diff --git a/SOURCES/0066-curl-7.29.0-tls13-opt.patch b/SOURCES/0066-curl-7.29.0-tls13-opt.patch
new file mode 100644
index 0000000..5d42d4d
--- /dev/null
+++ b/SOURCES/0066-curl-7.29.0-tls13-opt.patch
@@ -0,0 +1,704 @@ +From 0c36569c6541ed1eb924ccd60dea5caca0d1e957 Mon Sep 17 00:00:00 2001 +From: Kamil Dudka +Date: Thu, 27 Oct 2016 14:57:11 +0200 +Subject: [PATCH 1/5] vtls: support TLS 1.3 via CURL_SSLVERSION_TLSv1_3 + +Fully implemented with the NSS backend only for now. + +Reviewed-by: Ray Satiro + +Upstream-commit: 6ad3add60654182a747f5971afb40817488ef0e8 +Signed-off-by: Kamil Dudka +--- + docs/libcurl/curl_easy_setopt.3 | 2 ++ + docs/libcurl/symbols-in-versions | 1 + + include/curl/curl.h | 1 + + lib/nss.c | 8 ++++++++ + packages/OS400/curl.inc.in | 2 ++ + 5 files changed, 14 insertions(+) + +diff --git a/docs/libcurl/curl_easy_setopt.3 b/docs/libcurl/curl_easy_setopt.3 +index 17b632f..226e0ca 100644 +--- a/docs/libcurl/curl_easy_setopt.3 ++++ b/docs/libcurl/curl_easy_setopt.3 +@@ -2262,6 +2262,8 @@ Force TLSv1.0 (Added in 7.34.0) + Force TLSv1.1 (Added in 7.34.0) + .IP CURL_SSLVERSION_TLSv1_2 + Force TLSv1.2 (Added in 7.34.0) ++.IP CURL_SSLVERSION_TLSv1_3 ++Force TLSv1.3 (Added in 7.51.1) + .RE + .IP CURLOPT_SSL_VERIFYPEER + Pass a long as parameter. By default, curl assumes a value of 1. 
+diff --git a/docs/libcurl/symbols-in-versions b/docs/libcurl/symbols-in-versions +index e2cce4c..a66bd97 100644 +--- a/docs/libcurl/symbols-in-versions ++++ b/docs/libcurl/symbols-in-versions +@@ -685,6 +685,7 @@ CURL_SSLVERSION_TLSv1 7.9.2 + CURL_SSLVERSION_TLSv1_0 7.34.0 + CURL_SSLVERSION_TLSv1_1 7.34.0 + CURL_SSLVERSION_TLSv1_2 7.34.0 ++CURL_SSLVERSION_TLSv1_3 7.51.1 + CURL_TIMECOND_IFMODSINCE 7.9.7 + CURL_TIMECOND_IFUNMODSINCE 7.9.7 + CURL_TIMECOND_LASTMOD 7.9.7 +diff --git a/include/curl/curl.h b/include/curl/curl.h +index 8b639fa..0fb1885 100644 +--- a/include/curl/curl.h ++++ b/include/curl/curl.h +@@ -1645,6 +1645,7 @@ enum { + CURL_SSLVERSION_TLSv1_0, + CURL_SSLVERSION_TLSv1_1, + CURL_SSLVERSION_TLSv1_2, ++ CURL_SSLVERSION_TLSv1_3, + + CURL_SSLVERSION_LAST /* never use, keep last */ + }; +diff --git a/lib/nss.c b/lib/nss.c +index 31e5d75..8e26d1f 100644 +--- a/lib/nss.c ++++ b/lib/nss.c +@@ -1331,6 +1331,14 @@ static CURLcode nss_init_sslver(SSLVersionRange *sslver, + sslver->min = SSL_LIBRARY_VERSION_TLS_1_2; + sslver->max = SSL_LIBRARY_VERSION_TLS_1_2; + return CURLE_OK; ++#endif ++ break; ++ ++ case CURL_SSLVERSION_TLSv1_3: ++#ifdef SSL_LIBRARY_VERSION_TLS_1_3 ++ sslver->min = SSL_LIBRARY_VERSION_TLS_1_3; ++ sslver->max = SSL_LIBRARY_VERSION_TLS_1_3; ++ return CURLE_OK; + #endif + break; + } +diff --git a/packages/OS400/curl.inc.in b/packages/OS400/curl.inc.in +index 22a5511..30e6506 100644 +--- a/packages/OS400/curl.inc.in ++++ b/packages/OS400/curl.inc.in +@@ -232,6 +232,8 @@ + d c 5 + d CURL_SSLVERSION_TLSv1_2... + d c 6 ++ d CURL_SSLVERSION_TLSv1_3... ++ d c 7 + * + d CURL_TLSAUTH_NONE... + d c 0 +-- +2.17.2 + + +From d18da081cc26df5605b5a2995615660eb3270712 Mon Sep 17 00:00:00 2001 +From: Kamil Dudka +Date: Thu, 27 Oct 2016 14:58:43 +0200 +Subject: [PATCH 2/5] curl: introduce the --tlsv1.3 option to force TLS 1.3 + +Fully implemented with the NSS backend only for now. 
+ +Reviewed-by: Ray Satiro + +Upstream-commit: a110a03b43057879643046538c79cc9dd20d399a +Signed-off-by: Kamil Dudka +--- + docs/curl.1 | 10 +++++++--- + src/tool_getparam.c | 5 +++++ + src/tool_help.c | 1 + + src/tool_setopt.c | 1 + + 4 files changed, 14 insertions(+), 3 deletions(-) + +diff --git a/docs/curl.1 b/docs/curl.1 +index a26b03c..0c5ed9a 100644 +--- a/docs/curl.1 ++++ b/docs/curl.1 +@@ -118,9 +118,9 @@ internally preferred: HTTP 1.1. + .IP "-1, --tlsv1" + (SSL) + Forces curl to use TLS version 1.x when negotiating with a remote TLS server. +-You can use options \fI--tlsv1.0\fP, \fI--tlsv1.1\fP, and \fI--tlsv1.2\fP to +-control the TLS version more precisely (if the SSL backend in use supports such +-a level of control). ++You can use options \fI--tlsv1.0\fP, \fI--tlsv1.1\fP, \fI--tlsv1.2\fP, and ++\fI--tlsv1.3\fP to control the TLS version more precisely (if the SSL backend ++in use supports such a level of control). + .IP "-2, --sslv2" + (SSL) + Forces curl to use SSL version 2 when negotiating with a remote SSL server. +@@ -1469,6 +1469,10 @@ Forces curl to use TLS version 1.1 when negotiating with a remote TLS server. + (SSL) + Forces curl to use TLS version 1.2 when negotiating with a remote TLS server. + (Added in 7.34.0) ++.IP "--tlsv1.3" ++(SSL) ++Forces curl to use TLS version 1.3 when negotiating with a remote TLS server. ++(Added in 7.51.1) + .IP "--tr-encoding" + (HTTP) Request a compressed Transfer-Encoding response using one of the + algorithms curl supports, and uncompress the data while receiving it. 
+diff --git a/src/tool_getparam.c b/src/tool_getparam.c +index 32fc68b..86a7bb6 100644 +--- a/src/tool_getparam.c ++++ b/src/tool_getparam.c +@@ -179,6 +179,7 @@ static const struct LongShort aliases[]= { + {"10", "tlsv1.0", FALSE}, + {"11", "tlsv1.1", FALSE}, + {"12", "tlsv1.2", FALSE}, ++ {"13", "tlsv1.3", FALSE}, + {"2", "sslv2", FALSE}, + {"3", "sslv3", FALSE}, + {"4", "ipv4", FALSE}, +@@ -1000,6 +1001,10 @@ ParameterError getparameter(char *flag, /* f or -long-flag */ + /* TLS version 1.2 */ + config->ssl_version = CURL_SSLVERSION_TLSv1_2; + break; ++ case '3': ++ /* TLS version 1.3 */ ++ config->ssl_version = CURL_SSLVERSION_TLSv1_3; ++ break; + } + break; + case '2': +diff --git a/src/tool_help.c b/src/tool_help.c +index c2883eb..0659db6 100644 +--- a/src/tool_help.c ++++ b/src/tool_help.c +@@ -205,6 +205,7 @@ static const char *const helptext[] = { + " --tlsv1.0 Use TLSv1.0 (SSL)", + " --tlsv1.1 Use TLSv1.1 (SSL)", + " --tlsv1.2 Use TLSv1.2 (SSL)", ++ " --tlsv1.3 Use TLSv1.3 (SSL)", + " --trace FILE Write a debug trace to the given file", + " --trace-ascii FILE Like --trace but without the hex output", + " --trace-time Add time stamps to trace/verbose output", +diff --git a/src/tool_setopt.c b/src/tool_setopt.c +index 5ae32cd..0534118 100644 +--- a/src/tool_setopt.c ++++ b/src/tool_setopt.c +@@ -81,6 +81,7 @@ const NameValue setopt_nv_CURL_SSLVERSION[] = { + NV(CURL_SSLVERSION_TLSv1_0), + NV(CURL_SSLVERSION_TLSv1_1), + NV(CURL_SSLVERSION_TLSv1_2), ++ NV(CURL_SSLVERSION_TLSv1_3), + NVEND, + }; + +-- +2.17.2 + + +From 6ffdc6a1ca867c0ed228ffba172cb910b77011f0 Mon Sep 17 00:00:00 2001 +From: Jozef Kralik +Date: Tue, 13 Dec 2016 21:10:00 +0100 +Subject: [PATCH 3/5] vtls: add options to specify range of enabled TLS + versions + +This commit introduces the CURL_SSLVERSION_MAX_* constants as well as +the --tls-max option of the curl tool. 
+ +Closes https://github.com/curl/curl/pull/1166 + +Upstream-commit: 6448f98c1857de521fb2dd3f9d4e5659845b5474 +Signed-off-by: Kamil Dudka +--- + docs/curl.1 | 21 ++++++- + docs/libcurl/curl_easy_setopt.3 | 18 +++++- + docs/libcurl/symbols-in-versions | 8 ++- + include/curl/curl.h | 12 ++++ + lib/nss.c | 94 ++++++++++++++++++++++---------- + lib/sslgen.c | 2 + + lib/url.c | 7 ++- + lib/urldata.h | 1 + + src/tool_cfgable.h | 1 + + src/tool_getparam.c | 6 ++ + src/tool_help.c | 1 + + src/tool_operate.c | 3 +- + src/tool_paramhlp.c | 32 +++++++++++ + src/tool_paramhlp.h | 2 + + 14 files changed, 175 insertions(+), 33 deletions(-) + +diff --git a/docs/curl.1 b/docs/curl.1 +index 0c5ed9a..35fae14 100644 +--- a/docs/curl.1 ++++ b/docs/curl.1 +@@ -1472,7 +1472,26 @@ Forces curl to use TLS version 1.2 when negotiating with a remote TLS server. + .IP "--tlsv1.3" + (SSL) + Forces curl to use TLS version 1.3 when negotiating with a remote TLS server. +-(Added in 7.51.1) ++(Added in 7.52.0) ++.IP "--tls-max " ++(SSL) VERSION defines maximum supported TLS version. The minimum acceptable version ++is set by tlsv1.0, tlsv1.1, tlsv1.2 or tlsv1.3. ++ ++.RS ++.IP "default" ++Use up to recommended TLS version. ++.IP "1.0" ++Use up to TLSv1.0. ++.IP "1.1" ++Use up to TLSv1.1. ++.IP "1.2" ++Use up to TLSv1.2. ++.IP "1.3" ++Use up to TLSv1.3. ++.RE ++ ++See also \fI--tlsv1.0\fP and \fI--tlsv1.1\fP and \fI--tlsv1.2\fP and ++\fI--tlsv1.3\fP. Added in 7.54.0. + .IP "--tr-encoding" + (HTTP) Request a compressed Transfer-Encoding response using one of the + algorithms curl supports, and uncompress the data while receiving it. 
+diff --git a/docs/libcurl/curl_easy_setopt.3 b/docs/libcurl/curl_easy_setopt.3 +index 226e0ca..55d207e 100644 +--- a/docs/libcurl/curl_easy_setopt.3 ++++ b/docs/libcurl/curl_easy_setopt.3 +@@ -2263,7 +2263,23 @@ Force TLSv1.1 (Added in 7.34.0) + .IP CURL_SSLVERSION_TLSv1_2 + Force TLSv1.2 (Added in 7.34.0) + .IP CURL_SSLVERSION_TLSv1_3 +-Force TLSv1.3 (Added in 7.51.1) ++Force TLSv1.3 (Added in 7.52.0) ++.IP CURL_SSLVERSION_MAX_DEFAULT ++The flag defines maximum supported TLS version as TLSv1.2 or default ++value from SSL library. ++(Added in 7.54.0) ++.IP CURL_SSLVERSION_MAX_TLSv1_0 ++The flag defines maximum supported TLS version as TLSv1.0. ++(Added in 7.54.0) ++.IP CURL_SSLVERSION_MAX_TLSv1_1 ++The flag defines maximum supported TLS version as TLSv1.1. ++(Added in 7.54.0) ++.IP CURL_SSLVERSION_MAX_TLSv1_2 ++The flag defines maximum supported TLS version as TLSv1.2. ++(Added in 7.54.0) ++.IP CURL_SSLVERSION_MAX_TLSv1_3 ++The flag defines maximum supported TLS version as TLSv1.3. ++(Added in 7.54.0) + .RE + .IP CURLOPT_SSL_VERIFYPEER + Pass a long as parameter. By default, curl assumes a value of 1. 
+diff --git a/docs/libcurl/symbols-in-versions b/docs/libcurl/symbols-in-versions +index a66bd97..34e0ac3 100644 +--- a/docs/libcurl/symbols-in-versions ++++ b/docs/libcurl/symbols-in-versions +@@ -685,7 +685,13 @@ CURL_SSLVERSION_TLSv1 7.9.2 + CURL_SSLVERSION_TLSv1_0 7.34.0 + CURL_SSLVERSION_TLSv1_1 7.34.0 + CURL_SSLVERSION_TLSv1_2 7.34.0 +-CURL_SSLVERSION_TLSv1_3 7.51.1 ++CURL_SSLVERSION_TLSv1_3 7.52.0 ++CURL_SSLVERSION_MAX_NONE 7.54.0 ++CURL_SSLVERSION_MAX_DEFAULT 7.54.0 ++CURL_SSLVERSION_MAX_TLSv1_0 7.54.0 ++CURL_SSLVERSION_MAX_TLSv1_1 7.54.0 ++CURL_SSLVERSION_MAX_TLSv1_2 7.54.0 ++CURL_SSLVERSION_MAX_TLSv1_3 7.54.0 + CURL_TIMECOND_IFMODSINCE 7.9.7 + CURL_TIMECOND_IFUNMODSINCE 7.9.7 + CURL_TIMECOND_LASTMOD 7.9.7 +diff --git a/include/curl/curl.h b/include/curl/curl.h +index 0fb1885..5a46925 100644 +--- a/include/curl/curl.h ++++ b/include/curl/curl.h +@@ -1650,6 +1650,18 @@ enum { + CURL_SSLVERSION_LAST /* never use, keep last */ + }; + ++enum { ++ CURL_SSLVERSION_MAX_NONE = 0, ++ CURL_SSLVERSION_MAX_DEFAULT = (CURL_SSLVERSION_TLSv1 << 16), ++ CURL_SSLVERSION_MAX_TLSv1_0 = (CURL_SSLVERSION_TLSv1_0 << 16), ++ CURL_SSLVERSION_MAX_TLSv1_1 = (CURL_SSLVERSION_TLSv1_1 << 16), ++ CURL_SSLVERSION_MAX_TLSv1_2 = (CURL_SSLVERSION_TLSv1_2 << 16), ++ CURL_SSLVERSION_MAX_TLSv1_3 = (CURL_SSLVERSION_TLSv1_3 << 16), ++ ++ /* never use, keep last */ ++ CURL_SSLVERSION_MAX_LAST = (CURL_SSLVERSION_LAST << 16) ++}; ++ + enum CURL_TLSAUTH { + CURL_TLSAUTH_NONE, + CURL_TLSAUTH_SRP, +diff --git a/lib/nss.c b/lib/nss.c +index 8e26d1f..d8e481b 100644 +--- a/lib/nss.c ++++ b/lib/nss.c +@@ -1284,67 +1284,105 @@ static CURLcode nss_load_ca_certificates(struct connectdata *conn, + return CURLE_OK; + } + +-static CURLcode nss_init_sslver(SSLVersionRange *sslver, +- struct SessionHandle *data) ++static CURLcode nss_sslver_from_curl(PRUint16 *nssver, long version) + { +- switch (data->set.ssl.version) { +- default: +- case CURL_SSLVERSION_DEFAULT: +- break; +- ++ switch(version) { + case 
CURL_SSLVERSION_TLSv1: +- sslver->min = SSL_LIBRARY_VERSION_TLS_1_0; + #ifdef SSL_LIBRARY_VERSION_TLS_1_2 +- sslver->max = SSL_LIBRARY_VERSION_TLS_1_2; ++ *nssver = SSL_LIBRARY_VERSION_TLS_1_2; + #elif defined SSL_LIBRARY_VERSION_TLS_1_1 +- sslver->max = SSL_LIBRARY_VERSION_TLS_1_1; ++ *nssver = SSL_LIBRARY_VERSION_TLS_1_1; + #else +- sslver->max = SSL_LIBRARY_VERSION_TLS_1_0; ++ *nssver = SSL_LIBRARY_VERSION_TLS_1_0; + #endif + return CURLE_OK; + + case CURL_SSLVERSION_SSLv2: +- sslver->min = SSL_LIBRARY_VERSION_2; +- sslver->max = SSL_LIBRARY_VERSION_2; ++ *nssver = SSL_LIBRARY_VERSION_2; + return CURLE_OK; + + case CURL_SSLVERSION_SSLv3: +- sslver->min = SSL_LIBRARY_VERSION_3_0; +- sslver->max = SSL_LIBRARY_VERSION_3_0; ++ *nssver = SSL_LIBRARY_VERSION_3_0; + return CURLE_OK; + + case CURL_SSLVERSION_TLSv1_0: +- sslver->min = SSL_LIBRARY_VERSION_TLS_1_0; +- sslver->max = SSL_LIBRARY_VERSION_TLS_1_0; ++ *nssver = SSL_LIBRARY_VERSION_TLS_1_0; + return CURLE_OK; + + case CURL_SSLVERSION_TLSv1_1: + #ifdef SSL_LIBRARY_VERSION_TLS_1_1 +- sslver->min = SSL_LIBRARY_VERSION_TLS_1_1; +- sslver->max = SSL_LIBRARY_VERSION_TLS_1_1; ++ *nssver = SSL_LIBRARY_VERSION_TLS_1_1; + return CURLE_OK; ++#else ++ return CURLE_SSL_CONNECT_ERROR; + #endif +- break; + + case CURL_SSLVERSION_TLSv1_2: + #ifdef SSL_LIBRARY_VERSION_TLS_1_2 +- sslver->min = SSL_LIBRARY_VERSION_TLS_1_2; +- sslver->max = SSL_LIBRARY_VERSION_TLS_1_2; ++ *nssver = SSL_LIBRARY_VERSION_TLS_1_2; + return CURLE_OK; ++#else ++ return CURLE_SSL_CONNECT_ERROR; + #endif +- break; + + case CURL_SSLVERSION_TLSv1_3: + #ifdef SSL_LIBRARY_VERSION_TLS_1_3 +- sslver->min = SSL_LIBRARY_VERSION_TLS_1_3; +- sslver->max = SSL_LIBRARY_VERSION_TLS_1_3; ++ *nssver = SSL_LIBRARY_VERSION_TLS_1_3; + return CURLE_OK; ++#else ++ return CURLE_SSL_CONNECT_ERROR; + #endif ++ ++ default: ++ return CURLE_SSL_CONNECT_ERROR; ++ } ++} ++ ++static CURLcode nss_init_sslver(SSLVersionRange *sslver, ++ struct SessionHandle *data) ++{ ++ CURLcode 
result; ++ const long min = data->set.ssl.version; ++ const long max = data->set.ssl.version_max; ++ ++ if(min == CURL_SSLVERSION_DEFAULT || max == CURL_SSLVERSION_MAX_DEFAULT) { ++ /* map CURL_SSLVERSION_DEFAULT to NSS default */ ++ if(SSL_VersionRangeGetDefault(ssl_variant_stream, sslver) != SECSuccess) ++ return CURLE_SSL_CONNECT_ERROR; ++ /* ... but make sure we use at least TLSv1.0 according to libcurl API */ ++ if(sslver->min < SSL_LIBRARY_VERSION_TLS_1_0) ++ sslver->min = SSL_LIBRARY_VERSION_TLS_1_0; ++ } ++ ++ switch(min) { ++ case CURL_SSLVERSION_DEFAULT: ++ break; ++ case CURL_SSLVERSION_TLSv1: ++ sslver->min = SSL_LIBRARY_VERSION_TLS_1_0; + break; ++ default: ++ result = nss_sslver_from_curl(&sslver->min, min); ++ if(result) { ++ failf(data, "unsupported min version passed via CURLOPT_SSLVERSION"); ++ return result; ++ } ++ if(max == CURL_SSLVERSION_MAX_NONE) ++ sslver->max = sslver->min; ++ } ++ ++ switch(max) { ++ case CURL_SSLVERSION_MAX_NONE: ++ case CURL_SSLVERSION_MAX_DEFAULT: ++ break; ++ default: ++ result = nss_sslver_from_curl(&sslver->max, max >> 16); ++ if(result) { ++ failf(data, "unsupported max version passed via CURLOPT_SSLVERSION"); ++ return result; ++ } + } + +- failf(data, "TLS minor version cannot be set"); +- return CURLE_SSL_CONNECT_ERROR; ++ return CURLE_OK; + } + + static CURLcode nss_fail_connect(struct ssl_connect_data *connssl, +@@ -1400,7 +1438,7 @@ static CURLcode nss_setup_connect(struct connectdata *conn, int sockindex) + CURLcode curlerr; + + SSLVersionRange sslver = { +- SSL_LIBRARY_VERSION_3_0, /* min */ ++ SSL_LIBRARY_VERSION_TLS_1_0, /* min */ + SSL_LIBRARY_VERSION_TLS_1_0 /* max */ + }; + +diff --git a/lib/sslgen.c b/lib/sslgen.c +index 79cbb6f..d917f05 100644 +--- a/lib/sslgen.c ++++ b/lib/sslgen.c +@@ -86,6 +86,7 @@ Curl_ssl_config_matches(struct ssl_config_data* data, + struct ssl_config_data* needle) + { + if((data->version == needle->version) && ++ (data->version_max == needle->version_max) && + 
(data->verifypeer == needle->verifypeer) && + (data->verifyhost == needle->verifyhost) && + safe_strequal(data->CApath, needle->CApath) && +@@ -107,6 +108,7 @@ Curl_clone_ssl_config(struct ssl_config_data *source, + dest->verifyhost = source->verifyhost; + dest->verifypeer = source->verifypeer; + dest->version = source->version; ++ dest->version_max = source->version_max; + + if(source->CAfile) { + dest->CAfile = strdup(source->CAfile); +diff --git a/lib/url.c b/lib/url.c +index cb3f3c3..cc099a5 100644 +--- a/lib/url.c ++++ b/lib/url.c +@@ -667,6 +667,9 @@ CURLcode Curl_open(struct SessionHandle **curl) + return res; + } + ++#define C_SSLVERSION_VALUE(x) (x & 0xffff) ++#define C_SSLVERSION_MAX_VALUE(x) (x & 0xffff0000) ++ + CURLcode Curl_setopt(struct SessionHandle *data, CURLoption option, + va_list param) + { +@@ -882,7 +885,9 @@ CURLcode Curl_setopt(struct SessionHandle *data, CURLoption option, + * Set explicit SSL version to try to connect with, as some SSL + * implementations are lame. 
+ */ +- data->set.ssl.version = va_arg(param, long); ++ arg = va_arg(param, long); ++ data->set.ssl.version = C_SSLVERSION_VALUE(arg); ++ data->set.ssl.version_max = C_SSLVERSION_MAX_VALUE(arg); + break; + + #ifndef CURL_DISABLE_HTTP +diff --git a/lib/urldata.h b/lib/urldata.h +index d10c784..a5027ed 100644 +--- a/lib/urldata.h ++++ b/lib/urldata.h +@@ -335,6 +335,7 @@ struct ssl_connect_data { + + struct ssl_config_data { + long version; /* what version the client wants to use */ ++ long version_max; /* max supported version the client wants to use*/ + long certverifyresult; /* result from the certificate verification */ + + bool verifypeer; /* set TRUE if this is desired */ +diff --git a/src/tool_cfgable.h b/src/tool_cfgable.h +index 68d0297..5f45f63 100644 +--- a/src/tool_cfgable.h ++++ b/src/tool_cfgable.h +@@ -146,6 +146,7 @@ struct Configurable { + struct curl_slist *postquote; + struct curl_slist *prequote; + long ssl_version; ++ long ssl_version_max; + long ip_version; + curl_TimeCond timecond; + time_t condtime; +diff --git a/src/tool_getparam.c b/src/tool_getparam.c +index 86a7bb6..9a228b9 100644 +--- a/src/tool_getparam.c ++++ b/src/tool_getparam.c +@@ -174,6 +174,7 @@ static const struct LongShort aliases[]= { + {"$I", "post303", FALSE}, + {"$J", "metalink", FALSE}, + {"$M", "unix-socket", TRUE}, ++ {"$X", "tls-max", TRUE}, + {"0", "http1.0", FALSE}, + {"1", "tlsv1", FALSE}, + {"10", "tlsv1.0", FALSE}, +@@ -968,6 +969,11 @@ ParameterError getparameter(char *flag, /* f or -long-flag */ + case 'M': /* --unix-socket */ + GetStr(&config->unix_socket_path, nextarg); + break; ++ case 'X': /* --tls-max */ ++ err = str2tls_max(&config->ssl_version_max, nextarg); ++ if(err) ++ return err; ++ break; + } + break; + case '#': /* --progress-bar */ +diff --git a/src/tool_help.c b/src/tool_help.c +index 0659db6..3eeef6d 100644 +--- a/src/tool_help.c ++++ b/src/tool_help.c +@@ -206,6 +206,7 @@ static const char *const helptext[] = { + " --tlsv1.1 Use TLSv1.1 (SSL)", + 
" --tlsv1.2 Use TLSv1.2 (SSL)", + " --tlsv1.3 Use TLSv1.3 (SSL)", ++ " --tls-max VERSION Use TLS up to VERSION (SSL)", + " --trace FILE Write a debug trace to the given file", + " --trace-ascii FILE Like --trace but without the hex output", + " --trace-time Add time stamps to trace/verbose output", +diff --git a/src/tool_operate.c b/src/tool_operate.c +index 185f9c6..052def1 100644 +--- a/src/tool_operate.c ++++ b/src/tool_operate.c +@@ -1109,7 +1109,8 @@ int operate(struct Configurable *config, int argc, argv_item_t argv[]) + } + #endif + +- my_setopt_enum(curl, CURLOPT_SSLVERSION, config->ssl_version); ++ my_setopt_enum(curl, CURLOPT_SSLVERSION, ++ config->ssl_version | config->ssl_version_max); + my_setopt_enum(curl, CURLOPT_TIMECONDITION, config->timecond); + my_setopt(curl, CURLOPT_TIMEVALUE, config->condtime); + my_setopt_str(curl, CURLOPT_CUSTOMREQUEST, config->customrequest); +diff --git a/src/tool_paramhlp.c b/src/tool_paramhlp.c +index 5d6f8bb..5ceddb2 100644 +--- a/src/tool_paramhlp.c ++++ b/src/tool_paramhlp.c +@@ -405,3 +405,35 @@ long delegation(struct Configurable *config, char *str) + return CURLGSSAPI_DELEGATION_NONE; + } + ++/* ++ * Parse the string and modify ssl_version in the val argument. Return PARAM_OK ++ * on success, otherwise a parameter error enum. ONLY ACCEPTS POSITIVE NUMBERS! ++ * ++ * Since this function gets called with the 'nextarg' pointer from within the ++ * getparameter a lot, we must check it for NULL before accessing the str ++ * data. 
++ */
++
++ParameterError str2tls_max(long *val, const char *str)
++{
++ static struct s_tls_max {
++ const char *tls_max_str;
++ long tls_max;
++ } const tls_max_array[] = {
++ { "default", CURL_SSLVERSION_MAX_DEFAULT },
++ { "1.0", CURL_SSLVERSION_MAX_TLSv1_0 },
++ { "1.1", CURL_SSLVERSION_MAX_TLSv1_1 },
++ { "1.2", CURL_SSLVERSION_MAX_TLSv1_2 },
++ { "1.3", CURL_SSLVERSION_MAX_TLSv1_3 }
++ };
++ size_t i = 0;
++ if(!str)
++ return PARAM_REQUIRES_PARAMETER;
++ for(i = 0; i < sizeof(tls_max_array)/sizeof(tls_max_array[0]); i++) {
++ if(!strcmp(str, tls_max_array[i].tls_max_str)) {
++ *val = tls_max_array[i].tls_max;
++ return PARAM_OK;
++ }
++ }
++ return PARAM_BAD_USE;
++}
+diff --git a/src/tool_paramhlp.h b/src/tool_paramhlp.h
+index de1604e..c848d1c 100644
+--- a/src/tool_paramhlp.h
++++ b/src/tool_paramhlp.h
+@@ -48,5 +48,7 @@ int ftpcccmethod(struct Configurable *config, const char *str);
+ 
+ long delegation(struct Configurable *config, char *str);
+ 
++ParameterError str2tls_max(long *val, const char *str);
++
+ #endif /* HEADER_CURL_TOOL_PARAMHLP_H */
+ 
+--
+2.20.1
+
+
+From 6a332224ba66b7ad21f6a874af94c1b7441ca19f Mon Sep 17 00:00:00 2001
+From: Hubert Kario
+Date: Fri, 17 May 2019 17:15:24 +0000
+Subject: [PATCH 4/5] nss: allow to specify TLS 1.3 ciphers if supported by NSS
+
+Closes #3916
+
+Upstream-commit: 319ae9075efba769c9d5e98e827bb325ad0fcb6f
+Signed-off-by: Kamil Dudka
+---
+ lib/nss.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/lib/nss.c b/lib/nss.c
+index d8e481b..330387c 100644
+--- a/lib/nss.c
++++ b/lib/nss.c
+@@ -195,6 +195,11 @@ static const cipher_s cipherlist[] = {
+ {"dhe_rsa_chacha20_poly1305_sha_256",
+ TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256},
+ #endif
++#ifdef TLS_AES_256_GCM_SHA384
++ {"aes_128_gcm_sha_256", TLS_AES_128_GCM_SHA256},
++ {"aes_256_gcm_sha_384", TLS_AES_256_GCM_SHA384},
++ {"chacha20_poly1305_sha_256", TLS_CHACHA20_POLY1305_SHA256},
++#endif
+ };
+ 
+ static const char* pem_library = "libnsspem.so";
+--
+2.20.1
+
+
+From 268dcd88beb3d270d5aaeda473d51550ea9a3f84 Mon Sep 17 00:00:00 2001
+From: Kamil Dudka
+Date: Mon, 3 Jun 2019 12:31:21 +0200
+Subject: [PATCH 5/5] nss: make `curl --tlsv1` compatible with
+ curl-7.29.0-52.el7
+
+---
+ lib/nss.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/lib/nss.c b/lib/nss.c
+index 330387c..f963c63 100644
+--- a/lib/nss.c
++++ b/lib/nss.c
+@@ -1350,7 +1350,9 @@ static CURLcode nss_init_sslver(SSLVersionRange *sslver,
+ const long min = data->set.ssl.version;
+ const long max = data->set.ssl.version_max;
+ 
+- if(min == CURL_SSLVERSION_DEFAULT || max == CURL_SSLVERSION_MAX_DEFAULT) {
++ if(min == CURL_SSLVERSION_DEFAULT || max == CURL_SSLVERSION_MAX_DEFAULT
++ || min == CURL_SSLVERSION_TLSv1)
++ {
+ /* map CURL_SSLVERSION_DEFAULT to NSS default */
+ if(SSL_VersionRangeGetDefault(ssl_variant_stream, sslver) != SECSuccess)
+ return CURLE_SSL_CONNECT_ERROR;
+--
+2.20.1
+
diff --git a/SOURCES/0067-curl-7.29.0-CVE-2018-16842.patch b/SOURCES/0067-curl-7.29.0-CVE-2018-16842.patch
new file mode 100644
index 0000000..b24e232
--- /dev/null
+++ b/SOURCES/0067-curl-7.29.0-CVE-2018-16842.patch
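Review bot: nss_init_sslver, as rewritten in the lib/nss.c hunk of PATCH 3/5, never checks that the resolved range is ordered, so a combination such as `--tlsv1.2 --tls-max 1.0` leaves sslver->min above sslver->max and is presumably only rejected later when the range is handed to NSS, outside this hunk, with a generic connect error rather than the explicit failf() messages the function already emits for unsupported versions. A final guard before `return CURLE_OK;`, `if(sslver->min > sslver->max) { failf(data, "TLS minimum version is above the maximum"); return CURLE_SSL_CONNECT_ERROR; }`, would report the misconfiguration at the same place as the other checks. The header comment on str2tls_max in src/tool_paramhlp.c is copied from a numeric parser and does not describe this function ("modify ssl_version", "ONLY ACCEPTS POSITIVE NUMBERS!"); it should state that the argument is matched against the names default, 1.0, 1.1, 1.2 and 1.3, stored as the corresponding CURL_SSLVERSION_MAX_* constant, and that any other string yields PARAM_BAD_USE. PATCH 5/5 carries no Upstream-commit trailer, so the new mapping of `--tlsv1` onto the NSS default range is downstream-only behavior that deserves a sentence in its patch description.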
@@ -0,0 +1,33 @@
+From 1a7533244a1e158ee071e821bbb05cb31c16d25e Mon Sep 17 00:00:00 2001
+From: Daniel Stenberg
+Date: Sun, 28 Oct 2018 01:33:23 +0200
+Subject: [PATCH] voutf: fix bad arethmetic when outputting warnings to stderr
+
+CVE-2018-16842
+Reported-by: Brian Carpenter
+Bug: https://curl.haxx.se/docs/CVE-2018-16842.html
+
+Upstream-commit: d530e92f59ae9bb2d47066c3c460b25d2ffeb211
+Signed-off-by: Kamil Dudka
+---
+ src/tool_msgs.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/tool_msgs.c b/src/tool_msgs.c
+index 80fdf4e..ce47e9a 100644
+--- a/src/tool_msgs.c
++++ b/src/tool_msgs.c
+@@ -67,8 +67,8 @@ void warnf(struct Configurable *config, const char *fmt, ...)
+ 
+ (void)fwrite(ptr, cut + 1, 1, config->errors);
+ fputs("\n", config->errors);
+- ptr += cut+1; /* skip the space too */
+- len -= cut;
++ ptr += cut + 1; /* skip the space too */
++ len -= cut + 1;
+ }
+ else {
+ fputs(ptr, config->errors);
+--
+2.17.2
+
diff --git a/SPECS/curl.spec b/SPECS/curl.spec
index 98b2fea..0535712 100644
--- a/SPECS/curl.spec
+++ b/SPECS/curl.spec
@@ -1,7 +1,7 @@
 Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
 Name: curl
 Version: 7.29.0
-Release: 51%{?dist}.3
+Release: 54%{?dist}
 License: MIT
 Group: Applications/Internet
 Source: http://curl.haxx.se/download/%{name}-%{version}.tar.lzma
@@ -202,12 +202,18 @@ Patch64: 0064-curl-7.29.0-CVE-2018-1000301.patch
 
 # make curl --speed-limit work with TFTP (#1584750)
 Patch65: 0065-curl-7.29.0-tftp-speed-limit.patch
 
-# prevent curl --rate-limit from hanging on file URLs (#1281969)
-Patch69: 0069-curl-7.29.0-file-limit-rate.patch
+# backport options to force TLS 1.3 in curl and libcurl (#1672639)
+Patch66: 0066-curl-7.29.0-tls13-opt.patch
+
+# fix bad arithmetic when outputting warnings to stderr (CVE-2018-16842)
+Patch67: 0067-curl-7.29.0-CVE-2018-16842.patch
 
 # fix NTLM password overflow via integer overflow (CVE-2018-14618)
 Patch68: 0068-curl-7.29.0-CVE-2018-14618.patch
 
+# prevent curl --rate-limit from hanging on file URLs (#1281969)
+Patch69: 0069-curl-7.29.0-file-limit-rate.patch
+
 # patch making libcurl multilib ready
 Patch101: 0101-curl-7.29.0-multilib.patch
@@ -403,6 +409,8 @@ documentation of the library, too.
 %patch63 -p1
 %patch64 -p1
 %patch65 -p1
+%patch66 -p1
+%patch67 -p1
 %patch68 -p1
 %patch69 -p1
 
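Review bot: The comment added for Patch66, `# backport options to force TLS 1.3 in curl and libcurl (#1672639)`, understates what that file carries: besides the TLS 1.3 option it adds --tls-max and the CURL_SSLVERSION_MAX_* constants, the TLS 1.3 cipher names for NSS, and a final sub-patch with no Upstream-commit trailer that changes how `--tlsv1` maps onto the NSS version range. A maintainer reading only the spec will assume the whole patch is an upstream backport, so the comment should name the downstream-only part, e.g. `# backport TLS 1.3 / --tls-max support; keeps --tlsv1 on the NSS default range (#1672639)`. The Patch69 move only restores numeric ordering of the definitions and the %patch lines in the second hunk apply in the same order, so nothing else needs changing here.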
@@ -520,14 +528,18 @@ rm -rf $RPM_BUILD_ROOT
 %{_datadir}/aclocal/libcurl.m4
 
 %changelog
-* Mon May 27 2019 Kamil Dudka - 7.29.0-51.el7_6.3
-- fix NTLM password overflow via integer overflow (CVE-2018-14618)
+* Mon Jun 03 2019 Kamil Dudka - 7.29.0-54
+- make `curl --tlsv1` backward compatible (#1672639)
 
-* Mon May 20 2019 Kamil Dudka - 7.29.0-51.el7_6.2
-- prevent curl --rate-limit from crashing on https URLs (#1683292)
+* Mon May 27 2019 Kamil Dudka - 7.29.0-53
+- backport the --tls-max option of curl and TLS 1.3 ciphers (#1672639)
 
-* Mon May 13 2019 Kamil Dudka - 7.29.0-51.el7_6.1
+* Fri Mar 01 2019 Kamil Dudka - 7.29.0-52
 - prevent curl --rate-limit from hanging on file URLs (#1281969)
+- fix NTLM password overflow via integer overflow (CVE-2018-14618)
+- fix bad arithmetic when outputting warnings to stderr (CVE-2018-16842)
+- backport options to force TLS 1.3 in curl and libcurl (#1672639)
+- prevent curl --rate-limit from crashing on https URLs (#1683292)
 
 * Wed Aug 08 2018 Kamil Dudka - 7.29.0-51
 - require a new enough version of nss-pem to avoid regression in yum (#1610998)