From 7ab0810c977cec1135d9b5bd85b012ca9e6173cc Mon Sep 17 00:00:00 2001

From: Kamil Dudka <kdudka@redhat.com>

Date: Wed, 29 Oct 2014 14:14:23 +0100

Subject: [PATCH 1/2] nss: drop the code for libcurl-level downgrade to SSLv3

This code was already deactivated by commit

ec783dc142129d3860e542b443caaa78a6172d56.

Upstream-commit: 3f430c9c3a4e3748bc075b633a9324c5037c9fe7

Signed-off-by: Kamil Dudka <kdudka@redhat.com>

---

 lib/nss.c | 52 ----------------------------------------------------

 1 file changed, 52 deletions(-)

diff --git a/lib/nss.c b/lib/nss.c

index 36fa097..0691394 100644

--- a/lib/nss.c

+++ b/lib/nss.c

@@ -835,36 +835,6 @@ static SECStatus SelectClientCert(void *arg, PRFileDesc *sock,

   return SECSuccess;

 }

-/* This function is supposed to decide, which error codes should be used

- * to conclude server is TLS intolerant.

- *

- * taken from xulrunner - nsNSSIOLayer.cpp

- */

-static PRBool

-isTLSIntoleranceError(PRInt32 err)

-{

-  switch (err) {

-  case SSL_ERROR_BAD_MAC_ALERT:

-  case SSL_ERROR_BAD_MAC_READ:

-  case SSL_ERROR_HANDSHAKE_FAILURE_ALERT:

-  case SSL_ERROR_HANDSHAKE_UNEXPECTED_ALERT:

-  case SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE:

-  case SSL_ERROR_ILLEGAL_PARAMETER_ALERT:

-  case SSL_ERROR_NO_CYPHER_OVERLAP:

-  case SSL_ERROR_BAD_SERVER:

-  case SSL_ERROR_BAD_BLOCK_PADDING:

-  case SSL_ERROR_UNSUPPORTED_VERSION:

-  case SSL_ERROR_PROTOCOL_VERSION_ALERT:

-  case SSL_ERROR_RX_MALFORMED_FINISHED:

-  case SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE:

-  case SSL_ERROR_DECODE_ERROR_ALERT:

-  case SSL_ERROR_RX_UNKNOWN_ALERT:

-    return PR_TRUE;

-  default:

-    return PR_FALSE;

-  }

-}

-

 /* update blocking direction in case of PR_WOULD_BLOCK_ERROR */

 static void nss_update_connecting_state(ssl_connect_state state, void *secret)

 {

@@ -1236,10 +1206,6 @@ static CURLcode nss_init_sslver(SSLVersionRange *sslver,

   switch (data->set.ssl.version) {

   default:

   case CURL_SSLVERSION_DEFAULT:

-    if(data->state.ssl_connect_retry) {

-      infof(data, "TLS disabled due to previous handshake failure\n");

-      sslver->max = SSL_LIBRARY_VERSION_3_0;

-    }

     return CURLE_OK;

   case CURL_SSLVERSION_TLSv1:

@@ -1293,12 +1259,8 @@ static CURLcode nss_fail_connect(struct ssl_connect_data *connssl,

                                  struct SessionHandle *data,

                                  CURLcode curlerr)

 {

-  SSLVersionRange sslver;

   PRErrorCode err = 0;

-  /* reset the flag to avoid an infinite loop */

-  data->state.ssl_connect_retry = FALSE;

-

   if(is_nss_error(curlerr)) {

     /* read NSPR error code */

     err = PR_GetError();

@@ -1315,17 +1277,6 @@ static CURLcode nss_fail_connect(struct ssl_connect_data *connssl,

   /* cleanup on connection failure */

   Curl_llist_destroy(connssl->obj_list, NULL);

   connssl->obj_list = NULL;

-

-  if((SSL_VersionRangeGet(connssl->handle, &sslver) == SECSuccess)

-      && (sslver.min == SSL_LIBRARY_VERSION_3_0)

-      && (sslver.max == SSL_LIBRARY_VERSION_TLS_1_0)

-      && isTLSIntoleranceError(err)) {

-    /* schedule reconnect through Curl_retry_request() */

-    data->state.ssl_connect_retry = TRUE;

-    infof(data, "Error in TLS handshake, trying SSLv3...\n");

-    return CURLE_OK;

-  }

-

   return curlerr;

 }

@@ -1434,9 +1385,6 @@ static CURLcode nss_setup_connect(struct connectdata *conn, int sockindex)

     infof(data, "warning: support for SSL_CBC_RANDOM_IV not compiled in\n");

 #endif

-  /* reset the flag to avoid an infinite loop */

-  data->state.ssl_connect_retry = FALSE;

-

   if(data->set.ssl.cipher_list) {

     if(set_ciphers(data, model, data->set.ssl.cipher_list) != SECSuccess) {

       curlerr = CURLE_SSL_CIPHER;

-- 

2.1.0

From e21cf86258c3cc2042dfb531cbf94ce2f5405d8c Mon Sep 17 00:00:00 2001

From: Kamil Dudka <kdudka@redhat.com>

Date: Wed, 29 Oct 2014 14:24:54 +0100

Subject: [PATCH 2/2] transfer: drop the code handling the ssl_connect_retry

 flag

Its last use has been removed by the previous commit.

Upstream-commit: 276741af4ddebe0cc0d446712fb8dfdf0c140e7b

Signed-off-by: Kamil Dudka <kdudka@redhat.com>

---

 lib/transfer.c | 12 ++++--------

 lib/urldata.h  |  3 ---

 2 files changed, 4 insertions(+), 11 deletions(-)

diff --git a/lib/transfer.c b/lib/transfer.c

index 330b37a..dff6838 100644

--- a/lib/transfer.c

+++ b/lib/transfer.c

@@ -1269,8 +1269,6 @@ CURLcode Curl_pretransfer(struct SessionHandle *data)

   data->state.errorbuf = FALSE; /* no error has occurred */

   data->state.httpversion = 0; /* don't assume any particular server version */

-  data->state.ssl_connect_retry = FALSE;

-

   data->state.authproblem = FALSE;

   data->state.authhost.want = data->set.httpauth;

   data->state.authproxy.want = data->set.proxyauth;

@@ -1848,12 +1846,10 @@ CURLcode Curl_retry_request(struct connectdata *conn,

      !(conn->handler->protocol&(CURLPROTO_HTTP|CURLPROTO_RTSP)))

     return CURLE_OK;

-  if(/* workaround for broken TLS servers */ data->state.ssl_connect_retry ||

-      ((data->req.bytecount +

-        data->req.headerbytecount == 0) &&

-        conn->bits.reuse &&

-        !data->set.opt_no_body &&

-        data->set.rtspreq != RTSPREQ_RECEIVE)) {

+  if((data->req.bytecount + data->req.headerbytecount == 0) &&

+      conn->bits.reuse &&

+      !data->set.opt_no_body &&

+      (data->set.rtspreq != RTSPREQ_RECEIVE)) {

     /* We got no data, we attempted to re-use a connection and yet we want a

        "body". This might happen if the connection was left alive when we were

        done using it before, but that was closed when we wanted to read from

diff --git a/lib/urldata.h b/lib/urldata.h

index c91bcff..04f590d 100644

--- a/lib/urldata.h

+++ b/lib/urldata.h

@@ -1288,9 +1288,6 @@ struct UrlState {

   } proto;

   /* current user of this SessionHandle instance, or NULL */

   struct connectdata *current_conn;

-

-  /* if true, force SSL connection retry (workaround for certain servers) */

-  bool ssl_connect_retry;

 };

-- 

2.1.0