New patches from Fedora.

diff --git a/curl/curl-7.17.1-badsocket.patch b/curl/curl-7.17.1-badsocket.patch
index 7f092ae..86cdab4 100644 (file)
--- a/curl/curl-7.17.1-badsocket.patch
+++ b/curl/curl-7.17.1-badsocket.patch
@@ -1,13 +1,13 @@
-diff -up curl-7.17.1/lib/ftp.c.badsocket curl-7.17.1/lib/ftp.c
---- curl-7.17.1/lib/ftp.c.badsocket    2007-10-27 00:25:19.000000000 +0200
-+++ curl-7.17.1/lib/ftp.c      2008-01-08 15:09:03.000000000 +0100
-@@ -3228,7 +3228,8 @@ static CURLcode Curl_ftp_done(struct con
-     /* Note that we keep "use" set to TRUE since that (next) connection is
-        still requested to use SSL */
-   }
--  sclose(conn->sock[SECONDARYSOCKET]);
-+  if(CURL_SOCKET_BAD != conn->sock[SECONDARYSOCKET])
-+    sclose(conn->sock[SECONDARYSOCKET]);
- 
-   conn->sock[SECONDARYSOCKET] = CURL_SOCKET_BAD;
+diff -ruNp curl-7.19.3.orig/lib/ftp.c curl-7.19.3/lib/ftp.c
+--- curl-7.19.3.orig/lib/ftp.c 2009-02-11 10:57:33.334280000 +0100
++++ curl-7.19.3/lib/ftp.c      2009-02-11 10:59:43.957585266 +0100
+@@ -3222,7 +3222,8 @@ static CURLcode ftp_done(struct connectd
+       /* Note that we keep "use" set to TRUE since that (next) connection is
+          still requested to use SSL */
+     }
+-    sclose(conn->sock[SECONDARYSOCKET]);
++    if(CURL_SOCKET_BAD != conn->sock[SECONDARYSOCKET])
++      sclose(conn->sock[SECONDARYSOCKET]);
  
+     conn->sock[SECONDARYSOCKET] = CURL_SOCKET_BAD;
+   }

diff --git a/curl/curl-7.19.4-enable-aes.patch b/curl/curl-7.19.4-enable-aes.patch
new file mode 100644 (file)
index 0000000..06351d8
--- /dev/null
+++ b/curl/curl-7.19.4-enable-aes.patch
@@ -0,0 +1,47 @@
+diff -ruNp curl.orig/lib/nss.c curl/lib/nss.c
+--- curl.orig/lib/nss.c        2009-03-04 17:54:28.459240000 +0100
++++ curl/lib/nss.c     2009-03-18 11:38:34.245797020 +0100
+@@ -162,6 +162,18 @@ static const cipher_s cipherlist[] = {
+ #endif
+ };
+ 
++/* following ciphers are new in NSS 3.4 and not enabled by default, therefor
++   they are enabled explicitly */
++static const int enable_ciphers_by_default[] = {
++  TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
++  TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
++  TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
++  TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
++  TLS_RSA_WITH_AES_128_CBC_SHA,
++  TLS_RSA_WITH_AES_256_CBC_SHA,
++  SSL_NULL_WITH_NULL_NULL
++};
++
+ #ifdef HAVE_PK11_CREATEGENERICOBJECT
+ static const char* pem_library = "libnsspem.so";
+ #endif
+@@ -954,6 +966,7 @@ CURLcode Curl_nss_connect(struct connect
+ #endif
+   char *certDir = NULL;
+   int curlerr;
++  const int *cipher_to_enable;
+ 
+   curlerr = CURLE_SSL_CONNECT_ERROR;
+ 
+@@ -1057,6 +1070,16 @@ CURLcode Curl_nss_connect(struct connect
+   if(SSL_OptionSet(model, SSL_V2_COMPATIBLE_HELLO, ssl2) != SECSuccess)
+     goto error;
+ 
++  /* enable all ciphers from enable_ciphers_by_default */
++  cipher_to_enable = enable_ciphers_by_default;
++  while (SSL_NULL_WITH_NULL_NULL != *cipher_to_enable) {
++    if (SSL_CipherPrefSet(model, *cipher_to_enable, PR_TRUE) != SECSuccess) {
++      curlerr = CURLE_SSL_CIPHER;
++      goto error;
++    }
++    cipher_to_enable++;
++  }
++
+   if(data->set.ssl.cipher_list) {
+     if(set_ciphers(data, model, data->set.ssl.cipher_list) != SECSuccess) {
+       curlerr = CURLE_SSL_CIPHER;

diff --git a/curl/curl-7.19.4-nss-leak.patch b/curl/curl-7.19.4-nss-leak.patch
new file mode 100644 (file)
index 0000000..5c98cf2
--- /dev/null
+++ b/curl/curl-7.19.4-nss-leak.patch
@@ -0,0 +1,171 @@
+diff -ruNp curl-7.19.4.orig/lib/nss.c curl-7.19.4/lib/nss.c
+--- curl-7.19.4.orig/lib/nss.c 2009-04-10 12:51:24.940363000 +0200
++++ curl-7.19.4/lib/nss.c      2009-04-10 12:51:59.268700902 +0200
+@@ -282,13 +282,12 @@ static int is_file(const char *filename)
+   return 0;
+ }
+ 
+-static int
+-nss_load_cert(const char *filename, PRBool cacert)
++static int nss_load_cert(struct ssl_connect_data *ssl,
++                         const char *filename, PRBool cacert)
+ {
+ #ifdef HAVE_PK11_CREATEGENERICOBJECT
+   CK_SLOT_ID slotID;
+   PK11SlotInfo * slot = NULL;
+-  PK11GenericObject *rv;
+   CK_ATTRIBUTE *attrs;
+   CK_ATTRIBUTE theTemplate[20];
+   CK_BBOOL cktrue = CK_TRUE;
+@@ -363,11 +362,12 @@ nss_load_cert(const char *filename, PRBo
+   /* This load the certificate in our PEM module into the appropriate
+    * slot.
+    */
+-  rv = PK11_CreateGenericObject(slot, theTemplate, 4, PR_FALSE /* isPerm */);
++  ssl->cacert[slotID] = PK11_CreateGenericObject(slot, theTemplate, 4,
++                                                 PR_FALSE /* isPerm */);
+ 
+   PK11_FreeSlot(slot);
+ 
+-  if(rv == NULL) {
++  if(ssl->cacert[slotID] == NULL) {
+     free(nickname);
+     return 0;
+   }
+@@ -474,11 +474,10 @@ static int nss_load_crl(const char* crlf
+   return 1;
+ }
+ 
+-static int nss_load_key(struct connectdata *conn, char *key_file)
++static int nss_load_key(struct connectdata *conn, int sockindex, char *key_file)
+ {
+ #ifdef HAVE_PK11_CREATEGENERICOBJECT
+   PK11SlotInfo * slot = NULL;
+-  PK11GenericObject *rv;
+   CK_ATTRIBUTE *attrs;
+   CK_ATTRIBUTE theTemplate[20];
+   CK_BBOOL cktrue = CK_TRUE;
+@@ -486,6 +485,7 @@ static int nss_load_key(struct connectda
+   CK_SLOT_ID slotID;
+   pphrase_arg_t *parg = NULL;
+   char slotname[SLOTSIZE];
++  struct ssl_connect_data *sslconn = &conn->ssl[sockindex];
+ 
+   attrs = theTemplate;
+ 
+@@ -505,8 +505,9 @@ static int nss_load_key(struct connectda
+                 strlen(key_file)+1); attrs++;
+ 
+   /* When adding an encrypted key the PKCS#11 will be set as removed */
+-  rv = PK11_CreateGenericObject(slot, theTemplate, 3, PR_FALSE /* isPerm */);
+-  if(rv == NULL) {
++  sslconn->key = PK11_CreateGenericObject(slot, theTemplate, 3,
++                                          PR_FALSE /* isPerm */);
++  if(sslconn->key == NULL) {
+     PR_SetError(SEC_ERROR_BAD_KEY, 0);
+     return 0;
+   }
+@@ -554,13 +555,14 @@ static int display_error(struct connectd
+   return 0; /* The caller will print a generic error */
+ }
+ 
+-static int cert_stuff(struct connectdata *conn, char *cert_file, char *key_file)
++static int cert_stuff(struct connectdata *conn,
++                      int sockindex, char *cert_file, char *key_file)
+ {
+   struct SessionHandle *data = conn->data;
+   int rv = 0;
+ 
+   if(cert_file) {
+-    rv = nss_load_cert(cert_file, PR_FALSE);
++    rv = nss_load_cert(&conn->ssl[sockindex], cert_file, PR_FALSE);
+     if(!rv) {
+       if(!display_error(conn, PR_GetError(), cert_file))
+         failf(data, "Unable to load client cert %d.", PR_GetError());
+@@ -569,10 +571,10 @@ static int cert_stuff(struct connectdata
+   }
+   if(key_file || (is_file(cert_file))) {
+     if(key_file)
+-      rv = nss_load_key(conn, key_file);
++      rv = nss_load_key(conn, sockindex, key_file);
+     else
+       /* In case the cert file also has the key */
+-      rv = nss_load_key(conn, cert_file);
++      rv = nss_load_key(conn, sockindex, cert_file);
+     if(!rv) {
+       if(!display_error(conn, PR_GetError(), key_file))
+         failf(data, "Unable to load client key %d.", PR_GetError());
+@@ -938,6 +940,12 @@ void Curl_nss_close(struct connectdata *
+       free(connssl->client_nickname);
+       connssl->client_nickname = NULL;
+     }
++    if(connssl->key)
++      (void)PK11_DestroyGenericObject(connssl->key);
++    if(connssl->cacert[1])
++      (void)PK11_DestroyGenericObject(connssl->cacert[1]);
++    if(connssl->cacert[0])
++      (void)PK11_DestroyGenericObject(connssl->cacert[0]);
+     connssl->handle = NULL;
+   }
+ }
+@@ -973,6 +981,10 @@ CURLcode Curl_nss_connect(struct connect
+   if (connssl->state == ssl_connection_complete)
+     return CURLE_OK;
+ 
++  connssl->cacert[0] = NULL;
++  connssl->cacert[1] = NULL;
++  connssl->key = NULL;
++
+   /* FIXME. NSS doesn't support multiple databases open at the same time. */
+   PR_Lock(nss_initlock);
+   if(!initialized) {
+@@ -1100,7 +1112,8 @@ CURLcode Curl_nss_connect(struct connect
+     /* skip the verifying of the peer */
+     ;
+   else if(data->set.ssl.CAfile) {
+-    int rc = nss_load_cert(data->set.ssl.CAfile, PR_TRUE);
++    int rc = nss_load_cert(&conn->ssl[sockindex], data->set.ssl.CAfile,
++                           PR_TRUE);
+     if(!rc) {
+       curlerr = CURLE_SSL_CACERT_BADFILE;
+       goto error;
+@@ -1128,7 +1141,7 @@ CURLcode Curl_nss_connect(struct connect
+ 
+           snprintf(fullpath, sizeof(fullpath), "%s/%s", data->set.ssl.CApath,
+                    entry->name);
+-          rc = nss_load_cert(fullpath, PR_TRUE);
++          rc = nss_load_cert(&conn->ssl[sockindex], fullpath, PR_TRUE);
+           /* FIXME: check this return value! */
+         }
+         /* This is purposefully tolerant of errors so non-PEM files
+@@ -1178,7 +1191,7 @@ CURLcode Curl_nss_connect(struct connect
+         free(nickname);
+       goto error;
+     }
+-    if(!cert_stuff(conn, data->set.str[STRING_CERT],
++    if(!cert_stuff(conn, sockindex, data->set.str[STRING_CERT],
+                     data->set.str[STRING_KEY])) {
+       /* failf() is already done in cert_stuff() */
+       if(nickname_alloc)
+diff -ruNp curl-7.19.4.orig/lib/urldata.h curl-7.19.4/lib/urldata.h
+--- curl-7.19.4.orig/lib/urldata.h     2009-03-03 00:05:31.000000000 +0100
++++ curl-7.19.4/lib/urldata.h  2009-04-10 12:51:59.270700921 +0200
+@@ -93,6 +93,7 @@
+ 
+ #ifdef USE_NSS
+ #include <nspr.h>
++#include <pk11pub.h>
+ #endif
+ 
+ #ifdef USE_QSOSSL
+@@ -210,6 +211,10 @@ struct ssl_connect_data {
+ #ifdef USE_NSS
+   PRFileDesc *handle;
+   char *client_nickname;
++#ifdef HAVE_PK11_CREATEGENERICOBJECT
++  PK11GenericObject *key;
++  PK11GenericObject *cacert[2];
++#endif
+ #endif /* USE_NSS */
+ #ifdef USE_QSOSSL
+   SSLHandle *handle;

diff --git a/curl/curl-7.19.4-tool-leak.patch b/curl/curl-7.19.4-tool-leak.patch
new file mode 100644 (file)
index 0000000..ccb84ef
--- /dev/null
+++ b/curl/curl-7.19.4-tool-leak.patch
@@ -0,0 +1,39 @@
+diff -ruNp curl-7.19.4.orig/include/curl/curl.h curl-7.19.4/include/curl/curl.h
+--- curl-7.19.4.orig/include/curl/curl.h       2009-03-03 00:05:31.000000000 +0100
++++ curl-7.19.4/include/curl/curl.h    2009-03-10 14:49:47.017943954 +0100
+@@ -1510,7 +1510,7 @@ CURL_EXTERN void curl_free(void *p);
+  * DESCRIPTION
+  *
+  * curl_global_init() should be invoked exactly once for each application that
+- * uses libcurl
++ * uses libcurl and before any call of other libcurl function
+  */
+ CURL_EXTERN CURLcode curl_global_init(long flags);
+ 
+diff -ruNp curl-7.19.4.orig/src/main.c curl-7.19.4/src/main.c
+--- curl-7.19.4.orig/src/main.c        2009-02-17 10:10:21.000000000 +0100
++++ curl-7.19.4/src/main.c     2009-03-10 14:49:50.297971916 +0100
+@@ -3969,6 +3969,12 @@ operate(struct Configurable *config, int
+ 
+   memset(&heads, 0, sizeof(struct OutStruct));
+ 
++  /* initialize curl library - do not call any libcurl functions before */
++  if (main_init() != CURLE_OK) {
++    helpf(config->errors, "error initializing curl library\n");
++    return CURLE_FAILED_INIT;
++  }
++
+ #ifdef CURLDEBUG
+   /* this sends all memory debug messages to a logfile named memdump */
+   env = curlx_getenv("CURL_MEMDEBUG");
+@@ -4015,10 +4021,6 @@ operate(struct Configurable *config, int
+ #endif
+ 
+   /* inits */
+-  if (main_init() != CURLE_OK) {
+-    helpf(config->errors, "error initializing curl library\n");
+-    return CURLE_FAILED_INIT;
+-  }
+   config->postfieldsize = -1;
+   config->showerror=TRUE;
+   config->use_httpget=FALSE;