From 7ab0810c977cec1135d9b5bd85b012ca9e6173cc Mon Sep 17 00:00:00 2001
From: Kamil Dudka <kdudka@redhat.com>
Date: Wed, 29 Oct 2014 14:14:23 +0100
Subject: [PATCH 1/2] nss: drop the code for libcurl-level downgrade to SSLv3
This code was already deactivated by commit
ec783dc142129d3860e542b443caaa78a6172d56.
Upstream-commit: 3f430c9c3a4e3748bc075b633a9324c5037c9fe7
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
 lib/nss.c | 52 ----------------------------------------------------
 1 file changed, 52 deletions(-)
diff --git a/lib/nss.c b/lib/nss.c
index 36fa097..0691394 100644
--- a/lib/nss.c
+++ b/lib/nss.c
@@ -835,36 +835,6 @@ static SECStatus SelectClientCert(void *arg, PRFileDesc *sock,
   return SECSuccess;
 }
 
-/* This function is supposed to decide, which error codes should be used
- * to conclude server is TLS intolerant.
- *
- * taken from xulrunner - nsNSSIOLayer.cpp
- */
-static PRBool
-isTLSIntoleranceError(PRInt32 err)
-{
-  switch (err) {
-  case SSL_ERROR_BAD_MAC_ALERT:
-  case SSL_ERROR_BAD_MAC_READ:
-  case SSL_ERROR_HANDSHAKE_FAILURE_ALERT:
-  case SSL_ERROR_HANDSHAKE_UNEXPECTED_ALERT:
-  case SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE:
-  case SSL_ERROR_ILLEGAL_PARAMETER_ALERT:
-  case SSL_ERROR_NO_CYPHER_OVERLAP:
-  case SSL_ERROR_BAD_SERVER:
-  case SSL_ERROR_BAD_BLOCK_PADDING:
-  case SSL_ERROR_UNSUPPORTED_VERSION:
-  case SSL_ERROR_PROTOCOL_VERSION_ALERT:
-  case SSL_ERROR_RX_MALFORMED_FINISHED:
-  case SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE:
-  case SSL_ERROR_DECODE_ERROR_ALERT:
-  case SSL_ERROR_RX_UNKNOWN_ALERT:
-    return PR_TRUE;
-  default:
-    return PR_FALSE;
-  }
-}
-
 /* update blocking direction in case of PR_WOULD_BLOCK_ERROR */
 static void nss_update_connecting_state(ssl_connect_state state, void *secret)
 {
@@ -1236,10 +1206,6 @@ static CURLcode nss_init_sslver(SSLVersionRange *sslver,
   switch (data->set.ssl.version) {
   default:
   case CURL_SSLVERSION_DEFAULT:
-    if(data->state.ssl_connect_retry) {
-      infof(data, "TLS disabled due to previous handshake failure\n");
-      sslver->max = SSL_LIBRARY_VERSION_3_0;
-    }
     return CURLE_OK;
 
   case CURL_SSLVERSION_TLSv1:
@@ -1293,12 +1259,8 @@ static CURLcode nss_fail_connect(struct ssl_connect_data *connssl,
                                  struct SessionHandle *data,
                                  CURLcode curlerr)
 {
-  SSLVersionRange sslver;
   PRErrorCode err = 0;
 
-  /* reset the flag to avoid an infinite loop */
-  data->state.ssl_connect_retry = FALSE;
-
   if(is_nss_error(curlerr)) {
     /* read NSPR error code */
     err = PR_GetError();
@@ -1315,17 +1277,6 @@ static CURLcode nss_fail_connect(struct ssl_connect_data *connssl,
   /* cleanup on connection failure */
   Curl_llist_destroy(connssl->obj_list, NULL);
   connssl->obj_list = NULL;
-
-  if((SSL_VersionRangeGet(connssl->handle, &sslver) == SECSuccess)
-      && (sslver.min == SSL_LIBRARY_VERSION_3_0)
-      && (sslver.max == SSL_LIBRARY_VERSION_TLS_1_0)
-      && isTLSIntoleranceError(err)) {
-    /* schedule reconnect through Curl_retry_request() */
-    data->state.ssl_connect_retry = TRUE;
-    infof(data, "Error in TLS handshake, trying SSLv3...\n");
-    return CURLE_OK;
-  }
-
   return curlerr;
 }
 
@@ -1434,9 +1385,6 @@ static CURLcode nss_setup_connect(struct connectdata *conn, int sockindex)
     infof(data, "warning: support for SSL_CBC_RANDOM_IV not compiled in\n");
 #endif
 
-  /* reset the flag to avoid an infinite loop */
-  data->state.ssl_connect_retry = FALSE;
-
   if(data->set.ssl.cipher_list) {
     if(set_ciphers(data, model, data->set.ssl.cipher_list) != SECSuccess) {
       curlerr = CURLE_SSL_CIPHER;
-- 
2.1.0
From e21cf86258c3cc2042dfb531cbf94ce2f5405d8c Mon Sep 17 00:00:00 2001
From: Kamil Dudka <kdudka@redhat.com>
Date: Wed, 29 Oct 2014 14:24:54 +0100
Subject: [PATCH 2/2] transfer: drop the code handling the ssl_connect_retry
 flag
Its last use has been removed by the previous commit.
Upstream-commit: 276741af4ddebe0cc0d446712fb8dfdf0c140e7b
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
 lib/transfer.c | 12 ++++--------
 lib/urldata.h  |  3 ---
 2 files changed, 4 insertions(+), 11 deletions(-)
diff --git a/lib/transfer.c b/lib/transfer.c
index 330b37a..dff6838 100644
--- a/lib/transfer.c
+++ b/lib/transfer.c
@@ -1269,8 +1269,6 @@ CURLcode Curl_pretransfer(struct SessionHandle *data)
   data->state.errorbuf = FALSE; /* no error has occurred */
   data->state.httpversion = 0; /* don't assume any particular server version */
 
-  data->state.ssl_connect_retry = FALSE;
-
   data->state.authproblem = FALSE;
   data->state.authhost.want = data->set.httpauth;
   data->state.authproxy.want = data->set.proxyauth;
@@ -1848,12 +1846,10 @@ CURLcode Curl_retry_request(struct connectdata *conn,
      !(conn->handler->protocol&(CURLPROTO_HTTP|CURLPROTO_RTSP)))
     return CURLE_OK;
 
-  if(/* workaround for broken TLS servers */ data->state.ssl_connect_retry ||
-      ((data->req.bytecount +
-        data->req.headerbytecount == 0) &&
-        conn->bits.reuse &&
-        !data->set.opt_no_body &&
-        data->set.rtspreq != RTSPREQ_RECEIVE)) {
+  if((data->req.bytecount + data->req.headerbytecount == 0) &&
+      conn->bits.reuse &&
+      !data->set.opt_no_body &&
+      (data->set.rtspreq != RTSPREQ_RECEIVE)) {
     /* We got no data, we attempted to re-use a connection and yet we want a
        "body". This might happen if the connection was left alive when we were
        done using it before, but that was closed when we wanted to read from
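Review bot: The rewritten `if` in Curl_retry_request drops the `ssl_connect_retry` operand along with its `/* workaround for broken TLS servers */` comment, but leaves no statement in the function that a failed TLS handshake is no longer a reason to retry, so a reader who remembers the old branch has nothing to go on. A one-line comment above the condition, `/* a TLS handshake failure is no longer a retry trigger; the SSLv3 fallback was removed from nss_fail_connect() in the previous commit */`, would record that. The remaining test (no bytes received, reused connection, body wanted, not RTSPREQ_RECEIVE) is the second half of the old condition unchanged, so I see no behaviour concern in this hunk. Curl_retry_request's body starts before the hunk and the explanatory comment continues past its last line.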
diff --git a/lib/urldata.h b/lib/urldata.h
index c91bcff..04f590d 100644
--- a/lib/urldata.h
+++ b/lib/urldata.h
@@ -1288,9 +1288,6 @@ struct UrlState {
   } proto;
   /* current user of this SessionHandle instance, or NULL */
   struct connectdata *current_conn;
-
-  /* if true, force SSL connection retry (workaround for certain servers) */
-  bool ssl_connect_retry;
 };
 
 
-- 
2.1.0