diff --git a/SOURCES/0013-curl-7.29.0-665c160f.patch b/SOURCES/0013-curl-7.29.0-665c160f.patch new file mode 100644 index 0000000..d7c2ddf --- /dev/null +++ b/SOURCES/0013-curl-7.29.0-665c160f.patch @@ -0,0 +1,86 @@ +From 311a22b801693bf8b748169f35bde7bef744da8c Mon Sep 17 00:00:00 2001 +From: Kamil Dudka +Date: Wed, 29 Jan 2014 12:55:36 +0100 +Subject: [PATCH 1/2] nss: do not fail if NSS does not implement a cipher + +... that the user does not ask for + +[upstream commit e15e73b741a2ddc88d166d2cec86d2bebb5d349e] +--- + lib/nss.c | 9 +++++---- + 1 files changed, 5 insertions(+), 4 deletions(-) + +diff --git a/lib/nss.c b/lib/nss.c +index a2c5c63..c4ffe7b 100644 +--- a/lib/nss.c ++++ b/lib/nss.c +@@ -192,14 +192,13 @@ static SECStatus set_ciphers(struct SessionHandle *data, PRFileDesc * model, + PRBool cipher_state[NUM_OF_CIPHERS]; + PRBool found; + char *cipher; +- SECStatus rv; + + /* First disable all ciphers. This uses a different max value in case + * NSS adds more ciphers later we don't want them available by + * accident + */ + for(i=0; i +Date: Wed, 29 Jan 2014 13:03:46 +0100 +Subject: [PATCH 2/2] nss: do not use the NSS_ENABLE_ECC define + +It is not provided by NSS public headers. + +Bug: https://bugzilla.redhat.com/1058776 + +[upstream commit 665c160f0a4635565b44704ca281d2a03e715d6d] +--- + lib/nss.c | 2 -- + 1 files changed, 0 insertions(+), 2 deletions(-) + +diff --git a/lib/nss.c b/lib/nss.c +index c4ffe7b..111982f 100644 +--- a/lib/nss.c ++++ b/lib/nss.c +@@ -126,7 +126,6 @@ static const cipher_s cipherlist[] = { + /* AES ciphers. */ + {"rsa_aes_128_sha", TLS_RSA_WITH_AES_128_CBC_SHA}, + {"rsa_aes_256_sha", TLS_RSA_WITH_AES_256_CBC_SHA}, +-#ifdef NSS_ENABLE_ECC + /* ECC ciphers. */ + {"ecdh_ecdsa_null_sha", TLS_ECDH_ECDSA_WITH_NULL_SHA}, + {"ecdh_ecdsa_rc4_128_sha", TLS_ECDH_ECDSA_WITH_RC4_128_SHA}, +@@ -153,7 +152,6 @@ static const cipher_s cipherlist[] = { + {"ecdh_anon_3des_sha", TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA}, + {"ecdh_anon_aes_128_sha", TLS_ECDH_anon_WITH_AES_128_CBC_SHA}, + {"ecdh_anon_aes_256_sha", TLS_ECDH_anon_WITH_AES_256_CBC_SHA}, +-#endif + }; + + /* following ciphers are new in NSS 3.4 and not enabled by default, therefore +-- +1.7.1 + diff --git a/SOURCES/0014-curl-7.29.0-8ae35102.patch b/SOURCES/0014-curl-7.29.0-8ae35102.patch new file mode 100644 index 0000000..9daa26d --- /dev/null +++ b/SOURCES/0014-curl-7.29.0-8ae35102.patch @@ -0,0 +1,42 @@ +From 8683703ef3978983e61329801aecc554aec06055 Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Tue, 7 Jan 2014 09:33:54 +0100 +Subject: [PATCH] ConnectionExists: fix NTLM check for new connection + +When the requested authentication bitmask includes NTLM, we cannot +re-use a connection for another username/password as we then risk +re-using NTLM (connection-based auth). + +This has the unfortunate downside that if you include NTLM as a possible +auth, you cannot re-use connections for other usernames/passwords even +if NTLM doesn't end up the auth type used. + +Reported-by: Paras S +Patched-by: Paras S +Bug: http://curl.haxx.se/mail/lib-2014-01/0046.html + +[upstream commit 8ae35102c43d8d06572c3a1292eb6e27e663c78d] + +Signed-off-by: Kamil Dudka +--- + lib/url.c | 4 ++-- + 1 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/lib/url.c b/lib/url.c +index bddbd91..313ec3e 100644 +--- a/lib/url.c ++++ b/lib/url.c +@@ -2782,8 +2782,8 @@ ConnectionExists(struct SessionHandle *data, + struct connectdata *check; + struct connectdata *chosen = 0; + bool canPipeline = IsPipeliningPossible(data, needle); +- bool wantNTLM = (data->state.authhost.want==CURLAUTH_NTLM) || +- (data->state.authhost.want==CURLAUTH_NTLM_WB) ? TRUE : FALSE; ++ bool wantNTLM = (data->state.authhost.want & CURLAUTH_NTLM) || ++ (data->state.authhost.want & CURLAUTH_NTLM_WB) ? TRUE : FALSE; + struct connectbundle *bundle; + + /* Look up the bundle with all the connections to this +-- +1.7.1 + diff --git a/SOURCES/0015-curl-7.29.0-7fc9325a.patch b/SOURCES/0015-curl-7.29.0-7fc9325a.patch new file mode 100644 index 0000000..7b6c5fe --- /dev/null +++ b/SOURCES/0015-curl-7.29.0-7fc9325a.patch @@ -0,0 +1,1090 @@ +From a7b1ea3537b30450ad82d2c64d31dcecaed60fca Mon Sep 17 00:00:00 2001 +From: Gergely Nagy +Date: Thu, 19 Sep 2013 15:17:13 +0200 +Subject: [PATCH 1/9] SSL: protocol version can be specified more precisely + +CURL_SSLVERSION_TLSv1_0, CURL_SSLVERSION_TLSv1_1, +CURL_SSLVERSION_TLSv1_2 enum values are added to force exact TLS version +(CURL_SSLVERSION_TLSv1 means TLS 1.x). + +axTLS: +axTLS only supports TLS 1.0 and 1.1 but it cannot be set that only one +of these should be used, so we don't allow the new enum values. + +darwinssl: +Added support for the new enum values. + +SChannel: +Added support for the new enum values. + +CyaSSL: +Added support for the new enum values. +Bug: The original CURL_SSLVERSION_TLSv1 value enables only TLS 1.0 (it +did the same before this commit), because CyaSSL cannot be configured to +use TLS 1.0-1.2. + +GSKit: +GSKit doesn't seem to support TLS 1.1 and TLS 1.2, so we do not allow +those values. +Bugfix: There was a typo that caused wrong SSL versions to be passed to +GSKit. + +NSS: +TLS minor version cannot be set, so we don't allow the new enum values. + +QsoSSL: +TLS minor version cannot be set, so we don't allow the new enum values. + +OpenSSL: +Added support for the new enum values. +Bugfix: The original CURL_SSLVERSION_TLSv1 value enabled only TLS 1.0, +now it enables 1.0-1.2. + +Command-line tool: +Added command line options for the new values. + +[upstream commit ad34a2d5c87c7f4b14e8dded34569395de0d8c5b] +--- + docs/libcurl/curl_easy_setopt.3 | 8 +++++- + docs/libcurl/symbols-in-versions | 3 ++ + include/curl/curl.h | 5 +++- + lib/axtls.c | 3 +- + lib/curl_darwinssl.c | 34 +++++++++++++++++++++++++ + lib/curl_schannel.c | 9 ++++++ + lib/cyassl.c | 13 +++++++++- + lib/nss.c | 6 ++++ + lib/qssl.c | 6 ++++ + lib/ssluse.c | 51 +++++++++++++++++++++++++++---------- + packages/OS400/curl.inc.in | 6 ++++ + src/tool_getparam.c | 25 ++++++++++++++++-- + src/tool_setopt.c | 3 ++ + 13 files changed, 151 insertions(+), 21 deletions(-) + +diff --git a/docs/libcurl/curl_easy_setopt.3 b/docs/libcurl/curl_easy_setopt.3 +index 3d31aef..92db8f4 100644 +--- a/docs/libcurl/curl_easy_setopt.3 ++++ b/docs/libcurl/curl_easy_setopt.3 +@@ -2219,11 +2219,17 @@ The default action. This will attempt to figure out the remote SSL protocol + version, i.e. either SSLv3 or TLSv1 (but not SSLv2, which became disabled + by default with 7.18.1). + .IP CURL_SSLVERSION_TLSv1 +-Force TLSv1 ++Force TLSv1.x + .IP CURL_SSLVERSION_SSLv2 + Force SSLv2 + .IP CURL_SSLVERSION_SSLv3 + Force SSLv3 ++.IP CURL_SSLVERSION_TLSv1_0 ++Force TLSv1.0 ++.IP CURL_SSLVERSION_TLSv1_1 ++Force TLSv1.1 ++.IP CURL_SSLVERSION_TLSv1_2 ++Force TLSv1.2 + .RE + .IP CURLOPT_SSL_VERIFYPEER + Pass a long as parameter. By default, curl assumes a value of 1. +diff --git a/docs/libcurl/symbols-in-versions b/docs/libcurl/symbols-in-versions +index 37b5e27..57fa6eb 100644 +--- a/docs/libcurl/symbols-in-versions ++++ b/docs/libcurl/symbols-in-versions +@@ -678,6 +678,9 @@ CURL_SSLVERSION_DEFAULT 7.9.2 + CURL_SSLVERSION_SSLv2 7.9.2 + CURL_SSLVERSION_SSLv3 7.9.2 + CURL_SSLVERSION_TLSv1 7.9.2 ++CURL_SSLVERSION_TLSv1_0 7.33.0 ++CURL_SSLVERSION_TLSv1_1 7.33.0 ++CURL_SSLVERSION_TLSv1_2 7.33.0 + CURL_TIMECOND_IFMODSINCE 7.9.7 + CURL_TIMECOND_IFUNMODSINCE 7.9.7 + CURL_TIMECOND_LASTMOD 7.9.7 +diff --git a/include/curl/curl.h b/include/curl/curl.h +index 80e4cf5..8e548e3 100644 +--- a/include/curl/curl.h ++++ b/include/curl/curl.h +@@ -1625,9 +1625,12 @@ enum CURL_NETRC_OPTION { + + enum { + CURL_SSLVERSION_DEFAULT, +- CURL_SSLVERSION_TLSv1, ++ CURL_SSLVERSION_TLSv1, /* TLS 1.x */ + CURL_SSLVERSION_SSLv2, + CURL_SSLVERSION_SSLv3, ++ CURL_SSLVERSION_TLSv1_0, ++ CURL_SSLVERSION_TLSv1_1, ++ CURL_SSLVERSION_TLSv1_2, + + CURL_SSLVERSION_LAST /* never use, keep last */ + }; +diff --git a/lib/axtls.c b/lib/axtls.c +index d512950..68794b5 100644 +--- a/lib/axtls.c ++++ b/lib/axtls.c +@@ -169,7 +169,8 @@ Curl_axtls_connect(struct connectdata *conn, + case CURL_SSLVERSION_TLSv1: + break; + default: +- failf(data, "axTLS only supports TLSv1"); ++ failf(data, "axTLS only supports TLS 1.0 and 1.1, " ++ "and it cannot be specified which one to use"); + return CURLE_SSL_CONNECT_ERROR; + } + +diff --git a/lib/curl_darwinssl.c b/lib/curl_darwinssl.c +index 827c876..69eff8a 100644 +--- a/lib/curl_darwinssl.c ++++ b/lib/curl_darwinssl.c +@@ -719,6 +719,18 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn, + (void)SSLSetProtocolVersionMin(connssl->ssl_ctx, kTLSProtocol1); + (void)SSLSetProtocolVersionMax(connssl->ssl_ctx, kTLSProtocol12); + break; ++ case CURL_SSLVERSION_TLSv1_0: ++ (void)SSLSetProtocolVersionMin(connssl->ssl_ctx, kTLSProtocol1); ++ (void)SSLSetProtocolVersionMax(connssl->ssl_ctx, kTLSProtocol1); ++ break; ++ case CURL_SSLVERSION_TLSv1_1: ++ (void)SSLSetProtocolVersionMin(connssl->ssl_ctx, kTLSProtocol11); ++ (void)SSLSetProtocolVersionMax(connssl->ssl_ctx, kTLSProtocol11); ++ break; ++ case CURL_SSLVERSION_TLSv1_2: ++ (void)SSLSetProtocolVersionMin(connssl->ssl_ctx, kTLSProtocol12); ++ (void)SSLSetProtocolVersionMax(connssl->ssl_ctx, kTLSProtocol12); ++ break; + case CURL_SSLVERSION_SSLv3: + (void)SSLSetProtocolVersionMin(connssl->ssl_ctx, kSSLProtocol3); + (void)SSLSetProtocolVersionMax(connssl->ssl_ctx, kSSLProtocol3); +@@ -759,6 +771,21 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn, + kTLSProtocol12, + true); + break; ++ case CURL_SSLVERSION_TLSv1_0: ++ (void)SSLSetProtocolVersionEnabled(connssl->ssl_ctx, ++ kTLSProtocol1, ++ true); ++ break; ++ case CURL_SSLVERSION_TLSv1_1: ++ (void)SSLSetProtocolVersionEnabled(connssl->ssl_ctx, ++ kTLSProtocol11, ++ true); ++ break; ++ case CURL_SSLVERSION_TLSv1_2: ++ (void)SSLSetProtocolVersionEnabled(connssl->ssl_ctx, ++ kTLSProtocol12, ++ true); ++ break; + case CURL_SSLVERSION_SSLv3: + (void)SSLSetProtocolVersionEnabled(connssl->ssl_ctx, + kSSLProtocol3, +@@ -785,10 +812,17 @@ static CURLcode darwinssl_connect_step1(struct connectdata *conn, + true); + break; + case CURL_SSLVERSION_TLSv1: ++ case CURL_SSLVERSION_TLSv1_0: + (void)SSLSetProtocolVersionEnabled(connssl->ssl_ctx, + kTLSProtocol1, + true); + break; ++ case CURL_SSLVERSION_TLSv1_1: ++ failf(data, "Your version of the OS does not support TLSv1.1"); ++ return CURLE_SSL_CONNECT_ERROR; ++ case CURL_SSLVERSION_TLSv1_2: ++ failf(data, "Your version of the OS does not support TLSv1.2"); ++ return CURLE_SSL_CONNECT_ERROR; + case CURL_SSLVERSION_SSLv2: + (void)SSLSetProtocolVersionEnabled(connssl->ssl_ctx, + kSSLProtocol2, +diff --git a/lib/curl_schannel.c b/lib/curl_schannel.c +index a615f57..19b7f71 100644 +--- a/lib/curl_schannel.c ++++ b/lib/curl_schannel.c +@@ -180,6 +180,15 @@ schannel_connect_step1(struct connectdata *conn, int sockindex) + SP_PROT_TLS1_1_CLIENT | + SP_PROT_TLS1_2_CLIENT; + break; ++ case CURL_SSLVERSION_TLSv1_0: ++ schannel_cred.grbitEnabledProtocols = SP_PROT_TLS1_0_CLIENT; ++ break; ++ case CURL_SSLVERSION_TLSv1_1: ++ schannel_cred.grbitEnabledProtocols = SP_PROT_TLS1_1_CLIENT; ++ break; ++ case CURL_SSLVERSION_TLSv1_2: ++ schannel_cred.grbitEnabledProtocols = SP_PROT_TLS1_2_CLIENT; ++ break; + case CURL_SSLVERSION_SSLv3: + schannel_cred.grbitEnabledProtocols = SP_PROT_SSL3_CLIENT; + break; +diff --git a/lib/cyassl.c b/lib/cyassl.c +index 7c78464..ff11bdd 100644 +--- a/lib/cyassl.c ++++ b/lib/cyassl.c +@@ -5,7 +5,7 @@ + * | (__| |_| | _ <| |___ + * \___|\___/|_| \_\_____| + * +- * Copyright (C) 1998 - 2012, Daniel Stenberg, , et al. ++ * Copyright (C) 1998 - 2013, Daniel Stenberg, , et al. + * + * This software is licensed as described in the file COPYING, which + * you should have received as part of this distribution. The terms +@@ -98,8 +98,19 @@ cyassl_connect_step1(struct connectdata *conn, + req_method = SSLv23_client_method(); + break; + case CURL_SSLVERSION_TLSv1: ++ infof(data, "CyaSSL cannot be configured to use TLS 1.0-1.2, " ++ "TLS 1.0 is used exclusively\n"); + req_method = TLSv1_client_method(); + break; ++ case CURL_SSLVERSION_TLSv1_0: ++ req_method = TLSv1_client_method(); ++ break; ++ case CURL_SSLVERSION_TLSv1_1: ++ req_method = TLSv1_1_client_method(); ++ break; ++ case CURL_SSLVERSION_TLSv1_2: ++ req_method = TLSv1_2_client_method(); ++ break; + case CURL_SSLVERSION_SSLv3: + req_method = SSLv3_client_method(); + break; +diff --git a/lib/nss.c b/lib/nss.c +index 111982f..ff93a38 100644 +--- a/lib/nss.c ++++ b/lib/nss.c +@@ -1266,6 +1266,12 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex) + case CURL_SSLVERSION_SSLv3: + ssl3 = PR_TRUE; + break; ++ case CURL_SSLVERSION_TLSv1_0: ++ case CURL_SSLVERSION_TLSv1_1: ++ case CURL_SSLVERSION_TLSv1_2: ++ failf(data, "TLS minor version cannot be set\n"); ++ curlerr = CURLE_SSL_CONNECT_ERROR; ++ goto error; + } + + if(SSL_OptionSet(model, SSL_ENABLE_SSL2, ssl2) != SECSuccess) +diff --git a/lib/qssl.c b/lib/qssl.c +index 8ef6fec..8b5e499 100644 +--- a/lib/qssl.c ++++ b/lib/qssl.c +@@ -206,6 +206,12 @@ static CURLcode Curl_qsossl_handshake(struct connectdata * conn, int sockindex) + case CURL_SSLVERSION_SSLv3: + h->protocol = SSL_VERSION_3; + break; ++ ++ case CURL_SSLVERSION_TLSv1_0: ++ case CURL_SSLVERSION_TLSv1_1: ++ case CURL_SSLVERSION_TLSv1_2: ++ failf(data, "TLS minor version cannot be set"); ++ return CURLE_SSL_CONNECT_ERROR; + } + + rc = SSL_Handshake(h, SSL_HANDSHAKE_AS_CLIENT); +diff --git a/lib/ssluse.c b/lib/ssluse.c +index 4a0dba7..dd99435 100644 +--- a/lib/ssluse.c ++++ b/lib/ssluse.c +@@ -1389,19 +1389,12 @@ ossl_connect_step1(struct connectdata *conn, + switch(data->set.ssl.version) { + default: + case CURL_SSLVERSION_DEFAULT: +-#ifdef USE_TLS_SRP +- if(data->set.ssl.authtype == CURL_TLSAUTH_SRP) { +- infof(data, "Set version TLSv1 for SRP authorisation\n"); +- req_method = TLSv1_client_method() ; +- } +- else +-#endif +- /* we try to figure out version */ +- req_method = SSLv23_client_method(); +- use_sni(TRUE); +- break; + case CURL_SSLVERSION_TLSv1: +- req_method = TLSv1_client_method(); ++ case CURL_SSLVERSION_TLSv1_0: ++ case CURL_SSLVERSION_TLSv1_1: ++ case CURL_SSLVERSION_TLSv1_2: ++ /* it will be handled later with the context options */ ++ req_method = SSLv23_client_method(); + use_sni(TRUE); + break; + case CURL_SSLVERSION_SSLv2: +@@ -1514,9 +1507,39 @@ ossl_connect_step1(struct connectdata *conn, + ctx_options &= ~SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS; + #endif + +- /* disable SSLv2 in the default case (i.e. allow SSLv3 and TLSv1) */ +- if(data->set.ssl.version == CURL_SSLVERSION_DEFAULT) ++ switch(data->set.ssl.version) { ++ case CURL_SSLVERSION_DEFAULT: ++ ctx_options |= SSL_OP_NO_SSLv2; ++#ifdef USE_TLS_SRP ++ if(data->set.ssl.authtype == CURL_TLSAUTH_SRP) { ++ infof(data, "Set version TLSv1.x for SRP authorisation\n"); ++ ctx_options |= SSL_OP_NO_SSLv3; ++ } ++#endif ++ break; ++ case CURL_SSLVERSION_TLSv1: ++ ctx_options |= SSL_OP_NO_SSLv2; ++ ctx_options |= SSL_OP_NO_SSLv3; ++ break; ++ case CURL_SSLVERSION_TLSv1_0: + ctx_options |= SSL_OP_NO_SSLv2; ++ ctx_options |= SSL_OP_NO_SSLv3; ++ ctx_options |= SSL_OP_NO_TLSv1_1; ++ ctx_options |= SSL_OP_NO_TLSv1_2; ++ break; ++ case CURL_SSLVERSION_TLSv1_1: ++ ctx_options |= SSL_OP_NO_SSLv2; ++ ctx_options |= SSL_OP_NO_SSLv3; ++ ctx_options |= SSL_OP_NO_TLSv1; ++ ctx_options |= SSL_OP_NO_TLSv1_2; ++ break; ++ case CURL_SSLVERSION_TLSv1_2: ++ ctx_options |= SSL_OP_NO_SSLv2; ++ ctx_options |= SSL_OP_NO_SSLv3; ++ ctx_options |= SSL_OP_NO_TLSv1; ++ ctx_options |= SSL_OP_NO_TLSv1_1; ++ break; ++ } + + SSL_CTX_set_options(connssl->ctx, ctx_options); + +diff --git a/packages/OS400/curl.inc.in b/packages/OS400/curl.inc.in +index 33ca12a..22a5511 100644 +--- a/packages/OS400/curl.inc.in ++++ b/packages/OS400/curl.inc.in +@@ -226,6 +226,12 @@ + d c 2 + d CURL_SSLVERSION_SSLv3... + d c 3 ++ d CURL_SSLVERSION_TLSv1_0... ++ d c 4 ++ d CURL_SSLVERSION_TLSv1_1... ++ d c 5 ++ d CURL_SSLVERSION_TLSv1_2... ++ d c 6 + * + d CURL_TLSAUTH_NONE... + d c 0 +diff --git a/src/tool_getparam.c b/src/tool_getparam.c +index 297b986..98d53a7 100644 +--- a/src/tool_getparam.c ++++ b/src/tool_getparam.c +@@ -175,6 +175,9 @@ static const struct LongShort aliases[]= { + {"$J", "metalink", FALSE}, + {"0", "http1.0", FALSE}, + {"1", "tlsv1", FALSE}, ++ {"10", "tlsv1.0", FALSE}, ++ {"11", "tlsv1.1", FALSE}, ++ {"12", "tlsv1.2", FALSE}, + {"2", "sslv2", FALSE}, + {"3", "sslv3", FALSE}, + {"4", "ipv4", FALSE}, +@@ -873,9 +876,25 @@ ParameterError getparameter(char *flag, /* f or -long-flag */ + /* HTTP version 1.0 */ + config->httpversion = CURL_HTTP_VERSION_1_0; + break; +- case '1': +- /* TLS version 1 */ +- config->ssl_version = CURL_SSLVERSION_TLSv1; ++ case '1': /* --tlsv1* options */ ++ switch(subletter) { ++ case '\0': ++ /* TLS version 1.x */ ++ config->ssl_version = CURL_SSLVERSION_TLSv1; ++ break; ++ case '0': ++ /* TLS version 1.0 */ ++ config->ssl_version = CURL_SSLVERSION_TLSv1_0; ++ break; ++ case '1': ++ /* TLS version 1.1 */ ++ config->ssl_version = CURL_SSLVERSION_TLSv1_1; ++ break; ++ case '2': ++ /* TLS version 1.2 */ ++ config->ssl_version = CURL_SSLVERSION_TLSv1_2; ++ break; ++ } + break; + case '2': + /* SSL version 2 */ +diff --git a/src/tool_setopt.c b/src/tool_setopt.c +index 4014177..9860117 100644 +--- a/src/tool_setopt.c ++++ b/src/tool_setopt.c +@@ -78,6 +78,9 @@ const NameValue setopt_nv_CURL_SSLVERSION[] = { + NV(CURL_SSLVERSION_TLSv1), + NV(CURL_SSLVERSION_SSLv2), + NV(CURL_SSLVERSION_SSLv3), ++ NV(CURL_SSLVERSION_TLSv1_0), ++ NV(CURL_SSLVERSION_TLSv1_1), ++ NV(CURL_SSLVERSION_TLSv1_2), + NVEND, + }; + +-- +1.7.1 + + +From 350765306d7e2946fc8295fa2bfc2fe0c14651fc Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Tue, 15 Oct 2013 20:31:04 +0200 +Subject: [PATCH 2/9] curl: document the new --tlsv1.[012] options + +[upstream commit 076726f1412205622414abd908723c4b33ca12cb] +--- + docs/curl.1 | 20 ++++++++++++++++---- + 1 files changed, 16 insertions(+), 4 deletions(-) + +diff --git a/docs/curl.1 b/docs/curl.1 +index b350865..53b378c 100644 +--- a/docs/curl.1 ++++ b/docs/curl.1 +@@ -1419,14 +1419,26 @@ Set TLS authentication type. Currently, the only supported option is "SRP", + for TLS-SRP (RFC 5054). If \fI--tlsuser\fP and \fI--tlspassword\fP are + specified but \fI--tlsauthtype\fP is not, then this option defaults to "SRP". + (Added in 7.21.4) +-.IP "--tlsuser " +-Set username for use with the TLS authentication method specified with +-\fI--tlsauthtype\fP. Requires that \fI--tlspassword\fP also be set. (Added in +-7.21.4) + .IP "--tlspassword " + Set password for use with the TLS authentication method specified with + \fI--tlsauthtype\fP. Requires that \fI--tlsuser\fP also be set. (Added in + 7.21.4) ++.IP "--tlsuser " ++Set username for use with the TLS authentication method specified with ++\fI--tlsauthtype\fP. Requires that \fI--tlspassword\fP also be set. (Added in ++7.21.4) ++.IP "--tlsv1.0" ++(SSL) ++Forces curl to use TLS version 1.0 when negotiating with a remote TLS server. ++(Added in 7.34.0) ++.IP "--tlsv1.1" ++(SSL) ++Forces curl to use TLS version 1.1 when negotiating with a remote TLS server. ++(Added in 7.34.0) ++.IP "--tlsv1.2" ++(SSL) ++Forces curl to use TLS version 1.2 when negotiating with a remote TLS server. ++(Added in 7.34.0) + .IP "--tr-encoding" + (HTTP) Request a compressed Transfer-Encoding response using one of the + algorithms curl supports, and uncompress the data while receiving it. +-- +1.7.1 + + +From ba2b4e87b396faab9ccb5a3ca9aca935a7a78a1b Mon Sep 17 00:00:00 2001 +From: Steve Holme +Date: Wed, 16 Oct 2013 20:06:23 +0100 +Subject: [PATCH 3/9] SSL: Corrected version number for new symbols from commit ad34a2d5c87c7f + +[upstream commit 2c84ffe1549ea7d5029ba7863f53013562e6758d] +--- + docs/libcurl/symbols-in-versions | 6 +++--- + 1 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/docs/libcurl/symbols-in-versions b/docs/libcurl/symbols-in-versions +index 57fa6eb..b275900 100644 +--- a/docs/libcurl/symbols-in-versions ++++ b/docs/libcurl/symbols-in-versions +@@ -678,9 +678,9 @@ CURL_SSLVERSION_DEFAULT 7.9.2 + CURL_SSLVERSION_SSLv2 7.9.2 + CURL_SSLVERSION_SSLv3 7.9.2 + CURL_SSLVERSION_TLSv1 7.9.2 +-CURL_SSLVERSION_TLSv1_0 7.33.0 +-CURL_SSLVERSION_TLSv1_1 7.33.0 +-CURL_SSLVERSION_TLSv1_2 7.33.0 ++CURL_SSLVERSION_TLSv1_0 7.34.0 ++CURL_SSLVERSION_TLSv1_1 7.34.0 ++CURL_SSLVERSION_TLSv1_2 7.34.0 + CURL_TIMECOND_IFMODSINCE 7.9.7 + CURL_TIMECOND_IFUNMODSINCE 7.9.7 + CURL_TIMECOND_LASTMOD 7.9.7 +-- +1.7.1 + + +From 5f908139b4e56c969bf6ef06c115a0a12353c827 Mon Sep 17 00:00:00 2001 +From: Steve Holme +Date: Wed, 16 Oct 2013 20:18:15 +0100 +Subject: [PATCH 4/9] DOCS: Added libcurl version number to CURLOPT_SSLVERSION + +[upstream commit 75b9b26465d5f01b52564293c2d553649f801f70] +--- + docs/libcurl/curl_easy_setopt.3 | 8 +++++--- + 1 files changed, 5 insertions(+), 3 deletions(-) + +diff --git a/docs/libcurl/curl_easy_setopt.3 b/docs/libcurl/curl_easy_setopt.3 +index 92db8f4..d73b664 100644 +--- a/docs/libcurl/curl_easy_setopt.3 ++++ b/docs/libcurl/curl_easy_setopt.3 +@@ -2212,6 +2212,8 @@ Even though this option doesn't need any parameter, in some configurations + arguments. Therefore, it's recommended to pass 1 as parameter to this option. + .IP CURLOPT_SSLVERSION + Pass a long as parameter to control what version of SSL/TLS to attempt to use. ++(Added in 7.9.2) ++ + The available options are: + .RS + .IP CURL_SSLVERSION_DEFAULT +@@ -2225,11 +2227,11 @@ Force SSLv2 + .IP CURL_SSLVERSION_SSLv3 + Force SSLv3 + .IP CURL_SSLVERSION_TLSv1_0 +-Force TLSv1.0 ++Force TLSv1.0 (Added in 7.34.0) + .IP CURL_SSLVERSION_TLSv1_1 +-Force TLSv1.1 ++Force TLSv1.1 (Added in 7.34.0) + .IP CURL_SSLVERSION_TLSv1_2 +-Force TLSv1.2 ++Force TLSv1.2 (Added in 7.34.0) + .RE + .IP CURLOPT_SSL_VERIFYPEER + Pass a long as parameter. By default, curl assumes a value of 1. +-- +1.7.1 + + +From 7940044fc233f626b912b5f51a7a0111a4c145d3 Mon Sep 17 00:00:00 2001 +From: Kamil Dudka +Date: Mon, 25 Nov 2013 16:03:52 +0100 +Subject: [PATCH 5/9] nss: use a better API for controlling SSL version + +This change introduces a dependency on NSS 3.14+. + +[upstream commit 30e7e7552ba4397896ecac82ea04f38d52c4cc8f] +--- + configure | 20 ++++++++++---------- + configure.ac | 4 ++-- + docs/INTERNALS | 2 +- + lib/nss.c | 40 +++++++++++++++++++--------------------- + 4 files changed, 32 insertions(+), 34 deletions(-) + +diff --git a/configure b/configure +index 2496b3c..ebde78a 100755 +--- a/configure ++++ b/configure +@@ -23641,9 +23641,9 @@ $as_echo "found" >&6; } + CPPFLAGS="$CPPFLAGS $addcflags" + fi + +- { $as_echo "$as_me:${as_lineno-$LINENO}: checking for PK11_CreateGenericObject in -lnss3" >&5 +-$as_echo_n "checking for PK11_CreateGenericObject in -lnss3... " >&6; } +-if ${ac_cv_lib_nss3_PK11_CreateGenericObject+:} false; then : ++ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for SSL_VersionRangeSet in -lnss3" >&5 ++$as_echo_n "checking for SSL_VersionRangeSet in -lnss3... " >&6; } ++if ${ac_cv_lib_nss3_SSL_VersionRangeSet+:} false; then : + $as_echo_n "(cached) " >&6 + else + ac_check_lib_save_LIBS=$LIBS +@@ -23655,26 +23655,26 @@ cat confdefs.h - <<_ACEOF >conftest.$ac_ext + #ifdef __cplusplus + extern "C" + #endif +-char PK11_CreateGenericObject (); ++char SSL_VersionRangeSet (); + int main (void) + { +-return PK11_CreateGenericObject (); ++return SSL_VersionRangeSet (); + ; + return 0; + } + _ACEOF + if ac_fn_c_try_link "$LINENO"; then : +- ac_cv_lib_nss3_PK11_CreateGenericObject=yes ++ ac_cv_lib_nss3_SSL_VersionRangeSet=yes + else +- ac_cv_lib_nss3_PK11_CreateGenericObject=no ++ ac_cv_lib_nss3_SSL_VersionRangeSet=no + fi + rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext + LIBS=$ac_check_lib_save_LIBS + fi +-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_nss3_PK11_CreateGenericObject" >&5 +-$as_echo "$ac_cv_lib_nss3_PK11_CreateGenericObject" >&6; } +-if test "x$ac_cv_lib_nss3_PK11_CreateGenericObject" = xyes; then : ++{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_cv_lib_nss3_SSL_VersionRangeSet" >&5 ++$as_echo "$ac_cv_lib_nss3_SSL_VersionRangeSet" >&6; } ++if test "x$ac_cv_lib_nss3_SSL_VersionRangeSet" = xyes; then : + + + $as_echo "#define USE_NSS 1" >>confdefs.h +diff --git a/configure.ac b/configure.ac +index 5970188..c81c879 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -2194,8 +2194,8 @@ if test "$curl_ssl_msg" = "$init_ssl_msg"; then + CPPFLAGS="$CPPFLAGS $addcflags" + fi + +- dnl The function PK11_CreateGenericObject is needed to load libnsspem.so +- AC_CHECK_LIB(nss3, PK11_CreateGenericObject, ++ dnl The function SSL_VersionRangeSet() is needed to enable TLS > 1.0 ++ AC_CHECK_LIB(nss3, SSL_VersionRangeSet, + [ + AC_DEFINE(USE_NSS, 1, [if NSS is enabled]) + AC_SUBST(USE_NSS, [1]) +diff --git a/docs/INTERNALS b/docs/INTERNALS +index 03839c3..581b22d 100644 +--- a/docs/INTERNALS ++++ b/docs/INTERNALS +@@ -43,7 +43,7 @@ Portability + openldap 2.0 + MIT krb5 lib 1.2.4 + qsossl V5R2M0 +- NSS 3.12.x ++ NSS 3.14.x + axTLS 1.2.7 + Heimdal ? + +diff --git a/lib/nss.c b/lib/nss.c +index ff93a38..14a0b0c 100644 +--- a/lib/nss.c ++++ b/lib/nss.c +@@ -1175,9 +1175,7 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex) + { + PRErrorCode err = 0; + PRFileDesc *model = NULL; +- PRBool ssl2 = PR_FALSE; +- PRBool ssl3 = PR_FALSE; +- PRBool tlsv1 = PR_FALSE; ++ SSLVersionRange sslver; + PRBool ssl_no_cache; + PRBool ssl_cbc_random_iv; + struct SessionHandle *data = conn->data; +@@ -1251,20 +1249,25 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex) + switch (data->set.ssl.version) { + default: + case CURL_SSLVERSION_DEFAULT: +- ssl3 = PR_TRUE; +- if(data->state.ssl_connect_retry) ++ sslver.min = SSL_LIBRARY_VERSION_3_0; ++ if(data->state.ssl_connect_retry) { + infof(data, "TLS disabled due to previous handshake failure\n"); ++ sslver.max = SSL_LIBRARY_VERSION_3_0; ++ } + else +- tlsv1 = PR_TRUE; ++ sslver.max = SSL_LIBRARY_VERSION_TLS_1_0; + break; + case CURL_SSLVERSION_TLSv1: +- tlsv1 = PR_TRUE; ++ sslver.min = SSL_LIBRARY_VERSION_TLS_1_0; ++ sslver.max = SSL_LIBRARY_VERSION_TLS_1_0; + break; + case CURL_SSLVERSION_SSLv2: +- ssl2 = PR_TRUE; ++ sslver.min = SSL_LIBRARY_VERSION_2; ++ sslver.max = SSL_LIBRARY_VERSION_2; + break; + case CURL_SSLVERSION_SSLv3: +- ssl3 = PR_TRUE; ++ sslver.min = SSL_LIBRARY_VERSION_3_0; ++ sslver.max = SSL_LIBRARY_VERSION_3_0; + break; + case CURL_SSLVERSION_TLSv1_0: + case CURL_SSLVERSION_TLSv1_1: +@@ -1274,14 +1277,7 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex) + goto error; + } + +- if(SSL_OptionSet(model, SSL_ENABLE_SSL2, ssl2) != SECSuccess) +- goto error; +- if(SSL_OptionSet(model, SSL_ENABLE_SSL3, ssl3) != SECSuccess) +- goto error; +- if(SSL_OptionSet(model, SSL_ENABLE_TLS, tlsv1) != SECSuccess) +- goto error; +- +- if(SSL_OptionSet(model, SSL_V2_COMPATIBLE_HELLO, ssl2) != SECSuccess) ++ if(SSL_VersionRangeSet(model, &sslver) != SECSuccess) + goto error; + + ssl_cbc_random_iv = !data->set.ssl_enable_beast; +@@ -1467,11 +1463,13 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex) + if(model) + PR_Close(model); + +- /* cleanup on connection failure */ +- Curl_llist_destroy(connssl->obj_list, NULL); +- connssl->obj_list = NULL; ++ /* cleanup on connection failure */ ++ Curl_llist_destroy(connssl->obj_list, NULL); ++ connssl->obj_list = NULL; + +- if(ssl3 && tlsv1 && isTLSIntoleranceError(err)) { ++ if((sslver.min == SSL_LIBRARY_VERSION_3_0) ++ && (sslver.max == SSL_LIBRARY_VERSION_TLS_1_0) ++ && isTLSIntoleranceError(err)) { + /* schedule reconnect through Curl_retry_request() */ + data->state.ssl_connect_retry = TRUE; + infof(data, "Error in TLS handshake, trying SSLv3...\n"); +-- +1.7.1 + + +From 08398e7a8a8ba4e6fef1557392e3c0104cc3550f Mon Sep 17 00:00:00 2001 +From: Kamil Dudka +Date: Mon, 25 Nov 2013 16:14:55 +0100 +Subject: [PATCH 6/9] nss: put SSL version selection into separate fnc + +[upstream commit 4fb8241add5b68e95fbf44d3c2bf470201a9915d] +--- + lib/nss.c | 72 +++++++++++++++++++++++++++++++++++------------------------- + 1 files changed, 42 insertions(+), 30 deletions(-) + +diff --git a/lib/nss.c b/lib/nss.c +index 14a0b0c..2e2240b 100644 +--- a/lib/nss.c ++++ b/lib/nss.c +@@ -1171,6 +1171,46 @@ static CURLcode nss_load_ca_certificates(struct connectdata *conn, + return CURLE_OK; + } + ++static CURLcode nss_init_sslver(SSLVersionRange *sslver, ++ struct SessionHandle *data) ++{ ++ switch (data->set.ssl.version) { ++ default: ++ case CURL_SSLVERSION_DEFAULT: ++ sslver->min = SSL_LIBRARY_VERSION_3_0; ++ if(data->state.ssl_connect_retry) { ++ infof(data, "TLS disabled due to previous handshake failure\n"); ++ sslver->max = SSL_LIBRARY_VERSION_3_0; ++ } ++ else ++ sslver->max = SSL_LIBRARY_VERSION_TLS_1_0; ++ return CURLE_OK; ++ ++ case CURL_SSLVERSION_TLSv1: ++ sslver->min = SSL_LIBRARY_VERSION_TLS_1_0; ++ sslver->max = SSL_LIBRARY_VERSION_TLS_1_0; ++ return CURLE_OK; ++ ++ case CURL_SSLVERSION_SSLv2: ++ sslver->min = SSL_LIBRARY_VERSION_2; ++ sslver->max = SSL_LIBRARY_VERSION_2; ++ return CURLE_OK; ++ ++ case CURL_SSLVERSION_SSLv3: ++ sslver->min = SSL_LIBRARY_VERSION_3_0; ++ sslver->max = SSL_LIBRARY_VERSION_3_0; ++ return CURLE_OK; ++ ++ case CURL_SSLVERSION_TLSv1_0: ++ case CURL_SSLVERSION_TLSv1_1: ++ case CURL_SSLVERSION_TLSv1_2: ++ break; ++ } ++ ++ failf(data, "TLS minor version cannot be set"); ++ return CURLE_SSL_CONNECT_ERROR; ++} ++ + CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex) + { + PRErrorCode err = 0; +@@ -1246,37 +1286,9 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex) + if(SSL_OptionSet(model, SSL_NO_CACHE, ssl_no_cache) != SECSuccess) + goto error; + +- switch (data->set.ssl.version) { +- default: +- case CURL_SSLVERSION_DEFAULT: +- sslver.min = SSL_LIBRARY_VERSION_3_0; +- if(data->state.ssl_connect_retry) { +- infof(data, "TLS disabled due to previous handshake failure\n"); +- sslver.max = SSL_LIBRARY_VERSION_3_0; +- } +- else +- sslver.max = SSL_LIBRARY_VERSION_TLS_1_0; +- break; +- case CURL_SSLVERSION_TLSv1: +- sslver.min = SSL_LIBRARY_VERSION_TLS_1_0; +- sslver.max = SSL_LIBRARY_VERSION_TLS_1_0; +- break; +- case CURL_SSLVERSION_SSLv2: +- sslver.min = SSL_LIBRARY_VERSION_2; +- sslver.max = SSL_LIBRARY_VERSION_2; +- break; +- case CURL_SSLVERSION_SSLv3: +- sslver.min = SSL_LIBRARY_VERSION_3_0; +- sslver.max = SSL_LIBRARY_VERSION_3_0; +- break; +- case CURL_SSLVERSION_TLSv1_0: +- case CURL_SSLVERSION_TLSv1_1: +- case CURL_SSLVERSION_TLSv1_2: +- failf(data, "TLS minor version cannot be set\n"); +- curlerr = CURLE_SSL_CONNECT_ERROR; ++ /* enable/disable the requested SSL version(s) */ ++ if(nss_init_sslver(&sslver, data) != CURLE_OK) + goto error; +- } +- + if(SSL_VersionRangeSet(model, &sslver) != SECSuccess) + goto error; + +-- +1.7.1 + + +From 91a3d58fc48f0d08ab81f1e013b2d58a7ccd7146 Mon Sep 17 00:00:00 2001 +From: Kamil Dudka +Date: Mon, 25 Nov 2013 16:25:15 +0100 +Subject: [PATCH 7/9] nss: allow to use TLS > 1.0 if built against recent NSS + +Bug: http://curl.haxx.se/mail/lib-2013-11/0162.html + +[upstream commit 7fc9325a52a6dad1f8b859a3269472ffc125edd0] +--- + lib/nss.c | 22 ++++++++++++++++++++++ + 1 files changed, 22 insertions(+), 0 deletions(-) + +diff --git a/lib/nss.c b/lib/nss.c +index 2e2240b..5cd33d8 100644 +--- a/lib/nss.c ++++ b/lib/nss.c +@@ -1188,7 +1188,13 @@ static CURLcode nss_init_sslver(SSLVersionRange *sslver, + + case CURL_SSLVERSION_TLSv1: + sslver->min = SSL_LIBRARY_VERSION_TLS_1_0; ++#ifdef SSL_LIBRARY_VERSION_TLS_1_2 ++ sslver->max = SSL_LIBRARY_VERSION_TLS_1_2; ++#elif defined SSL_LIBRARY_VERSION_TLS_1_1 ++ sslver->max = SSL_LIBRARY_VERSION_TLS_1_1; ++#else + sslver->max = SSL_LIBRARY_VERSION_TLS_1_0; ++#endif + return CURLE_OK; + + case CURL_SSLVERSION_SSLv2: +@@ -1202,8 +1208,24 @@ static CURLcode nss_init_sslver(SSLVersionRange *sslver, + return CURLE_OK; + + case CURL_SSLVERSION_TLSv1_0: ++ sslver->min = SSL_LIBRARY_VERSION_TLS_1_0; ++ sslver->max = SSL_LIBRARY_VERSION_TLS_1_0; ++ return CURLE_OK; ++ + case CURL_SSLVERSION_TLSv1_1: ++#ifdef SSL_LIBRARY_VERSION_TLS_1_1 ++ sslver->min = SSL_LIBRARY_VERSION_TLS_1_1; ++ sslver->max = SSL_LIBRARY_VERSION_TLS_1_1; ++ return CURLE_OK; ++#endif ++ break; ++ + case CURL_SSLVERSION_TLSv1_2: ++#ifdef SSL_LIBRARY_VERSION_TLS_1_2 ++ sslver->min = SSL_LIBRARY_VERSION_TLS_1_2; ++ sslver->max = SSL_LIBRARY_VERSION_TLS_1_2; ++ return CURLE_OK; ++#endif + break; + } + +-- +1.7.1 + + +From 404492a5a815b83fab58ce60434c01c270b6bc73 Mon Sep 17 00:00:00 2001 +From: Kamil Dudka +Date: Mon, 2 Dec 2013 14:25:07 +0100 +Subject: [PATCH 8/9] nss: unconditionally require NSS_InitContext() + +... since we depend on NSS 3.14+ because of SSL_VersionRangeSet() anyway + +[upstream commit 865666afca926faa1c721020fc54364540caf734] +--- + configure | 12 ------------ + configure.ac | 8 -------- + lib/nss.c | 26 -------------------------- + 3 files changed, 0 insertions(+), 46 deletions(-) + +diff --git a/configure b/configure +index ebde78a..8741e21 100755 +--- a/configure ++++ b/configure +@@ -23697,18 +23697,6 @@ fi + { $as_echo "$as_me:${as_lineno-$LINENO}: detected NSS version $version" >&5 + $as_echo "$as_me: detected NSS version $version" >&6;} + +- ac_fn_c_check_func "$LINENO" "NSS_InitContext" "ac_cv_func_NSS_InitContext" +-if test "x$ac_cv_func_NSS_InitContext" = xyes; then : +- +- +-$as_echo "#define HAVE_NSS_INITCONTEXT 1" >>confdefs.h +- +- HAVE_NSS_INITCONTEXT=1 +- +- +-fi +- +- + if test "x$cross_compiling" != "xyes"; then + LD_LIBRARY_PATH="$LD_LIBRARY_PATH:$nssprefix/lib$libsuff" + export LD_LIBRARY_PATH +diff --git a/configure.ac b/configure.ac +index c81c879..70ef0b7 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -2211,14 +2211,6 @@ if test "$curl_ssl_msg" = "$init_ssl_msg"; then + if test "x$USE_NSS" = "xyes"; then + AC_MSG_NOTICE([detected NSS version $version]) + +- dnl NSS_InitContext() was introduced in NSS 3.12.5 and helps to prevent +- dnl collisions on NSS initialization/shutdown with other libraries +- AC_CHECK_FUNC(NSS_InitContext, +- [ +- AC_DEFINE(HAVE_NSS_INITCONTEXT, 1, [if you have the NSS_InitContext function]) +- AC_SUBST(HAVE_NSS_INITCONTEXT, [1]) +- ]) +- + dnl when shared libs were found in a path that the run-time + dnl linker doesn't search through, we need to add it to + dnl LD_LIBRARY_PATH to prevent further configure tests to fail +diff --git a/lib/nss.c b/lib/nss.c +index 5cd33d8..7b49c20 100644 +--- a/lib/nss.c ++++ b/lib/nss.c +@@ -76,9 +76,7 @@ PRFileDesc *PR_ImportTCPSocket(PRInt32 osfd); + + PRLock * nss_initlock = NULL; + PRLock * nss_crllock = NULL; +-#ifdef HAVE_NSS_INITCONTEXT + NSSInitContext * nss_context = NULL; +-#endif + + volatile int initialized = 0; + +@@ -853,7 +851,6 @@ isTLSIntoleranceError(PRInt32 err) + + static CURLcode nss_init_core(struct SessionHandle *data, const char *cert_dir) + { +-#ifdef HAVE_NSS_INITCONTEXT + NSSInitParameters initparams; + + if(nss_context != NULL) +@@ -861,12 +858,6 @@ static CURLcode nss_init_core(struct SessionHandle *data, const char *cert_dir) + + memset((void *) &initparams, '\0', sizeof(initparams)); + initparams.length = sizeof(initparams); +-#else /* HAVE_NSS_INITCONTEXT */ +- SECStatus rv; +- +- if(NSS_IsInitialized()) +- return CURLE_OK; +-#endif + + if(cert_dir) { + const bool use_sql = NSS_VersionCheck("3.12.0"); +@@ -875,35 +866,22 @@ static CURLcode nss_init_core(struct SessionHandle *data, const char *cert_dir) + return CURLE_OUT_OF_MEMORY; + + infof(data, "Initializing NSS with certpath: %s\n", certpath); +-#ifdef HAVE_NSS_INITCONTEXT + nss_context = NSS_InitContext(certpath, "", "", "", &initparams, + NSS_INIT_READONLY | NSS_INIT_PK11RELOAD); + free(certpath); + + if(nss_context != NULL) + return CURLE_OK; +-#else /* HAVE_NSS_INITCONTEXT */ +- rv = NSS_Initialize(certpath, "", "", "", NSS_INIT_READONLY); +- free(certpath); +- +- if(rv == SECSuccess) +- return CURLE_OK; +-#endif + + infof(data, "Unable to initialize NSS database\n"); + } + + infof(data, "Initializing NSS with certpath: none\n"); +-#ifdef HAVE_NSS_INITCONTEXT + nss_context = NSS_InitContext("", "", "", "", &initparams, NSS_INIT_READONLY + | NSS_INIT_NOCERTDB | NSS_INIT_NOMODDB | NSS_INIT_FORCEOPEN + | NSS_INIT_NOROOTINIT | NSS_INIT_OPTIMIZESPACE | NSS_INIT_PK11RELOAD); + if(nss_context != NULL) + return CURLE_OK; +-#else /* HAVE_NSS_INITCONTEXT */ +- if(NSS_NoDB_Init(NULL) == SECSuccess) +- return CURLE_OK; +-#endif + + infof(data, "Unable to initialize NSS\n"); + return CURLE_SSL_CACERT_BADFILE; +@@ -999,12 +977,8 @@ void Curl_nss_cleanup(void) + SECMOD_DestroyModule(mod); + mod = NULL; + } +-#ifdef HAVE_NSS_INITCONTEXT + NSS_ShutdownContext(nss_context); + nss_context = NULL; +-#else /* HAVE_NSS_INITCONTEXT */ +- NSS_Shutdown(); +-#endif + } + PR_Unlock(nss_initlock); + +-- +1.7.1 + + +From a643c75662b6909a5be1bed8273ed1273ab2b3f4 Mon Sep 17 00:00:00 2001 +From: Kamil Dudka +Date: Mon, 2 Dec 2013 16:09:12 +0100 +Subject: [PATCH 9/9] nss: make sure that 'sslver' is always initialized + +[upstream commit e221b55f67a2e12717e911f25d1bb6c85fcebfab] +--- + lib/nss.c | 9 +++++---- + 1 files changed, 5 insertions(+), 4 deletions(-) + +diff --git a/lib/nss.c b/lib/nss.c +index 7b49c20..abc8a91 100644 +--- a/lib/nss.c ++++ b/lib/nss.c +@@ -1151,13 +1151,10 @@ static CURLcode nss_init_sslver(SSLVersionRange *sslver, + switch (data->set.ssl.version) { + default: + case CURL_SSLVERSION_DEFAULT: +- sslver->min = SSL_LIBRARY_VERSION_3_0; + if(data->state.ssl_connect_retry) { + infof(data, "TLS disabled due to previous handshake failure\n"); + sslver->max = SSL_LIBRARY_VERSION_3_0; + } +- else +- sslver->max = SSL_LIBRARY_VERSION_TLS_1_0; + return CURLE_OK; + + case CURL_SSLVERSION_TLSv1: +@@ -1211,7 +1208,6 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex) + { + PRErrorCode err = 0; + PRFileDesc *model = NULL; +- SSLVersionRange sslver; + PRBool ssl_no_cache; + PRBool ssl_cbc_random_iv; + struct SessionHandle *data = conn->data; +@@ -1223,6 +1219,11 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex) + long time_left; + PRUint32 timeout; + ++ SSLVersionRange sslver = { ++ SSL_LIBRARY_VERSION_3_0, /* min */ ++ SSL_LIBRARY_VERSION_TLS_1_0 /* max */ ++ }; ++ + if(connssl->state == ssl_connection_complete) + return CURLE_OK; + +-- +1.7.1 + diff --git a/SOURCES/0016-curl-7.29.0-1cf71bd7.patch b/SOURCES/0016-curl-7.29.0-1cf71bd7.patch new file mode 100644 index 0000000..31c4e08 --- /dev/null +++ b/SOURCES/0016-curl-7.29.0-1cf71bd7.patch @@ -0,0 +1,27 @@ +From cf8b6a21f1e9af984cfef417e83ca06b64565215 Mon Sep 17 00:00:00 2001 +From: Kamil Dudka +Date: Mon, 20 Jan 2014 20:24:05 +0100 +Subject: [PATCH] Curl_is_connected: use proxy name in error message when proxy is used + +Backport of upstream commit 1cf71bd76e4a330e5b7824014c2605e4bfe1a0a5. +--- + lib/connect.c | 3 ++- + 1 files changed, 2 insertions(+), 1 deletions(-) + +diff --git a/lib/connect.c b/lib/connect.c +index 0afb1ee..ba9ab92 100644 +--- a/lib/connect.c ++++ b/lib/connect.c +@@ -758,7 +758,8 @@ CURLcode Curl_is_connected(struct connectdata *conn, + error = SOCKERRNO; + data->state.os_errno = error; + failf(data, "Failed connect to %s:%ld; %s", +- conn->host.name, conn->port, Curl_strerror(conn, error)); ++ conn->bits.proxy?conn->proxy.name:conn->host.name, ++ conn->port, Curl_strerror(conn, error)); + } + + return code; +-- +1.7.1 + diff --git a/SOURCES/0017-curl-7.29.0-ffb8a21d.patch b/SOURCES/0017-curl-7.29.0-ffb8a21d.patch new file mode 100644 index 0000000..5f35a9a --- /dev/null +++ b/SOURCES/0017-curl-7.29.0-ffb8a21d.patch @@ -0,0 +1,36 @@ +From 93b06606d7ee483567770deda967985e8377debb Mon Sep 17 00:00:00 2001 +From: Steve Holme +Date: Sun, 2 Feb 2014 11:01:10 +0000 +Subject: [PATCH] tests: Fixed test172 cookie expiry + +The test contains a cookie jar file where one of the cookies has an +expiry date of 1391252187 -- Sat, 1 Feb 2014 10:56:27 GMT which has +now expired. Updated to Wed, 14 Oct 2037 16:36:33 GMT as per test +179. + +Reported-by: Adam Sampson +Bug: http://curl.haxx.se/bug/view.cgi?id=1330 + +[upstream commit ffb8a21d85bde8b626e5dc52ce25f0447ee49f89] + +Signed-off-by: Kamil Dudka +--- + tests/data/test172 | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +diff --git a/tests/data/test172 b/tests/data/test172 +index b3efae9..3d53418 100644 +--- a/tests/data/test172 ++++ b/tests/data/test172 +@@ -36,7 +36,7 @@ http://%HOSTIP:%HTTPPORT/we/want/172 -b log/jar172.txt -b "tool=curl; name=fool" + + .%HOSTIP TRUE /silly/ FALSE 0 ismatch this + .%HOSTIP TRUE / FALSE 0 partmatch present +-%HOSTIP FALSE /we/want/ FALSE 1391252187 nodomain value ++%HOSTIP FALSE /we/want/ FALSE 2139150993 nodomain value + + + +-- +1.7.1 + diff --git a/SOURCES/0018-curl-7.29.0-03c28820.patch b/SOURCES/0018-curl-7.29.0-03c28820.patch new file mode 100644 index 0000000..09a7391 --- /dev/null +++ b/SOURCES/0018-curl-7.29.0-03c28820.patch @@ -0,0 +1,67 @@ +From fbbbf6a3daa7949cfb0fbd9731a80649ce717e6d Mon Sep 17 00:00:00 2001 +From: Daniel Stenberg +Date: Fri, 7 Feb 2014 20:28:53 +0100 +Subject: [PATCH 1/2] --help: add missing --tlsv1.x options + +[upstream commit 67d14ab98f8b819ee6f5e6a4a2770d311c6bf13b] + +Signed-off-by: Kamil Dudka +--- + src/tool_help.c | 5 ++++- + 1 files changed, 4 insertions(+), 1 deletions(-) + +diff --git a/src/tool_help.c b/src/tool_help.c +index 124f640..f7cd618 100644 +--- a/src/tool_help.c ++++ b/src/tool_help.c +@@ -199,7 +199,10 @@ static const char *const helptext[] = { + " -t, --telnet-option OPT=VAL Set telnet option", + " --tftp-blksize VALUE Set TFTP BLKSIZE option (must be >512)", + " -z, --time-cond TIME Transfer based on a time condition", +- " -1, --tlsv1 Use TLSv1 (SSL)", ++ " -1, --tlsv1 Use => TLSv1 (SSL)", ++ " --tlsv1.0 Use TLSv1.0 (SSL)", ++ " --tlsv1.1 Use TLSv1.1 (SSL)", ++ " --tlsv1.2 Use TLSv1.2 (SSL)", + " --trace FILE Write a debug trace to the given file", + " --trace-ascii FILE Like --trace but without the hex output", + " --trace-time Add time stamps to trace/verbose output", +-- +1.7.1 + + +From cc28ee70fcc2222646eef4f2b2ab3cc207c6112a Mon Sep 17 00:00:00 2001 +From: Kamil Dudka +Date: Mon, 17 Feb 2014 16:55:10 +0100 +Subject: [PATCH 2/2] curl.1: update the description of --tlsv1 + +... and mention the --tlsv1.[0-2] options in the --tslv1 entry + +Reported-by: Hubert Kario + +[upstream commit 03c288202ed159a2a9e953f59e58f69a86eda79b] + +Signed-off-by: Kamil Dudka +--- + docs/curl.1 | 5 ++++- + 1 files changed, 4 insertions(+), 1 deletions(-) + +diff --git a/docs/curl.1 b/docs/curl.1 +index 53b378c..7f3571b 100644 +--- a/docs/curl.1 ++++ b/docs/curl.1 +@@ -117,7 +117,10 @@ more informational, meter. + internally preferred: HTTP 1.1. + .IP "-1, --tlsv1" + (SSL) +-Forces curl to use TLS version 1 when negotiating with a remote TLS server. ++Forces curl to use TLS version 1.x when negotiating with a remote TLS server. ++You can use options \fI--tlsv1.0\fP, \fI--tlsv1.1\fP, and \fI--tlsv1.2\fP to ++control the TLS version more precisely (if the SSL backend in use supports such ++a level of control). + .IP "-2, --sslv2" + (SSL) + Forces curl to use SSL version 2 when negotiating with a remote SSL server. +-- +1.7.1 + diff --git a/SOURCES/0018-curl-7.29.0-517b06d6.patch b/SOURCES/0018-curl-7.29.0-517b06d6.patch new file mode 100644 index 0000000..b56875e --- /dev/null +++ b/SOURCES/0018-curl-7.29.0-517b06d6.patch @@ -0,0 +1,68 @@ +From 46e85fee025964dd9a8ce2d615bc5f8ece530519 Mon Sep 17 00:00:00 2001 +From: Steve Holme +Date: Thu, 20 Feb 2014 23:51:36 +0000 +Subject: [PATCH] url: Fixed connection re-use when using different log-in credentials + +In addition to FTP, other connection based protocols such as IMAP, POP3, +SMTP, SCP, SFTP and LDAP require a new connection when different log-in +credentials are specified. Fixed the detection logic to include these +other protocols. + +Bug: http://curl.haxx.se/docs/adv_20140326A.html + +[upstream commit 517b06d657aceb11a234b05cc891170c367ab80d] + +Signed-off-by: Kamil Dudka +--- + lib/http.c | 2 +- + lib/url.c | 6 +++--- + lib/urldata.h | 2 ++ + 3 files changed, 6 insertions(+), 4 deletions(-) + +diff --git a/lib/http.c b/lib/http.c +index f4b7a48..c78036b 100644 +--- a/lib/http.c ++++ b/lib/http.c +@@ -142,7 +142,7 @@ const struct Curl_handler Curl_handler_https = { + ZERO_NULL, /* readwrite */ + PORT_HTTPS, /* defport */ + CURLPROTO_HTTP | CURLPROTO_HTTPS, /* protocol */ +- PROTOPT_SSL /* flags */ ++ PROTOPT_SSL | PROTOPT_CREDSPERREQUEST /* flags */ + }; + #endif + +diff --git a/lib/url.c b/lib/url.c +index 9690dfa..0174ff4 100644 +--- a/lib/url.c ++++ b/lib/url.c +@@ -2961,10 +2961,10 @@ ConnectionExists(struct SessionHandle *data, + continue; + } + } +- if((needle->handler->protocol & CURLPROTO_FTP) || ++ if((!(needle->handler->flags & PROTOPT_CREDSPERREQUEST)) || + ((needle->handler->protocol & CURLPROTO_HTTP) && wantNTLM)) { +- /* This is FTP or HTTP+NTLM, verify that we're using the same name +- and password as well */ ++ /* This protocol requires credentials per connection or is HTTP+NTLM, ++ so verify that we're using the same name and password as well */ + if(!strequal(needle->user, check->user) || + !strequal(needle->passwd, check->passwd)) { + /* one of them was different */ +diff --git a/lib/urldata.h b/lib/urldata.h +index d597c67..cbf4102 100644 +--- a/lib/urldata.h ++++ b/lib/urldata.h +@@ -755,6 +755,8 @@ struct Curl_handler { + gets a default */ + #define PROTOPT_NOURLQUERY (1<<6) /* protocol can't handle + url query strings (?foo=bar) ! */ ++#define PROTOPT_CREDSPERREQUEST (1<<7) /* requires login creditials per request ++ as opposed to per connection */ + + + /* return the count of bytes sent, or -1 on error */ +-- +1.7.1 + diff --git a/SOURCES/0105-curl-7.32.0-scp-upload.patch b/SOURCES/0105-curl-7.32.0-scp-upload.patch index 73c8aee..c0fb0bf 100644 --- a/SOURCES/0105-curl-7.32.0-scp-upload.patch +++ b/SOURCES/0105-curl-7.32.0-scp-upload.patch @@ -6,7 +6,7 @@ Subject: [PATCH] ssh: improve the logic for detecting blocking direction This fixes a regression introduced by commit 0feeab78 limiting the speed of SCP upload to 16384 B/s on a fast connection (such as localhost). -http://thread.gmane.org/gmane.comp.web.curl.library/40551/focus=40561 +[upstream commit d015f4ccac627852869cb45e31ccdc9fbd97dc47] --- lib/ssh.c | 8 +++++--- 1 files changed, 5 insertions(+), 3 deletions(-) diff --git a/SPECS/curl.spec b/SPECS/curl.spec index 968364d..e7c93e2 100644 --- a/SPECS/curl.spec +++ b/SPECS/curl.spec @@ -1,7 +1,7 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl Version: 7.29.0 -Release: 12%{?dist} +Release: 19%{?dist} License: MIT Group: Applications/Internet Source: http://curl.haxx.se/download/%{name}-%{version}.tar.lzma @@ -43,6 +43,27 @@ Patch11: 0011-curl-7.29.0-0feeab78.patch # avoid delay if FTP is aborted in CURLOPT_HEADERFUNCTION callback (#1005686) Patch12: 0012-curl-7.29.0-c639d725.patch +# allow to use ECC ciphers if NSS implements them (#1058776) +Patch13: 0013-curl-7.29.0-665c160f.patch + +# re-use of wrong HTTP NTLM connection in libcurl (CVE-2014-0015) +Patch14: 0014-curl-7.29.0-8ae35102.patch + +# allow to use TLS > 1.0 if built against recent NSS (#1036789) +Patch15: 0015-curl-7.29.0-7fc9325a.patch + +# use proxy name in error message when proxy is used (#1042831) +Patch16: 0016-curl-7.29.0-1cf71bd7.patch + +# refresh expired cookie in test172 from upstream test-suite (#1063693) +Patch17: 0017-curl-7.29.0-ffb8a21d.patch + +# fix documentation of curl's options --tlsv1.[0-2] (#1066364) +Patch18: 0018-curl-7.29.0-03c28820.patch + +# fix connection re-use when using different log-in credentials (CVE-2014-0138) +Patch19: 0018-curl-7.29.0-517b06d6.patch + # patch making libcurl multilib ready Patch101: 0101-curl-7.29.0-multilib.patch @@ -80,6 +101,21 @@ BuildRequires: pkgconfig BuildRequires: stunnel BuildRequires: zlib-devel +# perl modules used in the test suite +BuildRequires: perl(Cwd) +BuildRequires: perl(Digest::MD5) +BuildRequires: perl(Exporter) +BuildRequires: perl(File::Basename) +BuildRequires: perl(File::Copy) +BuildRequires: perl(File::Spec) +BuildRequires: perl(IPC::Open2) +BuildRequires: perl(MIME::Base64) +BuildRequires: perl(strict) +BuildRequires: perl(Time::Local) +BuildRequires: perl(Time::HiRes) +BuildRequires: perl(warnings) +BuildRequires: perl(vars) + # require valgrind to boost test coverage on i386 and x86_64 %ifarch %{ix86} x86_64 BuildRequires: valgrind @@ -151,9 +187,14 @@ documentation of the library, too. %patch10 -p1 %patch11 -p1 %patch12 -p1 - -# patches not yet upstream +%patch13 -p1 +%patch14 -p1 +%patch15 -p1 +%patch16 -p1 +%patch17 -p1 +%patch18 -p1 %patch105 -p1 +%patch19 -p1 # Fedora patches %patch101 -p1 @@ -271,6 +312,30 @@ rm -rf $RPM_BUILD_ROOT %{_datadir}/aclocal/libcurl.m4 %changelog +* Wed Mar 26 2014 Kamil Dudka 7.29.0-19 +- fix connection re-use when using different log-in credentials (CVE-2014-0138) + +* Mon Mar 17 2014 Paul Howarth 7.29.0-18 +- add all perl build requirements for the test suite, in a portable way + +* Tue Feb 18 2014 Kamil Dudka 7.29.0-17 +- fix documentation of curl's options --tlsv1.[0-2] (#1066364) + +* Tue Feb 11 2014 Kamil Dudka 7.29.0-16 +- allow to use TLS > 1.0 if built against recent NSS (#1036789) +- use proxy name in error message when proxy is used (#1042831) +- refresh expired cookie in test172 from upstream test-suite (#1063693) + +* Fri Jan 31 2014 Kamil Dudka 7.29.0-15 +- allow to use ECC ciphers if NSS implements them (#1058776) +- re-use of wrong HTTP NTLM connection in libcurl (CVE-2014-0015) + +* Fri Jan 24 2014 Daniel Mach - 7.29.0-14 +- Mass rebuild 2014-01-24 + +* Fri Dec 27 2013 Daniel Mach - 7.29.0-13 +- Mass rebuild 2013-12-27 + * Fri Oct 11 2013 Kamil Dudka 7.29.0-12 - do not limit the speed of SCP upload on a fast connection (#1014928)