From 966d16fd676e29040fc0357e3457f05c9d4b327e Mon Sep 17 00:00:00 2001
From: CentOS Sources <bugs@centos.org>
Date: Aug 01 2017 03:37:09 +0000
Subject: import wget-1.14-15.el7


---

diff --git a/SOURCES/wget-1.14-add-openssl-tlsv11-tlsv12-support.patch b/SOURCES/wget-1.14-add-openssl-tlsv11-tlsv12-support.patch
new file mode 100644
index 0000000..634cb97
--- /dev/null
+++ b/SOURCES/wget-1.14-add-openssl-tlsv11-tlsv12-support.patch
@@ -0,0 +1,122 @@
+diff --git a/doc/wget.texi b/doc/wget.texi
+index 118fce9..3bd8dd7 100644
+--- a/doc/wget.texi
++++ b/doc/wget.texi
+@@ -1555,16 +1555,17 @@ without SSL support, none of these options are available.
+ @cindex SSL protocol, choose
+ @item --secure-protocol=@var{protocol}
+ Choose the secure protocol to be used.  Legal values are @samp{auto},
+-@samp{SSLv2}, @samp{SSLv3}, and @samp{TLSv1}.  If @samp{auto} is used,
+-the SSL library is given the liberty of choosing the appropriate
+-protocol automatically, which is achieved by sending an SSLv2 greeting
+-and announcing support for SSLv3 and TLSv1.  This is the default.
+-
+-Specifying @samp{SSLv2}, @samp{SSLv3}, or @samp{TLSv1} forces the use
+-of the corresponding protocol.  This is useful when talking to old and
+-buggy SSL server implementations that make it hard for OpenSSL to
+-choose the correct protocol version.  Fortunately, such servers are
+-quite rare.
++@samp{SSLv2}, @samp{SSLv3}, @samp{TLSv1}, @samp{TLSv1_1} and
++@samp{TLSv1_2}.  If @samp{auto} is used, the SSL library is given the
++liberty of choosing the appropriate protocol automatically, which is
++achieved by sending a SSLv2 greeting and announcing support for SSLv3
++and TLSv1.  This is the default.
++
++Specifying @samp{SSLv2}, @samp{SSLv3}, @samp{TLSv1}, @samp{TLSv1_1} or
++@samp{TLSv1_2} forces the use of the corresponding protocol.  This is
++useful when talking to old and buggy SSL server implementations that
++make it hard for the underlying SSL library to choose the correct
++protocol version.  Fortunately, such servers are quite rare.
+ 
+ @cindex SSL certificate, check
+ @item --no-check-certificate
+diff --git a/src/init.c b/src/init.c
+index 4cee677..f160bec 100644
+--- a/src/init.c
++++ b/src/init.c
+@@ -1488,6 +1488,8 @@ cmd_spec_secure_protocol (const char *com, const char *val, void *place)
+     { "sslv2", secure_protocol_sslv2 },
+     { "sslv3", secure_protocol_sslv3 },
+     { "tlsv1", secure_protocol_tlsv1 },
++    { "tlsv1_1", secure_protocol_tlsv1_1 },
++    { "tlsv1_2", secure_protocol_tlsv1_2 },
+   };
+   int ok = decode_string (val, choices, countof (choices), place);
+   if (!ok)
+diff --git a/src/main.c b/src/main.c
+index 9cbad9f..3d50dad 100644
+--- a/src/main.c
++++ b/src/main.c
+@@ -625,7 +625,7 @@ HTTP options:\n"),
+ HTTPS (SSL/TLS) options:\n"),
+     N_("\
+        --secure-protocol=PR     choose secure protocol, one of auto, SSLv2,\n\
+-                                SSLv3, and TLSv1.\n"),
++                                SSLv3, TLSv1, TLSv1_1 and TLSv1_2.\n"),
+     N_("\
+        --no-check-certificate   don't validate the server's certificate.\n"),
+     N_("\
+diff --git a/src/openssl.c b/src/openssl.c
+index b3c31ce..141a8a3 100644
+--- a/src/openssl.c
++++ b/src/openssl.c
+@@ -40,6 +40,9 @@ as that of the covered work.  */
+ #include <openssl/x509v3.h>
+ #include <openssl/err.h>
+ #include <openssl/rand.h>
++#if OPENSSL_VERSION_NUMBER >= 0x00907000
++#include <openssl/conf.h>
++#endif
+ 
+ #include "utils.h"
+ #include "connect.h"
+@@ -176,6 +179,12 @@ ssl_init (void)
+       goto error;
+     }
+ 
++#if OPENSSL_VERSION_NUMBER >= 0x00907000
++  OPENSSL_load_builtin_modules();
++  ENGINE_load_builtin_engines();
++  CONF_modules_load_file(NULL, NULL,
++      CONF_MFLAGS_DEFAULT_SECTION|CONF_MFLAGS_IGNORE_MISSING_FILE);
++#endif
+   SSL_library_init ();
+   SSL_load_error_strings ();
+   SSLeay_add_all_algorithms ();
+@@ -197,6 +206,21 @@ ssl_init (void)
+     case secure_protocol_tlsv1:
+       meth = TLSv1_client_method ();
+       break;
++#if OPENSSL_VERSION_NUMBER >= 0x10001000
++    case secure_protocol_tlsv1_1:
++      meth = TLSv1_1_client_method ();
++      break;
++    case secure_protocol_tlsv1_2:
++      meth = TLSv1_2_client_method ();
++      break;
++#else
++    case secure_protocol_tlsv1_1:
++      logprintf (LOG_NOTQUIET, _("Your OpenSSL version is too old to support TLSv1.1\n"));
++      goto error;
++    case secure_protocol_tlsv1_2:
++      logprintf (LOG_NOTQUIET, _("Your OpenSSL version is too old to support TLSv1.2\n"));
++      goto error;
++#endif
+     default:
+       abort ();
+     }
+diff --git a/src/options.h b/src/options.h
+index 326123a..575e647 100644
+--- a/src/options.h
++++ b/src/options.h
+@@ -200,7 +200,9 @@ struct options
+     secure_protocol_auto,
+     secure_protocol_sslv2,
+     secure_protocol_sslv3,
+-    secure_protocol_tlsv1
++    secure_protocol_tlsv1,
++    secure_protocol_tlsv1_1,
++    secure_protocol_tlsv1_2
+   } secure_protocol;		/* type of secure protocol to use. */
+   bool check_cert;		/* whether to validate the server's cert */
+   char *cert_file;		/* external client certificate to use. */
diff --git a/SOURCES/wget-1.14-fix-synchronization-in-Test-proxied-https-auth.patch b/SOURCES/wget-1.14-fix-synchronization-in-Test-proxied-https-auth.patch
new file mode 100644
index 0000000..b0a3f87
--- /dev/null
+++ b/SOURCES/wget-1.14-fix-synchronization-in-Test-proxied-https-auth.patch
@@ -0,0 +1,164 @@
+From 082e7194605e99f0e50f8909fcaf10adee747cc8 Mon Sep 17 00:00:00 2001
+From: Tomas Hozza <thozza@redhat.com>
+Date: Fri, 5 May 2017 13:46:11 +0200
+Subject: [PATCH] Fix client/server synchronization in
+ Test-proxied-https-auth.px test
+
+Combination of upstream commits vithout adding support for Valgrind:
+3eff3ad69a46364475e1f4abdf9412cfa87e3d6c
+2303793a626158627bdb2ac255e0f58697682b24
+
+Signed-off-by: Tomas Hozza <thozza@redhat.com>
+---
+ tests/Test-proxied-https-auth.px | 82 +++++++++++++++++++++++-----------------
+ 1 file changed, 48 insertions(+), 34 deletions(-)
+
+diff --git a/tests/Test-proxied-https-auth.px b/tests/Test-proxied-https-auth.px
+index 1de5357..e1a6c44 100755
+--- a/tests/Test-proxied-https-auth.px
++++ b/tests/Test-proxied-https-auth.px
+@@ -1,4 +1,6 @@
+ #!/usr/bin/env perl
++# Simulate a tunneling proxy to a HTTPS URL that needs authentication.
++# Use two connections (Connection: close)
+ 
+ use strict;
+ use warnings;
+@@ -39,31 +41,33 @@ sub get_request {
+ }
+ 
+ sub do_server {
+-    my $alrm = alarm 10;
+-
++    my ($synch_callback) = @_;
+     my $s = $SOCKET;
+     my $conn;
+     my $rqst;
+     my $rspn;
++
++    my %options = (
++        SSL_server => 1,
++        SSL_passwd_cb => sub { return "Hello"; });
++    $options{SSL_cert_file} = $cert_path if ($cert_path);
++    $options{SSL_key_file} = $key_path if ($key_path);
++    my @options = %options;
++
++    # sync with the parent
++    $synch_callback->();
++
++    # Simulate a HTTPS proxy server with tunneling.
++
+     for my $expect_inner_auth (0, 1) {
+         $conn = $s->accept;
+         $rqst = $conn->get_request;
+-
+-        # TODO: expect no auth the first time, request it, expect it the second
+-        #   time.
+-
+         die "Method not CONNECT\n" if ($rqst->method ne 'CONNECT');
+         $rspn = HTTP::Response->new(200, 'OK');
+         $conn->send_response($rspn);
+ 
+-        my %options = (
+-            SSL_server => 1,
+-            SSL_passwd_cb => sub { return "Hello"; });
+-
+-        $options{SSL_cert_file} = $cert_path if ($cert_path);
+-        $options{SSL_key_file} = $key_path if ($key_path);
+-
+-        my @options = %options;
++        # Now switch from plain to SSL (for simulating a transparent tunnel
++        # to an HTTPS server).
+ 
+         $conn = IO::Socket::SSL->new_from_fd($conn->fileno, @options)
+             or die "Couldn't initiate SSL";
+@@ -74,14 +78,10 @@ sub do_server {
+         unless ($expect_inner_auth) {
+             die "Early proxied auth\n" if $rqst->header('Authorization');
+ 
+-            # TODO: handle non-persistent connection here.
+             $rspn = HTTP::Response->new(401, 'Unauthorized', [
+                 'WWW-Authenticate' => 'Basic realm="gondor"',
+                 Connection => 'close'
+                 ]);
+-            $rspn->protocol('HTTP/1.0');
+-            print $rspn->as_string;
+-            print $conn $rspn->as_string;
+         } else {
+             die "No proxied auth\n" unless $rqst->header('Authorization');
+ 
+@@ -89,41 +89,55 @@ sub do_server {
+                 'Content-Type' => 'text/plain',
+                 'Connection' => 'close',
+                 ], "foobarbaz\n");
+-            $rspn->protocol('HTTP/1.0');
+-            print "=====\n";
+-            print $rspn->as_string;
+-            print "\n=====\n";
+-            print $conn $rspn->as_string;
+         }
++
++        $rspn->protocol('HTTP/1.0');
++        print STDERR "=====\n";
++        print STDERR $rspn->as_string;
++        print STDERR "\n=====\n";
++        print $conn $rspn->as_string;
++
+         $conn->close;
+     }
++
+     undef $conn;
+     undef $s;
+-    alarm $alrm;
+ }
+ 
+ sub fork_server {
+-    my $pid = fork;
+-    die "Couldn't fork" if ($pid < 0);
+-    return $pid if $pid;
++    pipe(FROM_CHILD, TO_PARENT) or die "Cannot create pipe!";
++    select((select(TO_PARENT), $| = 1)[0]);
++
++    my $pid = fork();
++    if ($pid < 0) {
++        die "Cannot fork";
++    } elsif ($pid == 0) {
++        # child
++        close FROM_CHILD;
++        do_server(sub { print TO_PARENT "SYNC\n"; close TO_PARENT });
++        exit 0;
++    } else {
++        # parent
++        close TO_PARENT;
++        chomp(my $line = <FROM_CHILD>);
++        close FROM_CHILD;
++    }
+ 
+-    &do_server;
+-    exit;
++    return $pid;
+ }
+ 
+-system ('rm -f needs-auth.txt');
++unlink "needs-auth.txt";
+ my $pid = &fork_server;
+ 
+-sleep 1;
+ my $cmdline = $WgetTest::WGETPATH . " --user=fiddle-dee-dee"
+     . " --password=Dodgson -e https_proxy=localhost:{{port}}"
+     . " --no-check-certificate"
+     . " https://no.such.domain/needs-auth.txt";
+ $cmdline =~ s/{{port}}/$SOCKET->sockport()/e;
+ 
+-my $code = system($cmdline);
+-system ('rm -f needs-auth.txt');
++my $code = system($cmdline . " 2>&1") >> 8;
++unlink "needs-auth.txt";
+ 
+ warn "Got code: $code\n" if $code;
+ kill ('TERM', $pid);
+-exit ($code >> 8);
++exit ($code != 0);
+-- 
+2.7.4
+
diff --git a/SPECS/wget.spec b/SPECS/wget.spec
index 49393b6..1cd541a 100644
--- a/SPECS/wget.spec
+++ b/SPECS/wget.spec
@@ -1,7 +1,7 @@
 Summary: A utility for retrieving files using the HTTP or FTP protocols
 Name: wget
 Version: 1.14
-Release: 13%{?dist}
+Release: 15%{?dist}
 License: GPLv3+
 Group: Applications/Internet
 Url: http://www.gnu.org/software/wget/
@@ -28,6 +28,12 @@ Patch16: wget-1.14-CVE-2016-4971.patch
 # Test-ftp-iri-fallback test to fail. This additional change makes
 # Test-ftp-iri-fallback test pass again.
 Patch17: wget-1.14-support-non-ASCII-characters.patch
+Patch18: wget-1.14-add-openssl-tlsv11-tlsv12-support.patch
+# Fix for randomly failing unit test
+# combination of upstream commits without the support for Valgrind
+# commit 3eff3ad69a46364475e1f4abdf9412cfa87e3d6c
+# commit 2303793a626158627bdb2ac255e0f58697682b24
+Patch19: wget-1.14-fix-synchronization-in-Test-proxied-https-auth.patch
 
 Provides: webclient
 Provides: bundled(gnulib) 
@@ -66,6 +72,8 @@ support for Proxy servers, and configurability.
 %patch15 -p1
 %patch16 -p1
 %patch17 -p1
+%patch18 -p1 -b tls11_tls12
+%patch19 -p1 -b test_synch_fix
 
 %build
 if pkg-config openssl ; then
@@ -105,6 +113,13 @@ make check
 %{_infodir}/*
 
 %changelog
+* Fri May 05 2017 Tomas Hozza <thozza@redhat.com> - 1.14-15
+- Added TLSv1_1 and TLSv1_2 as secure-protocol values to help (#1439811)
+- Fixed synchronization in randomly failing unit test Test-proxied-https-auth (#1448440)
+
+* Wed Apr 12 2017 Tomas Hozza <thozza@redhat.com> - 1.14-14
+- TLS v1.1 and v1.2 can now be specified with --secure-protocol option (#1439811)
+
 * Mon Jun 20 2016 Tomas Hozza <thozza@redhat.com> - 1.14-13
 - Fix CVE-2016-4971 (#1345778)
 - Added support for non-ASCII URLs (Related: CVE-2016-4971)