@@ -244,8 +244,8 @@ int init_thread_sync_data(struct thread_data * td,
|
||||
Curl_mutex_init(tsd->mtx);
|
||||
|
||||
#ifdef HAVE_SOCKETPAIR
|
||||
- /* create socket pair */
|
||||
- if(socketpair(AF_LOCAL, SOCK_STREAM, 0, &tsd->sock_pair[0]) < 0) {
|
||||
+ /* create socket pair, avoid AF_LOCAL since it doesn't build on Solaris */
|
||||
+ if(socketpair(AF_UNIX, SOCK_STREAM, 0, &tsd->sock_pair[0]) < 0) {
|
||||
tsd->sock_pair[0] = CURL_SOCKET_BAD;
|
||||
tsd->sock_pair[1] = CURL_SOCKET_BAD;
|
||||
goto err_exit;
|
||||
--
|
||||
2.49.0
|
||||
|
||||
From 9c76f694de1765152e0b349cd55baad5a501f55b Mon Sep 17 00:00:00 2001
|
||||
From: Daniel Stenberg <daniel@haxx.se>
|
||||
Date: Sat, 5 Oct 2019 15:41:09 +0200
|
||||
Subject: [PATCH] asyn-thread: make use of Curl_socketpair() where available
|
||||
|
||||
---
|
||||
lib/asyn-thread.c | 26 ++++++++++++++------------
|
||||
1 file changed, 14 insertions(+), 12 deletions(-)
|
||||
|
||||
diff --git a/lib/asyn-thread.c b/lib/asyn-thread.c
|
||||
index fcbf1305e..8c552baa9 100755
|
||||
--- a/lib/asyn-thread.c
|
||||
+++ b/lib/asyn-thread.c
|
||||
@@ -163,7 +165,7 @@ struct thread_sync_data {
|
||||
char *hostname; /* hostname to resolve, Curl_async.hostname
|
||||
duplicate */
|
||||
int port;
|
||||
-#ifdef HAVE_SOCKETPAIR
|
||||
+#ifdef USE_SOCKETPAIR
|
||||
struct connectdata *conn;
|
||||
curl_socket_t sock_pair[2]; /* socket pair */
|
||||
#endif
|
||||
@@ -201,7 +203,7 @@ void destroy_thread_sync_data(struct thread_sync_data * tsd)
|
||||
if(tsd->res)
|
||||
Curl_freeaddrinfo(tsd->res);
|
||||
|
||||
-#ifdef HAVE_SOCKETPAIR
|
||||
+#ifdef USE_SOCKETPAIR
|
||||
/*
|
||||
* close one end of the socket pair (may be done in resolver thread);
|
||||
* the other end (for reading) is always closed in the parent thread.
|
||||
@@ -243,9 +245,9 @@ int init_thread_sync_data(struct thread_data * td,
|
||||
|
||||
Curl_mutex_init(tsd->mtx);
|
||||
|
||||
-#ifdef HAVE_SOCKETPAIR
|
||||
+#ifdef USE_SOCKETPAIR
|
||||
/* create socket pair, avoid AF_LOCAL since it doesn't build on Solaris */
|
||||
- if(socketpair(AF_UNIX, SOCK_STREAM, 0, &tsd->sock_pair[0]) < 0) {
|
||||
+ if(Curl_socketpair(AF_UNIX, SOCK_STREAM, 0, &tsd->sock_pair[0]) < 0) {
|
||||
tsd->sock_pair[0] = CURL_SOCKET_BAD;
|
||||
tsd->sock_pair[1] = CURL_SOCKET_BAD;
|
||||
goto err_exit;
|
||||
@@ -297,7 +299,7 @@ static unsigned int CURL_STDCALL getaddrinfo_thread(void *arg)
|
||||
struct thread_data *td = tsd->td;
|
||||
char service[12];
|
||||
int rc;
|
||||
-#ifdef HAVE_SOCKETPAIR
|
||||
+#ifdef USE_SOCKETPAIR
|
||||
char buf[1];
|
||||
#endif
|
||||
|
||||
@@ -322,11 +324,11 @@ static unsigned int CURL_STDCALL getaddrinfo_thread(void *arg)
|
||||
free(td);
|
||||
}
|
||||
else {
|
||||
-#ifdef HAVE_SOCKETPAIR
|
||||
+#ifdef USE_SOCKETPAIR
|
||||
if(tsd->sock_pair[1] != CURL_SOCKET_BAD) {
|
||||
/* DNS has been resolved, signal client task */
|
||||
buf[0] = 1;
|
||||
- if(write(tsd->sock_pair[1], buf, sizeof(buf)) < 0) {
|
||||
+ if(swrite(tsd->sock_pair[1], buf, sizeof(buf)) < 0) {
|
||||
/* update sock_erro to errno */
|
||||
tsd->sock_error = SOCKERRNO;
|
||||
}
|
||||
@@ -382,7 +384,7 @@ static void destroy_async_data(struct Curl_async *async)
|
||||
if(async->os_specific) {
|
||||
struct thread_data *td = (struct thread_data*) async->os_specific;
|
||||
int done;
|
||||
-#ifdef HAVE_SOCKETPAIR
|
||||
+#ifdef USE_SOCKETPAIR
|
||||
curl_socket_t sock_rd = td->tsd.sock_pair[0];
|
||||
struct connectdata *conn = td->tsd.conn;
|
||||
#endif
|
||||
@@ -407,7 +409,7 @@ static void destroy_async_data(struct Curl_async *async)
|
||||
|
||||
free(async->os_specific);
|
||||
}
|
||||
-#ifdef HAVE_SOCKETPAIR
|
||||
+#ifdef USE_SOCKETPAIR
|
||||
/*
|
||||
* ensure CURLMOPT_SOCKETFUNCTION fires CURL_POLL_REMOVE
|
||||
* before the FD is invalidated to avoid EBADF on EPOLL_CTL_DEL
|
||||
@@ -649,14 +651,14 @@ int Curl_resolver_getsock(struct connectdata *conn,
|
||||
timediff_t ms;
|
||||
struct Curl_easy *data = conn->data;
|
||||
struct resdata *reslv = (struct resdata *)data->state.resolver;
|
||||
-#ifdef HAVE_SOCKETPAIR
|
||||
+#ifdef USE_SOCKETPAIR
|
||||
struct thread_data *td = (struct thread_data*)conn->async.os_specific;
|
||||
#else
|
||||
(void)socks;
|
||||
#endif
|
||||
(void)numsocks;
|
||||
|
||||
-#ifdef HAVE_SOCKETPAIR
|
||||
+#ifdef USE_SOCKETPAIR
|
||||
if(td) {
|
||||
/* return read fd to client for polling the DNS resolution status */
|
||||
socks[0] = td->tsd.sock_pair[0];
|
||||
@@ -673,7 +675,7 @@ int Curl_resolver_getsock(struct connectdata *conn,
|
||||
else
|
||||
milli = 200;
|
||||
Curl_expire(data, milli, EXPIRE_ASYNC_NAME);
|
||||
-#ifdef HAVE_SOCKETPAIR
|
||||
+#ifdef USE_SOCKETPAIR
|
||||
}
|
||||
#endif
|
||||
|
||||
--
|
||||
2.49.0
|
||||
|
||||
@ -1,338 +0,0 @@
|
||||
From b1a049b4c024ea69ef571da8def3cc13889430f4 Mon Sep 17 00:00:00 2001
|
||||
From: Jay Satiro <raysatiro@yahoo.com>
|
||||
Date: Sun, 23 Feb 2020 18:37:09 -0500
|
||||
Subject: [PATCH] libssh: Fix matching user-specified MD5 hex key
|
||||
|
||||
Prior to this change a match would never be successful because it
|
||||
was mistakenly coded to compare binary data from libssh to a
|
||||
user-specified hex string (ie CURLOPT_SSH_HOST_PUBLIC_KEY_MD5).
|
||||
|
||||
Reported-by: fds242@users.noreply.github.com
|
||||
|
||||
Fixes https://github.com/curl/curl/issues/4971
|
||||
Closes https://github.com/curl/curl/pull/4974
|
||||
(cherry picked from commit 09aa807240b9dcde78a919ff712316a1daf0655e)
|
||||
---
|
||||
lib/ssh-libssh.c | 20 ++++++++++++++++---
|
||||
tests/FILEFORMAT | 1 +
|
||||
tests/data/Makefile.inc | 1 +
|
||||
tests/data/test664 | 44 +++++++++++++++++++++++++++++++++++++++++
|
||||
tests/data/test665 | 44 +++++++++++++++++++++++++++++++++++++++++
|
||||
tests/runtests.pl | 24 ++++++++++++++++++++++
|
||||
tests/sshhelp.pm | 3 +++
|
||||
tests/sshserver.pl | 31 +++++++++++++++++++++++++----
|
||||
8 files changed, 161 insertions(+), 7 deletions(-)
|
||||
create mode 100644 tests/data/test664
|
||||
create mode 100644 tests/data/test665
|
||||
|
||||
diff --git a/lib/ssh-libssh.c b/lib/ssh-libssh.c
|
||||
index 7d590891c..c203d6336 100644
|
||||
--- a/lib/ssh-libssh.c
|
||||
+++ b/lib/ssh-libssh.c
|
||||
@@ -327,13 +327,27 @@ static int myssh_is_known(struct connectdata *conn)
|
||||
return rc;
|
||||
|
||||
if(data->set.str[STRING_SSH_HOST_PUBLIC_KEY_MD5]) {
|
||||
+ int i;
|
||||
+ char md5buffer[33];
|
||||
+ const char *pubkey_md5 = data->set.str[STRING_SSH_HOST_PUBLIC_KEY_MD5];
|
||||
+
|
||||
rc = ssh_get_publickey_hash(pubkey, SSH_PUBLICKEY_HASH_MD5,
|
||||
&hash, &hlen);
|
||||
- if(rc != SSH_OK)
|
||||
+ if(rc != SSH_OK || hlen != 16) {
|
||||
+ failf(data,
|
||||
+ "Denied establishing ssh session: md5 fingerprint not available");
|
||||
goto cleanup;
|
||||
+ }
|
||||
+
|
||||
+ for(i = 0; i < 16; i++)
|
||||
+ snprintf(&md5buffer[i*2], 3, "%02x", (unsigned char)hash[i]);
|
||||
+
|
||||
+ infof(data, "SSH MD5 fingerprint: %s\n", md5buffer);
|
||||
|
||||
- if(hlen != strlen(data->set.str[STRING_SSH_HOST_PUBLIC_KEY_MD5]) ||
|
||||
- memcmp(&data->set.str[STRING_SSH_HOST_PUBLIC_KEY_MD5], hash, hlen)) {
|
||||
+ if(!strcasecompare(md5buffer, pubkey_md5)) {
|
||||
+ failf(data,
|
||||
+ "Denied establishing ssh session: mismatch md5 fingerprint. "
|
||||
+ "Remote %s is not equal to %s", md5buffer, pubkey_md5);
|
||||
rc = SSH_ERROR;
|
||||
goto cleanup;
|
||||
}
|
||||
diff --git a/tests/FILEFORMAT b/tests/FILEFORMAT
|
||||
index 135ded6c1..6b79093ab 100644
|
||||
--- a/tests/FILEFORMAT
|
||||
+++ b/tests/FILEFORMAT
|
||||
@@ -368,6 +368,7 @@ Available substitute variables include:
|
||||
%PWD - Current directory
|
||||
%RTSP6PORT - IPv6 port number of the RTSP server
|
||||
%RTSPPORT - Port number of the RTSP server
|
||||
+%SSHSRVMD5 - MD5 of SSH server's public key
|
||||
%SMTP6PORT - IPv6 port number of the SMTP server
|
||||
%SMTPPORT - Port number of the SMTP server
|
||||
%SOCKSPORT - Port number of the SOCKS4/5 server
|
||||
diff --git a/tests/data/Makefile.inc b/tests/data/Makefile.inc
|
||||
index e0457486b..923b58a63 100644
|
||||
--- a/tests/data/Makefile.inc
|
||||
+++ b/tests/data/Makefile.inc
|
||||
@@ -84,6 +84,7 @@ test626 test627 test628 test629 test630 test631 test632 test633 test634 \
|
||||
test635 test636 test637 test638 test639 test640 test641 test642 \
|
||||
test643 test644 test645 test646 test647 test648 test649 test650 test651 \
|
||||
test652 test653 test654 test655 test656 \
|
||||
+test664 test665 \
|
||||
\
|
||||
test700 test701 test702 test703 test704 test705 test706 test707 test708 \
|
||||
test709 test710 test711 test712 test713 test714 test715 \
|
||||
diff --git a/tests/data/test664 b/tests/data/test664
|
||||
new file mode 100644
|
||||
index 000000000..cb73b248b
|
||||
--- /dev/null
|
||||
+++ b/tests/data/test664
|
||||
@@ -0,0 +1,44 @@
|
||||
+<testcase>
|
||||
+<info>
|
||||
+<keywords>
|
||||
+SFTP
|
||||
+server key check
|
||||
+</keywords>
|
||||
+</info>
|
||||
+
|
||||
+#
|
||||
+# Server-side
|
||||
+<reply>
|
||||
+<data>
|
||||
+test
|
||||
+</data>
|
||||
+</reply>
|
||||
+
|
||||
+#
|
||||
+# Client-side
|
||||
+<client>
|
||||
+<server>
|
||||
+sftp
|
||||
+</server>
|
||||
+ <name>
|
||||
+SFTP correct host key
|
||||
+ </name>
|
||||
+ <command>
|
||||
+--hostpubmd5 %SSHSRVMD5 --key curl_client_key --pubkey curl_client_key.pub -u %USER: sftp://%HOSTIP:%SSHPORT%POSIX_PWD/log/file664.txt
|
||||
+</command>
|
||||
+<file name="log/file664.txt">
|
||||
+test
|
||||
+</file>
|
||||
+</client>
|
||||
+
|
||||
+#
|
||||
+# Verify data after the test has been "shot"
|
||||
+<verify>
|
||||
+<errorcode>
|
||||
+0
|
||||
+</errorcode>
|
||||
+<valgrind>
|
||||
+disable
|
||||
+</valgrind>
|
||||
+</verify>
|
||||
+</testcase>
|
||||
diff --git a/tests/data/test665 b/tests/data/test665
|
||||
new file mode 100644
|
||||
index 000000000..830adb8f6
|
||||
--- /dev/null
|
||||
+++ b/tests/data/test665
|
||||
@@ -0,0 +1,44 @@
|
||||
+<testcase>
|
||||
+<info>
|
||||
+<keywords>
|
||||
+SCP
|
||||
+server key check
|
||||
+</keywords>
|
||||
+</info>
|
||||
+
|
||||
+#
|
||||
+# Server-side
|
||||
+<reply>
|
||||
+<data>
|
||||
+test
|
||||
+</data>
|
||||
+</reply>
|
||||
+
|
||||
+#
|
||||
+# Client-side
|
||||
+<client>
|
||||
+<server>
|
||||
+scp
|
||||
+</server>
|
||||
+ <name>
|
||||
+SCP correct host key
|
||||
+ </name>
|
||||
+ <command>
|
||||
+--hostpubmd5 %SSHSRVMD5 --key curl_client_key --pubkey curl_client_key.pub -u %USER: scp://%HOSTIP:%SSHPORT%POSIX_PWD/log/file665.txt
|
||||
+</command>
|
||||
+<file name="log/file665.txt">
|
||||
+test
|
||||
+</file>
|
||||
+</client>
|
||||
+
|
||||
+#
|
||||
+# Verify data after the test has been "shot"
|
||||
+<verify>
|
||||
+<errorcode>
|
||||
+0
|
||||
+</errorcode>
|
||||
+<valgrind>
|
||||
+disable
|
||||
+</valgrind>
|
||||
+</verify>
|
||||
+</testcase>
|
||||
diff --git a/tests/runtests.pl b/tests/runtests.pl
|
||||
index e12c1429a..4e2a19cf2 100755
|
||||
--- a/tests/runtests.pl
|
||||
+++ b/tests/runtests.pl
|
||||
@@ -150,6 +150,8 @@ my $SMBPORT; # SMB server port
|
||||
my $SMBSPORT; # SMBS server port
|
||||
my $NEGTELNETPORT; # TELNET server port with negotiation
|
||||
|
||||
+my $SSHSRVMD5; # MD5 of ssh server public key
|
||||
+
|
||||
my $srcdir = $ENV{'srcdir'} || '.';
|
||||
my $CURL="../src/curl".exe_ext(); # what curl executable to run on the tests
|
||||
my $VCURL=$CURL; # what curl binary to use to verify the servers with
|
||||
@@ -2181,6 +2183,18 @@ sub runsshserver {
|
||||
return (0,0);
|
||||
}
|
||||
|
||||
+ my $hstpubmd5f = "curl_host_rsa_key.pub_md5";
|
||||
+ if(!open(PUBMD5FILE, "<", $hstpubmd5f) ||
|
||||
+ (read(PUBMD5FILE, $SSHSRVMD5, 32) != 32) ||
|
||||
+ !close(PUBMD5FILE) ||
|
||||
+ ($SSHSRVMD5 !~ /^[a-f0-9]{32}$/i))
|
||||
+ {
|
||||
+ my $msg = "Fatal: $srvrname pubkey md5 missing : \"$hstpubmd5f\" : $!";
|
||||
+ logmsg "$msg\n";
|
||||
+ stopservers($verbose);
|
||||
+ die $msg;
|
||||
+ }
|
||||
+
|
||||
if($verbose) {
|
||||
logmsg "RUN: $srvrname server is now running PID $pid2\n";
|
||||
}
|
||||
@@ -3205,6 +3219,16 @@ sub subVariables {
|
||||
$$thing =~ s/%SRCDIR/$srcdir/g;
|
||||
$$thing =~ s/%USER/$USER/g;
|
||||
|
||||
+ if($$thing =~ /%SSHSRVMD5/) {
|
||||
+ if(!$SSHSRVMD5) {
|
||||
+ my $msg = "Fatal: Missing SSH server pubkey MD5. Is server running?";
|
||||
+ logmsg "$msg\n";
|
||||
+ stopservers($verbose);
|
||||
+ die $msg;
|
||||
+ }
|
||||
+ $$thing =~ s/%SSHSRVMD5/$SSHSRVMD5/g;
|
||||
+ }
|
||||
+
|
||||
# The purpose of FTPTIME2 and FTPTIME3 is to provide times that can be
|
||||
# used for time-out tests and that whould work on most hosts as these
|
||||
# adjust for the startup/check time for this particular host. We needed
|
||||
diff --git a/tests/sshhelp.pm b/tests/sshhelp.pm
|
||||
index c5618a109..abdf9c458 100644
|
||||
--- a/tests/sshhelp.pm
|
||||
+++ b/tests/sshhelp.pm
|
||||
@@ -50,6 +50,7 @@ use vars qw(
|
||||
$sftpcmds
|
||||
$hstprvkeyf
|
||||
$hstpubkeyf
|
||||
+ $hstpubmd5f
|
||||
$cliprvkeyf
|
||||
$clipubkeyf
|
||||
@sftppath
|
||||
@@ -82,6 +83,7 @@ use vars qw(
|
||||
$sftpcmds
|
||||
$hstprvkeyf
|
||||
$hstpubkeyf
|
||||
+ $hstpubmd5f
|
||||
$cliprvkeyf
|
||||
$clipubkeyf
|
||||
display_sshdconfig
|
||||
@@ -122,6 +124,7 @@ $sftpcmds = 'curl_sftp_cmds'; # sftp client commands batch file
|
||||
$knownhosts = 'curl_client_knownhosts'; # ssh knownhosts file
|
||||
$hstprvkeyf = 'curl_host_rsa_key'; # host private key file
|
||||
$hstpubkeyf = 'curl_host_rsa_key.pub'; # host public key file
|
||||
+$hstpubmd5f = 'curl_host_rsa_key.pub_md5'; # md5 hash of host public key
|
||||
$cliprvkeyf = 'curl_client_key'; # client private key file
|
||||
$clipubkeyf = 'curl_client_key.pub'; # client public key file
|
||||
|
||||
diff --git a/tests/sshserver.pl b/tests/sshserver.pl
|
||||
index 9b3d122fd..cd92a62c5 100755
|
||||
--- a/tests/sshserver.pl
|
||||
+++ b/tests/sshserver.pl
|
||||
@@ -28,6 +28,9 @@ use strict;
|
||||
use warnings;
|
||||
use Cwd;
|
||||
use Cwd 'abs_path';
|
||||
+use Digest::MD5;
|
||||
+use Digest::MD5 'md5_hex';
|
||||
+use MIME::Base64;
|
||||
|
||||
#***************************************************************************
|
||||
# Variables and subs imported from sshhelp module
|
||||
@@ -48,6 +51,7 @@ use sshhelp qw(
|
||||
$sftpcmds
|
||||
$hstprvkeyf
|
||||
$hstpubkeyf
|
||||
+ $hstpubmd5f
|
||||
$cliprvkeyf
|
||||
$clipubkeyf
|
||||
display_sshdconfig
|
||||
@@ -367,10 +371,11 @@ if((($sshid =~ /OpenSSH/) && ($sshvernum < 299)) ||
|
||||
#
|
||||
if((! -e $hstprvkeyf) || (! -s $hstprvkeyf) ||
|
||||
(! -e $hstpubkeyf) || (! -s $hstpubkeyf) ||
|
||||
+ (! -e $hstpubmd5f) || (! -s $hstpubmd5f) ||
|
||||
(! -e $cliprvkeyf) || (! -s $cliprvkeyf) ||
|
||||
(! -e $clipubkeyf) || (! -s $clipubkeyf)) {
|
||||
# Make sure all files are gone so ssh-keygen doesn't complain
|
||||
- unlink($hstprvkeyf, $hstpubkeyf, $cliprvkeyf, $clipubkeyf);
|
||||
+ unlink($hstprvkeyf, $hstpubkeyf, $hstpubmd5f, $cliprvkeyf, $clipubkeyf);
|
||||
logmsg 'generating host keys...' if($verbose);
|
||||
if(system "\"$sshkeygen\" -q -t rsa -f $hstprvkeyf -C 'curl test server' -N ''") {
|
||||
logmsg 'Could not generate host key';
|
||||
@@ -381,6 +386,24 @@ if((! -e $hstprvkeyf) || (! -s $hstprvkeyf) ||
|
||||
logmsg 'Could not generate client key';
|
||||
exit 1;
|
||||
}
|
||||
+ # Make sure that permissions are restricted so openssh doesn't complain
|
||||
+ system "chmod 600 $hstprvkeyf";
|
||||
+ system "chmod 600 $cliprvkeyf";
|
||||
+ # Save md5 hash of public host key
|
||||
+ open(RSAKEYFILE, "<$hstpubkeyf");
|
||||
+ my @rsahostkey = do { local $/ = ' '; <RSAKEYFILE> };
|
||||
+ close(RSAKEYFILE);
|
||||
+ if(!$rsahostkey[1]) {
|
||||
+ logmsg 'Failed parsing base64 encoded RSA host key';
|
||||
+ exit 1;
|
||||
+ }
|
||||
+ open(PUBMD5FILE, ">$hstpubmd5f");
|
||||
+ print PUBMD5FILE md5_hex(decode_base64($rsahostkey[1]));
|
||||
+ close(PUBMD5FILE);
|
||||
+ if((! -e $hstpubmd5f) || (! -s $hstpubmd5f)) {
|
||||
+ logmsg 'Failed writing md5 hash of RSA host key';
|
||||
+ exit 1;
|
||||
+ }
|
||||
}
|
||||
|
||||
|
||||
@@ -1073,8 +1096,8 @@ elsif($verbose && ($rc >> 8)) {
|
||||
#***************************************************************************
|
||||
# Clean up once the server has stopped
|
||||
#
|
||||
-unlink($hstprvkeyf, $hstpubkeyf, $cliprvkeyf, $clipubkeyf, $knownhosts);
|
||||
-unlink($sshdconfig, $sshconfig, $sftpconfig);
|
||||
-
|
||||
+unlink($hstprvkeyf, $hstpubkeyf, $hstpubmd5f,
|
||||
+ $cliprvkeyf, $clipubkeyf, $knownhosts,
|
||||
+ $sshdconfig, $sshconfig, $sftpconfig);
|
||||
|
||||
exit 0;
|
||||
--
|
||||
2.47.1
|
||||
|
||||
@ -1,44 +0,0 @@
|
||||
From a1c1af1b82bf9427b2bd5ad949d24923f995909a Mon Sep 17 00:00:00 2001
|
||||
From: Jacek Migacz <jmigacz@redhat.com>
|
||||
Date: Wed, 9 Jul 2025 14:33:09 +0200
|
||||
Subject: [PATCH] crypto: ensure crypto initialization works
|
||||
|
||||
---
|
||||
lib/vtls/openssl.c | 14 ++++++++++++--
|
||||
1 file changed, 12 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
|
||||
index 161e79e..7c41f54 100644
|
||||
--- a/lib/vtls/openssl.c
|
||||
+++ b/lib/vtls/openssl.c
|
||||
@@ -3802,7 +3802,12 @@ static CURLcode Curl_ossl_md5sum(unsigned char *tmp, /* input */
|
||||
(void) unused;
|
||||
|
||||
mdctx = EVP_MD_CTX_create();
|
||||
- EVP_DigestInit_ex(mdctx, EVP_md5(), NULL);
|
||||
+ if(!mdctx)
|
||||
+ return CURLE_OUT_OF_MEMORY;
|
||||
+ if(!EVP_DigestInit_ex(mdctx, EVP_md5(), NULL)) {
|
||||
+ EVP_MD_CTX_destroy(mdctx);
|
||||
+ return CURLE_FAILED_INIT;
|
||||
+ }
|
||||
EVP_DigestUpdate(mdctx, tmp, tmplen);
|
||||
EVP_DigestFinal_ex(mdctx, md5sum, &len);
|
||||
EVP_MD_CTX_destroy(mdctx);
|
||||
@@ -3820,7 +3825,12 @@ static CURLcode Curl_ossl_sha256sum(const unsigned char *tmp, /* input */
|
||||
(void) unused;
|
||||
|
||||
mdctx = EVP_MD_CTX_create();
|
||||
- EVP_DigestInit_ex(mdctx, EVP_sha256(), NULL);
|
||||
+ if(!mdctx)
|
||||
+ return CURLE_OUT_OF_MEMORY;
|
||||
+ if(!EVP_DigestInit_ex(mdctx, EVP_sha256(), NULL)) {
|
||||
+ EVP_MD_CTX_destroy(mdctx);
|
||||
+ return CURLE_FAILED_INIT;
|
||||
+ }
|
||||
EVP_DigestUpdate(mdctx, tmp, tmplen);
|
||||
EVP_DigestFinal_ex(mdctx, sha256sum, &len);
|
||||
EVP_MD_CTX_destroy(mdctx);
|
||||
--
|
||||
2.50.0
|
||||
|
||||
@ -1,42 +0,0 @@
|
||||
From cbea2fd2c74feabeb6f13b3e3df243b225b3b3ab Mon Sep 17 00:00:00 2001
|
||||
From: Johannes Schindelin <johannes.schindelin@gmx.de>
|
||||
Date: Thu, 6 Dec 2018 17:26:13 +0100
|
||||
Subject: [PATCH] NTLM: force the connection to HTTP/1.1
|
||||
|
||||
Since v7.62.0, cURL tries to use HTTP/2 whenever the server announces
|
||||
the capability. However, NTLM authentication only works with HTTP/1.1,
|
||||
and will likely remain in that boat (for details, see
|
||||
https://docs.microsoft.com/en-us/iis/get-started/whats-new-in-iis-10/http2-on-iis#when-is-http2-not-supported).
|
||||
|
||||
When we just found out that we want to use NTLM, and when the current
|
||||
connection runs in HTTP/2 mode, let's force the connection to be closed
|
||||
and to be re-opened using HTTP/1.1.
|
||||
|
||||
Fixes https://github.com/curl/curl/issues/3341.
|
||||
Closes #3345
|
||||
|
||||
Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
|
||||
---
|
||||
lib/http.c | 6 ++++++
|
||||
1 file changed, 6 insertions(+)
|
||||
|
||||
diff --git a/lib/http.c b/lib/http.c
|
||||
index aed7aa80f..7be6f8b92 100644
|
||||
--- a/lib/http.c
|
||||
+++ b/lib/http.c
|
||||
@@ -526,6 +526,12 @@ CURLcode Curl_http_auth_act(struct connectdata *conn)
|
||||
pickhost = pickoneauth(&data->state.authhost, authmask);
|
||||
if(!pickhost)
|
||||
data->state.authproblem = TRUE;
|
||||
+ if(data->state.authhost.picked == CURLAUTH_NTLM &&
|
||||
+ conn->httpversion > 11) {
|
||||
+ infof(data, "Forcing HTTP/1.1 for NTLM");
|
||||
+ connclose(conn, "Force HTTP/1.1 connection");
|
||||
+ conn->data->set.httpversion = CURL_HTTP_VERSION_1_1;
|
||||
+ }
|
||||
}
|
||||
if(conn->bits.proxy_user_passwd &&
|
||||
((data->req.httpcode == 407) ||
|
||||
--
|
||||
2.50.0
|
||||
|
||||
@ -1,29 +0,0 @@
|
||||
From c6ae07c6a541e0e96d0040afb62b45dd37711300 Mon Sep 17 00:00:00 2001
|
||||
From: Daniel Stenberg <daniel@haxx.se>
|
||||
Date: Mon, 11 Aug 2025 20:23:05 +0200
|
||||
Subject: [PATCH] cookie: don't treat the leading slash as trailing
|
||||
|
||||
If there is only a leading slash in the path, keep that. Also add an
|
||||
assert to make sure the path is never blank.
|
||||
|
||||
Reported-by: Google Big Sleep
|
||||
Closes #18266
|
||||
---
|
||||
lib/cookie.c | 11 ++++++-----
|
||||
1 file changed, 6 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/lib/cookie.c b/lib/cookie.c
|
||||
index 914a4aca12ac..b72dd99bce9b 100644
|
||||
--- a/lib/cookie.c
|
||||
+++ b/lib/cookie.c
|
||||
@@ -420,8 +420,9 @@ static char *sanitize_cookie_path(const char *cookie_path)
|
||||
return new_path;
|
||||
}
|
||||
|
||||
+ /* remove trailing slash when path is non-empty (len > 1) */
|
||||
/* convert /hoge/ to /hoge */
|
||||
- if(len && new_path[len - 1] == '/') {
|
||||
+ if(len > 1 && new_path[len - 1] == '/') {
|
||||
new_path[len - 1] = 0x0;
|
||||
}
|
||||
|
||||
@ -1,988 +0,0 @@
|
||||
diff -Naur curl-7.61.1.orig/lib/http_aws_sigv4.c curl-7.61.1/lib/http_aws_sigv4.c
|
||||
--- curl-7.61.1.orig/lib/http_aws_sigv4.c 1970-01-01 01:00:00.000000000 +0100
|
||||
+++ curl-7.61.1/lib/http_aws_sigv4.c 2025-12-02 13:31:38.991776478 +0100
|
||||
@@ -0,0 +1,511 @@
|
||||
+/***************************************************************************
|
||||
+ * _ _ ____ _
|
||||
+ * Project ___| | | | _ \| |
|
||||
+ * / __| | | | |_) | |
|
||||
+ * | (__| |_| | _ <| |___
|
||||
+ * \___|\___/|_| \_\_____|
|
||||
+ *
|
||||
+ * Copyright (C) 1998 - 2021, Daniel Stenberg, <daniel@haxx.se>, et al.
|
||||
+ *
|
||||
+ * This software is licensed as described in the file COPYING, which
|
||||
+ * you should have received as part of this distribution. The terms
|
||||
+ * are also available at https://curl.haxx.se/docs/copyright.html.
|
||||
+ *
|
||||
+ * You may opt to use, copy, modify, merge, publish, distribute and/or sell
|
||||
+ * copies of the Software, and permit persons to whom the Software is
|
||||
+ * furnished to do so, under the terms of the COPYING file.
|
||||
+ *
|
||||
+ * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY
|
||||
+ * KIND, either express or implied.
|
||||
+ *
|
||||
+ ***************************************************************************/
|
||||
+
|
||||
+#include "curl_setup.h"
|
||||
+
|
||||
+#if !defined(CURL_DISABLE_HTTP) && !defined(CURL_DISABLE_CRYPTO_AUTH)
|
||||
+
|
||||
+#define USE_AWS_SIGV4
|
||||
+
|
||||
+#include "urldata.h"
|
||||
+#include "strcase.h"
|
||||
+#include "strdup.h"
|
||||
+#include "vauth/vauth.h"
|
||||
+#include "vauth/digest.h"
|
||||
+#include "http_aws_sigv4.h"
|
||||
+#include "curl_sha256.h"
|
||||
+#include "curl_hmac.h"
|
||||
+#include "warnless.h"
|
||||
+#include "transfer.h"
|
||||
+
|
||||
+#include "strcase.h"
|
||||
+#include "parsedate.h"
|
||||
+#include "sendf.h"
|
||||
+
|
||||
+#include <time.h>
|
||||
+
|
||||
+/* The last 3 #include files should be in this order */
|
||||
+#include "curl_printf.h"
|
||||
+#include "curl_memory.h"
|
||||
+#include "memdebug.h"
|
||||
+
|
||||
+/* SHA256 Init/Update/Final function pointers for HMAC */
|
||||
+#if defined(USE_OPENSSL)
|
||||
+#include <openssl/sha.h>
|
||||
+#include <openssl/opensslv.h>
|
||||
+#if (OPENSSL_VERSION_NUMBER >= 0x0090800fL)
|
||||
+#define USE_OPENSSL_SHA256
|
||||
+#endif
|
||||
+#endif
|
||||
+
|
||||
+#ifdef USE_OPENSSL_SHA256
|
||||
+static void SHA256_Init_Wrapper(void *context)
|
||||
+{
|
||||
+ SHA256_Init((SHA256_CTX *)context);
|
||||
+}
|
||||
+
|
||||
+static void SHA256_Update_Wrapper(void *context,
|
||||
+ const unsigned char *data,
|
||||
+ unsigned int len)
|
||||
+{
|
||||
+ SHA256_Update((SHA256_CTX *)context, data, len);
|
||||
+}
|
||||
+
|
||||
+static void SHA256_Final_Wrapper(unsigned char *result, void *context)
|
||||
+{
|
||||
+ SHA256_Final(result, (SHA256_CTX *)context);
|
||||
+}
|
||||
+#else
|
||||
+/* Use internal SHA256 implementation */
|
||||
+typedef struct sha256_state SHA256_CTX;
|
||||
+
|
||||
+static void SHA256_Init_Wrapper(void *context);
|
||||
+static int SHA256_Update_Wrapper_Internal(void *context,
|
||||
+ const unsigned char *data,
|
||||
+ unsigned int len);
|
||||
+static int SHA256_Final_Wrapper_Internal(unsigned char *result,
|
||||
+ void *context);
|
||||
+
|
||||
+static void SHA256_Update_Wrapper(void *context,
|
||||
+ const unsigned char *data,
|
||||
+ unsigned int len)
|
||||
+{
|
||||
+ SHA256_Update_Wrapper_Internal(context, data, len);
|
||||
+}
|
||||
+
|
||||
+static void SHA256_Final_Wrapper(unsigned char *result, void *context)
|
||||
+{
|
||||
+ SHA256_Final_Wrapper_Internal(result, context);
|
||||
+}
|
||||
+
|
||||
+/* Forward declarations for internal SHA256 functions */
|
||||
+extern void SHA256_Init(SHA256_CTX *ctx);
|
||||
+extern int SHA256_Update(SHA256_CTX *ctx, const unsigned char *data,
|
||||
+ unsigned int len);
|
||||
+extern int SHA256_Final(unsigned char *out, SHA256_CTX *ctx);
|
||||
+
|
||||
+static void SHA256_Init_Wrapper(void *context)
|
||||
+{
|
||||
+ SHA256_Init((SHA256_CTX *)context);
|
||||
+}
|
||||
+
|
||||
+static int SHA256_Update_Wrapper_Internal(void *context,
|
||||
+ const unsigned char *data,
|
||||
+ unsigned int len)
|
||||
+{
|
||||
+ return SHA256_Update((SHA256_CTX *)context, data, len);
|
||||
+}
|
||||
+
|
||||
+static int SHA256_Final_Wrapper_Internal(unsigned char *result,
|
||||
+ void *context)
|
||||
+{
|
||||
+ return SHA256_Final(result, (SHA256_CTX *)context);
|
||||
+}
|
||||
+#endif
|
||||
+
|
||||
+/* HMAC-SHA256 parameters for curl 7.61.1 */
|
||||
+static const HMAC_params Curl_HMAC_SHA256[] = {
|
||||
+ {
|
||||
+ CURLX_FUNCTION_CAST(HMAC_hinit_func, SHA256_Init_Wrapper),
|
||||
+ CURLX_FUNCTION_CAST(HMAC_hupdate_func, SHA256_Update_Wrapper),
|
||||
+ CURLX_FUNCTION_CAST(HMAC_hfinal_func, SHA256_Final_Wrapper),
|
||||
+ sizeof(SHA256_CTX),
|
||||
+ 64, /* Maximum key length (block size) */
|
||||
+ 32 /* Result length (SHA256 produces 32 bytes) */
|
||||
+ }
|
||||
+};
|
||||
+
|
||||
+#define HMAC_SHA256(k, kl, d, dl, o) \
|
||||
+ do { \
|
||||
+ HMAC_context *hctx = Curl_HMAC_init(Curl_HMAC_SHA256, \
|
||||
+ (unsigned char *)k, \
|
||||
+ (unsigned int)kl); \
|
||||
+ if(!hctx) { \
|
||||
+ ret = CURLE_OUT_OF_MEMORY; \
|
||||
+ goto fail; \
|
||||
+ } \
|
||||
+ Curl_HMAC_update(hctx, \
|
||||
+ (unsigned char *)d, \
|
||||
+ (unsigned int)dl); \
|
||||
+ Curl_HMAC_final(hctx, o); \
|
||||
+ } while(0)
|
||||
+
|
||||
+static void sha256_to_hex(char *dst, unsigned char *sha, size_t dst_l)
|
||||
+{
|
||||
+ int i;
|
||||
+
|
||||
+ DEBUGASSERT(dst_l >= 65);
|
||||
+ for(i = 0; i < 32; ++i) {
|
||||
+ curl_msnprintf(dst + (i * 2), dst_l - (i * 2), "%02x", sha[i]);
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
+CURLcode Curl_output_aws_sigv4(struct connectdata *conn, bool proxy)
|
||||
+{
|
||||
+ CURLcode ret = CURLE_OUT_OF_MEMORY;
|
||||
+ struct Curl_easy *data = conn->data;
|
||||
+ size_t len;
|
||||
+ const char *tmp0;
|
||||
+ const char *tmp1;
|
||||
+ char *provider0_low = NULL;
|
||||
+ char *provider0_up = NULL;
|
||||
+ char *provider1_low = NULL;
|
||||
+ char *provider1_mid = NULL;
|
||||
+ char *region = NULL;
|
||||
+ char *service = NULL;
|
||||
+ const char *hostname = conn->host.name;
|
||||
+#ifdef DEBUGBUILD
|
||||
+ char *force_timestamp;
|
||||
+#endif
|
||||
+ time_t clock;
|
||||
+ struct tm tm;
|
||||
+ char timestamp[17];
|
||||
+ char date[9];
|
||||
+ const char *content_type = Curl_checkheaders(conn, "Content-Type");
|
||||
+ char *canonical_headers = NULL;
|
||||
+ char *signed_headers = NULL;
|
||||
+ Curl_HttpReq httpreq;
|
||||
+ const char *method = NULL;
|
||||
+ const char *post_data = data->set.postfields ? data->set.postfields : "";
|
||||
+ unsigned char sha_hash[32];
|
||||
+ char sha_hex[65];
|
||||
+ char *canonical_request = NULL;
|
||||
+ char *request_type = NULL;
|
||||
+ char *credential_scope = NULL;
|
||||
+ char *str_to_sign = NULL;
|
||||
+ const char *user = data->state.aptr.user ? data->state.aptr.user : "";
|
||||
+ const char *passwd = data->state.aptr.passwd ? data->state.aptr.passwd : "";
|
||||
+ char *secret = NULL;
|
||||
+ unsigned char tmp_sign0[32] = {0};
|
||||
+ unsigned char tmp_sign1[32] = {0};
|
||||
+ char *auth_headers = NULL;
|
||||
+
|
||||
+ DEBUGASSERT(!proxy);
|
||||
+ (void)proxy;
|
||||
+
|
||||
+ if(Curl_checkheaders(conn, "Authorization")) {
|
||||
+ /* Authorization already present, Bailing out */
|
||||
+ return CURLE_OK;
|
||||
+ }
|
||||
+
|
||||
+ /*
|
||||
+ * Parameters parsing
|
||||
+ * Google and Outscale use the same OSC or GOOG,
|
||||
+ * but Amazon uses AWS and AMZ for header arguments.
|
||||
+ * AWS is the default because most of non-amazon providers
|
||||
+ * are still using aws:amz as a prefix.
|
||||
+ */
|
||||
+ tmp0 = data->set.str[STRING_AWS_SIGV4] ?
|
||||
+ data->set.str[STRING_AWS_SIGV4] : "aws:amz";
|
||||
+ tmp1 = strchr(tmp0, ':');
|
||||
+ len = tmp1 ? (size_t)(tmp1 - tmp0) : strlen(tmp0);
|
||||
+ if(len < 1) {
|
||||
+ infof(data, "first provider can't be empty\n");
|
||||
+ ret = CURLE_BAD_FUNCTION_ARGUMENT;
|
||||
+ goto fail;
|
||||
+ }
|
||||
+ provider0_low = malloc(len + 1);
|
||||
+ provider0_up = malloc(len + 1);
|
||||
+ if(!provider0_low || !provider0_up) {
|
||||
+ goto fail;
|
||||
+ }
|
||||
+ Curl_strntolower(provider0_low, tmp0, len);
|
||||
+ provider0_low[len] = '\0';
|
||||
+ Curl_strntoupper(provider0_up, tmp0, len);
|
||||
+ provider0_up[len] = '\0';
|
||||
+
|
||||
+ if(tmp1) {
|
||||
+ tmp0 = tmp1 + 1;
|
||||
+ tmp1 = strchr(tmp0, ':');
|
||||
+ len = tmp1 ? (size_t)(tmp1 - tmp0) : strlen(tmp0);
|
||||
+ if(len < 1) {
|
||||
+ infof(data, "second provider can't be empty\n");
|
||||
+ ret = CURLE_BAD_FUNCTION_ARGUMENT;
|
||||
+ goto fail;
|
||||
+ }
|
||||
+ provider1_low = malloc(len + 1);
|
||||
+ provider1_mid = malloc(len + 1);
|
||||
+ if(!provider1_low || !provider1_mid) {
|
||||
+ goto fail;
|
||||
+ }
|
||||
+ Curl_strntolower(provider1_low, tmp0, len);
|
||||
+ provider1_low[len] = '\0';
|
||||
+ Curl_strntolower(provider1_mid, tmp0, len);
|
||||
+ provider1_mid[0] = Curl_raw_toupper(provider1_mid[0]);
|
||||
+ provider1_mid[len] = '\0';
|
||||
+
|
||||
+ if(tmp1) {
|
||||
+ tmp0 = tmp1 + 1;
|
||||
+ tmp1 = strchr(tmp0, ':');
|
||||
+ len = tmp1 ? (size_t)(tmp1 - tmp0) : strlen(tmp0);
|
||||
+ if(len < 1) {
|
||||
+ infof(data, "region can't be empty\n");
|
||||
+ ret = CURLE_BAD_FUNCTION_ARGUMENT;
|
||||
+ goto fail;
|
||||
+ }
|
||||
+ region = Curl_memdup(tmp0, len + 1);
|
||||
+ if(!region) {
|
||||
+ goto fail;
|
||||
+ }
|
||||
+ region[len] = '\0';
|
||||
+
|
||||
+ if(tmp1) {
|
||||
+ tmp0 = tmp1 + 1;
|
||||
+ service = strdup(tmp0);
|
||||
+ if(!service) {
|
||||
+ goto fail;
|
||||
+ }
|
||||
+ if(strlen(service) < 1) {
|
||||
+ infof(data, "service can't be empty\n");
|
||||
+ ret = CURLE_BAD_FUNCTION_ARGUMENT;
|
||||
+ goto fail;
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
+ }
|
||||
+ else {
|
||||
+ provider1_low = Curl_memdup(provider0_low, len + 1);
|
||||
+ provider1_mid = Curl_memdup(provider0_low, len + 1);
|
||||
+ if(!provider1_low || !provider1_mid) {
|
||||
+ goto fail;
|
||||
+ }
|
||||
+ provider1_mid[0] = Curl_raw_toupper(provider1_mid[0]);
|
||||
+ }
|
||||
+
|
||||
+ if(!service) {
|
||||
+ tmp0 = hostname;
|
||||
+ tmp1 = strchr(tmp0, '.');
|
||||
+ len = tmp1 - tmp0;
|
||||
+ if(!tmp1 || len < 1) {
|
||||
+ infof(data, "service missing in parameters or hostname\n");
|
||||
+ ret = CURLE_URL_MALFORMAT;
|
||||
+ goto fail;
|
||||
+ }
|
||||
+ service = Curl_memdup(tmp0, len + 1);
|
||||
+ if(!service) {
|
||||
+ goto fail;
|
||||
+ }
|
||||
+ service[len] = '\0';
|
||||
+
|
||||
+ if(!region) {
|
||||
+ tmp0 = tmp1 + 1;
|
||||
+ tmp1 = strchr(tmp0, '.');
|
||||
+ len = tmp1 - tmp0;
|
||||
+ if(!tmp1 || len < 1) {
|
||||
+ infof(data, "region missing in parameters or hostname\n");
|
||||
+ ret = CURLE_URL_MALFORMAT;
|
||||
+ goto fail;
|
||||
+ }
|
||||
+ region = Curl_memdup(tmp0, len + 1);
|
||||
+ if(!region) {
|
||||
+ goto fail;
|
||||
+ }
|
||||
+ region[len] = '\0';
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+#ifdef DEBUGBUILD
|
||||
+ force_timestamp = getenv("CURL_FORCETIME");
|
||||
+ if(force_timestamp)
|
||||
+ clock = 0;
|
||||
+ else
|
||||
+ time(&clock);
|
||||
+#else
|
||||
+ time(&clock);
|
||||
+#endif
|
||||
+ ret = Curl_gmtime(clock, &tm);
|
||||
+ if(ret != CURLE_OK) {
|
||||
+ goto fail;
|
||||
+ }
|
||||
+ if(!strftime(timestamp, sizeof(timestamp), "%Y%m%dT%H%M%SZ", &tm)) {
|
||||
+ goto fail;
|
||||
+ }
|
||||
+ memcpy(date, timestamp, sizeof(date));
|
||||
+ date[sizeof(date) - 1] = 0;
|
||||
+
|
||||
+ if(content_type) {
|
||||
+ content_type = strchr(content_type, ':');
|
||||
+ if(!content_type) {
|
||||
+ ret = CURLE_FAILED_INIT;
|
||||
+ goto fail;
|
||||
+ }
|
||||
+ content_type++;
|
||||
+ /* Skip whitespace now */
|
||||
+ while(*content_type == ' ' || *content_type == '\t')
|
||||
+ ++content_type;
|
||||
+
|
||||
+ canonical_headers = curl_maprintf("content-type:%s\n"
|
||||
+ "host:%s\n"
|
||||
+ "x-%s-date:%s\n",
|
||||
+ content_type,
|
||||
+ hostname,
|
||||
+ provider1_low, timestamp);
|
||||
+ signed_headers = curl_maprintf("content-type;host;x-%s-date",
|
||||
+ provider1_low);
|
||||
+ }
|
||||
+ else {
|
||||
+ canonical_headers = curl_maprintf("host:%s\n"
|
||||
+ "x-%s-date:%s\n",
|
||||
+ hostname,
|
||||
+ provider1_low, timestamp);
|
||||
+ signed_headers = curl_maprintf("host;x-%s-date", provider1_low);
|
||||
+ }
|
||||
+
|
||||
+ if(!canonical_headers || !signed_headers) {
|
||||
+ goto fail;
|
||||
+ }
|
||||
+
|
||||
+ Curl_sha256it(sha_hash,
|
||||
+ (const unsigned char *) post_data, strlen(post_data));
|
||||
+ sha256_to_hex(sha_hex, sha_hash, sizeof(sha_hex));
|
||||
+
|
||||
+ /* Determine HTTP method - curl 7.61.1 style */
|
||||
+ httpreq = data->set.httpreq;
|
||||
+ switch(httpreq) {
|
||||
+ case HTTPREQ_GET:
|
||||
+ method = "GET";
|
||||
+ break;
|
||||
+ case HTTPREQ_POST:
|
||||
+ case HTTPREQ_POST_FORM:
|
||||
+ case HTTPREQ_POST_MIME:
|
||||
+ method = "POST";
|
||||
+ break;
|
||||
+ case HTTPREQ_PUT:
|
||||
+ method = "PUT";
|
||||
+ break;
|
||||
+ case HTTPREQ_HEAD:
|
||||
+ method = "HEAD";
|
||||
+ break;
|
||||
+ case HTTPREQ_OPTIONS:
|
||||
+ method = "OPTIONS";
|
||||
+ break;
|
||||
+ case HTTPREQ_CUSTOM:
|
||||
+ method = data->set.customrequest;
|
||||
+ break;
|
||||
+ default:
|
||||
+ method = "GET";
|
||||
+ break;
|
||||
+ }
|
||||
+
|
||||
+ canonical_request =
|
||||
+ curl_maprintf("%s\n" /* HTTPRequestMethod */
|
||||
+ "%s\n" /* CanonicalURI */
|
||||
+ "%s\n" /* CanonicalQueryString */
|
||||
+ "%s\n" /* CanonicalHeaders */
|
||||
+ "%s\n" /* SignedHeaders */
|
||||
+ "%s", /* HashedRequestPayload in hex */
|
||||
+ method,
|
||||
+ data->state.up.path,
|
||||
+ data->state.up.query ? data->state.up.query : "",
|
||||
+ canonical_headers,
|
||||
+ signed_headers,
|
||||
+ sha_hex);
|
||||
+ if(!canonical_request) {
|
||||
+ goto fail;
|
||||
+ }
|
||||
+
|
||||
+ request_type = curl_maprintf("%s4_request", provider0_low);
|
||||
+ if(!request_type) {
|
||||
+ goto fail;
|
||||
+ }
|
||||
+
|
||||
+ credential_scope = curl_maprintf("%s/%s/%s/%s",
|
||||
+ date, region, service, request_type);
|
||||
+ if(!credential_scope) {
|
||||
+ goto fail;
|
||||
+ }
|
||||
+
|
||||
+ Curl_sha256it(sha_hash, (unsigned char *) canonical_request,
|
||||
+ strlen(canonical_request));
|
||||
+ sha256_to_hex(sha_hex, sha_hash, sizeof(sha_hex));
|
||||
+
|
||||
+ /*
|
||||
+ * Google allow to use rsa key instead of HMAC, so this code might change
|
||||
+ * In the furure, but for now we support only HMAC version
|
||||
+ */
|
||||
+ str_to_sign = curl_maprintf("%s4-HMAC-SHA256\n" /* Algorithm */
|
||||
+ "%s\n" /* RequestDateTime */
|
||||
+ "%s\n" /* CredentialScope */
|
||||
+ "%s", /* HashedCanonicalRequest in hex */
|
||||
+ provider0_up,
|
||||
+ timestamp,
|
||||
+ credential_scope,
|
||||
+ sha_hex);
|
||||
+ if(!str_to_sign) {
|
||||
+ goto fail;
|
||||
+ }
|
||||
+
|
||||
+ secret = curl_maprintf("%s4%s", provider0_up, passwd);
|
||||
+ if(!secret) {
|
||||
+ goto fail;
|
||||
+ }
|
||||
+
|
||||
+ HMAC_SHA256(secret, strlen(secret),
|
||||
+ date, strlen(date), tmp_sign0);
|
||||
+ HMAC_SHA256(tmp_sign0, sizeof(tmp_sign0),
|
||||
+ region, strlen(region), tmp_sign1);
|
||||
+ HMAC_SHA256(tmp_sign1, sizeof(tmp_sign1),
|
||||
+ service, strlen(service), tmp_sign0);
|
||||
+ HMAC_SHA256(tmp_sign0, sizeof(tmp_sign0),
|
||||
+ request_type, strlen(request_type), tmp_sign1);
|
||||
+ HMAC_SHA256(tmp_sign1, sizeof(tmp_sign1),
|
||||
+ str_to_sign, strlen(str_to_sign), tmp_sign0);
|
||||
+
|
||||
+ sha256_to_hex(sha_hex, tmp_sign0, sizeof(sha_hex));
|
||||
+
|
||||
+ auth_headers = curl_maprintf("Authorization: %s4-HMAC-SHA256 "
|
||||
+ "Credential=%s/%s, "
|
||||
+ "SignedHeaders=%s, "
|
||||
+ "Signature=%s\r\n"
|
||||
+ "X-%s-Date: %s\r\n",
|
||||
+ provider0_up,
|
||||
+ user,
|
||||
+ credential_scope,
|
||||
+ signed_headers,
|
||||
+ sha_hex,
|
||||
+ provider1_mid,
|
||||
+ timestamp);
|
||||
+ if(!auth_headers) {
|
||||
+ goto fail;
|
||||
+ }
|
||||
+
|
||||
+ Curl_safefree(data->state.aptr.userpwd);
|
||||
+ data->state.aptr.userpwd = auth_headers;
|
||||
+ data->state.authhost.done = TRUE;
|
||||
+ ret = CURLE_OK;
|
||||
+
|
||||
+fail:
|
||||
+ free(provider0_low);
|
||||
+ free(provider0_up);
|
||||
+ free(provider1_low);
|
||||
+ free(provider1_mid);
|
||||
+ free(region);
|
||||
+ free(service);
|
||||
+ free(canonical_headers);
|
||||
+ free(signed_headers);
|
||||
+ free(canonical_request);
|
||||
+ free(request_type);
|
||||
+ free(credential_scope);
|
||||
+ free(str_to_sign);
|
||||
+ free(secret);
|
||||
+ return ret;
|
||||
+}
|
||||
+
|
||||
+#endif /* !defined(CURL_DISABLE_HTTP) && !defined(CURL_DISABLE_CRYPTO_AUTH) */
|
||||
diff -Naur curl-7.61.1.orig/lib/http_aws_sigv4.h curl-7.61.1/lib/http_aws_sigv4.h
|
||||
--- curl-7.61.1.orig/lib/http_aws_sigv4.h 1970-01-01 01:00:00.000000000 +0100
|
||||
+++ curl-7.61.1/lib/http_aws_sigv4.h 2025-12-02 13:31:38.992776500 +0100
|
||||
@@ -0,0 +1,29 @@
|
||||
+#ifndef HEADER_CURL_HTTP_AWS_SIGV4_H
|
||||
+#define HEADER_CURL_HTTP_AWS_SIGV4_H
|
||||
+/***************************************************************************
|
||||
+ * _ _ ____ _
|
||||
+ * Project ___| | | | _ \| |
|
||||
+ * / __| | | | |_) | |
|
||||
+ * | (__| |_| | _ <| |___
|
||||
+ * \___|\___/|_| \_\_____|
|
||||
+ *
|
||||
+ * Copyright (C) 1998 - 2024, Daniel Stenberg, <daniel@haxx.se>, et al.
|
||||
+ *
|
||||
+ * AWS SigV4 Support - Backport to RHEL 8
|
||||
+ *
|
||||
+ ***************************************************************************/
|
||||
+
|
||||
+#include "curl_setup.h"
|
||||
+
|
||||
+#ifdef USE_AWS_SIGV4
|
||||
+
|
||||
+/* AWS SigV4 authentication function */
|
||||
+CURLcode Curl_output_aws_sigv4(struct connectdata *conn, bool proxy);
|
||||
+
|
||||
+#else
|
||||
+
|
||||
+#define Curl_output_aws_sigv4(x,y) CURLE_NOT_BUILT_IN
|
||||
+
|
||||
+#endif /* USE_AWS_SIGV4 */
|
||||
+
|
||||
+#endif /* HEADER_CURL_HTTP_AWS_SIGV4_H */
|
||||
diff -Naur curl-7.61.1.orig/lib/Makefile.inc curl-7.61.1/lib/Makefile.inc
|
||||
--- curl-7.61.1.orig/lib/Makefile.inc 2025-12-02 13:31:37.675747831 +0100
|
||||
+++ curl-7.61.1/lib/Makefile.inc 2025-12-02 13:31:40.198802751 +0100
|
||||
@@ -54,7 +54,7 @@
|
||||
curl_multibyte.c hostcheck.c conncache.c pipeline.c dotdot.c \
|
||||
x509asn1.c http2.c smb.c curl_endian.c curl_des.c system_win32.c \
|
||||
mime.c sha256.c setopt.c curl_path.c curl_ctype.c curl_range.c psl.c \
|
||||
- urlapi.c
|
||||
+ urlapi.c http_aws_sigv4.c
|
||||
|
||||
LIB_HFILES = arpa_telnet.h netrc.h file.h timeval.h hostip.h progress.h \
|
||||
formdata.h cookie.h http.h sendf.h ftp.h url.h dict.h if2ip.h \
|
||||
@@ -74,7 +74,8 @@
|
||||
curl_setup_once.h multihandle.h setup-vms.h pipeline.h dotdot.h \
|
||||
x509asn1.h http2.h sigpipe.h smb.h curl_endian.h curl_des.h \
|
||||
curl_printf.h system_win32.h rand.h mime.h curl_sha256.h setopt.h \
|
||||
- curl_path.h curl_ctype.h curl_range.h psl.h urlapi-int.h
|
||||
+ curl_path.h curl_ctype.h curl_range.h psl.h urlapi-int.h \
|
||||
+ http_aws_sigv4.h
|
||||
|
||||
LIB_RCFILES = libcurl.rc
|
||||
|
||||
diff -Naur curl-7.61.1.orig/lib/openldap.c curl-7.61.1/lib/openldap.c
|
||||
--- curl-7.61.1.orig/lib/openldap.c 2025-12-02 13:31:37.681747962 +0100
|
||||
+++ curl-7.61.1/lib/openldap.c 2025-12-02 13:31:41.175824017 +0100
|
||||
@@ -79,8 +79,8 @@
|
||||
static CURLcode ldap_setup_connection(struct connectdata *conn);
|
||||
static CURLcode ldap_do(struct connectdata *conn, bool *done);
|
||||
static CURLcode ldap_done(struct connectdata *conn, CURLcode, bool);
|
||||
-static CURLcode ldap_connect(struct connectdata *conn, bool *done);
|
||||
-static CURLcode ldap_connecting(struct connectdata *conn, bool *done);
|
||||
+static CURLcode oldap_connect(struct connectdata *conn, bool *done);
|
||||
+static CURLcode ooldap_connecting(struct connectdata *conn, bool *done);
|
||||
static CURLcode ldap_disconnect(struct connectdata *conn, bool dead);
|
||||
|
||||
static Curl_recv ldap_recv;
|
||||
@@ -95,8 +95,8 @@
|
||||
ldap_do, /* do_it */
|
||||
ldap_done, /* done */
|
||||
ZERO_NULL, /* do_more */
|
||||
- ldap_connect, /* connect_it */
|
||||
- ldap_connecting, /* connecting */
|
||||
+ oldap_connect, /* connect_it */
|
||||
+ ooldap_connecting, /* connecting */
|
||||
ZERO_NULL, /* doing */
|
||||
ZERO_NULL, /* proto_getsock */
|
||||
ZERO_NULL, /* doing_getsock */
|
||||
@@ -121,8 +121,8 @@
|
||||
ldap_do, /* do_it */
|
||||
ldap_done, /* done */
|
||||
ZERO_NULL, /* do_more */
|
||||
- ldap_connect, /* connect_it */
|
||||
- ldap_connecting, /* connecting */
|
||||
+ oldap_connect, /* connect_it */
|
||||
+ ooldap_connecting, /* connecting */
|
||||
ZERO_NULL, /* doing */
|
||||
ZERO_NULL, /* proto_getsock */
|
||||
ZERO_NULL, /* doing_getsock */
|
||||
@@ -206,7 +206,7 @@
|
||||
static Sockbuf_IO ldapsb_tls;
|
||||
#endif
|
||||
|
||||
-static CURLcode ldap_connect(struct connectdata *conn, bool *done)
|
||||
+static CURLcode oldap_connect(struct connectdata *conn, bool *done)
|
||||
{
|
||||
ldapconninfo *li = conn->proto.generic;
|
||||
struct Curl_easy *data = conn->data;
|
||||
@@ -253,7 +253,7 @@
|
||||
return CURLE_OK;
|
||||
}
|
||||
|
||||
-static CURLcode ldap_connecting(struct connectdata *conn, bool *done)
|
||||
+static CURLcode ooldap_connecting(struct connectdata *conn, bool *done)
|
||||
{
|
||||
ldapconninfo *li = conn->proto.generic;
|
||||
struct Curl_easy *data = conn->data;
|
||||
diff -Naur curl-7.61.1.orig/lib/http.c curl-7.61.1/lib/http.c
|
||||
--- curl-7.61.1.orig/lib/http.c 2025-12-05 12:00:00.000000000 +0100
|
||||
+++ curl-7.61.1/lib/http.c 2025-12-05 12:30:00.000000000 +0100
|
||||
@@ -60,6 +60,7 @@
|
||||
#include "http_ntlm.h"
|
||||
#include "curl_ntlm_wb.h"
|
||||
#include "http_negotiate.h"
|
||||
+#include "http_aws_sigv4.h"
|
||||
#include "url.h"
|
||||
#include "share.h"
|
||||
#include "hostip.h"
|
||||
@@ -362,6 +363,8 @@
|
||||
pick->picked = CURLAUTH_NTLM_WB;
|
||||
else if(avail & CURLAUTH_BASIC)
|
||||
pick->picked = CURLAUTH_BASIC;
|
||||
+ else if(avail & CURLAUTH_AWS_SIGV4)
|
||||
+ pick->picked = CURLAUTH_AWS_SIGV4;
|
||||
else {
|
||||
pick->picked = CURLAUTH_PICKNONE; /* we select to use nothing */
|
||||
picked = FALSE;
|
||||
@@ -682,6 +685,21 @@
|
||||
functions work that way */
|
||||
authstatus->done = TRUE;
|
||||
}
|
||||
+ if(authstatus->picked == CURLAUTH_AWS_SIGV4) {
|
||||
+ /* AWS SigV4 */
|
||||
+ if((!proxy && data->set.str[STRING_AWS_SIGV4] &&
|
||||
+ !Curl_checkheaders(conn, "Authorization:"))) {
|
||||
+ auth = "AWS_SIGV4";
|
||||
+ result = Curl_output_aws_sigv4(conn, FALSE);
|
||||
+ if(result)
|
||||
+ return result;
|
||||
+ }
|
||||
+
|
||||
+ /* NOTE: this function should set 'done' TRUE, as the other auth
|
||||
+ functions work that way */
|
||||
+ authstatus->done = TRUE;
|
||||
+ }
|
||||
+
|
||||
|
||||
if(auth) {
|
||||
infof(data, "%s auth using %s with user '%s'\n",
|
||||
diff -Naur curl-7.61.1.orig/include/curl/curl.h curl-7.61.1/include/curl/curl.h
|
||||
--- curl-7.61.1.orig/include/curl/curl.h 2018-07-11 07:17:00.000000000 +0200
|
||||
+++ curl-7.61.1/include/curl/curl.h 2025-12-10 14:00:00.000000000 +0100
|
||||
@@ -710,6 +710,7 @@
|
||||
#define CURLAUTH_NTLM (((unsigned long)1)<<3)
|
||||
#define CURLAUTH_DIGEST_IE (((unsigned long)1)<<4)
|
||||
#define CURLAUTH_NTLM_WB (((unsigned long)1)<<5)
|
||||
+#define CURLAUTH_AWS_SIGV4 (((unsigned long)1)<<7)
|
||||
#define CURLAUTH_BEARER (((unsigned long)1)<<6)
|
||||
#define CURLAUTH_ONLY (((unsigned long)1)<<31)
|
||||
#define CURLAUTH_ANY (~CURLAUTH_DIGEST_IE)
|
||||
@@ -1856,6 +1857,9 @@
|
||||
/* Disallow specifying username/login in URL. */
|
||||
CINIT(DISALLOW_USERNAME_IN_URL, LONG, 278),
|
||||
|
||||
+ /* AWS HTTP V4 Signature */
|
||||
+ CINIT(AWS_SIGV4, STRINGPOINT, 279),
|
||||
+
|
||||
CURLOPT_LASTENTRY /* the last unused */
|
||||
} CURLoption;
|
||||
|
||||
--- curl-7.61.1.orig/lib/urldata.h 2018-07-11 07:17:00.000000000 +0200
|
||||
+++ curl-7.61.1/lib/urldata.h 2025-12-09 00:00:00.000000000 +0100
|
||||
@@ -1414,6 +1414,7 @@
|
||||
STRING_TLSAUTH_PASSWORD_PROXY, /* TLS auth <password> */
|
||||
#endif
|
||||
STRING_BEARER, /* <bearer>, if used */
|
||||
+ STRING_AWS_SIGV4, /* <aws-sigv4>, if used */
|
||||
#ifdef USE_UNIX_SOCKETS
|
||||
STRING_UNIX_SOCKET_PATH, /* path to Unix socket, if used */
|
||||
#endif
|
||||
diff -Naur curl-7.61.1.orig/lib/http_aws_sigv4.c curl-7.61.1/lib/http_aws_sigv4.c
|
||||
--- curl-7.61.1.orig/lib/http_aws_sigv4.c 2025-12-09 07:00:00.000000000 +0100
|
||||
+++ curl-7.61.1/lib/http_aws_sigv4.c 2025-12-09 14:30:00.000000000 +0100
|
||||
@@ -192,8 +192,8 @@
|
||||
char *request_type = NULL;
|
||||
char *credential_scope = NULL;
|
||||
char *str_to_sign = NULL;
|
||||
- const char *user = data->state.aptr.user ? data->state.aptr.user : "";
|
||||
- const char *passwd = data->state.aptr.passwd ? data->state.aptr.passwd : "";
|
||||
+ const char *user = conn->user ? conn->user : "";
|
||||
+ const char *passwd = conn->passwd ? conn->passwd : "";
|
||||
char *secret = NULL;
|
||||
unsigned char tmp_sign0[32] = {0};
|
||||
unsigned char tmp_sign1[32] = {0};
|
||||
@@ -399,7 +399,7 @@
|
||||
method = "OPTIONS";
|
||||
break;
|
||||
case HTTPREQ_CUSTOM:
|
||||
- method = data->set.customrequest;
|
||||
+ method = data->set.str[STRING_CUSTOMREQUEST];
|
||||
break;
|
||||
default:
|
||||
method = "GET";
|
||||
@@ -406,6 +406,16 @@
|
||||
break;
|
||||
}
|
||||
|
||||
+ /* Extract query string from path if present */
|
||||
+ const char *query_str = NULL;
|
||||
+ char *question_mark = strchr(data->state.path, '?');
|
||||
+ if(question_mark) {
|
||||
+ query_str = question_mark + 1;
|
||||
+ }
|
||||
+ else {
|
||||
+ query_str = "";
|
||||
+ }
|
||||
+
|
||||
canonical_request =
|
||||
curl_maprintf("%s\n" /* HTTPRequestMethod */
|
||||
"%s\n" /* CanonicalURI */
|
||||
@@ -414,8 +424,8 @@
|
||||
"%s\n" /* SignedHeaders */
|
||||
"%s", /* HashedRequestPayload in hex */
|
||||
method,
|
||||
- data->state.up.path,
|
||||
- data->state.up.query ? data->state.up.query : "",
|
||||
+ data->state.path,
|
||||
+ query_str,
|
||||
canonical_headers,
|
||||
signed_headers,
|
||||
sha_hex);
|
||||
@@ -488,8 +498,8 @@
|
||||
goto fail;
|
||||
}
|
||||
|
||||
- Curl_safefree(data->state.aptr.userpwd);
|
||||
- data->state.aptr.userpwd = auth_headers;
|
||||
+ Curl_safefree(conn->allocptr.userpwd);
|
||||
+ conn->allocptr.userpwd = auth_headers;
|
||||
data->state.authhost.done = TRUE;
|
||||
ret = CURLE_OK;
|
||||
|
||||
@@ -509,3 +519,5 @@
|
||||
free(secret);
|
||||
return ret;
|
||||
}
|
||||
+
|
||||
+#endif /* !defined(CURL_DISABLE_HTTP) && !defined(CURL_DISABLE_CRYPTO_AUTH) */
|
||||
diff -Naur a/docs/libcurl/symbols-in-versions b/docs/libcurl/symbols-in-versions
|
||||
--- a/docs/libcurl/symbols-in-versions 2018-09-04 22:48:37.000000000 +0200
|
||||
+++ b/docs/libcurl/symbols-in-versions 2025-12-10 14:23:34.178991689 +0100
|
||||
@@ -15,6 +15,7 @@
|
||||
CURLAUTH_ANY 7.10.6
|
||||
CURLAUTH_ANYSAFE 7.10.6
|
||||
CURLAUTH_BASIC 7.10.6
|
||||
+CURLAUTH_AWS_SIGV4 7.61.1
|
||||
CURLAUTH_BEARER 7.61.0
|
||||
CURLAUTH_DIGEST 7.10.6
|
||||
CURLAUTH_DIGEST_IE 7.19.3
|
||||
@@ -344,6 +345,7 @@
|
||||
CURLOPT_ACCEPT_ENCODING 7.21.6
|
||||
CURLOPT_ADDRESS_SCOPE 7.19.0
|
||||
CURLOPT_APPEND 7.17.0
|
||||
+CURLOPT_AWS_SIGV4 7.61.1
|
||||
CURLOPT_AUTOREFERER 7.1
|
||||
CURLOPT_BUFFERSIZE 7.10
|
||||
CURLOPT_CAINFO 7.4.2
|
||||
diff -Naur a/lib/setopt.c b/lib/setopt.c
|
||||
--- a/lib/setopt.c 2025-12-02 13:31:37.682747984 +0100
|
||||
+++ b/lib/setopt.c 2025-12-10 12:46:02.532544111 +0100
|
||||
@@ -618,6 +618,20 @@
|
||||
data->set.httpreq = HTTPREQ_POST_FORM;
|
||||
data->set.opt_no_body = FALSE; /* this is implied */
|
||||
break;
|
||||
+
|
||||
+ case CURLOPT_AWS_SIGV4:
|
||||
+ /*
|
||||
+ * String that is merged to some authentication
|
||||
+ * parameters are used by the algorithm.
|
||||
+ */
|
||||
+ result = Curl_setstropt(&data->set.str[STRING_AWS_SIGV4],
|
||||
+ va_arg(param, char *));
|
||||
+ /*
|
||||
+ * Basic been set by default it need to be unset here
|
||||
+ */
|
||||
+ if(data->set.str[STRING_AWS_SIGV4])
|
||||
+ data->set.httpauth = CURLAUTH_AWS_SIGV4;
|
||||
+ break;
|
||||
#endif /* CURL_DISABLE_HTTP */
|
||||
|
||||
case CURLOPT_MIMEPOST:
|
||||
diff -Naur a/src/tool_cfgable.c b/src/tool_cfgable.c
|
||||
--- a/src/tool_cfgable.c 2025-12-02 13:31:37.707011250 +0100
|
||||
+++ b/src/tool_cfgable.c 2025-12-10 12:33:54.247212425 +0100
|
||||
@@ -130,6 +130,7 @@
|
||||
Curl_safefree(config->krblevel);
|
||||
|
||||
Curl_safefree(config->oauth_bearer);
|
||||
+ Curl_safefree(config->aws_sigv4);
|
||||
|
||||
Curl_safefree(config->unix_socket_path);
|
||||
Curl_safefree(config->writeout);
|
||||
diff -Naur a/src/tool_cfgable.h b/src/tool_cfgable.h
|
||||
--- a/src/tool_cfgable.h 2025-12-02 13:31:37.707011250 +0100
|
||||
+++ b/src/tool_cfgable.h 2025-12-10 12:33:38.542315604 +0100
|
||||
@@ -240,6 +240,7 @@
|
||||
bool test_event_based;
|
||||
#endif
|
||||
char *oauth_bearer; /* OAuth 2.0 bearer token */
|
||||
+ char *aws_sigv4; /* AWS Signature Version 4 */
|
||||
bool nonpn; /* enable/disable TLS NPN extension */
|
||||
bool noalpn; /* enable/disable TLS ALPN extension */
|
||||
char *unix_socket_path; /* path to Unix domain socket */
|
||||
diff -Naur a/src/tool_getparam.c b/src/tool_getparam.c
|
||||
--- a/src/tool_getparam.c 2025-12-02 13:31:37.711748615 +0100
|
||||
+++ b/src/tool_getparam.c 2025-12-10 12:36:24.374195746 +0100
|
||||
@@ -79,6 +79,7 @@
|
||||
{"*a", "random-file", ARG_FILENAME},
|
||||
{"*b", "egd-file", ARG_STRING},
|
||||
{"*B", "oauth2-bearer", ARG_STRING},
|
||||
+ {"*V", "aws-sigv4", ARG_STRING},
|
||||
{"*c", "connect-timeout", ARG_STRING},
|
||||
{"*d", "ciphers", ARG_STRING},
|
||||
{"*D", "dns-interface", ARG_STRING},
|
||||
@@ -813,6 +814,10 @@
|
||||
config->disable_eprt = toggle;
|
||||
break;
|
||||
case 'Z': /* --eprt */
|
||||
+ case 'V': /* --aws-sigv4 */
|
||||
+ GetStr(&config->aws_sigv4, nextarg);
|
||||
+ config->authtype |= CURLAUTH_AWS_SIGV4;
|
||||
+ break;
|
||||
config->disable_eprt = (!toggle)?TRUE:FALSE;
|
||||
break;
|
||||
case '~': /* --xattr */
|
||||
diff -Naur a/src/tool_help.c b/src/tool_help.c
|
||||
--- a/src/tool_help.c 2025-12-02 13:31:37.709748572 +0100
|
||||
+++ b/src/tool_help.c 2025-12-10 12:39:33.200888878 +0100
|
||||
@@ -52,6 +52,8 @@
|
||||
"Pick any authentication method"},
|
||||
{"-a, --append",
|
||||
"Append to target file when uploading"},
|
||||
+ {" --aws-sigv4 <provider1[:provider2[:region[:service]]]>",
|
||||
+ "Use AWS V4 signature authentication"},
|
||||
{" --basic",
|
||||
"Use HTTP Basic Authentication"},
|
||||
{" --cacert <file>",
|
||||
diff -Naur a/src/tool_operate.c b/src/tool_operate.c
|
||||
--- a/src/tool_operate.c 2025-12-02 13:31:37.711748615 +0100
|
||||
+++ b/src/tool_operate.c 2025-12-10 12:40:10.466140413 +0100
|
||||
@@ -1136,6 +1136,8 @@
|
||||
my_setopt_str(curl, CURLOPT_SSLKEYTYPE, config->key_type);
|
||||
my_setopt_str(curl, CURLOPT_PROXY_SSLKEYTYPE,
|
||||
config->proxy_key_type);
|
||||
+ my_setopt_str(curl, CURLOPT_AWS_SIGV4,
|
||||
+ config->aws_sigv4);
|
||||
|
||||
if(config->insecure_ok) {
|
||||
my_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0L);
|
||||
diff -Naur a/docs/curl.1 b/docs/curl.1
|
||||
--- a/docs/curl.1 2018-09-05 08:15:48.000000000 +0200
|
||||
+++ b/docs/curl.1 2025-12-10 12:00:00.000000000 +0100
|
||||
@@ -163,6 +163,12 @@
|
||||
See also \fI--proxy-anyauth\fP and \fI--basic\fP and \fI--digest\fP.
|
||||
.IP "-a, --append"
|
||||
(FTP SFTP) When used in an upload, this makes curl append to the target file instead of
|
||||
+.IP "--aws-sigv4 <service:region>"
|
||||
+(HTTP) Use AWS Signature Version 4 authentication for the specified service and region.
|
||||
+The service is the AWS service name (such as s3) and the region is the geographical
|
||||
+AWS region (such as us-east-1). The credentials must be provided via \fI-u, --user\fP.
|
||||
+
|
||||
+If this option is used several times, the last one will be used.
|
||||
overwriting it. If the remote file doesn't exist, it will be created. Note
|
||||
that this flag is ignored by some SFTP servers (including OpenSSH).
|
||||
.IP "--basic"
|
||||
diff -Naur a/docs/libcurl/curl_easy_setopt.3 b/docs/libcurl/curl_easy_setopt.3
|
||||
--- a/docs/libcurl/curl_easy_setopt.3 2018-09-05 08:15:48.000000000 +0200
|
||||
+++ b/docs/libcurl/curl_easy_setopt.3 2025-12-10 12:00:00.000000000 +0100
|
||||
@@ -262,6 +262,8 @@
|
||||
.IP CURLOPT_DISALLOW_USERNAME_IN_URL
|
||||
Don't allow username in URL. See \fICURLOPT_DISALLOW_USERNAME_IN_URL(3)\fP
|
||||
.SH HTTP OPTIONS
|
||||
+.IP CURLOPT_AWS_SIGV4
|
||||
+Set AWS Signature Version 4 authentication. See \fICURLOPT_AWS_SIGV4(3)\fP
|
||||
.IP CURLOPT_AUTOREFERER
|
||||
Automatically set Referer: header. See \fICURLOPT_AUTOREFERER(3)\fP
|
||||
.IP CURLOPT_ACCEPT_ENCODING
|
||||
diff -Naur a/docs/libcurl/opts/CURLOPT_AWS_SIGV4.3 b/docs/libcurl/opts/CURLOPT_AWS_SIGV4.3
|
||||
--- a/docs/libcurl/opts/CURLOPT_AWS_SIGV4.3 1970-01-01 00:00:00.000000000 +0000
|
||||
+++ b/docs/libcurl/opts/CURLOPT_AWS_SIGV4.3 2025-12-10 12:00:00.000000000 +0100
|
||||
@@ -0,0 +1,78 @@
|
||||
+.\" **************************************************************************
|
||||
+.\" * _ _ ____ _
|
||||
+.\" * Project ___| | | | _ \| |
|
||||
+.\" * / __| | | | |_) | |
|
||||
+.\" * | (__| |_| | _ <| |___
|
||||
+.\" * \___\|\___/|_| \_\_____|
|
||||
+.\" *
|
||||
+.\" * Copyright (C) 1998 - 2018, Daniel Stenberg, <daniel@haxx.se>, et al.
|
||||
+.\" *
|
||||
+.\" * This software is licensed as described in the file COPYING, which
|
||||
+.\" * you should have received as part of this distribution. The terms
|
||||
+.\" * are also available at https://curl.haxx.se/docs/copyright.html.
|
||||
+.\" *
|
||||
+.\" * You may opt to use, copy, modify, merge, publish, distribute and/or sell
|
||||
+.\" * copies of the Software, and permit persons to whom the Software is
|
||||
+.\" * furnished to do so, under the terms of the COPYING file.
|
||||
+.\" *
|
||||
+.\" * This software is distributed on an AS IS basis, WITHOUT WARRANTY OF ANY
|
||||
+.\" * KIND, either express or implied.
|
||||
+.\" *
|
||||
+.\" **************************************************************************
|
||||
+.\"
|
||||
+.TH CURLOPT_AWS_SIGV4 3 "December 10, 2025" "libcurl 7.61.1" "curl_easy_setopt options"
|
||||
+
|
||||
+.SH NAME
|
||||
+CURLOPT_AWS_SIGV4 \- set AWS Signature Version 4 authentication
|
||||
+.SH SYNOPSIS
|
||||
+.nf
|
||||
+#include <curl/curl.h>
|
||||
+
|
||||
+CURLcode curl_easy_setopt(CURL *handle, CURLOPT_AWS_SIGV4, char *param);
|
||||
+.SH DESCRIPTION
|
||||
+Pass a char * that is the collection of service and region parameters that
|
||||
+are used to authorize and sign requests.
|
||||
+
|
||||
+The format is:
|
||||
+.B service:region
|
||||
+where the
|
||||
+.B service
|
||||
+is the AWS service (for example,
|
||||
+.B s3
|
||||
+) and the
|
||||
+.B region
|
||||
+is the geographical AWS region (for example,
|
||||
+.B us-east-1
|
||||
+).
|
||||
+
|
||||
+When this option is set, the HTTP request will be signed using AWS Signature
|
||||
+Version 4. The request is signed using the credentials provided in the
|
||||
+\fICURLOPT_USERNAME(3)\fP and \fICURLOPT_PASSWORD(3)\fP options, which
|
||||
+correspond to the AWS Access Key ID and Secret Access Key, respectively.
|
||||
+
|
||||
+The application does not have to keep the string around after setting this
|
||||
+option.
|
||||
+.SH DEFAULT
|
||||
+NULL
|
||||
+.SH PROTOCOLS
|
||||
+HTTP
|
||||
+.SH EXAMPLE
|
||||
+.nf
|
||||
+CURL *curl = curl_easy_init();
|
||||
+if(curl) {
|
||||
+ curl_easy_setopt(curl, CURLOPT_URL,
|
||||
+ "https://s3.us-east-1.amazonaws.com/bucket/file");
|
||||
+ curl_easy_setopt(curl, CURLOPT_AWS_SIGV4, "s3:us-east-1");
|
||||
+ curl_easy_setopt(curl, CURLOPT_USERNAME, "AKIAIOSFODNN7EXAMPLE");
|
||||
+ curl_easy_setopt(curl, CURLOPT_PASSWORD,
|
||||
+ "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY");
|
||||
+ curl_easy_perform(curl);
|
||||
+}
|
||||
+.SH AVAILABILITY
|
||||
+Added in 7.61.1
|
||||
+.SH RETURN VALUE
|
||||
+Returns CURLE_OK if the option is supported, and CURLE_UNKNOWN_OPTION if not.
|
||||
+.SH "SEE ALSO"
|
||||
+.BR CURLOPT_HTTPAUTH "(3), "
|
||||
+.BR CURLOPT_USERNAME "(3), "
|
||||
+.BR CURLOPT_PASSWORD "(3), "
|
||||
236
SPECS/curl.spec
236
SPECS/curl.spec
@ -1,7 +1,7 @@
|
||||
Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
|
||||
Name: curl
|
||||
Version: 7.61.1
|
||||
Release: 34%{?dist}.10
|
||||
Release: 30%{?dist}
|
||||
License: MIT
|
||||
Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz
|
||||
|
||||
@ -136,72 +136,6 @@ Patch46: 0046-curl-7.61.1-h2-window-size.patch
|
||||
# fix HTTP multi-header compression denial of service (CVE-2023-23916)
|
||||
Patch47: 0047-curl-7.61.1-CVE-2023-23916.patch
|
||||
|
||||
# fix FTP too eager connection reuse (CVE-2023-27535)
|
||||
Patch48: 0048-curl-7.61.1-CVE-2023-27535.patch
|
||||
|
||||
# fix GSS delegation too eager connection re-use (CVE-2023-27536)
|
||||
Patch49: 0049-curl-7.61.1-CVE-2023-27536.patch
|
||||
|
||||
# sftp: do not specify O_APPEND when not in append mode (#2187717)
|
||||
Patch50: 0050-curl-7.61.1-sftp-upload-flags.patch
|
||||
|
||||
# fix host name wildcard checking (CVE-2023-28321)
|
||||
Patch51: 0051-curl-7.61.1-CVE-2023-28321.patch
|
||||
|
||||
# rebuild certs with 2048-bit RSA keys
|
||||
Patch52: 0052-curl-7.61.1-certs.patch
|
||||
|
||||
# when keyboard-interactive auth fails, try password
|
||||
Patch53: 0053-curl-7.61.1-password-when-keyboard-interactive-fails.patch
|
||||
|
||||
# cap SFTP packet size sent
|
||||
Patch54: 0054-curl-7.61.1-64K-sftp.patch
|
||||
|
||||
# unify the upload/method handling (CVE-2023-28322)
|
||||
Patch55: 0055-curl-7.61.1-CVE-2023-28322.patch
|
||||
|
||||
# fix cookie injection with none file (CVE-2023-38546)
|
||||
Patch56: 0056-curl-7.61.1-CVE-2023-38546.patch
|
||||
|
||||
# consolidate nghttp2_session_mem_recv() call paths
|
||||
Patch57: 0057-curl-7.61.1-consolidate-nghttp2-session-mem-recv.patch
|
||||
|
||||
# when marked for closure and wanted to close == OK
|
||||
Patch58: 0058-curl-7.61.1-error-in-the-HTTP2-framing-layer.patch
|
||||
|
||||
# lowercase the domain names before PSL checks (CVE-2023-46218)
|
||||
Patch59: 0059-curl-7.61.1-CVE-2023-46218.patch
|
||||
|
||||
# lowercase headernames
|
||||
Patch60: 0060-curl-7.61.1-lowercase-headernames.patch
|
||||
|
||||
# provide common cleanup method for push headers (CVE-2024-2398)
|
||||
Patch61: 0061-curl-7.61.1-CVE-2024-2398.patch
|
||||
|
||||
# asyn-thread: create a socketpair to wait on
|
||||
Patch62: 0062-curl-7.61.1-socketpair-to-wait-on.patch
|
||||
|
||||
# fix crash, when talking to a NTLM proxy in FIPS mode
|
||||
Patch63: 0063-curl-7.61.1-native-md5.patch
|
||||
|
||||
# asyn-thread: issue CURL_POLL_REMOVE before closing socket
|
||||
Patch64: 0064-curl-7.61.1-EBADF.patch
|
||||
|
||||
# libssh: Fix matching user-specified MD5 hex key
|
||||
Patch65: 0065-md5-hex-key.patch
|
||||
|
||||
# crypto: ensure crypto initialization works
|
||||
Patch66: 0066-crypto-initialization.patch
|
||||
|
||||
# NTLM: force the connection to HTTP/1.1
|
||||
Patch67: 0067-curl-7.61.1-ntlm-force-http-1-1.patch
|
||||
|
||||
# cookie: don't treat the leading slash as trailing (CVE-2025-9086)
|
||||
Patch68: 0068-curl-7.61.1-CVE-2025-9086.patch
|
||||
|
||||
# AWS Signature Version 4 authentication support
|
||||
Patch69: 0069-curl-7.61.1-aws-sigv4.patch
|
||||
|
||||
# patch making libcurl multilib ready
|
||||
Patch101: 0101-curl-7.32.0-multilib.patch
|
||||
|
||||
@ -362,88 +296,66 @@ be installed.
|
||||
%setup -q
|
||||
|
||||
# upstream patches
|
||||
%patch -P 1 -p1
|
||||
%patch -P 2 -p1
|
||||
%patch -P 3 -p1
|
||||
%patch1 -p1
|
||||
%patch2 -p1
|
||||
%patch3 -p1
|
||||
git init
|
||||
git apply %{PATCH4}
|
||||
%patch -P 5 -p1
|
||||
%patch -P 6 -p1
|
||||
%patch -P 7 -p1
|
||||
%patch -P 8 -p1
|
||||
%patch -P 9 -p1
|
||||
%patch -P 10 -p1
|
||||
%patch -P 11 -p1
|
||||
%patch -P 14 -p1
|
||||
%patch5 -p1
|
||||
%patch6 -p1
|
||||
%patch7 -p1
|
||||
%patch8 -p1
|
||||
%patch9 -p1
|
||||
%patch10 -p1
|
||||
%patch11 -p1
|
||||
%patch14 -p1
|
||||
|
||||
# Fedora patches
|
||||
%patch -P 101 -p1
|
||||
%patch -P 102 -p1
|
||||
%patch -P 103 -p1
|
||||
%patch -P 104 -p1
|
||||
%patch101 -p1
|
||||
%patch102 -p1
|
||||
%patch103 -p1
|
||||
%patch104 -p1
|
||||
|
||||
# use different port range for 32bit and 64bit builds, thus make it possible
|
||||
# to run both the builds in parallel on the same machine
|
||||
%patch -P 105 -p1
|
||||
%patch105 -p1
|
||||
sed -e 's|%%HTTPPORT|%{?__isa_bits}90|g' -i tests/data/test1448
|
||||
|
||||
# upstream patches
|
||||
%patch -P 17 -p1
|
||||
%patch -P 18 -p1
|
||||
%patch -P 19 -p1
|
||||
%patch -P 20 -p1
|
||||
%patch -P 21 -p1
|
||||
%patch -P 22 -p1
|
||||
%patch -P 23 -p1
|
||||
%patch -P 24 -p1
|
||||
%patch -P 25 -p1
|
||||
%patch -P 26 -p1
|
||||
%patch -P 27 -p1
|
||||
%patch -P 28 -p1
|
||||
%patch -P 29 -p1
|
||||
%patch -P 30 -p1
|
||||
%patch -P 31 -p1
|
||||
%patch -P 32 -p1
|
||||
%patch -P 33 -p1
|
||||
%patch -P 34 -p1
|
||||
%patch -P 35 -p1
|
||||
%patch -P 36 -p1
|
||||
%patch -P 37 -p1
|
||||
%patch17 -p1
|
||||
%patch18 -p1
|
||||
%patch19 -p1
|
||||
%patch20 -p1
|
||||
%patch21 -p1
|
||||
%patch22 -p1
|
||||
%patch23 -p1
|
||||
%patch24 -p1
|
||||
%patch25 -p1
|
||||
%patch26 -p1
|
||||
%patch27 -p1
|
||||
%patch28 -p1
|
||||
%patch29 -p1
|
||||
%patch30 -p1
|
||||
%patch31 -p1
|
||||
%patch32 -p1
|
||||
%patch33 -p1
|
||||
%patch34 -p1
|
||||
%patch35 -p1
|
||||
%patch36 -p1
|
||||
%patch37 -p1
|
||||
|
||||
%patch -P 38 -p1
|
||||
%patch38 -p1
|
||||
sed -e 's|:8992/|:%{?__isa_bits}92/|g' -i tests/data/test97{3..6}
|
||||
|
||||
%patch -P 39 -p1
|
||||
%patch -P 40 -p1
|
||||
%patch -P 41 -p1
|
||||
%patch -P 42 -p1
|
||||
%patch -P 43 -p1
|
||||
%patch -P 44 -p1
|
||||
%patch -P 45 -p1
|
||||
%patch -P 46 -p1
|
||||
%patch -P 47 -p1
|
||||
%patch -P 48 -p1
|
||||
%patch -P 49 -p1
|
||||
%patch -P 50 -p1
|
||||
%patch -P 51 -p1
|
||||
git apply %{PATCH52}
|
||||
%patch -P 53 -p1
|
||||
%patch -P 54 -p1
|
||||
%patch -P 55 -p1
|
||||
%patch -P 56 -p1
|
||||
%patch -P 57 -p1
|
||||
%patch -P 58 -p1
|
||||
%patch -P 59 -p1
|
||||
%patch -P 60 -p1
|
||||
%patch -P 61 -p1
|
||||
%patch -P 62 -p1
|
||||
%patch -P 63 -p1
|
||||
%patch -P 64 -p1
|
||||
%patch -P 65 -p1
|
||||
%patch -P 66 -p1
|
||||
%patch -P 67 -p1
|
||||
%patch -P 68 -p1
|
||||
%patch -P 69 -p1
|
||||
%patch39 -p1
|
||||
%patch40 -p1
|
||||
%patch41 -p1
|
||||
%patch42 -p1
|
||||
%patch43 -p1
|
||||
%patch44 -p1
|
||||
%patch45 -p1
|
||||
%patch46 -p1
|
||||
%patch47 -p1
|
||||
|
||||
# make tests/*.py use Python 3
|
||||
sed -e '1 s|^#!/.*python|#!%{__python3}|' -i tests/*.py
|
||||
@ -606,58 +518,6 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
|
||||
%{_libdir}/libcurl.so.4.[0-9].[0-9].minimal
|
||||
|
||||
%changelog
|
||||
* Wed Dec 03 2025 Jacek Migacz <jmigacz@redhat.com> - 7.61.1-34.el8_10.10
|
||||
- AWS Signature Version 4 authentication support (RHEL-116183)
|
||||
|
||||
* Fri Oct 24 2025 Jacek Migacz <jmigacz@redhat.com> - 7.61.1-34.el8_10.9
|
||||
- cookie: don't treat the leading slash as trailing (CVE-2025-9086)
|
||||
Resolves: RHEL-121655
|
||||
|
||||
* Mon Jul 21 2025 Jacek Migacz <jmigacz@redhat.com> - 7.61.1-34.el8_10.8
|
||||
- NTLM: force the connection to HTTP/1.1 (RHEL-73788)
|
||||
|
||||
* Wed Jul 09 2025 Jacek Migacz <jmigacz@redhat.com> - 7.61.1-34.el8_10.7
|
||||
* crypto: ensure crypto initialization works (RHEL-102601)
|
||||
|
||||
* Thu May 29 2025 Carlos Santos <casantos@redhat.com> - 7.61.1-34.el8_10.6
|
||||
- libssh: Fix matching user-specified MD5 hex key (RHEL-94574)
|
||||
|
||||
* Wed Jan 08 2025 Jacek Migacz <jmigacz@redhat.com> - 7.61.1-34.el8_10.5
|
||||
- asyn-thread: fix EBADF regression (RHEL-85602)
|
||||
|
||||
* Wed Jan 08 2025 Jacek Migacz <jmigacz@redhat.com> - 7.61.1-34.el8_10.4
|
||||
- make up incomplete patch for host name wildcard checking (RHEL-5680)
|
||||
- asyn-thread: issue CURL_POLL_REMOVE before closing socket (RHEL-85602)
|
||||
|
||||
* Wed Oct 30 2024 Jacek Migacz <jmigacz@redhat.com> - 7.61.1-34.el8_10.3
|
||||
- asyn-thread: create a socketpair to wait on (RHEL-34906)
|
||||
- fix crash, when talking to a NTLM proxy in FIPS mode (RHEL-32641)
|
||||
|
||||
* Wed Aug 14 2024 Jacek Migacz <jmigacz@redhat.com> - 7.61.1-34.el8_10.2
|
||||
- provide common cleanup method for push headers (CVE-2024-2398)
|
||||
|
||||
* Tue Jun 25 2024 Jacek Migacz <jmigacz@redhat.com> - 7.61.1-34.el8_10.1
|
||||
- fix incorrect backport of bz2229800 (RHEL-44684)
|
||||
|
||||
* Tue Sep 19 2023 Jacek Migacz <jmigacz@redhat.com> - 7.61.1-34
|
||||
- when keyboard-interactive auth fails, try password (#2229800)
|
||||
- cap SFTP packet size sent (RHEL-5311)
|
||||
- unify the upload/method handling (CVE-2023-28322)
|
||||
- fix cookie injection with none file (CVE-2023-38546)
|
||||
- fix HTTP2 connection failure with HTTP2 framing layer (RHEL-5657)
|
||||
- lowercase the domain names before PSL checks (CVE-2023-46218)
|
||||
|
||||
* Tue Jun 27 2023 Jacek Migacz <jmigacz@redhat.com> - 7.61.1-33
|
||||
- fix host name wildcard checking (CVE-2023-28321)
|
||||
- rebuild certs with 2048-bit RSA keys
|
||||
|
||||
* Thu Apr 20 2023 Kamil Dudka <kdudka@redhat.com> - 7.61.1-32
|
||||
- sftp: do not specify O_APPEND when not in append mode (#2187717)
|
||||
|
||||
* Fri Mar 24 2023 Kamil Dudka <kdudka@redhat.com> - 7.61.1-31
|
||||
- fix GSS delegation too eager connection re-use (CVE-2023-27536)
|
||||
- fix FTP too eager connection reuse (CVE-2023-27535)
|
||||
|
||||
* Wed Feb 15 2023 Kamil Dudka <kdudka@redhat.com> - 7.61.1-30
|
||||
- fix HTTP multi-header compression denial of service (CVE-2023-23916)
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user