From: Richard W.M. Jones <"Richard W.M. Jones ">
Date: Tue, 14 Apr 2009 10:38:35 +0000 (+0100)
Subject: New patches from Fedora.
X-Git-Url: http://git.annexia.org/?a=commitdiff_plain;h=477530a53fa6b014c0fd24db0416da2b96cf8510;p=fedora-mingw.git

New patches from Fedora.
---

diff --git a/curl/curl-7.17.1-badsocket.patch b/curl/curl-7.17.1-badsocket.patch
index 7f092ae..86cdab4 100644
--- a/curl/curl-7.17.1-badsocket.patch
+++ b/curl/curl-7.17.1-badsocket.patch
@@ -1,13 +1,13 @@
-diff -up curl-7.17.1/lib/ftp.c.badsocket curl-7.17.1/lib/ftp.c
---- curl-7.17.1/lib/ftp.c.badsocket 2007-10-27 00:25:19.000000000 +0200
-+++ curl-7.17.1/lib/ftp.c 2008-01-08 15:09:03.000000000 +0100
-@@ -3228,7 +3228,8 @@ static CURLcode Curl_ftp_done(struct con
- /* Note that we keep "use" set to TRUE since that (next) connection is
- still requested to use SSL */
- }
-- sclose(conn->sock[SECONDARYSOCKET]);
-+ if(CURL_SOCKET_BAD != conn->sock[SECONDARYSOCKET])
-+ sclose(conn->sock[SECONDARYSOCKET]);
- 
- conn->sock[SECONDARYSOCKET] = CURL_SOCKET_BAD;
+diff -ruNp curl-7.19.3.orig/lib/ftp.c curl-7.19.3/lib/ftp.c
+--- curl-7.19.3.orig/lib/ftp.c 2009-02-11 10:57:33.334280000 +0100
++++ curl-7.19.3/lib/ftp.c 2009-02-11 10:59:43.957585266 +0100
+@@ -3222,7 +3222,8 @@ static CURLcode ftp_done(struct connectd
+ /* Note that we keep "use" set to TRUE since that (next) connection is
+ still requested to use SSL */
+ }
+- sclose(conn->sock[SECONDARYSOCKET]);
++ if(CURL_SOCKET_BAD != conn->sock[SECONDARYSOCKET])
++ sclose(conn->sock[SECONDARYSOCKET]);
+ conn->sock[SECONDARYSOCKET] = CURL_SOCKET_BAD;
+ }
diff --git a/curl/curl-7.19.4-enable-aes.patch b/curl/curl-7.19.4-enable-aes.patch
new file mode 100644
index 0000000..06351d8
--- /dev/null
+++ b/curl/curl-7.19.4-enable-aes.patch
@@ -0,0 +1,47 @@
+diff -ruNp curl.orig/lib/nss.c curl/lib/nss.c
+--- curl.orig/lib/nss.c 2009-03-04 17:54:28.459240000 +0100
++++ curl/lib/nss.c 2009-03-18 11:38:34.245797020 +0100
+@@ -162,6 +162,18 @@ static const cipher_s cipherlist[] = {
+ #endif
+ };
+ 
++/* following ciphers are new in NSS 3.4 and not enabled by default, therefor
++ they are enabled explicitly */
++static const int enable_ciphers_by_default[] = {
++ TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
++ TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
++ TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
++ TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
++ TLS_RSA_WITH_AES_128_CBC_SHA,
++ TLS_RSA_WITH_AES_256_CBC_SHA,
++ SSL_NULL_WITH_NULL_NULL
++};
++
+ #ifdef HAVE_PK11_CREATEGENERICOBJECT
+ static const char* pem_library = "libnsspem.so";
+ #endif
+@@ -954,6 +966,7 @@ CURLcode Curl_nss_connect(struct connect
+ #endif
+ char *certDir = NULL;
+ int curlerr;
++ const int *cipher_to_enable;
+ 
+ curlerr = CURLE_SSL_CONNECT_ERROR;
+ 
+@@ -1057,6 +1070,16 @@ CURLcode Curl_nss_connect(struct connect
+ if(SSL_OptionSet(model, SSL_V2_COMPATIBLE_HELLO, ssl2) != SECSuccess)
+ goto error;
+ 
++ /* enable all ciphers from enable_ciphers_by_default */
++ cipher_to_enable = enable_ciphers_by_default;
++ while (SSL_NULL_WITH_NULL_NULL != *cipher_to_enable) {
++ if (SSL_CipherPrefSet(model, *cipher_to_enable, PR_TRUE) != SECSuccess) {
++ curlerr = CURLE_SSL_CIPHER;
++ goto error;
++ }
++ cipher_to_enable++;
++ }
++
+ if(data->set.ssl.cipher_list) {
+ if(set_ciphers(data, model, data->set.ssl.cipher_list) != SECSuccess) {
+ curlerr = CURLE_SSL_CIPHER;
diff --git a/curl/curl-7.19.4-nss-leak.patch b/curl/curl-7.19.4-nss-leak.patch
new file mode 100644
index 0000000..5c98cf2
--- /dev/null
+++ b/curl/curl-7.19.4-nss-leak.patch
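Review bot: The loop added at `@@ -1057,6 +1070,16 @@` force-enables six suites on `model` before the user's `cipher_list` is handed to set_ciphers(); whether set_ciphers() first disables every suite or only the ones in the `cipherlist` table is not visible here, and if it is the latter a restrictive `--ciphers` setting would still leave these six enabled, which is worth confirming before shipping. The table comment has a typo and should be tightened: `/* The following ciphers are new in NSS 3.4 and not enabled by default, therefore they are enabled explicitly here. */`. The new lines use `while (` and `if (` with a space, while the surrounding code (`if(SSL_OptionSet(...)`, `if(data->set.ssl.cipher_list)`) does not; match the file's `if(` form. Curl_nss_connect starts and ends outside the hunk.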
@@ -0,0 +1,171 @@
+diff -ruNp curl-7.19.4.orig/lib/nss.c curl-7.19.4/lib/nss.c
+--- curl-7.19.4.orig/lib/nss.c 2009-04-10 12:51:24.940363000 +0200
++++ curl-7.19.4/lib/nss.c 2009-04-10 12:51:59.268700902 +0200
+@@ -282,13 +282,12 @@ static int is_file(const char *filename)
+ return 0;
+ }
+ 
+-static int
+-nss_load_cert(const char *filename, PRBool cacert)
++static int nss_load_cert(struct ssl_connect_data *ssl,
++ const char *filename, PRBool cacert)
+ {
+ #ifdef HAVE_PK11_CREATEGENERICOBJECT
+ CK_SLOT_ID slotID;
+ PK11SlotInfo * slot = NULL;
+- PK11GenericObject *rv;
+ CK_ATTRIBUTE *attrs;
+ CK_ATTRIBUTE theTemplate[20];
+ CK_BBOOL cktrue = CK_TRUE;
+@@ -363,11 +362,12 @@ nss_load_cert(const char *filename, PRBo
+ /* This load the certificate in our PEM module into the appropriate
+ * slot.
+ */
+- rv = PK11_CreateGenericObject(slot, theTemplate, 4, PR_FALSE /* isPerm */);
++ ssl->cacert[slotID] = PK11_CreateGenericObject(slot, theTemplate, 4,
++ PR_FALSE /* isPerm */);
+ 
+ PK11_FreeSlot(slot);
+ 
+- if(rv == NULL) {
++ if(ssl->cacert[slotID] == NULL) {
+ free(nickname);
+ return 0;
+ }
+@@ -474,11 +474,10 @@ static int nss_load_crl(const char* crlf
+ return 1;
+ }
+ 
+-static int nss_load_key(struct connectdata *conn, char *key_file)
++static int nss_load_key(struct connectdata *conn, int sockindex, char *key_file)
+ {
+ #ifdef HAVE_PK11_CREATEGENERICOBJECT
+ PK11SlotInfo * slot = NULL;
+- PK11GenericObject *rv;
+ CK_ATTRIBUTE *attrs;
+ CK_ATTRIBUTE theTemplate[20];
+ CK_BBOOL cktrue = CK_TRUE;
+@@ -486,6 +485,7 @@ static int nss_load_key(struct connectda
+ CK_SLOT_ID slotID;
+ pphrase_arg_t *parg = NULL;
+ char slotname[SLOTSIZE];
++ struct ssl_connect_data *sslconn = &conn->ssl[sockindex];
+ 
+ attrs = theTemplate;
+ 
+@@ -505,8 +505,9 @@ static int nss_load_key(struct connectda
+ strlen(key_file)+1); attrs++;
+ 
+ /* When adding an encrypted key the PKCS#11 will be set as removed */
+- rv = PK11_CreateGenericObject(slot, theTemplate, 3, PR_FALSE /* isPerm */);
+- if(rv == NULL) {
++ sslconn->key = PK11_CreateGenericObject(slot, theTemplate, 3,
++ PR_FALSE /* isPerm */);
++ if(sslconn->key == NULL) {
+ PR_SetError(SEC_ERROR_BAD_KEY, 0);
+ return 0;
+ }
+@@ -554,13 +555,14 @@ static int display_error(struct connectd
+ return 0; /* The caller will print a generic error */
+ }
+ 
+-static int cert_stuff(struct connectdata *conn, char *cert_file, char *key_file)
++static int cert_stuff(struct connectdata *conn,
++ int sockindex, char *cert_file, char *key_file)
+ {
+ struct SessionHandle *data = conn->data;
+ int rv = 0;
+ 
+ if(cert_file) {
+- rv = nss_load_cert(cert_file, PR_FALSE);
++ rv = nss_load_cert(&conn->ssl[sockindex], cert_file, PR_FALSE);
+ if(!rv) {
+ if(!display_error(conn, PR_GetError(), cert_file))
+ failf(data, "Unable to load client cert %d.", PR_GetError());
+@@ -569,10 +571,10 @@ static int cert_stuff(struct connectdata
+ }
+ if(key_file || (is_file(cert_file))) {
+ if(key_file)
+- rv = nss_load_key(conn, key_file);
++ rv = nss_load_key(conn, sockindex, key_file);
+ else
+ /* In case the cert file also has the key */
+- rv = nss_load_key(conn, cert_file);
++ rv = nss_load_key(conn, sockindex, cert_file);
+ if(!rv) {
+ if(!display_error(conn, PR_GetError(), key_file))
+ failf(data, "Unable to load client key %d.", PR_GetError());
+@@ -938,6 +940,12 @@ void Curl_nss_close(struct connectdata *
+ free(connssl->client_nickname);
+ connssl->client_nickname = NULL;
+ }
++ if(connssl->key)
++ (void)PK11_DestroyGenericObject(connssl->key);
++ if(connssl->cacert[1])
++ (void)PK11_DestroyGenericObject(connssl->cacert[1]);
++ if(connssl->cacert[0])
++ (void)PK11_DestroyGenericObject(connssl->cacert[0]);
+ connssl->handle = NULL;
+ }
+ }
+@@ -973,6 +981,10 @@ CURLcode Curl_nss_connect(struct connect
+ if (connssl->state == ssl_connection_complete)
+ return CURLE_OK;
+ 
++ connssl->cacert[0] = NULL;
++ connssl->cacert[1] = NULL;
++ connssl->key = NULL;
++
+ /* FIXME. NSS doesn't support multiple databases open at the same time. */
+ PR_Lock(nss_initlock);
+ if(!initialized) {
+@@ -1100,7 +1112,8 @@ CURLcode Curl_nss_connect(struct connect
+ /* skip the verifying of the peer */
+ ;
+ else if(data->set.ssl.CAfile) {
+- int rc = nss_load_cert(data->set.ssl.CAfile, PR_TRUE);
++ int rc = nss_load_cert(&conn->ssl[sockindex], data->set.ssl.CAfile,
++ PR_TRUE);
+ if(!rc) {
+ curlerr = CURLE_SSL_CACERT_BADFILE;
+ goto error;
+@@ -1128,7 +1141,7 @@ CURLcode Curl_nss_connect(struct connect
+ 
+ snprintf(fullpath, sizeof(fullpath), "%s/%s", data->set.ssl.CApath,
+ entry->name);
+- rc = nss_load_cert(fullpath, PR_TRUE);
++ rc = nss_load_cert(&conn->ssl[sockindex], fullpath, PR_TRUE);
+ /* FIXME: check this return value! */
+ }
+ /* This is purposefully tolerant of errors so non-PEM files
+@@ -1178,7 +1191,7 @@ CURLcode Curl_nss_connect(struct connect
+ free(nickname);
+ goto error;
+ }
+- if(!cert_stuff(conn, data->set.str[STRING_CERT],
++ if(!cert_stuff(conn, sockindex, data->set.str[STRING_CERT],
+ data->set.str[STRING_KEY])) {
+ /* failf() is already done in cert_stuff() */
+ if(nickname_alloc)
+diff -ruNp curl-7.19.4.orig/lib/urldata.h curl-7.19.4/lib/urldata.h
+--- curl-7.19.4.orig/lib/urldata.h 2009-03-03 00:05:31.000000000 +0100
++++ curl-7.19.4/lib/urldata.h 2009-04-10 12:51:59.270700921 +0200
+@@ -93,6 +93,7 @@
+ 
+ #ifdef USE_NSS
+ #include
++#include
+ #endif
+ 
+ #ifdef USE_QSOSSL
+@@ -210,6 +211,10 @@ struct ssl_connect_data {
+ #ifdef USE_NSS
+ PRFileDesc *handle;
+ char *client_nickname;
++#ifdef HAVE_PK11_CREATEGENERICOBJECT
++ PK11GenericObject *key;
++ PK11GenericObject *cacert[2];
++#endif
+ #endif /* USE_NSS */
+ #ifdef USE_QSOSSL
+ SSLHandle *handle;
diff --git a/curl/curl-7.19.4-tool-leak.patch b/curl/curl-7.19.4-tool-leak.patch
new file mode 100644
index 0000000..ccb84ef
--- /dev/null
+++ b/curl/curl-7.19.4-tool-leak.patch
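Review bot: The new field uses in `Curl_nss_close` (`@@ -938,6 +940,12 @@`) and the reset at the top of `Curl_nss_connect` (`@@ -973,6 +981,10 @@`) are unguarded, but the urldata.h hunk declares `key` and `cacert[2]` only under `#ifdef HAVE_PK11_CREATEGENERICOBJECT`, so a build without that symbol no longer compiles; both spots need the same guard that `nss_load_cert` and `nss_load_key` already have. The close path also destroys the objects without clearing the pointers, leaving dangling handles in the connection data, so null them after `PK11_DestroyGenericObject`. Separately, the CApath loop at `@@ -1128,7 +1141,7 @@` calls `nss_load_cert` once per directory entry and each call overwrites `ssl->cacert[slotID]`, so only the last CA object is released at close and the earlier ones still leak; destroy the previous object before assigning, or keep a list. This assumes `slotID` only ever takes the values 0 and 1 — its assignment is outside the hunk and `cacert` has two elements, so any other value would write past the array. The added `++#include` line of the urldata.h hunk shows no header name in this rendering, presumably lost with the angle brackets.
```c
/* Curl_nss_close: */
    free(connssl->client_nickname);
    connssl->client_nickname = NULL;
  }
#ifdef HAVE_PK11_CREATEGENERICOBJECT
  if(connssl->key) {
    (void)PK11_DestroyGenericObject(connssl->key);
    connssl->key = NULL;
  }
  if(connssl->cacert[1]) {
    (void)PK11_DestroyGenericObject(connssl->cacert[1]);
    connssl->cacert[1] = NULL;
  }
  if(connssl->cacert[0]) {
    (void)PK11_DestroyGenericObject(connssl->cacert[0]);
    connssl->cacert[0] = NULL;
  }
#endif
  connssl->handle = NULL;
/* … unchanged: rest of Curl_nss_close … */

/* Curl_nss_connect, after the ssl_connection_complete early return: */
#ifdef HAVE_PK11_CREATEGENERICOBJECT
  connssl->cacert[0] = NULL;
  connssl->cacert[1] = NULL;
  connssl->key = NULL;
#endif
```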
@@ -0,0 +1,39 @@
+diff -ruNp curl-7.19.4.orig/include/curl/curl.h curl-7.19.4/include/curl/curl.h
+--- curl-7.19.4.orig/include/curl/curl.h 2009-03-03 00:05:31.000000000 +0100
++++ curl-7.19.4/include/curl/curl.h 2009-03-10 14:49:47.017943954 +0100
+@@ -1510,7 +1510,7 @@ CURL_EXTERN void curl_free(void *p);
+ * DESCRIPTION
+ *
+ * curl_global_init() should be invoked exactly once for each application that
+- * uses libcurl
++ * uses libcurl and before any call of other libcurl function
+ */
+ CURL_EXTERN CURLcode curl_global_init(long flags);
+ 
+diff -ruNp curl-7.19.4.orig/src/main.c curl-7.19.4/src/main.c
+--- curl-7.19.4.orig/src/main.c 2009-02-17 10:10:21.000000000 +0100
++++ curl-7.19.4/src/main.c 2009-03-10 14:49:50.297971916 +0100
+@@ -3969,6 +3969,12 @@ operate(struct Configurable *config, int
+ 
+ memset(&heads, 0, sizeof(struct OutStruct));
+ 
++ /* initialize curl library - do not call any libcurl functions before */
++ if (main_init() != CURLE_OK) {
++ helpf(config->errors, "error initializing curl library\n");
++ return CURLE_FAILED_INIT;
++ }
++
+ #ifdef CURLDEBUG
+ /* this sends all memory debug messages to a logfile named memdump */
+ env = curlx_getenv("CURL_MEMDEBUG");
+@@ -4015,10 +4021,6 @@ operate(struct Configurable *config, int
+ #endif
+ 
+ /* inits */
+- if (main_init() != CURLE_OK) {
+- helpf(config->errors, "error initializing curl library\n");
+- return CURLE_FAILED_INIT;
+- }
+ config->postfieldsize = -1;
+ config->showerror=TRUE;
+ config->use_httpget=FALSE;
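Review bot: The reworded curl_global_init() description in the curl.h hunk is ungrammatical; suggest `* uses libcurl, and before any other libcurl function is called`. In the main.c hunk the moved `main_init()` check now precedes the CURLDEBUG `curlx_getenv` call, presumably the reason for the move, and as far as this hunk shows nothing is acquired between the `memset` of `heads` and the new early `return CURLE_FAILED_INIT`, so the early exit leaks nothing; operate() starts and ends outside both hunks. The added comment would read more precisely as `/* initialize libcurl - no other libcurl function may be called before this */`.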