diff --git a/SOURCES/openscap-1.3.4-add_compression_support-PR_1557.patch b/SOURCES/openscap-1.3.4-add_compression_support-PR_1557.patch new file mode 100644 index 0000000..a80fe11 --- /dev/null +++ b/SOURCES/openscap-1.3.4-add_compression_support-PR_1557.patch @@ -0,0 +1,70 @@ +From d8518b70b912aa55fc47400173bf6229e40b71d0 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?=C5=A0imon=20Luka=C5=A1=C3=ADk?= +Date: Wed, 8 Jul 2020 15:17:31 +0200 +Subject: [PATCH] Make a use of HTTP header content-encoding: gzip if available + +When fetching remote resources, some servers/CDNs may be able to serve us +compressed http response even in cases when the original file is not compressed +XML. libcurl is able to process encoded html for us with no added maintenance +costs. + +Attached please find a CURL log of fetching plain XML file from Red Hat CDN: + +Downloading: https://www.redhat.com/security/data/oval/com.redhat.rhsa-RHEL7.xml +... +* Trying 104.90.105.254:443... +* Connected to www.redhat.com (104.90.105.254) port 443 (#0) +* ALPN, offering h2 +* ALPN, offering http/1.1 +* successfully set certificate verify locations: +* CAfile: /etc/pki/tls/certs/ca-bundle.crt + CApath: none +* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 +* ALPN, server accepted to use h2 +* Server certificate: +* subject: businessCategory=Private Organization; jurisdictionC=US; jurisdictionST=Delaware; serialNumber=2945436; C=US; ST=North Carolina; L=Raleigh; O=Red Hat, Inc.; CN=www.redhat.com +* start date: Feb 24 00:00:00 2020 GMT +* expire date: May 24 12:00:00 2022 GMT +* subjectAltName: host "www.redhat.com" matched cert's "www.redhat.com" +* issuer: C=US; O=DigiCert Inc; OU=www.digicert.com; CN=DigiCert SHA2 Extended Validation Server CA +* SSL certificate verify ok. +* Using HTTP2, server supports multi-use +* Connection state changed (HTTP/2 confirmed) +* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0 +* Using Stream ID: 1 (easy handle 0x776c3b0) +> GET /security/data/oval/com.redhat.rhsa-RHEL7.xml HTTP/2 +Host: www.redhat.com +accept: */* +accept-encoding: gzip + +* old SSL session ID is stale, removing +* Connection state changed (MAX_CONCURRENT_STREAMS == 100)! +< HTTP/2 200 +< server: Apache +< last-modified: Wed, 08 Jul 2020 12:41:28 GMT +< etag: "7f694279-fca5e0-5a9ed6d376a08" +< accept-ranges: bytes +< content-type: text/xml +< content-encoding: gzip +< content-length: 1766376 +< date: Wed, 08 Jul 2020 13:15:29 GMT +< vary: Accept-Encoding +< strict-transport-security: max-age=31536000 +< +* Connection #0 to host www.redhat.com left intact +--- + src/common/oscap_acquire.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/src/common/oscap_acquire.c b/src/common/oscap_acquire.c +index 60ab62c05..551da43f0 100644 +--- a/src/common/oscap_acquire.c ++++ b/src/common/oscap_acquire.c +@@ -302,6 +302,7 @@ char* oscap_acquire_url_download(const char *url, size_t* memory_size) + curl_easy_setopt(curl, CURLOPT_URL, url); + curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, write_to_memory_callback); + curl_easy_setopt(curl, CURLOPT_WRITEDATA, buffer); ++ curl_easy_setopt(curl, CURLOPT_ACCEPT_ENCODING, ""); + curl_easy_setopt(curl, CURLOPT_FOLLOWLOCATION, true); + + CURLcode res = curl_easy_perform(curl); diff --git a/SOURCES/openscap-1.3.4-add_compression_test-PR_1564.patch b/SOURCES/openscap-1.3.4-add_compression_test-PR_1564.patch new file mode 100644 index 0000000..e35e0f3 --- /dev/null +++ b/SOURCES/openscap-1.3.4-add_compression_test-PR_1564.patch @@ -0,0 +1,168 @@ +From 12ccadd9f9cd30143b3af6feced58f8da636e9d2 Mon Sep 17 00:00:00 2001 +From: Evgeny Kolesnikov +Date: Mon, 20 Jul 2020 07:45:05 +0200 +Subject: [PATCH] Add test for cURL "Accept-Encoding" header + +--- + tests/CMakeLists.txt | 1 + + tests/curl/CMakeLists.txt | 1 + + tests/curl/ds.xml | 99 ++++++++++++++++++++++++++++++++ + tests/curl/test_curl_encoding.sh | 23 ++++++++ + 4 files changed, 124 insertions(+) + create mode 100644 tests/curl/CMakeLists.txt + create mode 100644 tests/curl/ds.xml + create mode 100755 tests/curl/test_curl_encoding.sh + +diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt +index b7ca6cd79..6948cd260 100644 +--- a/tests/CMakeLists.txt ++++ b/tests/CMakeLists.txt +@@ -26,6 +26,7 @@ add_subdirectory("API") + add_subdirectory("bindings") + add_subdirectory("bz2") + add_subdirectory("codestyle") ++add_subdirectory("curl") + add_subdirectory("CPE") + add_subdirectory("DS") + add_subdirectory("mitre") +diff --git a/tests/curl/CMakeLists.txt b/tests/curl/CMakeLists.txt +new file mode 100644 +index 000000000..9c3d90d74 +--- /dev/null ++++ b/tests/curl/CMakeLists.txt +@@ -0,0 +1 @@ ++add_oscap_test("test_curl_encoding.sh") +diff --git a/tests/curl/ds.xml b/tests/curl/ds.xml +new file mode 100644 +index 000000000..f33cb475d +--- /dev/null ++++ b/tests/curl/ds.xml +@@ -0,0 +1,99 @@ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ 5.11 ++ 2009-01-12T10:41:00-05:00 ++ ++ ++ ++ ++ ++ PASS ++ pass ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ ++ oval:x:var:1 ++ ++ ++ ++ ++ ++ 100 ++ ++ ++ ++ ++ ++ ++ ++ ++ accepted ++ 1.0 ++ ++ ++ xccdf_test_profile ++ This profile is for testing. ++ ++ ++ ++ ++ test value ++ foo ++ 50 ++ 100 ++ ++ ++ This rule always pass ++ ++ ++ ++ ++ ++ This rule checks remote resource ++ ++ ++ ++ ++ ++ This rule always pass ++ ++ ++ ++ ++ ++ ++ +diff --git a/tests/curl/test_curl_encoding.sh b/tests/curl/test_curl_encoding.sh +new file mode 100755 +index 000000000..6d82f9569 +--- /dev/null ++++ b/tests/curl/test_curl_encoding.sh +@@ -0,0 +1,23 @@ ++#!/bin/bash ++ ++set -e -o pipefail ++ ++. $builddir/tests/test_common.sh ++ ++function curl_accept_encoding { ++ local DF="${srcdir}/ds.xml" ++ local RF="results.xml" ++ local LOG="verbose.log" ++ ++ $OSCAP xccdf --verbose=DEVEL eval --fetch-remote-resources --results $RF $DF 2>$LOG || echo "OK" ++ ++ grep -P "Accept-Encoding.*gzip" $LOG ++ ++ return 0 ++} ++ ++test_init ++ ++test_run "cURL: Accept-Encoding" curl_accept_encoding ++ ++test_exit diff --git a/SOURCES/openscap-1.3.4-add_compression_tracing-PR_1561.patch b/SOURCES/openscap-1.3.4-add_compression_tracing-PR_1561.patch new file mode 100644 index 0000000..af4b663 --- /dev/null +++ b/SOURCES/openscap-1.3.4-add_compression_tracing-PR_1561.patch @@ -0,0 +1,76 @@ +From aab536acdd4b08e2e8c3d4ac43981dfcaf1cc9f8 Mon Sep 17 00:00:00 2001 +From: Evgeny Kolesnikov +Date: Mon, 13 Jul 2020 14:09:52 +0200 +Subject: [PATCH] Add CURLOPT_TRANSFER_ENCODING, enable CURLOPT_VERBOSE with + CURLOPT_DEBUGFUNCTION + +Adds a request for compressed Transfer Encoding in the outgoing +HTTP request. If the server supports this and so desires, it can +respond with the HTTP response sent using a compressed +Transfer-Encoding that will be automatically uncompressed by +libcurl on reception. + +The CURLOPT_DEBUGFUNCTION callback is used for printing headers and +connection information on VERBOSE level (dD). +--- + src/common/oscap_acquire.c | 32 ++++++++++++++++++++++++++++++++ + 1 file changed, 32 insertions(+) + +diff --git a/src/common/oscap_acquire.c b/src/common/oscap_acquire.c +index 551da43f0..666f4f5c9 100644 +--- a/src/common/oscap_acquire.c ++++ b/src/common/oscap_acquire.c +@@ -49,6 +49,7 @@ + #include "common/_error.h" + #include "oscap_string.h" + #include "oscap_helpers.h" ++#include "debug_priv.h" + + #ifndef OSCAP_TEMP_DIR + #define OSCAP_TEMP_DIR "/tmp" +@@ -288,6 +289,34 @@ oscap_acquire_url_to_filename(const char *url) + return filename; + } + ++static int _curl_trace(CURL *handle, curl_infotype type, char *data, size_t size, void *userp) ++{ ++ const char *title; ++ ++ switch (type) { ++ case CURLINFO_TEXT: ++ title = "== cURL info"; ++ break; ++ case CURLINFO_HEADER_OUT: ++ title = "=> cURL header (out)"; ++ break; ++ case CURLINFO_HEADER_IN: ++ title = "<= cURL header (in)"; ++ break; ++ case CURLINFO_DATA_OUT: ++ case CURLINFO_SSL_DATA_OUT: ++ case CURLINFO_DATA_IN: ++ case CURLINFO_SSL_DATA_IN: ++ default: ++ return 0; ++ break; ++ } ++ ++ dD("%s: %s", title, data); ++ ++ return 0; ++} ++ + char* oscap_acquire_url_download(const char *url, size_t* memory_size) + { + CURL *curl; +@@ -303,7 +332,10 @@ char* oscap_acquire_url_download(const char *url, size_t* memory_size) + curl_easy_setopt(curl, CURLOPT_WRITEFUNCTION, write_to_memory_callback); + curl_easy_setopt(curl, CURLOPT_WRITEDATA, buffer); + curl_easy_setopt(curl, CURLOPT_ACCEPT_ENCODING, ""); ++ curl_easy_setopt(curl, CURLOPT_TRANSFER_ENCODING, true); + curl_easy_setopt(curl, CURLOPT_FOLLOWLOCATION, true); ++ curl_easy_setopt(curl, CURLOPT_VERBOSE, true); ++ curl_easy_setopt(curl, CURLOPT_DEBUGFUNCTION, _curl_trace); + + CURLcode res = curl_easy_perform(curl); + curl_easy_cleanup(curl); diff --git a/SPECS/openscap.spec b/SPECS/openscap.spec index 7288d8c..1095a6b 100644 --- a/SPECS/openscap.spec +++ b/SPECS/openscap.spec @@ -1,6 +1,6 @@ Name: openscap Version: 1.3.3 -Release: 2%{?dist} +Release: 3%{?dist} Summary: Set of open source libraries enabling integration of the SCAP line of standards Group: System Environment/Libraries License: LGPLv2+ @@ -8,6 +8,9 @@ URL: http://www.open-scap.org/ Source0: https://github.com/OpenSCAP/%{name}/releases/download/%{version}/%{name}-%{version}.tar.gz Patch1: openscap-1.3.4-fix-environmentvariable58-regression.patch Patch2: openscap-1.3.4-fix-no-more-recursion.patch +Patch3: openscap-1.3.4-add_compression_support-PR_1557.patch +Patch4: openscap-1.3.4-add_compression_test-PR_1564.patch +Patch5: openscap-1.3.4-add_compression_tracing-PR_1561.patch BuildRequires: cmake >= 2.6 BuildRequires: swig libxml2-devel libxslt-devel perl-generators perl-XML-Parser @@ -130,6 +133,9 @@ for developing applications that use %{name}-engine-sce. %setup -q %patch1 -p1 %patch2 -p1 +%patch3 -p1 +%patch4 -p1 +%patch5 -p1 mkdir build %build @@ -217,6 +223,9 @@ rm -rf $RPM_BUILD_ROOT %{_bindir}/oscap-run-sce-script %changelog +* Tue Jul 21 2020 Matěj Týč - 1.3.3-3 +- Added support for fetching remote content with compression (RHBZ#1855708) + * Thu Jun 25 2020 Matěj Týč - 1.3.3-2 - Prevent unwanted recursion that could crash the scanner (RHBZ#1686370)