From bd6ce822d04d3388c1408bd960a6ddab3acadce7 Mon Sep 17 00:00:00 2001 From: Stephen Farrell Date: Wed, 6 Sep 2023 23:15:09 +0100 Subject: [PATCH 01/21] ECH experimental changes for curl --- .github/scripts/spellcheck.words | 21 + .gitignore | 1 + CMakeLists.txt | 28 + configure.ac | 39 +- docs/ECH.md | 484 +++++++++++++++ docs/EXPERIMENTAL.md | 1 + docs/cmdline-opts/ech.d | 35 ++ docs/libcurl/opts/CURLOPT_ECH.3 | 73 +++ docs/libcurl/opts/Makefile.inc | 1 + docs/libcurl/symbols-in-versions | 1 + docs/options-in-versions | 1 + include/curl/curl.h | 7 +- include/curl/typecheck-gcc.h | 1 + lib/curl_config.h.cmake | 6 + lib/doh.c | 405 ++++++++++++- lib/doh.h | 39 +- lib/easyoptions.c | 1 + lib/hostip.c | 17 + lib/hostip.h | 28 + lib/setopt.c | 43 ++ lib/strerror.c | 5 + lib/urldata.h | 17 + lib/vtls/openssl.c | 279 +++++++++ lib/vtls/wolfssl.c | 105 ++++ m4/curl-confopts.m4 | 37 ++ packages/OS400/ccsidcurl.c | 3 + src/tool_cfgable.c | 8 + src/tool_cfgable.h | 6 + src/tool_getparam.c | 56 +- src/tool_listhelp.c | 6 + src/tool_operate.c | 10 + tests/ech_combos.py | 79 +++ tests/ech_tests.sh | 974 +++++++++++++++++++++++++++++++ 33 files changed, 2801 insertions(+), 16 deletions(-) create mode 100644 docs/ECH.md create mode 100644 docs/cmdline-opts/ech.d create mode 100644 docs/libcurl/opts/CURLOPT_ECH.3 create mode 100755 tests/ech_combos.py create mode 100755 tests/ech_tests.sh diff --git a/.github/scripts/spellcheck.words b/.github/scripts/spellcheck.words index 4495454e174f44..5378e4c44bc209 100644 --- a/.github/scripts/spellcheck.words +++ b/.github/scripts/spellcheck.words @@ -2,6 +2,7 @@ # # SPDX-License-Identifier: curl # +AAAA ABI accessor ACK @@ -10,6 +11,7 @@ AIA AIX al Alessandro +aliasMode allocator alnum ALPN @@ -107,6 +109,7 @@ CLA CLAs cleartext CLI +ClientHello clientp cliget closesocket @@ -114,6 +117,8 @@ CMake CMake's cmake cmake's +CNAME +CNAMEs CMakeLists CodeQL codeql 
@@ -143,6 +148,7 @@ cURL CURLcode curldown CURLE +CURLECH CURLH curlimages CURLINFO @@ -161,6 +167,7 @@ dbg Debian DEBUGBUILD decrypt +decrypting deepcode DELE DER @@ -187,6 +194,7 @@ DNS dns dnsop DoH +DoT doxygen drftpd dsa @@ -198,6 +206,9 @@ EBCDIC ECC ECDHE ECH +ecl +ECHConfig +ECHConfigList ECONNREFUSED eCOS EFnet @@ -281,6 +292,8 @@ GOST GPG GPL GPLed +GREASE +GREASEing Greear groff GSKit @@ -303,6 +316,7 @@ Hards Haxx haxx Heimdal +HelloRetryRequest HELO HH HMAC @@ -312,6 +326,7 @@ homebrew hostname hostnames Housley +HRR Hruska HSTS hsts @@ -584,6 +599,7 @@ pkcs PKGBUILD PKI pluggable +pn PolarSSL Polhem pollset @@ -619,6 +635,7 @@ py pycurl pytest Pytest +qname QNX QoS Qubes @@ -662,6 +679,9 @@ Roadmap Rockbox roffit RPG +RR +RRs +RRtype RSA RTMP rtmp @@ -778,6 +798,7 @@ SunSSH superset svc svcb +SVCB Svyatoslav Swisscom sws diff --git a/.gitignore b/.gitignore index 2d5c292325d8e3..6d1e69ed04b589 100644 --- a/.gitignore +++ b/.gitignore @@ -65,3 +65,4 @@ curl_fuzzer_seed_corpus.zip libstandaloneengine.a tests/string tests/config +tests/ech-log/ diff --git a/CMakeLists.txt b/CMakeLists.txt index 2194a6598a2c92..92458fef815c90 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -37,6 +37,7 @@ # HAVE_GNUTLS_SRP: `gnutls_srp_verifier` present in GnuTLS # HAVE_SSL_CTX_SET_QUIC_METHOD: `SSL_CTX_set_quic_method` present in OpenSSL/wolfSSL # HAVE_QUICHE_CONN_SET_QLOG_FD: `quiche_conn_set_qlog_fd` present in QUICHE +# HAVE_ECH: ECH API checks for OpenSSL, boriingssl or wolfSSL # # For each of the above variables, if the variable is DEFINED (either # to ON or OFF), the symbol detection will be skipped. If the 
@@ -655,6 +656,31 @@ if(USE_OPENSSL OR USE_WOLFSSL) endif() endif() +option(USE_HTTPSRR "Enable HTTPS RR support for ECH (experimental)" OFF) +option(USE_ECH "Enable ECH support" OFF) +if(USE_ECH) + if(USE_OPENSSL OR USE_WOLFSSL) + # Be sure that the OpenSSL/wolfSSL library actually supports ECH. + if(NOT DEFINED HAVE_ECH) + if(USE_OPENSSL AND HAVE_BORINGSSL) + openssl_check_symbol_exists(SSL_set1_ech_config_list "openssl/ssl.h" HAVE_ECH) + elseif(USE_OPENSSL) + openssl_check_symbol_exists(SSL_ech_set1_echconfig "openssl/ech.h" HAVE_ECH) + elseif(USE_WOLFSSL) + openssl_check_symbol_exists(wolfSSL_CTX_GenerateEchConfig "wolfssl/options.h;wolfssl/ssl.h" HAVE_ECH) + endif() + endif() + if(NOT HAVE_ECH) + message(FATAL_ERROR "ECH support missing in OpenSSL/BoringSSL/wolfSSL") + else() + message("ECH enabled.") + endif() + else() + message(FATAL_ERROR "ECH requires ECH-enablded OpenSSL, BoringSSL or wolfSSL") + endif() +endif() + + option(USE_NGHTTP2 "Use nghttp2 library" OFF) if(USE_NGHTTP2) find_package(NGHTTP2 REQUIRED) @@ -1568,6 +1594,8 @@ if(NOT CURL_DISABLE_INSTALL) _add_if("IPFS" NOT CURL_DISABLE_HTTP) _add_if("IPNS" NOT CURL_DISABLE_HTTP) _add_if("HTTPS" NOT CURL_DISABLE_HTTP AND SSL_ENABLED) + _add_if("ECH" HAVE_ECH) + _add_if("HTTPSRR" HAVE_ECH) _add_if("FTP" NOT CURL_DISABLE_FTP) _add_if("FTPS" NOT CURL_DISABLE_FTP AND SSL_ENABLED) _add_if("FILE" NOT CURL_DISABLE_FILE) diff --git a/configure.ac b/configure.ac index cd0e2d07d8d164..3c0f7d3996274e 100644 --- a/configure.ac +++ b/configure.ac @@ -51,6 +51,7 @@ CURL_CHECK_OPTION_CURLDEBUG CURL_CHECK_OPTION_SYMBOL_HIDING CURL_CHECK_OPTION_ARES CURL_CHECK_OPTION_RT +CURL_CHECK_OPTION_HTTPSRR CURL_CHECK_OPTION_ECH XC_CHECK_PATH_SEPARATOR 
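Review bot: The new `option(USE_HTTPSRR ...)` is declared but never consulted: the `if(USE_ECH)` block neither requires it nor switches it on, and the feature list in the -1568 hunk derives both `ECH` and `HTTPSRR` from `HAVE_ECH`, so a `-DUSE_HTTPSRR=ON -DUSE_ECH=OFF` build reports no HTTPSRR feature while the configure.ac side of this patch forces HTTPS RR on whenever ECH is found. Mirror that dependency here, e.g. `set(USE_HTTPSRR ON)` once the ECH check succeeds, and report the feature from its own switch with `_add_if("HTTPSRR" USE_HTTPSRR)`; whether lib/curl_config.h.cmake maps USE_HTTPSRR to a define is outside this view. The FATAL_ERROR text also misspells `ECH-enablded`, and the header comment added in the -37 hunk spells `boriingssl`.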
@@ -4518,6 +4519,18 @@ if test "x$hsts" != "xyes"; then AC_DEFINE(CURL_DISABLE_HSTS, 1, [disable alt-svc]) fi + +dnl ************************************************************* +dnl check whether HTTPSRR support if desired +dnl +if test "x$want_httpsrr" != "xno"; then + AC_MSG_RESULT([HTTPSRR support is available]) + AC_DEFINE(USE_HTTPSRR, 1, [enable HTTPS RR support]) + experimental="$experimental HTTPSRR" +else + AC_DEFINE(USE_HTTPSRR, 0, [HTTPS RR support off]) +fi + dnl ************************************************************* dnl check whether ECH support, if desired, is actually available dnl @@ -4528,18 +4541,28 @@ if test "x$want_ech" != "xno"; then ECH_ENABLED=0 ECH_SUPPORT='' - dnl OpenSSL with a chosen ECH function should be enough - dnl so more exhaustive checking seems unnecessary for now + dnl check for OpenSSL if test "x$OPENSSL_ENABLED" = "x1"; then - AC_CHECK_FUNCS(SSL_get_ech_status, - ECH_SUPPORT="ECH support available (OpenSSL with SSL_get_ech_status)" + AC_CHECK_FUNCS(SSL_ech_set1_echconfig, + ECH_SUPPORT="ECH support available via OpenSSL with SSL_ech_set1_echconfig" + ECH_ENABLED=1) + fi + dnl check for boringssl equivalent + if test "x$OPENSSL_ENABLED" = "x1"; then + AC_CHECK_FUNCS(SSL_set1_ech_config_list, + ECH_SUPPORT="ECH support available via boringssl with SSL_set1_ech_config_list" + ECH_ENABLED=1) + fi + if test "x$WOLFSSL_ENABLED" = "x1"; then + AC_CHECK_FUNCS(wolfSSL_CTX_GenerateEchConfig, + ECH_SUPPORT="ECH support available via WolfSSL with wolfSSL_CTX_GenerateEchConfig" ECH_ENABLED=1) - - dnl add 'elif' chain here for additional implementations fi dnl now deal with whatever we found if test "x$ECH_ENABLED" = "x1"; then + dnl force pre-requisites for ECH + AC_DEFINE(USE_HTTPSRR, 1, [force HTTPS RR support for ECH]) AC_DEFINE(USE_ECH, 1, [if ECH support is available]) AC_MSG_RESULT($ECH_SUPPORT) experimental="$experimental ECH" 
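Review bot: `AC_DEFINE(USE_HTTPSRR, 0, [HTTPS RR support off])` in the else branch of the new HTTPSRR block defines the macro even when support is off; docs/ECH.md in this patch says the library code is `#ifdef` protected via `USE_HTTPSRR`, so that guard still passes and the RR retrieval code is compiled into a build that asked for it to be off. When ECH is then detected, the `AC_DEFINE(USE_HTTPSRR, 1, ...)` added in the -4528 hunk redefines the same macro to 1 in the same config header. Leave the macro undefined in the off case: replace the `else` / `AC_DEFINE(USE_HTTPSRR, 0, [HTTPS RR support off])` pair with a bare `fi`. The comment `dnl check whether HTTPSRR support if desired` should read `dnl check whether HTTPSRR support is desired`, and the -4762 hunk drops ECH from SUPPORT_FEATURES with no visible replacement in this patch, so confirm that curl-config still reports the feature.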
@@ -4762,10 +4785,6 @@ else AC_MSG_RESULT([no]) fi -if test "x$ECH_ENABLED" = "x1"; then - SUPPORT_FEATURES="$SUPPORT_FEATURES ECH" -fi - if test ${ac_cv_sizeof_curl_off_t} -gt 4; then if test ${ac_cv_sizeof_off_t} -gt 4 -o \ "$curl_win32_file_api" = "win32_large_files"; then diff --git a/docs/ECH.md b/docs/ECH.md new file mode 100644 index 00000000000000..d56f77f9e002ab --- /dev/null +++ b/docs/ECH.md 
@@ -0,0 +1,484 @@ + +# Building curl with HTTPS-RR and ECH support + +We've added support for ECH to a recent curl build. That can use HTTPS RRs +published in the DNS, if curl is using DoH, or else can accept the relevant +ECHConfigList values from the command line. That works with OpenSSL, +WolfSSL or boringssl as it's TLS provider, depending on how you build curl. + +This has not been tested. DO NOT USE. + +This should however provide enough of a proof-of-concept to prompt an informed +discussion about a good path forward for ECH support in curl, when using +OpenSSL, or other TLS libraries, as those add ECH support. + +## OpenSSL Build + +To build our ECH-enabled OpenSSL fork: + +```bash + cd $HOME/code + git clone https://github.com/sftcd/openssl + cd openssl + git checkout ECH-draft-13c + ./config + ...stuff... + make -j8 + ...stuff (maybe go for coffee)... +``` + +To build our ECH-enabled curl fork, making use of the above: + +```bash + cd $HOME/code + git clone https://github.com/sftcd/curl + cd curl + git checkout ECH-experimental + autoreconf -fi + export LD_LIBRARY_PATH=$HOME/code/openssl + LDFLAGS="-L$HOME/code/openssl" ./configure --with-ssl=$HOME/code/openssl --enable-ech --enable-httpsrr + ...lots of output... + WARNING: ech ECH HTTPSRR enabled but marked EXPERIMENTAL... + make + ...lots more output... +``` + +If you don't get that WARNING at the end of the ``configure`` command, then ECH +isn't enabled, so go back some steps and re-do whatever needs re-doing:-) If you +want to debug curl then you should add ``--enable-debug`` to the ``configure`` +command. + +## Building with cmake + +This is not working cleanly yet, but to build with cmake: + +```bash + cd $HOME/code + git clone https://github.com/sftcd/curl + cd curl + mkdir build + cd build + cmake -DOPENSSL_ROOT_DIR=$HOME/code/openssl -DUSE_ECH=1 -DUSE_HTTPSRR=1 -DUSE_MANUAL=1 .. + ... + make + ... 
+ [85%] Generating ../curl.1 + .../code/curl/docs/cmdline-opts::1:ERROR: unrecognized Multi: '' +``` + +The ``USE_MANUAL`` above avoids what seems an odd error with +``tool_hugehelp.c`` The build still however fails when trying to make +``docs/curl.1`` so I fixed that manually for now: + +```bash + cd $HOME/code/curl/build + $HOME/code/curl/docs/cmdline-opts/gen.pl mainpage $HOME/code/ $HOME/code/curl/docs/cmdline-opts/*.d >docs/curl.1 + make + ... + [100%] Built target curl +``` + +So we finally get a binary, and our ``tests/ech_test.sh`` script seems happy. + +## Using ECH and DoH + +Curl supports using DoH for A/AAAA lookups so it was relatively easy to add +retrieval of HTTPS RRs in that situation. To use ECH and DoH together: + +```bash + cd $HOME/code/curl + LD_LIBRARY_PATH=$HOME/code/openssl ./src/curl --ech true --doh-url https://1.1.1.1/dns-query https://defo.ie/ech-check.php + ... + SSL_ECH_STATUS: success good
+ ... +``` + +The output snippet above is within the HTML for the web page, when things work. + +The above works for these test sites: + +```bash + https://defo.ie/ech-check.php + https://draft-13.esni.defo.ie:8413/stats + https://draft-13.esni.defo.ie:8414/stats + https://crypto.cloudflare.com/cdn-cgi/trace + https://tls-ech.dev +``` + +So we seem to have the basic thing functioning now. That list has 4 different +server technologies, implemented by 3 different parties, and includes a case +(the port 8414 server) where HelloRetryRequest (HRR) is forced. + +We currently support the following new curl command line arguments/options: + +- ``--ech `` - the ``config`` value can be one of: + - ``false`` says to not attempt ECH + - ``true`` says to attempt ECH, if possible + - ``grease`` if attempting ECH is not possible, then send a GREASE ECH extension + - ``hard`` hard-fail the connection if ECH cannot be attempted + - ``ecl:`` a base64 encoded ECHConfigList, rather than one accessed from the DNS + - ``pn:`` over-ride the ``public_name`` from an ECHConfigList + +Note that in the above "attempt ECH" means the client emitting a TLS +ClientHello with a "real" ECH extension, but that does not mean that the +relevant server will succeed in decrypting, as things can fail for other +reasons. + +## Supplying an ECHConfigList on the command line + +To supply the ECHConfigList on the command line, you might need a bit of +cut-and-paste, e.g.: + +```bash + dig +short https defo.ie + 1 . ipv4hint=213.108.108.101 ech=AED+DQA8PAAgACD8WhlS7VwEt5bf3lekhHvXrQBGDrZh03n/LsNtAodbUAAEAAEAAQANY292ZXIuZGVmby5pZQAA ipv6hint=2a00:c6c0:0:116:5::10 +``` + +Then paste the base64 encoded ECHConfigList onto the curl command line: + +```bash + LD_LIBRARY_PATH=$HOME/code/openssl ./src/curl --ech ecl:AED+DQA8PAAgACD8WhlS7VwEt5bf3lekhHvXrQBGDrZh03n/LsNtAodbUAAEAAEAAQANY292ZXIuZGVmby5pZQAA https://defo.ie/ech-check.php + ... + SSL_ECH_STATUS: success good
+ ... +``` + +The output snippet above is within the HTML for the web page. + +If you paste in the wrong ECHConfigList (it changes hourly for ``defo.ie``) you'll +get an error like this: + +```bash + LD_LIBRARY_PATH=$HOME/code/openssl ./src/curl -vvv --ech ecl:AED+DQA8yAAgACDRMQo+qYNsNRNj+vfuQfFIkrrUFmM4vogucxKj/4nzYgAEAAEAAQANY292ZXIuZGVmby5pZQAA https://defo.ie/ech-check.php + ... + * OpenSSL/3.2.0: error:0A00054B:SSL routines::ech required + ... +``` + +There is a reason to keep this command line option - for use before publishing +the ECHConfigList in the DNS (e.g. as per the Internet-draft +[A well-known URI for publishing ECHConfigList values](https://datatracker.ietf.org/doc/draft-ietf-tls-wkech/). + +If you do use a wrong ECHConfigList value, then the server might return a +good value, via the ``retry_configs`` mechanism. You can see that value in +the verbose output, e.g.: + +```bash + LD_LIBRARY_PATH=$HOME/code/openssl ./src/curl -vvv --ech ecl:AED+DQA8yAAgACDRMQo+qYNsNRNj+vfuQfFIkrrUFmM4vogucxKj/4nzYgAEAAEAAQANY292ZXIuZGVmby5pZQAA https://defo.ie/ech-check.php + ... +* ECH: retry_configs AQD+DQA8DAAgACBvYqJy+Hgk33wh/ZLBzKSPgwxeop7gvojQzfASq7zeZQAEAAEAAQANY292ZXIuZGVmby5pZQAA/g0APEMAIAAgXkT5r4cYs8z19q5rdittyIX8gfQ3ENW4wj1fVoiJZBoABAABAAEADWNvdmVyLmRlZm8uaWUAAP4NADw2ACAAINXSE9EdXzEQIJZA7vpwCIQsWqsFohZARXChgPsnfI1kAAQAAQABAA1jb3Zlci5kZWZvLmllAAD+DQA8cQAgACASeiD5F+UoSnVoHvA2l1EifUVMFtbVZ76xwDqmMPraHQAEAAEAAQANY292ZXIuZGVmby5pZQAA +* ECH: retry_configs for defo.ie from cover.defo.ie, 319 + ... +``` + +At that point, you could copy the base64 encoded value above and try again. +For now, this only works for the OpenSSL and boringssl builds. + +## Default settings + +Curl has various ways to configure default settings, e.g. 
in ``$HOME/.curlrc``, +so one can set the DoH URL and enable ECH that way: + +```bash + cat ~/.curlrc + doh-url=https://one.one.one.one/dns-query + silent=TRUE + ech=TRUE +``` + +Note that when you use the system's curl command (rather than our ECH-enabled +build), it's liable to warn that ``ech`` is an unknown option. If that's an +issue (e.g. if some script re-directs stdout and stderr somewhere) then adding +the ``silent=TRUE`` line above seems to be a good enough fix. (Though of +course, yet another script could depend on non-silent behavior, so you'll have +to figure out what you prefer yourself.) + +And if you want to always use our OpenSSL build you can set ``LD_LIBRARY_PATH`` +in the environment: + +```bash + export LD_LIBRARY_PATH=$HOME/code/openssl +``` + +Note that when you do that, there can be a mismatch between OpenSSL versions +for applications that check that. A ``git push`` for example will fail so you +should unset ``LD_LIBRARY_PATH`` before doing that or use a different shell. + +```bash + git push + OpenSSL version mismatch. Built against 30000080, you have 30200000 + ... +``` + +With all that setup as above the command line gets simpler: + +```bash + ./src/curl https://defo.ie/ech-check.php + ... + SSL_ECH_STATUS: success good
+ ... +``` + +The ``--ech true`` option is opportunistic, so will try to do ECH but won't fail if +the client for example can't find any ECHConfig values. The ``--ech hard`` +option hard-fails if there is no ECHConfig found in DNS, so for now, that's not +a good option to set as a default. + +## Code changes for ECH support when using DoH + +All code changes are in a new ``ECH-experimental`` branch of our fork +([here](https://github.com/sftcd/curl/tree/ECH-experimental)) and are +``#ifdef`` protected via ``USE_ECH`` or ``USE_HTTPSRR``: + +- ``USE_HTTPSRR`` is used for HTTPS RR retrieval code that could be generically + used should non-ECH uses for HTTPS RRs be identified, e.g. use of ALPN values +or IP address hints. + +- ``USE_ECH`` protects ECH specific code, which is likely almost all also + OpenSSL-specific. (Though some fragments should be usable for other TLS +libraries in future.) + +There are various obvious code blocks for handling the new command line +arguments which aren't described here, but should be fairly clear. + +As shown in the ``configure`` usage above, there are ``configure.ac`` changes +that allow separately dis/enabling ``USE_HTTPSRR`` and ``USE_ECH``. If ``USE_ECH`` +is enabled, then ``USE_HTTPSRR`` will be forced. In both cases ``USE_DOH`` +is required. (There may be some configuration conflicts available for the +determined:-) + +The main functional change, as you'd expect, is in ``lib/vtls/openssl.c`` +([here](https://github.com/sftcd/curl/blob/ECH-experimental/lib/vtls/openssl.c#L3768)) +where an ECHConfig, if available from command line or DNS cache, is fed into +the OpenSSL library via the new APIs implemented in our OpenSSL fork for that +purpose. This code also implements the opportunistic (``--ech true``) or hard-fail +(``--ech hard``) logic. 
+ +Other than that, the main additions are in ``lib/doh.c`` +([here](https://github.com/sftcd/curl/blob/ECH-experimental/lib/doh.c#L418)) +where we re-use ``dohprobe()`` to retrieve an HTTPS RR value for the target +domain. If such a value is found, that's stored using a new ``store_https()`` +function +([here](https://github.com/sftcd/curl/blob/ECH-experimental/lib/doh.c#L527)) in +a new field in the ``dohentry`` structure. + +The qname for the DoH query is modified if the port number is not 443, as +defined in the SVCB specification. +([here](https://github.com/sftcd/curl/blob/ECH-experimental/lib/doh.c#L418)) + +When the DoH process has worked, ``Curl_doh_is_resolved()`` now also returns +the relevant HTTPS RR value data in the ``Curl_dns_entry`` structure. +([here](https://github.com/sftcd/curl/blob/ECH-experimental/lib/doh.c#L1086)) +That is later accessed when the TLS session is being established, if ECH is +enabled (from ``lib/vtls/openssl.c`` as described above). + +Things that need fixing, but that can probably be ignored for the +moment: + +- We could easily add code to make use of an ``alpn=`` value found in an HTTPS + RR, passing that on to OpenSSL for use as the "inner" ALPN value, but have +yet to do that. + +Current limitations (more interesting than the above): + +- Only the first HTTPS RR value retrieved is actually processed as described + above, that could be extended in future, though picking the "right" HTTPS RR +could be non-trivial if multiple RRs are published - matching IP address hints +versus A/AAAA values might be a good basis for that. Last I checked though, +browsers supporting ECH didn't handle multiple HTTPS RRs well, though that +needs re-checking as it's been a while. + +- It's unclear how one should handle any IP address hints found in an HTTPS RR. 
+ It may be that a bit of consideration of how "multi-CDN" deployments might +emerge would provide good answers there, but for now, it's not clear how best +curl might handle those values when present in the DNS. + +- The SVCB/HTTPS RR specification supports a new "CNAME at apex" indirection + ("aliasMode") - the current code takes no account of that at all. One could +envisage implementing the equivalent of following CNAMEs in such cases, but +it's not clear if that'd be a good plan. (As of now, chrome browsers don't seem +to have any support for that "aliasMode" and we've not checked Firefox for that +recently.) + +- We have not investigated what related changes or additions might be needed + for applications using libcurl, as opposed to use of curl as a command line +tool. + +- We have not yet implemented tests as part of the usual curl test harness. + For now, we only have a ``$TOP/tests/ech_test.sh`` script that +attempts ECH with various test servers. While that is a useful test and does +find issues (e.g. with the wolfSSL build), it's nowhere near comprehensive and +we're not (as yet) sure what would be the right level of coverage. + +## WolfSSL build + +Mailing list discussion indicates that WolfSSL also supports ECH and can be +used by curl, so here's how: + +```bash + cd $HOME/code + git clone https://github.com/sftcd/wolfssl + cd wolfssl + ./autogen.sh + ./configure --prefix=$HOME/code/wolfssl/inst --enable-ech --enable-debug --enable-opensslextra + make + make install +``` + +The install prefix (``inst``) in the above causes WolfSSL to be installed there +and we seem to need that for the curl configure command to work out. The +``--enable-opensslextra`` turns out (after much faffing about;-) to be +important or else we get build problems with curl below. + +Probably, a basic WolfSSL install would work but we made a fork in +case we wanted to change something, e.g. 
see +[this issue](https://github.com/wolfSSL/wolfssl/issues/6774) or +[this bug](https://github.com/wolfSSL/wolfssl/issues/6791) - the latter +does currently require a change. + +Let's use that to build curl... + +```bash + cd $HOME/code + git clone https://github.com/sftcd/curl + cd curl + git checkout ECH-experimental + autoregen -fi + ./configure --with-wolfssl=$HOME/code/wolfssl/inst --enable-ech --enable-httpsrr + make +``` + +Right now, this works almost the same as the OpenSSL variant, but not with +[this web site](https://tls-ech.dev), (see [same +issue](https://github.com/wolfSSL/wolfssl/issues/6774), and for some reason +``--insecure`` is needed. + +To run against a localhost ``s_server`` for testing: + +```bash + cd $HOME/code/openssl/esnistuff + ./echsrv.sh -d + ... +``` + +In another window: + +```bash + cd $HOME/code/curl-wo/ + ./src/curl -vvv --insecure --connect-to foo.example.com:8443:localhost:8443 https://foo.example.com:8443/stats --ech ecl:AD7+DQA6uwAgACBix2B78sX+EQhEbxMspDOc8Z3xVS5aQpYP0Cxpc2AWPAAEAAEAAQALZXhhbXBsZS5jb20AAA== +``` + +### Changes to support WolfSSL + +There are what seem like oddball differences: + +- The DoH URL in``$HOME/.curlrc`` can use "1.1.1.1" for OpenSSL but has to be + "one.one.one.one" for WolfSSL. The latter works for both, so OK, we'll change + to that. +- There seems to be some difference in CA databases too - the WolfSSL version + doesn't like ``defo.ie``, whereas the system and OpenSSL ones do. We can ignore + that for our purposes via ``--insecure``/``-k`` but would need to fix for a + real setup. (Browsers do like those certificates though.) + +Then there are some functional code changes: + +- tweak to ``configure.ac`` to check if WolfSSL has ECH or not +- added code to ``lib/vtls/wolfssl.c`` mirroring what's done in the + OpenSSL equivalent above. +- WolfSSL doesn't support ``--ech false`` or the ``--ech pn:`` command line + argument. 
+ +The lack of support for ``--ech false`` is because wolfSSL has decided to +always at least GREASE if built to support ECH. In other words, GREASE is +a compile time choice for wolfSSL, but a run-time choice for OpenSSL or +boringssl. (Both are reasonable.) + +There's also a current +[bug/issue](https://github.com/wolfSSL/wolfssl/issues/6802) that the wolfSSL +client support for ECH seems to not correctly support HelloRetryRequest. +WolfSSL also seems to send a GREASE ECH extension regardless of the +``--ech false`` setting as of now. + +## boringssl build + +The boringssl APIs do not support the ``--ech pn:`` command line variant as +of now. + +BoringSSL is also supported by curl and also supports ECH, so to build +one of those: + +```bash + cd $HOME/code + git clone https://boringssl.googlesource.com/boringssl + cd boringssl + cmake -DCMAKE_INSTALL_PREFIX:PATH=$HOME/code/boringssl/inst -DBUILD_SHARED_LIBS=1 + make + ... + make install +``` + +Then: + +```bash + cd $HOME/code + git clone https://github.com/sftcd/curl + cd curl + git checkout ECH-experimental + automake -fi + ./configure --with-ssl=$HOME/code/boringssl/inst --enable-ech --enable-httpsrr + ...lots of output... + WARNING: ech ECH HTTPSRR enabled but marked EXPERIMENTAL. Use with caution! + make +``` + +To use that you need ``LD_LIBRARY_PATH=$HOME/code/boringssl/inst/lib`` set in +the environment, but then it works. + +## Supporting ECH without DoH + +All of the above only applies if DoH is being used. There should be a use-case +for ECH when DoH is not used by curl - if a system stub resolver supports DoT +or DoH, then, considering only ECH and the network threat model, it would make +sense for curl to support ECH without curl itself using DoH. The author for +example uses a combination of stubby+unbound as the system resolver listening +on localhost:53, so would fit this use-case. That said, it's unclear if +this is a niche that's worth trying to address. 
(The author is just as happy to +let curl use DoH to talk to the same public recursive that stubby might use:-) + +Assuming for the moment this is a use-case we'd like to support, then +if DoH is not being used by curl, it's not clear at this time how to provide +support for ECH. One option would seem to be to extend the ``c-ares`` library +to support HTTPS RRs, but in that case it's not now clear whether such changes +would be attractive to the ``c-ares`` maintainers, nor whether the "tag=value" +extensibility inherent in the HTTPS/SVCB specification is a good match for the +``c-ares`` approach of defining structures specific to decoded answers for each +supported RRtype. We're also not sure how many downstream curl deployments +actually make use of the ``c-ares`` library, which would affect the utility of +such changes. Another option might be to consider using some other generic DNS +library that does support HTTPS RRs, but it's unclear if such a library could +or would be used by all or almost all curl builds and downstream releases of +curl. + +Our current conclusion is that doing the above is likely best left until we +have some experience with the "using DoH" stuff, so we're going to punt on +this for now. + +## Debugging + +Just a note to self as remembering this is a nuisance: + +```bash +LD_LIBRARY_PATH=$HOME/code/openssl:./lib/.libs gdb ./src/.libs/curl +``` + +## Not supported so far... + +As of now we have not: + +- added support for using ``retry_config`` handling in the application - for a + command line tool, one can just use ``dig`` (or ``kdig``) to get the HTTPS + RR and pass the ECHConfigList from that on the command line, if needed + +Both our OpenSSL fork and boringssl have APIs for both controlling GREASE and +accessing and logging ``retry_configs``, it seems WolfSSL has neither. + diff --git a/docs/EXPERIMENTAL.md b/docs/EXPERIMENTAL.md index de694013d1af7a..46fdb88faa31be 100644 --- a/docs/EXPERIMENTAL.md +++ b/docs/EXPERIMENTAL.md 
@@ -22,3 +22,4 @@ Experimental support in curl means: - HTTP/3 support (using the quiche or msh3 backends) - The rustls backend - WebSocket + - Use of the HTTPS resource record and Encrypted Client Hello (ECH) when using DoH diff --git a/docs/cmdline-opts/ech.d b/docs/cmdline-opts/ech.d new file mode 100644 index 00000000000000..b33f00a195e303 --- /dev/null +++ b/docs/cmdline-opts/ech.d @@ -0,0 +1,35 @@ +c: Copyright (C) Daniel Stenberg, , et al. +SPDX-License-Identifier: curl +Long: ech +Arg: +Help: TLS Encrypted Client Hello (ECH) +Added: x.xx.x +Category: tls ECH +Example: --ech $URL +See-also: doh-url +Multi: single +--- +Configure Encrypted Client Hello (ECH) for use with the TLS session. + +Possible values for are: + +- "false": do not attempt ECH + +- "grease": send a GREASE'd ECH extension + +- "true": attempt ECH if possible, but don't fail if not + +- "hard": attempt ECH and fail if that's not possible + +- "ecl:": a base64 encoded ECHConfigList that will be used for ECH + +- "pn:": a name to use to over-ride the public_name field of an + ECHConfigList + +When multiple ``--ech`` options are supplied then the most-recent +value for true/false/hard/grease will be used, as will the most-recent +``ecl:`` value, and ``pn:`` value, if either of +those were provided. + +ECH only works with TLS 1.3 and also requires using +DoH or providing an ECHConfigList on the command line. diff --git a/docs/libcurl/opts/CURLOPT_ECH.3 b/docs/libcurl/opts/CURLOPT_ECH.3 new file mode 100644 index 00000000000000..7007bba124d7d7 --- /dev/null +++ b/docs/libcurl/opts/CURLOPT_ECH.3 
@@ -0,0 +1,73 @@ +.\" ************************************************************************** +.\" * _ _ ____ _ +.\" * Project ___| | | | _ \| | +.\" * / __| | | | |_) | | +.\" * | (__| |_| | _ <| |___ +.\" * \___|\___/|_| \_\_____| +.\" * +.\" * Copyright (C) Daniel Stenberg, , et al. +.\" * +.\" * This software is licensed as described in the file COPYING, which +.\" * you should have received as part of this distribution. The terms +.\" * are also available at https://curl.se/docs/copyright.html. +.\" * +.\" * You may opt to use, copy, modify, merge, publish, distribute and/or sell +.\" * copies of the Software, and permit persons to whom the Software is +.\" * furnished to do so, under the terms of the COPYING file. +.\" * +.\" * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY +.\" * KIND, either express or implied. +.\" * +.\" * SPDX-License-Identifier: curl +.\" * +.\" ************************************************************************** +.\" +.TH CURLOPT_ECH 3 "30 Sep 2023" libcurl libcurl +.SH NAME +CURLOPT_ECH \- configuration for Encrypted Client Hello +.SH SYNOPSIS +.nf +#include + +CURLcode curl_easy_setopt(CURL *handle, CURLOPT_ECH, char *config); +.fi +.SH DESCRIPTION +Pass a string that specifies configuration details for ECH. +In all cases, if ECH is attempted, it may fail for various reasons. +The keywords supported are: +.IP false +Turns off ECH. +.IP grease +Instructs client to emit a GREASE'd ECH extension. +.IP true +Instructs client to attempt ECH, if possible, but to not fail if attempting ECH is not possible. +.IP hard +Instructs client to attempt ECH and fail if if attempting ECH is not possible. +.IP ecl: +If the string starts with "ecl:" then the remainder of the string should be a base64-encoded +ECHConfigList that is used for ECH rather than attempting to download such a value from +the DNS. 
+.IP pn: +If the string starts with "pn:" then the remainder of the string should be a DNS/host name +that is used to over-ride the public_name field of the ECHConfigList that will be used +for ECH. +.SH DEFAULT +NULL, meaning ECH is disabled. +.SH PROTOCOLS +TLS, and requires TLS1.3. +.SH EXAMPLE +.nf +CURL *curl = curl_easy_init(); + +const char *config ="ecl:AED+DQA87wAgACB/RuzUCsW3uBbSFI7mzD63TUXpI8sGDTnFTbFCDpa+CAAEAAEAAQANY292ZXIuZGVmby5pZQAA"; +if(curl) { + curl_easy_setopt(curl, CURLOPT_ECH, config); + curl_easy_perform(curl); +} +.fi +.SH AVAILABILITY +Added in 8.6.0 +.SH RETURN VALUE +Returns CURLE_OK on success or CURLE_OUT_OF_MEMORY if there was insufficient heap space. +.SH "SEE ALSO" +.BR CURLOPT_DOH_URL (3) diff --git a/docs/libcurl/opts/Makefile.inc b/docs/libcurl/opts/Makefile.inc index be7035bf00d2b4..9e8f54c2b22989 100644 --- a/docs/libcurl/opts/Makefile.inc +++ b/docs/libcurl/opts/Makefile.inc @@ -165,6 +165,7 @@ man_MANS = \ CURLOPT_DOH_SSL_VERIFYPEER.3 \ CURLOPT_DOH_SSL_VERIFYSTATUS.3 \ CURLOPT_DOH_URL.3 \ + CURLOPT_ECH.3 \ CURLOPT_EGDSOCKET.3 \ CURLOPT_ERRORBUFFER.3 \ CURLOPT_EXPECT_100_TIMEOUT_MS.3 \ diff --git a/docs/libcurl/symbols-in-versions b/docs/libcurl/symbols-in-versions index c20008a7313d36..16035a24b7098f 100644 --- a/docs/libcurl/symbols-in-versions +++ b/docs/libcurl/symbols-in-versions @@ -616,6 +616,7 @@ CURLOPT_DOH_SSL_VERIFYHOST 7.76.0 CURLOPT_DOH_SSL_VERIFYPEER 7.76.0 CURLOPT_DOH_SSL_VERIFYSTATUS 7.76.0 CURLOPT_DOH_URL 7.62.0 +CURLOPT_ECH 8.4.0 CURLOPT_EGDSOCKET 7.7 7.84.0 CURLOPT_ENCODING 7.10 7.21.6 CURLOPT_ERRORBUFFER 7.1 diff --git a/docs/options-in-versions b/docs/options-in-versions index 0905809439c35b..f5e7bc9a0cdd87 100644 --- a/docs/options-in-versions +++ b/docs/options-in-versions @@ -55,6 +55,7 @@ --doh-insecure 7.76.0 --doh-url 7.62.0 --dump-header (-D) 5.7 +--ech 8.4.0 --egd-file 7.7 --engine 7.9.3 --etag-compare 7.68.0 
diff --git a/include/curl/curl.h b/include/curl/curl.h index eb06022501c6fb..c2e5cca30cc3b8 100644 --- a/include/curl/curl.h +++ b/include/curl/curl.h @@ -632,6 +632,9 @@ typedef enum { CURLE_SSL_CLIENTCERT, /* 98 - client-side certificate required */ CURLE_UNRECOVERABLE_POLL, /* 99 - poll/select returned fatal error */ CURLE_TOO_LARGE, /* 100 - a value/data met its maximum */ +#ifdef USE_ECH + CURLE_ECH_REQUIRED , /* 101 - ECH tried but failed */ +#endif CURL_LAST /* never use! */ } CURLcode; @@ -2205,6 +2208,8 @@ typedef enum { /* millisecond version */ CURLOPT(CURLOPT_SERVER_RESPONSE_TIMEOUT_MS, CURLOPTTYPE_LONG, 324), + /* set ECH configuration */ + CURLOPT(CURLOPT_ECH, CURLOPTTYPE_STRINGPOINT, 325), CURLOPT_LASTENTRY /* the last unused */ } CURLoption; @@ -3153,7 +3158,7 @@ typedef struct curl_version_info_data curl_version_info_data; #define CURL_VERSION_GSASL (1<<29) /* libgsasl is supported */ #define CURL_VERSION_THREADSAFE (1<<30) /* libcurl API is thread-safe */ - /* +/* * NAME curl_version_info() * * DESCRIPTION diff --git a/include/curl/typecheck-gcc.h b/include/curl/typecheck-gcc.h index b880f3dc60552e..873a49e0209840 100644 --- a/include/curl/typecheck-gcc.h +++ b/include/curl/typecheck-gcc.h @@ -275,6 +275,7 @@ CURLWARNING(_curl_easy_getinfo_err_curl_off_t, (option) == CURLOPT_DNS_LOCAL_IP6 || \ (option) == CURLOPT_DNS_SERVERS || \ (option) == CURLOPT_DOH_URL || \ + (option) == CURLOPT_ECH || \ (option) == CURLOPT_EGDSOCKET || \ (option) == CURLOPT_FTP_ACCOUNT || \ (option) == CURLOPT_FTP_ALTERNATIVE_TO_USER || \ diff --git a/lib/curl_config.h.cmake b/lib/curl_config.h.cmake index 937b93edb6d8de..5842f07eb65399 100644 --- a/lib/curl_config.h.cmake +++ b/lib/curl_config.h.cmake @@ -793,3 +793,9 @@ ${SIZEOF_TIME_T_CODE} /* Define to 1 to enable TLS-SRP support. */ #cmakedefine USE_TLS_SRP 1 + +/* Define to 1 to query for HTTPSRR when using DoH */ +#cmakedefine USE_HTTPSRR 1 + +/* if ECH support is available */ +#cmakedefine USE_ECH 1 
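Review bot: Wrapping `CURLE_ECH_REQUIRED` in `#ifdef USE_ECH` inside the public `CURLcode` enum makes the value of `CURL_LAST`, and the meaning of error number 101, depend on how libcurl was built, so an application compiled against one build's curl.h cannot rely on the numbering of another, and the matching `strerror.c` case on this page is guarded the same way. Public error codes in this header are unconditional; add `CURLE_ECH_REQUIRED, /* 101 - ECH tried but failed */` without the guard (also dropping the stray space before the comma) and keep the `USE_ECH` conditionality inside the library. The version recorded for the new symbol also differs between the hunks on this page (8.4.0 in symbols-in-versions and options-in-versions, 8.6.0 in the CURLOPT_ECH.3 man page, `x.xx.x` in ech.d); they should agree before merge.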
diff --git a/lib/doh.c b/lib/doh.c index ef32d507df2ba3..59862cb38809f0 100644 --- a/lib/doh.c +++ b/lib/doh.c @@ -42,9 +42,13 @@ #include "curl_printf.h" #include "curl_memory.h" #include "memdebug.h" +#include "escape.h" #define DNS_CLASS_IN 0x01 +/* local_print_buf truncates if the hex string will be more than this */ +#define LOCAL_PB_HEXMAX 400 + #ifndef CURL_DISABLE_VERBOSE_STRINGS static const char * const errors[]={ "", @@ -182,6 +186,26 @@ doh_write_cb(const void *contents, size_t size, size_t nmemb, void *userp) return realsize; } +#if defined(USE_HTTPSRR) && defined(CURLDEBUG) +static void local_print_buf(struct Curl_easy *data, + const char *prefix, + unsigned char *buf, size_t len) +{ + unsigned char hexstr[LOCAL_PB_HEXMAX]; + size_t hlen = LOCAL_PB_HEXMAX; + bool truncated = false; + + if(len > (LOCAL_PB_HEXMAX / 2)) + truncated = true; + Curl_hexencode(buf, len, hexstr, hlen); + if(!truncated) + infof(data, "%s: len=%d, val=%s", prefix, (int)len, hexstr); + else + infof(data, "%s: len=%d (truncated)val=%s", prefix, (int)len, hexstr); + return; +} +#endif + /* called from multi.c when this DoH transfer is complete */ static int doh_done(struct Curl_easy *doh, CURLcode result) { @@ -371,6 +395,12 @@ struct Curl_addrinfo *Curl_doh(struct Curl_easy *data, int slot; struct dohdata *dohp; struct connectdata *conn = data->conn; +#ifdef USE_HTTPSRR + /* for now, this is only used when ECH is enabled */ +# ifdef USE_ECH + char *qname = NULL; +# endif +#endif *waitp = FALSE; (void)hostname; (void)port; 
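Review bot: `local_print_buf` computes `truncated` but still hands the full `len` to `Curl_hexencode()`, so whether the 400-byte `hexstr` is respected depends entirely on `Curl_hexencode()` honouring `hlen`, which is not visible here; the threshold is also off by one, since `LOCAL_PB_HEXMAX / 2` input bytes need `LOCAL_PB_HEXMAX + 1` output bytes including the terminator. Make the bound explicit in this function rather than relying on the callee: `if(len >= LOCAL_PB_HEXMAX / 2) truncated = true;` and `Curl_hexencode(buf, truncated ? (LOCAL_PB_HEXMAX / 2) - 1 : len, hexstr, hlen);`. The later callers in this file pass `ipv4hints_len`/`ipv6hints_len` straight through, so a zero-length SvcParam reaches this with `len == 0`; if `Curl_hexencode()` asserts on an empty input in debug builds, that case wants an early `infof()` and return here too.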
@@ -410,6 +440,37 @@ struct Curl_addrinfo *Curl_doh(struct Curl_easy *data, goto error; dohp->pending++; } +#endif + +#ifdef USE_HTTPSRR + /* + * TODO: Figure out the conditions under which we want to make + * a request for an HTTPS RR when we are not doing ECH. For now, + * making this request breaks a bunch of DoH tests, e.g. test2100, + * where the addiitonal request doesn't match the pre-cooked data + * files, so there's a bit of work attached to making the request + * in a non-ECH use-case. For the present, we'll only make the + * request when ECH is enabled in the build and is being used for + * the curl operation. + */ +# ifdef USE_ECH + if(data->set.tls_ech & (1 << CURLECH_ENABLE) + || data->set.tls_ech & (1 << CURLECH_HARD)) { + if(port == 443) + qname = strdup(hostname); + else + qname = aprintf("_%d._https.%s", port, hostname); + if(!qname) + goto error; + result = dohprobe(data, &dohp->probe[DOH_PROBE_SLOT_HTTPS], + DNS_TYPE_HTTPS, qname, data->set.str[STRING_DOH], + data->multi, dohp->headers); + free(qname); + if(result) + goto error; + dohp->pending++; + } +# endif #endif *waitp = TRUE; /* this never returns synchronously */ return NULL; @@ -493,6 +554,25 @@ static DOHcode store_aaaa(const unsigned char *doh, return DOH_OK; } +#ifdef USE_HTTPSRR +static DOHcode store_https(const unsigned char *doh, + int index, + struct dohentry *d, + uint16_t len) +{ + /* silently ignore RRs over the limit */ + if(d->numhttps_rrs < DOH_MAX_HTTPS) { + struct dohhttps_rr *h = &d->https_rrs[d->numhttps_rrs]; + h->val = Curl_memdup(&doh[index], len); + if(!h->val) + return DOH_OUT_OF_MEM; + h->len = len; + d->numhttps_rrs++; + } + return DOH_OK; +} +#endif + static DOHcode store_cname(const unsigned char *doh, size_t dohlen, unsigned int index, 
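Review bot: The new HTTPS probe is counted in `dohp->pending` and stored in a third `rc[]` slot exactly like the address probes, but an HTTPS RR lookup fails far more often than an A/AAAA one: most names have no HTTPS RR (NODATA, which decodes to `DOH_NO_CONTENT`), and the `_port._https.` owner name used for non-443 ports is frequently NXDOMAIN. The slot-result handling in `Curl_doh_is_resolved` is outside this hunk, so I cannot see whether a non-OK HTTPS slot is treated as advisory; if it is not, `--ech true` makes every such host unresolvable. Whichever is intended, a comment at the `dohp->pending++` for this slot, `/* a failed HTTPS probe must not fail the address resolve */`, would make the contract visible. In `store_https` the RRs past `DOH_MAX_HTTPS` are dropped with no trace at all; counting them so that `showdoh` can report the truncation would make an oversized answer debuggable.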
@@ -555,7 +635,8 @@ static DOHcode rdata(const unsigned char *doh, /* RDATA - A (TYPE 1): 4 bytes - AAAA (TYPE 28): 16 bytes - - NS (TYPE 2): N bytes */ + - NS (TYPE 2): N bytes + - HTTPS (TYPE 65): N bytes */ DOHcode rc; switch(type) { @@ -573,6 +654,13 @@ static DOHcode rdata(const unsigned char *doh, if(rc) return rc; break; +#ifdef USE_HTTPSRR + case DNS_TYPE_HTTPS: + rc = store_https(doh, index, d, rdlength); + if(rc) + return rc; + break; +#endif case DNS_TYPE_CNAME: rc = store_cname(doh, dohlen, index, d); if(rc) @@ -729,7 +817,11 @@ UNITTEST DOHcode doh_decode(const unsigned char *doh, if(index != dohlen) return DOH_DNS_MALFORMAT; /* something is wrong */ +#ifdef USE_HTTTPS + if((type != DNS_TYPE_NS) && !d->numcname && !d->numaddr && !d->numhttps_rrs) +#else if((type != DNS_TYPE_NS) && !d->numcname && !d->numaddr) +#endif /* nothing stored! */ return DOH_NO_CONTENT; @@ -768,6 +860,16 @@ static void showdoh(struct Curl_easy *data, infof(data, "%s", buffer); } } +#ifdef USE_HTTPSRR + for(i = 0; i < d->numhttps_rrs; i++) { +# ifdef CURLDEBUG + local_print_buf(data, "DoH HTTPS", + d->https_rrs[i].val, d->https_rrs[i].len); +# else + infof(data, "DoH HTTPS RR: length %d", d->https_rrs[i].len); +# endif + } +#endif for(i = 0; i < d->numcname; i++) { infof(data, "CNAME: %s", Curl_dyn_ptr(&d->cname[i])); } @@ -887,7 +989,18 @@ static CURLcode doh2ai(const struct dohentry *de, const char *hostname, #ifndef CURL_DISABLE_VERBOSE_STRINGS static const char *type2name(DNStype dnstype) { - return (dnstype == DNS_TYPE_A)?"A":"AAAA"; + switch(dnstype) { + case DNS_TYPE_A: + return "A"; + case DNS_TYPE_AAAA: + return "AAAA"; +#ifdef USE_HTTPSRR + case DNS_TYPE_HTTPS: + return "HTTPS"; +#endif + default: + return "unknown"; + } } #endif 
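Review bot: The new guard in `doh_decode` reads `#ifdef USE_HTTTPS` (three T's), which matches no macro on this page, so the `!d->numhttps_rrs` branch is never compiled and a response carrying only HTTPS RRs is still rejected as `DOH_NO_CONTENT`; it should be `#ifdef USE_HTTPSRR` like the other guards in this file. The `store_https` call in `rdata()` trusts that `index + rdlength` has already been checked against `dohlen` by the caller, which is outside these hunks; a one-line comment at the case, `/* caller has verified index + rdlength <= dohlen */`, would pin that assumption where the copy happens.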
@@ -897,8 +1010,274 @@ UNITTEST void de_cleanup(struct dohentry *d) for(i = 0; i < d->numcname; i++) { Curl_dyn_free(&d->cname[i]); } +#ifdef USE_HTTPSRR + for(i = 0; i < d->numhttps_rrs; i++) + free(d->https_rrs[i].val); +#endif +} + +#ifdef USE_HTTPSRR + +/* + * @brief decode the DNS name in a binary RRData + * @param buf points to the buffer (in/out) + * @param remaining points to the remaining buffer length (in/out) + * @param dnsname returns the string form name on success + * @return is 1 for success, error otherwise + * + * The encoding here is defined in + * https://tools.ietf.org/html/rfc1035#section-3.1 + * + * The input buffer pointer will be modified so it points to + * just after the end of the DNS name encoding on output. (And + * that's why it's an "unsigned char **" :-) + */ +static CURLcode local_decode_rdata_name(unsigned char **buf, size_t *remaining, + char **dnsname) +{ + unsigned char *cp = NULL; + size_t rem = 0; + char *thename = NULL, *tp = NULL; + unsigned char clen = 0; /* chunk len */ + + if(!buf || !remaining || !dnsname) + return CURLE_OUT_OF_MEMORY; + rem = *remaining; + thename = calloc(1, CURL_MAXLEN_host_name); + if(!thename) + return CURLE_OUT_OF_MEMORY; + cp = *buf; + tp = thename; + clen = *cp++; + if(clen == 0) { + /* special case - return "." 
as name */ + thename[0] = '.'; + thename[1] = 0x00; + } + while(clen) { + if(clen > rem) { + free(thename); + return CURLE_OUT_OF_MEMORY; + } + if(((tp - thename) + clen) > CURL_MAXLEN_host_name) { + free(thename); + return CURLE_OUT_OF_MEMORY; + } + memcpy(tp, cp, clen); + tp += clen; + *tp++ = '.'; + cp += clen; + rem -= (clen + 1); + clen = *cp++; + } + *buf = cp; + *remaining = rem - 1; + *dnsname = thename; + return CURLE_OK; +} + +static CURLcode local_decode_rdata_alpn(unsigned char *rrval, size_t len, + char **alpns) +{ + /* + * spec here is as per draft-ietf-dnsop-svcb-https, section-7.1.1 + * encoding is catenated list of strings each preceded by a one + * octet length + * output is comma-sep list of the strings + * implementations may or may not handle quoting of comma within + * string values, so we might see a comma within the wire format + * version of a string, in which case we'll precede that by a + * backslash - same goes for a backslash character, and of course + * we need to use two backslashes in strings when we mean one;-) + */ + int remaining = (int) len; + char *oval; + size_t olen = 0, i; + unsigned char *cp = rrval; + struct dynbuf dval; + + if(!alpns) + return CURLE_OUT_OF_MEMORY; + Curl_dyn_init(&dval, DYN_DOH_RESPONSE); + remaining = (int)len; + cp = rrval; + while(remaining > 0) { + size_t tlen = (size_t) *cp++; + + /* if not 1st time, add comma */ + if(remaining != (int)len && Curl_dyn_addn(&dval, ",", 1)) + goto err; + remaining--; + if(tlen > (size_t)remaining) + goto err; + /* add escape char if needed, clunky but easier to read */ + for(i = 0; i != tlen; i++) { + if('\\' == *cp || ',' == *cp) { + if(Curl_dyn_addn(&dval, "\\", 1)) + goto err; + } + if(Curl_dyn_addn(&dval, cp++, 1)) + goto err; + } + remaining -= (int)tlen; + } + olen = Curl_dyn_len(&dval); + /* I think the + 1 here is ok but it could trigger a read error */ + oval = (char *)Curl_memdup(Curl_dyn_ptr(&dval), olen + 1); + if(!oval) + goto err; + Curl_dyn_free(&dval); + 
oval[olen]='\0'; + *alpns = oval; + return CURLE_OK; +err: + Curl_dyn_free(&dval); + return CURLE_BAD_CONTENT_ENCODING; +} + +#ifdef CURLDEBUG +static CURLcode test_alpn_escapes(void) +{ + /* we'll use an example from draft-ietf-dnsop-svcb, figure 10 */ + static unsigned char example[] = { + 0x08, /* length 8 */ + 0x66, 0x5c, 0x6f, 0x6f, 0x2c, 0x62, 0x61, 0x72, /* value "f\\oo,bar" */ + 0x02, /* length 2 */ + 0x68, 0x32 /* value "h2" */ + }; + size_t example_len = sizeof(example); + char *aval = NULL; + static const char *expected = "f\\\\oo\\,bar,h2"; + + if(local_decode_rdata_alpn(example, example_len, &aval) != CURLE_OK) + return CURLE_BAD_CONTENT_ENCODING; + if(strlen(aval) != strlen(expected)) + return CURLE_BAD_CONTENT_ENCODING; + if(memcmp(aval, expected, strlen(aval))) + return CURLE_BAD_CONTENT_ENCODING; + return CURLE_OK; +} +#endif + +static CURLcode Curl_doh_decode_httpsrr(unsigned char *rrval, size_t len, + struct Curl_https_rrinfo **hrr) +{ + size_t remaining = len; + unsigned char *cp = rrval; + uint16_t pcode = 0, plen = 0; + struct Curl_https_rrinfo *lhrr = NULL; + char *dnsname = NULL; + +#ifdef CURLDEBUG + /* a few tests of escaping, shouldn't be here but ok for now */ + if(test_alpn_escapes() != CURLE_OK) + return CURLE_OUT_OF_MEMORY; +#endif + lhrr = calloc(1, sizeof(struct Curl_https_rrinfo)); + if(!lhrr) + return CURLE_OUT_OF_MEMORY; + lhrr->val = calloc(1, len); + if(!lhrr->val) + goto err; + lhrr->len = len; + memcpy(lhrr->val, rrval, len); + if(remaining <= 2) + goto err; + lhrr->priority = (uint16_t)((cp[0] << 8) + cp[1]); + cp += 2; + remaining -= (uint16_t)2; + if(local_decode_rdata_name(&cp, &remaining, &dnsname) != CURLE_OK) + goto err; + lhrr->target = dnsname; + while(remaining >= 4) { + pcode = (uint16_t)((*cp << 8) + (*(cp + 1))); + cp += 2; + plen = (uint16_t)((*cp << 8) + (*(cp + 1))); + cp += 2; + remaining -= 4; + if(pcode == HTTPS_RR_CODE_ALPN) { + if(local_decode_rdata_alpn(cp, plen, &lhrr->alpns) != CURLE_OK) + goto err; + 
} + if(pcode == HTTPS_RR_CODE_NO_DEF_ALPN) + lhrr->no_def_alpn = TRUE; + else if(pcode == HTTPS_RR_CODE_IPV4) { + lhrr->ipv4hints = Curl_memdup(cp, plen); + if(!lhrr->ipv4hints) + goto err; + lhrr->ipv4hints_len = (size_t)plen; + } + else if(pcode == HTTPS_RR_CODE_ECH) { + lhrr->echconfiglist = Curl_memdup(cp, plen); + if(!lhrr->echconfiglist) + goto err; + lhrr->echconfiglist_len = (size_t)plen; + } + else if(pcode == HTTPS_RR_CODE_IPV6) { + lhrr->ipv6hints = Curl_memdup(cp, plen); + if(!lhrr->ipv6hints) + goto err; + lhrr->ipv6hints_len = (size_t)plen; + } + if(plen > 0 && plen <= remaining) { + cp += plen; + remaining -= plen; + } + } + DEBUGASSERT(!remaining); + *hrr = lhrr; + return CURLE_OK; +err: + if(lhrr) { + if(lhrr->target) + free(lhrr->target); + if(lhrr->echconfiglist) + free(lhrr->echconfiglist); + if(lhrr->val) + free(lhrr->val); + free(lhrr); + } + return CURLE_OUT_OF_MEMORY; } +# ifdef CURLDEBUG +static void local_print_httpsrr(struct Curl_easy *data, + struct Curl_https_rrinfo *hrr) +{ + DEBUGASSERT(hrr); + infof(data, "HTTPS RR: priority %d, target: %s", + hrr->priority, hrr->target); + if(hrr->alpns) + infof(data, "HTTPS RR: alpns %s", hrr->alpns); + else + infof(data, "HTTPS RR: no alpns"); + if(hrr->no_def_alpn) + infof(data, "HTTPS RR: no_def_alpn set"); + else + infof(data, "HTTPS RR: no_def_alpn not set"); + if(hrr->ipv4hints) { + local_print_buf(data, "HTTPS RR: ipv4hints", + hrr->ipv4hints, hrr->ipv4hints_len); + } + else + infof(data, "HTTPS RR: no ipv4hints"); + if(hrr->echconfiglist) { + local_print_buf(data, "HTTPS RR: ECHConfigList", + hrr->echconfiglist, hrr->echconfiglist_len); + } + else + infof(data, "HTTPS RR: no ECHConfigList"); + if(hrr->ipv6hints) { + local_print_buf(data, "HTTPS RR: ipv6hint", + hrr->ipv6hints, hrr->ipv6hints_len); + } + else + infof(data, "HTTPS RR: no ipv6hints"); + return; +} +# endif +#endif + CURLcode Curl_doh_is_resolved(struct Curl_easy *data, struct Curl_dns_entry **dnsp) { 
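Review bot: `local_decode_rdata_name` and `Curl_doh_decode_httpsrr` can read past the RDATA they are given, which is DNS-sourced input. In the name decoder the check `clen > rem` ignores the one length octet already consumed and the next one the loop will read, so a name whose last label exactly fills the buffer reads one byte beyond it and then `*remaining = rem - 1` wraps to `SIZE_MAX`; the host-name bound likewise allows `tp - thename + clen == CURL_MAXLEN_host_name` and then writes the `'.'` at index 253 of a 253-byte buffer. In the SvcParam loop `plen` is used for `Curl_memdup()`/`local_decode_rdata_alpn()` before the `plen <= remaining` test at the bottom, so an oversized length reads beyond the RR. Every malformed-input path also reports `CURLE_OUT_OF_MEMORY`, which misleads anyone reading the error, and the `err:` label does not free `alpns`, `ipv4hints` or `ipv6hints` although `freednsentry` on this page does; the checks below, plus `CURLE_BAD_CONTENT_ENCODING` (already used by the ALPN decoder) for format errors, fix the bounds. Separately, `Curl_doh_decode_httpsrr` is `static`, so by this file's convention it should not carry the `Curl_` prefix.
```c
  /* … unchanged: argument checks, calloc of thename … */
  if(rem < 1) {
    free(thename);
    return CURLE_BAD_CONTENT_ENCODING;
  }
  clen = *cp++;
  /* … unchanged: "." special case … */
  while(clen) {
    /* need clen label octets plus the next length octet after the one read */
    if((size_t)clen + 2 > rem) {
      free(thename);
      return CURLE_BAD_CONTENT_ENCODING;
    }
    /* leave room for the trailing '.' and the NUL terminator */
    if(((tp - thename) + clen + 2) > CURL_MAXLEN_host_name) {
      free(thename);
      return CURLE_BAD_CONTENT_ENCODING;
    }
    /* … unchanged: memcpy, advance cp/tp/rem, read next clen … */
  }

  /* … unchanged: Curl_doh_decode_httpsrr up to the SvcParam loop … */
  while(remaining >= 4) {
    pcode = (uint16_t)((*cp << 8) + (*(cp + 1)));
    cp += 2;
    plen = (uint16_t)((*cp << 8) + (*(cp + 1)));
    cp += 2;
    remaining -= 4;
    if(plen > remaining)
      goto err; /* SvcParamValue runs past the end of the RDATA */
    /* … unchanged: per-pcode handling … */
    cp += plen;
    remaining -= plen;
  }
```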
@@ -915,9 +1294,15 @@ CURLcode Curl_doh_is_resolved(struct Curl_easy *data, CURLE_COULDNT_RESOLVE_HOST; } else if(!dohp->pending) { +#ifndef USE_HTTPSRR DOHcode rc[DOH_PROBE_SLOTS] = { DOH_OK, DOH_OK }; +#else + DOHcode rc[DOH_PROBE_SLOTS] = { + DOH_OK, DOH_OK, DOH_OK + }; +#endif struct dohentry de; int slot; /* remove DoH handles from multi handle and close them */ @@ -980,6 +1365,22 @@ CURLcode Curl_doh_is_resolved(struct Curl_easy *data, } /* address processing done */ /* Now process any build-specific attributes retrieved from DNS */ +#ifdef USE_HTTPSRR + if(de.numhttps_rrs > 0 && result == CURLE_OK && *dnsp) { + struct Curl_https_rrinfo *hrr = NULL; + result = Curl_doh_decode_httpsrr(de.https_rrs->val, de.https_rrs->len, + &hrr); + if(result) { + infof(data, "Failed to decode HTTPS RR"); + return result; + } + infof(data, "Some HTTPS RR to process"); +# ifdef CURLDEBUG + local_print_httpsrr(data, hrr); +# endif + (*dnsp)->hinfo = hrr; + } +#endif /* All done */ de_cleanup(&de); diff --git a/lib/doh.h b/lib/doh.h index 7d7b694f33add7..b8e9063c4e79aa 100644 --- a/lib/doh.h +++ b/lib/doh.h @@ -26,6 +26,9 @@ #include "urldata.h" #include "curl_addrinfo.h" +#ifdef USE_HTTPSRR +# include +#endif #ifndef CURL_DISABLE_DOH @@ -51,7 +54,8 @@ typedef enum { DNS_TYPE_NS = 2, DNS_TYPE_CNAME = 5, DNS_TYPE_AAAA = 28, - DNS_TYPE_DNAME = 39 /* RFC6672 */ + DNS_TYPE_DNAME = 39, /* RFC6672 */ + DNS_TYPE_HTTPS = 65 } DNStype; /* one of these for each DoH request */ @@ -88,6 +92,7 @@ int Curl_doh_getsock(struct connectdata *conn, curl_socket_t *socks); #define DOH_MAX_ADDR 24 #define DOH_MAX_CNAME 4 +#define DOH_MAX_HTTPS 4 struct dohaddr { int type; 
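Review bot: On a decode failure the new block in `Curl_doh_is_resolved` returns without `de_cleanup(&de)`, leaking the `cname` dynbufs and the `https_rrs` copies, and because it returns the error after the address probes have already populated `*dnsp`, a single malformed HTTPS RR turns a resolvable host into a failed resolve; `infof()` and fall through to the cleanup instead of `return result`. Only `de.https_rrs->val`, the first record in answer order, is decoded, while an HTTPS RRset is ordered by SvcPriority (lowest wins) and a priority-0 AliasMode record carries no SvcParams at all; selecting the lowest non-zero priority across `de.numhttps_rrs`, or at least a comment stating that only the first record is used, belongs here. The `rc[]` initialiser in the earlier hunk of this function is fine only if `DOH_PROBE_SLOTS` becomes 3 under `USE_HTTPSRR`, which the `enum doh_slots` change on this page presumably provides.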
@@ -97,12 +102,44 @@ struct dohaddr { } ip; }; +#ifdef USE_HTTPSRR + +/* + * These are the code points for DNS wire format SvcParams as + * per draft-ietf-dnsop-svcb-https + * Not all are supported now, and even those that are may need + * more work in future to fully support the spec. + */ +#define HTTPS_RR_CODE_ALPN 0x01 +#define HTTPS_RR_CODE_NO_DEF_ALPN 0x02 +#define HTTPS_RR_CODE_PORT 0x03 +#define HTTPS_RR_CODE_IPV4 0x04 +#define HTTPS_RR_CODE_ECH 0x05 +#define HTTPS_RR_CODE_IPV6 0x06 + +/* + * These may need escaping when found within an alpn string + * value. + */ +#define COMMA_CHAR ',' +#define BACKSLASH_CHAR '\\' + +struct dohhttps_rr { + uint16_t len; /* raw encoded length */ + unsigned char *val; /* raw encoded octets */ +}; +#endif + struct dohentry { struct dynbuf cname[DOH_MAX_CNAME]; struct dohaddr addr[DOH_MAX_ADDR]; int numaddr; unsigned int ttl; int numcname; +#ifdef USE_HTTPSRR + struct dohhttps_rr https_rrs[DOH_MAX_HTTPS]; + int numhttps_rrs; +#endif }; diff --git a/lib/easyoptions.c b/lib/easyoptions.c index da4c6111a3b7d0..ad2a1df120db5c 100644 --- a/lib/easyoptions.c +++ b/lib/easyoptions.c @@ -86,6 +86,7 @@ struct curl_easyoption Curl_easyopts[] = { {"DOH_SSL_VERIFYPEER", CURLOPT_DOH_SSL_VERIFYPEER, CURLOT_LONG, 0}, {"DOH_SSL_VERIFYSTATUS", CURLOPT_DOH_SSL_VERIFYSTATUS, CURLOT_LONG, 0}, {"DOH_URL", CURLOPT_DOH_URL, CURLOT_STRING, 0}, + {"ECH", CURLOPT_ECH, CURLOT_STRING, 0}, {"EGDSOCKET", CURLOPT_EGDSOCKET, CURLOT_STRING, 0}, {"ENCODING", CURLOPT_ACCEPT_ENCODING, CURLOT_STRING, CURLOT_FLAG_ALIAS}, {"ERRORBUFFER", CURLOPT_ERRORBUFFER, CURLOT_OBJECT, 0}, diff --git a/lib/hostip.c b/lib/hostip.c index 4f44d348f6e572..aa57887975a276 100644 --- a/lib/hostip.c +++ b/lib/hostip.c 
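Review bot: `COMMA_CHAR` and `BACKSLASH_CHAR` are defined here as the characters that need escaping, but `local_decode_rdata_alpn` in doh.c compares against the literals `'\\'` and `','`; either use the macros there or drop them, so the escaping rule has one definition. `HTTPS_RR_CODE_PORT` is also defined but never consumed by the decoder on this page, so a `port` SvcParam is silently ignored; a `/* TODO: port SvcParam is parsed past, not acted on */` next to it would keep that from reading as supported. `struct dohhttps_rr` duplicates the `len`/`val` pair that `struct Curl_https_rrinfo` in hostip.h carries as well; if both copies are intended (raw wire copy per slot vs decoded record), the comment should say so.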
@@ -1070,6 +1070,23 @@ static void freednsentry(void *freethis) dns->inuse--; if(dns->inuse == 0) { Curl_freeaddrinfo(dns->addr); +#ifdef USE_HTTPSRR + if(dns->hinfo) { + if(dns->hinfo->target) + free(dns->hinfo->target); + if(dns->hinfo->alpns) + free(dns->hinfo->alpns); + if(dns->hinfo->ipv4hints) + free(dns->hinfo->ipv4hints); + if(dns->hinfo->echconfiglist) + free(dns->hinfo->echconfiglist); + if(dns->hinfo->ipv6hints) + free(dns->hinfo->ipv6hints); + if(dns->hinfo->val) + free(dns->hinfo->val); + free(dns->hinfo); + } +#endif free(dns); } } diff --git a/lib/hostip.h b/lib/hostip.h index fb53a5776bcb87..66a57cc8e476af 100644 --- a/lib/hostip.h +++ b/lib/hostip.h @@ -32,6 +32,10 @@ #include +#ifdef USE_HTTPSRR +# include +#endif + /* Allocate enough memory to hold the full name information structs and * everything. OSF1 is known to require at least 8872 bytes. The buffer * required for storing all possible aliases and IP numbers is according to @@ -58,8 +62,32 @@ struct connectdata; */ struct Curl_hash *Curl_global_host_cache_init(void); +#ifdef USE_HTTPSRR + +#define CURL_MAXLEN_host_name 253 + +struct Curl_https_rrinfo { + size_t len; /* raw encoded length */ + unsigned char *val; /* raw encoded octets */ + /* fields from HTTPS RR */ + uint16_t priority; + char *target; + char *alpns; + bool no_def_alpn; + unsigned char *ipv4hints; + size_t ipv4hints_len; + unsigned char *echconfiglist; + size_t echconfiglist_len; + unsigned char *ipv6hints; + size_t ipv6hints_len; +}; +#endif + struct Curl_dns_entry { struct Curl_addrinfo *addr; +#ifdef USE_HTTPSRR + struct Curl_https_rrinfo *hinfo; +#endif /* timestamp == 0 -- permanent CURLOPT_RESOLVE entry (doesn't time out) */ time_t timestamp; /* use-counter, use Curl_resolv_unlock to release reference */ diff --git a/lib/setopt.c b/lib/setopt.c index e5614cd35140d7..8f3751cef92042 100644 --- a/lib/setopt.c +++ b/lib/setopt.c 
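Review bot: The `hinfo` teardown in `freednsentry` is the only place that frees all six owned buffers, while the `err:` path of `Curl_doh_decode_httpsrr` in doh.c frees only three of them; a single `Curl_httpsrr_cleanup(struct Curl_https_rrinfo *)` helper next to the decoder, called from both places, would keep the two in step when a field is added. The `if(x) free(x)` guards are redundant since `free(NULL)` is a no-op, and the file's style elsewhere is plain `free()` or `Curl_safefree()`. The `hinfo` member added to `struct Curl_dns_entry` in hostip.h is only assigned in the DoH path, so every other allocator of a `Curl_dns_entry` must zero it for this free to be safe; presumably they use `calloc`, but that is outside these hunks and worth confirming.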
@@ -3133,6 +3133,49 @@ CURLcode Curl_vsetopt(struct Curl_easy *data, CURLoption option, va_list param)
 data->set.ws_raw_mode = raw;
 break;
 }
+#endif
+#ifdef USE_ECH
+ case CURLOPT_ECH: {
+ size_t plen = 0;
+
+ argptr = va_arg(param, char *);
+ if(!argptr) {
+ data->set.tls_ech = CURLECH_DISABLE;
+ result = CURLE_BAD_FUNCTION_ARGUMENT;
+ return result;
+ }
+ plen = strlen(argptr);
+ if(plen > CURL_MAX_INPUT_LENGTH) {
+ data->set.tls_ech = CURLECH_DISABLE;
+ result = CURLE_BAD_FUNCTION_ARGUMENT;
+ return result;
+ }
+ /* set tls_ech flag value, preserving CLA_CFG bit */
+ if(plen == 5 && strcasecompare(argptr, "FALSE"))
+ data->set.tls_ech = (1 << CURLECH_DISABLE)
+ | (data->set.tls_ech & (1 << CURLECH_CLA_CFG));
+ else if(plen == 6 && strcasecompare(argptr, "GREASE"))
+ data->set.tls_ech = (1 << CURLECH_GREASE)
+ | (data->set.tls_ech & (1 << CURLECH_CLA_CFG));
+ else if(plen == 4 && strcasecompare(argptr, "TRUE"))
+ data->set.tls_ech = (1 << CURLECH_ENABLE)
+ | (data->set.tls_ech & (1 << CURLECH_CLA_CFG));
+ else if(plen == 4 && strcasecompare(argptr, "HARD"))
+ data->set.tls_ech = (1 << CURLECH_HARD)
+ | (data->set.tls_ech & (1 << CURLECH_CLA_CFG));
+ else if(plen > 5 && strncasecompare(argptr, "ECL:", 4)) {
+ result = Curl_setstropt(&data->set.str[STRING_ECH_CONFIG], argptr + 4);
+ if(result)
+ return result;
+ data->set.tls_ech |= (1 << CURLECH_CLA_CFG);
+ }
+ else if(plen > 4 && strncasecompare(argptr, "PN:", 3)) {
+ result = Curl_setstropt(&data->set.str[STRING_ECH_PUBLIC], argptr + 3);
+ if(result)
+ return result;
+ }
+ break;
+ }
 #endif
 case CURLOPT_QUICK_EXIT:
 data->set.quick_exit = (0 != va_arg(param, long)) ? 1L:0L;
diff --git a/lib/strerror.c b/lib/strerror.c
index a900e78d151d46..e7d54905aead9f 100644
--- a/lib/strerror.c
+++ b/lib/strerror.c
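Review bot: A value that matches none of the keywords or prefixes falls out of the `if`/`else if` chain and `break`s with `CURLE_OK`, so a typo such as `--ech hrad` silently leaves ECH unconfigured; close the chain with `else return CURLE_BAD_FUNCTION_ARGUMENT;`, which also covers the one-character `ecl:x`/`pn:x` values that the `plen > 5`/`plen > 4` tests currently drop without a word. Passing NULL returns `CURLE_BAD_FUNCTION_ARGUMENT` too, but the CURLOPT_ECH.3 page in this same commit lists NULL as the default meaning ECH is disabled, and string options in this function otherwise accept NULL as a reset; clearing `STRING_ECH_CONFIG`/`STRING_ECH_PUBLIC` via `Curl_setstropt(..., NULL)`, setting `tls_ech = 0` and returning `CURLE_OK` would match the documentation, which also only promises `CURLE_OK` or `CURLE_OUT_OF_MEMORY`. The `plen > CURL_MAX_INPUT_LENGTH` check duplicates what `Curl_setstropt()` already enforces. Note that `CURLECH_DISABLE` is stored as the bare value 0 in the two early returns but as `(1 << CURLECH_DISABLE)` below; that only works because `ECH_ENABLED()` in openssl.c tests both `tls_ech` being non-zero and the DISABLE bit, so use one form consistently.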
@@ -322,6 +322,11 @@ curl_easy_strerror(CURLcode error) case CURLE_TOO_LARGE: return "A value or data field grew larger than allowed"; +#ifdef USE_ECH + case CURLE_ECH_REQUIRED: + return "ECH attempted but failed"; +#endif + /* error codes not used by current libcurl */ case CURLE_OBSOLETE20: case CURLE_OBSOLETE24: diff --git a/lib/urldata.h b/lib/urldata.h index fabc30ea4b1d94..ba73015fda8b3c 100644 --- a/lib/urldata.h +++ b/lib/urldata.h @@ -53,6 +53,15 @@ #define PORT_GOPHER 70 #define PORT_MQTT 1883 +#ifdef USE_ECH +/* CURLECH_ bits for the tls_ech option */ +# define CURLECH_DISABLE 0 +# define CURLECH_GREASE 1 +# define CURLECH_ENABLE 2 +# define CURLECH_HARD 3 +# define CURLECH_CLA_CFG 4 +#endif + #ifdef USE_WEBSOCKETS /* CURLPROTO_GOPHERS (29) is the highest publicly used protocol bit number, * the rest are internal information. If we use higher bits we only do this on @@ -636,6 +645,9 @@ enum doh_slots { DOH_PROBE_SLOT_IPADDR_V6 = 1, /* 'V6' likewise */ /* Space here for (possibly build-specific) additional slot definitions */ +#ifdef USE_HTTPSRR + DOH_PROBE_SLOT_HTTPS = 2, /* for HTTPS RR */ +#endif /* for example */ /* #ifdef WANT_DOH_FOOBAR_TXT */ @@ -1615,6 +1627,8 @@ enum dupstring { STRING_SSL_EC_CURVES, STRING_AWS_SIGV4, /* Parameters for V4 signature */ STRING_HAPROXY_CLIENT_IP, /* CURLOPT_HAPROXY_CLIENT_IP */ + STRING_ECH_CONFIG, /* CURLOPT_ECH_CONFIG */ + STRING_ECH_PUBLIC, /* CURLOPT_ECH_PUBLIC */ /* -- end of null-terminated strings -- */ @@ -1928,6 +1942,9 @@ struct UserDefined { #ifdef USE_WEBSOCKETS BIT(ws_raw_mode); #endif +#ifdef USE_ECH + int tls_ech; /* TLS ECH configuration */ +#endif }; struct Names { diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c index c8ec76a1d136d4..3a603eee3d4dcc 100644 --- a/lib/vtls/openssl.c +++ b/lib/vtls/openssl.c 
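Review bot: The comments on the two new `dupstring` entries, `/* CURLOPT_ECH_CONFIG */` and `/* CURLOPT_ECH_PUBLIC */`, name options that do not exist; both strings are filled by `CURLOPT_ECH` via the `ecl:` and `pn:` prefixes in the setopt.c hunk, so `/* CURLOPT_ECH "ecl:" value: base64 ECHConfigList */` and `/* CURLOPT_ECH "pn:" value: outer public_name override */` would send the reader to the right place. The `CURLECH_*` values are bit positions used as `1 << CURLECH_x` everywhere on this page except the NULL/too-long branches in setopt.c, which store `CURLECH_DISABLE` (0) directly; a comment on the `int tls_ech` field stating that it is a bitmask of `1 << CURLECH_*` and that 0 means "never set" would make that convention explicit.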
@@ -82,6 +82,17 @@ #include #include +#ifdef USE_ECH +# ifndef OPENSSL_IS_BORINGSSL +# include +# endif +# include "curl_base64.h" +# define ECH_ENABLED(__data__) \ + (__data__->set.tls_ech && \ + !(__data__->set.tls_ech & (1 << CURLECH_DISABLE))\ + ) +#endif /* USE_ECH */ + #if (OPENSSL_VERSION_NUMBER >= 0x0090808fL) && !defined(OPENSSL_NO_OCSP) #include #endif 
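Review bot: `ECH_ENABLED(__data__)` uses a double-underscore identifier, which C reserves for the implementation; name the macro parameter `data` or `d`. The macro also deserves a line saying what it answers, e.g. `/* ECH configured and not explicitly disabled: true for grease, true, hard and a bare ecl: */`, since `tls_ech` is a bitmask and a reader otherwise has to go to setopt.c to learn that an `ecl:` value alone switches it on.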
@@ -3799,6 +3810,136 @@ static CURLcode ossl_connect_step1(struct Curl_cfilter *cf, return CURLE_SSL_CONNECT_ERROR; } } + +#ifdef USE_ECH + if(ECH_ENABLED(data)) { + unsigned char *ech_config = NULL; + size_t ech_config_len = 0; + char *outername = data->set.str[STRING_ECH_PUBLIC]; + int trying_ech_now = 0; + + if(data->set.tls_ech & (1 << CURLECH_GREASE)) { + infof(data, "ECH: will GREASE ClientHello"); +# ifdef OPENSSL_IS_BORINGSSL + SSL_set_enable_ech_grease(backend->handle, 1); +# else + SSL_set_options(backend->handle, SSL_OP_ECH_GREASE); +# endif + } + else if(data->set.tls_ech & (1 << CURLECH_CLA_CFG)) { +# ifdef OPENSSL_IS_BORINGSSL + /* have to do base64 decode here for boring */ + const char *b64 = data->set.str[STRING_ECH_CONFIG]; + + if(!b64) { + infof(data, "ECH: ECHConfig from command line empty"); + return CURLE_SSL_CONNECT_ERROR; + } + ech_config_len = 2 * strlen(b64); + result = Curl_base64_decode(b64, &ech_config, &ech_config_len); + if(result || !ech_config) { + infof(data, "ECH: can't base64 decode ECHConfig from command line"); + if(data->set.tls_ech & (1 << CURLECH_HARD)) + return result; + } + if(SSL_set1_ech_config_list(backend->handle, + ech_config, ech_config_len) != 1) { + infof(data, "ECH: SSL_ECH_set1_echconfig failed"); + if(data->set.tls_ech & (1 << CURLECH_HARD)) { + free(ech_config); + return CURLE_SSL_CONNECT_ERROR; + } + } + free(ech_config); + trying_ech_now = 1; +# else + ech_config = (unsigned char *) data->set.str[STRING_ECH_CONFIG]; + if(!ech_config) { + infof(data, "ECH: ECHConfig from command line empty"); + return CURLE_SSL_CONNECT_ERROR; + } + infof(data, "ECH: ECHConfig from command line"); + ech_config_len = strlen(data->set.str[STRING_ECH_CONFIG]); + if(SSL_ech_set1_echconfig(backend->handle, + ech_config, ech_config_len) != 1) { + infof(data, "ECH: SSL_ECH_set1_echconfig failed"); + if(data->set.tls_ech & (1 << CURLECH_HARD)) + return CURLE_SSL_CONNECT_ERROR; + } + else + trying_ech_now = 1; +# endif + } + else { + 
struct Curl_dns_entry *dns = NULL; + + dns = Curl_fetch_addr(data, connssl->hostname, connssl->port); + if(!dns) { + infof(data, "ECH: requested but no DNS info available"); + if(data->set.tls_ech & (1 << CURLECH_HARD)) + return CURLE_SSL_CONNECT_ERROR; + } + else { + struct Curl_https_rrinfo *rinfo = NULL; + + rinfo = dns->hinfo; + if(rinfo && rinfo->echconfiglist) { + unsigned char *ecl = rinfo->echconfiglist; + size_t elen = rinfo->echconfiglist_len; + + infof(data, "ECH: ECHConfig from DoH HTTPS RR"); +# ifndef OPENSSL_IS_BORINGSSL + if(SSL_ech_set1_echconfig(backend->handle, ecl, elen) != 1) { + infof(data, "ECH: SSL_ECH_set1_echconfig failed"); + if(data->set.tls_ech & (1 << CURLECH_HARD)) + return CURLE_SSL_CONNECT_ERROR; + } +# else + if(SSL_set1_ech_config_list(backend->handle, ecl, elen) != 1) { + infof(data, "ECH: SSL_set1_ech_config_list failed (boring)"); + if(data->set.tls_ech & (1 << CURLECH_HARD)) + return CURLE_SSL_CONNECT_ERROR; + } +# endif + else { + trying_ech_now = 1; + infof(data, "ECH: imported ECHConfigList of length %ld", elen); + } + } + else { + infof(data, "ECH: requested but no ECHConfig available"); + if(data->set.tls_ech & (1 << CURLECH_HARD)) + return CURLE_SSL_CONNECT_ERROR; + } + Curl_resolv_unlock(data, dns); + } + } +# ifdef OPENSSL_IS_BORINGSSL + if(trying_ech_now && outername) { + infof(data, "ECH: setting public_name not supported with boringssl"); + return CURLE_SSL_CONNECT_ERROR; + } +# else + if(trying_ech_now && outername) { + infof(data, "ECH: inner: '%s', outer: '%s'", + hostname, outername); + result = SSL_ech_set_server_names(backend->handle, + hostname, outername, + 0 /* do send outer */); + if(result != 1) { + infof(data, "ECH: rv failed to set server name(s) %d [ERROR]", result); + return CURLE_SSL_CONNECT_ERROR; + } + } +# endif /* not BORING */ + if(trying_ech_now + && SSL_set_min_proto_version(backend->handle, TLS1_3_VERSION) != 1) { + infof(data, "ECH: Can't force TLSv1.3 [ERROR]"); + return 
CURLE_SSL_CONNECT_ERROR; + } + } +#endif /* USE_ECH */ + #endif SSL_set_app_data(backend->handle, cf); @@ -3847,6 +3988,67 @@ static CURLcode ossl_connect_step1(struct Curl_cfilter *cf, return CURLE_OK; } +#ifdef USE_ECH +/* If we have retry configs, then trace those out */ +static void ossl_trace_ech_retry_configs(struct Curl_easy *data, + struct ossl_ssl_backend_data *backend, + int reason) +{ + CURLcode result = CURLE_OK; + size_t rcl = 0; + int rv = 1; + char *inner = NULL; +# ifndef OPENSSL_IS_BORINGSSL + unsigned char *rcs = NULL; + char *outer = NULL; +# else + const uint8_t *rcs = NULL; + const char *outer = NULL; + size_t out_name_len = 0; +# endif + + /* nothing to trace if not doing ECH */ + if(!ECH_ENABLED(data)) + return; +# ifndef OPENSSL_IS_BORINGSSL + rv = SSL_ech_get_retry_config(backend->handle, &rcs, &rcl); +# else + SSL_get0_ech_name_override(backend->handle, &outer, &out_name_len); + SSL_get0_ech_retry_configs(backend->handle, &rcs, &rcl); + inner = connssl->hostname; + rv = (int)rcl; +# endif + + if(rv && rcs) { +# define HEXSTR_MAX 800 + char *b64str = NULL; + size_t blen = 0; + + result = Curl_base64_encode((const char *)rcs, rcl, + &b64str, &blen); + if(!result && b64str) + infof(data, "ECH: retry_configs %s", b64str); + free(b64str); +# ifndef OPENSSL_IS_BORINGSSL + rv = SSL_ech_get_status(backend->handle, &inner, &outer); + infof(data, "ECH: retry_configs for %s from %s, %d %d", + inner ? inner : "NULL", outer ? outer : "NULL", reason, rv); +#else + rv = SSL_ech_accepted(backend->handle); + infof(data, "ECH: retry_configs for %s from %s, %d %d", + inner ? inner : "NULL", outer ? outer : "NULL", reason, rv); +#endif + } + else + infof(data, "ECH: no retry_configs (rv = %d)", rv); +# ifndef OPENSSL_IS_BORINGSSL + OPENSSL_free((void *)rcs); +# endif + return; +} + +#endif + static CURLcode ossl_connect_step2(struct Curl_cfilter *cf, struct Curl_easy *data) { 
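Review bot: In the DoH branch of the new ECH block, `Curl_fetch_addr()` hands back an entry that the code releases with `Curl_resolv_unlock(data, dns)` only at the end of the `else`, so the three hard-mode `return CURLE_SSL_CONNECT_ERROR` paths inside it (set1 failed on either backend, no ECHConfig in the RR) leave the cache entry locked; collect the outcome in a local and unlock before returning, or unlock right after copying `echconfiglist`. In the BoringSSL command-line branch, a decode failure in non-hard mode continues into `SSL_set1_ech_config_list()` with `ech_config == NULL`, `trying_ech_now = 1` is set even when that call failed whereas the OpenSSL branch sets it only on success, and the hard-mode `return result` can return `CURLE_OK` when `ech_config` is NULL with `result == CURLE_OK`, so that path wants an explicit `CURLE_SSL_CONNECT_ERROR`. Forcing `SSL_set_min_proto_version(TLS1_3_VERSION)` also silently overrides whatever `CURLOPT_SSLVERSION` the user set, which deserves at least an `infof()`. Minor: `%ld` for the `size_t` `elen` should be `%zu`, and the BoringSSL message names `SSL_ECH_set1_echconfig` where `SSL_set1_ech_config_list` was called; the enclosing `ossl_connect_step1` begins and ends outside this hunk.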
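Review bot: Under `OPENSSL_IS_BORINGSSL`, `ossl_trace_ech_retry_configs` assigns `inner = connssl->hostname`, but `connssl` is not among its parameters (`data`, `backend`, `reason`) and is not declared in the function, so the BoringSSL build of this hunk cannot compile; pass `connssl` in or take the name from `data`. In the non-BoringSSL path the `inner`/`outer` strings returned by `SSL_ech_get_status()` are released with `OPENSSL_free()` in the step2 hunk later on this page but never here, so each traced rejection leaks them. `HEXSTR_MAX` is defined but never used.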
@@ -3958,6 +4160,21 @@ static CURLcode ossl_connect_step2(struct Curl_cfilter *cf, result = CURLE_SSL_CLIENTCERT; ossl_strerror(errdetail, error_buffer, sizeof(error_buffer)); } +#endif +#ifdef USE_ECH + else if((lib == ERR_LIB_SSL) && +# ifndef OPENSSL_IS_BORINGSSL + (reason == SSL_R_ECH_REQUIRED)) { +# else + (reason == SSL_R_ECH_REJECTED)) { +# endif + + /* trace retry_configs if we got some */ + ossl_trace_ech_retry_configs(data, backend, reason); + + result = CURLE_ECH_REQUIRED; + ossl_strerror(errdetail, error_buffer, sizeof(error_buffer)); + } #endif else { result = CURLE_SSL_CONNECT_ERROR; 
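Review bot: The new `else if` arm maps `SSL_R_ECH_REQUIRED`/`SSL_R_ECH_REJECTED` to `CURLE_ECH_REQUIRED` and only traces the retry_configs, but nothing says why the connection is not simply retried without ECH, which is the security-relevant decision in this branch. Suggest a comment above the `ossl_trace_ech_retry_configs` call: `/* server rejected ECH: fail rather than retry with the inner name in the clear, which would expose what ECH is meant to hide; retry_configs are only logged */`. Without it a reader may take the trace call for the start of retry handling that does not exist. ossl_connect_step2 begins and ends outside the hunk.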
@@ -4012,6 +4229,68 @@ static CURLcode ossl_connect_step2(struct Curl_cfilter *cf, negotiated_group_name? negotiated_group_name : "[blank]", OBJ_nid2sn(psigtype_nid)); +#ifdef USE_ECH +# ifndef OPENSSL_IS_BORINGSSL + if(ECH_ENABLED(data)) { + char *inner = NULL, *outer = NULL; + const char *status = NULL; + int rv; + + rv = SSL_ech_get_status(backend->handle, &inner, &outer); + switch(rv) { + case SSL_ECH_STATUS_SUCCESS: + status = "succeeded"; + break; + case SSL_ECH_STATUS_GREASE_ECH: + status = "sent GREASE, got retry-configs"; + break; + case SSL_ECH_STATUS_GREASE: + status = "sent GREASE"; + break; + case SSL_ECH_STATUS_NOT_TRIED: + status = "not attempted"; + break; + case SSL_ECH_STATUS_NOT_CONFIGURED: + status = "not configured"; + break; + case SSL_ECH_STATUS_BACKEND: + status = "backend (unexpected)"; + break; + case SSL_ECH_STATUS_FAILED: + status = "failed"; + break; + case SSL_ECH_STATUS_BAD_CALL: + status = "bad call (unexpected)"; + break; + case SSL_ECH_STATUS_BAD_NAME: + status = "bad name (unexpected)"; + break; + default: + status = "unexpected status"; + infof(data, "ECH: unexpected status %d",rv); + } + infof(data, "ECH: result: status is %s, inner is %s, outer is %s", + (status?status:"NULL"), + (inner?inner:"NULL"), + (outer?outer:"NULL")); + OPENSSL_free(inner); + OPENSSL_free(outer); + if(rv == SSL_ECH_STATUS_GREASE_ECH) { + /* trace retry_configs if we got some */ + ossl_trace_ech_retry_configs(data, backend, 0); + } + if(rv != SSL_ECH_STATUS_SUCCESS + && data->set.tls_ech & (1 << CURLECH_HARD)) { + infof(data, "ECH: ech-hard failed"); + return CURLE_SSL_CONNECT_ERROR; + } + } + else { + infof(data, "ECH: result: status is not attempted"); + } +# endif /* BORING */ +#endif /* USE_ECH */ + #ifdef HAS_ALPN /* Sets data and len to negotiated protocol, len is 0 if no protocol was * negotiated diff --git a/lib/vtls/wolfssl.c b/lib/vtls/wolfssl.c index a3c017ceaab54e..83de6418e7a597 100644 --- a/lib/vtls/wolfssl.c +++ b/lib/vtls/wolfssl.c 
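Review bot: The `--ech hard` enforcement, `rv != SSL_ECH_STATUS_SUCCESS && data->set.tls_ech & (1 << CURLECH_HARD)`, sits entirely inside `#ifndef OPENSSL_IS_BORINGSSL`, so on a BoringSSL build a handshake in which ECH was not accepted is reported as a successful connection even when hard mode was requested. The trace function added earlier in this patch already calls `SSL_ech_accepted(backend->handle)` for BoringSSL, so the same check can be done here in an `# else` branch, as sketched below. The `default:` arm's `infof(data, "ECH: unexpected status %d",rv)` is missing a space after the comma, and the `&`/`&&` mix in the hard-mode condition would read more safely with explicit parentheses. ossl_connect_step2 begins and ends outside the hunk.

```c
/* … unchanged: OpenSSL SSL_ech_get_status switch and hard-mode check … */
# else
  if(ECH_ENABLED(data)) {
    int accepted = SSL_ech_accepted(backend->handle);
    infof(data, "ECH: result: status is %s",
          accepted ? "succeeded" : "not accepted");
    if(!accepted && (data->set.tls_ech & (1 << CURLECH_HARD))) {
      infof(data, "ECH: ech-hard failed");
      return CURLE_SSL_CONNECT_ERROR;
    }
  }
# endif /* BORING */
```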
@@ -74,6 +74,10 @@ #include "curl_memory.h" #include "memdebug.h" +#ifdef USE_ECH +# include "curl_base64.h" +#endif /* USE_ECH */ + /* KEEP_PEER_CERT is a product of the presence of build time symbol OPENSSL_EXTRA without NO_CERTS, depending on the version. KEEP_PEER_CERT is in wolfSSL's settings.h, and the latter two are build time symbols in 
@@ -722,6 +726,82 @@ wolfssl_connect_step1(struct Curl_cfilter *cf, struct Curl_easy *data) Curl_ssl_sessionid_unlock(data); } +#ifdef USE_ECH + if(data->set.tls_ech != CURLECH_DISABLE) { + int trying_ech_now = 0; + + if(data->set.str[STRING_ECH_PUBLIC]) { + infof(data, "ECH: outername not (yet) supported with WolfSSL"); + return CURLE_SSL_CONNECT_ERROR; + } + if(data->set.tls_ech == CURLECH_GREASE) { + infof(data, "ECH: GREASE'd ECH not yet supported for wolfSSL"); + return CURLE_SSL_CONNECT_ERROR; + } + if(data->set.tls_ech == CURLECH_CLA_CFG + && data->set.str[STRING_ECH_CONFIG]) { + char *b64val = data->set.str[STRING_ECH_CONFIG]; + word32 b64len = 0; + + b64len = (word32) strlen(b64val); + if(b64len + && wolfSSL_SetEchConfigsBase64(backend->handle, b64val, b64len) + != WOLFSSL_SUCCESS) { + if(data->set.tls_ech == CURLECH_HARD) + return CURLE_SSL_CONNECT_ERROR; + } + else { + trying_ech_now = 1; + infof(data, "ECH: ECHConfig set from command line: %s", b64val); + } + } + else { + struct Curl_dns_entry *dns = NULL; + + dns = Curl_fetch_addr(data, connssl->hostname, connssl->port); + if(!dns) { + infof(data, "ECH: requested but no DNS info available"); + if(data->set.tls_ech == CURLECH_HARD) + return CURLE_SSL_CONNECT_ERROR; + } + else { + struct Curl_https_rrinfo *rinfo = NULL; + + rinfo = dns->hinfo; + if(rinfo && rinfo->echconfiglist) { + unsigned char *ecl = rinfo->echconfiglist; + size_t elen = rinfo->echconfiglist_len; + + infof(data, "ECH: ECHConfig from DoH HTTPS RR"); + if(wolfSSL_SetEchConfigs(backend->handle, ecl, (word32) elen) != + WOLFSSL_SUCCESS) { + infof(data, "ECH: wolfSSL_SetEchConfigs failed"); + if(data->set.tls_ech == CURLECH_HARD) + return CURLE_SSL_CONNECT_ERROR; + } + else { + trying_ech_now = 1; + infof(data, "ECH: imported ECHConfigList of length %ld", elen); + } + } + else { + infof(data, "ECH: requested but no ECHConfig available"); + if(data->set.tls_ech == CURLECH_HARD) + return CURLE_SSL_CONNECT_ERROR; + } + 
Curl_resolv_unlock(data, dns); + } + } + + if(trying_ech_now + && SSL_set_min_proto_version(backend->handle, TLS1_3_VERSION) != 1) { + infof(data, "ECH: Can't force TLSv1.3 [ERROR]"); + return CURLE_SSL_CONNECT_ERROR; + } + + } +#endif /* USE_ECH */ + #ifdef USE_BIO_CHAIN { WOLFSSL_BIO *bio; @@ -851,6 +931,31 @@ wolfssl_connect_step2(struct Curl_cfilter *cf, struct Curl_easy *data) "continuing anyway"); } } +#endif +#ifdef USE_ECH + else if(-1 == detail) { + /* try access a retry_config ECHConfigList for tracing */ + byte echConfigs[1000]; + word32 echConfigsLen = 1000; + int rv = 0; + + /* this currently doesn't produce the retry_configs */ + rv = wolfSSL_GetEchConfigs(backend->handle, echConfigs, + &echConfigsLen); + if(rv != WOLFSSL_SUCCESS) { + infof(data, "Failed to get ECHConfigs"); + } + else { + char *b64str = NULL; + size_t blen = 0; + + rv = Curl_base64_encode((const char *)echConfigs, echConfigsLen, + &b64str, &blen); + if(!rv && b64str) + infof(data, "ECH: (not yet) retry_configs %s", b64str); + free(b64str); + } + } #endif else if(backend->io_result == CURLE_AGAIN) { return CURLE_OK; diff --git a/m4/curl-confopts.m4 b/m4/curl-confopts.m4 index 37f7d4c2e6cde4..41cdb4596aaf9a 100644 --- a/m4/curl-confopts.m4 +++ b/m4/curl-confopts.m4 
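Review bot: The hard-mode tests in wolfssl_connect_step1 use equality, `data->set.tls_ech == CURLECH_HARD`, while the openssl.c hunks in this same patch treat the field as a bitmask, `data->set.tls_ech & (1 << CURLECH_HARD)`; if the setopt side stores a mask, hard mode is never detected here and every failure in this block falls through to a connection without ECH, which is exactly what `--ech hard` is meant to prevent. The `CURLECH_CLA_CFG` branch also reports success for an empty string: with `b64len == 0` the `&&` short-circuits, the `else` runs and `trying_ech_now = 1` is set although nothing was configured, so test `if(!b64len || wolfSSL_SetEchConfigsBase64(backend->handle, b64val, b64len) != WOLFSSL_SUCCESS)` instead. `elen` is a size_t, so `%ld` in the "imported ECHConfigList of length" infof should be `%zu` (the openssl.c step1 hunk has the same format). wolfssl_connect_step1 begins and ends outside the hunk.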
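Review bot: `byte echConfigs[1000]; word32 echConfigsLen = 1000;` in wolfssl_connect_step2 repeats the buffer size as a literal; write `word32 echConfigsLen = sizeof(echConfigs);` so the two cannot drift apart. `rv` is an `int` but then receives the `CURLcode` from `Curl_base64_encode`, so use a separate `CURLcode result` for that call as the openssl.c trace function in this patch does. The comment says the call does not yet yield retry_configs, so the block is diagnostic only; a comment at the top of the `else if(-1 == detail)` arm saying "tracing only, no retry handling" would stop readers assuming otherwise. wolfssl_connect_step2 begins and ends outside the hunk.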
@@ -631,6 +631,42 @@ AC_DEFUN([CURL_CHECK_NTLM_WB], [ fi ]) +dnl CURL_CHECK_OPTION_HTTPSRR +dnl ----------------------------------------------------- +dnl Verify whether configure has been invoked with option +dnl --enable-httpsrr or --disable-httpsrr, and set +dnl shell variable want_httpsrr as appropriate. + +AC_DEFUN([CURL_CHECK_OPTION_HTTPSRR], [ + AC_MSG_CHECKING([whether to enable HTTPSRR support]) + OPT_HTTPSRR="default" + AC_ARG_ENABLE(httpsrr, +AS_HELP_STRING([--enable-httpsrr],[Enable HTTPSRR support]) +AS_HELP_STRING([--disable-httpsrr],[Disable HTTPSRR support]), + OPT_HTTPSRR=$enableval) + case "$OPT_HTTPSRR" in + no) + dnl --disable-httpsrr option used + want_httpsrr="no" + curl_httpsrr_msg="no (--enable-httpsrr)" + AC_MSG_RESULT([no]) + ;; + default) + dnl configure option not specified + want_httpsrr="no" + curl_httpsrr_msg="no (--enable-httpsrr)" + AC_MSG_RESULT([no]) + ;; + *) + dnl --enable-httpsrr option used + want_httpsrr="yes" + curl_httpsrr_msg="enabled (--disable-httpsrr)" + experimental="httpsrr" + AC_MSG_RESULT([yes]) + ;; + esac +]) + dnl CURL_CHECK_OPTION_ECH dnl ----------------------------------------------------- dnl Verify whether configure has been invoked with option @@ -666,3 +702,4 @@ AS_HELP_STRING([--disable-ech],[Disable ECH support]), ;; esac ]) +]) diff --git a/packages/OS400/ccsidcurl.c b/packages/OS400/ccsidcurl.c index 596c1f1e150b21..4d1e2b52addf3b 100644 --- a/packages/OS400/ccsidcurl.c +++ b/packages/OS400/ccsidcurl.c @@ -1097,6 +1097,9 @@ curl_easy_setopt_ccsid(CURL *easy, CURLoption tag, ...) case CURLOPT_DNS_LOCAL_IP6: case CURLOPT_DNS_SERVERS: case CURLOPT_DOH_URL: +#ifdef USE_ECH + case CURLOPT_ECH: +#endif case CURLOPT_EGDSOCKET: case CURLOPT_FTPPORT: case CURLOPT_FTP_ACCOUNT: diff --git a/src/tool_cfgable.c b/src/tool_cfgable.c index 3259bc7a5f0562..bb271583263db3 100644 --- a/src/tool_cfgable.c +++ b/src/tool_cfgable.c 
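Review bot: In the `*)` arm of CURL_CHECK_OPTION_HTTPSRR, `experimental="httpsrr"` overwrites the variable instead of extending it, so if another option check (such as the ECH one that follows in this file) also records itself there, only the last one survives in the configure summary; `experimental="$experimental httpsrr"` keeps both, assuming the variable is a space-separated list as that pattern suggests. The `*)` arm's message also spells the state `enabled (--disable-httpsrr)` while the other arms use `no (...)`; `yes (--disable-httpsrr)` would read consistently with the `AC_MSG_RESULT([yes])` on the next line.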
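Review bot: The second hunk in m4/curl-confopts.m4 appends a bare `])` after the existing `])` that already closes CURL_CHECK_OPTION_ECH, leaving an unmatched close quote that m4/autoconf will reject when configure is regenerated; unless the page rendering dropped a matching opener, the added line should be removed. The HTTPSRR macro added earlier in the file is already balanced, so nothing else needs closing.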
@@ -176,6 +176,14 @@ static void free_config_fields(struct OperationConfig *config) Curl_safefree(config->aws_sigv4); Curl_safefree(config->proto_str); Curl_safefree(config->proto_redir_str); +#ifdef USE_ECH + Curl_safefree(config->ech); + config->ech = NULL; + Curl_safefree(config->ech_config); + config->ech_config = NULL; + Curl_safefree(config->ech_public); + config->ech_public = NULL; +#endif } void config_free(struct OperationConfig *config) diff --git a/src/tool_cfgable.h b/src/tool_cfgable.h index dfa74d81ff4b81..74d0c45f2ed121 100644 --- a/src/tool_cfgable.h +++ b/src/tool_cfgable.h @@ -298,6 +298,12 @@ struct OperationConfig { struct State state; /* for create_transfer() */ bool rm_partial; /* on error, remove partially written output files */ +#ifdef USE_ECH + char *ech; /* Config set by --ech keywords */ + char *ech_config; /* Config set by "--ech esl:" option */ + char *ech_public; /* Config set by "--ech pn:" option */ +#endif + }; struct GlobalConfig { diff --git a/src/tool_getparam.c b/src/tool_getparam.c index 4c910fd73c912b..4f5129e1258dfa 100644 --- a/src/tool_getparam.c +++ b/src/tool_getparam.c @@ -339,7 +339,10 @@ typedef enum { C_VERSION, C_WDEBUG, C_WRITE_OUT, - C_XATTR + C_XATTR, +#ifdef USE_ECH + C_ECH +#endif } cmdline_t; struct LongShort { @@ -623,6 +626,9 @@ static const struct LongShort aliases[]= { #endif {"write-out", ARG_STRG, 'w', C_WRITE_OUT}, {"xattr", ARG_BOOL, ' ', C_XATTR}, +#ifdef USE_ECH + {"ech", ARG_STRG, ' ', C_ECH}, +#endif }; /* Split the argument of -E to 'certname' and 'passphrase' separated by colon. 
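Review bot: The three `config->ech… = NULL;` statements after `Curl_safefree()` in free_config_fields are redundant, since `Curl_safefree` already nulls its argument (the neighbouring `Curl_safefree(config->aws_sigv4)` and friends rely on that), so for consistency reduce the block to `Curl_safefree(config->ech); Curl_safefree(config->ech_config); Curl_safefree(config->ech_public);`. free_config_fields begins outside the hunk.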
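Review bot: The comment on `ech_config` in struct OperationConfig says `"--ech esl:"`, but the parser in tool_getparam.c and the tests in this patch accept `ecl:`; change it to `char *ech_config; /* Config set by "--ech ecl:" option */`. It would also help to say on `ech` which values it holds, e.g. `/* last --ech keyword given: hard, true, grease or false */`, since all three fields end up in the same CURLOPT_ECH option.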
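Review bot: `{"ech", ARG_STRG, ' ', C_ECH}` is appended after `xattr` at the end of `aliases[]`; if that table must stay alphabetically sorted (the long-option lookup in this file may rely on it, and a sorted-order check would flag the entry), the new row belongs among the `e…` options rather than at the end. The same applies to `C_ECH` being placed after `C_XATTR` in `cmdline_t` if the enum is expected to mirror the table order; both tool_getparam.c hunks above share this point. Wrapping only this one entry in `#ifdef USE_ECH` also differs from how the visible neighbours are declared, so if the option is meant to exist in every build and fail at setopt time when unsupported, the conditional can go.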
@@ -2075,8 +2081,54 @@ ParameterError getparameter(const char *flag, /* f or -long-flag */ if(!err && config->engine && !strcmp(config->engine, "list")) { err = PARAM_ENGINES_REQUESTED; + break; +#ifdef USE_ECH + case C_ECH: + if(strlen(nextarg) > 4 && strncasecompare("pn:", nextarg, 3)) { + /* a public_name */ + GetStr(&config->ech_public, nextarg); } - break; + else if(strlen(nextarg) > 5 && strncasecompare("ecl:", nextarg, 4)) { + /* an ECHConfigList */ + if('@' != *(nextarg + 4)) { + GetStr(&config->ech_config, nextarg); + } + else { + /* Indirect case: @filename or @- for stdin */ + char *tmpcfg = NULL; + FILE *file; + + nextarg++; /* skip over '@' */ + if(!strcmp("-", nextarg)) { + file = stdin; + } + else { + file = fopen(nextarg, FOPEN_READTEXT); + } + if(!file) { + warnf(global, + "Couldn't read file \"%s\" " + "specified for \"--ech ecl:\" option", + nextarg); + return PARAM_BAD_USE; /* */ + } + err = file2string(&tmpcfg, file); + if(file != stdin) + fclose(file); + if(err) + return err; + config->ech_config = aprintf("ecl:%s",tmpcfg); + if(!config->ech_config) + return PARAM_NO_MEM; + free(tmpcfg); + } /* file done */ + } + else { + /* Simple case: just a string, with a keyword */ + GetStr(&config->ech, nextarg); + } + break; +#endif case C_CAPATH: /* --capath */ err = getstr(&config->capath, nextarg, DENY_BLANK); break; diff --git a/src/tool_listhelp.c b/src/tool_listhelp.c index 23472f345a50d6..c562d509662433 100644 --- a/src/tool_listhelp.c +++ b/src/tool_listhelp.c @@ -168,6 +168,12 @@ const struct helptxt helptext[] = { {"-D, --dump-header ", "Write the received headers to ", CURLHELP_HTTP | CURLHELP_FTP}, +#ifdef USE_ECH + {" --ech ", + "Encrypted Client Hello controls", + CURLHELP_TLS}, +#endif + {" --egd-file ", "EGD socket path for random data", CURLHELP_TLS}, diff --git a/src/tool_operate.c b/src/tool_operate.c index 5a5fc8745ed14b..cb4312e68d30c6 100644 --- a/src/tool_operate.c +++ b/src/tool_operate.c 
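Review bot: In the `ecl:@file` branch, `nextarg++; /* skip over '@' */` advances one byte from the start of `ecl:@…`, so `nextarg` becomes `cl:@filename` (or `cl:@-` for stdin): the stdin comparison can never match and `fopen()` is handed the wrong path; skip the whole prefix with `nextarg += 5;`. `tmpcfg` leaks on the allocation-failure path because `return PARAM_NO_MEM;` precedes `free(tmpcfg);`; reorder to `config->ech_config = aprintf("ecl:%s", tmpcfg); free(tmpcfg); if(!config->ech_config) return PARAM_NO_MEM;`. As rendered, the added `break;` and `case C_ECH:` sit inside the still-open `if(!err && config->engine && !strcmp(config->engine, "list")) {` block and the context `}` now closes the `pn:` if, so the engine block's brace appears never to be closed in either build configuration; unless the rendering reordered lines, the C_ECH body should follow the engine case's `} break;` instead. The neighbouring `C_CAPATH` case uses `err = getstr(&config->capath, nextarg, DENY_BLANK);` while this case uses `GetStr(...)`, so blank values are accepted here but rejected there. getparameter begins and ends outside the hunk.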
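Review bot: If src/tool_listhelp.c is generated from docs/cmdline-opts (its header normally says it must not be edited by hand), the hand-added `#ifdef USE_ECH` entry will be lost at the next regeneration, and the generator has no way to emit the conditional; since this patch already adds `docs/cmdline-opts/ech.d`, regenerate the table from it and drop the `#ifdef`. The help text `Encrypted Client Hello controls` is fine as a summary, but should match the description in ech.d so the two do not diverge.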
@@ -2187,6 +2187,16 @@ static CURLcode single_transfer(struct GlobalConfig *global, if(config->hsts) my_setopt_str(curl, CURLOPT_HSTS, config->hsts); +#ifdef USE_ECH + /* only if enabled in configure */ + if(config->ech) /* only if set (optional) */ + my_setopt_str(curl, CURLOPT_ECH, config->ech); + if(config->ech_public) /* only if set (optional) */ + my_setopt_str(curl, CURLOPT_ECH, config->ech_public); + if(config->ech_config) /* only if set (optional) */ + my_setopt_str(curl, CURLOPT_ECH, config->ech_config); +#endif + /* initialize retry vars for loop below */ per->retry_sleep_default = (config->retry_delay) ? config->retry_delay*1000L : RETRY_SLEEP_DEFAULT; /* ms */ diff --git a/tests/ech_combos.py b/tests/ech_combos.py new file mode 100755 index 00000000000000..d21621533bbb41 --- /dev/null +++ b/tests/ech_combos.py 
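Review bot: The three `my_setopt_str(curl, CURLOPT_ECH, …)` calls in single_transfer are made in a fixed order (keyword, then `pn:`, then `ecl:`) regardless of the order the user gave them on the command line, so a "last argument wins" rule can only hold within each kind, not across kinds; a comment would stop readers assuming command-line order is preserved: `/* applied in a fixed order, not command-line order: each kind of --ech value is stored separately and the last of its kind wins */`. single_transfer begins and ends outside the hunk.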
@@ -0,0 +1,79 @@ +#!/usr/bin/python +# Python3 program to print all combination +# of size r in an array of size n +# used to generate test lines in tests/ech_test.sh + +''' arr[] ---> Input Array + chosen[] ---> Temporary array to store + current combination + start & end ---> Starting and Ending indexes in arr[] + r---> Size of a combination to be printed + + ''' +def CombinationRepetitionUtil(chosen, arr, badarr, index, + r, start, end): + + # Current combination is ready, + # print it + if index == r: + # figure out if result should be good or bad and + # print prefix, assuming $turl does support ECH so + # should work if given "positive" parameters + res = 1 + j = len(chosen) - 1 + while res and j >= 0: + if chosen[j] in badarr: + res = 0 + j = j - 1 + print("cli_test $turl 1", res, end = " ") + # print combination but eliminating any runs of + # two identical params + for j in range(r): + if j != 0 and chosen[j] != chosen[j-1]: + print(chosen[j], end = " ") + + print() + return + + # When no more elements are + # there to put in chosen[] + if start > n: + return + + # Current is included, put + # next at next location + chosen[index] = arr[start] + + # Current is excluded, replace it + # with next (Note that i+1 is passed, + # but index is not changed) + CombinationRepetitionUtil(chosen, arr, badarr, index + 1, + r, start, end) + CombinationRepetitionUtil(chosen, arr, badarr, index, + r, start + 1, end) + +# The main function that prints all +# combinations of size r in arr[] of +# size n. 
This function mainly uses +# CombinationRepetitionUtil() +def CombinationRepetition(arr, badarr, n, r): + + # A temporary array to store + # all combination one by one + chosen = [0] * r + + # Print all combination using + # temporary array 'chosen[]' + CombinationRepetitionUtil(chosen, arr, badarr, 0, r, 0, n) + +# Driver code +badarr = [ '--ech grease', '--ech false', '--ech ecl:$badecl', '--ech pn:$badpn' ] +goodarr = [ '--ech hard', '--ech true', '--ech ecl:$goodecl', '--ech pn:$goodpn' ] +arr = badarr + goodarr +r = 8 +n = len(arr) - 1 + +CombinationRepetition(arr, badarr, n, r) + +# This code is contributed by Vaibhav Kumar 12. + diff --git a/tests/ech_tests.sh b/tests/ech_tests.sh new file mode 100755 index 00000000000000..39718741dd2660 --- /dev/null +++ b/tests/ech_tests.sh 
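Review bot: The de-duplication loop `if j != 0 and chosen[j] != chosen[j-1]:` never prints `chosen[0]`, so the first parameter of every combination (and any run starting at position 0) is dropped from the generated `cli_test` line; use `if j == 0 or chosen[j] != chosen[j-1]:`. The expected result is computed as "any bad parameter present gives 0", which disagrees with the shell script's stated rule that the last value of a kind wins (there `--ech ecl:$badecl --ech ecl:$goodecl` is expected to succeed), so the printed 0/1 needs manual correction as the shell comment admits; the module docstring should say so. `CombinationRepetitionUtil` tests `start > n` against the module-level `n` instead of its own `end` parameter, which only works because the driver happens to define `n`; compare against `end`. The shebang `#!/usr/bin/python` should be `#!/usr/bin/env python3` for a script described as Python 3, and the trailing attribution line indicates the code was adapted from an external source, whose licence should be confirmed before it is committed under the curl licence.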
@@ -0,0 +1,974 @@ +#!/bin/bash +#*************************************************************************** +# _ _ ____ _ +# Project ___| | | | _ \| | +# / __| | | | |_) | | +# | (__| |_| | _ <| |___ +# \___|\___/|_| \_\_____| +# +# Copyright (C) Daniel Stenberg, , et al. +# +# This software is licensed as described in the file COPYING, which +# you should have received as part of this distribution. The terms +# are also available at https://curl.se/docs/copyright.html. +# +# You may opt to use, copy, modify, merge, publish, distribute and/or sell +# copies of the Software, and permit persons to whom the Software is +# furnished to do so, under the terms of the COPYING file. +# +# This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY +# KIND, either express or implied. +# +# SPDX-License-Identifier: curl +# +########################################################################### +# + +# Run some tests against servers we know to support ECH (CF, defo.ie, etc.). +# as well as some we know don't do ECH but have an HTTPS RR, and finally some +# for which neither is the case. + +# TODO: Translate this into something that approximates a valid curl test:-) +# Should be useful though even before such translation and a pile less work +# to do this than that. The pile of work required would include making an +# ECH-enabled server and a DoH server. For now, this is just run manually. + +# set -x + +# Targets we expect to be ECH-enabled servers +# for which an HTTPS RR is published. 
+# structure is host:port mapped to pathname +# TODO: add negative tests for these +declare -A ech_targets=( + [my-own.net]="ech-check.php" + [my-own.net:8443]="ech-check.php" + [defo.ie]="ech-check.php" + [cover.defo.ie]="" + [draft-13.esni.defo.ie:8413]="stats" + [draft-13.esni.defo.ie:8414]="stats" + [draft-13.esni.defo.ie:9413]="" + [draft-13.esni.defo.ie:10413]="" + [draft-13.esni.defo.ie:11413]="" + [draft-13.esni.defo.ie:12413]="" + [draft-13.esni.defo.ie:12414]="" + [crypto.cloudflare.com]="cdn-cgi/trace" + [tls-ech.dev]="" + [epochbelt.com]="" +) + +# Targets we expect not to be ECH-enabled servers +# but for which an HTTPS RR is published. +declare -A httpsrr_targets=( + [ietf.org]="" + [rte.ie]="" +) + +# Targets we expect not to be ECH-enabled servers +# and for which no HTTPS RR is published. +declare -A neither_targets=( + [www.tcd.ie]="" + [jell.ie]="" +) + +# +# Variables that can be over-ridden from environment +# + +# Top of curl test tree, assume we're there +: ${CTOP:="."} + +# Plase to put test log output +: ${LTOP:="$CTOP/tests/ech-log/"} + +# place to stash outputs when things go wrong +: ${BTOP:="$LTOP"} + +# time to wait for a remote access to work, 10 seconds +: ${tout:="10s"} + +# Where we find OpenSSL .so's +: ${OSSL:="$HOME/code/openssl"} + +# Where we find WolfSSL .so's +: ${WSSL:="$HOME/code/wolfssl/inst/lib"} + +# Where we find boringssl .so's +: ${BSSL:="$HOME/code/boringssl/inst/lib"} + +# Where we send DoH queries when using kdig or curl +: ${DOHSERVER:="one.one.one.one"} +: ${DOHPATH:="dns-query"} + +# Whether to send mail when bad things happen (mostly for cronjob) +: ${DOMAIL:="no"} + +# Misc vars and functions + +DEFPORT=443 + +function whenisitagain() +{ + /bin/date -u +%Y%m%d-%H%M%S +} + +function fileage() +{ + echo $(($(date +%s) - $(date +%s -r "$1"))) +} + +function hostport2host() +{ + case $1 in + *:*) host=${1%:*} port=${1##*:};; + *) host=$1 port=$DEFPORT;; + esac + echo $host +} + +function hostport2port() +{ + case 
$1 in + *:*) host=${1%:*} port=${1##*:};; + *) host=$1 port=$DEFPORT;; + esac + echo $port +} + +function cli_test() +{ + # 1st param is target URL + turl=$1 + # 2nd param is 0 if we expect curl to not work or 1 if we expect it + # to have worked + curl_winorlose=$2 + # 3rd param is 0 if we expect ECH to not work or 1 if we expect it + # to have worked + ech_winorlose=$3 + # remaining params are passed to command line + echparms="${@:4}" + + TMPF=`mktemp` + cmd="timeout $tout $CURL $echparms $turl >$TMPF 2>&1" + echo "cli_test: $cmd " >> $logfile + timeout $tout $CURL $echparms $turl >$TMPF 2>&1 + eres=$? + if [[ "$eres" == "124" ]] + then + allgood="no" + echo "cli_test: Timeout running $cmd" + cat $TMPF >>$logfile + echo "cli_test: Timeout running $cmd" >>$logfile + fi + ech_success=`grep -c "ECH: result: status is succeeded" $TMPF` + if [[ "$ech_success" == "$ech_winorlose" ]] + then + echo "cli_test ok for $echparms" + else + allgood="no" + echo "cli_test: Failure running $cmd" + cat $TMPF >>$logfile + echo "cli_test: Failure running $cmd" >>$logfile + fi + rm -f $TMPF +} + +function get_ech_configlist() +{ + domain=$1 + ecl=`dig +short https $domain | grep "ech=" | sed -e 's/^.*ech=//' | sed -e 's/ .*//'` + echo $ecl +} + +# start of main script + +# start by assuming we have nothing we need... +have_ossl="no" +have_wolf="no" +have_bssl="no" +using_ossl="no" +using_wolf="no" +using_bssl="no" +have_curl="no" +have_dig="no" +have_kdig="no" +have_presout="no" +have_portsblocked="no" + +# setup logging +NOW=$(whenisitagain) +BINNAME=`basename $0 .sh` +if [ ! -d $LTOP ] +then + mkdir -p $LTOP +fi +if [ ! 
-d $LTOP ] +then + echo "Can't see $LTOP for logs - exiting" + exit 1 +fi +logfile=$LTOP/$BINNAME_$NOW.log + +echo "-----" >$logfile +echo "Running $0 at $NOW" >>$logfile +echo "Running $0 at $NOW" + +# check we have the binaries needed and which TLS library we'll be using +if [ -f $OSSL/libssl.so ] +then + have_ossl="yes" +fi +if [ -f $WSSL/libwolfssl.so ] +then + have_wolf="yes" +fi +if [ -f $BSSL/libssl.so ] +then + have_bssl="yes" +fi +CURL="$CTOP/src/curl -vvv --doh-url https://one.one.one.one/dns-query " +if [ -f $CTOP/src/curl ] +then + have_curl="yes" +fi +ossl_cnt=`LD_LIBRARY_PATH=$OSSL $CURL -V 2> /dev/null | grep -c OpenSSL` +if ((ossl_cnt == 1)) +then + using_ossl="yes" + # setup access to our .so + export LD_LIBRARY_PATH=$OSSL +fi +bssl_cnt=`LD_LIBRARY_PATH=$BSSL $CURL -V 2> /dev/null | grep -c BoringSSL` +if ((bssl_cnt == 1)) +then + using_bssl="yes" + # setup access to our .so + export LD_LIBRARY_PATH=$BSSL +fi +wolf_cnt=`$CURL -V 2> /dev/null | grep -c wolfSSL` +if ((wolf_cnt == 1)) +then + using_wolf="yes" + # for some reason curl+wolfSSL dislikes certs that are ok + # for browsers, so we'll test using "insecure" mode (-k) + # but that's ok here as we're only interested in ECH testing + CURL="$CURL -k" +fi +# check if we have dig and it knows https or not +digcmd="dig +short" +wdig=`which dig` +if [[ "$wdig" != "" ]] +then + have_dig="yes" +fi +wkdig=`which kdig` +if [[ "$wkdig" != "" ]] +then + have_kdig="yes" + digcmd="kdig @$DOHSERVER +https +short" +fi +# see if our dig version knows HTTPS +dout=`$digcmd https defo.ie` +if [[ $dout != "1 . "* ]] +then + dout=`$digcmd -t TYPE65 defo.ie` + if [[ $dout == "1 . 
"* ]] + then + # we're good + have_presout="yes" + fi +else + have_presout="yes" +fi + +# Check if ports other than 443 are blocked from this +# vantage point (I run tests in a n/w where that's +# sadly true sometimes;-) +# echo "Checking if ports other than 443 are maybe blocked" +not443testurl="https://draft-13.esni.defo.ie:9413/" +timeout $tout $CURL $not443testurl >/dev/null 2>&1 +eres=$? +if [[ "$eres" == "124" ]] +then + echo "Timeout running curl for $not443testurl" >>$logfile + echo "Timeout running curl for $not443testurl" + have_portsblocked="yes" +fi + +echo "have_ossl: $have_ossl" >>$logfile +echo "have_wolf: $have_wolf" >>$logfile +echo "have_bssl: $have_bssl" >>$logfile +echo "using_ossl: $using_ossl" >>$logfile +echo "using_wolf: $using_wolf" >>$logfile +echo "using_bssl: $using_bssl" >>$logfile +echo "have_curl: $have_curl" >>$logfile +echo "have_dig: $have_dig" >>$logfile +echo "have_kdig: $have_kdig" >>$logfile +echo "have_presout: $have_presout" >>$logfile +echo "have_portsblocked: $have_portsblocked" >>$logfile + +echo "curl: have $have_curl, cURL command: |$CURL|" +echo "ossl: have: $have_ossl, using: $using_ossl" +echo "wolf: have: $have_wolf, using: $using_wolf" +echo "bssl: have: $have_bssl, using: $using_bssl" +echo "dig: $have_dig, kdig: $have_kdig, HTTPS pres format: $have_presout" +echo "dig command: |$digcmd|" +echo "ports != 443 blocked: $have_portsblocked" + +if [[ "$have_curl" == "no" ]] +then + echo "Can't proceed without curl - exiting" + exit 32 +fi + +allgood="yes" + +# basic ECH good/bad +for targ in "${!ech_targets[@]}" +do + if [[ "$using_wolf" == "yes" && "$targ" == "draft-13.esni.defo.ie:8414" ]] + then + echo "Skipping $targ 'till wolf does HRR+ECH" + continue + fi + if [[ "$using_wolf" == "yes" && "$targ" == "tls-ech.dev" ]] + then + echo "Skipping $targ 'till wolf does HRR+ECH" + continue + fi + host=$(hostport2host $targ) + port=$(hostport2port $targ) + if [[ "$port" != "443" && "$have_portsblocked" == "yes" ]] + then + 
echo "Skipping $targ as ports != 443 seem blocked" + continue + fi + path=${ech_targets[$targ]} + turl="https://$host:$port/$path" + echo "ECH check for $turl" + echo "" >>$logfile + echo "ECH check for $turl" >>$logfile + timeout $tout $CURL --ech hard $turl >>$logfile 2>&1 + eres=$? + if [[ "$eres" == "124" ]] + then + allgood="no" + echo "Timeout for $turl" >>$logfile + echo -e "\tTimeout for $turl" >>$logfile + echo "Timeout running curl for $host:$port/$path" >>$logfile + fi + if [[ "$eres" != "0" ]] + then + allgood="no" + echo "Error ($eres) for $turl" >>$logfile + echo -e "\tError ($eres) for $turl" + fi + echo "" >>$logfile +done + +# check if public_name override works +for targ in "${!ech_targets[@]}" +do + if [[ "$using_wolf" == "yes" && "$targ" == "draft-13.esni.defo.ie:8414" ]] + then + echo "Skipping $targ 'till wolf does HRR+ECH" + continue + fi + if [[ "$using_wolf" == "yes" && "$targ" == "tls-ech.dev" ]] + then + echo "Skipping $targ 'till wolf does HRR+ECH" + continue + fi + host=$(hostport2host $targ) + port=$(hostport2port $targ) + if [[ "$port" != "443" && "$have_portsblocked" == "yes" ]] + then + echo "Skipping $targ as ports != 443 seem blocked" + continue + fi + path=${ech_targets[$targ]} + turl="https://$host:$port/$path" + echo "PN override check for $turl" + echo "" >>$logfile + echo "PN override check for $turl" >>$logfile + timeout $tout $CURL --ech pn:override --ech hard $turl >>$logfile 2>&1 + eres=$? 
+ if [[ "$eres" == "124" ]] + then + allgood="no" + echo "Timeout for $turl" >>$logfile + echo -e "\tTimeout for $turl" >>$logfile + echo "Timeout running curl for $host:$port/$path" >>$logfile + fi + if [[ "$eres" != "0" ]] + then + allgood="no" + echo "PN override Error ($eres) for $turl" >>$logfile + echo -e "\tPN override Error ($eres) for $turl" + fi + echo "" >>$logfile +done + +for targ in "${!httpsrr_targets[@]}" +do + host=$(hostport2host $targ) + port=$(hostport2port $targ) + if [[ "$port" != "443" && "$have_portsblocked" == "yes" ]] + then + echo "Skipping $targ as ports != 443 seem blocked" + continue + fi + path=${httpsrr_targets[$targ]} + turl="https://$host:$port/$path" + echo "HTTPS RR but no ECHConfig check for $turl" + echo "" >>$logfile + echo "HTTPS RR but no ECHConfig check for $turl" >>$logfile + timeout $tout $CURL --ech true $turl >>$logfile 2>&1 + eres=$? + if [[ "$eres" == "124" ]] + then + allgood="no" + echo "Timeout for $turl" >>$logfile + echo -e "\tTimeout for $turl" >>$logfile + echo "Timeout running curl for $host:$port/$path" >>$logfile + fi + if [[ "$eres" != "0" ]] + then + allgood="no" + echo "Error ($eres) for $turl" >>$logfile + echo -e "\tError ($eres) for $turl" + fi + echo "" >>$logfile +done + +for targ in "${!neither_targets[@]}" +do + host=$(hostport2host $targ) + port=$(hostport2port $targ) + if [[ "$port" != "443" && "$have_portsblocked" == "yes" ]] + then + echo "Skipping $targ as ports != 443 seem blocked" + continue + fi + path=${neither_targets[$targ]} + turl="https://$host:$port/$path" + echo "Neither HTTPS nor ECHConfig check for $turl" + echo "" >>$logfile + echo "Neither HTTPS nor ECHConfig check for $turl" >>$logfile + timeout $tout $CURL --ech true $turl >>$logfile 2>&1 + eres=$? 
+ if [[ "$eres" == "124" ]] + then + allgood="no" + echo "Timeout for $turl" >>$logfile + echo -e "\tTimeout for $turl" >>$logfile + echo "Timeout running curl for $host:$port/$path" >>$logfile + fi + if [[ "$eres" != "0" ]] + then + allgood="no" + echo "Error ($eres) for $turl" >>$logfile + echo -e "\tError ($eres) for $turl" + fi + echo "" >>$logfile +done + +# Check various command line options, if we're good so far +if [[ "$allgood" == "yes" ]] +then + # use this test URL as it'll tell us if things worked + turl="https://defo.ie/ech-check.php" + echo "cli_test with $turl" + echo "cli_test with $turl" >>$logfile + cli_test $turl 1 1 --ech true + cli_test $turl 1 0 --ech false + cli_test $turl 1 1 --ech false --ech true + if [[ "$using_ossl" == "yes" ]] + then + # only OpenSSL builds support pn: + cli_test $turl 1 1 --ech false --ech true --ech pn:foobar + cli_test $turl 1 1 --ech false --ech pn:foobar --ech true + fi + echconfiglist=$(get_ech_configlist defo.ie) + cli_test $turl 1 1 --ech ecl:$echconfiglist + cli_test $turl 1 0 --ech ecl: +fi + +# Check combinations of command line options, if we're good so far +if [[ "$allgood" == "yes" ]] +then + # ech can be hard, true, grease or false + # ecl:ecl can be correct, incorrect or missing + # ech:pn can be correct, incorrect or missing + # in all cases the "last" argument provided should "win" + # but only one of hard, true, grease or false will apply + turl="https://defo.ie/ech-check.php" + echconfiglist=$(get_ech_configlist defo.ie) + goodecl=$echconfiglist + echconfiglist=$(get_ech_configlist hidden.hoba.ie) + badecl=$echconfiglist + goodpn="cover.defo.ie" + badpn="hoba.ie" + echo "more cli_test with $turl" + echo "more cli_test with $turl" >>$logfile + + # The combinatorics here are handled via the tests/ech_combos.py script + # which produces all the relevant combinations or inputs and orders + # thereof. We have to manually assess whether or not ECH is expected to + # work for each case. 
+ cli_test $turl 1 0 + if [[ "$allgood" != "yes" ]] then echo $LINENO; fi + cli_test $turl 1 0 --ech ecl:$badecl + if [[ "$allgood" != "yes" ]] then echo $LINENO; fi + cli_test $turl 1 1 --ech ecl:$badecl --ech ecl:$goodecl + if [[ "$allgood" != "yes" ]] then echo $LINENO; fi + cli_test $turl 1 1 --ech ecl:$badecl --ech ecl:$goodecl --ech pn:$goodpn + if [[ "$allgood" != "yes" ]] then echo $LINENO; fi + cli_test $turl 1 0 --ech ecl:$badecl --ech hard + if [[ "$allgood" != "yes" ]] then echo $LINENO; fi + cli_test $turl 1 1 --ech ecl:$badecl --ech hard --ech ecl:$goodecl + if [[ "$allgood" != "yes" ]] then echo $LINENO; fi + cli_test $turl 1 1 --ech ecl:$badecl --ech hard --ech ecl:$goodecl --ech pn:$goodpn + if [[ "$allgood" != "yes" ]] then echo $LINENO; fi + cli_test $turl 1 0 --ech ecl:$badecl --ech hard --ech pn:$goodpn + if [[ "$allgood" != "yes" ]] then echo $LINENO; fi + cli_test $turl 1 0 --ech ecl:$badecl --ech hard --ech true + if [[ "$allgood" != "yes" ]] then echo $LINENO; fi + cli_test $turl 1 1 --ech ecl:$badecl --ech hard --ech true --ech ecl:$goodecl + if [[ "$allgood" != "yes" ]] then echo $LINENO; fi + cli_test $turl 1 1 --ech ecl:$badecl --ech hard --ech true --ech ecl:$goodecl --ech pn:$goodpn + if [[ "$allgood" != "yes" ]] then echo $LINENO; fi + cli_test $turl 1 0 --ech ecl:$badecl --ech hard --ech true --ech pn:$goodpn + if [[ "$allgood" != "yes" ]] then echo $LINENO; fi + cli_test $turl 1 0 --ech ecl:$badecl --ech pn:$badpn + if [[ "$allgood" != "yes" ]] then echo $LINENO; fi + cli_test $turl 1 1 --ech ecl:$badecl --ech pn:$badpn --ech ecl:$goodecl + if [[ "$allgood" != "yes" ]] then echo $LINENO; fi + cli_test $turl 1 1 --ech ecl:$badecl --ech pn:$badpn --ech ecl:$goodecl --ech pn:$goodpn + if [[ "$allgood" != "yes" ]] then echo $LINENO; fi + cli_test $turl 1 0 --ech ecl:$badecl --ech pn:$badpn --ech hard + if [[ "$allgood" != "yes" ]] then echo $LINENO; fi + cli_test $turl 1 1 --ech ecl:$badecl --ech pn:$badpn --ech hard --ech ecl:$goodecl 
+ if [[ "$allgood" != "yes" ]] then echo $LINENO; fi + cli_test $turl 1 1 --ech ecl:$badecl --ech pn:$badpn --ech hard --ech ecl:$goodecl --ech pn:$goodpn + if [[ "$allgood" != "yes" ]] then echo $LINENO; fi + cli_test $turl 1 0 --ech ecl:$badecl --ech pn:$badpn --ech hard --ech pn:$goodpn + if [[ "$allgood" != "yes" ]] then echo $LINENO; fi + cli_test $turl 1 0 --ech ecl:$badecl --ech pn:$badpn --ech hard --ech true + if [[ "$allgood" != "yes" ]] then echo $LINENO; fi + cli_test $turl 1 1 --ech ecl:$badecl --ech pn:$badpn --ech hard --ech true --ech ecl:$goodecl + if [[ "$allgood" != "yes" ]] then echo $LINENO; fi + cli_test $turl 1 1 --ech ecl:$badecl --ech pn:$badpn --ech hard --ech true --ech ecl:$goodecl --ech pn:$goodpn + if [[ "$allgood" != "yes" ]] then echo $LINENO; fi + cli_test $turl 1 0 --ech ecl:$badecl --ech pn:$badpn --ech hard --ech true --ech pn:$goodpn + if [[ "$allgood" != "yes" ]] then echo $LINENO; fi + cli_test $turl 1 0 --ech ecl:$badecl --ech pn:$badpn --ech pn:$goodpn + if [[ "$allgood" != "yes" ]] then echo $LINENO; fi + cli_test $turl 1 0 --ech ecl:$badecl --ech pn:$badpn --ech true + if [[ "$allgood" != "yes" ]] then echo $LINENO; fi + cli_test $turl 1 1 --ech ecl:$badecl --ech pn:$badpn --ech true --ech ecl:$goodecl + if [[ "$allgood" != "yes" ]] then echo $LINENO; fi + cli_test $turl 1 1 --ech ecl:$badecl --ech pn:$badpn --ech true --ech ecl:$goodecl --ech pn:$goodpn + if [[ "$allgood" != "yes" ]] then echo $LINENO; fi + cli_test $turl 1 0 --ech ecl:$badecl --ech pn:$badpn --ech true --ech pn:$goodpn + if [[ "$allgood" != "yes" ]] then echo $LINENO; fi + cli_test $turl 1 0 --ech ecl:$badecl --ech pn:$goodpn + if [[ "$allgood" != "yes" ]] then echo $LINENO; fi + cli_test $turl 1 0 --ech ecl:$badecl --ech true + if [[ "$allgood" != "yes" ]] then echo $LINENO; fi + cli_test $turl 1 1 --ech ecl:$badecl --ech true --ech ecl:$goodecl + if [[ "$allgood" != "yes" ]] then echo $LINENO; fi + cli_test $turl 1 1 --ech ecl:$badecl --ech true --ech 
ecl:$goodecl --ech pn:$goodpn + if [[ "$allgood" != "yes" ]] then echo $LINENO; fi + cli_test $turl 1 0 --ech ecl:$badecl --ech true --ech pn:$goodpn + if [[ "$allgood" != "yes" ]] then echo $LINENO; fi + cli_test $turl 1 1 --ech ecl:$goodecl + if [[ "$allgood" != "yes" ]] then echo $LINENO; fi + cli_test $turl 1 1 --ech ecl:$goodecl --ech pn:$goodpn + if [[ "$allgood" != "yes" ]] then echo $LINENO; fi + cli_test $turl 1 0 --ech false + if [[ "$allgood" != "yes" ]] then echo $LINENO; fi + cli_test $turl 1 0 --ech false --ech ecl:$badecl + if [[ "$allgood" != "yes" ]] then echo $LINENO; fi + cli_test $turl 1 0 --ech false --ech ecl:$badecl --ech ecl:$goodecl + if [[ "$allgood" != "yes" ]] then echo $LINENO; fi + cli_test $turl 1 0 --ech false --ech ecl:$badecl --ech ecl:$goodecl --ech pn:$goodpn + if [[ "$allgood" != "yes" ]] then echo $LINENO; fi + cli_test $turl 1 0 --ech false --ech ecl:$badecl --ech hard + if [[ "$allgood" != "yes" ]] then echo $LINENO; fi + cli_test $turl 1 1 --ech false --ech ecl:$badecl --ech hard --ech ecl:$goodecl + if [[ "$allgood" != "yes" ]] then echo $LINENO; fi + cli_test $turl 1 1 --ech false --ech ecl:$badecl --ech hard --ech ecl:$goodecl --ech pn:$goodpn + if [[ "$allgood" != "yes" ]] then echo $LINENO; fi + cli_test $turl 1 0 --ech false --ech ecl:$badecl --ech hard --ech pn:$goodpn + if [[ "$allgood" != "yes" ]] then echo $LINENO; fi + cli_test $turl 1 0 --ech false --ech ecl:$badecl --ech hard --ech true + if [[ "$allgood" != "yes" ]] then echo $LINENO; fi + cli_test $turl 1 1 --ech false --ech ecl:$badecl --ech hard --ech true --ech ecl:$goodecl + if [[ "$allgood" != "yes" ]] then echo $LINENO; fi + cli_test $turl 1 1 --ech false --ech ecl:$badecl --ech hard --ech true --ech ecl:$goodecl --ech pn:$goodpn + if [[ "$allgood" != "yes" ]] then echo $LINENO; fi + cli_test $turl 1 0 --ech false --ech ecl:$badecl --ech hard --ech true --ech pn:$goodpn + if [[ "$allgood" != "yes" ]] then echo $LINENO; fi + cli_test $turl 1 0 --ech false 
--ech ecl:$badecl --ech pn:$badpn + if [[ "$allgood" != "yes" ]] then echo $LINENO; fi + cli_test $turl 1 0 --ech false --ech ecl:$badecl --ech pn:$badpn --ech ecl:$goodecl + if [[ "$allgood" != "yes" ]] then echo $LINENO; fi + cli_test $turl 1 0 --ech false --ech ecl:$badecl --ech pn:$badpn --ech ecl:$goodecl --ech pn:$goodpn + if [[ "$allgood" != "yes" ]] then echo $LINENO; fi + cli_test $turl 1 0 --ech false --ech ecl:$badecl --ech pn:$badpn --ech hard + if [[ "$allgood" != "yes" ]] then echo $LINENO; fi + cli_test $turl 1 1 --ech false --ech ecl:$badecl --ech pn:$badpn --ech hard --ech ecl:$goodecl + if [[ "$allgood" != "yes" ]] then echo $LINENO; fi + cli_test $turl 1 1 --ech false --ech ecl:$badecl --ech pn:$badpn --ech hard --ech ecl:$goodecl --ech pn:$goodpn + if [[ "$allgood" != "yes" ]] then echo $LINENO; fi + cli_test $turl 1 0 --ech false --ech ecl:$badecl --ech pn:$badpn --ech hard --ech pn:$goodpn + if [[ "$allgood" != "yes" ]] then echo $LINENO; fi + cli_test $turl 1 0 --ech false --ech ecl:$badecl --ech pn:$badpn --ech hard --ech true + if [[ "$allgood" != "yes" ]] then echo $LINENO; fi + cli_test $turl 1 1 --ech false --ech ecl:$badecl --ech pn:$badpn --ech hard --ech true --ech ecl:$goodecl + if [[ "$allgood" != "yes" ]] then echo $LINENO; fi + cli_test $turl 1 1 --ech false --ech ecl:$badecl --ech pn:$badpn --ech hard --ech true --ech ecl:$goodecl --ech pn:$goodpn + if [[ "$allgood" != "yes" ]] then echo $LINENO; fi + cli_test $turl 1 0 --ech false --ech ecl:$badecl --ech pn:$badpn --ech hard --ech true --ech pn:$goodpn + if [[ "$allgood" != "yes" ]] then echo $LINENO; fi + cli_test $turl 1 0 --ech false --ech ecl:$badecl --ech pn:$badpn --ech pn:$goodpn + if [[ "$allgood" != "yes" ]] then echo $LINENO; fi + cli_test $turl 1 0 --ech false --ech ecl:$badecl --ech pn:$badpn --ech true + if [[ "$allgood" != "yes" ]] then echo $LINENO; fi + cli_test $turl 1 1 --ech false --ech ecl:$badecl --ech pn:$badpn --ech true --ech ecl:$goodecl + if [[ 
"$allgood" != "yes" ]] then echo $LINENO; fi + cli_test $turl 1 1 --ech false --ech ecl:$badecl --ech pn:$badpn --ech true --ech ecl:$goodecl --ech pn:$goodpn + if [[ "$allgood" != "yes" ]] then echo $LINENO; fi + cli_test $turl 1 0 --ech false --ech ecl:$badecl --ech pn:$badpn --ech true --ech pn:$goodpn + if [[ "$allgood" != "yes" ]] then echo $LINENO; fi + cli_test $turl 1 0 --ech false --ech ecl:$badecl --ech pn:$goodpn + if [[ "$allgood" != "yes" ]] then echo $LINENO; fi + cli_test $turl 1 0 --ech false --ech ecl:$badecl --ech true + if [[ "$allgood" != "yes" ]] then echo $LINENO; fi + cli_test $turl 1 1 --ech false --ech ecl:$badecl --ech true --ech ecl:$goodecl + if [[ "$allgood" != "yes" ]] then echo $LINENO; fi + cli_test $turl 1 1 --ech false --ech ecl:$badecl --ech true --ech ecl:$goodecl --ech pn:$goodpn + if [[ "$allgood" != "yes" ]] then echo $LINENO; fi + cli_test $turl 1 0 --ech false --ech ecl:$badecl --ech true --ech pn:$goodpn + if [[ "$allgood" != "yes" ]] then echo $LINENO; fi + cli_test $turl 1 0 --ech false --ech ecl:$goodecl + if [[ "$allgood" != "yes" ]] then echo $LINENO; fi + cli_test $turl 1 0 --ech false --ech ecl:$goodecl --ech pn:$goodpn + if [[ "$allgood" != "yes" ]] then echo $LINENO; fi + cli_test $turl 1 1 --ech false --ech hard + if [[ "$allgood" != "yes" ]] then echo $LINENO; fi + cli_test $turl 1 1 --ech false --ech hard --ech ecl:$goodecl + if [[ "$allgood" != "yes" ]] then echo $LINENO; fi + cli_test $turl 1 1 --ech false --ech hard --ech ecl:$goodecl --ech pn:$goodpn + if [[ "$allgood" != "yes" ]] then echo $LINENO; fi + cli_test $turl 1 1 --ech false --ech hard --ech pn:$goodpn + if [[ "$allgood" != "yes" ]] then echo $LINENO; fi + cli_test $turl 1 1 --ech false --ech hard --ech true + if [[ "$allgood" != "yes" ]] then echo $LINENO; fi + cli_test $turl 1 1 --ech false --ech hard --ech true --ech ecl:$goodecl + if [[ "$allgood" != "yes" ]] then echo $LINENO; fi + cli_test $turl 1 1 --ech false --ech hard --ech true --ech 
ecl:$goodecl --ech pn:$goodpn + if [[ "$allgood" != "yes" ]] then echo $LINENO; fi + cli_test $turl 1 1 --ech false --ech hard --ech true --ech pn:$goodpn + if [[ "$allgood" != "yes" ]] then echo $LINENO; fi + cli_test $turl 1 0 --ech false --ech pn:$badpn + if [[ "$allgood" != "yes" ]] then echo $LINENO; fi + cli_test $turl 1 0 --ech false --ech pn:$badpn --ech ecl:$goodecl + if [[ "$allgood" != "yes" ]] then echo $LINENO; fi + cli_test $turl 1 0 --ech false --ech pn:$badpn --ech ecl:$goodecl --ech pn:$goodpn + if [[ "$allgood" != "yes" ]] then echo $LINENO; fi + cli_test $turl 1 1 --ech false --ech pn:$badpn --ech hard + if [[ "$allgood" != "yes" ]] then echo $LINENO; fi + cli_test $turl 1 1 --ech false --ech pn:$badpn --ech hard --ech ecl:$goodecl + if [[ "$allgood" != "yes" ]] then echo $LINENO; fi + cli_test $turl 1 1 --ech false --ech pn:$badpn --ech hard --ech ecl:$goodecl --ech pn:$goodpn + if [[ "$allgood" != "yes" ]] then echo $LINENO; fi + cli_test $turl 1 1 --ech false --ech pn:$badpn --ech hard --ech pn:$goodpn + if [[ "$allgood" != "yes" ]] then echo $LINENO; fi + cli_test $turl 1 1 --ech false --ech pn:$badpn --ech hard --ech true + if [[ "$allgood" != "yes" ]] then echo $LINENO; fi + cli_test $turl 1 1 --ech false --ech pn:$badpn --ech hard --ech true --ech ecl:$goodecl + if [[ "$allgood" != "yes" ]] then echo $LINENO; fi + cli_test $turl 1 1 --ech false --ech pn:$badpn --ech hard --ech true --ech ecl:$goodecl --ech pn:$goodpn + if [[ "$allgood" != "yes" ]] then echo $LINENO; fi + cli_test $turl 1 1 --ech false --ech pn:$badpn --ech hard --ech true --ech pn:$goodpn + if [[ "$allgood" != "yes" ]] then echo $LINENO; fi + cli_test $turl 1 0 --ech false --ech pn:$badpn --ech pn:$goodpn + if [[ "$allgood" != "yes" ]] then echo $LINENO; fi + cli_test $turl 1 1 --ech false --ech pn:$badpn --ech true + if [[ "$allgood" != "yes" ]] then echo $LINENO; fi + cli_test $turl 1 1 --ech false --ech pn:$badpn --ech true --ech ecl:$goodecl + if [[ "$allgood" != "yes" 
]] then echo $LINENO; fi + cli_test $turl 1 1 --ech false --ech pn:$badpn --ech true --ech ecl:$goodecl --ech pn:$goodpn + if [[ "$allgood" != "yes" ]] then echo $LINENO; fi + cli_test $turl 1 1 --ech false --ech pn:$badpn --ech true --ech pn:$goodpn + if [[ "$allgood" != "yes" ]] then echo $LINENO; fi + cli_test $turl 1 0 --ech false --ech pn:$goodpn + if [[ "$allgood" != "yes" ]] then echo $LINENO; fi + cli_test $turl 1 1 --ech false --ech true + if [[ "$allgood" != "yes" ]] then echo $LINENO; fi + cli_test $turl 1 1 --ech false --ech true --ech ecl:$goodecl + if [[ "$allgood" != "yes" ]] then echo $LINENO; fi + cli_test $turl 1 1 --ech false --ech true --ech ecl:$goodecl --ech pn:$goodpn + if [[ "$allgood" != "yes" ]] then echo $LINENO; fi + cli_test $turl 1 1 --ech false --ech true --ech pn:$goodpn + if [[ "$allgood" != "yes" ]] then echo $LINENO; fi + cli_test $turl 1 1 --ech hard + if [[ "$allgood" != "yes" ]] then echo $LINENO; fi + cli_test $turl 1 1 --ech hard --ech ecl:$goodecl + if [[ "$allgood" != "yes" ]] then echo $LINENO; fi + cli_test $turl 1 1 --ech hard --ech ecl:$goodecl --ech pn:$goodpn + if [[ "$allgood" != "yes" ]] then echo $LINENO; fi + cli_test $turl 1 1 --ech hard --ech pn:$goodpn + if [[ "$allgood" != "yes" ]] then echo $LINENO; fi + cli_test $turl 1 1 --ech hard --ech true + if [[ "$allgood" != "yes" ]] then echo $LINENO; fi + cli_test $turl 1 1 --ech hard --ech true --ech ecl:$goodecl + if [[ "$allgood" != "yes" ]] then echo $LINENO; fi + cli_test $turl 1 1 --ech hard --ech true --ech ecl:$goodecl --ech pn:$goodpn + if [[ "$allgood" != "yes" ]] then echo $LINENO; fi + cli_test $turl 1 1 --ech hard --ech true --ech pn:$goodpn + if [[ "$allgood" != "yes" ]] then echo $LINENO; fi + cli_test $turl 1 0 --ech pn:$badpn + if [[ "$allgood" != "yes" ]] then echo $LINENO; fi + cli_test $turl 1 1 --ech pn:$badpn --ech ecl:$goodecl + if [[ "$allgood" != "yes" ]] then echo $LINENO; fi + cli_test $turl 1 1 --ech pn:$badpn --ech ecl:$goodecl --ech 
pn:$goodpn + if [[ "$allgood" != "yes" ]] then echo $LINENO; fi + cli_test $turl 1 1 --ech pn:$badpn --ech hard + if [[ "$allgood" != "yes" ]] then echo $LINENO; fi + cli_test $turl 1 1 --ech pn:$badpn --ech hard --ech ecl:$goodecl + if [[ "$allgood" != "yes" ]] then echo $LINENO; fi + cli_test $turl 1 1 --ech pn:$badpn --ech hard --ech ecl:$goodecl --ech pn:$goodpn + if [[ "$allgood" != "yes" ]] then echo $LINENO; fi + cli_test $turl 1 1 --ech pn:$badpn --ech hard --ech pn:$goodpn + if [[ "$allgood" != "yes" ]] then echo $LINENO; fi + cli_test $turl 1 1 --ech pn:$badpn --ech hard --ech true + if [[ "$allgood" != "yes" ]] then echo $LINENO; fi + cli_test $turl 1 1 --ech pn:$badpn --ech hard --ech true --ech ecl:$goodecl + if [[ "$allgood" != "yes" ]] then echo $LINENO; fi + cli_test $turl 1 1 --ech pn:$badpn --ech hard --ech true --ech ecl:$goodecl --ech pn:$goodpn + if [[ "$allgood" != "yes" ]] then echo $LINENO; fi + cli_test $turl 1 1 --ech pn:$badpn --ech hard --ech true --ech pn:$goodpn + if [[ "$allgood" != "yes" ]] then echo $LINENO; fi + cli_test $turl 1 0 --ech pn:$badpn --ech pn:$goodpn + if [[ "$allgood" != "yes" ]] then echo $LINENO; fi + cli_test $turl 1 1 --ech pn:$badpn --ech true + if [[ "$allgood" != "yes" ]] then echo $LINENO; fi + cli_test $turl 1 1 --ech pn:$badpn --ech true --ech ecl:$goodecl + if [[ "$allgood" != "yes" ]] then echo $LINENO; fi + cli_test $turl 1 1 --ech pn:$badpn --ech true --ech ecl:$goodecl --ech pn:$goodpn + if [[ "$allgood" != "yes" ]] then echo $LINENO; fi + cli_test $turl 1 1 --ech pn:$badpn --ech true --ech pn:$goodpn + if [[ "$allgood" != "yes" ]] then echo $LINENO; fi + cli_test $turl 1 0 --ech pn:$goodpn + if [[ "$allgood" != "yes" ]] then echo $LINENO; fi + cli_test $turl 1 1 --ech true + if [[ "$allgood" != "yes" ]] then echo $LINENO; fi + cli_test $turl 1 1 --ech true --ech ecl:$goodecl + if [[ "$allgood" != "yes" ]] then echo $LINENO; fi + cli_test $turl 1 1 --ech true --ech ecl:$goodecl --ech pn:$goodpn + if [[ 
"$allgood" != "yes" ]] then echo $LINENO; fi + cli_test $turl 1 1 --ech true --ech pn:$goodpn + if [[ "$allgood" != "yes" ]] then echo $LINENO; fi + cli_test $turl 1 0 + if [[ "$allgood" != "yes" ]] then echo $LINENO; fi + cli_test $turl 1 1 --ech ecl:$goodecl + if [[ "$allgood" != "yes" ]] then echo $LINENO; fi + cli_test $turl 1 1 --ech ecl:$goodecl --ech pn:$goodpn + if [[ "$allgood" != "yes" ]] then echo $LINENO; fi + cli_test $turl 1 0 --ech pn:$goodpn + if [[ "$allgood" != "yes" ]] then echo $LINENO; fi + cli_test $turl 1 1 --ech true + if [[ "$allgood" != "yes" ]] then echo $LINENO; fi + cli_test $turl 1 1 --ech true --ech ecl:$goodecl + if [[ "$allgood" != "yes" ]] then echo $LINENO; fi + cli_test $turl 1 1 --ech true --ech ecl:$goodecl --ech pn:$goodpn + if [[ "$allgood" != "yes" ]] then echo $LINENO; fi + cli_test $turl 1 1 --ech true --ech pn:$goodpn + if [[ "$allgood" != "yes" ]] then echo $LINENO; fi + + # a target URL that doesn't support ECH + turl="https://tcd.ie" + echo "cli_test with $turl" + echo "cli_test with $turl" >>$logfile + # the params below don't matter much here as we'll fail anyway + echconfiglist=$(get_ech_configlist defo.ie) + goodecl=$echconfiglist + badecl=$goodecl + goodpn="tcd.ie" + badpn="tcd.ie" + cli_test $turl 1 0 + cli_test $turl 1 0 --ech ecl:$badecl + cli_test $turl 1 0 --ech ecl:$badecl --ech ecl:$goodecl + cli_test $turl 1 0 --ech ecl:$badecl --ech ecl:$goodecl --ech pn:$goodpn + cli_test $turl 1 0 --ech ecl:$badecl --ech hard + cli_test $turl 1 0 --ech ecl:$badecl --ech hard --ech ecl:$goodecl + cli_test $turl 1 0 --ech ecl:$badecl --ech hard --ech ecl:$goodecl --ech pn:$goodpn + cli_test $turl 1 0 --ech ecl:$badecl --ech hard --ech pn:$goodpn + cli_test $turl 1 0 --ech ecl:$badecl --ech hard --ech true + cli_test $turl 1 0 --ech ecl:$badecl --ech hard --ech true --ech ecl:$goodecl + cli_test $turl 1 0 --ech ecl:$badecl --ech hard --ech true --ech ecl:$goodecl --ech pn:$goodpn + cli_test $turl 1 0 --ech ecl:$badecl 
--ech hard --ech true --ech pn:$goodpn + cli_test $turl 1 0 --ech ecl:$badecl --ech pn:$badpn + cli_test $turl 1 0 --ech ecl:$badecl --ech pn:$badpn --ech ecl:$goodecl + cli_test $turl 1 0 --ech ecl:$badecl --ech pn:$badpn --ech ecl:$goodecl --ech pn:$goodpn + cli_test $turl 1 0 --ech ecl:$badecl --ech pn:$badpn --ech hard + cli_test $turl 1 0 --ech ecl:$badecl --ech pn:$badpn --ech hard --ech ecl:$goodecl + cli_test $turl 1 0 --ech ecl:$badecl --ech pn:$badpn --ech hard --ech ecl:$goodecl --ech pn:$goodpn + cli_test $turl 1 0 --ech ecl:$badecl --ech pn:$badpn --ech hard --ech pn:$goodpn + cli_test $turl 1 0 --ech ecl:$badecl --ech pn:$badpn --ech hard --ech true + cli_test $turl 1 0 --ech ecl:$badecl --ech pn:$badpn --ech hard --ech true --ech ecl:$goodecl + cli_test $turl 1 0 --ech ecl:$badecl --ech pn:$badpn --ech hard --ech true --ech ecl:$goodecl --ech pn:$goodpn + cli_test $turl 1 0 --ech ecl:$badecl --ech pn:$badpn --ech hard --ech true --ech pn:$goodpn + cli_test $turl 1 0 --ech ecl:$badecl --ech pn:$badpn --ech pn:$goodpn + cli_test $turl 1 0 --ech ecl:$badecl --ech pn:$badpn --ech true + cli_test $turl 1 0 --ech ecl:$badecl --ech pn:$badpn --ech true --ech ecl:$goodecl + cli_test $turl 1 0 --ech ecl:$badecl --ech pn:$badpn --ech true --ech ecl:$goodecl --ech pn:$goodpn + cli_test $turl 1 0 --ech ecl:$badecl --ech pn:$badpn --ech true --ech pn:$goodpn + cli_test $turl 1 0 --ech ecl:$badecl --ech pn:$goodpn + cli_test $turl 1 0 --ech ecl:$badecl --ech true + cli_test $turl 1 0 --ech ecl:$badecl --ech true --ech ecl:$goodecl + cli_test $turl 1 0 --ech ecl:$badecl --ech true --ech ecl:$goodecl --ech pn:$goodpn + cli_test $turl 1 0 --ech ecl:$badecl --ech true --ech pn:$goodpn + cli_test $turl 1 0 --ech ecl:$goodecl + cli_test $turl 1 0 --ech ecl:$goodecl --ech pn:$goodpn + cli_test $turl 1 0 --ech false + cli_test $turl 1 0 --ech false --ech ecl:$badecl + cli_test $turl 1 0 --ech false --ech ecl:$badecl --ech ecl:$goodecl + cli_test $turl 1 0 --ech false 
--ech ecl:$badecl --ech ecl:$goodecl --ech pn:$goodpn + cli_test $turl 1 0 --ech false --ech ecl:$badecl --ech hard + cli_test $turl 1 0 --ech false --ech ecl:$badecl --ech hard --ech ecl:$goodecl + cli_test $turl 1 0 --ech false --ech ecl:$badecl --ech hard --ech ecl:$goodecl --ech pn:$goodpn + cli_test $turl 1 0 --ech false --ech ecl:$badecl --ech hard --ech pn:$goodpn + cli_test $turl 1 0 --ech false --ech ecl:$badecl --ech hard --ech true + cli_test $turl 1 0 --ech false --ech ecl:$badecl --ech hard --ech true --ech ecl:$goodecl + cli_test $turl 1 0 --ech false --ech ecl:$badecl --ech hard --ech true --ech ecl:$goodecl --ech pn:$goodpn + cli_test $turl 1 0 --ech false --ech ecl:$badecl --ech hard --ech true --ech pn:$goodpn + cli_test $turl 1 0 --ech false --ech ecl:$badecl --ech pn:$badpn + cli_test $turl 1 0 --ech false --ech ecl:$badecl --ech pn:$badpn --ech ecl:$goodecl + cli_test $turl 1 0 --ech false --ech ecl:$badecl --ech pn:$badpn --ech ecl:$goodecl --ech pn:$goodpn + cli_test $turl 1 0 --ech false --ech ecl:$badecl --ech pn:$badpn --ech hard + cli_test $turl 1 0 --ech false --ech ecl:$badecl --ech pn:$badpn --ech hard --ech ecl:$goodecl + cli_test $turl 1 0 --ech false --ech ecl:$badecl --ech pn:$badpn --ech hard --ech ecl:$goodecl --ech pn:$goodpn + cli_test $turl 1 0 --ech false --ech ecl:$badecl --ech pn:$badpn --ech hard --ech pn:$goodpn + cli_test $turl 1 0 --ech false --ech ecl:$badecl --ech pn:$badpn --ech hard --ech true + cli_test $turl 1 0 --ech false --ech ecl:$badecl --ech pn:$badpn --ech hard --ech true --ech ecl:$goodecl + cli_test $turl 1 0 --ech false --ech ecl:$badecl --ech pn:$badpn --ech hard --ech true --ech ecl:$goodecl --ech pn:$goodpn + cli_test $turl 1 0 --ech false --ech ecl:$badecl --ech pn:$badpn --ech hard --ech true --ech pn:$goodpn + cli_test $turl 1 0 --ech false --ech ecl:$badecl --ech pn:$badpn --ech pn:$goodpn + cli_test $turl 1 0 --ech false --ech ecl:$badecl --ech pn:$badpn --ech true + cli_test $turl 1 0 --ech 
false --ech ecl:$badecl --ech pn:$badpn --ech true --ech ecl:$goodecl + cli_test $turl 1 0 --ech false --ech ecl:$badecl --ech pn:$badpn --ech true --ech ecl:$goodecl --ech pn:$goodpn + cli_test $turl 1 0 --ech false --ech ecl:$badecl --ech pn:$badpn --ech true --ech pn:$goodpn + cli_test $turl 1 0 --ech false --ech ecl:$badecl --ech pn:$goodpn + cli_test $turl 1 0 --ech false --ech ecl:$badecl --ech true + cli_test $turl 1 0 --ech false --ech ecl:$badecl --ech true --ech ecl:$goodecl + cli_test $turl 1 0 --ech false --ech ecl:$badecl --ech true --ech ecl:$goodecl --ech pn:$goodpn + cli_test $turl 1 0 --ech false --ech ecl:$badecl --ech true --ech pn:$goodpn + cli_test $turl 1 0 --ech false --ech ecl:$goodecl + cli_test $turl 1 0 --ech false --ech ecl:$goodecl --ech pn:$goodpn + cli_test $turl 1 0 --ech false --ech hard + cli_test $turl 1 0 --ech false --ech hard --ech ecl:$goodecl + cli_test $turl 1 0 --ech false --ech hard --ech ecl:$goodecl --ech pn:$goodpn + cli_test $turl 1 0 --ech false --ech hard --ech pn:$goodpn + cli_test $turl 1 0 --ech false --ech hard --ech true + cli_test $turl 1 0 --ech false --ech hard --ech true --ech ecl:$goodecl + cli_test $turl 1 0 --ech false --ech hard --ech true --ech ecl:$goodecl --ech pn:$goodpn + cli_test $turl 1 0 --ech false --ech hard --ech true --ech pn:$goodpn + cli_test $turl 1 0 --ech false --ech pn:$badpn + cli_test $turl 1 0 --ech false --ech pn:$badpn --ech ecl:$goodecl + cli_test $turl 1 0 --ech false --ech pn:$badpn --ech ecl:$goodecl --ech pn:$goodpn + cli_test $turl 1 0 --ech false --ech pn:$badpn --ech hard + cli_test $turl 1 0 --ech false --ech pn:$badpn --ech hard --ech ecl:$goodecl + cli_test $turl 1 0 --ech false --ech pn:$badpn --ech hard --ech ecl:$goodecl --ech pn:$goodpn + cli_test $turl 1 0 --ech false --ech pn:$badpn --ech hard --ech pn:$goodpn + cli_test $turl 1 0 --ech false --ech pn:$badpn --ech hard --ech true + cli_test $turl 1 0 --ech false --ech pn:$badpn --ech hard --ech true --ech 
ecl:$goodecl + cli_test $turl 1 0 --ech false --ech pn:$badpn --ech hard --ech true --ech ecl:$goodecl --ech pn:$goodpn + cli_test $turl 1 0 --ech false --ech pn:$badpn --ech hard --ech true --ech pn:$goodpn + cli_test $turl 1 0 --ech false --ech pn:$badpn --ech pn:$goodpn + cli_test $turl 1 0 --ech false --ech pn:$badpn --ech true + cli_test $turl 1 0 --ech false --ech pn:$badpn --ech true --ech ecl:$goodecl + cli_test $turl 1 0 --ech false --ech pn:$badpn --ech true --ech ecl:$goodecl --ech pn:$goodpn + cli_test $turl 1 0 --ech false --ech pn:$badpn --ech true --ech pn:$goodpn + cli_test $turl 1 0 --ech false --ech pn:$goodpn + cli_test $turl 1 0 --ech false --ech true + cli_test $turl 1 0 --ech false --ech true --ech ecl:$goodecl + cli_test $turl 1 0 --ech false --ech true --ech ecl:$goodecl --ech pn:$goodpn + cli_test $turl 1 0 --ech false --ech true --ech pn:$goodpn + cli_test $turl 1 0 --ech hard + cli_test $turl 1 0 --ech hard --ech ecl:$goodecl + cli_test $turl 1 0 --ech hard --ech ecl:$goodecl --ech pn:$goodpn + cli_test $turl 1 0 --ech hard --ech pn:$goodpn + cli_test $turl 1 0 --ech hard --ech true + cli_test $turl 1 0 --ech hard --ech true --ech ecl:$goodecl + cli_test $turl 1 0 --ech hard --ech true --ech ecl:$goodecl --ech pn:$goodpn + cli_test $turl 1 0 --ech hard --ech true --ech pn:$goodpn + cli_test $turl 1 0 --ech pn:$badpn + cli_test $turl 1 0 --ech pn:$badpn --ech ecl:$goodecl + cli_test $turl 1 0 --ech pn:$badpn --ech ecl:$goodecl --ech pn:$goodpn + cli_test $turl 1 0 --ech pn:$badpn --ech hard + cli_test $turl 1 0 --ech pn:$badpn --ech hard --ech ecl:$goodecl + cli_test $turl 1 0 --ech pn:$badpn --ech hard --ech ecl:$goodecl --ech pn:$goodpn + cli_test $turl 1 0 --ech pn:$badpn --ech hard --ech pn:$goodpn + cli_test $turl 1 0 --ech pn:$badpn --ech hard --ech true + cli_test $turl 1 0 --ech pn:$badpn --ech hard --ech true --ech ecl:$goodecl + cli_test $turl 1 0 --ech pn:$badpn --ech hard --ech true --ech ecl:$goodecl --ech pn:$goodpn + 
cli_test $turl 1 0 --ech pn:$badpn --ech hard --ech true --ech pn:$goodpn + cli_test $turl 1 0 --ech pn:$badpn --ech pn:$goodpn + cli_test $turl 1 0 --ech pn:$badpn --ech true + cli_test $turl 1 0 --ech pn:$badpn --ech true --ech ecl:$goodecl + cli_test $turl 1 0 --ech pn:$badpn --ech true --ech ecl:$goodecl --ech pn:$goodpn + cli_test $turl 1 0 --ech pn:$badpn --ech true --ech pn:$goodpn + cli_test $turl 1 0 --ech pn:$goodpn + cli_test $turl 1 0 --ech true + cli_test $turl 1 0 --ech true --ech ecl:$goodecl + cli_test $turl 1 0 --ech true --ech ecl:$goodecl --ech pn:$goodpn + cli_test $turl 1 0 --ech true --ech pn:$goodpn + cli_test $turl 1 0 + cli_test $turl 1 0 --ech ecl:$goodecl + cli_test $turl 1 0 --ech ecl:$goodecl --ech pn:$goodpn + cli_test $turl 1 0 --ech pn:$goodpn + cli_test $turl 1 0 --ech true + cli_test $turl 1 0 --ech true --ech ecl:$goodecl + cli_test $turl 1 0 --ech true --ech ecl:$goodecl --ech pn:$goodpn + cli_test $turl 1 0 --ech true --ech pn:$goodpn +fi + + +END=$(whenisitagain) +echo "Finished $0 at $END" >>$logfile +echo "-----" >>$logfile + +if [[ "$allgood" == "yes" ]] +then + echo "Finished $0 at $END" + echo "All good, log in $logfile" + exit 0 +else + echo "Finished $0 at $END" + echo "NOT all good, log in $logfile" +fi + +# send a mail to root (will be fwd'd) but just once every 24 hours +# 'cause we only really need "new" news +itsnews="yes" +age_of_news=0 +if [ -f $LTOP/bad_runs ] +then + age_of_news=$(fileage $LTOP/bad_runs) + # only consider news "new" if we haven't mailed today + if ((age_of_news < 24*3600)) + then + itsnews="no" + fi +fi +if [[ "$DOMAIL" == "yes" && "$itsnews" == "yes" ]] +then + echo "ECH badness at $NOW" | mail -s "ECH badness at $NOW" root +fi +# add to list of bad runs (updating file age) +echo "ECH badness at $NOW" >>$LTOP/bad_runs +exit 2 + From 09b050d6e3b0bfac138f629eaa649cc72496c98f Mon Sep 17 00:00:00 2001 
From: Stephen Farrell Date: Fri, 12 Jan 2024 20:33:06 +0000 Subject: [PATCH 02/21] rebased with upstream --- docs/ECH.md | 6 ++++++ lib/vtls/openssl.c | 8 ++++---- src/tool_getparam.c | 25 +++++++++++++------------ 3 files changed, 23 insertions(+), 16 deletions(-) diff --git a/docs/ECH.md b/docs/ECH.md index d56f77f9e002ab..4832b630c762e2 100644 --- a/docs/ECH.md +++ b/docs/ECH.md @@ -48,6 +48,9 @@ isn't enabled, so go back some steps and re-do whatever needs re-doing:-) If you want to debug curl then you should add ``--enable-debug`` to the ``configure`` command. +You may need to install some libraries to get ``configrure`` to +work, e.g. I recently had to add ``sudo apt install libpsl-dev`` + ## Building with cmake This is not working cleanly yet, but to build with cmake: @@ -309,6 +312,9 @@ tool. attempts ECH with various test servers. While that is a useful test and does find issues (e.g. with the wolfSSL build), it's nowhere near comprehensive and we're not (as yet) sure what would be the right level of coverage. +Note that when running that you should not have a ``$HOME/.curlrc`` file +that affects ECH or some of the negative tests could produce spurious +failures. ## WolfSSL build diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c index 3a603eee3d4dcc..bbd24202efdba8 100644 --- a/lib/vtls/openssl.c +++ b/lib/vtls/openssl.c @@ -3873,7 +3873,7 @@ static CURLcode ossl_connect_step1(struct Curl_cfilter *cf, else { struct Curl_dns_entry *dns = NULL; - dns = Curl_fetch_addr(data, connssl->hostname, connssl->port); + dns = Curl_fetch_addr(data, connssl->peer.hostname, connssl->port); if(!dns) { infof(data, "ECH: requested but no DNS info available"); if(data->set.tls_ech & (1 << CURLECH_HARD)) 
@@ -3922,10 +3922,10 @@ static CURLcode ossl_connect_step1(struct Curl_cfilter *cf, # else if(trying_ech_now && outername) { infof(data, "ECH: inner: '%s', outer: '%s'", - hostname, outername); + connssl->peer.hostname, outername); result = SSL_ech_set_server_names(backend->handle, - hostname, outername, - 0 /* do send outer */); + connssl->peer.hostname, outername, + 0 /* do send outer */); if(result != 1) { infof(data, "ECH: rv failed to set server name(s) %d [ERROR]", result); return CURLE_SSL_CONNECT_ERROR; diff --git a/src/tool_getparam.c b/src/tool_getparam.c index 4f5129e1258dfa..ed992cea8346c6 100644 --- a/src/tool_getparam.c +++ b/src/tool_getparam.c @@ -123,6 +123,9 @@ typedef enum { C_DOH_INSECURE, C_DOH_URL, C_DUMP_HEADER, +#ifdef USE_ECH + C_ECH, +#endif C_EGD_FILE, C_ENGINE, C_EPRT, @@ -339,10 +342,7 @@ typedef enum { C_VERSION, C_WDEBUG, C_WRITE_OUT, - C_XATTR, -#ifdef USE_ECH - C_ECH -#endif + C_XATTR } cmdline_t; struct LongShort { @@ -407,6 +407,9 @@ static const struct LongShort aliases[]= { {"doh-insecure", ARG_BOOL, ' ', C_DOH_INSECURE}, {"doh-url" , ARG_STRG, ' ', C_DOH_URL}, {"dump-header", ARG_FILE, 'D', C_DUMP_HEADER}, +#ifdef USE_ECH + {"ech", ARG_STRG, ' ', C_ECH}, +#endif {"egd-file", ARG_STRG, ' ', C_EGD_FILE}, {"engine", ARG_STRG, ' ', C_ENGINE}, {"eprt", ARG_BOOL, ' ', C_EPRT}, @@ -626,9 +629,6 @@ static const struct LongShort aliases[]= { #endif {"write-out", ARG_STRG, 'w', C_WRITE_OUT}, {"xattr", ARG_BOOL, ' ', C_XATTR}, -#ifdef USE_ECH - {"ech", ARG_STRG, ' ', C_ECH}, -#endif }; /* Split the argument of -E to 'certname' and 'passphrase' separated by colon. 
@@ -2081,17 +2081,18 @@ ParameterError getparameter(const char *flag, /* f or -long-flag */ if(!err && config->engine && !strcmp(config->engine, "list")) { err = PARAM_ENGINES_REQUESTED; - break; + } + break; #ifdef USE_ECH - case C_ECH: + case C_ECH: /* --ech */ if(strlen(nextarg) > 4 && strncasecompare("pn:", nextarg, 3)) { /* a public_name */ - GetStr(&config->ech_public, nextarg); + err = getstr(&config->ech_public, nextarg, DENY_BLANK); } else if(strlen(nextarg) > 5 && strncasecompare("ecl:", nextarg, 4)) { /* an ECHConfigList */ if('@' != *(nextarg + 4)) { - GetStr(&config->ech_config, nextarg); + err = getstr(&config->ech_config, nextarg, DENY_BLANK); } else { /* Indirect case: @filename or @- for stdin */ @@ -2125,7 +2126,7 @@ ParameterError getparameter(const char *flag, /* f or -long-flag */ } else { /* Simple case: just a string, with a keyword */ - GetStr(&config->ech, nextarg); + err = getstr(&config->ech, nextarg, DENY_BLANK); } break; #endif From 98a1ffff83be006ef839a8edad16ede5752592f4 Mon Sep 17 00:00:00 2001 From: Stephen Farrell Date: Sat, 13 Jan 2024 02:37:10 +0000 Subject: [PATCH 03/21] fix signed issue from CI --- lib/doh.c | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/lib/doh.c b/lib/doh.c index 59862cb38809f0..cbbfa5b71e1fa6 100644 --- a/lib/doh.c +++ b/lib/doh.c @@ -1036,13 +1036,13 @@ static CURLcode local_decode_rdata_name(unsigned char **buf, size_t *remaining, char **dnsname) { unsigned char *cp = NULL; - size_t rem = 0; + int rem = 0; char *thename = NULL, *tp = NULL; unsigned char clen = 0; /* chunk len */ if(!buf || !remaining || !dnsname) return CURLE_OUT_OF_MEMORY; - rem = *remaining; + rem = (int)*remaining; thename = calloc(1, CURL_MAXLEN_host_name); if(!thename) return CURLE_OUT_OF_MEMORY; 
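Review bot: Narrowing the remaining-length counter to `int rem` and `rem = (int)*remaining;` trades a sign-compare warning for a truncating cast; a `*remaining` above INT_MAX would go negative, and the `clen >= rem` and `rem <= 0` guards added in the two later lib/doh.c hunks would then reject a well-formed name (fail-closed, presumably never reached for a DoH answer, but still an unnecessary assumption on the caller). Keeping `size_t rem = 0;` / `rem = *remaining;` and writing the guards as `if((size_t)clen >= rem)` and `if(!rem)` gives the same underflow protection without the cast, since the `>=` form already guarantees `rem -= (clen + 1)` cannot wrap. Separately, every malformed-name exit here returns CURLE_OUT_OF_MEMORY, so a truncated or hostile DNS answer is logged as an allocation failure; a parse-failure code would make such responses distinguishable in diagnostics. local_decode_rdata_name's body continues outside these hunks.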
@@ -1055,7 +1055,7 @@ static CURLcode local_decode_rdata_name(unsigned char **buf, size_t *remaining, thename[1] = 0x00; } while(clen) { - if(clen > rem) { + if(clen >= rem) { free(thename); return CURLE_OUT_OF_MEMORY; } @@ -1068,9 +1068,17 @@ static CURLcode local_decode_rdata_name(unsigned char **buf, size_t *remaining, *tp++ = '.'; cp += clen; rem -= (clen + 1); + if(rem<=0) { + free(thename); + return CURLE_OUT_OF_MEMORY; + } clen = *cp++; } *buf = cp; + if(rem<=0) { + free(thename); + return CURLE_OUT_OF_MEMORY; + } *remaining = rem - 1; *dnsname = thename; return CURLE_OK; From b5b3349839fdb58647891d69a9d4bb05338afe84 Mon Sep 17 00:00:00 2001 From: Stephen Farrell Date: Sat, 13 Jan 2024 02:45:49 +0000 Subject: [PATCH 04/21] spaces --- lib/doh.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/doh.c b/lib/doh.c index cbbfa5b71e1fa6..c8d89123870b95 100644 --- a/lib/doh.c +++ b/lib/doh.c @@ -1068,14 +1068,14 @@ static CURLcode local_decode_rdata_name(unsigned char **buf, size_t *remaining, *tp++ = '.'; cp += clen; rem -= (clen + 1); - if(rem<=0) { + if(rem <= 0) { free(thename); return CURLE_OUT_OF_MEMORY; } clen = *cp++; } *buf = cp; - if(rem<=0) { + if(rem <= 0) { free(thename); return CURLE_OUT_OF_MEMORY; } From 6e503fa734b91173df61e76789d97c4b299e0e4b Mon Sep 17 00:00:00 2001 From: Stephen Farrell Date: Sat, 13 Jan 2024 03:18:37 +0000 Subject: [PATCH 05/21] moar CI happiness hopefully --- docs/libcurl/opts/CURLOPT_ECH.3 | 12 ++++++---- tests/ech_combos.py | 42 ++++++++++++++++++++++++--------- 2 files changed, 38 insertions(+), 16 deletions(-) diff --git a/docs/libcurl/opts/CURLOPT_ECH.3 b/docs/libcurl/opts/CURLOPT_ECH.3 index 7007bba124d7d7..622b79b9511c4a 100644 --- a/docs/libcurl/opts/CURLOPT_ECH.3 +++ b/docs/libcurl/opts/CURLOPT_ECH.3 
@@ -57,12 +57,14 @@ NULL, meaning ECH is disabled. TLS, and requires TLS1.3. .SH EXAMPLE .nf -CURL *curl = curl_easy_init(); +int main(void) { + CURL *curl = curl_easy_init(); + const char *config ="ecl:AED+DQA87wAgACB/RuzUCsW3uBbSFI7mzD63TUXpI8sGDTnFTbFCDpa+CAAEAAEAAQANY292ZXIuZGVmby5pZQAA"; -const char *config ="ecl:AED+DQA87wAgACB/RuzUCsW3uBbSFI7mzD63TUXpI8sGDTnFTbFCDpa+CAAEAAEAAQANY292ZXIuZGVmby5pZQAA"; -if(curl) { - curl_easy_setopt(curl, CURLOPT_ECH, config); - curl_easy_perform(curl); + if(curl) { + curl_easy_setopt(curl, CURLOPT_ECH, config); + curl_easy_perform(curl); + } } .fi .SH AVAILABILITY diff --git a/tests/ech_combos.py b/tests/ech_combos.py index d21621533bbb41..7f41198671b172 100755 --- a/tests/ech_combos.py +++ b/tests/ech_combos.py 
@@ -1,15 +1,35 @@ -#!/usr/bin/python -# Python3 program to print all combination -# of size r in an array of size n -# used to generate test lines in tests/ech_test.sh +#!/usr/bin/env python3 +# -*- coding: utf-8 -*- +#*************************************************************************** +# _ _ ____ _ +# Project ___| | | | _ \| | +# / __| | | | |_) | | +# | (__| |_| | _ <| |___ +# \___|\___/|_| \_\_____| +# +# Copyright (C) Daniel Stenberg, , et al. +# +# This software is licensed as described in the file COPYING, which +# you should have received as part of this distribution. The terms +# are also available at https://curl.se/docs/copyright.html. +# +# You may opt to use, copy, modify, merge, publish, distribute and/or sell +# copies of the Software, and permit persons to whom the Software is +# furnished to do so, under the terms of the COPYING file. +# +# This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY +# KIND, either express or implied. +# +# SPDX-License-Identifier: curl +# +########################################################################### +# +# Python3 program to print all combination of size r in an array of size n. +# This is used to generate test lines in tests/ech_test.sh. +# This will be discarded in the process of moving from experimental, +# but is worth preserving for the moment in case of changes to the +# ECH command line args -''' arr[] ---> Input Array - chosen[] ---> Temporary array to store - current combination - start & end ---> Starting and Ending indexes in arr[] - r---> Size of a combination to be printed - - ''' def CombinationRepetitionUtil(chosen, arr, badarr, index, r, start, end): From 59c52c46f03f3c661d8dddd34cb1f1d6ce9745c1 Mon Sep 17 00:00:00 2001 
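Review bot: The removed module docstring was the only place the parameters of `CombinationRepetitionUtil` were explained (`arr` the input list, `chosen` the combination being built, `start`/`end` the index window into `arr`, `r` the combination size), and the new header comment does not replace it; `badarr` has never been described. Move that text into a docstring on the function itself so it survives header rewrites, with a one-line description of `badarr` added by the author who knows its role. The function body continues outside the hunk.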
From: Stephen Farrell Date: Sat, 13 Jan 2024 20:40:33 +0000 Subject: [PATCH 06/21] some docs/CI test tweaks --- docs/ECH.md | 4 +++- docs/libcurl/libcurl-errors.md | 4 ++++ docs/libcurl/opts/CURLOPT_ECH.3 | 6 ++++-- docs/libcurl/symbols-in-versions | 3 ++- lib/easyoptions.c | 2 +- src/tool_listhelp.c | 9 +++------ 6 files changed, 17 insertions(+), 11 deletions(-) diff --git a/docs/ECH.md b/docs/ECH.md index 4832b630c762e2..83cb6daf2dd67d 100644 --- a/docs/ECH.md +++ b/docs/ECH.md @@ -483,7 +483,9 @@ As of now we have not: - added support for using ``retry_config`` handling in the application - for a command line tool, one can just use ``dig`` (or ``kdig``) to get the HTTPS - RR and pass the ECHConfigList from that on the command line, if needed + RR and pass the ECHConfigList from that on the command line, if needed, or + one can access the value from command line output in verbose more and then + re-use that in another invocation. Both our OpenSSL fork and boringssl have APIs for both controlling GREASE and accessing and logging ``retry_configs``, it seems WolfSSL has neither. diff --git a/docs/libcurl/libcurl-errors.md b/docs/libcurl/libcurl-errors.md index eb75753b0fe3e8..c08195f32f3c35 100644 --- a/docs/libcurl/libcurl-errors.md +++ b/docs/libcurl/libcurl-errors.md @@ -485,6 +485,10 @@ An internal call to poll() or select() returned error that is not recoverable. A value or data field grew larger than allowed. +# CURLE_ECH_REQUIRED (101)" + +ECH was attempted but failed. + # CURLMcode This is the generic return code used by functions in the libcurl multi diff --git a/docs/libcurl/opts/CURLOPT_ECH.3 b/docs/libcurl/opts/CURLOPT_ECH.3 index 622b79b9511c4a..a519440fe7c56a 100644 --- a/docs/libcurl/opts/CURLOPT_ECH.3 +++ b/docs/libcurl/opts/CURLOPT_ECH.3 
@@ -57,9 +57,11 @@ NULL, meaning ECH is disabled. TLS, and requires TLS1.3. .SH EXAMPLE .nf -int main(void) { +int main(void) +{ CURL *curl = curl_easy_init(); - const char *config ="ecl:AED+DQA87wAgACB/RuzUCsW3uBbSFI7mzD63TUXpI8sGDTnFTbFCDpa+CAAEAAEAAQANY292ZXIuZGVmby5pZQAA"; + const char *config ="ecl:AED+DQA87wAgACB/RuzUCsW3uBbSFI7mzD63TUXpI8sGDT" + "nFTbFCDpa+CAAEAAEAAQANY292ZXIuZGVmby5pZQAA"; if(curl) { curl_easy_setopt(curl, CURLOPT_ECH, config); diff --git a/docs/libcurl/symbols-in-versions b/docs/libcurl/symbols-in-versions index 16035a24b7098f..5d47d02254577e 100644 --- a/docs/libcurl/symbols-in-versions +++ b/docs/libcurl/symbols-in-versions @@ -340,6 +340,7 @@ CURLE_URL_MALFORMAT_USER 7.1 7.17.0 CURLE_USE_SSL_FAILED 7.17.0 CURLE_WEIRD_SERVER_REPLY 7.51.0 CURLE_WRITE_ERROR 7.1 +CURLE_ECH_REQUIRED 8.6.0 CURLFILETYPE_DEVICE_BLOCK 7.21.0 CURLFILETYPE_DEVICE_CHAR 7.21.0 CURLFILETYPE_DIRECTORY 7.21.0 @@ -616,7 +617,7 @@ CURLOPT_DOH_SSL_VERIFYHOST 7.76.0 CURLOPT_DOH_SSL_VERIFYPEER 7.76.0 CURLOPT_DOH_SSL_VERIFYSTATUS 7.76.0 CURLOPT_DOH_URL 7.62.0 -CURLOPT_ECH 8.4.0 +CURLOPT_ECH 8.6.0 CURLOPT_EGDSOCKET 7.7 7.84.0 CURLOPT_ENCODING 7.10 7.21.6 CURLOPT_ERRORBUFFER 7.1 diff --git a/lib/easyoptions.c b/lib/easyoptions.c index ad2a1df120db5c..edd3da6683cb5c 100644 --- a/lib/easyoptions.c +++ b/lib/easyoptions.c @@ -376,6 +376,6 @@ struct curl_easyoption Curl_easyopts[] = { */ int Curl_easyopts_check(void) { - return ((CURLOPT_LASTENTRY%10000) != (324 + 1)); + return ((CURLOPT_LASTENTRY%10000) != (325 + 1)); } #endif diff --git a/src/tool_listhelp.c b/src/tool_listhelp.c index c562d509662433..1820b7adb6ad0a 100644 --- a/src/tool_listhelp.c +++ b/src/tool_listhelp.c 
@@ -168,12 +168,9 @@ const struct helptxt helptext[] = { {"-D, --dump-header ", "Write the received headers to ", CURLHELP_HTTP | CURLHELP_FTP}, -#ifdef USE_ECH - {" --ech ", - "Encrypted Client Hello controls", - CURLHELP_TLS}, -#endif - + {" --ech ", + "TLS Encrypted Client Hello (ECH)", + CURLHELP_TLS | CURLHELP_ECH}, {" --egd-file ", "EGD socket path for random data", CURLHELP_TLS}, From f6607ab2201797b3ff685dafab17a95f2e644eff Mon Sep 17 00:00:00 2001 From: Stephen Farrell Date: Sat, 13 Jan 2024 21:25:05 +0000 Subject: [PATCH 07/21] added back ifdef for listhelp --- src/tool_listhelp.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/tool_listhelp.c b/src/tool_listhelp.c index 1820b7adb6ad0a..b41e9e7ba8ccea 100644 --- a/src/tool_listhelp.c +++ b/src/tool_listhelp.c @@ -168,9 +168,11 @@ const struct helptxt helptext[] = { {"-D, --dump-header ", "Write the received headers to ", CURLHELP_HTTP | CURLHELP_FTP}, +#ifdef USE_ECH {" --ech ", "TLS Encrypted Client Hello (ECH)", CURLHELP_TLS | CURLHELP_ECH}, +#endif {" --egd-file ", "EGD socket path for random data", CURLHELP_TLS}, From 8416cd201fb2ac8ab8afc5da6ceb77fde27d5e4d Mon Sep 17 00:00:00 2001 From: Stephen Farrell Date: Sun, 14 Jan 2024 00:32:48 +0000 Subject: [PATCH 08/21] remove ifdef's on command line args so doc/code consistency checks work --- include/curl/curl.h | 5 ++--- lib/strerror.c | 2 -- src/tool_getparam.c | 10 +++++----- src/tool_help.c | 1 + src/tool_help.h | 1 + src/tool_listhelp.c | 2 -- tests/data/test1462 | 1 + tests/data/test1538 | 3 ++- 8 files changed, 12 insertions(+), 13 deletions(-) diff --git a/include/curl/curl.h b/include/curl/curl.h index c2e5cca30cc3b8..53df0b1159ea5c 100644 --- a/include/curl/curl.h +++ b/include/curl/curl.h 
@@ -632,9 +632,7 @@ typedef enum { CURLE_SSL_CLIENTCERT, /* 98 - client-side certificate required */ CURLE_UNRECOVERABLE_POLL, /* 99 - poll/select returned fatal error */ CURLE_TOO_LARGE, /* 100 - a value/data met its maximum */ -#ifdef USE_ECH - CURLE_ECH_REQUIRED , /* 101 - ECH tried but failed */ -#endif + CURLE_ECH_REQUIRED, /* 101 - ECH tried but failed */ CURL_LAST /* never use! */ } CURLcode; @@ -2208,6 +2206,7 @@ typedef enum { /* millisecond version */ CURLOPT(CURLOPT_SERVER_RESPONSE_TIMEOUT_MS, CURLOPTTYPE_LONG, 324), + /* set ECH configuration */ CURLOPT(CURLOPT_ECH, CURLOPTTYPE_STRINGPOINT, 325), diff --git a/lib/strerror.c b/lib/strerror.c index e7d54905aead9f..f142cf181df059 100644 --- a/lib/strerror.c +++ b/lib/strerror.c @@ -322,10 +322,8 @@ curl_easy_strerror(CURLcode error) case CURLE_TOO_LARGE: return "A value or data field grew larger than allowed"; -#ifdef USE_ECH case CURLE_ECH_REQUIRED: return "ECH attempted but failed"; -#endif /* error codes not used by current libcurl */ case CURLE_OBSOLETE20: diff --git a/src/tool_getparam.c b/src/tool_getparam.c index ed992cea8346c6..fdb0caae5208e6 100644 --- a/src/tool_getparam.c +++ b/src/tool_getparam.c @@ -123,9 +123,7 @@ typedef enum { C_DOH_INSECURE, C_DOH_URL, C_DUMP_HEADER, -#ifdef USE_ECH C_ECH, -#endif C_EGD_FILE, C_ENGINE, C_EPRT, @@ -407,9 +405,7 @@ static const struct LongShort aliases[]= { {"doh-insecure", ARG_BOOL, ' ', C_DOH_INSECURE}, {"doh-url" , ARG_STRG, ' ', C_DOH_URL}, {"dump-header", ARG_FILE, 'D', C_DUMP_HEADER}, -#ifdef USE_ECH {"ech", ARG_STRG, ' ', C_ECH}, -#endif {"egd-file", ARG_STRG, ' ', C_EGD_FILE}, {"engine", ARG_STRG, ' ', C_ENGINE}, {"eprt", ARG_BOOL, ' ', C_EPRT}, 
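Review bot: The comment on the new `CURLOPT_ECH` entry, `/* set ECH configuration */`, does not say what the string is, and this is the public header application authors read first; suggest `/* ECH control string: "false", "grease", "true", "hard", "ecl:<base64 ECHConfigList>" or "pn:<public_name>"; only honoured by ECH-capable TLS backends */`, matching the keywords the CURLOPT_ECH page in this series documents. Removing the `#ifdef USE_ECH` around `CURLE_ECH_REQUIRED` is correct for the same reason the comment matters: `USE_ECH` is a library build define that applications including this header never see, so a conditional enum member would shift `CURL_LAST` between the library and its users.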
@@ -2083,7 +2079,11 @@ ParameterError getparameter(const char *flag, /* f or -long-flag */ err = PARAM_ENGINES_REQUESTED; } break; -#ifdef USE_ECH +#ifndef USE_ECH + case C_ECH: /* --ech, not implemented by default */ + err = PARAM_LIBCURL_DOESNT_SUPPORT; + break; +#else case C_ECH: /* --ech */ if(strlen(nextarg) > 4 && strncasecompare("pn:", nextarg, 3)) { /* a public_name */ diff --git a/src/tool_help.c b/src/tool_help.c index 04ac245370758b..55bbc4d5e94b6f 100644 --- a/src/tool_help.c +++ b/src/tool_help.c @@ -66,6 +66,7 @@ static const struct category_descriptors categories[] = { {"telnet", "TELNET protocol options", CURLHELP_TELNET}, {"tftp", "TFTP protocol options", CURLHELP_TFTP}, {"tls", "All TLS/SSL related options", CURLHELP_TLS}, + {"ech", "All Encrypted Client Hello (ECH) options", CURLHELP_ECH}, {"upload", "All options for uploads", CURLHELP_UPLOAD}, {"verbose", "Options related to any kind of command line output of curl", diff --git a/src/tool_help.h b/src/tool_help.h index a7906266e343be..4ac761ea329582 100644 --- a/src/tool_help.h +++ b/src/tool_help.h @@ -69,6 +69,7 @@ struct helptxt { #define CURLHELP_TLS 1u << 22u #define CURLHELP_UPLOAD 1u << 23u #define CURLHELP_VERBOSE 1u << 24u +#define CURLHELP_ECH 1u << 25u extern const struct helptxt helptext[]; diff --git a/src/tool_listhelp.c b/src/tool_listhelp.c index b41e9e7ba8ccea..1820b7adb6ad0a 100644 --- a/src/tool_listhelp.c +++ b/src/tool_listhelp.c @@ -168,11 +168,9 @@ const struct helptxt helptext[] = { {"-D, --dump-header ", "Write the received headers to ", CURLHELP_HTTP | CURLHELP_FTP}, -#ifdef USE_ECH {" --ech ", "TLS Encrypted Client Hello (ECH)", CURLHELP_TLS | CURLHELP_ECH}, -#endif {" --egd-file ", "EGD socket path for random data", CURLHELP_TLS}, diff --git a/tests/data/test1462 b/tests/data/test1462 index 654e443444b65a..a914f305a0ea5a 100644 --- a/tests/data/test1462 +++ b/tests/data/test1462 
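Review bot: `if(strlen(nextarg) > 4 && strncasecompare("pn:", nextarg, 3))` requires at least two characters after the `pn:` prefix, so a one-character public_name such as `pn:a` falls through to whatever the later branches do; if the intent is simply "non-empty name after the prefix", the test is `strlen(nextarg) > 3`. The new `#ifndef USE_ECH` stub depends on the tool seeing libcurl's build-time define; if the tool can run against a libcurl other than the one it was configured with, a runtime feature check would be more robust — how `USE_ECH` reaches src/ is not visible in the hunk. The `#endif` closing the `#else` branch and the rest of the `C_ECH` case lie outside the hunk.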
@@ -54,6 +54,7 @@ Invalid category provided, here is a list of all categories: telnet TELNET protocol options tftp TFTP protocol options tls All TLS/SSL related options + ech All Encrypted Client Hello (ECH) options upload All options for uploads verbose Options related to any kind of command line output of curl diff --git a/tests/data/test1538 b/tests/data/test1538 index c0f038be402854..7abbc555b48614 100644 --- a/tests/data/test1538 +++ b/tests/data/test1538 @@ -133,7 +133,8 @@ e97: proxy handshake error e98: SSL Client Certificate required e99: Unrecoverable error in select/poll e100: A value or data field grew larger than allowed -e101: Unknown error +e101: ECH attempted but failed +e102: Unknown error m-1: Please call curl_multi_perform() soon m0: No error m1: Invalid multi handle From e52c7c0235b7f6be8f87d69a5035be86b158ce32 Mon Sep 17 00:00:00 2001 From: Stephen Farrell Date: Sun, 14 Jan 2024 02:04:45 +0000 Subject: [PATCH 09/21] try a fix for cmake issue --- configure.ac | 2 -- 1 file changed, 2 deletions(-) diff --git a/configure.ac b/configure.ac index 3c0f7d3996274e..55bf45f2eee65f 100644 --- a/configure.ac +++ b/configure.ac @@ -4527,8 +4527,6 @@ if test "x$want_httpsrr" != "xno"; then AC_MSG_RESULT([HTTPSRR support is available]) AC_DEFINE(USE_HTTPSRR, 1, [enable HTTPS RR support]) experimental="$experimental HTTPSRR" -else - AC_DEFINE(USE_HTTPSRR, 0, [HTTPS RR support off]) fi dnl ************************************************************* From 8431b469f04942ba9b35212989b88a494b02a2fe Mon Sep 17 00:00:00 2001 From: Stephen Farrell Date: Sun, 14 Jan 2024 04:04:14 +0000 Subject: [PATCH 10/21] initial rebase check for boringssl ok --- lib/vtls/openssl.c | 2 +- tests/ech_tests.sh | 91 +++++++++++++++++++++------------------------- 2 files changed, 42 insertions(+), 51 deletions(-) diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c index bbd24202efdba8..bc16d4c96099eb 100644 --- a/lib/vtls/openssl.c +++ b/lib/vtls/openssl.c 
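Review bot: The CMake side needs the same rule this hunk applies to autoconf: `USE_HTTPSRR` must be left undefined when the feature is off, never defined to 0, because presence tests such as `#ifdef USE_HTTPSRR` treat a 0-valued define as enabled. This series also touches `lib/curl_config.h.cmake`, which is not in view here; confirm it uses `#cmakedefine USE_HTTPSRR 1` rather than a value-carrying define, so both build systems agree on what "disabled" means.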
@@ -4015,7 +4015,6 @@ static void ossl_trace_ech_retry_configs(struct Curl_easy *data, # else SSL_get0_ech_name_override(backend->handle, &outer, &out_name_len); SSL_get0_ech_retry_configs(backend->handle, &rcs, &rcl); - inner = connssl->hostname; rv = (int)rcl; # endif @@ -4035,6 +4034,7 @@ static void ossl_trace_ech_retry_configs(struct Curl_easy *data, inner ? inner : "NULL", outer ? outer : "NULL", reason, rv); #else rv = SSL_ech_accepted(backend->handle); + /* TODO: get the inner from boring */ infof(data, "ECH: retry_configs for %s from %s, %d %d", inner ? inner : "NULL", outer ? outer : "NULL", reason, rv); #endif diff --git a/tests/ech_tests.sh b/tests/ech_tests.sh index 39718741dd2660..2c17907a55f1de 100755 --- a/tests/ech_tests.sh +++ b/tests/ech_tests.sh 
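Review bot: After `inner = connssl->hostname;` is removed from the BoringSSL branch, `inner` stays NULL there and the trace line prints `NULL` for the inner name, which the added TODO acknowledges; until it is filled in, wording the log as `inner name unavailable` would be less misleading than a literal `NULL`. `rv = (int)rcl;` narrows a `size_t` to `int` purely for logging, and the lines between the two hunks may overwrite it with `SSL_ech_accepted()` anyway; logging `rcl` with `%zu` avoids the cast. When retry_configs stop being log-only, a server-supplied ECHConfigList should only be honoured if the certificate presented in the failed handshake verified for the public_name, which is the condition the ECH specification attaches to retry_configs; a value from an unauthenticated peer must be discarded. `ossl_trace_ech_retry_configs` starts before the hunk.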
@@ -365,48 +365,41 @@ do echo "" >>$logfile done -# check if public_name override works -for targ in "${!ech_targets[@]}" -do - if [[ "$using_wolf" == "yes" && "$targ" == "draft-13.esni.defo.ie:8414" ]] - then - echo "Skipping $targ 'till wolf does HRR+ECH" - continue - fi - if [[ "$using_wolf" == "yes" && "$targ" == "tls-ech.dev" ]] - then - echo "Skipping $targ 'till wolf does HRR+ECH" - continue - fi - host=$(hostport2host $targ) - port=$(hostport2port $targ) - if [[ "$port" != "443" && "$have_portsblocked" == "yes" ]] - then - echo "Skipping $targ as ports != 443 seem blocked" - continue - fi - path=${ech_targets[$targ]} - turl="https://$host:$port/$path" - echo "PN override check for $turl" - echo "" >>$logfile - echo "PN override check for $turl" >>$logfile - timeout $tout $CURL --ech pn:override --ech hard $turl >>$logfile 2>&1 - eres=$? - if [[ "$eres" == "124" ]] - then - allgood="no" - echo "Timeout for $turl" >>$logfile - echo -e "\tTimeout for $turl" >>$logfile - echo "Timeout running curl for $host:$port/$path" >>$logfile - fi - if [[ "$eres" != "0" ]] - then - allgood="no" - echo "PN override Error ($eres) for $turl" >>$logfile - echo -e "\tPN override Error ($eres) for $turl" - fi - echo "" >>$logfile -done +# check if public_name override works (OpenSSL only) +if [[ "$using_ossl" == "yes" ]] +then + for targ in "${!ech_targets[@]}" + do + host=$(hostport2host $targ) + port=$(hostport2port $targ) + if [[ "$port" != "443" && "$have_portsblocked" == "yes" ]] + then + echo "Skipping $targ as ports != 443 seem blocked" + continue + fi + path=${ech_targets[$targ]} + turl="https://$host:$port/$path" + echo "PN override check for $turl" + echo "" >>$logfile + echo "PN override check for $turl" >>$logfile + timeout $tout $CURL --ech pn:override --ech hard $turl >>$logfile 2>&1 + eres=$? 
+ if [[ "$eres" == "124" ]] + then + allgood="no" + echo "Timeout for $turl" >>$logfile + echo -e "\tTimeout for $turl" >>$logfile + echo "Timeout running curl for $host:$port/$path" >>$logfile + fi + if [[ "$eres" != "0" ]] + then + allgood="no" + echo "PN override Error ($eres) for $turl" >>$logfile + echo -e "\tPN override Error ($eres) for $turl" + fi + echo "" >>$logfile + done +fi for targ in "${!httpsrr_targets[@]}" do @@ -473,7 +466,7 @@ do done # Check various command line options, if we're good so far -if [[ "$allgood" == "yes" ]] +if [[ "$using_ossl" == "yes" && "$allgood" == "yes" ]] then # use this test URL as it'll tell us if things worked turl="https://defo.ie/ech-check.php" @@ -482,19 +475,17 @@ then cli_test $turl 1 1 --ech true cli_test $turl 1 0 --ech false cli_test $turl 1 1 --ech false --ech true - if [[ "$using_ossl" == "yes" ]] - then - # only OpenSSL builds support pn: - cli_test $turl 1 1 --ech false --ech true --ech pn:foobar - cli_test $turl 1 1 --ech false --ech pn:foobar --ech true - fi + cli_test $turl 1 1 --ech false --ech true --ech pn:foobar + cli_test $turl 1 1 --ech false --ech pn:foobar --ech true echconfiglist=$(get_ech_configlist defo.ie) cli_test $turl 1 1 --ech ecl:$echconfiglist cli_test $turl 1 0 --ech ecl: fi # Check combinations of command line options, if we're good so far -if [[ "$allgood" == "yes" ]] +# Most of this only works for openssl, which is ok, as we're checking +# the argument handling here, not the ECH protocol +if [[ "$using_ossl" == "yes" && "$allgood" == "yes" ]] then # ech can be hard, true, grease or false # ecl:ecl can be correct, incorrect or missing From f83c93a906a3da9129787e6e1024bd00f40449ec Mon Sep 17 00:00:00 2001 From: Stephen Farrell Date: Sun, 14 Jan 2024 21:16:48 +0000 Subject: [PATCH 11/21] more consistent logging for boring and openssl --- lib/vtls/openssl.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) 
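Review bot: In the new timeout branch every line is redirected to the log, including `echo -e "\tTimeout for $turl" >>$logfile`, so unlike the error branch just below it nothing reaches the terminal when a target times out; drop the redirection on that line, `echo -e "\tTimeout for $turl"`. The expansions in `timeout $tout $CURL --ech pn:override --ech hard $turl >>$logfile 2>&1` are unquoted; `$CURL` may intentionally carry flags, but `"$tout"`, `"$turl"` and `"$logfile"` should be quoted, as should `$targ` in the `hostport2host`/`hostport2port` calls. The loop body is otherwise the previous version, so the only new behaviour is the `using_ossl` gating.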
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c index bc16d4c96099eb..81a87a09bb5a3a 100644 --- a/lib/vtls/openssl.c +++ b/lib/vtls/openssl.c @@ -3858,7 +3858,6 @@ static CURLcode ossl_connect_step1(struct Curl_cfilter *cf, infof(data, "ECH: ECHConfig from command line empty"); return CURLE_SSL_CONNECT_ERROR; } - infof(data, "ECH: ECHConfig from command line"); ech_config_len = strlen(data->set.str[STRING_ECH_CONFIG]); if(SSL_ech_set1_echconfig(backend->handle, ech_config, ech_config_len) != 1) { @@ -3869,6 +3868,7 @@ static CURLcode ossl_connect_step1(struct Curl_cfilter *cf, else trying_ech_now = 1; # endif + infof(data, "ECH: ECHConfig from command line"); } else { struct Curl_dns_entry *dns = NULL; @@ -3997,14 +3997,16 @@ static void ossl_trace_ech_retry_configs(struct Curl_easy *data, CURLcode result = CURLE_OK; size_t rcl = 0; int rv = 1; - char *inner = NULL; # ifndef OPENSSL_IS_BORINGSSL + char *inner = NULL; unsigned char *rcs = NULL; char *outer = NULL; # else + const char *inner = NULL; const uint8_t *rcs = NULL; const char *outer = NULL; size_t out_name_len = 0; + int servername_type = 0; # endif /* nothing to trace if not doing ECH */ @@ -4013,7 +4015,6 @@ static void ossl_trace_ech_retry_configs(struct Curl_easy *data, # ifndef OPENSSL_IS_BORINGSSL rv = SSL_ech_get_retry_config(backend->handle, &rcs, &rcl); # else - SSL_get0_ech_name_override(backend->handle, &outer, &out_name_len); SSL_get0_ech_retry_configs(backend->handle, &rcs, &rcl); rv = (int)rcl; # endif 
@@ -4034,6 +4035,9 @@ static void ossl_trace_ech_retry_configs(struct Curl_easy *data, inner ? inner : "NULL", outer ? outer : "NULL", reason, rv); #else rv = SSL_ech_accepted(backend->handle); + servername_type = SSL_get_servername_type(backend->handle); + inner = SSL_get_servername(backend->handle, servername_type); + SSL_get0_ech_name_override(backend->handle, &outer, &out_name_len); /* TODO: get the inner from boring */ infof(data, "ECH: retry_configs for %s from %s, %d %d", inner ? inner : "NULL", outer ? outer : "NULL", reason, rv); From 7b6728aab2323a85c242e097fe7e5ad33c83a233 Mon Sep 17 00:00:00 2001 From: Stephen Farrell Date: Sun, 14 Jan 2024 22:53:01 +0000 Subject: [PATCH 12/21] initial rebase check for wolfssl ok --- docs/ECH.md | 4 ++-- lib/vtls/wolfssl.c | 4 ++-- tests/ech_tests.sh | 16 ++++++++-------- 3 files changed, 12 insertions(+), 12 deletions(-) diff --git a/docs/ECH.md b/docs/ECH.md index 83cb6daf2dd67d..7d4cbc5d163e95 100644 --- a/docs/ECH.md +++ b/docs/ECH.md @@ -349,7 +349,7 @@ Let's use that to build curl... git clone https://github.com/sftcd/curl cd curl git checkout ECH-experimental - autoregen -fi + autoreconf -fi ./configure --with-wolfssl=$HOME/code/wolfssl/inst --enable-ech --enable-httpsrr make ``` @@ -430,7 +430,7 @@ Then: git clone https://github.com/sftcd/curl cd curl git checkout ECH-experimental - automake -fi + autoreconf -fi ./configure --with-ssl=$HOME/code/boringssl/inst --enable-ech --enable-httpsrr ...lots of output... WARNING: ech ECH HTTPSRR enabled but marked EXPERIMENTAL. Use with caution! diff --git a/lib/vtls/wolfssl.c b/lib/vtls/wolfssl.c index 83de6418e7a597..7f0f367d937719 100644 --- a/lib/vtls/wolfssl.c +++ b/lib/vtls/wolfssl.c 
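Review bot: The `/* TODO: get the inner from boring */` comment is now stale, since the two lines added just above it obtain `inner` via `SSL_get_servername_type`/`SSL_get_servername`; delete it or reword it to `/* inner is the SNI we set ourselves; only meaningful when SSL_ech_accepted() is 1 */`. On a client handle `SSL_get_servername` presumably returns the name this side configured rather than anything learned from the server, so logging it as the inner name is only informative alongside the `rv` from `SSL_ech_accepted` printed on the same line. `outer` comes from `SSL_get0_ech_name_override` together with an explicit `out_name_len`; if that span is not NUL-terminated, printing it with `%s` over-reads, and `%.*s` with `(int)out_name_len` is the safe form — confirm against the BoringSSL header. The function begins before the hunk.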
@@ -752,13 +752,13 @@ wolfssl_connect_step1(struct Curl_cfilter *cf, struct Curl_easy *data) } else { trying_ech_now = 1; - infof(data, "ECH: ECHConfig set from command line: %s", b64val); + infof(data, "ECH: ECHConfig from command line"); } } else { struct Curl_dns_entry *dns = NULL; - dns = Curl_fetch_addr(data, connssl->hostname, connssl->port); + dns = Curl_fetch_addr(data, connssl->peer.hostname, connssl->port); if(!dns) { infof(data, "ECH: requested but no DNS info available"); if(data->set.tls_ech == CURLECH_HARD) diff --git a/tests/ech_tests.sh b/tests/ech_tests.sh index 2c17907a55f1de..40a98411165bdf 100755 --- a/tests/ech_tests.sh +++ b/tests/ech_tests.sh @@ -325,15 +325,15 @@ allgood="yes" # basic ECH good/bad for targ in "${!ech_targets[@]}" do - if [[ "$using_wolf" == "yes" && "$targ" == "draft-13.esni.defo.ie:8414" ]] + if [[ "$using_wolf" == "yes" ]] then - echo "Skipping $targ 'till wolf does HRR+ECH" - continue - fi - if [[ "$using_wolf" == "yes" && "$targ" == "tls-ech.dev" ]] - then - echo "Skipping $targ 'till wolf does HRR+ECH" - continue + case $targ in + "draft-13.esni.defo.ie:8414" | "tls-ech.dev" | \ + "crypto.cloudflare.com" | "epochbelt.com") + echo "Skipping $targ 'cause wolf"; continue;; + *) + ;; + esac fi host=$(hostport2host $targ) port=$(hostport2port $targ) From 381e575a2415cf2712d225622c75d91c3c4c6fa6 Mon Sep 17 00:00:00 2001 From: Stephen Farrell Date: Tue, 6 Feb 2024 22:57:50 +0000 Subject: [PATCH 13/21] rebased again --- docs/libcurl/curl_easy_setopt.md | 6 +++ docs/libcurl/opts/CURLOPT_ECH.3 | 77 -------------------------------- docs/libcurl/opts/CURLOPT_ECH.md | 73 ++++++++++++++++++++++++++++++ 3 files changed, 79 insertions(+), 77 deletions(-) delete mode 100644 docs/libcurl/opts/CURLOPT_ECH.3 create mode 100644 docs/libcurl/opts/CURLOPT_ECH.md diff --git a/docs/libcurl/curl_easy_setopt.md b/docs/libcurl/curl_easy_setopt.md index 5e8313fae9a291..457ff094a338fa 100644 --- a/docs/libcurl/curl_easy_setopt.md 
+++ b/docs/libcurl/curl_easy_setopt.md @@ -1359,6 +1359,12 @@ int main(void) } ~~~ +# ENCRYPTED CLIENT HELLO OPTIONS + +## CURLOPT_ECH + +Set the configuration for ECH. See CURLOPT_ECH(3) + # AVAILABILITY Always diff --git a/docs/libcurl/opts/CURLOPT_ECH.3 b/docs/libcurl/opts/CURLOPT_ECH.3 deleted file mode 100644 index a519440fe7c56a..00000000000000 --- a/docs/libcurl/opts/CURLOPT_ECH.3 +++ /dev/null 
@@ -1,77 +0,0 @@ -.\" ************************************************************************** -.\" * _ _ ____ _ -.\" * Project ___| | | | _ \| | -.\" * / __| | | | |_) | | -.\" * | (__| |_| | _ <| |___ -.\" * \___|\___/|_| \_\_____| -.\" * -.\" * Copyright (C) Daniel Stenberg, , et al. -.\" * -.\" * This software is licensed as described in the file COPYING, which -.\" * you should have received as part of this distribution. The terms -.\" * are also available at https://curl.se/docs/copyright.html. -.\" * -.\" * You may opt to use, copy, modify, merge, publish, distribute and/or sell -.\" * copies of the Software, and permit persons to whom the Software is -.\" * furnished to do so, under the terms of the COPYING file. -.\" * -.\" * This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY -.\" * KIND, either express or implied. -.\" * -.\" * SPDX-License-Identifier: curl -.\" * -.\" ************************************************************************** -.\" -.TH CURLOPT_ECH 3 "30 Sep 2023" libcurl libcurl -.SH NAME -CURLOPT_ECH \- configuration for Encrypted Client Hello -.SH SYNOPSIS -.nf -#include - -CURLcode curl_easy_setopt(CURL *handle, CURLOPT_ECH, char *config); -.fi -.SH DESCRIPTION -Pass a string that specifies configuration details for ECH. -In all cases, if ECH is attempted, it may fail for various reasons. -The keywords supported are: -.IP false -Turns off ECH. -.IP grease -Instructs client to emit a GREASE'd ECH extension. -.IP true -Instructs client to attempt ECH, if possible, but to not fail if attempting ECH is not possible. -.IP hard -Instructs client to attempt ECH and fail if if attempting ECH is not possible. -.IP ecl: -If the string starts with "ecl:" then the remainder of the string should be a base64-encoded -ECHConfigList that is used for ECH rather than attempting to download such a value from -the DNS. 
-.IP pn: -If the string starts with "pn:" then the remainder of the string should be a DNS/host name -that is used to over-ride the public_name field of the ECHConfigList that will be used -for ECH. -.SH DEFAULT -NULL, meaning ECH is disabled. -.SH PROTOCOLS -TLS, and requires TLS1.3. -.SH EXAMPLE -.nf -int main(void) -{ - CURL *curl = curl_easy_init(); - const char *config ="ecl:AED+DQA87wAgACB/RuzUCsW3uBbSFI7mzD63TUXpI8sGDT" - "nFTbFCDpa+CAAEAAEAAQANY292ZXIuZGVmby5pZQAA"; - - if(curl) { - curl_easy_setopt(curl, CURLOPT_ECH, config); - curl_easy_perform(curl); - } -} -.fi -.SH AVAILABILITY -Added in 8.6.0 -.SH RETURN VALUE -Returns CURLE_OK on success or CURLE_OUT_OF_MEMORY if there was insufficient heap space. -.SH "SEE ALSO" -.BR CURLOPT_DOH_URL (3) diff --git a/docs/libcurl/opts/CURLOPT_ECH.md b/docs/libcurl/opts/CURLOPT_ECH.md new file mode 100644 index 00000000000000..fcbb45784f7d42 --- /dev/null +++ b/docs/libcurl/opts/CURLOPT_ECH.md 
@@ -0,0 +1,73 @@ +--- +c: Copyright (C) Daniel Stenberg, , et al. +SPDX-License-Identifier: curl +Title: CURLOPT_ECH +Section: 3 +Source: libcurl +See-also: + - CURLOPT_DOH_URL (3) +--- + +# NAME + +CURLOPT_ECH - configuration for Encrypted Client Hello + +# SYNOPSIS + +~~~c +#include + +CURLcode curl_easy_setopt(CURL *handle, CURLOPT_ECH, char *config); +~~~ + +# DESCRIPTION + +Pass a string that specifies configuration details for ECH. +In all cases, if ECH is attempted, it may fail for various reasons. +The keywords supported are: + +- false +Turns off ECH. +- grease +Instructs client to emit a GREASE'd ECH extension. +- true +Instructs client to attempt ECH, if possible, but to not fail if attempting ECH is not possible. +- hard +Instructs client to attempt ECH and fail if if attempting ECH is not possible. +- ecl: +If the string starts with "ecl:" then the remainder of the string should be a base64-encoded +ECHConfigList that is used for ECH rather than attempting to download such a value from +the DNS. +- pn: +If the string starts with "pn:" then the remainder of the string should be a DNS/host name +that is used to over-ride the public_name field of the ECHConfigList that will be used +for ECH. + +# DEFAULT + +NULL, meaning ECH is disabled. + +# PROTOCOLS + +TLS, and requires TLS1.3. + +# EXAMPLE + +~~~c +CURL *curl = curl_easy_init(); + +const char *config ="ecl:AED+DQA87wAgACB/RuzUCsW3uBbSFI7mzD63TUXpI8sGDTnFTbFCDpa+CAAEAAEAAQANY292ZXIuZGVmby5pZQAA"; +if(curl) { + curl_easy_setopt(curl, CURLOPT_ECH, config); + curl_easy_perform(curl); +} +~~~ + + +# AVAILABILITY + +Added in 8.6.0 + +# RETURN VALUE + +Returns CURLE_OK on success or CURLE_OUT_OF_MEMORY if there was insufficient heap space. From af20a59fe6caf38bed76a566607e94b2247f42f0 Mon Sep 17 00:00:00 2001 
From: Stephen Farrell Date: Wed, 7 Feb 2024 03:01:54 +0000 Subject: [PATCH 14/21] couple of markdown doc nits fixed, couple more to go --- docs/cmdline-opts/Makefile.inc | 1 + docs/cmdline-opts/{ech.d => ech.md} | 28 ++++++++++++++-------------- docs/libcurl/symbols-in-versions | 2 +- docs/options-in-versions | 2 +- 4 files changed, 17 insertions(+), 16 deletions(-) rename docs/cmdline-opts/{ech.d => ech.md} (77%) diff --git a/docs/cmdline-opts/Makefile.inc b/docs/cmdline-opts/Makefile.inc index 428cc3bab2a066..deb4c7c326dc1c 100644 --- a/docs/cmdline-opts/Makefile.inc +++ b/docs/cmdline-opts/Makefile.inc @@ -90,6 +90,7 @@ DPAGES = \ doh-insecure.md \ doh-url.md \ dump-header.md \ + ech.md \ egd-file.md \ engine.md \ etag-compare.md \ diff --git a/docs/cmdline-opts/ech.d b/docs/cmdline-opts/ech.md similarity index 77% rename from docs/cmdline-opts/ech.d rename to docs/cmdline-opts/ech.md index b33f00a195e303..465f800d9df522 100644 --- a/docs/cmdline-opts/ech.d +++ b/docs/cmdline-opts/ech.md 
@@ -1,30 +1,27 @@ +--- c: Copyright (C) Daniel Stenberg, , et al. SPDX-License-Identifier: curl Long: ech -Arg: -Help: TLS Encrypted Client Hello (ECH) -Added: x.xx.x +Arg: +Help: Configure Encrypted Client Hello (ECH) for use with the TLS session +Added: 8.6.1 Category: tls ECH -Example: --ech $URL -See-also: doh-url Multi: single +See-also: + - doh-url +Example: + - --ech true $URL --- -Configure Encrypted Client Hello (ECH) for use with the TLS session. -Possible values for are: +## `--ech` +Possible values for are: - "false": do not attempt ECH - - "grease": send a GREASE'd ECH extension - - "true": attempt ECH if possible, but don't fail if not - - "hard": attempt ECH and fail if that's not possible - - "ecl:": a base64 encoded ECHConfigList that will be used for ECH - -- "pn:": a name to use to over-ride the public_name field of an - ECHConfigList +- "pn:": a name to use to over-ride the public_name field of an ECHConfigList When multiple ``--ech`` options are supplied then the most-recent value for true/false/hard/grease will be used, as will the most-recent @@ -33,3 +30,6 @@ those were provided. ECH only works with TLS 1.3 and also requires using DoH or providing an ECHConfigList on the command line. + +Most errors cause error +*CURLE_ECH_REUIQRED* (101). diff --git a/docs/libcurl/symbols-in-versions b/docs/libcurl/symbols-in-versions index 5d47d02254577e..7f16dad2a943a1 100644 --- a/docs/libcurl/symbols-in-versions +++ b/docs/libcurl/symbols-in-versions @@ -340,7 +340,7 @@ CURLE_URL_MALFORMAT_USER 7.1 7.17.0 CURLE_USE_SSL_FAILED 7.17.0 CURLE_WEIRD_SERVER_REPLY 7.51.0 CURLE_WRITE_ERROR 7.1 -CURLE_ECH_REQUIRED 8.6.0 +CURLE_ECH_REQUIRED 8.6.1 CURLFILETYPE_DEVICE_BLOCK 7.21.0 CURLFILETYPE_DEVICE_CHAR 7.21.0 CURLFILETYPE_DIRECTORY 7.21.0 diff --git a/docs/options-in-versions b/docs/options-in-versions index f5e7bc9a0cdd87..36b07171e6c092 100644 --- a/docs/options-in-versions +++ b/docs/options-in-versions 
@@ -55,7 +55,7 @@ --doh-insecure 7.76.0 --doh-url 7.62.0 --dump-header (-D) 5.7 ---ech 8.4.0 +--ech 8.6.1 --egd-file 7.7 --engine 7.9.3 --etag-compare 7.68.0 From 74239c0f8a1878a0d3ee61b2fc7c2e18a4fd6f4e Mon Sep 17 00:00:00 2001 From: Stephen Farrell Date: Wed, 7 Feb 2024 16:21:23 +0000 Subject: [PATCH 15/21] fix various doc checks --- docs/ECH.md | 58 +++++++++++++++++----------------- docs/cmdline-opts/ech.md | 47 +++++++++++++++++++-------- docs/libcurl/libcurl-errors.md | 2 +- src/tool_listhelp.c | 4 +-- 4 files changed, 66 insertions(+), 45 deletions(-) diff --git a/docs/ECH.md b/docs/ECH.md index 7d4cbc5d163e95..00a917f04f69ea 100644 --- a/docs/ECH.md +++ b/docs/ECH.md @@ -4,7 +4,7 @@ We've added support for ECH to a recent curl build. That can use HTTPS RRs published in the DNS, if curl is using DoH, or else can accept the relevant ECHConfigList values from the command line. That works with OpenSSL, -WolfSSL or boringssl as it's TLS provider, depending on how you build curl. +WolfSSL or boringssl as the TLS provider, depending on how you build curl. This has not been tested. DO NOT USE. @@ -43,8 +43,8 @@ To build our ECH-enabled curl fork, making use of the above: ...lots more output... ``` -If you don't get that WARNING at the end of the ``configure`` command, then ECH -isn't enabled, so go back some steps and re-do whatever needs re-doing:-) If you +If you do not get that WARNING at the end of the ``configure`` command, then ECH +is not enabled, so go back some steps and re-do whatever needs re-doing:-) If you want to debug curl then you should add ``--enable-debug`` to the ``configure`` command. @@ -81,7 +81,7 @@ The ``USE_MANUAL`` above avoids what seems an odd error with [100%] Built target curl ``` -So we finally get a binary, and our ``tests/ech_test.sh`` script seems happy. +We finally get a binary, and our ``tests/ech_test.sh`` script seems happy. ## Using ECH and DoH 
@@ -96,7 +96,7 @@ retrieval of HTTPS RRs in that situation. To use ECH and DoH together: ... ``` -The output snippet above is within the HTML for the web page, when things work. +The output snippet above is within the HTML for the webpage, when things work. The above works for these test sites: @@ -146,10 +146,10 @@ Then paste the base64 encoded ECHConfigList onto the curl command line: ... ``` -The output snippet above is within the HTML for the web page. +The output snippet above is within the HTML for the webpage. -If you paste in the wrong ECHConfigList (it changes hourly for ``defo.ie``) you'll -get an error like this: +If you paste in the wrong ECHConfigList (it changes hourly for ``defo.ie``) you +should get an error like this: ```bash LD_LIBRARY_PATH=$HOME/code/openssl ./src/curl -vvv --ech ecl:AED+DQA8yAAgACDRMQo+qYNsNRNj+vfuQfFIkrrUFmM4vogucxKj/4nzYgAEAAEAAQANY292ZXIuZGVmby5pZQAA https://defo.ie/ech-check.php @@ -190,13 +190,13 @@ so one can set the DoH URL and enable ECH that way: ``` Note that when you use the system's curl command (rather than our ECH-enabled -build), it's liable to warn that ``ech`` is an unknown option. If that's an +build), it is liable to warn that ``ech`` is an unknown option. If that is an issue (e.g. if some script re-directs stdout and stderr somewhere) then adding the ``silent=TRUE`` line above seems to be a good enough fix. (Though of -course, yet another script could depend on non-silent behavior, so you'll have +course, yet another script could depend on non-silent behavior, so you will have to figure out what you prefer yourself.) -And if you want to always use our OpenSSL build you can set ``LD_LIBRARY_PATH`` +If you want to always use our OpenSSL build you can set ``LD_LIBRARY_PATH`` in the environment: ```bash 
@@ -223,8 +223,8 @@ With all that setup as above the command line gets simpler: ``` The ``--ech true`` option is opportunistic, so will try to do ECH but won't fail if -the client for example can't find any ECHConfig values. The ``--ech hard`` -option hard-fails if there is no ECHConfig found in DNS, so for now, that's not +the client for example cannot find any ECHConfig values. The ``--ech hard`` +option hard-fails if there is no ECHConfig found in DNS, so for now, that is not a good option to set as a default. ## Code changes for ECH support when using DoH @@ -250,7 +250,7 @@ is enabled, then ``USE_HTTPSRR`` will be forced. In both cases ``USE_DOH`` is required. (There may be some configuration conflicts available for the determined:-) -The main functional change, as you'd expect, is in ``lib/vtls/openssl.c`` +The main functional change, as you would expect, is in ``lib/vtls/openssl.c`` ([here](https://github.com/sftcd/curl/blob/ECH-experimental/lib/vtls/openssl.c#L3768)) where an ECHConfig, if available from command line or DNS cache, is fed into the OpenSSL library via the new APIs implemented in our OpenSSL fork for that @@ -260,7 +260,7 @@ purpose. This code also implements the opportunistic (``--ech true``) or hard-fa Other than that, the main additions are in ``lib/doh.c`` ([here](https://github.com/sftcd/curl/blob/ECH-experimental/lib/doh.c#L418)) where we re-use ``dohprobe()`` to retrieve an HTTPS RR value for the target -domain. If such a value is found, that's stored using a new ``store_https()`` +domain. If such a value is found, that is stored using a new ``store_https()`` function ([here](https://github.com/sftcd/curl/blob/ECH-experimental/lib/doh.c#L527)) in a new field in the ``dohentry`` structure. 
@@ -288,18 +288,18 @@ Current limitations (more interesting than the above): above, that could be extended in future, though picking the "right" HTTPS RR could be non-trivial if multiple RRs are published - matching IP address hints versus A/AAAA values might be a good basis for that. Last I checked though, -browsers supporting ECH didn't handle multiple HTTPS RRs well, though that -needs re-checking as it's been a while. +browsers supporting ECH did not handle multiple HTTPS RRs well, though that +needs re-checking as it has been a while. - It's unclear how one should handle any IP address hints found in an HTTPS RR. It may be that a bit of consideration of how "multi-CDN" deployments might -emerge would provide good answers there, but for now, it's not clear how best +emerge would provide good answers there, but for now, it is not clear how best curl might handle those values when present in the DNS. - The SVCB/HTTPS RR specification supports a new "CNAME at apex" indirection ("aliasMode") - the current code takes no account of that at all. One could envisage implementing the equivalent of following CNAMEs in such cases, but -it's not clear if that'd be a good plan. (As of now, chrome browsers don't seem +it is not clear if that'd be a good plan. (As of now, chrome browsers do not seem to have any support for that "aliasMode" and we've not checked Firefox for that recently.) 
@@ -310,7 +310,7 @@ tool. - We have not yet implemented tests as part of the usual curl test harness. For now, we only have a ``$TOP/tests/ech_test.sh`` script that attempts ECH with various test servers. While that is a useful test and does -find issues (e.g. with the wolfSSL build), it's nowhere near comprehensive and +find issues (e.g. with the wolfSSL build), it is nowhere near comprehensive and we're not (as yet) sure what would be the right level of coverage. Note that when running that you should not have a ``$HOME/.curlrc`` file that affects ECH or some of the negative tests could produce spurious @@ -382,7 +382,7 @@ There are what seem like oddball differences: "one.one.one.one" for WolfSSL. The latter works for both, so OK, we'll change to that. - There seems to be some difference in CA databases too - the WolfSSL version - doesn't like ``defo.ie``, whereas the system and OpenSSL ones do. We can ignore + does not like ``defo.ie``, whereas the system and OpenSSL ones do. We can ignore that for our purposes via ``--insecure``/``-k`` but would need to fix for a real setup. (Browsers do like those certificates though.) 
@@ -391,15 +391,15 @@ Then there are some functional code changes: - tweak to ``configure.ac`` to check if WolfSSL has ECH or not - added code to ``lib/vtls/wolfssl.c`` mirroring what's done in the OpenSSL equivalent above. -- WolfSSL doesn't support ``--ech false`` or the ``--ech pn:`` command line +- WolfSSL does not support ``--ech false`` or the ``--ech pn:`` command line argument. The lack of support for ``--ech false`` is because wolfSSL has decided to always at least GREASE if built to support ECH. In other words, GREASE is -a compile time choice for wolfSSL, but a run-time choice for OpenSSL or +a compile time choice for wolfSSL, but a runtime choice for OpenSSL or boringssl. (Both are reasonable.) -There's also a current +There is also a current [bug/issue](https://github.com/wolfSSL/wolfssl/issues/6802) that the wolfSSL client support for ECH seems to not correctly support HelloRetryRequest. WolfSSL also seems to send a GREASE ECH extension regardless of the 
@@ -447,21 +447,21 @@ for ECH when DoH is not used by curl - if a system stub resolver supports DoT or DoH, then, considering only ECH and the network threat model, it would make sense for curl to support ECH without curl itself using DoH. The author for example uses a combination of stubby+unbound as the system resolver listening -on localhost:53, so would fit this use-case. That said, it's unclear if -this is a niche that's worth trying to address. (The author is just as happy to +on localhost:53, so would fit this use-case. That said, it is unclear if +this is a niche that is worth trying to address. (The author is just as happy to let curl use DoH to talk to the same public recursive that stubby might use:-) Assuming for the moment this is a use-case we'd like to support, then -if DoH is not being used by curl, it's not clear at this time how to provide +if DoH is not being used by curl, it is not clear at this time how to provide support for ECH. One option would seem to be to extend the ``c-ares`` library -to support HTTPS RRs, but in that case it's not now clear whether such changes +to support HTTPS RRs, but in that case it is not now clear whether such changes would be attractive to the ``c-ares`` maintainers, nor whether the "tag=value" extensibility inherent in the HTTPS/SVCB specification is a good match for the ``c-ares`` approach of defining structures specific to decoded answers for each supported RRtype. We're also not sure how many downstream curl deployments actually make use of the ``c-ares`` library, which would affect the utility of such changes. Another option might be to consider using some other generic DNS -library that does support HTTPS RRs, but it's unclear if such a library could +library that does support HTTPS RRs, but it is unclear if such a library could or would be used by all or almost all curl builds and downstream releases of curl. 
diff --git a/docs/cmdline-opts/ech.md b/docs/cmdline-opts/ech.md index 465f800d9df522..7d364fa179bab6 100644 --- a/docs/cmdline-opts/ech.md +++ b/docs/cmdline-opts/ech.md @@ -13,23 +13,44 @@ Example: - --ech true $URL --- -## `--ech` +# `--ech` -Possible values for are: -- "false": do not attempt ECH -- "grease": send a GREASE'd ECH extension -- "true": attempt ECH if possible, but don't fail if not -- "hard": attempt ECH and fail if that's not possible -- "ecl:": a base64 encoded ECHConfigList that will be used for ECH -- "pn:": a name to use to over-ride the public_name field of an ECHConfigList +When multiple ``--ech`` options are supplied then the most-recent value for +true/false/hard/grease value will be used, as will the most-recent +``ecl:`` value, and ``pn:`` value, if either of those were +provided. -When multiple ``--ech`` options are supplied then the most-recent -value for true/false/hard/grease will be used, as will the most-recent -``ecl:`` value, and ``pn:`` value, if either of -those were provided. +The values allowed for can be: +## "false" +Do not attempt ECH + +## "grease" + +Send a GREASE'd ECH extension + +## "true" + +Attempt ECH if possible, but don't fail if ECH is not attempted. +(The connection will fail if ECH is attempted but fails.) + +## "hard" + +Attempt ECH and fail if that's not possible. ECH only works with TLS 1.3 and also requires using DoH or providing an ECHConfigList on the command line. +## "ecl:" + +A base64 encoded ECHConfigList that will be used for ECH. + +## "pn:" + +A name to use to over-ride the `public_name` field of an ECHConfigList +(only available with OpenSSL TLS support) + +## Errors + Most errors cause error -*CURLE_ECH_REUIQRED* (101). +*CURLE_ECH_REQUIRED* (101). + diff --git a/docs/libcurl/libcurl-errors.md b/docs/libcurl/libcurl-errors.md index c08195f32f3c35..7d7da4c136bdb2 100644 --- a/docs/libcurl/libcurl-errors.md +++ b/docs/libcurl/libcurl-errors.md 
@@ -485,7 +485,7 @@ An internal call to poll() or select() returned error that is not recoverable. A value or data field grew larger than allowed. -# CURLE_ECH_REQUIRED (101)" +## CURLE_ECH_REQUIRED (101)" ECH was attempted but failed. diff --git a/src/tool_listhelp.c b/src/tool_listhelp.c index 1820b7adb6ad0a..c9468a8ff3c623 100644 --- a/src/tool_listhelp.c +++ b/src/tool_listhelp.c @@ -168,8 +168,8 @@ const struct helptxt helptext[] = { {"-D, --dump-header ", "Write the received headers to ", CURLHELP_HTTP | CURLHELP_FTP}, - {" --ech ", - "TLS Encrypted Client Hello (ECH)", + {" --ech ", + "Configure Encrypted Client Hello (ECH) for use with the TLS session", CURLHELP_TLS | CURLHELP_ECH}, {" --egd-file ", "EGD socket path for random data", From 8aa7e3e83b5be6e1fdd8084aa1cc2177d6fc7a72 Mon Sep 17 00:00:00 2001 From: Stephen Farrell Date: Wed, 7 Feb 2024 16:25:04 +0000 Subject: [PATCH 16/21] moar doc nits --- docs/ECH.md | 6 +++--- docs/libcurl/opts/CURLOPT_ECH.md | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/docs/ECH.md b/docs/ECH.md index 00a917f04f69ea..bdb715d5a7b63a 100644 --- a/docs/ECH.md +++ b/docs/ECH.md @@ -108,7 +108,7 @@ The above works for these test sites: https://tls-ech.dev ``` -So we seem to have the basic thing functioning now. That list has 4 different +We seem to have the basic thing functioning now. That list has 4 different server technologies, implemented by 3 different parties, and includes a case (the port 8414 server) where HelloRetryRequest (HRR) is forced. @@ -222,7 +222,7 @@ With all that setup as above the command line gets simpler: ... ``` -The ``--ech true`` option is opportunistic, so will try to do ECH but won't fail if +The ``--ech true`` option is opportunistic, so will try to do ECH but will not fail if the client for example cannot find any ECHConfig values. The ``--ech hard`` option hard-fails if there is no ECHConfig found in DNS, so for now, that is not a good option to set as a default. 
@@ -291,7 +291,7 @@ versus A/AAAA values might be a good basis for that. Last I checked though, browsers supporting ECH did not handle multiple HTTPS RRs well, though that needs re-checking as it has been a while. -- It's unclear how one should handle any IP address hints found in an HTTPS RR. +- It is unclear how one should handle any IP address hints found in an HTTPS RR. It may be that a bit of consideration of how "multi-CDN" deployments might emerge would provide good answers there, but for now, it is not clear how best curl might handle those values when present in the DNS. diff --git a/docs/libcurl/opts/CURLOPT_ECH.md b/docs/libcurl/opts/CURLOPT_ECH.md index fcbb45784f7d42..1122bae2636be2 100644 --- a/docs/libcurl/opts/CURLOPT_ECH.md +++ b/docs/libcurl/opts/CURLOPT_ECH.md @@ -39,7 +39,7 @@ If the string starts with "ecl:" then the remainder of the string should be a ba ECHConfigList that is used for ECH rather than attempting to download such a value from the DNS. - pn: -If the string starts with "pn:" then the remainder of the string should be a DNS/host name +If the string starts with "pn:" then the remainder of the string should be a DNS/hostname that is used to over-ride the public_name field of the ECHConfigList that will be used for ECH. From ea38244a2bbc9e4182979399ed5328378000ac08 Mon Sep 17 00:00:00 2001 From: Stephen Farrell Date: Wed, 7 Feb 2024 16:33:20 +0000 Subject: [PATCH 17/21] moar doc nits --- docs/cmdline-opts/ech.md | 2 +- docs/libcurl/opts/CURLOPT_ECH.md | 15 ++++++++------- 2 files changed, 9 insertions(+), 8 deletions(-) diff --git a/docs/cmdline-opts/ech.md b/docs/cmdline-opts/ech.md index 7d364fa179bab6..b2051d2159d707 100644 --- a/docs/cmdline-opts/ech.md +++ b/docs/cmdline-opts/ech.md @@ -27,7 +27,7 @@ Do not attempt ECH ## "grease" -Send a GREASE'd ECH extension +Send a GREASE ECH extension ## "true" diff --git a/docs/libcurl/opts/CURLOPT_ECH.md b/docs/libcurl/opts/CURLOPT_ECH.md index 1122bae2636be2..c9ad19d8c3c9d8 100644 
--- a/docs/libcurl/opts/CURLOPT_ECH.md +++ b/docs/libcurl/opts/CURLOPT_ECH.md @@ -26,19 +26,20 @@ Pass a string that specifies configuration details for ECH. In all cases, if ECH is attempted, it may fail for various reasons. The keywords supported are: -- false +## false Turns off ECH. -- grease -Instructs client to emit a GREASE'd ECH extension. -- true +## grease +Instructs client to emit a GREASE ECH extension. +(The connection will fail if ECH is attempted but fails.) +## true Instructs client to attempt ECH, if possible, but to not fail if attempting ECH is not possible. -- hard +## hard Instructs client to attempt ECH and fail if if attempting ECH is not possible. -- ecl: +## ecl: If the string starts with "ecl:" then the remainder of the string should be a base64-encoded ECHConfigList that is used for ECH rather than attempting to download such a value from the DNS. -- pn: +## pn: If the string starts with "pn:" then the remainder of the string should be a DNS/hostname that is used to over-ride the public_name field of the ECHConfigList that will be used for ECH. From 6ab4b8841d3cb66e8fb88fb738ab7b7bc330639b Mon Sep 17 00:00:00 2001 From: Stephen Farrell Date: Sun, 11 Feb 2024 01:59:54 +0000 Subject: [PATCH 18/21] fix for .curlrc change for silent --- docs/ECH.md | 8 +++++--- lib/vtls/wolfssl.c | 6 +++++- 2 files changed, 10 insertions(+), 4 deletions(-) diff --git a/docs/ECH.md b/docs/ECH.md index bdb715d5a7b63a..a6ce0ec75b83db 100644 --- a/docs/ECH.md +++ b/docs/ECH.md 
@@ -185,16 +185,18 @@ so one can set the DoH URL and enable ECH that way: ```bash cat ~/.curlrc doh-url=https://one.one.one.one/dns-query - silent=TRUE + silent ech=TRUE ``` Note that when you use the system's curl command (rather than our ECH-enabled build), it is liable to warn that ``ech`` is an unknown option. If that is an issue (e.g. if some script re-directs stdout and stderr somewhere) then adding -the ``silent=TRUE`` line above seems to be a good enough fix. (Though of +the ``silent`` line above seems to be a good enough fix. (Though of course, yet another script could depend on non-silent behavior, so you will have -to figure out what you prefer yourself.) +to figure out what you prefer yourself.) That seems to have changed with the +latest build, previously ``silent=TRUE`` was what I used in ``~/.curlrc`` but +now that seems to cause a problem, so that the following line(s) are ignored. If you want to always use our OpenSSL build you can set ``LD_LIBRARY_PATH`` in the environment: diff --git a/lib/vtls/wolfssl.c b/lib/vtls/wolfssl.c index 7f0f367d937719..232eac39a698f5 100644 --- a/lib/vtls/wolfssl.c +++ b/lib/vtls/wolfssl.c @@ -76,6 +76,10 @@ #ifdef USE_ECH # include "curl_base64.h" +# define ECH_ENABLED(__data__) \ + (__data__->set.tls_ech && \ + !(__data__->set.tls_ech & (1 << CURLECH_DISABLE))\ + ) #endif /* USE_ECH */ /* KEEP_PEER_CERT is a product of the presence of build time symbol @@ -727,7 +731,7 @@ wolfssl_connect_step1(struct Curl_cfilter *cf, struct Curl_easy *data) } #ifdef USE_ECH - if(data->set.tls_ech != CURLECH_DISABLE) { + if(ECH_ENABLED(data)) { int trying_ech_now = 0; if(data->set.str[STRING_ECH_PUBLIC]) { From a1afc98e7af5cefd1c3eb5ae94bbd70d80cf5d43 Mon Sep 17 00:00:00 2001 From: Stephen Farrell Date: Fri, 16 Feb 2024 21:15:19 +0000 Subject: [PATCH 19/21] added packages --- .github/workflows/packages.yaml | 80 +++++++++++++++++++++++++++++++++ 1 file changed, 80 insertions(+) create mode 100644 .github/workflows/packages.yaml 
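Review bot: The new `ECH_ENABLED` macro in the first hunk names its parameter `__data__`, and identifiers beginning with two underscores are reserved for the implementation in C, so it should use an ordinary name and parenthesize each use: `# define ECH_ENABLED(d) ((d)->set.tls_ech && !((d)->set.tls_ech & (1 << CURLECH_DISABLE)))`. The second hunk also changes the meaning of the check from `tls_ech != CURLECH_DISABLE` (a plain enum value) to a `1 << CURLECH_DISABLE` bit test; if the setopt code that fills `set.tls_ech` (not in this hunk) stores plain enum values, `--ech false` would no longer be recognized here and ECH would be attempted anyway, so the encoding should be confirmed and stated at the macro, e.g. `/* set.tls_ech is a bitmask of (1 << CURLECH_*) values */`. If openssl.c needs the same test, the macro belongs in a shared vtls header rather than in this file. `wolfssl_connect_step1` begins and ends outside the hunk.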
diff --git a/.github/workflows/packages.yaml b/.github/workflows/packages.yaml new file mode 100644 index 00000000000000..9c89310c2393d4 --- /dev/null +++ b/.github/workflows/packages.yaml 
@@ -0,0 +1,80 @@ +name: builder + +on: + workflow_dispatch: + push: + +jobs: + build: + runs-on: ubuntu-22.04 + steps: + - name: Check out the repo + uses: actions/checkout@v4 + with: + fetch-depth: 0 + + - name: merge upstream + run: | + git remote add upstream https://github.com/curl/curl.git + git fetch upstream + git -c user.name=Github -c user.email=none merge upstream/master + + - name: Cache ccache + uses: actions/cache@v3 + with: + path: /home/runner/.cache/ccache + key: ccache + + - name: Prepare build environment + run: | + sudo add-apt-repository -y ppa:v-launchpad-jochen-sprickerhof-de/sbuild + sudo DEBIAN_FRONTEND=noninteractive apt install -y --no-install-recommends sbuild mmdebstrap debian-archive-keyring ccache uidmap + + mkdir -p "$HOME/.cache/sbuild" + mmdebstrap --variant=buildd --include=apt,ccache,ca-certificates \ + --customize-hook='chroot "$1" update-ccache-symlinks' \ + unstable "$HOME/.cache/sbuild/unstable-amd64.tar" + + ccache --zero-stats --max-size=10.0G + chmod a+X "$HOME" "$HOME/.cache" + chmod -R a+rwX "$HOME/.cache/ccache" + + cat << "EOF" > "$HOME/.sbuildrc" + $build_environment = { "CCACHE_DIR" => "/build/ccache" }; + $path = "/usr/lib/ccache:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games"; + $build_path = "/build/package/"; + $dsc_dir = "package"; + $unshare_bind_mounts = [ { directory => "$HOME/.cache/ccache", mountpoint => "/build/ccache" } ]; + $verbose = 1; + EOF + mkdir "$HOME/apt_repo" + + - name: Run sbuild + run: | + sed -i "1 s/([^)]*)/($(git describe --tags | sed 's/^[^0-9]*//;s/-/./g;s/_/./g')-$(date -u '+%Y%m%d.%H%M%S%N'))/" debian/changelog + sbuild -d unstable --chroot-mode=unshare --no-clean-source --no-run-lintian \ + --extra-repository="deb [trusted=yes] https://github.com/jspricke/openssl/raw/packages/ ./" \ + --dpkg-source-opts="-Zgzip -z1 --format=1.0 -sn" --build-dir="$HOME/apt_repo" + cd "$HOME/apt_repo" + apt-ftparchive packages . > Packages + apt-ftparchive release . 
> Release + + - name: Test packages + run: | + mmdebstrap --chrooted-customize-hook="curl --ech true --doh-url 'https://1.1.1.1/dns-query' 'https://defo.ie/ech-check.php' | grep 'SSL_ECH_STATUS: success'" \ + --variant=essential --include=ca-certificates,curl unstable /dev/null \ + "deb [signed-by=/usr/share/keyrings/debian-archive-keyring.gpg] http://deb.debian.org/debian unstable main" \ + "deb [trusted=yes] https://github.com/jspricke/openssl/raw/packages/ /" \ + "deb [trusted=yes] copy:/$HOME/apt_repo /" + + - name: Upload apt repository + run: | + cd "$HOME/apt_repo" + BRANCH=packages + REPOSITORY="$(printf "%s" "$GITHUB_REPOSITORY" | tr / _)" + echo "echo \"deb [trusted=yes] $GITHUB_SERVER_URL/$GITHUB_REPOSITORY/raw/$BRANCH/ /\" | sudo tee /etc/apt/sources.list.d/$REPOSITORY.list" >> README.md + git init -b "$BRANCH" + git remote add origin "$(echo "$GITHUB_SERVER_URL/$GITHUB_REPOSITORY.git" | sed "s#https://#https://x-access-token:${{ secrets.GITHUB_TOKEN }}@#")" + git add . + git -c user.name=Github -c user.email=none commit --message="Generated with $GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID" + git push --force origin "$BRANCH" From 0de7944f686606841b4fcc7648178deadcf0ce76 Mon Sep 17 00:00:00 2001 
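Review bot: The `Upload apt repository` step force-pushes the `packages` branch with `GITHUB_TOKEN`, but the workflow declares no `permissions:` block, so the job runs with the repository's default token scope; add `permissions:` / `  contents: write` at the job level so the token can do only that. The README line generated in the same step tells users to add the repository with `[trusted=yes]`, which disables apt signature verification for packages produced from an unreviewed `git merge upstream/master` on every `push:`; sign the `Release` file that `apt-ftparchive release` writes (InRelease/Release.gpg) and publish a `signed-by=` instruction instead. The same `[trusted=yes]` is applied to the OpenSSL fork repository in both the sbuild `--extra-repository` and the `Test packages` step, and its `raw/packages/` URL is a mutable branch, so the TLS library the build links against is neither authenticated nor pinned. `actions/checkout@v4` and `actions/cache@v3` are mutable tags; pin them to commit SHAs.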
From: Stephen Farrell Date: Fri, 16 Feb 2024 21:33:41 +0000 Subject: [PATCH 20/21] added debian --- .github/workflows/packages.yaml | 4 +- debian/README.Debian | 11 + debian/README.source | 9 + debian/changelog | 2911 +++++++++++++++++ debian/control | 201 ++ debian/copyright | 534 +++ debian/curl.install | 3 + debian/gbp.conf | 15 + debian/libcurl3-gnutls.install | 1 + debian/libcurl3-gnutls.links | 3 + debian/libcurl3-gnutls.lintian-overrides | 1 + debian/libcurl3-gnutls.symbols | 97 + debian/libcurl4-doc.docs | 6 + debian/libcurl4-doc.examples | 1 + debian/libcurl4-doc.links | 10 + debian/libcurl4-gnutls-dev.install | 6 + debian/libcurl4-gnutls-dev.links | 4 + debian/libcurl4-openssl-dev.install | 6 + debian/libcurl4.install | 1 + debian/libcurl4.symbols | 97 + .../patches/04_workaround_as_needed_bug.patch | 40 + debian/patches/08_enable-zsh.patch | 22 + .../11_omit-directories-from-config.patch | 55 + debian/patches/90_gnutls.patch | 190 ++ ...LDFLAGS-from-curl-config-static-libs.patch | 42 + .../add_errorcodes_upstream_file.patch | 106 + ...-gssapi-link-flags-between-LDFLAGS-a.patch | 32 + ...d_tests_errorcodes_pl_to_the_tarball.patch | 46 + .../patches/openldap_fix_an_LDAP_crash.patch | 35 + debian/patches/series | 10 + debian/rules | 184 ++ debian/salsa-ci.yml | 6 + debian/source/format | 1 + debian/tests/LDAP-bindata.c | 354 ++ debian/tests/control | 11 + debian/tests/curl-ldapi-test | 24 + debian/tests/upstream-tests-gnutls | 37 + debian/tests/upstream-tests-openssl | 40 + debian/upstream/metadata | 5 + debian/watch | 3 + 40 files changed, 5162 insertions(+), 2 deletions(-) create mode 100644 debian/README.Debian create mode 100644 debian/README.source create mode 100644 debian/changelog create mode 100644 debian/control create mode 100644 debian/copyright create mode 100755 debian/curl.install create mode 100644 debian/gbp.conf create mode 100644 debian/libcurl3-gnutls.install create mode 100755 debian/libcurl3-gnutls.links create mode 100644 
debian/libcurl3-gnutls.lintian-overrides create mode 100644 debian/libcurl3-gnutls.symbols create mode 100644 debian/libcurl4-doc.docs create mode 100644 debian/libcurl4-doc.examples create mode 100644 debian/libcurl4-doc.links create mode 100644 debian/libcurl4-gnutls-dev.install create mode 100755 debian/libcurl4-gnutls-dev.links create mode 100644 debian/libcurl4-openssl-dev.install create mode 100644 debian/libcurl4.install create mode 100644 debian/libcurl4.symbols create mode 100644 debian/patches/04_workaround_as_needed_bug.patch create mode 100644 debian/patches/08_enable-zsh.patch create mode 100644 debian/patches/11_omit-directories-from-config.patch create mode 100644 debian/patches/90_gnutls.patch create mode 100644 debian/patches/Remove-curl-s-LDFLAGS-from-curl-config-static-libs.patch create mode 100644 debian/patches/add_errorcodes_upstream_file.patch create mode 100644 debian/patches/build-Divide-mit-krb5-gssapi-link-flags-between-LDFLAGS-a.patch create mode 100644 debian/patches/dist_add_tests_errorcodes_pl_to_the_tarball.patch create mode 100644 debian/patches/openldap_fix_an_LDAP_crash.patch create mode 100644 debian/patches/series create mode 100755 debian/rules create mode 100644 debian/salsa-ci.yml create mode 100644 debian/source/format create mode 100644 debian/tests/LDAP-bindata.c create mode 100644 debian/tests/control create mode 100644 debian/tests/curl-ldapi-test create mode 100644 debian/tests/upstream-tests-gnutls create mode 100644 debian/tests/upstream-tests-openssl create mode 100644 debian/upstream/metadata create mode 100644 debian/watch diff --git a/.github/workflows/packages.yaml b/.github/workflows/packages.yaml index 9c89310c2393d4..990b39ea3d61e9 100644 --- a/.github/workflows/packages.yaml +++ b/.github/workflows/packages.yaml 
@@ -53,7 +53,7 @@ jobs: run: | sed -i "1 s/([^)]*)/($(git describe --tags | sed 's/^[^0-9]*//;s/-/./g;s/_/./g')-$(date -u '+%Y%m%d.%H%M%S%N'))/" debian/changelog sbuild -d unstable --chroot-mode=unshare --no-clean-source --no-run-lintian \ - --extra-repository="deb [trusted=yes] https://github.com/jspricke/openssl/raw/packages/ ./" \ + --extra-repository="deb [trusted=yes] https://github.com/defo-project/openssl/raw/packages/ ./" \ --dpkg-source-opts="-Zgzip -z1 --format=1.0 -sn" --build-dir="$HOME/apt_repo" cd "$HOME/apt_repo" apt-ftparchive packages . > Packages @@ -64,7 +64,7 @@ jobs: mmdebstrap --chrooted-customize-hook="curl --ech true --doh-url 'https://1.1.1.1/dns-query' 'https://defo.ie/ech-check.php' | grep 'SSL_ECH_STATUS: success'" \ --variant=essential --include=ca-certificates,curl unstable /dev/null \ "deb [signed-by=/usr/share/keyrings/debian-archive-keyring.gpg] http://deb.debian.org/debian unstable main" \ - "deb [trusted=yes] https://github.com/jspricke/openssl/raw/packages/ /" \ + "deb [trusted=yes] https://github.com/defo-project/openssl/raw/packages/ /" \ "deb [trusted=yes] copy:/$HOME/apt_repo /" - name: Upload apt repository diff --git a/debian/README.Debian b/debian/README.Debian new file mode 100644 index 00000000000000..009428d21fe9ef --- /dev/null +++ b/debian/README.Debian @@ -0,0 +1,11 @@ +README for curl Debian package +============================== + +Maintaining curl is not an easy task so it's important to have multiple people +taking care of it. With that in mind, the Debian Curl Maintainers team was +created to ease the maintenance burden. We also decided to keep the package +under the Debian namespace on Salsa because of its importance. Nonetheless, if +you would like to make changes to the package please try to reach us first +before committing and uploading. + + -- Carlos Henrique Lima Melara Sun, 26 Nov 2023 22:54:15 -0300 
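Review bot: Switching the OpenSSL source from `jspricke` to `defo-project` in both hunks keeps `[trusted=yes]` on the sbuild `--extra-repository` line and on the mmdebstrap test line, so the ECH-patched OpenSSL packages the build links against are still installed without apt signature checks, and `raw/packages/` is a mutable branch rather than a pinned revision. Pin the path to a commit (`raw/<sha>/`) or sign that repository and use `signed-by=<keyring>` in place of `trusted=yes`; at minimum record in the workflow why the unsigned source is accepted, e.g. `# unsigned experimental OpenSSL fork; test builds only, do not reuse elsewhere`.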
diff --git a/debian/README.source b/debian/README.source new file mode 100644 index 00000000000000..511e9579457e31 --- /dev/null +++ b/debian/README.source @@ -0,0 +1,9 @@ +Adding New Patches +================== + +Note that when adding new patches they must be applied *before* 90_gnutls.patch +and 99_nss.patch. This is needed by curl's package byzantine build process, +which builds the source multiple times with different TLS libraries. + +This basically means that when adding new patches to the debian/patches/series +file, they must be listed before the aformentioned patches. diff --git a/debian/changelog b/debian/changelog new file mode 100644 index 00000000000000..3530853912a682 --- /dev/null +++ b/debian/changelog 
@@ -0,0 +1,2911 @@ +curl (8.5.0-2.1~1.gbpecf5952a8) UNRELEASED; urgency=medium + + ** SNAPSHOT build @ecf5952a8 ** + + * Add ECH patch + + -- Jochen Sprickerhof Wed, 18 Oct 2023 23:19:51 +0200 + +curl (8.5.0-2) unstable; urgency=medium + + * d/p/openldap_fix_an_LDAP_crash.patch: New patch to fix ldap segfault + (closes: #1057855) + + -- Samuel Henrique Fri, 29 Dec 2023 15:34:11 -0300 + +curl (8.5.0-1) unstable; urgency=medium + + [ Samuel Henrique ] + * New upstream version 8.5.0 + - Fix CVE-2023-46218: cookie mixed case PSL bypass (closes: #1057646) + - Fix CVE-2023-46219: HSTS long file name clears contents (closes: #1057645) + * d/rules: Use pkg-info.mk instead of dpkg-parsechangelog for DEB_VERSION + * d/p/90_gnutls.patch: Update patch + * d/p/dist_add_tests_errorcodes_pl_to_the_tarball.patch: Upstream patch to + fix tests + * d/p/add_errorcodes_upstream_file.patch: Include missing file from upstream + tarball + + [ Carlos Henrique Lima Melara ] + * d/control: change Maintainer field to curl packaging team + * d/README.Debian: add readme to explain curl's team creation + * d/control: add myself to Uploaders + + -- Samuel Henrique Wed, 06 Dec 2023 20:15:49 +0000 + +curl (8.4.0-2) unstable; urgency=medium + + * d/rules: set CURL_PATCHSTAMP to package's version, so it shows up in + "--version" output + + -- Samuel Henrique Sat, 14 Oct 2023 12:19:21 +0100 + +curl (8.4.0-1) unstable; urgency=medium + + * New upstream version 8.4.0 + * d/libcurl*.symbols: New symbol curl_multi_get_handles + * d/patches: + - Remove patches from 8.4.0 release + - 90_gnutls.patch: Update patch + + -- Samuel Henrique Fri, 13 Oct 2023 00:53:16 +0100 + +curl (8.3.0-3) unstable; urgency=high + + * Add patches to fix CVE-2023-38545 and CVE-2023-38546 + + -- Samuel Henrique Thu, 05 Oct 2023 22:26:40 +0100 + +curl (8.3.0-2) unstable; urgency=medium + + * d/rules: Add test 3102 to TESTS_FAILS_ON_IPV6_ONLY_MACHINES + * d/patches: Import two upstream patches to try to fix FTBFS on armel/armhf + - 
test650_fix_an_end_tag_typo.patch + - tests_increase_the_default_server_logs_lock_timeout.patch + * d/p/lib_use_wrapper_for_curl_mime_data_fseek_callback.patch: New patch to + fix armel/armhf FTBFS + + -- Samuel Henrique Sun, 01 Oct 2023 15:01:42 +0100 + +curl (8.3.0-1) unstable; urgency=medium + + * New upstream version 8.3.0 + - Fix CVE-2023-38039: HTTP headers eat all memory + * debian/: Remove files used for the nss packaging + * d/patches: + - Refresh patches + - gen_pl_escape_all_dashes.patch: Drop merged patch + - 90_gnutls.patch: Update patch + * d/libcurl*.symbols: New symbol curl_global_trace + + -- Samuel Henrique Thu, 14 Sep 2023 16:13:10 +0530 + +curl (8.2.1-2) unstable; urgency=medium + + [ Andreas Hasenack ] + * Move ldap-test to a script and add retry logic + + [ Samuel Henrique ] + * Build without nss, dropped by upstream in the next release + * d/p/gen_pl_escape_all_dashes.patch: New patch to fix manpage generation + (closes: #1043309, #1043339) + + -- Samuel Henrique Fri, 25 Aug 2023 20:05:02 +0100 + +curl (8.2.1-1) unstable; urgency=medium + + [ Samuel Henrique ] + * New upstream version 8.2.1 + + [ Sergio Durigan Junior ] + * d/p/{90_gnutls,99_nss}.patch: + Update GNUTls/NSS patches to unbreak tests/http/clients + * Drop unnecessary patches. + d/p/CVE-2023-27533.patch + d/p/CVE-2023-27534.patch + d/p/CVE-2023-27535.patch + d/p/CVE-2023-27536.patch + d/p/CVE-2023-27537.patch + d/p/CVE-2023-27538.patch + d/p/CVE-2023-28319.patch + d/p/CVE-2023-28320-1.patch + d/p/CVE-2023-28320.patch + d/p/CVE-2023-28321.patch + d/p/CVE-2023-28322.patch + d/p/CVE-2023-32001.patch + d/p/Use-OpenLDAP-specific-functionality.patch + d/p/fix-unix-domain-socket.patch + + -- Sergio Durigan Junior Thu, 03 Aug 2023 20:00:01 -0400 + +curl (7.88.1-11) unstable; urgency=medium + + [ Carlos Henrique Lima Melara ] + * Fix CVE-2023-32001: TOCTOU race condition in Curl_fopen(): + - Done by d/p/CVE-2023-32001.patch (Closes: #1041812). 
+ + [ John Scott ] + * LDAP backend: correct the usage of OpenLDAP-specific functionality being + disabled with an upstream patch (Closes: #1041964) + This corrects the improper fetching of binary attributes. + * debian/tests: add a DEP-8 test that getting binary LDAP attributes works now + + -- Samuel Henrique Fri, 28 Jul 2023 21:11:25 +0100 + +curl (7.88.1-10) unstable; urgency=medium + + * Add new patches to fix CVEs (closes: #1036239): + - CVE-2023-28319: UAF in SSH sha256 fingerprint check + - CVE-2023-28320: siglongjmp race condition + - CVE-2023-28321: IDN wildcard match + - CVE-2023-28322: more POST-after-PUT confusion + * d/libcurl*.symbols: Drop curl_jmpenv, not built anymore due to + CVE-2023-28320 + + -- Samuel Henrique Thu, 18 May 2023 23:43:40 +0100 + +curl (7.88.1-9) unstable; urgency=medium + + [ Sergio Durigan Junior ] + * d/p/Use-correct-path-when-loading-libnss-pem-ckbi-.so.patch: + Don't prepend "nss" when opening libnssckbi.so. (Closes: #1034359) + + [ Samuel Henrique ] + * Update list of tests that fail on IPv6-only envs and don't skip them on + autopkgtest + * d/p/fix-unix-domain-socket.patch: Import upstream patch to fix --unix + (closes: #1033963) + + -- Samuel Henrique Sat, 15 Apr 2023 20:03:44 +0100 + +curl (7.88.1-8) unstable; urgency=medium + + [ Samuel Henrique ] + * d/gbp.conf: Push gbp conf with sane defaults + * d/salsa-ci.yml: Disable dh_auto_test with DEB_BUILD_OPTIONS + * d/rules: Add new build profiles to limit builds to a single TLS backend + * d/tests: Add new autopkgtests that runs curl's test suite + + [ Sergio Durigan Junior ] + * d/rules: Remove -D_DEB_HOST_ARCH from curl-config's CFLAGS. 
+ + -- Samuel Henrique Sun, 26 Mar 2023 11:36:24 +0100 + +curl (7.88.1-7) unstable; urgency=medium + + * Bump Standards-Version to 4.6.2 + * d/p/06_always-disable-valgrind.patch: Remove unused patch + * d/patches: Refresh all patches + * Import 5 new upstream patches fixing CVES: + - CVE-2023-27533: TELNET option IAC injection + - CVE-2023-27534: SFTP path ~ resolving discrepancy + - CVE-2023-27535: FTP too eager connection reuse + - CVE-2023-27536: GSS delegation too eager connection re-use + - CVE-2023-27537: HSTS double-free + - CVE-2023-27538: SSH connection too eager reuse still + + -- Samuel Henrique Tue, 21 Mar 2023 22:39:05 +0000 + +curl (7.88.1-6) unstable; urgency=medium + + * d/rules: Ignore test results from tests that fail on IPv6-only builders + (closes: #1032343) + * d/control: Don't install gnutls-bin for tests on ppc64el (tests hangs + forever) + + -- Samuel Henrique Wed, 08 Mar 2023 20:57:09 +0000 + +curl (7.88.1-5) unstable; urgency=medium + + * Fix stringification of _DEB_HOST_ARCH macro. + - d/p/Use-correct-path-when-loading-libnss-pem-ckbi-.so.patch: + Use _DEB_HOST_ARCH directly. + - d/rules: Quote _DEB_HOST_ARCH when passing it with -D. + + -- Sergio Durigan Junior Mon, 06 Mar 2023 10:22:32 -0500 + +curl (7.88.1-4) unstable; urgency=medium + + * d/p/Use-correct-path-when-loading-libnss-pem-ckbi-.so.patch: + Prepend "/nss/" before the library name. + + -- Sergio Durigan Junior Sun, 05 Mar 2023 18:38:13 -0500 + +curl (7.88.1-3) unstable; urgency=medium + + * d/p/Use-correct-path-when-loading-libnss-pem-ckbi-.so.patch: + Use correct paths when loading libnss{pem,ckbi}.so. (Closes: #726073) + * d/rules: Pass _DEB_HOST_ARCH via C{,XX}FLAGS; reenable NSS PEM tests. + * d/control: B-D on nss-plugin-pem (test only). + Also, make libcurl3-nss depend on nss-plugin-pem as well. 
+ + -- Sergio Durigan Junior Sun, 05 Mar 2023 12:59:58 -0500 + +curl (7.88.1-2) unstable; urgency=medium + + * Multiple test improvements, which will increase the reliability of the + package, especially when backporting fixes on stable and oldstable: + - Test results are now critical to the build process, if a test fails, + the build will fail. + - Add two new test build-dependencies to increase coverage: locales-all + and gnutls-bin. + - Only run non-flaky tests. + - Print logs of failed tests. + - Run all tests even if there was a failure. + - Ignore results of known failing tests (for Debian). + - Disable valgrind through a test parameter instead of patching + upstream source code. + + -- Samuel Henrique Fri, 03 Mar 2023 08:28:19 +0000 + +curl (7.88.1-1) unstable; urgency=medium + + * New upstream version 7.88.1 + - Fix the following CVEs (closes: #1031371) + ~ CVE-2023-23916: HTTP multi-header compression denial of service + ~ CVE-2023-23915: HSTS amnesia with --parallel + ~ CVE-2023-23914: HSTS ignored on multiple requests + - Fix curl_multi_socket_action regression (closes: #1029231) + * d/patches: Drop backported patch added to fix regression in setopt/getinfo + * d/copyright: Drop removed file from copyright + * d/control: Update BD to drop transitional package libidn11-dev + + -- Samuel Henrique Mon, 20 Feb 2023 22:35:53 +0000 + +curl (7.87.0-2) unstable; urgency=medium + + * d/patches: Add new upstream patch to fix regression in setopt/getinfo + (closes: #1027564) + * d/p/build-Divide-mit-krb5...patch: Refresh patch + + -- Samuel Henrique Sun, 15 Jan 2023 21:12:09 +0000 + +curl (7.87.0-1) unstable; urgency=medium + + * New upstream version 7.87.0 + * d/patches: + - Update patches + - Drop all backported patches that are applied in the new release + * d/copyright: Remove missing file + * d/*.lintian-overrides: Remove unused overrides + + [ Simon McVittie ] + * Make -dev packages 'Multi-Arch: same' back again (closes: #1024668) + + -- Samuel Henrique Fri, 
23 Dec 2022 20:36:01 +0000 + +curl (7.86.0-3) unstable; urgency=medium + + * Fix two HSTS-related CVEs. + - d/p/CVE-2022-43551-another-hsts-bypass-via-idn.patch: use the IDN + decoded name in HSTS checks. + (Closes: #1026829, CVE-2022-43551) + - d/p/CVE-2022-43552-http-proxy-deny-use-after-free.patch: do not free + smb's/telnet's protocol struct in *_done(). + (Closes: #1026830, CVE-2022-43552) + + -- Sergio Durigan Junior Wed, 21 Dec 2022 15:55:18 -0500 + +curl (7.86.0-2) unstable; urgency=medium + + [ Debian Janitor ] + * Apply multi-arch hints. + libcurl4-gnutls-dev, libcurl4-nss-dev, + libcurl4-openssl-dev: Drop Multi-Arch: same. + + [ Samuel Henrique ] + * d/patches: Backport three upstream patches to fix noproxy option. + + -- Samuel Henrique Tue, 15 Nov 2022 21:04:55 +0000 + +curl (7.86.0-1) unstable; urgency=medium + + * New upstream version 7.86.0 + - Fix HSTS bypass via IDN: + curl's HSTS check could be bypassed to trick it to keep using HTTP. + (closes: CVE-2022-42916) + - Fix HTTP proxy double-free (closes: CVE-2022-42915) + - Fix .netrc parser out-of-bounds access (closes: CVE-2022-35260) + - Fix POST following PUT confusion (closes: CVE-2022-32221) + + -- Samuel Henrique Thu, 27 Oct 2022 20:38:24 +0100 + +curl (7.85.0-1) unstable; urgency=medium + + * New upstream version 7.85.0 + - Fix control code in cookie denial of service: + When curl retrieves and parses cookies from an HTTP(S) server, it + accepts cookies using control codes (byte values below 32). When cookies + that contain such control codes are later sent back to an HTTP(S) server, + it might make the server return a 400 response. 
Effectively allowing a + "sister site" to deny service to siblings + (closes: #1018831, CVE-2022-35252) + - Fix FTBFS on riscv64 with gcc-12 (closes: #1015835) + * Bump Standards-Version to 4.6.1 + * Add lintian overrides for old-style-config-script-multiarch-path triggered + for curl-config + * d/patches: + - 11_omit-directories-from-config.patch: Update patch + - 20_ftbfs_import_sched.patch: Drop patch, applied upstream + * d/rules: Fix configure args, remove bogus '--without-ssl' + * d/copyright: Update the whole file + * d/(control|watch): Update upstream's URL + + -- Samuel Henrique Fri, 02 Sep 2022 13:00:10 +0100 + +curl (7.84.0-2) unstable; urgency=medium + + * d/p/20_ftbfs_import_sched.patch: New upstream patch to fix FTBFS + (closes: #1014596) + + -- Samuel Henrique Mon, 11 Jul 2022 22:50:01 +0100 + +curl (7.84.0-1) unstable; urgency=medium + + * New upstream version 7.84.0 + - Fix the following CVEs: + ~ Improper Enforcement of Message Integrity During Transmission in a + Communication Channel (CVE-2022-32208) + ~ Improper Preservation of Permissions (CVE-2022-32207) + ~ Allocation of Resources Without Limits or Throttling (CVE-2022-32205, + CVE-2022-32206) + + -- Samuel Henrique Mon, 27 Jun 2022 22:06:25 +0100 + +curl (7.83.1-2) unstable; urgency=medium + + * d/p/fix_multiline_header_regression.patch: New upstream patch to fix + regression (closes: #1012263, #1011696) + + -- Samuel Henrique Tue, 14 Jun 2022 18:05:23 +0100 + +curl (7.83.1-1) unstable; urgency=medium + + * New upstream version 7.83.1 + - Fix the following CVEs: + ~ HSTS bypass via trailing dot (CVE-2022-30115) + ~ TLS and SSH connection too eager reuse (CVE-2022-27782) + ~ CERTINFO never-ending busy-loop (CVE-2022-27781) + ~ percent-encoded path separator in URL host (CVE-2022-27780) + ~ cookie for trailing dot TLD (CVE-2022-27779) + ~ curl removes wrong file on error (CVE-2022-27778) + + -- Samuel Henrique Wed, 11 May 2022 17:46:48 +0100 + +curl (7.83.0-1) unstable; urgency=medium + + * 
New upstream version 7.83.0 + - Fix auth/cookie leak on redirect (closes: #1010252, CVE-2022-27776) + - Fix bad local IPv6 connection reuse (closes: #1010253, CVE-2022-27775) + - Fix credential leak on redirect (closes: #1010254, CVE-2022-27774) + - Fix OAUTH2 bearer bypass in connection re-use + (closes: #1010295, CVE-2022-22576) + * d/libcurl*.symbols: update symbols files to add curl_easy_header and + curl_easy_nextheader + * d/patches: + - Refresh patches + - 12_fix_openssl_cm_check.patch: remove patch, applied upstream + + -- Samuel Henrique Thu, 28 Apr 2022 18:53:32 +0100 + +curl (7.82.0-2) unstable; urgency=medium + + * d/p/12_fix_openssl_cm_check.patch: New upstream patch to fix openssl CN + check (closes: #1007739, #1007740) + * d/control: + - Set libcurl4-doc as Multi-Arch: foreign + - Remove ancient version requirements for dependencies + * d/salsa-ci.yml: Disable reprotest until it acknowledges + SALSA_CI_DPKG_BUILDPACKAGE_ARGS + + -- Samuel Henrique Sat, 19 Mar 2022 13:55:00 +0000 + +curl (7.82.0-1) unstable; urgency=medium + + * New upstream version 7.82.0 + * d/salsa-ci.yml: Add CI definition customized to skip tests (nocheck), to + avoid long build times + * Update and refresh patches: 13_fix-man-formatting.patch has been merged + upstream + * d/rules: + - Add --with-nss-deprecated, required to build with nss now + (upstream will drop support in August) + - Look for nocheck build profile in DEB_BUILD_PROFILES instead of + DEB_BUILD_OPTIONS (wider coverage) + + -- Samuel Henrique Sat, 05 Mar 2022 13:40:14 +0000 + +curl (7.81.0-1) unstable; urgency=medium + + * New upstream version 7.81.0 + * d/p/13_fix-man-formatting.patch: Refresh patch + + -- Samuel Henrique Wed, 05 Jan 2022 09:31:32 -0300 + +curl (7.80.0-3) unstable; urgency=medium + + * Revert "Revert "debian/control: Add Build-Depends on libssh-dev for + Ubuntu". + + As per #1002598, the blocker has been solved. 
+ + Note that this does not changes Debian's curl to libssh, it still + uses libssh2. + + Discussions about changing to libssh are ongoing at #897950 + + -- Samuel Henrique Sun, 26 Dec 2021 13:22:18 -0300 + +curl (7.80.0-2) unstable; urgency=medium + + * Revert "debian/control: Add Build-Depends on libssh-dev for Ubuntu" + (closes: #1002597) + The change had side effects on Debian due to the inclusion of the new + Build-dep, even though it doesn't changes the resulting binary. It cause + issues for architecture bootstraping. + + We are gonna reintroduce this change once the issues are fixed, to allow + Ubuntu to remove its delta. + + See discussions at #1002598 and #1002597 for details + + -- Samuel Henrique Sat, 25 Dec 2021 10:47:13 -0300 + +curl (7.80.0-1) unstable; urgency=medium + + [ Samuel Henrique ] + * New upstream version 7.80.0 + * Bump Standards-Version to 4.6.0 + * Add new symbol curl_url_strerror to symbols files + * Compile with zstd support (closes: #983660) + * d/p/12_use-python3-in-tests.patch: Drop patch, merged upstream + * d/p/13_fix-man-formatting.patch: Update patch + * d/p/14_fix-compatibility-impacket-0-9-23.patch: Drop patch, merged upstream + + [ Jeremy Bicha ] + * debian/control: Add Build-Depends on libssh-dev for Ubuntu + + -- Samuel Henrique Fri, 24 Dec 2021 11:42:57 -0300 + +curl (7.79.1-2) unstable; urgency=medium + + * d/rules: Make test failures non-fatal again. + Unfortunately there are some test failures happening on a few + architectures, so we have to make the build pass even if not all tests + are succeeding, at least until we have time to properly investigate + the reason for these failures. 
+ + -- Sergio Durigan Junior Mon, 08 Nov 2021 23:54:35 -0500 + +curl (7.79.1-1) unstable; urgency=medium + + [ Samuel Henrique ] + * Add myself as an Uploader + * Add sergiodj as an uploader + * New upstream version 7.79.1 (closes: #989046) + - Changes since 7.74.0: + ~ vtls: fix connection reuse checks for issuer cert and case sensitivity + (closes: #991492, CVE-2021-22924) + ~ Fix User-Agent header missing in some cases (closes: #994940) + ~ Fix TELNET stack contents disclosure (closes: #989228, CVE-2021-22898) + * d/rules: Add --with-{openssl|gnutls|nss} to configure args + * Update all patches. + Remove patches: + - 07_do-not-disable-debug-symbols: Obsolete as per + https://github.com/curl/curl/issues/7216. + - 14_transfer-strip-credentials-from-the-auto-referer-hea: + Originally from upstream, part of the release now. + - 15_vtls-add-isproxy-argument-to-Curl_ssl_get-addsession: + Originally from upstream, part of the release now. + - fix-regression-microseconds-instead-of-seconds: + Originally from upstream, part of the release now. + Update patches: + - 12_use-python3-in-tests: Update and forward upstream. + - 90_gnutls: Update + - 99_nss: Update + - 13_fix-man-formatting: Update + + [ Debian Janitor ] + * Use secure URI in Homepage field. + * Set debhelper-compat version in Build-Depends. + * Set upstream metadata fields: Bug-Database, + Bug-Submit (from ./configure), Repository, Repository-Browse. + * Avoid explicitly specifying -Wl,--as-needed linker flag. + + [ Helmut Grohne ] + * Also remove -ffile-prefix-map from curl-config (closes: #990128) + * Explicitly disable zstd support (closes: #992505) + + [ Sergio Durigan Junior ] + * d/control: Add Rules-Requires-Root: no. + * d/copyright: Add public-domain license text. + * Enable GPG-checking of orig tarball. + - d/upstream/signing-key.asc: Upstream public key. + - d/watch: Add "pgpmode=auto" as an option. + * Bump debhelper-compat to 13. + - d/control: B-D on debhelper-compat = 13. 
+ - d/rules: After the override_dh_auto_install target has been run, + we know that we can safely get rid of the contents inside the + debian/tmp/ directory. This is needed because otherwise dh_missing + will complain about uninstalled files, which will make the build + fail when using debhelper-compat 13. + * d/rules: Some minor cleanup and removal of unneeded comments. + * d/rules: Honour "nocheck" build option. + * Make OpenSSL and GNUTLS builds fail if tests fail + - d/rules: Adjust rule to make OpenSSL and GNUTLS builds fail if their + tests fail. Unfortunately, it's still not possible to make the NSS + build fail if its tests fail; we're still investigating the failures + there with it. + - d/p/14_fix-compatibility-impacket-0-9-23.patch: Needed patch + to make tests pass with impacket 0.9.23+. + + -- Samuel Henrique Mon, 08 Nov 2021 21:14:47 +0000 + +curl (7.74.0-1.3) unstable; urgency=medium + + * Non-maintainer upload. + * Add upstream patch bc7ecc7 so curl -w times shown as seconds with + fractions (Closes: #989064) + + -- Paul Gevers Fri, 25 Jun 2021 20:59:54 +0200 + +curl (7.74.0-1.2) unstable; urgency=medium + + * Non-maintainer upload. + * transfer: strip credentials from the auto-referer header field + (CVE-2021-22876) (Closes: #986269) + * vtls: add 'isproxy' argument to Curl_ssl_get/addsessionid() + (CVE-2021-22890) (Closes: #986270) + + -- Salvatore Bonaccorso Sat, 03 Apr 2021 14:43:39 +0200 + +curl (7.74.0-1.1) unstable; urgency=medium + + * Non-maintainer upload. 
+ + [ Bruno Kleinert ] + * Fixed "Please build-depend on libidn2-dev instead of obsolete transition + package libidn2-0-dev" (Closes: #974996) + + -- Samuel Henrique Wed, 10 Feb 2021 00:42:40 +0000 + +curl (7.74.0-1) unstable; urgency=medium + + * New upstream release + + Fix inferior OCSP verification as per CVE-2020-8286 (Closes: #977161) + https://curl.se/docs/CVE-2020-8286.html + + Fix FTP wildcard stack overflow as per CVE-2020-8285 (Closes: #977162) + https://curl.se/docs/CVE-2020-8285.html + + Fix trusting FTP PASV responses as per CVE-2020-8284 (Closes: #977163) + https://curl.se/docs/CVE-2020-8284.html + * Update debian/watch to new upstream download page layout + * Update 12_use-python3-in-tests.patch due to renamed file + * Refresh patches + * Fix cross-build due to python build dependencies. + Thanks to Helmut Grohne for the patch (Closes: #969004) + * Fix formatting in some man pages. + Thanks to Bjarni Ingi Gislason for the patch (Closes: #963559) + * Update list of documentation files to install + * Update symbols + * Bump Standards-Version to 4.5.1 (no changes needed) + * Drop removed file from d/copyright + + -- Alessandro Ghedini Thu, 31 Dec 2020 15:22:05 +0100 + +curl (7.72.0-1) unstable; urgency=medium + + * New upstream release + + Fix partial password leak over DNS on HTTP redirect as per CVE-2020-8169 + (Closes: #965280) + https://curl.haxx.se/docs/CVE-2020-8169.html + + Fix local file overwrite with -J option as per CVE-2020-8177 + (Closes: #965281) + https://curl.haxx.se/docs/CVE-2020-8177.html + + Fix wrong connect-only connection as per CVE-2020-8231 (Closes: #968831) + https://curl.haxx.se/docs/CVE-2020-8231.html + * Refresh patches + * Do not install *.la files. + Thanks to Pino Toscano for the patch. 
(Closes: #955785) + * Update list of doc files + * Update copyright for polarssl -> mbedtls rename + * Use python3 executable in tests + + -- Alessandro Ghedini Mon, 24 Aug 2020 10:26:12 +0200 + +curl (7.68.0-1) unstable; urgency=medium + + * New upstream release + * Bump Standards-Version to 4.5.0 (no changes needed) + * Update symbols files + * Configure default CA file with OpenSSL again (Closes: #948441) + + -- Alessandro Ghedini Sat, 22 Feb 2020 14:37:19 +0000 + +curl (7.67.0-2) unstable; urgency=medium + + * Restore :native annotation for python3 Build-Depends. + Thanks to Helmut Grohne for the patch (Closes: #945928) + + -- Alessandro Ghedini Sun, 01 Dec 2019 13:29:28 +0000 + +curl (7.67.0-1) unstable; urgency=medium + + * New upstream release + * Replace python with python3 in Build-Depends (Closes: #942984) + * Bump Standards-Version to 4.4.1 (no changes needed) + + -- Alessandro Ghedini Sat, 30 Nov 2019 12:45:07 +0000 + +curl (7.66.0-1) unstable; urgency=medium + + * New upstream release (Closes: #940024) + + Fix FTP-KRB double-free as per CVE-2019-5481 (Closes: #940009) + https://curl.haxx.se/docs/CVE-2019-5481.html + + Fix TFTP small blocksize heap buffer overflow as per CVE-2019-5482 + (Closes: #940010) + https://curl.haxx.se/docs/CVE-2019-5482.html + * Refresh patches + * Enable brotli support (Closes: #940129) + * Update *.symbols files + + -- Alessandro Ghedini Sun, 15 Sep 2019 15:47:05 +0100 + +curl (7.65.3-1) unstable; urgency=medium + + * New upstream release + * Drop 12_fix-man-errors.patch (merged upstream) + * Remove Ian Jackson from Uploaders as he has never done an upload + + -- Alessandro Ghedini Fri, 09 Aug 2019 19:45:02 +0100 + +curl (7.65.1-1) unstable; urgency=medium + + * New upstream release + + Reduce verbose output (Closes: #926148) + + Fix parsing URLs with link local addresses (Closes: #926812) + * Drop patches merged upstream + * Refresh patches + * Bump STandards-Version to 4.4.0 (no changes needed) + * Update entry in copyright 
for renamed files + * Fix some man errors. + Thanks to Bjarni Ingi Gislason for the patch (Closes: #926352) + * Add Build-Depends-Package field to symbols files + + -- Alessandro Ghedini Sat, 13 Jul 2019 12:37:09 +0100 + +curl (7.64.0-4) unstable; urgency=medium + + * Fix TFTP receive buffer overflow as per CVE-2019-5436 (Closes: #929351) + https://curl.haxx.se/docs/CVE-2019-5436.html + * Fix integer overflow in curl_url_set() as per CVE-2019-5435 (Closes: #929352) + https://curl.haxx.se/docs/CVE-2019-5435.html + + -- Alessandro Ghedini Fri, 14 Jun 2019 19:23:32 +0100 + +curl (7.64.0-3) unstable; urgency=medium + + * Fix potential crash in HTTP/2 code and busy loop at the end of connections + (Closes: #927471) + + -- Alessandro Ghedini Sat, 04 May 2019 12:51:06 +0100 + +curl (7.64.0-2) unstable; urgency=medium + + * Fix infinite loop when fetching URLs with unreachable IPv6 (Closes: #922554) + + -- Alessandro Ghedini Thu, 07 Mar 2019 20:02:35 +0000 + +curl (7.64.0-1) unstable; urgency=medium + + * New upstream release + + Fix NTLM type-2 out-of-bounds buffer read as per CVE-2018-16890 + https://curl.haxx.se/docs/CVE-2018-16890.html + + Fix NTLMv2 type-3 header stack buffer overflow as per CVE-2019-3822 + https://curl.haxx.se/docs/CVE-2019-3822.html + + Fix SMTP end-of-response out-of-bounds read as per CVE-2019-3823 + https://curl.haxx.se/docs/CVE-2019-3823.html + + Fix HTTP negotiation with POST requests (Closes: #920267) + * Refresh patches + * Import fixes for zsh completion script generator (Closes: #92145) + + -- Alessandro Ghedini Wed, 06 Feb 2019 22:33:05 +0000 + +curl (7.63.0-1) unstable; urgency=medium + + * New upstream release + + Fix IPv6 numeral address parser (Closes: #915520) + + Fix timeout handling (Closes: #914793) + + Fix HTTP auth to include query in URI (Closes: #913214) + * Drop 12_fix-runtests-curl.patch (merged upstream) + * Update symbols + * Update copyright for removed files + * Bump debhlper compat level to 12 + * Bump Standards-Version 
to 4.3.0 (no changes needed) + + -- Alessandro Ghedini Tue, 15 Jan 2019 20:47:40 +0000 + +curl (7.62.0-1) unstable; urgency=medium + + * New upstream release + + Fix NTLM password overflow via integer overflow as per CVE-2018-14618 + (Closes: #908327) https://curl.haxx.se/docs/CVE-2018-14618.html + + Fix SASL password overflow via integer overflow as per CVE-2018-16839 + https://curl.haxx.se/docs/CVE-2018-16839.html + + Fix use-after-free in handle close as per CVE-2018-16840 + https://curl.haxx.se/docs/CVE-2018-16840.html + + Fix warning message out-of-buffer read as per CVE-2018-16842 + https://curl.haxx.se/docs/CVE-2018-16842.html + + Fix broken terminal output (closes: #911333) + * Refresh patches + * Add 12_fix-runtests-curl.patch to fix running curl in tests + + -- Alessandro Ghedini Wed, 31 Oct 2018 22:42:44 +0000 + +curl (7.61.0-1) unstable; urgency=medium + + * New upstream release + + Fix SMTP send heap buffer overflow as per CVE-2018-0500 (Closes: #903546) + https://curl.haxx.se/docs/adv_2018-70a2.html + + Fix some crashes related to HTTP/2 (Closes: #902628) + * Disable libssh2 on Ubuntu. + Thanks to Gianfranco Costamagna for the patch (Closes: #888449) + * Bump Standards-Version to 4.2.0 (no changes needed) + * Don't configure default CA bundle with OpenSSL and GnuTLS (Closes: #883174) + + -- Alessandro Ghedini Sat, 11 Aug 2018 13:32:28 +0100 + +curl (7.60.0-2) unstable; urgency=medium + + [ Steve Langasek ] + * Build-depend on libssl-dev instead of libssl1.0-dev. + * Rename libcurl3 to libcurl4, because libcurl exposes an SSL_CTX via + CURLOPT_SSL_CTX_FUNCTION, and this object changes incompatibly between + openssl 1.0 and openssl 1.1. + * debian/patches/03_keep_symbols_compat.patch: drop, since we are no longer + claiming compatibility. + * debian/patches/90_gnutls.patch: Retain symbol versioning compatibility for + non-OpenSSL builds. Closes: #858398. 
+ * Adjust libssl1.1 vs libssl1.0 Suggests/Conflicts; thanks, Adrian Bunk + + -- Alessandro Ghedini Wed, 23 May 2018 20:25:39 +0100 + +curl (7.60.0-1) unstable; urgency=medium + + * New upstream release (Closes: #891997, #893546, #898856) + + Fix use of IPv6 literals with NO_PROXY + + Fix NIL byte out of bounds write due to FTP path trickery + as per CVE-2018-1000120 + https://curl.haxx.se/docs/adv_2018-9cd6.html + + Fix LDAP NULL pointer dereference as per CVE-2018-1000121 + https://curl.haxx.se/docs/adv_2018-97a2.html + + Fix RTSP RTP buffer over-read as per CVE-2018-1000122 + https://curl.haxx.se/docs/adv_2018-b047.html + + Fix heap buffer overflow when closing down an FTP connection + with very long server command replies as per CVE-2018-1000300 + https://curl.haxx.se/docs/adv_2018-82c2.html + + Fix heap buffer over-read when parsing bad RTSP headers + as per CVE-2018-1000301 + https://curl.haxx.se/docs/adv_2018-b138.html + * Refresh patches + * Bump Standards-Version to 4.1.4 (no changes needed) + + -- Alessandro Ghedini Fri, 18 May 2018 20:21:17 +0100 + +curl (7.58.0-2) unstable; urgency=medium + + * Explicitly enable libssh2 support which got silently disabled in the + previous update + + -- Alessandro Ghedini Wed, 24 Jan 2018 20:27:50 +0000 + +curl (7.58.0-1) unstable; urgency=medium + + * New upstream release + - Fix HTTP/2 trailer out-of-bounds read as per CVE-2018-1000005 + https://curl.haxx.se/docs/adv_2018-824a.html + - Fix HTTP authentication leak in redirects as per CVE-2018-1000007 + https://curl.haxx.se/docs/adv_2018-b3bf.html + * Point Vcs-* to salsa.d.o + * Bump Standards-Version to 4.1.3 (no changes needed) + * Bump debhlper compat level to 11 + * Refresh patches + * fix insecure-copyright-format-uri + + -- Alessandro Ghedini Wed, 24 Jan 2018 11:13:58 +0000 + +curl (7.57.0-1) unstable; urgency=medium + + * New upstream release + - Fix NTLM buffer overflow via integer overflow as per CVE-2017-8816 + https://curl.haxx.se/docs/adv_2017-11e7.html + 
- Fix FTP wildcard out of bounds read as per CVE-2017-8817 + https://curl.haxx.se/docs/adv_2017-ae72.html + - Fix SSL out of buffer access as per CVE-2017-8818 + https://curl.haxx.se/docs/adv_2017-af0a.html + * Remove -fdebug-prefix-map from curl-config. + Thanks to Timo Weingärtner for the patch (Closes: #861974, #874223, #874238) + * Don't install zsh completion when cross compiling. + Thanks to Wookey for the patch (Closes: #812965) + + -- Alessandro Ghedini Thu, 30 Nov 2017 10:16:03 +0000 + +curl (7.56.1-1) unstable; urgency=medium + + * New upstream release + - Fix IMAP FETCH response out of bounds read as per CVE-2017-1000257 + https://curl.haxx.se/docs/adv_20171023.html + * Bump Standards-Version to 4.1.1 (no changes needed) + * Drop 01_runtests_gdb.patch + * Drop 12_dont-wait-on-CONNECT.patch + * Refresh patches + * Update *.symbols files + * Use https:// URL in watch file + + -- Alessandro Ghedini Tue, 24 Oct 2017 11:05:48 +0100 + +curl (7.55.1-1) unstable; urgency=medium + + * New upstream release + - Fix FTBFS on powerpc (Closes: #872502) + * Apply upstream patch to fix connection timeouts with NetworkManager + (Closes: #873181) + * Refresh patches + * Bump Standards-Version to 4.1.0 (no changes needed) + + -- Alessandro Ghedini Sat, 02 Sep 2017 12:10:22 +0100 + +curl (7.55.0-1) unstable; urgency=medium + + * New upstream release + - Fix TFTP sends more than buffer size as per CVE-2017-1000100 + (Closes: #871555) + - Fix URL globbing out of bounds read as per CVE-2017-1000101 + (Closes: #871554) + * Refresh patches and drop patches merged upstream + * Update Standards-Version to 4.0.1 (no changes needed) + * Drop -dbg package + + -- Alessandro Ghedini Sat, 12 Aug 2017 15:18:05 +0100 + +curl (7.52.1-5) unstable; urgency=high + + * Fix TLS session resumption client cert bypass as per CVE-2017-7468 + https://curl.haxx.se/docs/adv_20170419.html + + -- Alessandro Ghedini Wed, 19 Apr 2017 11:19:50 +0100 + +curl (7.52.1-4) unstable; urgency=medium + + * Fix 
regression in CONNECT response handling (Closes: #857613) + * Fix buffer read overrun on --write-out as per CVE-2017-7407 + https://curl.haxx.se/docs/adv_20170403.html (Closes: #859500) + + -- Alessandro Ghedini Sat, 08 Apr 2017 21:55:27 +0100 + +curl (7.52.1-3) unstable; urgency=high + + * Make SSL_VERIFYSTATUS work again as per CVE-2017-2629 + https://curl.haxx.se/docs/adv_20170222.html + + -- Alessandro Ghedini Tue, 21 Feb 2017 22:38:41 +0000 + +curl (7.52.1-2) unstable; urgency=medium + + * Fix HTTPS connection timeout with OpenSSL (Closes: #852317) + + -- Alessandro Ghedini Sun, 29 Jan 2017 21:34:10 +0000 + +curl (7.52.1-1) unstable; urgency=medium + + * New upstream release + - Fix printf floating point buffer overflow as per CVE-2016-9586 + (Closes: #848958) + * B-D on "libssl1.0-dev | libssl-dev (<< 1.1)" (Closes: #850880, #844018) + * Another attempt at making -dev packages multi-arch. + Thanks to Benjamin Moody for the patches. (Closes: #731998, #846360) + * Enable support for PSL (Closes: #847958) + * Re-enable support for IDN (Closes: #849539) + * Drop 10_disable-network-tests.patch. + It didn't really work, and the issue is not urgent. + * Switch curl binary back to libcurl3/OpenSSL. + While the GnuTLS flavour mostly worked fine, there are a bunch of features + that are not implemented. 
+ + -- Alessandro Ghedini Thu, 12 Jan 2017 22:02:44 +0000 + +curl (7.51.0-1) unstable; urgency=medium + + * New upstream release + - Fix cookie injection for other servers as per CVE-2016-8615 + https://curl.haxx.se/docs/adv_20161102A.html + - Fix case insensitive password comparison as per CVE-2016-8616 + https://curl.haxx.se/docs/adv_20161102B.html + - Fix OOB write via unchecked multiplication as per CVE-2016-8617 + https://curl.haxx.se/docs/adv_20161102C.html + - Fix double-free in curl_maprintf as per CVE-2016-8618 + https://curl.haxx.se/docs/adv_20161102D.html + - Fix double-free in krb5 code as per CVE-2016-8619 + https://curl.haxx.se/docs/adv_20161102E.html + - Fix glob parser write/read out of bounds as per CVE-2016-8620 + https://curl.haxx.se/docs/adv_20161102F.html + - Fix curl_getdate read out of bounds as per CVE-2016-8621 + https://curl.haxx.se/docs/adv_20161102G.html + - Fix URL unescape heap overflow via integer truncation as per CVE-2016-8622 + https://curl.haxx.se/docs/adv_20161102H.html + - Fix use-after-free via shared cookies as per CVE-2016-8623 + https://curl.haxx.se/docs/adv_20161102I.html + - Fix invalid URL parsing with '#' as per CVE-2016-8624 + https://curl.haxx.se/docs/adv_20161102J.html + - Fix IDNA 2003 makes curl use wrong host + https://curl.haxx.se/docs/adv_20161102K.html + - Fix escape and unescape integer overflows as + per CVE-2016-7167 (Closes: #837945) + https://curl.haxx.se/docs/adv_20160914.html + - Fix incorrect reuse of client certificates (NSS backend) + as per CVE-2016-7141 (Closes: #836918) + https://curl.haxx.se/docs/adv_20160907.html + * Drop 02_art_http_scripting.patch (file not shipped anymore) + * Refresh patches + * Temporarily disable IDN support + * Don't install pdf and html docs (they are not shipped in the tarball anymore) + * Install markdown docs + + -- Alessandro Ghedini Thu, 03 Nov 2016 22:46:14 +0000 + +curl (7.50.1-2) unstable; urgency=medium + + * Disable more network tests (Closes: #830273) + + -- 
Alessandro Ghedini Sun, 28 Aug 2016 14:48:05 +0100 + +curl (7.50.1-1) unstable; urgency=medium + + * New upstream release (Closes: #827900) + - Fix TLS session resumption client cert bypass as per CVE-2016-5419 + https://curl.haxx.se/docs/adv_20160803A.html + - Fix re-using connection with wrong client cert as per CVE-2016-5420 + https://curl.haxx.se/docs/adv_20160803B.html + - Fix use of connection struct after free as per CVE-2016-5421 + https://curl.haxx.se/docs/adv_20160803C.html + - Support OpenSSL 1.1 (Closes: #828127) + * Fix 04_workaround_as_needed_bug.patch. + Thanks to Yuriy M. Kaminskiy for the patch (Closes: #818131) + * Bump Standards-Version to 3.9.8 (no changes needed) + * Update Vcs-* URLs + * Refresh patches + * Add 08_enable-zsh.patch to re-enable zsh completion generation + * Remove 08_fix-zsh-completion.patch (was already disabled) + * Add 09_fix-typo.patch to fix spelling-error-in-manpage + * Add 10_disable-network-tests.patch to disable networked tests + (Closes: #830273) + * Improve cross Build-Depends satisfiability. 
+ Thanks to Helmut Grohne for the patch (Closes: #818092) + + -- Alessandro Ghedini Wed, 03 Aug 2016 12:46:05 +0100 + +curl (7.47.0-1) unstable; urgency=high + + * New upstream release + - Fix NTLM credentials not-checked for proxy connection re-use + as per CVE-2016-0755 + http://curl.haxx.se/docs/adv_20160127A.html + - Set uyrgency=high accordingly + * Remove hard-coded dependency on libgnutls (Closes: #812542) + * Drop 08_fix-zsh-completion.patch (merged upstream) + * Refresh patches + + -- Alessandro Ghedini Wed, 27 Jan 2016 11:45:59 +0000 + +curl (7.46.0-1) unstable; urgency=medium + + * New upstream release + - Initialize OpenSSL algorithms after loading config (Closes: #805408) + * Install curl zsh completion (Closes: #805509) + - Add 08_fix-zsh-completion.patch to fix zsh completion generation + + -- Alessandro Ghedini Sun, 27 Dec 2015 18:18:09 +0100 + +curl (7.45.0-1) unstable; urgency=medium + + * New upstream release + * Drop 08_spelling.patch (merged upstream) + + -- Alessandro Ghedini Wed, 07 Oct 2015 12:59:03 +0200 + +curl (7.44.0-2) unstable; urgency=medium + + * Enable HTTP/2 support (Closes: #796302) + + -- Alessandro Ghedini Thu, 10 Sep 2015 11:25:14 +0200 + +curl (7.44.0-1) unstable; urgency=medium + + * New upstream release + * Refresh patches + * Update symbols files + * Add 08_spelling.patch to fix some spelling errors + + -- Alessandro Ghedini Wed, 12 Aug 2015 11:49:04 +0200 + +curl (7.43.0-1) unstable; urgency=medium + + * New upstream release + - Fix lingering HTTP credentials in connection re-use as per CVE-2015-3236 + http://curl.haxx.se/docs/adv_20150617A.html + - Fix SMB send off unrelated memory contents as per CVE-2015-3237 + http://curl.haxx.se/docs/adv_20150617B.html + * Refresh patches + * Fix spelling-error-in-description + + -- Alessandro Ghedini Wed, 17 Jun 2015 10:21:34 +0200 + +curl (7.42.1-3) unstable; urgency=medium + + * Update copyright + * Set both CA bundle and CA path default values for OpenSSL and GnuTLS + backends + * 
Bump versioned depends on libgnutls to workaround lack of nettle versioned + symbols (Closes: #787960) + + -- Alessandro Ghedini Sun, 07 Jun 2015 18:15:15 +0200 + +curl (7.42.1-2) unstable; urgency=medium + + * Switch curl binary to libcurl3-gnutls (Closes: #342719) + This is the first step of a possible migration to a GnuTLS-only + libcurl for Debian. Let's see how it goes. + + -- Alessandro Ghedini Sun, 03 May 2015 13:13:15 +0200 + +curl (7.42.1-1) unstable; urgency=high + + * New upstream release + - Don't send sensitive HTTP server headers to proxies as per + CVE-2015-3153 + http://curl.haxx.se/docs/adv_20150429.html + * Drop 08_fix-spelling.patch (merged upstream) + * Refresh patches + + -- Alessandro Ghedini Wed, 29 Apr 2015 10:43:43 +0200 + +curl (7.42.0-1) unstable; urgency=medium + + * New upstream release + - Fix re-using authenticated connection when unauthenticated + as per CVE-2015-3143 + http://curl.haxx.se/docs/adv_20150422A.html + - Fix host name out of boundary memory access as per CVE-2015-3144 + http://curl.haxx.se/docs/adv_20150422D.html + - Fix cookie parser out of boundary memory access as per CVE-2015-3145 + http://curl.haxx.se/docs/adv_20150422C.html + - Fix Negotiate not treated as connection-oriented as per CVE-2015-3148 + http://curl.haxx.se/docs/adv_20150422B.html + - Disable SSLv3 in the OpenSSL backend when OPENSSL_NO_SSL3_METHOD is + defined (Closes: #768562) + * Drop patches merged upstream + * Refresh patches + * Bump Standards-Version to 3.9.6 (no changes needed) + + -- Alessandro Ghedini Wed, 22 Apr 2015 11:07:32 +0200 + +curl (7.38.0-4) unstable; urgency=high + + * Fix URL request injection vulnerability as per CVE-2014-8150 + http://curl.haxx.se/docs/adv_20150108B.html + * Set urgency=high accordingly + + -- Alessandro Ghedini Thu, 08 Jan 2015 10:47:24 +0100 + +curl (7.38.0-3) unstable; urgency=high + + * Enable all hardening options (Closes: #763372) + * Fix duphandle read out of bounds as per CVE-2014-3707 + 
http://curl.haxx.se/docs/adv_20141105.html + * Set urgency=high accordingly + + -- Alessandro Ghedini Thu, 06 Nov 2014 11:40:24 +0100 + +curl (7.38.0-2) unstable; urgency=medium + + * Check for libtoolize instead of libtool during build. + Thanks to Helmut Grohne for the patch (Closes: #761740) + * Add README.source note regarding ordering of patches (Closes: #762193) + * Add 10_fix-resolver.patch from upstream (Closes: #762014) + + -- Alessandro Ghedini Tue, 23 Sep 2014 16:41:53 +0200 + +curl (7.38.0-1) unstable; urgency=medium + + * New upstream release + - Only use full host matches for hosts used as IP address + as per CVE-2014-3613 + http://curl.haxx.se/docs/adv_20140910A.html + - Reject incoming cookies set for TLDs as per CVE-2014-3620 + http://curl.haxx.se/docs/adv_20140910B.html + * Drop 08_link-curl-to-nss.patch (merged upstream) + * Refresh patches + * Fix wildcard-matches-nothing-in-dep5-copyright + * Add 08_fix-spelling.patch + + -- Alessandro Ghedini Wed, 10 Sep 2014 20:11:02 +0200 + +curl (7.37.1-1) unstable; urgency=medium + + * New upstream release + * Re-enable RTMP support (Closes: #754222) + * Add 08_link-curl-to-nss.patch to fix NSS build + * Refresh patches + * Install manpages of single libcurl options too + + -- Alessandro Ghedini Fri, 18 Jul 2014 10:18:03 +0200 + +curl (7.37.0-1) unstable; urgency=medium + + * New upstream release + - Fix NULL pointer dereference in GnuTLS code (Closes: #746349) + * Drop 08_fix-imap-tests.patch (merged upstream) + * Refresh 01_runtests_gdb.patch + * Remove Build-Depends on libgcrypt + + -- Alessandro Ghedini Wed, 21 May 2014 15:22:38 +0200 + +curl (7.36.0-2) unstable; urgency=medium + + * Move Depends on -dev packages needed to use static libraries to Suggests + * Switch to GnuTLS 3.x (Closes: #741568) + * Disable RTMP support (librtmp-dev requires libgnutls-dev, which conflicts + with libgnutls28-dev) + + -- Alessandro Ghedini Mon, 28 Apr 2014 19:37:14 +0200 + +curl (7.36.0-1) unstable; urgency=high + + * 
New upstream release (Closes: #742728) + - Fix connection re-use when using different log-in credentials + as per CVE-2014-0138 + http://curl.haxx.se/docs/adv_20140326A.html + - Reject IP address wildcard matches as per CVE-2014-0139 + http://curl.haxx.se/docs/adv_20140326B.html + - Set urgency=high accordingly + * Add 08_fix-imap-tests.patch to fix tests broken by the fix for CVE-2014-0138 + + -- Alessandro Ghedini Sun, 30 Mar 2014 15:36:35 +0200 + +curl (7.35.0-1) unstable; urgency=high + + * New upstream release + - Fix re-use of wrong HTTP NTLM connection as per CVE-2014-0015 + http://curl.haxx.se/docs/adv_20140129.html + - Set urgency=high accordingly + * Refresh patches + + -- Alessandro Ghedini Wed, 29 Jan 2014 11:16:57 +0100 + +curl (7.34.0-1) unstable; urgency=high + + * New upstream release + - Fix GnuTLS checking of a certificate CN or SAN name field when the + digital signature verification is turned off as per CVE-2013-6422 + http://curl.haxx.se/docs/adv_20131217.html + - Set urgency=high accordingly + * Drop patches merged upstream: + - 08_fix-typo.patch + - 09_fix-urlglob.patch + + -- Alessandro Ghedini Tue, 17 Dec 2013 13:16:19 +0100 + +curl (7.33.0-2) unstable; urgency=low + + * Make -dev packages Multi-Arch: same too (Closes: #731309) + * Bump Standards-Version to 3.9.5 (no changes needed) + * Add 09_fix-urlglob.patch to fix URL globbing (Closes: #731855) + + -- Alessandro Ghedini Wed, 11 Dec 2013 18:44:37 +0100 + +curl (7.33.0-1) unstable; urgency=low + + * New upstream release + - Handle arbitrary-length username and password (Closes: #719856) + * Remove Luk from Uploaders as per his request (Closes: #723603) + * Do not Build-Depends on specific automake version (Closes: #724361) + * Fix lintian vcs-field-not-canonical + * Add 08_fix-typo.patch + * Refresh patches + + -- Alessandro Ghedini Mon, 14 Oct 2013 22:11:14 +0200 + +curl (7.32.0-1) unstable; urgency=low + + * New upstream release + * Fix typo in changelog entry for 7.31.0-1 (Closes: 
#714502) + * Drop 08_typo.patch (merged upstream) + * Drop 09_openssl-recv.patch (merged upstream) + * Refresh 90_gnutls.patch and 99_nss.patch + * Refresh 06_always-disable-valgrind.patch + * Enable threaded DNS resolver (Closes: #570436) + See NEWS.Debian for more info + + -- Alessandro Ghedini Mon, 12 Aug 2013 12:19:05 +0200 + +curl (7.31.0-2) unstable; urgency=high + + * Add 09_openssl-recv.patch to fix incorrect OpenSSL usage (Closes: #714050) + * Set urgency=high because of the security fix in the previous upload + + -- Alessandro Ghedini Wed, 26 Jun 2013 11:47:00 +0200 + +curl (7.31.0-1) unstable; urgency=low + + * New upstream release + - Fix URL decode buffer boundary flaw as per CVE-2013-2174 + http://curl.haxx.se/docs/adv_20130622.html + * Make curl Multi-Arch: foreign (Closes: #712585) + * Drop 08_reset-timecond.patch (merged upstream) + * Refresh patches + * Add 08_typo.patch to fix a couple of typos in one of the manpages + + -- Alessandro Ghedini Sat, 22 Jun 2013 15:46:53 +0200 + +curl (7.30.0-2) unstable; urgency=low + + * Move textual docs to the -doc package too + * Move manpages from -dev packages to -doc as well + - Add Breaks+Replaces accordingly + * Remove outdated Replaces/Conflicts + * Update watch file version to 3 + * Add 08_reset-timecond.patch (Closes: #705783) + + -- Alessandro Ghedini Fri, 10 May 2013 17:46:46 +0200 + +curl (7.30.0-1) unstable; urgency=low + + * New upstream release + * Update upstream copyright years + * Drop patches merged upstream: + - 08_NULL-pointer-dereference-on-close.patch + - 09_CVE-213-1944.patch + - 10_test1218-another-cookie-tailmatch-test.patch + * Update patches: + - 03_keep_symbols_compat.patch + - 90_gnutls.patch + - 99_nss.patch + * Add libcurl4-doc package: + - Move *.pdf and *.html files to the libcurl4-doc package + - Add Suggests for -doc package to -dev packages + - Move examples to the -doc package + * Add Build-Depends on python which is used by some tests + + -- Alessandro Ghedini Thu, 18 Apr 
2013 12:55:09 +0200 + +curl (7.29.0-2.1) unstable; urgency=high + + * Non-maintainer upload. + + [ Alessandro Ghedini ] + * Do not compress *.pdf files (Closes: #704093) + + [ Salvatore Bonaccorso ] + * Add 09_CVE-213-1944.patch. + Fix CVE-2013-1944: fix tailmatching to prevent cross-domain leakage. + Cookies set for 'example.com' could accidentaly also be sent by libcurl + to the 'bexample.com' (ie with a prefix to the first domain name). + (Closes: #705274) + * Add testcase for CVE-2013-1944. + + -- Salvatore Bonaccorso Fri, 12 Apr 2013 13:55:34 +0200 + +curl (7.29.0-2) unstable; urgency=low + + * Fix a segfault when closing an unused multi handle (Closes: #701713) + * Mention LDAPS in packages' long descriptions + * Clean-up d/rules + - Switch to short-form dh + - Enable test suite on hurd and kfreebsd too + - Enable GSSAPI support on hurd too + + -- Alessandro Ghedini Mon, 11 Mar 2013 19:02:56 +0100 + +curl (7.29.0-1) unstable; urgency=high + + * New upstream release + - Fix buffer overflow when negotiating SASL DIGEST-MD5 authentication + as per CVE-2013-0249 (Closes: #700002) + http://curl.haxx.se/docs/adv_20130206.html + - Set urgency=high accordingly + * Install all the examples + * Update 90_gnutls.patch and 99_nss.patch + * Refresh patches + * Correctly pass CPPFLAGS to ./configure + * Upload to unstable + + -- Alessandro Ghedini Mon, 11 Feb 2013 14:48:03 +0100 + +curl (7.28.1-1) experimental; urgency=low + + * New upstream release + * Drop 05_fix-git-over-https.patch and 08_fix-git-auth.patch + (merged upstream) + * Update 07_do-not-disable-debug-symbols.patch + * Refresh patches + * Add NEWS entry about change in CURLOPT_SSL_VERIFYHOST semantics + + -- Alessandro Ghedini Mon, 26 Nov 2012 17:51:27 +0100 + +curl (7.28.0-3) unstable; urgency=low + + * Add 07_do-not-disable-debug-symbols.patch, do not pass --enable-debug + anymore (Closes: #693110) + * Update 05_fix-git-over-https.patch to reflect new upstream patch + * Add 08_fix-git-auth.patch to fix 
HTTPS authentication (Closes: #690764) + + -- Alessandro Ghedini Sat, 17 Nov 2012 14:07:21 +0100 + +curl (7.28.0-2) unstable; urgency=low + + * Add 05_fix-git-over-https.patch (Closes: #690551) + * Add 06_always-disable-valgrind.patch (Closes: #690968) + + -- Alessandro Ghedini Mon, 22 Oct 2012 14:35:02 +0200 + +curl (7.28.0-1) unstable; urgency=low + + * New upstream release + - gnutls: do not fail on non-fatal handshake errors (Closes: #685402) + * Remove versioned build depends on libssh2 (already in stable) + * Bump Standards-Version to 3.9.4 (no changes needed) + * Refresh 01_runtests_gdb.patch + * Update *.symbols files + * Build depend on ca-certifcates to avoid test failure + + -- Alessandro Ghedini Thu, 11 Oct 2012 19:11:09 +0200 + +curl (7.27.0-1) unstable; urgency=low + + * New upstream release + * Update upstream copyright + * Refresh 01_runtests_gdb.patch, 90_gnutls.patch and 99_nss.patch + + -- Alessandro Ghedini Wed, 08 Aug 2012 17:22:00 +0200 + +curl (7.26.0-1) unstable; urgency=low + + * New upstream release + - Reject numerical IPv6 addresses outside brackets (Closes: #670126) + * Email change: Alessandro Ghedini -> ghedo@debian.org + * Stricter Depends on libcurl3 (Closes: #666089) + * Remove Ramakrishnan (as per his request), move myself to Maintainer + Thank you for all your work so far + * Disable memory tracking, but keep debug enabled + - Remove memdebug symbols (used by curl only) + * Refresh 01_runtests_gdb.patch, 90_gnutls.patch and 99_nss.patch + * Disable not-quite-working symbols hiding + + -- Alessandro Ghedini Fri, 25 May 2012 15:19:51 +0200 + +curl (7.25.0-1) unstable; urgency=low + + * New upstream release + - Add --ssl-allow-beast and CURLOPT_SSL_OPTIONS (Closes: #658276) + - Allow negative numbers as option value (Closes: #659591) + * Add libssh2-1-dev to libcurl4-gnutls-dev and libcurl4-nss-dev Depends + * Bump debhelper compat level to 9 + - Make *.links files executable to simplify rules file + * Pass --as-needed ld flag to 
avoid unneeded dependencies + - Add workaround_as_needed_bug to workaround a libtool bug + - Drop dont_link_to_krb5 (not needed because of --as-needed) + * Do some clean-up in debian/rules + * Update debian/copyright format as in Debian Policy 3.9.3 + * Bump Standards-Version to 3.9.3 + * Explicit Conflicts in -dev packages (fixes binaries-have-file-conflict) + * Add openssh-server to build depends to enable some more tests + * Update upstream copyright years + * Refresh patches + + -- Alessandro Ghedini Fri, 23 Mar 2012 16:24:51 +0100 + +curl (7.24.0-1) unstable; urgency=high + + * New upstream release + - Improve documentation for the --capath option (Closes: #628697) + - Fix URL sanitization vulnerability as per CVE-2012-0036 + http://curl.haxx.se/docs/adv_20120124.html + - Fix SSL CBC IV vulnerability as per CVE-2011-3389 + http://curl.haxx.se/docs/adv_20120124B.html + - Set urgency=high accordingly + * Remove curl_links_with_rt patch (curl links to librt anyway) + * Improve descriptions of -dev and -dbg packages + * Drop fix_manpage_spelling and versioned patches (merged upstream) + * Refresh patches + * Add keep_symbols_compat patch to not break backwards ABI compatibility + * Enable libssh2 support for GnuTLS and NSS flavours too + (libssh2 now uses libgcrypt instead of libssl) + + -- Alessandro Ghedini Tue, 24 Jan 2012 12:04:04 +0100 + +curl (7.23.1-3) unstable; urgency=low + + * Enable security hardening flags + * Remove libdb-dev from B-D (not used) + * Improve short and long descriptions + * Provide proper *.symbols files (Closes: #651619) + * Do not version Curl_* symbols (for internal use only) + * Do not override dh_makeshlibs version anymore + + -- Alessandro Ghedini Tue, 13 Dec 2011 19:55:31 +0100 + +curl (7.23.1-2) unstable; urgency=low + + * Bump shlibs version for libcurl3-nss (Closes: #650498) + + -- Alessandro Ghedini Thu, 01 Dec 2011 22:32:19 +0100 + +curl (7.23.1-1) unstable; urgency=low + + * New upstream release + - Do not use 
gnutls_priority_set_direct and + gnutls_certificate_type_set_priority anymore (Closes: #624024) + * Refresh patches + * Add --enable-debug flag to configure (Closes: #648902) + * One Provides/Replaces per line + * libcurl4-openssl-dev Provides libcurl4-dev too (Closes: #644126) + * Specify only 3 components for Standards-Version + (the fourth is not really needed) + * Move ca-certificates to Recommends in lib* packages (Closes: #546607) + * Add NSS flavour to versioned symbols + + -- Alessandro Ghedini Sun, 27 Nov 2011 18:45:01 +0100 + +curl (7.22.0-3) unstable; urgency=low + + [ Ramakrishnan Muthukrishnan ] + * Add new Uploaders, Ian and Alessandro. (Closes: #647255) + + [ Luk Claes ] + * Install lintian overrides with dh_lintian. + * Install all files with dh_install and get rid of dh_installdirs. + + [ Alessandro Ghedini ] + * New upstream release. + * Bump debhelper compat level to 8. + * debian/control: + - One (Build-)Depends per line. + - Sort (Build-)Depends. + - Remove Build-Depends on binutils + (v2.18 is already in oldstable and it is Build-Essential: yes). + - Build depends on stunnel4 instead of stunnel + (stunnel is just a dummy package). + - Remove duplicate Section field in package curl. + - Add Luk to Uploaders too, sort names. + * debian/patches: + - Update runtests_gdb patch, add DEP3 headers. + - Update gnutls and nss patches, add DEP3 headers. + - Refresh other patches. + - Add DEP3 headers to all the patches. + - Remove libtool patch (not applied anyway) + - Set Forwarded: not-needed for Debian specific patches + * Replace dh_clean -k call with dh_prep + (dh_clean -k is deprecated since debhelper 7). + * Add fix_manpage_spelling patch + * debian/copyright: + - Switch to DEP5 format + - Update copyright information + * Add librtmp-dev to libcurl4-nss-dev too + + -- Alessandro Ghedini Sun, 13 Nov 2011 21:07:32 +0100 + +curl (7.21.7-3) unstable; urgency=low + + * debian/rules: Build only curl and libcurl3 with rtmp support. 
Rest of the + packages do not need to be built with rtmp support. (closes: #641173) + + -- Ramakrishnan Muthukrishnan Sun, 11 Sep 2011 22:08:08 +0200 + +curl (7.21.7-2) unstable; urgency=low + + * debian/control: libcurl*-dev packages should depend on librtmp-dev. + (closes: #640260) + * debian/rules: add build-arch and build-indep targets. + + -- Ramakrishnan Muthukrishnan Mon, 05 Sep 2011 16:12:42 +0200 + +curl (7.21.7-1) unstable; urgency=low + + * New Upstream release which fixes the following bugs. + - libcurl3-gnutls: HTTPS over HTTP still broken in + Git (closes: #627335) + - git-core: gnutls_handshake() fail when using + https:// over a proxy (closes: #559371) + * debian/control: capitalize 'ftp'. (closes: #587338) + * debian/rules: add build-arch and build-indep targets. + + -- Ramakrishnan Muthukrishnan Sat, 30 Jul 2011 17:57:08 +0530 + +curl (7.21.6-3) unstable; urgency=low + + * Apply the Multiarch patch from Steve Langasek. + (closes: #631946) + + -- Ramakrishnan Muthukrishnan Wed, 29 Jun 2011 08:26:56 +0530 + +curl (7.21.6-2) unstable; urgency=high + + * Fix for the inappropriate GSSAPI delegation vulnerability (CVE-2011-2192). + (closes: #631615) + + -- Ramakrishnan Muthukrishnan Sat, 25 Jun 2011 23:37:04 +0530 + +curl (7.21.6-1) unstable; urgency=low + + * New upstream release to fix a HTTPS over a HTTP proxy bug on 7.21.5. + + -- Ramakrishnan Muthukrishnan Sat, 23 Apr 2011 07:12:57 +0530 + +curl (7.21.5-1) unstable; urgency=low + + * New Upstream version. (closes: #623459) + * debian/patches/{sslv2_disable, error_code}: removed as these + patches were backported earlier from new upstream and this + release incorporates them. + + -- Ramakrishnan Muthukrishnan Fri, 22 Apr 2011 13:14:41 +0530 + +curl (7.21.4-2) unstable; urgency=low + + * debian/patches/{sslv2-disable, series}: Apply the + upstream commit c66b0b32fba175d5f096c944d8ec8f9f06299f4a. + (closes: #622016) + * debian/{rules, control}: enable rtmp. 
(closes: #622328) + * debian/control: removing hurd from dependencies. Hurd is + an 'essential' package. + + -- Ramakrishnan Muthukrishnan Wed, 13 Apr 2011 16:15:27 -0700 + +curl (7.21.4-1) unstable; urgency=low + + * New upstream release. + * debian/control: downgraded the version number of libdb-dev required + to 4.6 from 4.7, based on the inputs from Erik Schanze . + + -- Ramakrishnan Muthukrishnan Mon, 28 Feb 2011 19:35:36 +0530 + +curl (7.21.3-1) unstable; urgency=low + + * New upstream release. + * debian/*.manpages: adding all manpages for the curl library. + (closes: #605651) + * gnutls->handshake: improved timeout handling. See #594150 for details. + + -- Ramakrishnan Muthukrishnan Wed, 15 Dec 2010 23:39:26 +0530 + +curl (7.21.2-4) unstable; urgency=low + + * support for curl library built against nss. + (closes: #606244) + * honour DEB_BUILD_OPTIONS=nocheck option. + (closes: #606059) + + -- Ramakrishnan Muthukrishnan Thu, 09 Dec 2010 20:11:37 +0530 + +curl (7.21.2-3) unstable; urgency=low + + * debian/rules: reverting changes related to c-ares inclusion. + * debian/control: removing libc-ares-dev for now. + (closes: #605558) + + -- Ramakrishnan Muthukrishnan Thu, 02 Dec 2010 10:56:36 +0530 + +curl (7.21.2-2) unstable; urgency=low + + * debian/control: add libc-ares-dev as build dependency. + * debian/rules: invoke configure with --enable-ares. + (closes: #570436) + * debian/copyright: add copyright notice of `lib/security.c' + to the copyright file. (closes: #603712) + + -- Ramakrishnan Muthukrishnan Tue, 30 Nov 2010 17:35:29 +0530 + +curl (7.21.2-1) unstable; urgency=low + + * New upstream release. + + -- Ramakrishnan Muthukrishnan Mon, 18 Oct 2010 11:13:17 +0530 + +curl (7.21.1-1) unstable; urgency=low + + * New upstream release. + + -- Ramakrishnan Muthukrishnan Thu, 12 Aug 2010 08:20:48 +0530 + +curl (7.21.0-1) unstable; urgency=low + + * New upstream. 
+ + -- Ramakrishnan Muthukrishnan Wed, 16 Jun 2010 19:25:37 +0530 + +curl (7.20.1-2) unstable; urgency=low + + * debian/rules: Removed the custom LDFLAGS variable. This is not + required as we are no longer using the libtool patch. + (closes: #578774) + + -- Ramakrishnan Muthukrishnan Wed, 28 Apr 2010 18:40:27 +0530 + +curl (7.20.1-1) unstable; urgency=low + + * New upstream release. + * debian/patches/missing-double-quote: No longer needed as it has been + fixed by the upstream. + * debian/patches/no_com_err: Reworked the patches for the new release. + * debian/patches/versioned: fix for build failure of 'make test'. + (closes: #576237) + * debian/rules: removed --enable-ldaps option from the configure as LDAP + SSL (Novell extensions to openldap) is not available as Debian packages. + * lib/http.c: chunked-encoding with Content-Length header problem has + been fixed in the upstream. (closes: #572276) + + -- Ramakrishnan Muthukrishnan Mon, 19 Apr 2010 09:21:35 +0530 + +curl (7.20.0-3) unstable; urgency=low + + * debian/control: Vcs* tags added. + * docs/libcurl/libcurl.m4: added the missing double quote (closes: #576518). + + -- Ramakrishnan Muthukrishnan Mon, 05 Apr 2010 18:56:40 +0530 + +curl (7.20.0-2) unstable; urgency=low + + * New Maintainer (closes: #574137). + * Bug #533669 (curl segmentation fault in addbyter()) is fixed + from release 7.19.7 onwards (closes: #533669). + * Bug #510559 (curl sends whitespace unencoded in the url) can't + be reproduced in the 7.20.0 release (closes: #510559). + + -- Ramakrishnan Muthukrishnan Thu, 18 Mar 2010 08:55:19 +0530 + +curl (7.20.0-1) unstable; urgency=low + + * Package is orphaned. + * New upstream release. + * Switch to dpkg-source 3.0 (quilt) format (closes: #538547). + * Fixed build error with binutils-gold (closes: #554296). 
+ + -- Domenico Andreoli Tue, 09 Feb 2010 13:06:39 +0100 + +curl (7.19.7-1) unstable; urgency=low + + * New upstream release: + - curl_getdate(3) now correctly manages single letter military + timezones as specified in RFC 822 (closes: #551461). + * build depends on generic libdb-dev (closes: #548476). + * build depends on libssh2-1-dev (>= 1.2) to enable new curl options. + + -- Domenico Andreoli Thu, 05 Nov 2009 10:11:57 +0100 + +curl (7.19.5-1) unstable; urgency=low + + * New upstream release + * Fix "libcurl3-gnutls has memory corruption" by upgrading to new upstream + release, which fixes this bug (Closes: #530131) + * update standards version to 3.8.1 + * adjust overrides from libdevel to debug for -dbg package + * adjust doc-base section + + -- Andreas Schuldei Sun, 24 May 2009 21:12:19 +0200 + +curl (7.19.4-1) unstable; urgency=low + + * New upstream release + * Fix "newer bdb version" + (Closes: #517277) + * resolve libtool version confusion, thanks to + Stefanos Harhalakis + * add new dependency on libgcrypt11-dev due to newly arising binary symbols + + -- Andreas Schuldei Thu, 02 Apr 2009 23:35:45 +0200 + +curl (7.18.2-8lenny1) stable-security; urgency=high + + * Applied upstream patch to fix arbitrary file access (CVE-2009-0037). + + -- Domenico Andreoli Tue, 03 Mar 2009 10:29:03 +0100 + +curl (7.18.2-8) unstable; urgency=low + + * Fix "Please add support for ldap/ldaps protocols" + by changing the linker option for liblber (Closes: #506096) + + -- Andreas Schuldei Fri, 26 Dec 2008 23:48:19 +0100 + +curl (7.18.2-7) unstable; urgency=low + + * disable c-ares support again, no fix yet, just get stuff working again. 
+ + -- Andreas Schuldei Tue, 15 Jul 2008 01:17:29 +0200 + +curl (7.18.2-6) unstable; urgency=low + + * enable c-ares support, with ipv6 support + + -- Andreas Schuldei Fri, 11 Jul 2008 02:05:16 +0200 + +curl (7.18.2-5) unstable; urgency=low + + * /usr/lib/pkgconfig/libcurl.pc: "pkg-config --libs libcurl" returns + "-Wl, -z, defs" (Closes: #488701), closing same bug again for + curl-config --libs command + + -- Andreas Schuldei Wed, 02 Jul 2008 11:24:40 +0200 + +curl (7.18.2-4) unstable; urgency=medium + + * /usr/lib/pkgconfig/libcurl.pc: "pkg-config --libs libcurl" returns + "-Wl, -z, defs" (Closes: #488701) + + -- Andreas Schuldei Mon, 30 Jun 2008 23:59:55 +0200 + +curl (7.18.2-3) unstable; urgency=low + + * removing c-ares from the dependencies + + -- Andreas Schuldei Sat, 28 Jun 2008 03:34:50 +0200 + +curl (7.18.2-2) unstable; urgency=medium + + * blanking the "dependency_libs" line in lib*.la file to keep all the listed libs + from being linked to other libs linking to curl. + * fixing miss-linking problem by specifying liblber as a configure argument + * disabling c-ares again for stability reasons + * correcting libgssapi linking in configure.ac (patch no_com_err) + + -- Andreas Schuldei Fri, 27 Jun 2008 03:40:18 +0200 + +curl (7.18.2-1e1) experimental; urgency=low + + * testing c-ares-ipv6 integration patch + + -- Andreas Schuldei Mon, 23 Jun 2008 08:48:31 +0200 + +curl (7.18.2-1) unstable; urgency=low + + * New upstream release: + - removed patches/ftp-response, it is already in the upstream release + - fixed issues with kerberos ftp (closes: #478864). + * Disable c-ares support, it is still not ready for Debian's wide + user base (closes: #478864, #481189). + * Standards-Version bumped to 3.8.0: + - added support for parallel builds to debian/rules + * Removal of $QUILT_PC's override makes this package ready for new + source format 3.0 (quilt) (closes: #485023). 
+ * Configure build with --with-ca-path but only for OpenSSL flavour, + GnuTLS supports only --with-ca-bundle (closes: #482814, #483999). + Both libcurl3 and libcurl3-gnutls now depend on ca-certificates. + + -- Domenico Andreoli Mon, 09 Jun 2008 14:09:42 +0200 + +curl (7.18.1-1) unstable; urgency=low + + * New upstream release. + * Fixed crossbuilding bug (closes: #465089). + * Improved error reporting in case of failing FTP (closes: #474224). + * Enable c-ares support (closes: #352694). + * libcurl3-dbg now depends on either libcurl3 or libcurl3-gnutls + (closes: #463173). + + -- Domenico Andreoli Thu, 17 Apr 2008 10:22:28 +0200 + +curl (7.18.0-1) unstable; urgency=low + + * New upstream release. + * Use Homepage field in debian/control. + + -- Domenico Andreoli Tue, 29 Jan 2008 02:16:25 +0100 + +curl (7.17.1-1) unstable; urgency=low + + * New upstream release: + - fixed bad use of "its" in curl.1 (closes: #443734) + - fixed curl_easy_escape() with input bytes that are >= 0x80 + (closes: #445214) + + -- Domenico Andreoli Wed, 31 Oct 2007 01:12:54 +0100 + +curl (7.17.0-1) unstable; urgency=low + + * New upstream release. + * Updated to use libssh2-1-dev (closes: #441979, #442198). + * Do not run the test suite on hurd (closes: #433834). + * Enabled support for LDAPS protocol. + + -- Domenico Andreoli Fri, 14 Sep 2007 00:24:21 +0200 + +curl (7.16.4-5) unstable; urgency=low + + * libcurl4-openssl-dev now depends on libssh2-0-dev. + closes: #439317, #439326. + + -- Domenico Andreoli Fri, 24 Aug 2007 18:13:17 +0200 + +curl (7.16.4-4) unstable; urgency=low + + * Build libcurl/GnuTLS without libssh2 because of the usual OpenSSL + vs. GPL software lincense conflict (closes: #439176). + + -- Domenico Andreoli Thu, 23 Aug 2007 23:47:35 +0200 + +curl (7.16.4-3) unstable; urgency=low + + * Added support for scp and SFTP protocols. 
+
+ -- Domenico Andreoli Wed, 22 Aug 2007 00:48:32 +0200
+
+curl (7.16.4-2) unstable; urgency=low
+
+ * Fixed regression with FTP sites not requesting PASS (closes: #435771).
+
+ -- Domenico Andreoli Sat, 04 Aug 2007 02:04:40 +0200
+
+curl (7.16.4-1) unstable; urgency=low
+
+ * New upstream release (closes: #432514).
+ * Welcome Andreas to the curl packagers!
+ * Build-Depends is now more backporting friendly.
+
+ -- Domenico Andreoli Wed, 18 Jul 2007 16:44:30 +0200
+
+curl (7.16.2-6) unstable; urgency=low
+
+ * Added missing libcurl3 symlinks (closes: #429945)
+ Patch courtesy of Bryan Donlan.
+
+ -- Domenico Andreoli Sat, 23 Jun 2007 00:39:20 +0200
+
+curl (7.16.2-5) unstable; urgency=low
+
+ [ Steve Langasek ]
+ * Re-introduce curl3 symbol versions and rename the packages back to
+ libcurl3*, restoring ABI compatibility with the etch version of the
+ package.
+
+ [ Domenico Andreoli ]
+ * Package libcurl4-gnutls-dev now suggests libcurl3-dbg.
+ * libcurl3-dbg replaces/conflict/provide libcurl4-dbg.
+ * Properly use ${binary:Version} in control file.
+
+ -- Domenico Andreoli Wed, 20 Jun 2007 17:52:38 +0200
+
+curl (7.16.2-4) unstable; urgency=low
+
+ * Fixed configure.ac in case of build with GNUTLS (closes: #425013).
+ * Fixed double-free bug (closes: #424894).
+ Patch courtesy of Daniel Stenberg.
+
+ -- Domenico Andreoli Sun, 20 May 2007 01:15:01 +0200
+
+curl (7.16.2-3) unstable; urgency=low
+
+ * Updated to db4.5 (closes: #421933).
+ * Got rid of unused libcomerr2 dependency (closes: #392294).
+
+ -- Domenico Andreoli Tue, 08 May 2007 08:46:21 +0200
+
+curl (7.16.2-2) experimental; urgency=low
+
+ * Improved package descriptions (closes: #410472).
+ * Updated package Provides to ease the soname transition.
+
+ -- Domenico Andreoli Fri, 27 Apr 2007 15:37:44 +0200
+
+curl (7.16.2-1) experimental; urgency=low
+
+ * New upstream release.
+ * libcurl4-openssl-dev now depends on libcurl4-openssl (closes: #419774).
+ * Bumped shlibs version to 7.16.2-1.
+ * Patches are now managed with quilt.
+
+ -- Domenico Andreoli Wed, 18 Apr 2007 09:29:48 +0200
+
+curl (7.16.1-1) experimental; urgency=low
+
+ * New upstream release.
+ * Bumped shlibs version to 7.16.1-1.
+ * Added HIDDEN section to version script to handle any __*, _rest or
+ _save* local symbol.
+ * Gopher protocol is not supported since 7.15.2. Removed any reference
+ in package description (closes: #408704).
+ * Moved libcurl/openssl to the new package libcurl4-openssl, now
+ libcurl4 contains a version with no SSL or GSSAPI support (any
+ future cryptographic stuff will be kept out of there).
+ * Package libcurl4-dev now contains the matching headers for libcurl4
+ (so crypto stuff).
+
+ -- Domenico Andreoli Thu, 1 Feb 2007 12:49:32 +0100
+
+curl (7.16.0-1) experimental; urgency=low
+
+ * New upstream release.
+ * Bumped shlibs version to 7.16.0-1.
+ * libcurl4 and libcurl4-gnutls now only recommend ca-certificates
+ (closes: #404103).
+ * pkg-config .pc file now uses Libs.private (closes: #405226).
+
+ -- Domenico Andreoli Fri, 26 Jan 2007 14:26:55 +0100
+
+curl (7.15.5-1) unstable; urgency=low
+
+ * New upstream release:
+ - fixed nodes removal from the splay tree (closes: #375076).
+ * Make package build also if $TAPE is set (closes: #377470).
+ * Bumped shlibs version to 7.15.5-1.
+
+ -- Domenico Andreoli Mon, 7 Aug 2006 10:26:13 +0200
+
+curl (7.15.4-1ubuntu1) edgy; urgency=low
+
+ * Synchronize to Debian. Only change left: Removal of stunnel and
+ libdb4.2-dev build dependencies.
+
+ -- Martin Pitt Thu, 29 Jun 2006 15:04:24 +0200
+
+curl (7.15.4-1) unstable; urgency=low
+
+ * New upstream release.
+ * Bumped shlibs version to 7.15.4-1.
+
+ -- Domenico Andreoli Wed, 14 Jun 2006 14:41:16 +0200
+
+curl (7.15.3-2) unstable; urgency=low
+
+ * Fixed bug in configure.ac that makes FTBFS (closes: #367954).
+
+ -- Domenico Andreoli Wed, 31 May 2006 15:18:26 +0200
+
+curl (7.15.3-1) unstable; urgency=high
+
+ * New upstream release:
+ - fixed TFTP packet buffer overflow vulnerability
+ [lib/tftp.c, CVE-2006-1061].
+ - improved curl_getenv.3 manpage grammar (closes: #357388).
+
+ -- Domenico Andreoli Mon, 20 Mar 2006 11:46:25 +0100
+
+curl (7.15.2-3) unstable; urgency=low
+
+ * Applied upstream patch to fix multi interface and multi-part formposts
+ (closes: #355715).
+ * Build back with -O2, gcc 4.0.2-10 fixed the previously trigged bug.
+
+ -- Domenico Andreoli Wed, 8 Mar 2006 15:29:15 +0100
+
+curl (7.15.2-2) unstable; urgency=low
+
+ * Added missing autotools invocation. Re-added versioned symbols
+ (closes: #355241).
+ * Bumped shlibs version to 7.15.2-2.
+ * Build with -O3 to work around sospicious segfaults on tests 253
+ and 255.
+
+ -- Domenico Andreoli Sat, 4 Mar 2006 22:47:23 +0100
+
+curl (7.15.2-1) unstable; urgency=low
+
+ * New upstream release.
+ * Bumped shlibs version to 7.15.2-1.
+ * Adopted debhelper's compatibility level 5.
+
+ -- Domenico Andreoli Wed, 1 Mar 2006 16:12:51 +0100
+
+curl (7.15.1-1ubuntu2) dapper; urgency=low
+
+ * SECURITY UPDATE: Arbitrary remote code execution with long tftp:// URLs.
+ * lib/tftp.c: Fix unbounded sprintf() to avoid buffer overflow. Thanks to
+ Ulf Harnhammar for discovering this.
+ * CVE-2006-1061
+
+ -- Martin Pitt Thu, 16 Mar 2006 11:30:25 +0100
+
+curl (7.15.1-1ubuntu1) dapper; urgency=low
+
+ * Resynchronise with Debian to get URL parser overflow fix from 7.15.1
+ (CVE-2005-4077).
+
+ -- Martin Pitt Mon, 12 Dec 2005 15:04:52 +0100
+
+curl (7.15.1-1) unstable; urgency=low
+
+ * New upstream release:
+ - fixed buffer overflow in URL parser function (closes: #342339).
+
+ -- Domenico Andreoli Wed, 7 Dec 2005 11:11:38 +0100
+
+curl (7.15.0-5.1) unstable; urgency=high
+
+ * Non-maintainer upload.
+ * Urgency high for RC bug fix.
+ * Let libcurl3-*-dev depend on libkrb5-dev (closes: #340784, #340916).
+
+ -- Luk Claes Sun, 4 Dec 2005 11:59:20 +0100
+
+curl (7.15.0-5) unstable; urgency=low
+
+ * libcurl3-gnutls-dev and libcurl3-openssl-dev now only recommend
+ libkrb5-dev (closes: #334888).
+ * Applied upstream patch to fix error message in case FTP-path does
+ not exist (closes: #338680).
+ * Applied upstream patch to fix parsing of --limit-rate command line
+ option (closes: #338681).
+
+ -- Domenico Andreoli Fri, 25 Nov 2005 10:30:25 +0100
+
+curl (7.15.0-4ubuntu1) dapper; urgency=low
+
+ * Resynchronise with Debian (only change left: Removal of stunnel build
+ dependency).
+ * Remove libdb4.2-dev build dependency.
+
+ -- Martin Pitt Thu, 10 Nov 2005 17:44:35 -0500
+
+curl (7.15.0-4) unstable; urgency=low
+
+ * Fixed output of curl-config --vernum (closes: #335296).
+ * libcurl3-openssl-dev now replaces libcurl3-dev older than 7.14.1-1
+ (closes: #335277).
+
+ -- Domenico Andreoli Tue, 25 Oct 2005 11:48:53 +0200
+
+curl (7.15.0-3) unstable; urgency=low
+
+ * libcurl3 and libcurl3-gnutls now suggest libldap2 (closes: #294407).
+
+ * Re-introduced libcurl3-dev package for transition reasons.
+
+ -- Domenico Andreoli Wed, 19 Oct 2005 12:45:43 +0200
+
+curl (7.15.0-2) unstable; urgency=low
+
+ * Fixed depends of libcurl3-*-dev packages (closes: #334021, #333609, #334048).
+ * Bumped shlibs version to 7.15.0-1 (closes: #334053).
+
+ -- Domenico Andreoli Sun, 16 Oct 2005 15:34:40 +0200
+
+curl (7.15.0-1) unstable; urgency=low
+
+ * New upstream release:
+ - fixed user+domain name buffer overflow in the NTLM code
+ (CAN-2005-3185, closes: #333734).
+ - libcurl3-*-dev packages now depend on libkrb5-dev (closes: #333609).
+ - improved docs about curl_easy_setopt() and ERRORBUFFER (closes: #329313).
+
+ -- Domenico Andreoli Fri, 14 Oct 2005 13:32:06 +0200
+
+curl (7.14.1-5) unstable; urgency=low
+
+ * Added build dependency on libtool (closes: #332729, #333174).
+
+ -- Domenico Andreoli Tue, 11 Oct 2005 10:05:36 +0200
+
+curl (7.14.1-4) unstable; urgency=low
+
+ * Fixed SEE ALSO section in curl_excape.3 (closes: #331505).
+ * Fixed configure.ac when --host=i586-mingw32msvc is given (closes: #329444).
+ * Added missing example files (closes: #331722).
+ * Updated build dependency for OpenSSL 0.9.8 transition.
+
+ -- Domenico Andreoli Mon, 10 Oct 2005 12:43:25 +0200
+
+curl (7.14.1-3) experimental; urgency=low
+
+ * Fixed soname of libcurl-gnutls.so* variant.
+ * Fixed broken sentence (closes: #329305).
+ * Fixed reference to TheArtOfHttpScripting.gz (closes: #329299).
+ * Added clarification about WRITEFUNCTION and WRITEDATA (closes: #329311).
+
+ -- Domenico Andreoli Wed, 28 Sep 2005 17:13:51 +0200
+
+curl (7.14.1-2) experimental; urgency=low
+
+ * Started using the system-wide CA certificate file (closes: #308514).
+ * Fixed apostrophe typos in the curl man page (closes: #326511).
+ * Only curl_* symbols are now globally visible outside of libcurl.
+
+ -- Domenico Andreoli Sat, 17 Sep 2005 23:52:28 +0200
+
+curl (7.14.1-1) experimental; urgency=low
+
+ * New upstream release.
+ * libcurl3-gnutls has a modified soname and may be installed together
+ with libcurl3 (closes: #318590).
+ * Both libcurl3 and libcurl3-gnutls are built with versioned symbols
+ and with support of GSSAPI authentication.
+ * Renamed libcurl3-dev to libcurl3-openssl-dev.
+ * Dropped package libcurl3-gssapi.
+
+ -- Domenico Andreoli Thu, 15 Sep 2005 23:59:32 +0200
+
+curl (7.14.0-5) unstable; urgency=low
+
+ * Added libcurl3-gnutls and libcurl3-gnutls-dev packages (closes: #318590).
+ * libcurl3-gssapi now has its own shlibs file. Packages built with this
+ package installed will depend on it.
+
+ -- Domenico Andreoli Thu, 18 Aug 2005 02:26:38 +0200
+
+curl (7.14.0-4) unstable; urgency=low
+
+ * OpenSSL is back (closes: #321294, #321391).
+
+ -- Domenico Andreoli Fri, 5 Aug 2005 23:34:45 +0200
+
+curl (7.14.0-3) unstable; urgency=low
+
+ * Updated the use of dpkg-architecture (closes: #320046).
+ * Added missing aclocal file libcurl.m4 to libcurl3-dev (closes: #315848).
+ * Added (many) missing man pages (closes: #315850).
+ * OpenSSL is replaced by GnuTLS in providing SSL support (closes: #318590).
+ * Heimdal is replaced by MIT Kerberos in providing GSSAPI support.
+
+ -- Domenico Andreoli Tue, 2 Aug 2005 22:34:01 +0200
+
+curl (7.14.0-2ubuntu1) breezy; urgency=low
+
+ * Synchronize with Debian.
+
+ -- Matthias Klose Tue, 26 Jul 2005 19:03:01 +0200
+
+curl (7.14.0-2) unstable; urgency=low
+
+ * Rebuilt and uploaded to unstable.
+
+ -- Domenico Andreoli Wed, 15 Jun 2005 11:41:32 +0200
+
+curl (7.14.0-1) experimental; urgency=low
+
+ * New upstream release.
+
+ -- Domenico Andreoli Tue, 17 May 2005 10:42:35 +0200
+
+curl (7.13.2-3) unstable; urgency=high
+
+ * HTTP response headers with null bytes are now correctly managed
+ (closes: #310948).
+
+ -- Domenico Andreoli Fri, 3 Jun 2005 23:59:30 +0200
+
+curl (7.13.2-2) unstable; urgency=low
+
+ * Fixed conditional build of package libcurl3-gssapi
+ (closes: #303939, #303953).
+
+ -- Domenico Andreoli Mon, 11 Apr 2005 19:00:27 +0200
+
+curl (7.13.2-1) unstable; urgency=low
+
+ * New upstream release:
+ - fixed curl man page typos (closes: #302820).
+
+ -- Domenico Andreoli Tue, 5 Apr 2005 14:41:13 +0200
+
+curl (7.13.1-3) unstable; urgency=low
+
+ * Fixed hanging of some SSL connections (closes: #302366).
+
+ -- Domenico Andreoli Thu, 31 Mar 2005 16:27:41 +0200
+
+curl (7.13.1-2) unstable; urgency=low
+
+ * Rebuilt to get the correct libidn11 dependency (closes: #299348).
+ * Added some missing documentation files (closes: #298855).
+
+ -- Domenico Andreoli Wed, 16 Mar 2005 14:30:03 +0100
+
+curl (7.13.1-1) unstable; urgency=low
+
+ * New upstream release.
+ * Bumped up shlibs version for libcurl3 because of new curl options.
+
+ -- Domenico Andreoli Fri, 4 Mar 2005 16:03:17 +0100
+
+curl (7.13.0-2) unstable; urgency=high
+
+ * Fixed NTLM Authentication buffer overflow (closes: #296678).
+ Patch courtesy of Daniel Stenberg. This handles CAN-2005-0490.
+ * Removed libcurl2* packages and all the scary stuff used to build them
+ (closes: #274631).
+
+ -- Domenico Andreoli Thu, 24 Feb 2005 10:07:22 +0100
+
+curl (7.13.0-1) unstable; urgency=low
+
+ * New upstream release.
+ * libcurl3 now suggests package libldap2-dev to enable support for
+ LDAP protocol.
+ * Bumped up shlibs version for libcurl3 because of new curl options.
+
+ -- Domenico Andreoli Sat, 5 Feb 2005 10:39:52 +0100
+
+curl (7.12.3-2ubuntu3) hoary; urgency=low
+
+ * Fix the version numbers internal to debian/rules. Closes; #8088
+
+ -- LaMont Jones Wed, 23 Mar 2005 18:41:29 -0700
+
+curl (7.12.3-2) unstable; urgency=low
+
+ * Disabled test suite on m68k, it stalls.
+
+ -- Domenico Andreoli Thu, 30 Dec 2004 11:11:48 +0100
+
+curl (7.12.3-1) unstable; urgency=low
+
+ * New upstream release:
+ - fixed debug tracing to network socket is stderr is closed
+ (closes: #278691).
+ * Applied patch to fix getpass license problems (closes: #286794).
+ Patch courtesy of Daniel Stenberg.
+ * Bumped up shlibs version for libcurl3 because of new curl options.
+
+ -- Domenico Andreoli Mon, 27 Dec 2004 12:50:30 +0100
+
+curl (7.12.2-2) unstable; urgency=low
+
+ * libcurl3-dbg package is now built by dh_strip --dbg-package
+ (closes: #274710).
+ * Added build dependency on libdb4.2-dev.
+
+ -- Domenico Andreoli Thu, 4 Nov 2004 11:36:17 +0100
+
+curl (7.12.2-1) unstable; urgency=low
+
+ * New upstream release.
+ * Update diff to 7.11.2.
+ * Add debian/watch file.
+ * Add myself as a uploader.
+
+ -- Matthias Klose Wed, 3 Nov 2004 00:55:52 +0100
+
+curl (7.12.1-1) unstable; urgency=low
+
+ * New upstream release:
+ - workaround for ASN1_STRING_to_UTF8 failing if input is already
+ UTF-8 encoded (closes: #264711).
+ * Bumped up shlibs version for libcurl3 because of the introduction
+ of FTP 3rd party transfer support options.
+
+ -- Domenico Andreoli Tue, 10 Aug 2004 11:40:29 +0200
+
+curl (7.12.0.rel-6) unstable; urgency=low
+
+ * In rebuilding the 7.11.2 tree starting from the 7.12.0 one,
+ lib/getdate.y is patched before lib/getdate.c (closes: #262597).
+
+ -- Domenico Andreoli Sun, 1 Aug 2004 17:59:57 +0200
+
+curl (7.12.0.rel-5) unstable; urgency=low
+
+ * Tests are performed only if build target and building host are the
+ same and are not kfreebsd-gnu or knetbsd-gnu (closes: #261591).
+ * On hurd-i386 libcurl3-gssapi is not built.
+
+ -- Domenico Andreoli Thu, 29 Jul 2004 15:17:51 +0200
+
+curl (7.12.0.rel-4) unstable; urgency=low
+
+ * Added build dependency on groff-base to really build the built-in
+ manual.
+ * libcurl3 now replaces old libcurl2 versions (closes: #255262).
+
+ -- Domenico Andreoli Tue, 20 Jul 2004 11:40:09 +0200
+
+curl (7.12.0.rel-3) unstable; urgency=low
+
+ * Enabled curl's built-in manual.
+ * configure script for 7.11.2 is now managed correctly.
+
+ -- Domenico Andreoli Sun, 18 Jul 2004 22:25:00 +0200
+
+curl (7.12.0.rel-2) unstable; urgency=low
+
+ * libcurl2 uses curl-ca-bundle-7.11.2.crt (closes: #255262).
+ Yes, it is a hack to not add libcurl-common package right now.
+
+ -- Domenico Andreoli Sun, 18 Jul 2004 16:40:45 +0200
+
+curl (7.12.0.rel-1) experimental; urgency=low
+
+ * Version 7.12.0 is back with proper libcurl3* packages.
+ * libcurl2* 7.11.2 packages are still provided (closes: #252879).
+ * Enabled again the support for libidn.
+
+ -- Domenico Andreoli Sun, 6 Jun 2004 23:09:33 +0200
+
+curl (7.12.0.is.7.11.2-1) unstable; urgency=low
+
+ * Reverted to version 7.11.2 (closes: #252348).
+ * Disabled support for libidn (closes: #252367). This is to leave
+ curl in unstable as much similar as possible to the one in testing.
+
+ -- Domenico Andreoli Fri, 4 Jun 2004 19:09:25 +0200
+
+curl (7.12.0-1) unstable; urgency=low
+
+ * New upstream release:
+ - fixed minor man page problem (closes: #232928)
+ - improved --create-dirs description in curl man page (closes: #251351)
+ * Enabled support for libidn.
+
+ -- Domenico Andreoli Wed, 2 Jun 2004 18:06:05 +0200
+
+curl (7.11.2-2) unstable; urgency=low
+
+ * Fixed curl.1 man page (closes: #232928).
+ Patch courtesy of Daniel Stenberg, the upstream developer.
+
+ -- Domenico Andreoli Tue, 27 Apr 2004 19:47:09 +0200
+
+curl (7.11.2-1) unstable; urgency=low
+
+ * New upstream release.
+ * Bumped up shlibs version because of the introduction of
+ CURLOPT_TCP_NODELAY option.
+
+ -- Domenico Andreoli Mon, 26 Apr 2004 14:14:20 +0200
+
+curl (7.11.1-2) unstable; urgency=low
+
+ * Added GSSAPI support to package libcurl2-gssapi (closes: #241553).
+
+ -- Domenico Andreoli Fri, 2 Apr 2004 18:03:15 +0200
+
+curl (7.11.1-1) unstable; urgency=low
+
+ * New upstream release.
+ * Bumped up shlibs version because of the introduction of
+ CURLOPT_POSTFIELDSIZE_LARGE option.
+
+ -- Domenico Andreoli Fri, 19 Mar 2004 11:39:07 +0100
+
+curl (7.11.0-4) unstable; urgency=low
+
+ * Applied fix from upstream's CVS which adds another CRLF in
+ chunked-transfers.
+
+ -- Domenico Andreoli Sun, 1 Feb 2004 13:19:02 +0100
+
+curl (7.11.0-3) unstable; urgency=low
+
+ * "Fixed" build process, now the right file is searched for CA
+ certificates (closes: #228182).
+
+ -- Domenico Andreoli Sat, 31 Jan 2004 20:06:10 +0100
+
+curl (7.11.0-2) unstable; urgency=low
+
+ * Test suite is still performed but is not critical for the build
+ being successful any more.
+
+ -- Domenico Andreoli Fri, 30 Jan 2004 13:03:03 +0100
+
+curl (7.11.0-1) unstable; urgency=low
+
+ * New upstream release.
+
+ -- Domenico Andreoli Sun, 25 Jan 2004 17:50:43 +0100
+
+curl (7.10.8+7.11.0-pre1-1) unstable; urgency=low
+
+ * New upstream pre-release:
+ - proxy+ssl now passes post variables (closes: #222901)
+ - various test case problems exposed in #222140 should now be fixed.
+ * Bumped up shlibs version because of the introduction of
+ CURLOPT_NETRC_FILE and CURLOPT_FTP_SSL options in libcurl.
+
+ -- Domenico Andreoli Wed, 14 Jan 2004 17:35:46 +0100
+
+curl (7.10.8-1) unstable; urgency=low
+
+ * New upstream release:
+ - fixed LDAP support (closes: #149609)
+ - cleaner environment for testsuite execution (closes: #210253)
+ - fixed lib/Makefile.am's use of LDFLAGS (closes: #212086)
+ - fixed name clash in curl.h with respect to unistd.h (closes: #213180)
+ - fixed typo in curl manpage (closes: #218046).
+ * Bumped up shlibs version because of new libcurl options.
+ * Added stunnel to the Build-Depends in order to enable SSL test cases.
+
+ -- Domenico Andreoli Mon, 3 Nov 2003 10:26:12 +0100
+
+curl (7.10.7-2) unstable; urgency=low
+
+ * Fixed bug in cache_resolv_response on alpha and ia64 (closes: #207174).
+ Patch courtesy of Jurij Smakov.
+
+ -- Domenico Andreoli Mon, 8 Sep 2003 21:55:46 +0200
+
+curl (7.10.7-1) unstable; urgency=low
+
+ * New upstream release.
+ * Bumped up shlibs version because of the introduction of CURLOPT_PROXYAUTH
+ and CURLOPT_FTP_CREATE_MISSING_DIRS options in libcurl.
+
+ -- Domenico Andreoli Mon, 18 Aug 2003 00:19:43 +0200
+
+curl (7.10.6-3) unstable; urgency=low
+
+ * Applied patch to fix test 60 on ia64.
+
+ -- Domenico Andreoli Sat, 9 Aug 2003 04:26:15 +0200
+
+curl (7.10.6-2) unstable; urgency=low
+
+ * Applied patch from upstream to fix url globbing (closes: #203827).
+ * make test is still performed on building debug stuff but errors
+ are ignored.
+
+ -- Domenico Andreoli Thu, 7 Aug 2003 02:20:46 +0200
+
+curl (7.10.6-1) unstable; urgency=low
+
+ * New upstream release:
+ - added spport for http_proxy env var with name:passwd
+ (closes: #193630).
+ * make test is invoked after build
+
+ -- Domenico Andreoli Tue, 29 Jul 2003 01:26:50 +0200
+
+curl (7.10.5-1) unstable; urgency=low
+
+ * New upstream release:
+ - fixed typo in curl's man page (closes: #189272).
+ * New libcurl option CURLOPT_FTP_USE_EPRT has been added, bumped
+ up shlibs.
+
+ -- Domenico Andreoli Mon, 19 May 2003 23:57:12 +0200
+
+curl (7.10.4-1) unstable; urgency=low
+
+ * New upstream release:
+ - now uses new settings properly when re-using an existing connection
+ (closes: #185254)
+ - curl man page now refers to MANUAL (closes: #178509).
+ * Changed section of libcurl2-dev and libcurl2-dbg to libdevel.
+
+ -- Domenico Andreoli Wed, 2 Apr 2003 21:25:24 +0200
+
+curl (7.10.3-3) unstable; urgency=low
+
+ * Rebuilt to link against libssl0.9.7.
+ * Improved package descriptions thanks to suggestions provided by
+ Filip Van Raemdonck (closes: #177995).
+
+ -- Domenico Andreoli Fri, 14 Mar 2003 16:08:38 +0100
+
+curl (7.10.3-2) unstable; urgency=low
+
+ * Development package is now named libcurl2-dev, it provides
+ libcurl-dev. People can now safely make their build dependencies
+ and be sure to use the right stuff.
+ * New package libcurl2-dbg is provided to help in debugging sessions.
+
+ -- Domenico Andreoli Mon, 20 Jan 2003 22:04:32 +0100
+
+curl (7.10.3-1) unstable; urgency=low
+
+ * New upstream release.
+ * It now suggests ca-certificates package.
+
+ -- Domenico Andreoli Thu, 16 Jan 2003 00:27:48 +0100
+
+curl (7.10.2-2) unstable; urgency=low
+
+ * Added AM_MAINTAINER_MODE to configure.in (closes: #170050).
+
+ -- Domenico Andreoli Fri, 22 Nov 2002 14:28:22 +0100
+
+curl (7.10.2-1) unstable; urgency=low
+
+ * New upstream release:
+ - fixed segfault on retrieving relative redirects (closes: #165382)
+ - fixed a leak of debug output (closes: #167678).
+ * Updated config.guess and config.sub (closes: #166153).
+ * Added zlib1g-dev to build and libcurl-dev dependencies
+ (closes: #169654).
+ * Added HTML and PDF versions of all manpages in libcurl-dev package.
+
+ -- Domenico Andreoli Wed, 20 Nov 2002 23:38:24 +0100
+
+curl (7.10.1-1) unstable; urgency=low
+
+ * New upstream release.
+
+ -- Domenico Andreoli Fri, 11 Oct 2002 23:26:50 +0200
+
+curl (7.10-1) unstable; urgency=low
+
+ * New upstream release:
+ - new way to use option -x to prevent curl from using any proxy
+ server (closes: #161153).
+
+ -- Domenico Andreoli Wed, 2 Oct 2002 01:04:20 +0200
+
+curl (7.9.8-2) unstable; urgency=low
+
+ * Added again libcurl2-ssl to the libcurl2 conflicts.
+
+ -- Domenico Andreoli Thu, 4 Jul 2002 02:35:24 +0200
+
+curl (7.9.8-1) unstable; urgency=low
+
+ * New upstream release.
+ * Double flavor of curl to support both non-SSL and SSL is gone.
+ Now curl comes only with SSL. Who needs SSL can require curl
+ version >= 7.9.8 .
+
+ -- Domenico Andreoli Mon, 24 Jun 2002 23:04:37 +0200
+
+curl (7.9.7-2) unstable; urgency=low
+
+ * Fixed the bashism in debian/rules (closes: #147352).
+ * SSL and non-SSL series of curl packages are now built from the
+ same source. thanks crypto-in-main! :)
+
+ -- Domenico Andreoli Mon, 20 May 2002 23:28:05 +0200
+
+curl (7.9.7-1) unstable; urgency=low
+
+ * New upstream release.
+
+ -- Domenico Andreoli Wed, 15 May 2002 21:09:19 +0200
+
+curl (7.9.6-1) unstable; urgency=low
+
+ * New upstream release.
+ * libcurl.3 manpage is now installed by libcurl-dev instead of
+ libcurl2. Indeed it provides an overview on how to use libcurl in
+ C programs.
+
+ -- Domenico Andreoli Sat, 20 Apr 2002 17:06:51 +0200
+
+curl (7.9.5-2) unstable; urgency=low
+
+ * curl-ssl stuff moved from non-US to main.
+
+ -- Domenico Andreoli Mon, 25 Mar 2002 23:40:02 +0100
+
+curl (7.9.5-1) unstable; urgency=low
+
+ * New upstream release (closes: #134608).
+ * Added autotools-dev to the build dependencies. config.{guess,sub}
+ can now be updated automatically in the build process.
+
+ -- Domenico Andreoli Tue, 12 Mar 2002 19:06:21 +0100
+
+curl (7.9.3-2) unstable; urgency=low
+
+ * Upstream source code has been correctly imported in my CVS
+ repository (closes: #130906).
+
+ -- Domenico Andreoli Sun, 27 Jan 2002 22:23:54 +0100
+
+curl (7.9.3-1) unstable; urgency=low
+
+ * New upstream release:
+ - fixed wrong assumption on char signedness (closes: #127011)
+ - missing header added accordingly (closes: #130401)
+ * Fixed a typo in curl description (closes: #124526).
+
+ -- Domenico Andreoli Thu, 24 Jan 2002 20:04:04 +0100
+
+curl (7.9.2-1) unstable; urgency=low
+
+ * New upstream release:
+ - two bad timeout matters in libcurl2 are now solved (closes: #118595).
+
+ -- Domenico Andreoli Fri, 7 Dec 2001 16:58:45 +0100
+
+curl (7.9.1-3) unstable; urgency=low
+
+ * Fixed return type of Curl_ftpsendf(...) to CURLcode (closes: #120485).
+ * Versions in debian/libcurl2.shlibs have been incremented to
+ ">= 7.9.1-1".
+
+ -- Domenico Andreoli Thu, 22 Nov 2001 15:35:40 +0100
+
+curl (7.9.1-2) unstable; urgency=low
+
+ * Reverted to unpatched released 7.9.1 source tree, patch behavior
+ was weird.
+
+ -- Domenico Andreoli Thu, 15 Nov 2001 18:05:58 +0100
+
+curl (7.9.1-1) unstable; urgency=low
+
+ * New upstream release.
+ * Applied upstream patch #478780 found on sourceforge, fixes libcurl
+ which didn't restore SIGALRM handler (closes: #118595).
+ * Applied patch for patch #478780 of above, see bug #118595 in BTS.
+ Patch courtesy of Enrik Berkhan .
+ * Build-Depends reduced to what is strictly required for building.
+ autoconf, automake and libtool build dependencies are gone.
+
+ -- Domenico Andreoli Fri, 9 Nov 2001 13:56:36 +0100
+
+curl (7.9-1) unstable; urgency=low
+
+ * New upstream release:
+ - output of "curl-config --libs" now includes -lcurl.
+
+ -- Domenico Andreoli Tue, 25 Sep 2001 18:38:46 +0200
+
+curl (7.8-3) unstable; urgency=low
+
+ * Added libc6-dev to libcurl2-dev dependencies.
+ * Fixed lack of some FD_ZERO(...)s in lib/transfer.c (closes: #105516).
+
+ -- Domenico Andreoli Fri, 3 Aug 2001 16:32:20 +0200
+
+curl (7.8-2) unstable; urgency=low
+
+ * libcurl2.shlibs now includes version numbers. some new symbols have
+ been introduced in libcurl 7.8, so program linked against 7.8 cannot
+ work with older ones.
+ * IPv6 support is now enabled
+ * configure.in has been renamed to autoconf.ac to force the use of
+ autoconf 2.50
+
+ -- Domenico Andreoli Thu, 5 Jul 2001 01:38:24 +0200
+
+curl (7.8-1) unstable; urgency=low
+
+ * New upstream release.
+ * Applied patch for correct shared library versioning of libcurl, curl
+ 7.8 comes with broken shared library version out of the box.
+ Patch provided by upstream developer.
+
+ -- Domenico Andreoli Sat, 9 Jun 2001 21:12:05 +0200
+
+curl (7.7.3-3) unstable; urgency=low
+
+ * Fixed manpages libcurl-dev with required simlinks (closes: 99610).
+
+ -- Domenico Andreoli Mon, 4 Jun 2001 14:37:49 +0200
+
+curl (7.7.3-2) unstable; urgency=low
+
+ * lib/url.c and lib/version.c are now fixed (closes: #97709).
+ * install upstream changelog (closes: #97628).
+
+ -- Domenico Andreoli Fri, 18 May 2001 10:32:25 +0200
+
+curl (7.7.3-1) unstable; urgency=low
+
+ * New upstream release.
+ * Using dh_installman instead dh_installmanpages.
+ * Installing libcurl examples with dh_installexamples.
+ * Policy 3.5.3.0 compliant.
+
+ -- Domenico Andreoli Thu, 10 May 2001 09:45:05 +0200
+
+curl (7.7.2-1) unstable; urgency=low
+
+ * New upstream release.
+
+ -- Domenico Andreoli Tue, 24 Apr 2001 09:14:51 +0200
+
+curl (7.7.1-2) unstable; urgency=low
+
+ * Fixed debian/rules (closes: #78232, #93837).
+
+ -- Domenico Andreoli Tue, 17 Apr 2001 17:12:19 +0200
+
+curl (7.7.1-1) unstable; urgency=low
+
+ * New upstream release.
+
+ -- Domenico Andreoli Tue, 10 Apr 2001 13:26:09 +0200
+
+curl (7.7-1) unstable; urgency=low
+
+ * New upstream release.
+ * Fixed formatting errors in curl.1 (closes: #90281).
+
+ -- Domenico Andreoli Fri, 23 Mar 2001 18:25:26 +0100
+
+curl (7.6.1-5) unstable; urgency=low
+
+ * Fixed debian/libcurl1.shlibs in order to solve any problem for those
+ packages which should depend on either libcurl1 or libcurl1-ssl.
+ I should have done it long time ago.
+
+ -- Domenico Andreoli Tue, 13 Mar 2001 18:29:06 +0100
+
+curl (7.6.1-4) unstable; urgency=low
+
+ * Added versioned Build-Depend for debhelper.
+
+ -- Domenico Andreoli Tue, 6 Mar 2001 15:16:02 +0100
+
+curl (7.6.1-3) unstable; urgency=low
+
+ * Refining the transition to debhelper compatibility 2. I forgot the
+ executable in the curl package (closes: #87886).
+
+ -- Domenico Andreoli Wed, 28 Feb 2001 14:31:43 +0100
+
+curl (7.6.1-2) unstable; urgency=low
+
+ * Switched to debhelper compatibility version 2.
+
+ -- Domenico Andreoli Fri, 23 Feb 2001 18:24:02 +0100
+
+curl (7.6.1-1) unstable; urgency=low
+
+ * New upstream release.
+
+ -- Domenico Andreoli Tue, 13 Feb 2001 18:04:04 +0100
+
+curl (7.6-2) unstable; urgency=low
+
+ * Adjusted dependencies in order to let curl-ssl package manage a
+ smooth upgrade from potato.
+
+ -- Domenico Andreoli Fri, 9 Feb 2001 13:36:11 +0100
+
+curl (7.6-1) unstable; urgency=low
+
+ * New upstream release.
+
+ -- Domenico Andreoli Mon, 29 Jan 2001 16:00:59 +0100
+
+curl (7.5.2-2) unstable; urgency=low
+
+ * This is a service upload in order to fix dependencies problems arose
+ for a ill-formed upload of 7.5.2-1.
+
+ -- Domenico Andreoli Mon, 29 Jan 2001 14:54:57 +0100
+
+curl (7.5.2-1) unstable; urgency=low
+
+ * New upstream release.
+ * It needed to be recompiled against the new libc (closes: #80256).
+
+ -- Domenico Andreoli Mon, 15 Jan 2001 13:08:15 +0100
+
+curl (7.5-1) unstable; urgency=low
+
+ * New upstream release.
+
+ -- Domenico Andreoli Mon, 4 Dec 2000 13:15:33 +0100
+
+curl (7.4.2-2) unstable; urgency=low
+
+ * curl replaces curl-ssl. curl is only a frontend for libcurl and is not
+ aware of any protocol, libcurl is. so what is really different whether
+ ssl is enable or not is only libcurl.
+ * curl now depends on (libcurl0 | libcurl0-ssl).
+ * The workaround for libtool -rpath parameter is not required, so
+ it has been removed from configure.in.
+ * Removed "Suggests: " field in control file for libcurl0. It suggested
+ to install curl and libcurl-dev too but it really doesn't make sense
+ (this change was really applied in -1).
+
+ -- Domenico Andreoli Tue, 28 Nov 2000 14:27:29 +0100
+
+curl (7.4.2-1) unstable; urgency=low
+
+ * New upstream release.
+
+ -- Domenico Andreoli Fri, 17 Nov 2000 16:19:23 +0100
+
+curl (7.2.1-1) unstable; urgency=low
+
+ * New upstream release.
+
+ -- Domenico Andreoli Mon, 4 Sep 2000 01:22:44 +0200
+
+curl (7.1-3) unstable; urgency=low
+
+ * Added "Suggests: " field in control file for libcurl0. Now curl and
+ libcurl-dev are suggested upon installation of libcurl0.
+
+ -- Domenico Andreoli Mon, 14 Aug 2000 15:01:08 +0200
+
+curl (7.1-2) unstable; urgency=low
+
+ * Fixed a line that did not install development manpages.
+
+ -- Domenico Andreoli Thu, 10 Aug 2000 14:32:23 +0200
+
+curl (7.1-1) unstable; urgency=low
+
+ * New upstream release.
+ * libcurl is now a separate package, it provides shared libraries and
+ includes to allow developing for other applications.
+
+ -- Domenico Andreoli Wed, 9 Aug 2000 01:21:25 +0200
+
+curl (6.5.2-4) unstable; urgency=low
+
+ * Some missing build dependencies (autoconf, automake, libtool) added.
+
+ -- Domenico Andreoli Sat, 8 Jul 2000 00:13:16 +0200
+
+curl (6.5.2-3) unstable; urgency=low
+
+ * Due to some policy and technical restrictions, curl's source package
+ has been splitted again in two, one for main archive and one for non-US.
+
+ -- Domenico Andreoli Tue, 4 Jul 2000 15:52:14 +0200
+
+curl (6.5.2-2) unstable; urgency=low
+
+ * Added a Build-Depends in order to compile curl-ssl only if
+ libssl09-dev is installed.
+ * Documentation reflects the new location of curl debian packages
+ home page (http://curl-deb.sourceforge.net).
+ * Corrected minor spelling errors in README.Debian.
+
+ -- Domenico Andreoli Sat, 17 Jun 2000 01:13:19 +0200
+
+curl (6.5.2-1) unstable; urgency=low
+
+ * New upstream release.
+ * Now curl and curl-ssl binary packages are generated from the same
+ debian source package.
+ * Uploads and downloads are now performed simultaneously (closes: #56627).
+
+ -- Domenico Andreoli Sat, 25 Mar 2000 01:06:35 +0100
+
+curl (6.4-1) unstable; urgency=low
+
+ * New upstream release.
+
+ -- Domenico Andreoli Sun, 30 Jan 2000 02:21:32 +0100
+
+curl (6.3.1-1) unstable; urgency=low
+
+ * New upstream release.
+
+ -- Domenico Andreoli Sat, 11 Dec 1999 17:38:13 +0100
+
+curl (6.2-1) unstable; urgency=low
+
+ * New upstream release.
+ * No hack to compile without SSL is required anymore. Fixed by
+ upstream maintainer.
+
+ -- Domenico Andreoli Mon, 1 Nov 1999 00:37:32 +0100
+
+curl (6.0-1) unstable; urgency=low
+
+ * New upstream release.
+
+ -- Domenico Andreoli Mon, 27 Sep 1999 22:28:13 +0200
+
+curl (5.11-1.1) unstable; urgency=low
+
+ * Put sources into the right section.
+
+ -- Domenico Andreoli Mon, 30 Aug 1999 03:14:21 +0200
+
+curl (5.11-1) unstable; urgency=low
+
+ * New upstream release.
+ * New debian maintainer.
+
+ -- Domenico Andreoli Fri, 27 Aug 1999 11:50:04 +0200
+
+curl (5.9-2) unstable; urgency=low
+
+ * Moved to non-US, and compiled against ssl (closes: #40099).
+
+ -- Leon Breedt Sat, 3 Jul 1999 15:46:54 +0200
+
+curl (5.9-1) unstable; urgency=low
+
+ * New upstream release.
+
+ -- Leon Breedt Sun, 23 May 1999 21:51:30 +0200
+
+curl (5.8-1) unstable; urgency=low
+
+ * Initial Release.
+
+ -- Leon Breedt Sun, 9 May 1999 18:55:48 +0200
diff --git a/debian/control b/debian/control
new file mode 100644
index 00000000000000..953ffb419b2ec6
--- /dev/null
+++ b/debian/control
@@ -0,0 +1,201 @@
+Source: curl
+Section: web
+Priority: optional
+Maintainer: Debian Curl Maintainers
+Uploaders: Carlos Henrique Lima Melara ,
+ Samuel Henrique ,
+ Sergio Durigan Junior
+Build-Depends:
+ debhelper-compat (= 13),
+ autoconf,
+ automake,
+ ca-certificates,
+ dh-exec,
+ groff-base,
+ libbrotli-dev,
+ libgnutls28-dev,
+ libidn2-dev,
+ libkrb5-dev,
+ libldap2-dev,
+ libnghttp2-dev,
+ libpsl-dev,
+ librtmp-dev,
+ libssh-dev,
+ libssh2-1-dev,
+ libssl-dev,
+ libtool,
+ libzstd-dev,
+ locales-all ,
+ openssh-server ,
+ python3:native ,
+ python3-impacket ,
+ gnutls-bin [amd64 arm64 armel armhf i386 mips64el mipsel s390x powerpc ppc64 riscv64] ,
+ quilt,
+ stunnel4 ,
+ zlib1g-dev,
+Build-Conflicts: autoconf2.13, automake1.4
+Standards-Version: 4.6.2
+Vcs-Git: https://salsa.debian.org/debian/curl.git
+Vcs-Browser: https://salsa.debian.org/debian/curl
+Homepage: https://curl.se/
+Rules-Requires-Root: no
+
+Package: curl
+Architecture: any
+Depends: ${shlibs:Depends}, ${misc:Depends}, libcurl4 (= ${binary:Version})
+Multi-Arch: foreign
+Description: command line tool for transferring data with URL syntax
+ curl is a command line tool for transferring data with URL syntax, supporting
+ DICT, FILE, FTP, FTPS, GOPHER, HTTP, HTTPS, IMAP, IMAPS, LDAP, LDAPS, POP3,
+ POP3S, RTMP, RTSP, SCP, SFTP, SMTP, SMTPS, TELNET and TFTP.
+ .
+ curl supports SSL certificates, HTTP POST, HTTP PUT, FTP uploading, HTTP form
+ based upload, proxies, cookies, user+password authentication (Basic, Digest,
+ NTLM, Negotiate, kerberos...), file transfer resume, proxy tunneling and a
+ busload of other useful tricks.
+
+Package: libcurl4
+Architecture: any
+Section: libs
+Depends: ${shlibs:Depends}, ${misc:Depends}
+Recommends: ca-certificates
+Pre-Depends: ${misc:Pre-Depends}
+Conflicts: libcurl3
+Replaces: libcurl3
+Multi-Arch: same
+Description: easy-to-use client-side URL transfer library (OpenSSL flavour)
+ libcurl is an easy-to-use client-side URL transfer library, supporting DICT,
+ FILE, FTP, FTPS, GOPHER, HTTP, HTTPS, IMAP, IMAPS, LDAP, LDAPS, POP3, POP3S,
+ RTMP, RTSP, SCP, SFTP, SMTP, SMTPS, TELNET and TFTP.
+ .
+ libcurl supports SSL certificates, HTTP POST, HTTP PUT, FTP uploading, HTTP
+ form based upload, proxies, cookies, user+password authentication (Basic,
+ Digest, NTLM, Negotiate, Kerberos), file transfer resume, http proxy tunneling
+ and more!
+ .
+ libcurl is free, thread-safe, IPv6 compatible, feature rich, well supported,
+ fast, thoroughly documented and is already used by many known, big and
+ successful companies and numerous applications.
+ .
+ SSL support is provided by OpenSSL.
+
+Package: libcurl3-gnutls
+Architecture: any
+Section: libs
+Depends: ${shlibs:Depends}, ${misc:Depends}
+Recommends: ca-certificates
+Pre-Depends: ${misc:Pre-Depends}
+Multi-Arch: same
+Description: easy-to-use client-side URL transfer library (GnuTLS flavour)
+ libcurl is an easy-to-use client-side URL transfer library, supporting DICT,
+ FILE, FTP, FTPS, GOPHER, HTTP, HTTPS, IMAP, IMAPS, LDAP, LDAPS, POP3, POP3S,
+ RTMP, RTSP, SCP, SFTP, SMTP, SMTPS, TELNET and TFTP.
+ .
+ libcurl supports SSL certificates, HTTP POST, HTTP PUT, FTP uploading, HTTP
+ form based upload, proxies, cookies, user+password authentication (Basic,
+ Digest, NTLM, Negotiate, Kerberos), file transfer resume, http proxy tunneling
+ and more!
+ .
+ libcurl is free, thread-safe, IPv6 compatible, feature rich, well supported,
+ fast, thoroughly documented and is already used by many known, big and
+ successful companies and numerous applications.
+ .
+ SSL support is provided by GnuTLS.
+
+Package: libcurl4-openssl-dev
+Architecture: any
+Section: libdevel
+Provides: libcurl-dev,
+ libcurl-ssl-dev,
+ libcurl3-openssl-dev,
+ libcurl4-dev,
+ libcurl3-dev
+Conflicts: libcurl4-gnutls-dev, libssl1.0-dev
+Depends: ${misc:Depends}, libcurl4 (= ${binary:Version})
+Suggests: libcurl4-doc,
+ libidn-dev,
+ libkrb5-dev,
+ libldap2-dev,
+ librtmp-dev,
+ libssh2-1-dev,
+ libssl-dev,
+ pkg-config,
+ zlib1g-dev
+Multi-Arch: same
+Description: development files and documentation for libcurl (OpenSSL flavour)
+ libcurl is an easy-to-use client-side URL transfer library, supporting DICT,
+ FILE, FTP, FTPS, GOPHER, HTTP, HTTPS, IMAP, IMAPS, LDAP, LDAPS, POP3, POP3S,
+ RTMP, RTSP, SCP, SFTP, SMTP, SMTPS, TELNET and TFTP.
+ .
+ libcurl supports SSL certificates, HTTP POST, HTTP PUT, FTP uploading, HTTP
+ form based upload, proxies, cookies, user+password authentication (Basic,
+ Digest, NTLM, Negotiate, Kerberos), file transfer resume, http proxy tunneling
+ and more!
+ .
+ libcurl is free, thread-safe, IPv6 compatible, feature rich, well supported,
+ fast, thoroughly documented and is already used by many known, big and
+ successful companies and numerous applications.
+ .
+ This package provides the development files (ie. includes, static library,
+ manual pages) that allow one to build software which uses libcurl.
+ .
+ SSL support is provided by OpenSSL.
+
+Package: libcurl4-gnutls-dev
+Architecture: any
+Section: libdevel
+Provides: libcurl-dev,
+ libcurl-ssl-dev,
+ libcurl3-gnutls-dev,
+ libcurl4-dev
+Conflicts: libcurl4-openssl-dev
+Depends: ${misc:Depends}, libcurl3-gnutls (= ${binary:Version})
+Suggests: libcurl4-doc,
+ libgnutls28-dev,
+ libidn-dev,
+ libkrb5-dev,
+ libldap2-dev,
+ librtmp-dev,
+ libssh2-1-dev,
+ pkg-config,
+ zlib1g-dev
+Multi-Arch: same
+Description: development files and documentation for libcurl (GnuTLS flavour)
+ libcurl is an easy-to-use client-side URL transfer library, supporting DICT,
+ FILE, FTP, FTPS, GOPHER, HTTP, HTTPS, IMAP, IMAPS, LDAP, LDAPS, POP3, POP3S,
+ RTMP, RTSP, SCP, SFTP, SMTP, SMTPS, TELNET and TFTP.
+ .
+ libcurl supports SSL certificates, HTTP POST, HTTP PUT, FTP uploading, HTTP
+ form based upload, proxies, cookies, user+password authentication (Basic,
+ Digest, NTLM, Negotiate, Kerberos), file transfer resume, http proxy tunneling
+ and more!
+ .
+ libcurl is free, thread-safe, IPv6 compatible, feature rich, well supported,
+ fast, thoroughly documented and is already used by many known, big and
+ successful companies and numerous applications.
+ .
+ This package provides the development files (ie. includes, static library,
+ manual pages) that allow one to build software which uses libcurl.
+ .
+ SSL support is provided by GnuTLS.
+
+Package: libcurl4-doc
+Section: doc
+Architecture: all
+Multi-Arch: foreign
+Depends: ${misc:Depends}
+Description: documentation for libcurl
+ libcurl is an easy-to-use client-side URL transfer library, supporting DICT,
+ FILE, FTP, FTPS, GOPHER, HTTP, HTTPS, IMAP, IMAPS, LDAP, LDAPS, POP3, POP3S,
+ RTMP, RTSP, SCP, SFTP, SMTP, SMTPS, TELNET and TFTP.
+ .
+ libcurl supports SSL certificates, HTTP POST, HTTP PUT, FTP uploading, HTTP
+ form based upload, proxies, cookies, user+password authentication (Basic,
+ Digest, NTLM, Negotiate, Kerberos), file transfer resume, http proxy tunneling
+ and more!
+ .
+ libcurl is free, thread-safe, IPv6 compatible, feature rich, well supported,
+ fast, thoroughly documented and is already used by many known, big and
+ successful companies and numerous applications.
+ .
+ This package provides the documentation files for libcurl.
diff --git a/debian/copyright b/debian/copyright
new file mode 100644
index 00000000000000..a9cbd5a1fa05ac
--- /dev/null
+++ b/debian/copyright
@@ -0,0 +1,534 @@
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Upstream-Name: curl
+Source: https://curl.se/
+
+Files: *
+Copyright: 1997-2022, Daniel Stenberg, , et al.
+License: curl
+
+Files: debian/*
+Copyright: 1999, Leon Breedt
+ 2005, Luk Claes
+ 2005, LaMont Jones
+ 2004-2005, Matthias Klose
+ 2005-2006, Martin Pitt
+ 2008, Andreas Schuldei
+ 2000-2010, Domenico Andreoli
+ 1999-2010, Domenico Andreoli
+ 2010-2011, Ramakrishnan Muthukrishnan
+ 2007, 2011, 2018, Steve Langasek
+ 2011-2020, Alessandro Ghedini
+ 2021, Bruno Kleinert
+ 2021, Jeremy Bicha
+ 2014-2011, Helmut Grohne
+ 2022, Paul Gevers
+ 2013, 2022, Salvatore Bonaccorso
+ 2022, Sergio Durigan Junior
+ 2021-2022, Samuel Henrique
+ 2023 John Scott
+License: curl
+
+Files: debian/tests/LDAP-bindata.c
+Copyright: 2019 Ryan Tandy
+ 2023 John Scott
+License: OLDAP-2.8
+
+Files: packages/vms/backup_gnv_curl_src.com
+ packages/vms/build_curl-config_script.com
+ packages/vms/build_gnv_curl.com
+ packages/vms/build_gnv_curl_pcsi_desc.com
+ packages/vms/build_gnv_curl_pcsi_text.com
+ packages/vms/build_gnv_curl_release_notes.com
+ packages/vms/build_libcurl_pc.com
+ packages/vms/clean_gnv_curl.com
+ packages/vms/config_h.com
+ packages/vms/curl_gnv_build_steps.txt
+ packages/vms/curl_startup.com
+ packages/vms/generate_config_vms_h_curl.com
+ packages/vms/generate_vax_transfer.com
+ packages/vms/gnv_conftest.c_first
+ packages/vms/gnv_curl_configure.sh
+ packages/vms/gnv_libcurl_symbols.opt
+ packages/vms/gnv_link_curl.com
+ packages/vms/make_gnv_curl_install.sh
+ packages/vms/make_pcsi_curl_kit_name.com
+ packages/vms/pcsi_gnv_curl_file_list.txt
+ packages/vms/pcsi_product_gnv_curl.com
+ packages/vms/report_openssl_version.c
+ packages/vms/setup_gnv_curl_build.com
+ packages/vms/stage_curl_install.com
+ packages/vms/vms_eco_level.h
+Copyright: 2009-2022, John Malmberg
+License: ISC
+
+Files: lib/curl_des.c
+ lib/curl_des.h
+ lib/system_win32.c
+ lib/system_win32.h
+ lib/vauth/krb5_sspi.c
+ lib/vauth/vauth.c
+ lib/vauth/vauth.h
+ lib/version_win32.c
+ lib/version_win32.h
+ projects/build-openssl.bat
+ projects/checksrc.bat
+ projects/generate.bat
+ tests/libtest/lib1520.c
+Copyright: 2012-2022, Steve Holme,
+License: curl
+
+Files: m4/xc-am-iface.m4
+ m4/xc-cc-check.m4
+ m4/xc-lt-iface.m4
+ m4/xc-translit.m4
+ m4/xc-val-flgs.m4
+ m4/zz40-xc-ovr.m4
+ m4/zz50-xc-ovr.m4
+ m4/zz60-xc-ovr.m4
+Copyright: 2011-2022, Daniel Stenberg
+License: ISC
+
+Files: compile
+ depcomp
+ missing
+ test-driver
+Copyright: 1996-2021, Free Software Foundation, Inc.
+License: GPL-2+ with Autoconf-data exception
+
+Files: lib/vtls/mbedtls.c
+ lib/vtls/mbedtls.h
+ lib/vtls/mbedtls_threadlock.c
+ lib/vtls/mbedtls_threadlock.h
+Copyright: 2010-2011, Hoi-Ho Chan,
+ 2012-2022, Daniel Stenberg, , et al.
+License: curl
+
+Files: tests/libtest/lib1506.c
+ tests/libtest/lib1508.c
+ tests/libtest/lib1510.c
+ tests/libtest/lib1512.c
+Copyright: 2013-2022, Linus Nielsen Feltzing
+License: curl
+
+Files: config.guess
+ config.sub
+Copyright: 1992-2022, Free Software Foundation, Inc.
+License: GPL-3+ with Autoconf-data exception
+
+Files: lib/inet_ntop.c
+ lib/inet_pton.c
+Copyright: 1996-2022, Internet Software Consortium.
+License: ISC
+
+Files: tests/certs/scripts/genroot.sh
+ tests/certs/scripts/genserv.sh
+Copyright: 2000-2020, EdelWeb for EdelKey and OpenEvidence
+License: curl
+
+Files: lib/smb.c
+ lib/smb.h
+Copyright: 2014, 2018, Bill Nagel , Exacq Technologies
+ 2018-2022, Daniel Stenberg, , et al.
+License: curl
+
+Files: lib/curl_sha256.h
+ lib/sha256.c
+Copyright: 2017, Florin Petriuc,
+ 2018-2022, Daniel Stenberg, , et al.
+License: curl
+
+Files: lib/conncache.c
+ lib/conncache.h
+Copyright: 2012-2016, Linus Nielsen Feltzing,
+ 2012-2022, Daniel Stenberg, , et al.
+License: curl
+
+Files: tests/appveyor.pm
+ tests/azure.pm
+Copyright: 2020-2022, Daniel Stenberg, , et al.
+ 2020-2022, Marc Hoersken,
+License: curl
+
+Files: lib/vtls/schannel.c
+ lib/vtls/schannel_verify.c
+Copyright: 2012, Mark Salisbury,
+ 2012-2016, Marc Hoersken,
+ 2012-2022, Daniel Stenberg, , et al.
+License: curl
+
+Files: lib/socks_gssapi.c
+ lib/socks_sspi.c
+Copyright: 2011-2012, Markus Moeller,
+ 2012-2022, Daniel Stenberg, , et al.
+License: curl
+
+Files: lib/vtls/sectransp.c
+ lib/vtls/sectransp.h
+Copyright: 2012-2017, Nick Zitzmann, .
+ 2012-2022, Daniel Stenberg, , et al.
+License: curl
+
+Files: lib/vauth/digest_sspi.c
+ lib/vauth/krb5_gssapi.c
+Copyright: 2014-2019, Steve Holme, .
+ 2015-2022, Daniel Stenberg, , et al.
+License: curl
+
+Files: lib/vtls/rustls.c
+ lib/vtls/rustls.h
+Copyright: 2020-2022, Jacob Hoffman-Andrews,
+License: curl
+
+Files: tests/libtest/lib1908.c
+ tests/libtest/lib1910.c
+Copyright: 2013-2022, Linus Nielsen Feltzing,
+License: curl
+
+Files: docs/libcurl/opts/CURLOPT_PREREQDATA.3
+ docs/libcurl/opts/CURLOPT_PREREQFUNCTION.3
+Copyright: 2022, Max Dymond, , et al.
+License: curl
+
+Files: lib/vtls/bearssl.c
+ lib/vtls/bearssl.h
+Copyright: 2019-2022, Michael Forney,
+License: curl
+
+Files: tests/libtest/lib1526.c
+ tests/libtest/lib1527.c
+Copyright: 1998-2022, Vijay Panghal, , et al.
+License: curl
+
+Files: m4/libtool.m4
+ ltmain.sh
+Copyright: 1996-2022, Free Software Foundation, Inc.
+License: GPL-2+ with Libtool exception
+
+Files: lib/krb5.c
+Copyright: 1995-1999, Kungliga Tekniska Högskolan
+ 2004-2022, Daniel Stenberg
+License: BSD-3-clause
+
+Files: tests/server/tftpd.c
+Copyright: 1983, Regents of the University of California.
+ 2005-2022, Daniel Stenberg, , et al.
+License: BSD-4-Clause-UC
+
+Files: aclocal.m4
+ m4/ltsugar.m4
+ m4/ltversion.m4
+ m4/ltoptions.m4
+ m4/lt~obsolete.m4
+Copyright: 1996-2022, Free Software Foundation, Inc.
+License: FSFULLR
+
+Files: install-sh
+Copyright: 1994, X Consortium
+License: X11
+
+Files: lib/mqtt.h
+Copyright: 2019-2022, Björn Stenberg,
+License: curl
+
+Files: lib/mqtt.c
+Copyright: 2019, Björn Stenberg,
+ 2020-2022, Daniel Stenberg, , et al.
+License: curl
+
+Files: lib/curl_rtmp.c
+Copyright: 2012, Howard Chu,
+ 2012-2022, Daniel Stenberg, , et al.
+License: curl
+
+Files: lib/openldap.c
+Copyright: 2010, Howard Chu,
+ 2011-2022, Daniel Stenberg, , et al.
+License: curl
+
+Files: tests/server/fake_ntlm.c
+Copyright: 2010, Mandy Wu,
+ 2011-2022, Daniel Stenberg, , et al.
+License: curl
+
+Files: lib/vtls/schannel.h
+Copyright: 2012, Marc Hoersken, , et al.
+ 2012-2022, Daniel Stenberg, , et al.
+License: curl
+
+Files: tests/libtest/lib1525.c
+Copyright: 1998, Vijay Panghal, , et al.
+ 1998-2022, Daniel Stenberg, , et al.
+License: curl
+
+Files: docs/libcurl/libcurl.m4
+Copyright: 2006-2022, David Shaw
+License: curl
+
+Files: tests/pathhelp.pm
+Copyright: 2016-2022, Evgeny Grin (Karlson2k), .
+License: curl
+
+Files: lib/curl_rtmp.h
+Copyright: 2010-2022, Howard Chu,
+License: curl
+
+Files: projects/build-wolfssl.bat
+Copyright: 2012-2020, Steve Holme, .
+ 2015-2022, Jay Satiro, .
+License: curl
+
+Files: docs/examples/crawler.c
+Copyright: 2018-2022, Jeroen Ooms
+License: curl
+
+Files: tests/libtest/libprereq.c
+Copyright: 2021-2022, Max Dymond,
+License: curl
+
+Files: tests/libtest/lib3010.c
+Copyright: 2020-2022, Nicolas Sterchele,
+License: curl
+
+Files: lib/vssh/libssh.c
+Copyright: 2017-2022, Red Hat, Inc.
+License: curl
+
+Files: lib/vauth/gsasl.c
+Copyright: 2020-2022, Simon Josefsson, , et al.
+License: curl
+
+License: curl
+ All rights reserved.
+ .
+ Permission to use, copy, modify, and distribute this software for any purpose
+ with or without fee is hereby granted, provided that the above copyright
+ notice and this permission notice appear in all copies.
+ .
+ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OF THIRD PARTY RIGHTS. IN
+ NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
+ DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
+ OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE
+ OR OTHER DEALINGS IN THE SOFTWARE.
+ .
+ Except as contained in this notice, the name of a copyright holder shall not
+ be used in advertising or otherwise to promote the sale, use or other dealings
+ in this Software without prior written authorization of the copyright holder.
+
+License: BSD-3-Clause
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions
+ are met:
+ .
+ 1. Redistributions of source code must retain the above copyright
+ notice, this list of conditions and the following disclaimer.
+ .
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+ .
+ 3. Neither the name of the Institute nor the names of its contributors
+ may be used to endorse or promote products derived from this software
+ without specific prior written permission.
+ .
+ THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+ ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+ FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ SUCH DAMAGE.
+
+License: BSD-4-Clause-UC
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions
+ are met:
+ 1. Redistributions of source code must retain the above copyright
+ notice, this list of conditions and the following disclaimer.
+ 2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+ 3. All advertising materials mentioning features or use of this software
+ must display the following acknowledgement:
+ This product includes software developed by the University of
+ California, Berkeley and its contributors.
+ 4. Neither the name of the University nor the names of its contributors
+ may be used to endorse or promote products derived from this software
+ without specific prior written permission.
+ .
+ THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ SUCH DAMAGE.
+Comment: Clause 3 has been deleted:
+ July 22, 1999
+ .
+ To All Licensees, Distributors of Any Version of BSD:
+ .
+ As you know, certain of the Berkeley Software Distribution ("BSD") source
+ code files require that further distributions of products containing all or
+ portions of the software, acknowledge within their advertising materials
+ that such products contain software developed by UC Berkeley and its
+ contributors.
+ .
+ Specifically, the provision reads:
+ .
+ " * 3. All advertising materials mentioning features or use of this software
+ * must display the following acknowledgement:
+ * This product includes software developed by the University of
+ * California, Berkeley and its contributors."
+ .
+ Effective immediately, licensees and distributors are no longer required to
+ include the acknowledgement within advertising materials. Accordingly, the
+ foregoing paragraph of those BSD Unix files containing it is hereby deleted
+ in its entirety.
+ .
+ William Hoskins
+ Director, Office of Technology Licensing
+ University of California, Berkeley
+
+License: ISC
+ Permission to use, copy, modify, and/or distribute this software for any
+ purpose with or without fee is hereby granted, provided that the above
+ copyright notice and this permission notice appear in all copies.
+ .
+ THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+
+License: GPL-2+ with Autoconf-data exception
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2, or (at your option)
+ any later version.
+ .
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+ .
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see .
+ As a special exception to the GNU General Public License, if you
+ distribute this file as part of a program that contains a
+ configuration script generated by Autoconf, you may include it under
+ the same distribution terms that you use for the rest of that program.
+
+License: X11
+ Permission is hereby granted, free of charge, to any person obtaining a copy
+ of this software and associated documentation files (the "Software"), to
+ deal in the Software without restriction, including without limitation the
+ rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
+ sell copies of the Software, and to permit persons to whom the Software is
+ furnished to do so, subject to the following conditions:
+ .
+ The above copyright notice and this permission notice shall be included in
+ all copies or substantial portions of the Software.
+ .
+ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ X CONSORTIUM BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN
+ AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNEC-
+ TION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+ .
+ Except as contained in this notice, the name of the X Consortium shall not
+ be used in advertising or otherwise to promote the sale, use or other deal-
+ ings in this Software without prior written authorization from the X Consor-
+ tium.
+
+License: GPL-2+ with Libtool exception
+ GNU Libtool is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+ .
+ As a special exception to the GNU General Public License,
+ if you distribute this file as part of a program or library that
+ is built using GNU Libtool, you may include this file under the
+ same distribution terms that you use for the rest of that program.
+ .
+ GNU Libtool is distributed in the hope that it will be useful, but
+ WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+ .
+ You should have received a copy of the GNU General Public License
+ along with GNU Libtool; see the file COPYING. If not, a copy
+ can be downloaded from http://www.gnu.org/licenses/gpl.html,
+ or obtained by writing to the Free Software Foundation, Inc.,
+ 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+ .
+ On Debian systems, the full text of the GNU General Public
+ License version 2 can be found in the file
+ `/usr/share/common-licenses/GPL-2'.
+
+License: GPL-3+ with Autoconf-data exception
+ This program is free software: you can redistribute it and/or modify it
+ under the terms of the GNU General Public License as published by the
+ Free Software Foundation, either version 3 of the License, or (at your
+ option) any later version.
+ .
+ This program is distributed in the hope that it will be useful, but
+ WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General
+ Public License for more details.
+ .
+ You should have received a copy of the GNU General Public License along
+ with this program. If not, see .
+ .
+ As a special exception, the respective Autoconf Macro's copyright owner
+ gives unlimited permission to copy, distribute and modify the configure
+ scripts that are the output of Autoconf when processing the Macro. You
+ need not follow the terms of the GNU General Public License when using
+ or distributing such scripts, even though portions of the text of the
+ Macro appear in them. The GNU General Public License (GPL) does govern
+ all other use of the material that constitutes the Autoconf Macro.
+ .
+ This special exception to the GPL applies to versions of the Autoconf
+ Macro released by the Autoconf Archive. When you make and distribute a
+ modified version of the Autoconf Macro, you may extend this special
+ exception to the GPL to apply to your modified version as well.
+
+License: FSFULLR
+ This file is free software; the Free Software Foundation
+ gives unlimited permission to copy and/or distribute it,
+ with or without modifications, as long as this notice is preserved.
+
+License: OLDAP-2.8
+ The OpenLDAP Public License
+ Version 2.8, 17 August 2003
+ .
+ Redistribution and use of this software and associated documentation ("Software"), with or without modification, are permitted provided that the following conditions are met:
+ .
+ 1. Redistributions in source form must retain copyright statements and notices,
+ .
+ 2. Redistributions in binary form must reproduce applicable copyright statements and notices, this list of conditions, and the following disclaimer in the documentation and/or other materials provided with the distribution, and
+ .
+ 3. Redistributions must contain a verbatim copy of this document.
+ .
+ The OpenLDAP Foundation may revise this license from time to time. Each revision is distinguished by a version number. You may use this Software under terms of this license revision or under the terms of any subsequent revision of the license.
+ ,
+ THIS SOFTWARE IS PROVIDED BY THE OPENLDAP FOUNDATION AND ITS CONTRIBUTORS ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OPENLDAP FOUNDATION, ITS CONTRIBUTORS, OR THE AUTHOR(S) OR OWNER(S) OF THE SOFTWARE BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ .
+ The names of the authors and copyright holders must not be used in advertising or otherwise to promote the sale, use or other dealing in this Software without specific, written prior permission. Title to copyright in this Software shall at all times remain with copyright holders.
+ .
+ OpenLDAP is a registered trademark of the OpenLDAP Foundation.
+ .
+ Permission to copy and distribute verbatim copies of this document is granted.
diff --git a/debian/curl.install b/debian/curl.install
new file mode 100755
index 00000000000000..6c48bc8f8b795a
--- /dev/null
+++ b/debian/curl.install
@@ -0,0 +1,3 @@
+#!/usr/bin/dh-exec
+usr/bin/curl
+ usr/share/zsh/*
diff --git a/debian/gbp.conf b/debian/gbp.conf
new file mode 100644
index 00000000000000..9c9e11e98947dd
--- /dev/null
+++ b/debian/gbp.conf
@@ -0,0 +1,15 @@
+[DEFAULT]
+pristine-tar = True
+cleaner = /bin/true
+ignore-branch = True
+debian-branch = debian/unstable
+sign-tags = True
+
+[import-orig]
+filter-pristine-tar = True
+
+[pq]
+patch-numbers = False
+
+[dch]
+multimaint-merge = True
diff --git a/debian/libcurl3-gnutls.install b/debian/libcurl3-gnutls.install
new file mode 100644
index 00000000000000..58c3413832567d
--- /dev/null
+++ b/debian/libcurl3-gnutls.install
@@ -0,0 +1 @@
+usr/lib/*/libcurl-gnutls.so.4*
diff --git a/debian/libcurl3-gnutls.links b/debian/libcurl3-gnutls.links
new file mode 100755
index 00000000000000..43fb7847c3526e
--- /dev/null
+++ b/debian/libcurl3-gnutls.links
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+echo usr/lib/$DEB_HOST_MULTIARCH/libcurl-gnutls.so.4 usr/lib/$DEB_HOST_MULTIARCH/libcurl-gnutls.so.3
diff --git a/debian/libcurl3-gnutls.lintian-overrides b/debian/libcurl3-gnutls.lintian-overrides
new file mode 100644
index 00000000000000..4775db98631df1
--- /dev/null
+++ b/debian/libcurl3-gnutls.lintian-overrides
@@ -0,0 +1 @@
+libcurl3-gnutls: package-name-doesnt-match-sonames libcurl-gnutls4
diff --git a/debian/libcurl3-gnutls.symbols b/debian/libcurl3-gnutls.symbols
new file mode 100644
index 00000000000000..8fc7ea055f5408
--- /dev/null
+++ b/debian/libcurl3-gnutls.symbols
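Review bot: The OLDAP-2.8 license block in debian/copyright separates the "may revise this license" paragraph from the disclaimer with a line containing only `,` where the DEP-5 format uses `.` as the paragraph separator; that line should read ` .` like the surrounding ones. The `Files: debian/*` stanza also lists the reversed year range `2014-2011, Helmut Grohne`, which presumably should be `2011-2014`. Both are worth fixing before upload, since this file is machine-parsed by packaging tooling and a malformed stanza is easy to overlook in such a long copyright file.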
@@ -0,0 +1,97 @@
+libcurl-gnutls.so.4 libcurl3-gnutls #MINVER#
+* Build-Depends-Package: libcurl4-gnutls-dev
+ CURL_GNUTLS_3@CURL_GNUTLS_3 7.16.2
+ HIDDEN@HIDDEN 7.16.2
+ curl_easy_cleanup@CURL_GNUTLS_3 7.16.2
+ curl_easy_duphandle@CURL_GNUTLS_3 7.16.2
+ curl_easy_escape@CURL_GNUTLS_3 7.16.2
+ curl_easy_getinfo@CURL_GNUTLS_3 7.16.2
+ curl_easy_header@CURL_GNUTLS_3 7.83.0
+ curl_easy_init@CURL_GNUTLS_3 7.16.2
+ curl_easy_nextheader@CURL_GNUTLS_3 7.83.0
+ curl_easy_option_by_id@CURL_GNUTLS_3 7.74.0
+ curl_easy_option_by_name@CURL_GNUTLS_3 7.74.0
+ curl_easy_option_next@CURL_GNUTLS_3 7.74.0
+ curl_easy_pause@CURL_GNUTLS_3 7.18.0
+ curl_easy_perform@CURL_GNUTLS_3 7.16.2
+ curl_easy_recv@CURL_GNUTLS_3 7.18.2
+ curl_easy_reset@CURL_GNUTLS_3 7.16.2
+ curl_easy_send@CURL_GNUTLS_3 7.18.2
+ curl_easy_setopt@CURL_GNUTLS_3 7.16.2
+ curl_easy_strerror@CURL_GNUTLS_3 7.16.2
+ curl_easy_unescape@CURL_GNUTLS_3 7.16.2
+ curl_easy_upkeep@CURL_GNUTLS_3 7.63.0
+ curl_escape@CURL_GNUTLS_3 7.16.2
+ curl_formadd@CURL_GNUTLS_3 7.16.2
+ curl_formfree@CURL_GNUTLS_3 7.16.2
+ curl_formget@CURL_GNUTLS_3 7.16.2
+ curl_free@CURL_GNUTLS_3 7.16.2
+ curl_getdate@CURL_GNUTLS_3 7.16.2
+ curl_getenv@CURL_GNUTLS_3 7.16.2
+ curl_global_cleanup@CURL_GNUTLS_3 7.16.2
+ curl_global_init@CURL_GNUTLS_3 7.16.2
+ curl_global_init_mem@CURL_GNUTLS_3 7.16.2
+ curl_global_sslset@CURL_GNUTLS_3 7.56.1
+ curl_global_trace@CURL_GNUTLS_3 8.3.0
+ curl_maprintf@CURL_GNUTLS_3 7.16.2
+ curl_mfprintf@CURL_GNUTLS_3 7.16.2
+ curl_mime_addpart@CURL_GNUTLS_3 7.56.1
+ curl_mime_data@CURL_GNUTLS_3 7.56.1
+ curl_mime_data_cb@CURL_GNUTLS_3 7.56.1
+ curl_mime_encoder@CURL_GNUTLS_3 7.56.1
+ curl_mime_filedata@CURL_GNUTLS_3 7.56.1
+ curl_mime_filename@CURL_GNUTLS_3 7.56.1
+ curl_mime_free@CURL_GNUTLS_3 7.56.1
+ curl_mime_headers@CURL_GNUTLS_3 7.56.1
+ curl_mime_init@CURL_GNUTLS_3 7.56.1
+ curl_mime_name@CURL_GNUTLS_3 7.56.1
+ curl_mime_subparts@CURL_GNUTLS_3 7.56.1
+ curl_mime_type@CURL_GNUTLS_3 7.56.1
+ curl_mprintf@CURL_GNUTLS_3 7.16.2
+ curl_msnprintf@CURL_GNUTLS_3 7.16.2
+ curl_msprintf@CURL_GNUTLS_3 7.16.2
+ curl_multi_add_handle@CURL_GNUTLS_3 7.16.2
+ curl_multi_assign@CURL_GNUTLS_3 7.16.2
+ curl_multi_cleanup@CURL_GNUTLS_3 7.16.2
+ curl_multi_fdset@CURL_GNUTLS_3 7.16.2
+ curl_multi_get_handles@CURL_GNUTLS_3 8.4.0
+ curl_multi_info_read@CURL_GNUTLS_3 7.16.2
+ curl_multi_init@CURL_GNUTLS_3 7.16.2
+ curl_multi_perform@CURL_GNUTLS_3 7.16.2
+ curl_multi_poll@CURL_GNUTLS_3 7.66.0
+ curl_multi_remove_handle@CURL_GNUTLS_3 7.16.2
+ curl_multi_setopt@CURL_GNUTLS_3 7.16.2
+ curl_multi_socket@CURL_GNUTLS_3 7.16.2
+ curl_multi_socket_action@CURL_GNUTLS_3 7.16.3
+ curl_multi_socket_all@CURL_GNUTLS_3 7.16.2
+ curl_multi_strerror@CURL_GNUTLS_3 7.16.2
+ curl_multi_timeout@CURL_GNUTLS_3 7.16.2
+ curl_multi_wait@CURL_GNUTLS_3 7.28.0
+ curl_multi_wakeup@CURL_GNUTLS_3 7.68.0
+ curl_mvaprintf@CURL_GNUTLS_3 7.16.2
+ curl_mvfprintf@CURL_GNUTLS_3 7.16.2
+ curl_mvprintf@CURL_GNUTLS_3 7.16.2
+ curl_mvsnprintf@CURL_GNUTLS_3 7.16.2
+ curl_mvsprintf@CURL_GNUTLS_3 7.16.2
+ curl_pushheader_byname@CURL_GNUTLS_3 7.44.0
+ curl_pushheader_bynum@CURL_GNUTLS_3 7.44.0
+ curl_share_cleanup@CURL_GNUTLS_3 7.16.2
+ curl_share_init@CURL_GNUTLS_3 7.16.2
+ curl_share_setopt@CURL_GNUTLS_3 7.16.2
+ curl_share_strerror@CURL_GNUTLS_3 7.16.2
+ curl_slist_append@CURL_GNUTLS_3 7.16.2
+ curl_slist_free_all@CURL_GNUTLS_3 7.16.2
+ curl_strequal@CURL_GNUTLS_3 7.16.2
+ curl_strnequal@CURL_GNUTLS_3 7.16.2
+ curl_unescape@CURL_GNUTLS_3 7.16.2
+ curl_url@CURL_GNUTLS_3 7.63.0
+ curl_url_cleanup@CURL_GNUTLS_3 7.63.0
+ curl_url_dup@CURL_GNUTLS_3 7.63.0
+ curl_url_get@CURL_GNUTLS_3 7.63.0
+ curl_url_set@CURL_GNUTLS_3 7.63.0
+ curl_url_strerror@CURL_GNUTLS_3 7.80.0
+ curl_version@CURL_GNUTLS_3 7.16.2
+ curl_version_info@CURL_GNUTLS_3 7.16.2
+ curl_ws_meta@CURL_GNUTLS_3 7.86.0
+ curl_ws_recv@CURL_GNUTLS_3 7.86.0
+ curl_ws_send@CURL_GNUTLS_3 7.86.0
diff --git a/debian/libcurl4-doc.docs b/debian/libcurl4-doc.docs
new file mode 100644
index 00000000000000..0db8516af33149
--- /dev/null
+++ b/debian/libcurl4-doc.docs
@@ -0,0 +1,6 @@
+README
+docs/*.md
+docs/FAQ
+docs/KNOWN_BUGS
+docs/THANKS
+docs/TODO
diff --git a/debian/libcurl4-doc.examples b/debian/libcurl4-doc.examples
new file mode 100644
index 00000000000000..684a743a4ecd55
--- /dev/null
+++ b/debian/libcurl4-doc.examples
@@ -0,0 +1 @@
+docs/examples/*
diff --git a/debian/libcurl4-doc.links b/debian/libcurl4-doc.links
new file mode 100644
index 00000000000000..ea9601b0d92fdf
--- /dev/null
+++ b/debian/libcurl4-doc.links
@@ -0,0 +1,10 @@
+/usr/share/man/man3/curl_strequal.3 /usr/share/man/man3/curl_strnequal.3
+/usr/share/man/man3/curl_mprintf.3 /usr/share/man/man3/curl_maprintf.3
+/usr/share/man/man3/curl_mprintf.3 /usr/share/man/man3/curl_mfprintf.3
+/usr/share/man/man3/curl_mprintf.3 /usr/share/man/man3/curl_msnprintf.3
+/usr/share/man/man3/curl_mprintf.3 /usr/share/man/man3/curl_msprintf.3
+/usr/share/man/man3/curl_mprintf.3 /usr/share/man/man3/curl_mvaprintf.3
+/usr/share/man/man3/curl_mprintf.3 /usr/share/man/man3/curl_mvfprintf.3
+/usr/share/man/man3/curl_mprintf.3 /usr/share/man/man3/curl_mvprintf.3
+/usr/share/man/man3/curl_mprintf.3 /usr/share/man/man3/curl_mvsnprintf.3
+/usr/share/man/man3/curl_mprintf.3 /usr/share/man/man3/curl_mvsprintf.3
diff --git a/debian/libcurl4-gnutls-dev.install b/debian/libcurl4-gnutls-dev.install
new file mode 100644
index 00000000000000..1045c12741ba2c
--- /dev/null
+++ b/debian/libcurl4-gnutls-dev.install
@@ -0,0 +1,6 @@
+usr/bin/curl-config
+usr/lib/*/libcurl-gnutls.a
+usr/lib/*/libcurl-gnutls.so
+usr/lib/*/pkgconfig/libcurl.pc
+usr/include
+../../docs/libcurl/libcurl.m4 usr/share/aclocal
diff --git a/debian/libcurl4-gnutls-dev.links b/debian/libcurl4-gnutls-dev.links
new file mode 100755
index 00000000000000..9bd88d64d08954
--- /dev/null
+++ b/debian/libcurl4-gnutls-dev.links
@@ -0,0 +1,4 @@
+#!/bin/sh
+
+echo /usr/lib/$DEB_HOST_MULTIARCH/libcurl-gnutls.a /usr/lib/$DEB_HOST_MULTIARCH/libcurl.a
+echo /usr/lib/$DEB_HOST_MULTIARCH/libcurl-gnutls.so /usr/lib/$DEB_HOST_MULTIARCH/libcurl.so
diff --git a/debian/libcurl4-openssl-dev.install b/debian/libcurl4-openssl-dev.install
new file mode 100644
index 00000000000000..0946927dfd8c2b
--- /dev/null
+++ b/debian/libcurl4-openssl-dev.install
@@ -0,0 +1,6 @@
+usr/bin/curl-config
+usr/lib/*/libcurl.a
+usr/lib/*/libcurl.so
+usr/lib/*/pkgconfig/libcurl.pc
+usr/include
+../../docs/libcurl/libcurl.m4 usr/share/aclocal
diff --git a/debian/libcurl4.install b/debian/libcurl4.install
new file mode 100644
index 00000000000000..2a9d1c3d553e3c
--- /dev/null
+++ b/debian/libcurl4.install
@@ -0,0 +1 @@
+usr/lib/*/libcurl.so.4*
diff --git a/debian/libcurl4.symbols b/debian/libcurl4.symbols
new file mode 100644
index 00000000000000..e17dcc9c4319e0
--- /dev/null
+++ b/debian/libcurl4.symbols
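Review bot: Both `echo` lines expand `$DEB_HOST_MULTIARCH` unguarded, so if this executable links file is ever run without the variable exported (outside dh_link, which normally exports the dpkg-architecture variables to executable config files) it silently emits `/usr/lib//libcurl-gnutls.a /usr/lib//libcurl.a` and the package gets dangling links instead of a build failure. A one-line guard after the shebang, `: "${DEB_HOST_MULTIARCH:?DEB_HOST_MULTIARCH must be set}"`, turns that into a hard error at build time.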
@@ -0,0 +1,97 @@
+libcurl.so.4 libcurl4 #MINVER#
+* Build-Depends-Package: libcurl4-openssl-dev
+ CURL_OPENSSL_4@CURL_OPENSSL_4 7.16.2
+ HIDDEN@HIDDEN 7.16.2
+ curl_easy_cleanup@CURL_OPENSSL_4 7.16.2
+ curl_easy_duphandle@CURL_OPENSSL_4 7.16.2
+ curl_easy_escape@CURL_OPENSSL_4 7.16.2
+ curl_easy_getinfo@CURL_OPENSSL_4 7.16.2
+ curl_easy_header@CURL_OPENSSL_4 7.83.0
+ curl_easy_init@CURL_OPENSSL_4 7.16.2
+ curl_easy_nextheader@CURL_OPENSSL_4 7.83.0
+ curl_easy_option_by_id@CURL_OPENSSL_4 7.74.0
+ curl_easy_option_by_name@CURL_OPENSSL_4 7.74.0
+ curl_easy_option_next@CURL_OPENSSL_4 7.74.0
+ curl_easy_pause@CURL_OPENSSL_4 7.18.0
+ curl_easy_perform@CURL_OPENSSL_4 7.16.2
+ curl_easy_recv@CURL_OPENSSL_4 7.18.2
+ curl_easy_reset@CURL_OPENSSL_4 7.16.2
+ curl_easy_send@CURL_OPENSSL_4 7.18.2
+ curl_easy_setopt@CURL_OPENSSL_4 7.16.2
+ curl_easy_strerror@CURL_OPENSSL_4 7.16.2
+ curl_easy_unescape@CURL_OPENSSL_4 7.16.2
+ curl_easy_upkeep@CURL_OPENSSL_4 7.63.0
+ curl_escape@CURL_OPENSSL_4 7.16.2
+ curl_formadd@CURL_OPENSSL_4 7.16.2
+ curl_formfree@CURL_OPENSSL_4 7.16.2
+ curl_formget@CURL_OPENSSL_4 7.16.2
+ curl_free@CURL_OPENSSL_4 7.16.2
+ curl_getdate@CURL_OPENSSL_4 7.16.2
+ curl_getenv@CURL_OPENSSL_4 7.16.2
+ curl_global_cleanup@CURL_OPENSSL_4 7.16.2
+ curl_global_init@CURL_OPENSSL_4 7.16.2
+ curl_global_init_mem@CURL_OPENSSL_4 7.16.2
+ curl_global_sslset@CURL_OPENSSL_4 7.56.1
+ curl_global_trace@CURL_OPENSSL_4 8.3.0
+ curl_maprintf@CURL_OPENSSL_4 7.16.2
+ curl_mfprintf@CURL_OPENSSL_4 7.16.2
+ curl_mime_addpart@CURL_OPENSSL_4 7.56.1
+ curl_mime_data@CURL_OPENSSL_4 7.56.1
+ curl_mime_data_cb@CURL_OPENSSL_4 7.56.1
+ curl_mime_encoder@CURL_OPENSSL_4 7.56.1
+ curl_mime_filedata@CURL_OPENSSL_4 7.56.1
+ curl_mime_filename@CURL_OPENSSL_4 7.56.1
+ curl_mime_free@CURL_OPENSSL_4 7.56.1
+ curl_mime_headers@CURL_OPENSSL_4 7.56.1
+ curl_mime_init@CURL_OPENSSL_4 7.56.1
+ curl_mime_name@CURL_OPENSSL_4 7.56.1
+ curl_mime_subparts@CURL_OPENSSL_4 7.56.1
+ curl_mime_type@CURL_OPENSSL_4 7.56.1
+ curl_mprintf@CURL_OPENSSL_4 7.16.2
+ curl_msnprintf@CURL_OPENSSL_4 7.16.2
+ curl_msprintf@CURL_OPENSSL_4 7.16.2
+ curl_multi_add_handle@CURL_OPENSSL_4 7.16.2
+ curl_multi_assign@CURL_OPENSSL_4 7.16.2
+ curl_multi_cleanup@CURL_OPENSSL_4 7.16.2
+ curl_multi_fdset@CURL_OPENSSL_4 7.16.2
+ curl_multi_get_handles@CURL_OPENSSL_4 8.4.0
+ curl_multi_info_read@CURL_OPENSSL_4 7.16.2
+ curl_multi_init@CURL_OPENSSL_4 7.16.2
+ curl_multi_perform@CURL_OPENSSL_4 7.16.2
+ curl_multi_poll@CURL_OPENSSL_4 7.66.0
+ curl_multi_remove_handle@CURL_OPENSSL_4 7.16.2
+ curl_multi_setopt@CURL_OPENSSL_4 7.16.2
+ curl_multi_socket@CURL_OPENSSL_4 7.16.2
+ curl_multi_socket_action@CURL_OPENSSL_4 7.16.3
+ curl_multi_socket_all@CURL_OPENSSL_4 7.16.2
+ curl_multi_strerror@CURL_OPENSSL_4 7.16.2
+ curl_multi_timeout@CURL_OPENSSL_4 7.16.2
+ curl_multi_wait@CURL_OPENSSL_4 7.28.0
+ curl_multi_wakeup@CURL_OPENSSL_4 7.68.0
+ curl_mvaprintf@CURL_OPENSSL_4 7.16.2
+ curl_mvfprintf@CURL_OPENSSL_4 7.16.2
+ curl_mvprintf@CURL_OPENSSL_4 7.16.2
+ curl_mvsnprintf@CURL_OPENSSL_4 7.16.2
+ curl_mvsprintf@CURL_OPENSSL_4 7.16.2
+ curl_pushheader_byname@CURL_OPENSSL_4 7.44.0
+ curl_pushheader_bynum@CURL_OPENSSL_4 7.44.0
+ curl_share_cleanup@CURL_OPENSSL_4 7.16.2
+ curl_share_init@CURL_OPENSSL_4 7.16.2
+ curl_share_setopt@CURL_OPENSSL_4 7.16.2
+ curl_share_strerror@CURL_OPENSSL_4 7.16.2
+ curl_slist_append@CURL_OPENSSL_4 7.16.2
+ curl_slist_free_all@CURL_OPENSSL_4 7.16.2
+ curl_strequal@CURL_OPENSSL_4 7.16.2
+ curl_strnequal@CURL_OPENSSL_4 7.16.2
+ curl_unescape@CURL_OPENSSL_4 7.16.2
+ curl_url@CURL_OPENSSL_4 7.63.0
+ curl_url_cleanup@CURL_OPENSSL_4 7.63.0
+ curl_url_dup@CURL_OPENSSL_4 7.63.0
+ curl_url_get@CURL_OPENSSL_4 7.63.0
+ curl_url_set@CURL_OPENSSL_4 7.63.0
+ curl_url_strerror@CURL_OPENSSL_4 7.80.0
+ curl_version@CURL_OPENSSL_4 7.16.2
+ curl_version_info@CURL_OPENSSL_4 7.16.2
+ curl_ws_meta@CURL_OPENSSL_4 7.86.0
+ curl_ws_recv@CURL_OPENSSL_4 7.86.0
+ curl_ws_send@CURL_OPENSSL_4 7.86.0
diff --git a/debian/patches/04_workaround_as_needed_bug.patch b/debian/patches/04_workaround_as_needed_bug.patch new file mode 100644 index 00000000000000..5fc81d86f33c41 --- /dev/null +++ b/debian/patches/04_workaround_as_needed_bug.patch @@ -0,0 +1,40 @@ +Description: Work around libtool --as-needed reordering bug +Origin: vendor +Bug-Debian: http://bugs.debian.org/347650 +Forwarded: not-needed +Author: Alessandro Ghedini +Reviewed-by: Alessandro Ghedini +Last-Update: 2016-08-03 + +Index: curl/ltmain.sh +=================================================================== +--- curl.orig/ltmain.sh ++++ curl/ltmain.sh +@@ -7488,6 +7488,11 @@ func_mode_link () + arg=$func_stripname_result + ;; + ++ -Wl,--as-needed|-Wl,--no-as-needed) ++ deplibs="$arg $deplibs" ++ continue ++ ;; ++ + -Wl,*) + func_stripname '-Wl,' '' "$arg" + args=$func_stripname_result +@@ -7887,6 +7892,15 @@ func_mode_link () + lib= + found=false + case $deplib in ++ -Wl,--as-needed|-Wl,--no-as-needed) ++ if test "$linkmode,$pass" = "prog,link"; then ++ compile_deplibs="$deplib $compile_deplibs" ++ finalize_deplibs="$deplib $finalize_deplibs" ++ else ++ deplibs="$deplib $deplibs" ++ fi ++ continue ++ ;; + -mt|-mthreads|-kthread|-Kthread|-pthread|-pthreads|--thread-safe \ + |-threads|-fopenmp|-openmp|-mp|-xopenmp|-omp|-qsmp=*) + if test prog,link = "$linkmode,$pass"; then diff --git a/debian/patches/08_enable-zsh.patch b/debian/patches/08_enable-zsh.patch new file mode 100644 index 00000000000000..7ba7febc94ef56 --- /dev/null +++ b/debian/patches/08_enable-zsh.patch 
@@ -0,0 +1,22 @@ +Description: Enable zsh completion generation +Origin: vendor +Forwarded: not-needed +Author: Alessandro Ghedini +Reviewed-by: Alessandro Ghedini +Last-Update: 2016-08-03 + +Index: curl/Makefile.am +=================================================================== +--- curl.orig/Makefile.am ++++ curl/Makefile.am +@@ -133,8 +133,8 @@ CLEANFILES = $(VC14_LIBVCXPROJ) \ + + bin_SCRIPTS = curl-config + +-SUBDIRS = lib src +-DIST_SUBDIRS = $(SUBDIRS) tests packages scripts include docs ++SUBDIRS = lib src scripts ++DIST_SUBDIRS = $(SUBDIRS) tests packages include docs + + pkgconfigdir = $(libdir)/pkgconfig + pkgconfig_DATA = libcurl.pc diff --git a/debian/patches/11_omit-directories-from-config.patch b/debian/patches/11_omit-directories-from-config.patch new file mode 100644 index 00000000000000..70529663a825e7 --- /dev/null +++ b/debian/patches/11_omit-directories-from-config.patch 
@@ -0,0 +1,55 @@ +Description: In order to (partially) multi-arch-ify curl-config, remove all + mention of @includedir@ and @libdir@ from the script. On Debian, the actual + header and library directories are architecture-dependent, but will always be + in the C compiler's default search path, so -I and -L options are not + necessary (and may be harmful in multi-arch environments.) +Origin: vendor +Bug-Debian: http://bugs.debian.org/731998 +Forwarded: not-needed +Author: Benjamin Moody +Reviewed-by: Alessandro Ghedini +Last-Update: 2017-01-10 + +Index: curl/curl-config.in +=================================================================== +--- curl.orig/curl-config.in ++++ curl/curl-config.in +@@ -25,7 +25,6 @@ + + prefix="@prefix@" + exec_prefix=@exec_prefix@ +-includedir=@includedir@ + cppflag_curl_staticlib=@CPPFLAG_CURL_STATICLIB@ + + usage() +@@ -149,19 +148,11 @@ while test $# -gt 0; do + else + CPPFLAG_CURL_STATICLIB="" + fi +- if test "X@includedir@" = "X/usr/include"; then +- echo "$CPPFLAG_CURL_STATICLIB" +- else +- echo "${CPPFLAG_CURL_STATICLIB}-I@includedir@" +- fi ++ echo "$CPPFLAG_CURL_STATICLIB" + ;; + + --libs) +- if test "X@libdir@" != "X/usr/lib" -a "X@libdir@" != "X/usr/lib64"; then +- CURLLIBDIR="-L@libdir@ " +- else +- CURLLIBDIR="" +- fi ++ CURLLIBDIR="" + if test "X@ENABLE_SHARED@" = "Xno"; then + echo ${CURLLIBDIR}-lcurl @LIBCURL_LIBS@ + else +@@ -174,7 +165,7 @@ while test $# -gt 0; do + + --static-libs) + if test "X@ENABLE_STATIC@" != "Xno" ; then +- echo "@libdir@/libcurl.@libext@" @LDFLAGS@ @LIBCURL_LIBS@ ++ echo -Wl,-Bstatic -lcurl -Wl,-Bdynamic @LDFLAGS@ @LIBCURL_LIBS@ + else + echo "curl was built with static libraries disabled" >&2 + exit 1 diff --git a/debian/patches/90_gnutls.patch b/debian/patches/90_gnutls.patch new file mode 100644 index 00000000000000..b41f8d083d4a1f --- /dev/null +++ b/debian/patches/90_gnutls.patch 
@@ -0,0 +1,190 @@ +From: Ramakrishnan Muthukrishnan +Date: Thu, 3 Aug 2023 18:35:34 -0400 +Subject: Build with GnuTLS. + +Origin: vendor +Forwarded: not-needed +Reviewed-by: Alessandro Ghedini +Last-Update: 2018-05-23 +--- + docs/examples/Makefile.am | 4 ++-- + lib/Makefile.am | 42 +++++++++++++++++++++--------------------- + lib/libcurl.vers.in | 2 +- + src/Makefile.am | 4 ++-- + tests/http/clients/Makefile.am | 4 ++-- + tests/http/clients/Makefile.in | 20 ++++++++++---------- + tests/libtest/Makefile.am | 8 ++++---- + 7 files changed, 42 insertions(+), 42 deletions(-) + +--- a/docs/examples/Makefile.am ++++ b/docs/examples/Makefile.am +@@ -51,9 +51,9 @@ LIBS = $(BLANK_AT_MAKETIME) + + # Dependencies + if USE_EXPLICIT_LIB_DEPS +-LDADD = $(LIBDIR)/libcurl.la @LIBCURL_LIBS@ ++LDADD = $(LIBDIR)/libcurl-gnutls.la @LIBCURL_LIBS@ + else +-LDADD = $(LIBDIR)/libcurl.la ++LDADD = $(LIBDIR)/libcurl-gnutls.la + endif + + # This might hold -Werror +--- a/lib/Makefile.am ++++ b/lib/Makefile.am +@@ -31,7 +31,7 @@ EXTRA_DIST = Makefile.mk config-win32.h config-win32ce.h config-plan9.h \ + config-os400.h setup-os400.h $(CMAKE_DIST) setup-win32.h .checksrc \ + Makefile.soname + +-lib_LTLIBRARIES = libcurl.la ++lib_LTLIBRARIES = libcurl-gnutls.la + + if BUILD_UNITTESTS + noinst_LTLIBRARIES = libcurlu.la +@@ -67,55 +67,55 @@ AM_CFLAGS = + # Makefile.inc provides the CSOURCES and HHEADERS defines + include Makefile.inc + +-libcurl_la_SOURCES = $(CSOURCES) $(HHEADERS) +-libcurlu_la_SOURCES = $(CSOURCES) $(HHEADERS) ++libcurl_gnutls_la_SOURCES = $(CSOURCES) $(HHEADERS) ++libcurlu_gnutls_la_SOURCES = $(CSOURCES) $(HHEADERS) + +-libcurl_la_CPPFLAGS_EXTRA = +-libcurl_la_LDFLAGS_EXTRA = +-libcurl_la_CFLAGS_EXTRA = ++libcurl_gnutls_la_CPPFLAGS_EXTRA = ++libcurl_gnutls_la_LDFLAGS_EXTRA = ++libcurl_gnutls_la_CFLAGS_EXTRA = + + if CURL_LT_SHLIB_USE_VERSION_INFO +-libcurl_la_LDFLAGS_EXTRA += $(VERSIONINFO) ++libcurl_gnutls_la_LDFLAGS_EXTRA += $(VERSIONINFO) + endif + + if 
CURL_LT_SHLIB_USE_NO_UNDEFINED +-libcurl_la_LDFLAGS_EXTRA += -no-undefined ++libcurl_gnutls_la_LDFLAGS_EXTRA += -no-undefined + endif + + if CURL_LT_SHLIB_USE_MIMPURE_TEXT +-libcurl_la_LDFLAGS_EXTRA += -mimpure-text ++libcurl_gnutls_la_LDFLAGS_EXTRA += -mimpure-text + endif + + if CURL_LT_SHLIB_USE_VERSIONED_SYMBOLS +-libcurl_la_LDFLAGS_EXTRA += -Wl,--version-script=libcurl.vers ++libcurl_gnutls_la_LDFLAGS_EXTRA += -Wl,--version-script=libcurl.vers + else + # if symbol-hiding is enabled, hide them! + if DOING_CURL_SYMBOL_HIDING +-libcurl_la_LDFLAGS_EXTRA += -export-symbols-regex '^curl_.*' ++libcurl_gnutls_la_LDFLAGS_EXTRA += -export-symbols-regex '^curl_.*' + endif + endif + + if USE_CPPFLAG_CURL_STATICLIB +-libcurl_la_CPPFLAGS_EXTRA += -DCURL_STATICLIB ++libcurl_gnutls_la_CPPFLAGS_EXTRA += -DCURL_STATICLIB + else + if HAVE_WINDRES +-libcurl_la_SOURCES += $(LIB_RCFILES) ++libcurl_gnutls_la_SOURCES += $(LIB_RCFILES) + $(LIB_RCFILES): $(top_srcdir)/include/curl/curlver.h + endif + endif + + if DOING_CURL_SYMBOL_HIDING +-libcurl_la_CPPFLAGS_EXTRA += -DCURL_HIDDEN_SYMBOLS +-libcurl_la_CFLAGS_EXTRA += $(CFLAG_CURL_SYMBOL_HIDING) ++libcurl_gnutls_la_CPPFLAGS_EXTRA += -DCURL_HIDDEN_SYMBOLS ++libcurl_gnutls_la_CFLAGS_EXTRA += $(CFLAG_CURL_SYMBOL_HIDING) + endif + +-libcurl_la_CPPFLAGS = $(AM_CPPFLAGS) $(libcurl_la_CPPFLAGS_EXTRA) +-libcurl_la_LDFLAGS = $(AM_LDFLAGS) $(libcurl_la_LDFLAGS_EXTRA) $(CURL_LDFLAGS_LIB) $(LIBCURL_LIBS) +-libcurl_la_CFLAGS = $(AM_CFLAGS) $(libcurl_la_CFLAGS_EXTRA) ++libcurl_gnutls_la_CPPFLAGS = $(AM_CPPFLAGS) $(libcurl_gnutls_la_CPPFLAGS_EXTRA) ++libcurl_gnutls_la_LDFLAGS = $(AM_LDFLAGS) $(libcurl_gnutls_la_LDFLAGS_EXTRA) $(CURL_LDFLAGS_LIB) $(LIBCURL_LIBS) ++libcurl_gnutls_la_CFLAGS = $(AM_CFLAGS) $(libcurl_gnutls_la_CFLAGS_EXTRA) + +-libcurlu_la_CPPFLAGS = $(AM_CPPFLAGS) -DCURL_STATICLIB -DUNITTESTS +-libcurlu_la_LDFLAGS = $(AM_LDFLAGS) -static $(LIBCURL_LIBS) +-libcurlu_la_CFLAGS = $(AM_CFLAGS) ++libcurlu_gnutls_la_CPPFLAGS = $(AM_CPPFLAGS) 
-DCURL_STATICLIB -DUNITTESTS ++libcurlu_gnutls_la_LDFLAGS = $(AM_LDFLAGS) -static $(LIBCURL_LIBS) ++libcurlu_gnutls_la_CFLAGS = $(AM_CFLAGS) + + CHECKSRC = $(CS_$(V)) + CS_0 = @echo " RUN " $@; +--- a/lib/libcurl.vers.in ++++ b/lib/libcurl.vers.in +@@ -6,7 +6,7 @@ HIDDEN + _save*; + }; + +-CURL_@CURL_LT_SHLIB_VERSIONED_FLAVOUR@4 ++CURL_@CURL_LT_SHLIB_VERSIONED_FLAVOUR@3 + { + global: curl_*; + local: *; +--- a/src/Makefile.am ++++ b/src/Makefile.am +@@ -70,9 +70,9 @@ CFLAGS += @CURL_CFLAG_EXTRAS@ + LIBS = $(BLANK_AT_MAKETIME) + + if USE_EXPLICIT_LIB_DEPS +-curl_LDADD = $(top_builddir)/lib/libcurl.la @LIBCURL_LIBS@ ++curl_LDADD = $(top_builddir)/lib/libcurl-gnutls.la @LIBCURL_LIBS@ + else +-curl_LDADD = $(top_builddir)/lib/libcurl.la @SSL_LIBS@ @ZLIB_LIBS@ @CURL_NETWORK_AND_TIME_LIBS@ ++curl_LDADD = $(top_builddir)/lib/libcurl-gnutls.la @SSL_LIBS@ @ZLIB_LIBS@ @CURL_NETWORK_AND_TIME_LIBS@ + endif + + # if unit tests are enabled, build a static library to link them with +--- a/tests/data/test1538 ++++ b/tests/data/test1538 +@@ -133,8 +133,7 @@ e97: proxy handshake error + e98: SSL Client Certificate required + e99: Unrecoverable error in select/poll + e100: A value or data field grew larger than allowed +-e101: ECH attempted but failed +-e102: Unknown error ++e101: Unknown error + m-1: Please call curl_multi_perform() soon + m0: No error + m1: Invalid multi handle +diff --git a/tests/http/clients/Makefile.am b/tests/http/clients/Makefile.am +index 8fdc190..ddc9be4 100644 +--- a/tests/http/clients/Makefile.am ++++ b/tests/http/clients/Makefile.am +@@ -51,9 +51,9 @@ LIBS = $(BLANK_AT_MAKETIME) + + # Dependencies + if USE_EXPLICIT_LIB_DEPS +-LDADD = $(LIBDIR)/libcurl.la @LIBCURL_LIBS@ ++LDADD = $(LIBDIR)/libcurl-gnutls.la @LIBCURL_LIBS@ + else +-LDADD = $(LIBDIR)/libcurl.la ++LDADD = $(LIBDIR)/libcurl-gnutls.la + endif + + # This might hold -Werror +--- a/tests/libtest/Makefile.am ++++ b/tests/libtest/Makefile.am +@@ -49,11 +49,11 @@ CLEANFILES = lib1521.c + LIBS = 
$(BLANK_AT_MAKETIME) + + if USE_EXPLICIT_LIB_DEPS +-SUPPORTFILES_LIBS = $(top_builddir)/lib/libcurl.la @LIBCURL_LIBS@ +-TESTUTIL_LIBS = $(top_builddir)/lib/libcurl.la @LIBCURL_LIBS@ ++SUPPORTFILES_LIBS = $(top_builddir)/lib/libcurl-gnutls.la @LIBCURL_LIBS@ ++TESTUTIL_LIBS = $(top_builddir)/lib/libcurl-gnutls.la @LIBCURL_LIBS@ + else +-SUPPORTFILES_LIBS = $(top_builddir)/lib/libcurl.la @CURL_NETWORK_LIBS@ +-TESTUTIL_LIBS = $(top_builddir)/lib/libcurl.la @CURL_NETWORK_AND_TIME_LIBS@ ++SUPPORTFILES_LIBS = $(top_builddir)/lib/libcurl-gnutls.la @CURL_NETWORK_LIBS@ ++TESTUTIL_LIBS = $(top_builddir)/lib/libcurl-gnutls.la @CURL_NETWORK_AND_TIME_LIBS@ + endif + + # Dependencies (may need to be overridden) diff --git a/debian/patches/Remove-curl-s-LDFLAGS-from-curl-config-static-libs.patch b/debian/patches/Remove-curl-s-LDFLAGS-from-curl-config-static-libs.patch new file mode 100644 index 00000000000000..4dec4b0cf706f4 --- /dev/null +++ b/debian/patches/Remove-curl-s-LDFLAGS-from-curl-config-static-libs.patch 
@@ -0,0 +1,42 @@ +From: Simon McVittie +Date: Tue, 22 Nov 2022 21:20:51 +0000 +Subject: Remove curl's LDFLAGS from curl-config --static-libs + +On current Debian bookworm, the LDFLAGS consist of +-L/usr/lib/${triplet}/mit-krb5 originating from +`pkg-config --libs-only-L mit-krb5-gssapi` from krb5-multidev, plus +some linker options that are intended for curl itself rather than for +dependent packages. None of these are really desirable, and they create +divergence between architectures that would prevent libcurl-*-dev from +being Multi-Arch: same. + +The -L flag is not really needed, for the same reason that -L@libdir@ +isn't. curl Build-Depends on libkrb5-dev, which doesn't need a special +-L flag to find libgssapi_krb5, and the various libcurl-*-dev packages +have Suggests on libkrb5-dev rather than on krb5-multidev for static +linking. + +The other options (currently `-Wl,-z-relro -Wl,-z,now`) are intended +for libcurl itself, and if dependent packages want those options then +they should set them from their own packaging. + +Bug-Debian: https://bugs.debian.org/1024668 +Forwarded: not-needed +Signed-off-by: Simon McVittie +--- + curl-config.in | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +Index: curl/curl-config.in +=================================================================== +--- curl.orig/curl-config.in ++++ curl/curl-config.in +@@ -165,7 +165,7 @@ while test $# -gt 0; do + + --static-libs) + if test "X@ENABLE_STATIC@" != "Xno" ; then +- echo -Wl,-Bstatic -lcurl -Wl,-Bdynamic @LDFLAGS@ @LIBCURL_LIBS@ ++ echo -Wl,-Bstatic -lcurl -Wl,-Bdynamic @LIBCURL_LIBS@ + else + echo "curl was built with static libraries disabled" >&2 + exit 1 diff --git a/debian/patches/add_errorcodes_upstream_file.patch b/debian/patches/add_errorcodes_upstream_file.patch new file mode 100644 index 00000000000000..c09b92538d2ba4 --- /dev/null +++ b/debian/patches/add_errorcodes_upstream_file.patch 
@@ -0,0 +1,106 @@ +Description: Add upstream file that missed the tarball for 8.5.0 + More context at https://github.com/curl/curl/issues/12462#issuecomment-1843569943 +Author: Samuel Henrique +Forwarded: not-needed +--- /dev/null ++++ b/tests/errorcodes.pl +@@ -0,0 +1,99 @@ ++#!/usr/bin/env perl ++#*************************************************************************** ++# _ _ ____ _ ++# Project ___| | | | _ \| | ++# / __| | | | |_) | | ++# | (__| |_| | _ <| |___ ++# \___|\___/|_| \_\_____| ++# ++# Copyright (C) Daniel Stenberg, , et al. ++# ++# This software is licensed as described in the file COPYING, which ++# you should have received as part of this distribution. The terms ++# are also available at https://curl.se/docs/copyright.html. ++# ++# You may opt to use, copy, modify, merge, publish, distribute and/or sell ++# copies of the Software, and permit persons to whom the Software is ++# furnished to do so, under the terms of the COPYING file. ++# ++# This software is distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY ++# KIND, either express or implied. ++# ++# SPDX-License-Identifier: curl ++# ++########################################################################### ++ ++# Check that libcurl-errors.3 and the public header files have the same set of ++# error codes. 
++ ++use strict; ++use warnings; ++ ++# we may get the dir roots pointed out ++my $root=$ARGV[0] || "."; ++my $manpge = "$root/docs/libcurl/libcurl-errors.3"; ++my $curlh = "$root/include/curl"; ++my $errors=0; ++ ++my @hnames; ++my %wherefrom; ++my @mnames; ++my %manfrom; ++ ++sub scanheader { ++ my ($file)=@_; ++ open H, "<$file"; ++ my $line = 0; ++ while() { ++ $line++; ++ if($_ =~ /^ (CURL(E|UE|SHE|HE|M)_[A-Z0-9_]*)/) { ++ my ($name)=($1); ++ if(($name !~ /OBSOLETE/) && ($name !~ /_LAST\z/)) { ++ push @hnames, $name; ++ if($wherefrom{$name}) { ++ print STDERR "double: $name\n"; ++ } ++ $wherefrom{$name}="$file:$line"; ++ } ++ } ++ } ++ close(H); ++} ++ ++sub scanmanpage { ++ my ($file)=@_; ++ open H, "<$file"; ++ my $line = 0; ++ while() { ++ $line++; ++ if($_ =~ /^\.IP \"(CURL(E|UE|SHE|HE|M)_[A-Z0-9_]*)/) { ++ my ($name)=($1); ++ push @mnames, $name; ++ $manfrom{$name}="$file:$line"; ++ } ++ } ++ close(H); ++} ++ ++ ++opendir(my $dh, $curlh) || die "Can't opendir $curlh: $!"; ++my @hfiles = grep { /\.h$/ } readdir($dh); ++closedir $dh; ++ ++for(sort @hfiles) { ++ scanheader("$curlh/$_"); ++} ++scanmanpage($manpge); ++ ++print "Result\n"; ++for my $h (sort @hnames) { ++ if(!$manfrom{$h}) { ++ printf "$h from %s, not in man page\n", $wherefrom{$h}; ++ } ++} ++ ++for my $m (sort @mnames) { ++ if(!$wherefrom{$m}) { ++ printf "$m from %s, not in any header\n", $manfrom{$m}; ++ } ++} diff --git a/debian/patches/build-Divide-mit-krb5-gssapi-link-flags-between-LDFLAGS-a.patch b/debian/patches/build-Divide-mit-krb5-gssapi-link-flags-between-LDFLAGS-a.patch new file mode 100644 index 00000000000000..a2842702160c9b --- /dev/null +++ b/debian/patches/build-Divide-mit-krb5-gssapi-link-flags-between-LDFLAGS-a.patch 
@@ -0,0 +1,32 @@ +From: Simon McVittie +Date: Tue, 22 Nov 2022 20:43:41 +0000 +Subject: build: Divide mit-krb5-gssapi link flags between LDFLAGS and LIBS + +From the comments nearby about not having --libs-only-L, it looks as +though the intention was to apply a split like this to all dependency +libraries where possible, and the only reason it was not done for +Kerberos is that krb5-config doesn't have that feature and pkg-config +was originally not supported here. For example, zlib, libssh and librtmp +all have their flags from pkg-config split in this way. + +Now that pkg-config is supported here, we can do the intended split. + +Signed-off-by: Simon McVittie +--- + configure.ac | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +Index: curl/configure.ac +=================================================================== +--- curl.orig/configure.ac ++++ curl/configure.ac +@@ -1890,7 +1890,8 @@ if test x"$want_gss" = xyes; then + gss_libs=`$GSSAPI_ROOT/bin/$host_alias-krb5-config --libs gssapi` + LIBS="$gss_libs $LIBS" + elif test "$PKGCONFIG" != "no" ; then +- gss_libs=`$PKGCONFIG --libs mit-krb5-gssapi` ++ LDFLAGS="$LDFLAGS `$PKGCONFIG --libs-only-L mit-krb5-gssapi`" ++ gss_libs=`$PKGCONFIG --libs-only-l mit-krb5-gssapi` + LIBS="$gss_libs $LIBS" + elif test -f "$KRB5CONFIG"; then + dnl krb5-config doesn't have --libs-only-L or similar, put everything diff --git a/debian/patches/dist_add_tests_errorcodes_pl_to_the_tarball.patch b/debian/patches/dist_add_tests_errorcodes_pl_to_the_tarball.patch new file mode 100644 index 00000000000000..91b0b1f292319d --- /dev/null +++ b/debian/patches/dist_add_tests_errorcodes_pl_to_the_tarball.patch 
@@ -0,0 +1,46 @@ +From da8c1d15782c8161b455a7ee90197c16ae5edb90 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Wed, 6 Dec 2023 09:40:30 +0100 +Subject: [PATCH] dist: add tests/errorcodes.pl to the tarball + +Used by test 1477 + +Reported-by: Xi Ruoyao +Follow-up to 0ca3a4ec9a7 +Fixes #12462 +Closes #12463 +--- + tests/Makefile.am | 20 +++++++++++--------- + 1 file changed, 11 insertions(+), 9 deletions(-) + +diff --git a/tests/Makefile.am b/tests/Makefile.am +index 17e9ad04938ebb..c6ae7a97afd93e 100644 +--- a/tests/Makefile.am ++++ b/tests/Makefile.am +@@ -26,15 +26,17 @@ HTMLPAGES = testcurl.html runtests.html + PDFPAGES = testcurl.pdf runtests.pdf + MANDISTPAGES = runtests.1.dist testcurl.1.dist + +-EXTRA_DIST = appveyor.pm azure.pm badsymbols.pl check-deprecated.pl CMakeLists.txt \ +- devtest.pl dictserver.py directories.pm disable-scan.pl error-codes.pl extern-scan.pl FILEFORMAT.md \ +- processhelp.pm ftpserver.pl getpart.pm globalconfig.pm http-server.pl http2-server.pl \ +- http3-server.pl manpage-scan.pl manpage-syntax.pl markdown-uppercase.pl mem-include-scan.pl \ +- memanalyze.pl negtelnetserver.py nroff-scan.pl option-check.pl options-scan.pl \ +- pathhelp.pm README.md rtspserver.pl runner.pm runtests.1 runtests.pl secureserver.pl \ +- serverhelp.pm servers.pm smbserver.py sshhelp.pm sshserver.pl stunnel.pem symbol-scan.pl \ +- testcurl.1 testcurl.pl testutil.pm tftpserver.pl util.py valgrind.pm \ +- valgrind.supp version-scan.pl check-translatable-options.pl ++EXTRA_DIST = appveyor.pm azure.pm badsymbols.pl check-deprecated.pl \ ++ CMakeLists.txt devtest.pl dictserver.py directories.pm disable-scan.pl \ ++ error-codes.pl extern-scan.pl FILEFORMAT.md processhelp.pm ftpserver.pl \ ++ getpart.pm globalconfig.pm http-server.pl http2-server.pl http3-server.pl \ ++ manpage-scan.pl manpage-syntax.pl markdown-uppercase.pl mem-include-scan.pl \ ++ memanalyze.pl negtelnetserver.py nroff-scan.pl option-check.pl \ ++ options-scan.pl pathhelp.pm README.md 
rtspserver.pl runner.pm runtests.1 \ ++ runtests.pl secureserver.pl serverhelp.pm servers.pm smbserver.py sshhelp.pm \ ++ sshserver.pl stunnel.pem symbol-scan.pl testcurl.1 testcurl.pl testutil.pm \ ++ tftpserver.pl util.py valgrind.pm valgrind.supp version-scan.pl \ ++ check-translatable-options.pl errorcodes.pl + + DISTCLEANFILES = configurehelp.pm + diff --git a/debian/patches/openldap_fix_an_LDAP_crash.patch b/debian/patches/openldap_fix_an_LDAP_crash.patch new file mode 100644 index 00000000000000..ae2d7d476cc8ed --- /dev/null +++ b/debian/patches/openldap_fix_an_LDAP_crash.patch @@ -0,0 +1,35 @@ +From fa6e123929de94064f1b1cb135f30b0a945ba399 Mon Sep 17 00:00:00 2001 +From: Patrick Monnerat +Date: Wed, 27 Dec 2023 11:19:17 +0100 +Subject: [PATCH] openldap: fix an LDAP crash + +Reported-by: Ozan Cansel +Fixes #12593 +Closes #12600 +--- + lib/openldap.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +diff --git a/lib/openldap.c b/lib/openldap.c +index c9417fbe2a1c2b..fcc9f91f44c3d9 100644 +--- a/lib/openldap.c ++++ b/lib/openldap.c +@@ -887,10 +887,14 @@ static CURLcode oldap_do(struct Curl_easy *data, bool *done) + + result = oldap_url_parse(data, &lud); + if(!result) { +- Sockbuf *sb; +- /* re-install the libcurl SSL handlers into the sockbuf. */ +- ldap_get_option(li->ld, LDAP_OPT_SOCKBUF, &sb); +- ber_sockbuf_add_io(sb, &ldapsb_tls, LBER_SBIOD_LEVEL_TRANSPORT, data); ++#ifdef USE_SSL ++ if(ssl_installed(conn)) { ++ Sockbuf *sb; ++ /* re-install the libcurl SSL handlers into the sockbuf. */ ++ ldap_get_option(li->ld, LDAP_OPT_SOCKBUF, &sb); ++ ber_sockbuf_add_io(sb, &ldapsb_tls, LBER_SBIOD_LEVEL_TRANSPORT, data); ++ } ++#endif + + rc = ldap_search_ext(li->ld, lud->lud_dn, lud->lud_scope, + lud->lud_filter, lud->lud_attrs, 0, diff --git a/debian/patches/series b/debian/patches/series new file mode 100644 index 00000000000000..416b683b5188be --- /dev/null +++ b/debian/patches/series 
@@ -0,0 +1,10 @@
+# Packaging patches.
+08_enable-zsh.patch
+build-Divide-mit-krb5-gssapi-link-flags-between-LDFLAGS-a.patch
+11_omit-directories-from-config.patch
+Remove-curl-s-LDFLAGS-from-curl-config-static-libs.patch
+
+# Do not add patches below.
+# Used to generate packages for the other crypto libraries.
+add_errorcodes_upstream_file.patch
+90_gnutls.patch
diff --git a/debian/rules b/debian/rules
new file mode 100755
index 00000000000000..03488a6a9a4b48
--- /dev/null
+++ b/debian/rules
@@ -0,0 +1,184 @@ +#! /usr/bin/make -f + +# Include pkg-info to make use of DEB_VERSION +include /usr/share/dpkg/pkg-info.mk + +# enable all hardening options (see #763372) +export DEB_BUILD_MAINT_OPTIONS = hardening=+all + +DEB_BUILD_GNU_TYPE ?= $(shell dpkg-architecture -qDEB_BUILD_GNU_TYPE) +DEB_HOST_MULTIARCH ?= $(shell dpkg-architecture -qDEB_HOST_MULTIARCH) + +CONFIGURE_ARGS = -- --disable-dependency-tracking \ + --disable-symbol-hiding --enable-versioned-symbols \ + --enable-threaded-resolver --with-lber-lib=lber \ + --with-gssapi=/usr --with-nghttp2 \ + --includedir=/usr/include/$(DEB_HOST_MULTIARCH) \ + --with-zsh-functions-dir=/usr/share/zsh/vendor-completions + +# disable libssh2 on Ubuntu (see #888449) +ifeq ($(shell dpkg-vendor --derives-from Ubuntu && echo yes),yes) + CONFIGURE_ARGS += --with-libssh --without-libssh2 +else + CONFIGURE_ARGS += --without-libssh --with-libssh2 +endif + + +ifneq (,$(filter parallel=%,$(DEB_BUILD_OPTIONS))) + NUMJOBS = $(patsubst parallel=%,%,$(filter parallel=%,$(DEB_BUILD_OPTIONS))) + MAKEFLAGS += -j$(NUMJOBS) +endif + +export DEB_CFLAGS_MAINT_APPEND = -D_DEB_HOST_ARCH=\"$(DEB_HOST_MULTIARCH)\" -DCURL_PATCHSTAMP=\"$(DEB_VERSION)\" +export DEB_CXXFLAGS_MAINT_APPEND = -D_DEB_HOST_ARCH=\"$(DEB_HOST_MULTIARCH)\" -DCURL_PATCHSTAMP=\"$(DEB_VERSION)\" + +ifneq ($(filter pkg.curl.openssl-only,$(DEB_BUILD_PROFILES)),) + DEB_BUILD_PROFILES += pkg.curl.no-gnutls +endif +ifneq ($(filter pkg.curl.gnutls-only,$(DEB_BUILD_PROFILES)),) + DEB_BUILD_PROFILES += pkg.curl.no-openssl +endif + +%: + dh $@ + +override_dh_auto_configure: +ifeq ($(filter pkg.curl.no-openssl,$(DEB_BUILD_PROFILES)),) + mkdir -p debian/build +endif +ifeq ($(filter pkg.curl.no-gnutls,$(DEB_BUILD_PROFILES)),) + mkdir -p debian/build-gnutls +endif +# pop the last patch (gnutls) + quilt pop +ifeq ($(filter pkg.curl.no-openssl,$(DEB_BUILD_PROFILES)),) +# get the source without gnutls patch + tar -cf - --exclude=debian/build* --exclude=.pc . 
\ + | tar -xf - -C debian/build +endif +# push the last patch which must be gnutls + quilt push +ifeq ($(filter pkg.curl.no-gnutls,$(DEB_BUILD_PROFILES)),) +# get the source with gnutls patch applied + tar -cf - --exclude=debian/build* --exclude=.pc . \ + | tar -xf - -C debian/build-gnutls +endif +ifeq ($(filter pkg.curl.no-openssl,$(DEB_BUILD_PROFILES)),) + cd debian/build && \ + ./buildconf && \ + cp ../../ltmain.sh . && \ + dh_auto_configure ${CONFIGURE_ARGS} --with-openssl \ + --with-ca-path=/etc/ssl/certs \ + --enable-ech --enable-httpsrr \ + --with-ca-bundle=/etc/ssl/certs/ca-certificates.crt +endif +ifeq ($(filter pkg.curl.no-gnutls,$(DEB_BUILD_PROFILES)),) + cd debian/build-gnutls && \ + ./buildconf && \ + cp ../../ltmain.sh . && \ + dh_auto_configure ${CONFIGURE_ARGS} --with-gnutls \ + --with-ca-path=/etc/ssl/certs +endif + +override_dh_auto_build: +ifeq ($(filter pkg.curl.no-openssl,$(DEB_BUILD_PROFILES)),) + cd debian/build && dh_auto_build +endif +ifeq ($(filter pkg.curl.no-gnutls,$(DEB_BUILD_PROFILES)),) + cd debian/build-gnutls && dh_auto_build +endif + +# Test parameters that are passed to runtests.pl. +# -n disables valgrind usage +TESTS_GENERAL_PARAMETERS += -n + +# These tests fail if a IPv6-only builder is used: +# https://bugs.debian.org/1032343 +# https://github.com/curl/curl/issues/10682 +TESTS_FAILS_ON_IPV6_ONLY_MACHINES ?= $(addprefix ~, 300 301 303 304 306 309 310 325 364 400 401 403 406 407 408 409 410 414 417 560 678 987 988 989 1112 1272 1470 1561 1562 1630 1631 1632 2034 2037 2041 3000 3001 3102) + +TESTS_GENERAL_PARAMETERS += $(TESTS_FAILS_ON_IPV6_ONLY_MACHINES) + +# ignore ECH symbol +TESTS_GENERAL_PARAMETERS += ~1119 ~1139 ~1477 ~1478 ~1538 + +override_dh_auto_test: +ifeq ($(filter nocheck,$(DEB_BUILD_PROFILES)),) +ifeq ($(filter pkg.curl.no-openssl,$(DEB_BUILD_PROFILES)),) +# OpenSSL tests. 
+ cd debian/build && VERBOSE=1 \ + TFLAGS="$(TESTS_GENERAL_PARAMETERS)" \ + $(MAKE) test-nonflaky +endif +ifeq ($(filter pkg.curl.no-gnutls,$(DEB_BUILD_PROFILES)),) +# GnuTLS tests. + cd debian/build-gnutls && VERBOSE=1 \ + TFLAGS="$(TESTS_GENERAL_PARAMETERS)" \ + $(MAKE) test-nonflaky +endif +endif + +override_dh_install: +ifeq ($(filter pkg.curl.no-openssl,$(DEB_BUILD_PROFILES)),) + ${MAKE} -C debian/build \ + DESTDIR=$(shell pwd)/debian/tmp install +endif +ifeq ($(filter pkg.curl.no-gnutls,$(DEB_BUILD_PROFILES)),) + ${MAKE} -C debian/build-gnutls \ + DESTDIR=$(shell pwd)/debian/tmp-gnutls install +endif + find debian/tmp* -name '*.la' -delete +ifeq ($(filter pkg.curl.no-openssl,$(DEB_BUILD_PROFILES)),) + dh_install -pcurl -plibcurl4 -plibcurl4-openssl-dev -plibcurl4-doc \ + --sourcedir=debian/tmp +endif +ifeq ($(filter pkg.curl.no-gnutls,$(DEB_BUILD_PROFILES)),) + dh_install -plibcurl3-gnutls -plibcurl4-gnutls-dev \ + --sourcedir=debian/tmp-gnutls +endif +# Modify curl-config to make it architecture-independent: +# 1. In --static-libs output, replace the output of krb5-config (which +# currently includes architecture-specific paths) with a call at +# runtime to krb5-config. Of course, this will only work correctly +# if the installed libkrb5-dev matches the architecture of the +# program you're linking, or if libkrb5-dev is made +# multiarch-compatible at some point in the future. For dynamic +# linking this has no impact. +# 2. In --configure output, replace the architecture-specific paths +# used for --libdir and --libexecdir with a literal backquoted call +# to dpkg-architecture. This is functionally equivalent to the way +# debhelper actually invokes configure, and indicates to the user +# (who runs curl-config --configure in order to learn about how the +# library was compiled) that they are in fact using a multi-arch +# package. +# 3. 
Likewise, replace the architecture name used for --build (and +# build_alias) with a literal backquoted call to dpkg-architecture. +# 4. In --configure output, remove +# -fdebug-prefix-map=/buildd/specific/random/path=. and +# -ffile-prefix-map=/buildd/specific/random/path=. +# 5. Remove -D_DEB_HOST_ARCH from CFLAGS. This is a (hopefully +# temporary) hack needed to properly build curl with NSS PEM +# support in Debian. + sed -e "/-lcurl /s|`krb5-config --libs gssapi`|\`krb5-config --libs gssapi\`|" \ + -e "/--prefix/s|/$(DEB_HOST_MULTIARCH)'|/'\\\\\`dpkg-architecture -qDEB_HOST_MULTIARCH\\\\\`|g" \ + -e "/--prefix/s|=$(DEB_BUILD_GNU_TYPE)'|='\\\\\`dpkg-architecture -qDEB_BUILD_GNU_TYPE\\\\\`|g" \ + -e "/-fdebug-prefix-map=/s|\(-fdebug-prefix-map=\)/[^ ]*=.||" \ + -e "/-ffile-prefix-map=/s|\(-ffile-prefix-map=\)/[^ ]*=.||" \ + -e "/-D_DEB_HOST_ARCH=/s|-D_DEB_HOST_ARCH=\\\\\"[^ ']*\\\\\"||" \ + -i `find . -name curl-config` +# When we get here, everything has been properly installed. Because +# of debhelper-compat 13, we have to remove some files that are +# otherwise flagged as not installed and will cause the build to fail. + rm -rfv debian/tmp/usr/share/man/* \ + debian/tmp/usr/share/fish/* \ + debian/tmp/usr/share/aclocal/* + +override_dh_installchangelogs: + dh_installchangelogs CHANGES + +override_dh_compress: + dh_compress -X.pdf + +override_dh_auto_clean: + $(RM) -r debian/build* debian/tmp* + dh_auto_clean diff --git a/debian/salsa-ci.yml b/debian/salsa-ci.yml new file mode 100644 index 00000000000000..5d783e88992698 --- /dev/null +++ b/debian/salsa-ci.yml @@ -0,0 +1,6 @@ +--- +include: + - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/recipes/debian.yml + +variables: + DEB_BUILD_OPTIONS: nocheck diff --git a/debian/source/format b/debian/source/format new file mode 100644 index 00000000000000..163aaf8d82b6c5 --- /dev/null +++ b/debian/source/format @@ -0,0 +1 @@ +3.0 (quilt) 
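Review bot: `cp ../../ltmain.sh .` right after `./buildconf` in override_dh_auto_configure only makes sense if the top-level ltmain.sh carries the libtool --as-needed workaround, but debian/patches/04_workaround_as_needed_bug.patch is not listed in debian/patches/series, so that patch is never applied and the copy appears to overwrite the freshly generated ltmain.sh with an unmodified one; either add the patch to series (above 90_gnutls.patch, since the recipe's `quilt pop` assumes the gnutls patch is last) or drop both the patch file and the two cp lines. The skip list `TESTS_GENERAL_PARAMETERS += ~1119 ~1139 ~1477 ~1478 ~1538` is commented only as `# ignore ECH symbol`, which does not say why five tests are disabled for both the OpenSSL and the GnuTLS build; these look like the symbol, man-page and error-code consistency checks (1477 is the test that add_errorcodes_upstream_file.patch restores errorcodes.pl for, and 90_gnutls.patch edits tests/data/test1538 to drop `e101: ECH attempted but failed`). A comment naming each test and the reason, e.g. `# 1119/1139/1477/1478/1538: symbols-in-versions, man pages and error-code tables do not yet cover the experimental ECH additions`, would let the next maintainer re-enable them once the docs catch up.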
diff --git a/debian/tests/LDAP-bindata.c b/debian/tests/LDAP-bindata.c
new file mode 100644
index 00000000000000..b3180d193d9c02
--- /dev/null
+++ b/debian/tests/LDAP-bindata.c
@@ -0,0 +1,354 @@
+/* SPDX-FileCopyrightText: 2019 Ryan Tandy
+ * SPDX-FileCopyrightText: 2023 John Scott
+ * SPDX-License-Identifier: OLDAP-2.8 */
+
+/* This test will spin up slapd, set a binary attribute, and check that libcurl can read it. */
+#define _POSIX_C_SOURCE 200809L
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#if __STDC_NO_VLA__
+#error VLA support is required
+#endif
+
+/* Note that this is different from the ldap_perror() that older LDAP APIs traditionally ship with. */
+static void ldap_perror(int p, const char msg[restrict static 1]) {
+ const char *const u8details = ldap_err2string(p);
+ const int r = ldap_x_utf8s_to_mbs(NULL, u8details, 0, NULL);
+ if(r == -1) {
+ fputs("Failed to convert LDAP error message string to the locale's multibyte encoding\n", stderr);
+ /* The converter function doesn't need to allocate any resources and the strings
+ * we get from OpenLDAP obviously should be valid UTF-8, so this should be impossible. */
+ abort();
+ }
+
+ assert(r < INT_MAX);
+ char mbsdetails[r+1];
+ const int c = ldap_x_utf8s_to_mbs(mbsdetails, u8details, sizeof(mbsdetails), NULL);
+ if(c == -1) {
+ fputs("Failed to convert LDAP error message string to the locale's multibyte encoding\n", stderr);
+ abort();
+ }
+ assert(c == r);
+ if(fprintf(stderr, "%s: %s\n", msg, mbsdetails) < 0) {
+ perror("Failed to print error message");
+ /* If we can't print to standard error, this might be the only error indication we get. */
+ abort();
+ }
+}
+
+int main(void) {
+ if(!setlocale(LC_ALL, "")) {
+ fputs("Failed to enable default locale\n", stderr);
+ exit(EXIT_FAILURE);
+ }
+ /* Note that OpenLDAP (and often libcurl) handle UTF-8 strings regardless of the locale.
+ * That's why ldap_perror() does the conversion. */
+
+ /* This needs to be run as root.
 */
+ assert(!geteuid());
+
+ if(setenv("DEBIAN_FRONTEND", "noninteractive", true) == -1) {
+ perror("Failed to set DEBIAN_FRONTEND environment variable");
+ exit(EXIT_FAILURE);
+ }
+ if(setenv("DEBCONF_DEBUG", "user|developer", true) == -1) {
+ perror("Failed to set DEBCONF_DEBUG environment variable");
+ exit(EXIT_FAILURE);
+ }
+
+ FILE *const debconf = popen("debconf-set-selections --verbose", "w");
+ if(!debconf) {
+ perror("Failed to open pipe and invoke debconf-set-selections");
+ exit(EXIT_FAILURE);
+ }
+
+ if(fputs("slapd slapd/password1 password Password\n"
+ "slapd slapd/password2 password Password\n"
+ "slapd slapd/domain string example.com\n"
+ "slapd slapd/organization string example.com\n", debconf) == EOF) {
+ perror("Failed to send slapd configuration parameters over pipe");
+ if(pclose(debconf) == -1) {
+ perror("Failed to close pipe");
+ }
+ exit(EXIT_FAILURE);
+ }
+
+ int w = pclose(debconf);
+ if(w == -1) {
+ perror("Failed to close pipe");
+ exit(EXIT_FAILURE);
+ }
+ if(!WIFEXITED(w) || WEXITSTATUS(w) != EXIT_SUCCESS) {
+ fputs("debconf-set-selections terminated abnormally\n", stderr);
+ exit(EXIT_FAILURE);
+ }
+
+ w = system("dpkg-reconfigure --frontend=noninteractive --priority=critical slapd && service slapd restart");
+ if(w == -1) {
+ perror("Failed to reconfigure and restart slapd");
+ exit(EXIT_FAILURE);
+ }
+ if(!WIFEXITED(w) || WEXITSTATUS(w) != EXIT_SUCCESS) {
+ fputs("dpkg-reconfigure failed abnormally or we failed to restart slapd\n", stderr);
+ exit(EXIT_FAILURE);
+ }
+
+ /* Now slapd should be running so we can add an entry */
+ int p;
+ if((p = ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, &(int){0xFFFF}))
+ || (p = ldap_set_option(NULL, LDAP_OPT_PROTOCOL_VERSION, &(int){LDAP_VERSION3}))) {
+ ldap_perror(p, "Failed to set libldap option");
+ exit(EXIT_FAILURE);
+ }
+ LDAP *ldp;
+ if(p = ldap_initialize(&ldp, u8"ldapi:///")) {
+ ldap_perror(p, "Failed to initialize libldap");
+ exit(EXIT_FAILURE);
+ }
+ unsigned int counter = 0;
+
while (p = ldap_connect(ldp)) {
+ counter++;
+ fprintf(stderr, "ldapi:// connection failed, retrying (count=%u)\n", counter);
+ if (counter >= 10) {
+ ldap_perror(p, "Failed to connect to slapd over UNIX domain socket");
+ if (p = ldap_unbind_ext(ldp, NULL, NULL)) {
+ ldap_perror(p, "Failed to deinitialize libldap");
+ }
+ exit(EXIT_FAILURE);
+ }
+ sleep(1);
+ }
+ if(p = ldap_sasl_bind_s(ldp, u8"CN=admin,DC=example,DC=com", LDAP_SASL_SIMPLE, &(struct berval){.bv_len = strlen(u8"Password"), .bv_val = u8"Password"}, NULL, NULL, NULL)) {
+ ldap_perror(p, "Failed to bind to directory server");
+ if(p = ldap_unbind_ext(ldp, NULL, NULL)) {
+ ldap_perror(p, "Failed to deinitialize libldap");
+ }
+ exit(EXIT_FAILURE);
+ }
+
+ /* The compound literals are necessary for const-correctness. */
+ LDAPMod *makeorg[] = {
+ &(LDAPMod) {
+ .mod_type = (char[]) {
+ u8"ou"
+ },
+ .mod_values = (char *[]) {
+ (char[]) {
+ u8"Accounts"
+ },
+ NULL
+ }
+ },
+ &(LDAPMod) {
+ .mod_type = (char[]) {
+ u8"objectClass"
+ },
+ .mod_values = (char *[]) {
+ (char[]) {
+ u8"top"
+ },
+ (char[]) {
+ u8"organizationalUnit"
+ },
+ NULL
+ }
+ },
+ &(LDAPMod) {
+ .mod_op = LDAP_MOD_BVALUES,
+ .mod_type = (char[]) {
+ u8"description"
+ },
+ .mod_bvalues = (struct berval *[]) {
+ &(struct berval) {
+ /* Do not include the null character.
 */
+ .bv_len = sizeof(U"Hello, world") - sizeof(char32_t),
+ .bv_val = (char *)(char32_t[]) {
+ U"Hello, world"
+ }
+ },
+ NULL
+ }
+ },
+ NULL
+ };
+
+ if(p = ldap_add_ext_s(ldp, u8"OU=Accounts,DC=example,DC=com", makeorg, NULL, NULL)) {
+ ldap_perror(p, "Failed to create organizational unit");
+ if(p = ldap_unbind_ext(ldp, NULL, NULL)) {
+ ldap_perror(p, "Failed to unbind from directory server");
+ }
+ exit(EXIT_FAILURE);
+ }
+
+ if(p = ldap_unbind_ext(ldp, NULL, NULL)) {
+ ldap_perror(p, "Failed to unbind from directory server");
+ exit(EXIT_FAILURE);
+ }
+
+ const char *tmpdir = getenv("TMPDIR");
+ if(!tmpdir) {
+ tmpdir = "/tmp/";
+ }
+ if(setenv("AUTOPKGTEST_ARTIFACTS", tmpdir, false) == -1) {
+ perror("Failed to set environment variable");
+ exit(EXIT_FAILURE);
+ }
+ const char *const autopkgtest_artifacts = getenv("AUTOPKGTEST_ARTIFACTS");
+ assert(autopkgtest_artifacts);
+ if(chdir(autopkgtest_artifacts) == -1) {
+ fprintf(stderr, "Failed to change directory into %s: %s\n", autopkgtest_artifacts, strerror(errno));
+ exit(EXIT_FAILURE);
+ }
+
+ /* Now here's where libcurl comes in. */
+ CURLcode s = curl_global_init(CURL_GLOBAL_DEFAULT);
+ if(s) {
+ fprintf(stderr, "Failed to initialize libcurl: %s\n", curl_easy_strerror(s));
+ exit(EXIT_FAILURE);
+ }
+ if(atexit(curl_global_cleanup)) {
+ fputs("Failed to register exit handler\n", stderr);
+ curl_global_cleanup();
+ exit(EXIT_FAILURE);
+ }
+
+ LDAPURLDesc url_desc = {
+ /* This really should be ldapi, but libcurl knows we're using a UNIX domain socket anyway and we don't want to confuse it.
 */
+ .lud_scheme = (char[]){ u8"ldap" },
+ .lud_host = (char[]){ u8"localhost" },
+ .lud_dn = (char[]){ u8"DC=example,DC=com" },
+ .lud_attrs = (char *[]){ (char[]){ u8"description" }, NULL },
+ .lud_scope = LDAP_SCOPE_ONELEVEL,
+ .lud_filter = (char[]){ u8"(description=*)" }
+ };
+ char *const u8url = ldap_url_desc2str(&url_desc);
+ if(!u8url) {
+ fputs("Failed to generate LDAP URL\n", stderr);
+ exit(EXIT_FAILURE);
+ }
+
+ CURL *const c = curl_easy_init();
+ if(!c) {
+ fputs("Failed to get libcurl handle\n", stderr);
+ ldap_memfree(u8url);
+ exit(EXIT_FAILURE);
+ }
+
+ FILE *const ldif = fopen("curl.ldif", "w+x");
+ if(!ldif) {
+ fprintf(stderr, "Failed to create curl.ldif in %s: %s\n", autopkgtest_artifacts, strerror(errno));
+ curl_easy_cleanup(c);
+ ldap_memfree(u8url);
+ exit(EXIT_FAILURE);
+ }
+ char errbuf[CURL_ERROR_SIZE];
+ if((s = curl_easy_setopt(c, CURLOPT_VERBOSE, 1L))
+ || (s = curl_easy_setopt(c, CURLOPT_WRITEDATA, (void *)ldif))
+ || (s = curl_easy_setopt(c, CURLOPT_ERRORBUFFER, errbuf))
+ || (s = curl_easy_setopt(c, CURLOPT_UNIX_SOCKET_PATH, "/run/slapd/ldapi"))
+ || (s = curl_easy_setopt(c, CURLOPT_URL, u8url))) {
+ fprintf(stderr, "Failed to set libcurl option: %s\n", curl_easy_strerror(s));
+ curl_easy_cleanup(c);
+ ldap_memfree(u8url);
+ if(fclose(ldif) == EOF) {
+ perror("Failed to close file");
+ }
+ exit(EXIT_FAILURE);
+ }
+ ldap_memfree(u8url);
+
+ if(s = curl_easy_perform(c)) {
+ fprintf(stderr, "Failed to fetch LDAP data with libcurl: %s: %s\n", curl_easy_strerror(s), errbuf);
+ curl_easy_cleanup(c);
+ if(fclose(ldif) == EOF) {
+ perror("Failed to close file");
+ }
+ exit(EXIT_FAILURE);
+ }
+ curl_easy_cleanup(c);
+
+ const long ldif_size = ftell(ldif);
+ if(ldif_size == -1) {
+ perror("Failed to determine position on stream");
+ if(fclose(ldif) == EOF) {
+ perror("Failed to close file");
+ }
+ exit(EXIT_FAILURE);
+ }
+ if(fseek(ldif, 0, SEEK_SET) == -1) {
+ perror("Failed to change position on stream");
+ if(fclose(ldif) == EOF) {
+
perror("Failed to close file");
+ }
+ exit(EXIT_FAILURE);
+ }
+
+ /* Now let's use getdelim() to try reading the entire file.
+ * Since LDIF is a text format, there shouldn't be any NULL bytes in it,
+ * but we're still going to check since that's the purpose of this test. */
+ char *u8ldif = NULL;
+ ssize_t u8ldifreadlen = getdelim(&u8ldif, &(size_t){0}, '\0', ldif);
+ if(u8ldifreadlen == -1) {
+ free(u8ldif);
+ if(ferror(ldif)) {
+ perror("Failed to read from LDIF file");
+ } else {
+ fputs("Failed to read from LDIF file: empty file\n", stderr);
+ }
+ if(fclose(ldif) == EOF) {
+ perror("Failed to close file");
+ }
+ exit(EXIT_FAILURE);
+ }
+
+ if(fclose(ldif) == EOF) {
+ perror("Failed to close file");
+ free(u8ldif);
+ exit(EXIT_FAILURE);
+ }
+
+ if(u8ldifreadlen != ldif_size) {
+ fputs("The LDIF from CURL contains null bytes! That's not right.\n", stderr);
+ free(u8ldif);
+ exit(EXIT_FAILURE);
+ }
+
+ /* Finally, let's see if we can read the attribute without loss of information. */
+ struct berval attrname, attrvalue;
+ char *cookie = u8ldif;
+ for(char *line = ldif_getline(&cookie); line; line = ldif_getline(&cookie)) {
+ if(!(p = ldif_parse_line2(line, &attrname, &attrvalue, NULL))) {
+ if(!strncmp(attrname.bv_val, u8"description", attrname.bv_len)) {
+ break;
+ }
+ ldap_memfree(attrname.bv_val);
+ ldap_memfree(attrvalue.bv_val);
+ }
+ }
+ free(u8ldif);
+ if(p) {
+ ldap_perror(p, "Failed to parse LDIF line");
+ exit(EXIT_FAILURE);
+ }
+
+ ldap_memfree(attrname.bv_val);
+ if(memcmp(attrvalue.bv_val, U"Hello, world", sizeof(U"Hello, world") - sizeof(char32_t))) {
+ ldap_memfree(attrvalue.bv_val);
+ fputs("Binary attribute comparison failed!\n", stderr);
+ exit(EXIT_FAILURE);
+ }
+ ldap_memfree(attrvalue.bv_val);
+ /* success */
+}
diff --git a/debian/tests/control b/debian/tests/control
new file mode 100644
index 00000000000000..74b3de9cddba11
--- /dev/null
+++ b/debian/tests/control
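Review bot: When the attribute loop near the end of main() runs to completion without hitting the `break`, `attrname.bv_val` and `attrvalue.bv_val` have already been released by `ldap_memfree()` in the last iteration (or are uninitialised if the LDIF produced no lines), yet the code then calls `ldap_memfree(attrname.bv_val)` and `memcmp(attrvalue.bv_val, ...)` — a double free and a read of freed memory instead of a clean test failure when `description` is absent from curl's output. A `found` flag checked after the loop turns that into a reported failure; the match itself should also compare the full name, since `strncmp(attrname.bv_val, u8"description", attrname.bv_len)` accepts any attribute whose name is a prefix of "description" (e.g. `desc`). Note also that the `if(p)` after the loop only reflects the parse result of the last line, so a parse error on an earlier line is silently ignored. The rewritten tail of the loop follows.

```c
  /* Finally, let's see if we can read the attribute without loss of information. */
  struct berval attrname, attrvalue;
  bool found = false;
  char *cookie = u8ldif;
  for(char *line = ldif_getline(&cookie); line; line = ldif_getline(&cookie)) {
    if(!(p = ldif_parse_line2(line, &attrname, &attrvalue, NULL))) {
      /* Compare the whole name: a bv_len-bounded strncmp also matches prefixes. */
      if(attrname.bv_len == strlen(u8"description")
         && !memcmp(attrname.bv_val, u8"description", attrname.bv_len)) {
        found = true;
        break;
      }
      ldap_memfree(attrname.bv_val);
      ldap_memfree(attrvalue.bv_val);
    }
  }
  free(u8ldif);
  if(p) {
    ldap_perror(p, "Failed to parse LDIF line");
    exit(EXIT_FAILURE);
  }
  if(!found) {
    /* attrname/attrvalue are already freed (or never set) here, so stop before touching them. */
    fputs("No description attribute found in the LDIF from CURL\n", stderr);
    exit(EXIT_FAILURE);
  }
  /* … unchanged: ldap_memfree(attrname.bv_val) and the memcmp() against U"Hello, world" … */
```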
@@ -0,0 +1,11 @@
+Tests: upstream-tests-openssl
+Depends: curl, @builddeps@
+Restrictions: allow-stderr
+
+Tests: upstream-tests-gnutls
+Depends: @builddeps@
+Restrictions: allow-stderr
+
+Tests: curl-ldapi-test
+Depends: gcc, libc-dev, libcurl4-openssl-dev | libcurl-dev, libldap-dev, slapd, pkgconf
+Restrictions: allow-stderr, isolation-container, needs-root
diff --git a/debian/tests/curl-ldapi-test b/debian/tests/curl-ldapi-test
new file mode 100644
index 00000000000000..44554316de44d4
--- /dev/null
+++ b/debian/tests/curl-ldapi-test
@@ -0,0 +1,24 @@
+#!/bin/sh
+
+set -e
+
+cleanup() {
+ if [ $? -ne 0 ]; then
+ set +e
+ echo "## Something failed, gathering logs"
+ echo
+ echo "## syslog"
+ tail -n 50 /var/log/syslog
+ echo
+ echo "## slapd journal"
+ journalctl -u slapd
+ fi
+}
+
+trap cleanup EXIT
+
+echo "## Building ldap-test app"
+gcc debian/tests/LDAP-bindata.c $(pkgconf --cflags --libs ldap libcurl) -o "$AUTOPKGTEST_TMP"/ldap-test
+
+echo "## calling ldap-test"
+"$AUTOPKGTEST_TMP"/ldap-test
diff --git a/debian/tests/upstream-tests-gnutls b/debian/tests/upstream-tests-gnutls
new file mode 100644
index 00000000000000..2f8a53c4a833dc
--- /dev/null
+++ b/debian/tests/upstream-tests-gnutls
@@ -0,0 +1,37 @@
+#!/bin/sh
+set -e
+
+# Building curl is required because libauthretry (from "make test") requires
+# libcurl.
+#
+# It might be possible to patch the makefile to have libauthretry link against
+# the system's installed libcurl, patches welcome.
+#
+# gnutls tests run against the built curl and libcurl rather than the installed
+# one as we don't ship a curl linked against gnutls (only gnutls libraries).
+
+export DEB_BUILD_PROFILES="pkg.curl.gnutls-only"
+export VERBOSE=1
+
+# Don't skip tests which fail on ipv6-only environments for autopkgtests.
+# I'm not aware of runners with this configuration for debci, and a retry
+# should be easy enough it it happens.
+# References:
+# https://bugs.debian.org/1032343
+# https://github.com/curl/curl/issues/10682
+export TESTS_FAILS_ON_IPV6_ONLY_MACHINES=""
+
+echo "dh_update_autotools_config"
+dh_update_autotools_config
+
+echo "dh_autoreconf"
+dh_autoreconf
+
+echo "debian/rules override_dh_auto_configure "
+debian/rules override_dh_auto_configure
+
+echo "debian/rules override_dh_auto_build"
+debian/rules override_dh_auto_build
+
+echo "debian/rules override_dh_auto_test"
+debian/rules override_dh_auto_test
diff --git a/debian/tests/upstream-tests-openssl b/debian/tests/upstream-tests-openssl
new file mode 100644
index 00000000000000..2ede329ad603cd
--- /dev/null
+++ b/debian/tests/upstream-tests-openssl
@@ -0,0 +1,40 @@
+#!/bin/sh
+set -e
+
+# Building curl is required because libauthretry (from "make test") requires
+# libcurl.
+#
+# It might be possible to patch the makefile to have libauthretry link against
+# the system's installed libcurl, patches welcome.
+#
+# openssl tests run against the system's installed curl.
+
+export DEB_BUILD_PROFILES="pkg.curl.openssl-only"
+export VERBOSE=1
+TESTS_GENERAL_PARAMETERS="-c /usr/bin/curl"
+TESTS_GENERAL_PARAMETERS="-vc /usr/bin/curl"
+export TESTS_GENERAL_PARAMETERS
+
+# Don't skip tests which fail on ipv6-only environments for autopkgtests.
+# I'm not aware of runners with this configuration for debci, and a retry
+# should be easy enough it it happens.
+# References:
+# https://bugs.debian.org/1032343
+# https://github.com/curl/curl/issues/10682
+export TESTS_FAILS_ON_IPV6_ONLY_MACHINES=""
+
+echo "dh_update_autotools_config"
+dh_update_autotools_config
+
+echo "dh_autoreconf"
+dh_autoreconf
+
+echo "debian/rules override_dh_auto_configure "
+debian/rules override_dh_auto_configure
+
+echo "debian/rules override_dh_auto_build"
+debian/rules override_dh_auto_build
+
+echo "debian/rules override_dh_auto_test"
+debian/rules override_dh_auto_test
+
diff --git a/debian/upstream/metadata b/debian/upstream/metadata
new file mode 100644
index 00000000000000..6734e7fa22fe3c
--- /dev/null
+++ b/debian/upstream/metadata
@@ -0,0 +1,5 @@
+---
+Bug-Database: https://github.com/bagder/curl/issues
+Bug-Submit: https://github.com/curl/curl/issues
+Repository: https://github.com/curl/curl.git
+Repository-Browse: https://github.com/curl/curl
diff --git a/debian/watch b/debian/watch
new file mode 100644
index 00000000000000..16554190532f18
--- /dev/null
+++ b/debian/watch
@@ -0,0 +1,3 @@
+version=4
+opts=pgpmode=auto \
+ https://curl.se/download/ download/curl-([\d\.]+).tar.gz
From 2962198d42d57c7365ebcd9428b66fa1d6ef388b Mon Sep 17 00:00:00 2001
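Review bot: In debian/tests/upstream-tests-openssl the assignment `TESTS_GENERAL_PARAMETERS="-c /usr/bin/curl"` is dead — the very next line overwrites it with `TESTS_GENERAL_PARAMETERS="-vc /usr/bin/curl"` before the `export`, so one of the two should go, depending on whether the verbose flag is actually wanted in autopkgtest logs. The comment line `# should be easy enough it it happens.` has a typo ("if it happens"); the same sentence appears in debian/tests/upstream-tests-gnutls. The file also ends with an extra blank line, which the gnutls counterpart does not have.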
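Review bot: In debian/upstream/metadata `Bug-Database` points at `https://github.com/bagder/curl/issues` while `Bug-Submit`, `Repository` and `Repository-Browse` all use the `curl/curl` organisation; the `bagder/curl` path is presumably an old personal-namespace redirect to the same tracker, but the four fields should agree so tooling does not record two different trackers — `Bug-Database: https://github.com/curl/curl/issues`.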
From: Stephen Farrell
Date: Tue, 20 Feb 2024 20:59:27 +0000
Subject: [PATCH 21/21] add cron for packages
---
 .github/workflows/packages.yaml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/.github/workflows/packages.yaml b/.github/workflows/packages.yaml
index 990b39ea3d61e9..c6567b8ba6ba05 100644
--- a/.github/workflows/packages.yaml
+++ b/.github/workflows/packages.yaml
@@ -3,6 +3,8 @@ name: builder
 on:
 workflow_dispatch:
 push:
+ schedule:
+ - cron: '30 5 * * *'
 jobs:
 build: