Blame SOURCES/0025-curl-7.29.0-3f430c9c.patch

9d7d3f
From 7ab0810c977cec1135d9b5bd85b012ca9e6173cc Mon Sep 17 00:00:00 2001
9d7d3f
From: Kamil Dudka <kdudka@redhat.com>
9d7d3f
Date: Wed, 29 Oct 2014 14:14:23 +0100
9d7d3f
Subject: [PATCH 1/2] nss: drop the code for libcurl-level downgrade to SSLv3
9d7d3f
9d7d3f
This code was already deactivated by commit
9d7d3f
ec783dc142129d3860e542b443caaa78a6172d56.
9d7d3f
9d7d3f
Upstream-commit: 3f430c9c3a4e3748bc075b633a9324c5037c9fe7
9d7d3f
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
9d7d3f
---
9d7d3f
 lib/nss.c | 52 ----------------------------------------------------
9d7d3f
 1 file changed, 52 deletions(-)
9d7d3f
9d7d3f
diff --git a/lib/nss.c b/lib/nss.c
9d7d3f
index 36fa097..0691394 100644
9d7d3f
--- a/lib/nss.c
9d7d3f
+++ b/lib/nss.c
9d7d3f
@@ -835,36 +835,6 @@ static SECStatus SelectClientCert(void *arg, PRFileDesc *sock,
9d7d3f
   return SECSuccess;
9d7d3f
 }
9d7d3f
 
9d7d3f
-/* This function is supposed to decide, which error codes should be used
9d7d3f
- * to conclude server is TLS intolerant.
9d7d3f
- *
9d7d3f
- * taken from xulrunner - nsNSSIOLayer.cpp
9d7d3f
- */
9d7d3f
-static PRBool
9d7d3f
-isTLSIntoleranceError(PRInt32 err)
9d7d3f
-{
9d7d3f
-  switch (err) {
9d7d3f
-  case SSL_ERROR_BAD_MAC_ALERT:
9d7d3f
-  case SSL_ERROR_BAD_MAC_READ:
9d7d3f
-  case SSL_ERROR_HANDSHAKE_FAILURE_ALERT:
9d7d3f
-  case SSL_ERROR_HANDSHAKE_UNEXPECTED_ALERT:
9d7d3f
-  case SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE:
9d7d3f
-  case SSL_ERROR_ILLEGAL_PARAMETER_ALERT:
9d7d3f
-  case SSL_ERROR_NO_CYPHER_OVERLAP:
9d7d3f
-  case SSL_ERROR_BAD_SERVER:
9d7d3f
-  case SSL_ERROR_BAD_BLOCK_PADDING:
9d7d3f
-  case SSL_ERROR_UNSUPPORTED_VERSION:
9d7d3f
-  case SSL_ERROR_PROTOCOL_VERSION_ALERT:
9d7d3f
-  case SSL_ERROR_RX_MALFORMED_FINISHED:
9d7d3f
-  case SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE:
9d7d3f
-  case SSL_ERROR_DECODE_ERROR_ALERT:
9d7d3f
-  case SSL_ERROR_RX_UNKNOWN_ALERT:
9d7d3f
-    return PR_TRUE;
9d7d3f
-  default:
9d7d3f
-    return PR_FALSE;
9d7d3f
-  }
9d7d3f
-}
9d7d3f
-
9d7d3f
 /* update blocking direction in case of PR_WOULD_BLOCK_ERROR */
9d7d3f
 static void nss_update_connecting_state(ssl_connect_state state, void *secret)
9d7d3f
 {
9d7d3f
@@ -1236,10 +1206,6 @@ static CURLcode nss_init_sslver(SSLVersionRange *sslver,
9d7d3f
   switch (data->set.ssl.version) {
9d7d3f
   default:
9d7d3f
   case CURL_SSLVERSION_DEFAULT:
9d7d3f
-    if(data->state.ssl_connect_retry) {
9d7d3f
-      infof(data, "TLS disabled due to previous handshake failure\n");
9d7d3f
-      sslver->max = SSL_LIBRARY_VERSION_3_0;
9d7d3f
-    }
9d7d3f
     return CURLE_OK;
9d7d3f
 
9d7d3f
   case CURL_SSLVERSION_TLSv1:
9d7d3f
@@ -1293,12 +1259,8 @@ static CURLcode nss_fail_connect(struct ssl_connect_data *connssl,
9d7d3f
                                  struct SessionHandle *data,
9d7d3f
                                  CURLcode curlerr)
9d7d3f
 {
9d7d3f
-  SSLVersionRange sslver;
9d7d3f
   PRErrorCode err = 0;
9d7d3f
 
9d7d3f
-  /* reset the flag to avoid an infinite loop */
9d7d3f
-  data->state.ssl_connect_retry = FALSE;
9d7d3f
-
9d7d3f
   if(is_nss_error(curlerr)) {
9d7d3f
     /* read NSPR error code */
9d7d3f
     err = PR_GetError();
9d7d3f
@@ -1315,17 +1277,6 @@ static CURLcode nss_fail_connect(struct ssl_connect_data *connssl,
9d7d3f
   /* cleanup on connection failure */
9d7d3f
   Curl_llist_destroy(connssl->obj_list, NULL);
9d7d3f
   connssl->obj_list = NULL;
9d7d3f
-
9d7d3f
-  if((SSL_VersionRangeGet(connssl->handle, &sslver) == SECSuccess)
9d7d3f
-      && (sslver.min == SSL_LIBRARY_VERSION_3_0)
9d7d3f
-      && (sslver.max == SSL_LIBRARY_VERSION_TLS_1_0)
9d7d3f
-      && isTLSIntoleranceError(err)) {
9d7d3f
-    /* schedule reconnect through Curl_retry_request() */
9d7d3f
-    data->state.ssl_connect_retry = TRUE;
9d7d3f
-    infof(data, "Error in TLS handshake, trying SSLv3...\n");
9d7d3f
-    return CURLE_OK;
9d7d3f
-  }
9d7d3f
-
9d7d3f
   return curlerr;
9d7d3f
 }
9d7d3f
 
9d7d3f
@@ -1434,9 +1385,6 @@ static CURLcode nss_setup_connect(struct connectdata *conn, int sockindex)
9d7d3f
     infof(data, "warning: support for SSL_CBC_RANDOM_IV not compiled in\n");
9d7d3f
 #endif
9d7d3f
 
9d7d3f
-  /* reset the flag to avoid an infinite loop */
9d7d3f
-  data->state.ssl_connect_retry = FALSE;
9d7d3f
-
9d7d3f
   if(data->set.ssl.cipher_list) {
9d7d3f
     if(set_ciphers(data, model, data->set.ssl.cipher_list) != SECSuccess) {
9d7d3f
       curlerr = CURLE_SSL_CIPHER;
9d7d3f
-- 
9d7d3f
2.1.0
9d7d3f
9d7d3f
9d7d3f
From e21cf86258c3cc2042dfb531cbf94ce2f5405d8c Mon Sep 17 00:00:00 2001
9d7d3f
From: Kamil Dudka <kdudka@redhat.com>
9d7d3f
Date: Wed, 29 Oct 2014 14:24:54 +0100
9d7d3f
Subject: [PATCH 2/2] transfer: drop the code handling the ssl_connect_retry
9d7d3f
 flag
9d7d3f
9d7d3f
Its last use has been removed by the previous commit.
9d7d3f
9d7d3f
Upstream-commit: 276741af4ddebe0cc0d446712fb8dfdf0c140e7b
9d7d3f
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
9d7d3f
---
9d7d3f
 lib/transfer.c | 12 ++++--------
9d7d3f
 lib/urldata.h  |  3 ---
9d7d3f
 2 files changed, 4 insertions(+), 11 deletions(-)
9d7d3f
9d7d3f
diff --git a/lib/transfer.c b/lib/transfer.c
9d7d3f
index 330b37a..dff6838 100644
9d7d3f
--- a/lib/transfer.c
9d7d3f
+++ b/lib/transfer.c
9d7d3f
@@ -1269,8 +1269,6 @@ CURLcode Curl_pretransfer(struct SessionHandle *data)
9d7d3f
   data->state.errorbuf = FALSE; /* no error has occurred */
9d7d3f
   data->state.httpversion = 0; /* don't assume any particular server version */
9d7d3f
 
9d7d3f
-  data->state.ssl_connect_retry = FALSE;
9d7d3f
-
9d7d3f
   data->state.authproblem = FALSE;
9d7d3f
   data->state.authhost.want = data->set.httpauth;
9d7d3f
   data->state.authproxy.want = data->set.proxyauth;
9d7d3f
@@ -1848,12 +1846,10 @@ CURLcode Curl_retry_request(struct connectdata *conn,
9d7d3f
      !(conn->handler->protocol&(CURLPROTO_HTTP|CURLPROTO_RTSP)))
9d7d3f
     return CURLE_OK;
9d7d3f
 
9d7d3f
-  if(/* workaround for broken TLS servers */ data->state.ssl_connect_retry ||
9d7d3f
-      ((data->req.bytecount +
9d7d3f
-        data->req.headerbytecount == 0) &&
9d7d3f
-        conn->bits.reuse &&
9d7d3f
-        !data->set.opt_no_body &&
9d7d3f
-        data->set.rtspreq != RTSPREQ_RECEIVE)) {
9d7d3f
+  if((data->req.bytecount + data->req.headerbytecount == 0) &&
9d7d3f
+      conn->bits.reuse &&
9d7d3f
+      !data->set.opt_no_body &&
9d7d3f
+      (data->set.rtspreq != RTSPREQ_RECEIVE)) {
9d7d3f
     /* We got no data, we attempted to re-use a connection and yet we want a
9d7d3f
        "body". This might happen if the connection was left alive when we were
9d7d3f
        done using it before, but that was closed when we wanted to read from
9d7d3f
diff --git a/lib/urldata.h b/lib/urldata.h
9d7d3f
index c91bcff..04f590d 100644
9d7d3f
--- a/lib/urldata.h
9d7d3f
+++ b/lib/urldata.h
9d7d3f
@@ -1288,9 +1288,6 @@ struct UrlState {
9d7d3f
   } proto;
9d7d3f
   /* current user of this SessionHandle instance, or NULL */
9d7d3f
   struct connectdata *current_conn;
9d7d3f
-
9d7d3f
-  /* if true, force SSL connection retry (workaround for certain servers) */
9d7d3f
-  bool ssl_connect_retry;
9d7d3f
 };
9d7d3f
 
9d7d3f
 
9d7d3f
-- 
9d7d3f
2.1.0
9d7d3f