[curl] various SSL-related fixes (mainly crash on connection failure)

Kamil Dudka kdudka at fedoraproject.org
Fri Jul 4 14:38:14 UTC 2014


commit ff02afad2fef0c7f5e9c1559a6b436ccf78a3aaf
Author: Kamil Dudka <kdudka at redhat.com>
Date:   Fri Jul 4 16:27:42 2014 +0200

    various SSL-related fixes (mainly crash on connection failure)

 0001-curl-7.37.0-7c215585.patch |  136 +++++++++++++++++++++++++++++++++++++++
 curl.spec                       |    9 ++-
 2 files changed, 144 insertions(+), 1 deletions(-)
---
diff --git a/0001-curl-7.37.0-7c215585.patch b/0001-curl-7.37.0-7c215585.patch
new file mode 100644
index 0000000..abad04d
--- /dev/null
+++ b/0001-curl-7.37.0-7c215585.patch
@@ -0,0 +1,136 @@
+From e5a68a65cd567b74573e686bb5f773b482997397 Mon Sep 17 00:00:00 2001
+From: Kamil Dudka <kdudka at redhat.com>
+Date: Wed, 2 Jul 2014 17:37:43 +0200
+Subject: [PATCH 1/3] nss: do not abort on connection failure
+
+... due to calling SSL_VersionRangeGet() with NULL file descriptor
+
+reported-by: upstream tests 305 and 404
+
+[upstream commit 7c21558503cbb10595c345acc7820cb9dc8741d6]
+
+Signed-off-by: Kamil Dudka <kdudka at redhat.com>
+---
+ lib/vtls/nss.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c
+index c1eec41..1e41795 100644
+--- a/lib/vtls/nss.c
++++ b/lib/vtls/nss.c
+@@ -1396,7 +1396,8 @@ static CURLcode nss_fail_connect(struct ssl_connect_data *connssl,
+   Curl_llist_destroy(connssl->obj_list, NULL);
+   connssl->obj_list = NULL;
+ 
+-  if((SSL_VersionRangeGet(connssl->handle, &sslver) == SECSuccess)
++  if(connssl->handle
++      && (SSL_VersionRangeGet(connssl->handle, &sslver) == SECSuccess)
+       && (sslver.min == SSL_LIBRARY_VERSION_3_0)
+       && (sslver.max == SSL_LIBRARY_VERSION_TLS_1_0)
+       && isTLSIntoleranceError(err)) {
+-- 
+1.9.3
+
+
+From b86de77eda043787edae78c07179f1c06c8c5060 Mon Sep 17 00:00:00 2001
+From: Kamil Dudka <kdudka at redhat.com>
+Date: Wed, 2 Jul 2014 17:49:37 +0200
+Subject: [PATCH 2/3] nss: make the fallback to SSLv3 work again
+
+This feature was unintentionally disabled by commit ff92fcfb.
+
+[upstream commit 7581dee10aedeb96231dd24e187ff5426fc72469]
+
+Signed-off-by: Kamil Dudka <kdudka at redhat.com>
+---
+ lib/vtls/nss.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c
+index 1e41795..3613b40 100644
+--- a/lib/vtls/nss.c
++++ b/lib/vtls/nss.c
+@@ -1315,6 +1315,7 @@ static CURLcode nss_init_sslver(SSLVersionRange *sslver,
+   switch (data->set.ssl.version) {
+   default:
+   case CURL_SSLVERSION_DEFAULT:
++    sslver->min = SSL_LIBRARY_VERSION_3_0;
+     if(data->state.ssl_connect_retry) {
+       infof(data, "TLS disabled due to previous handshake failure\n");
+       sslver->max = SSL_LIBRARY_VERSION_3_0;
+@@ -1323,7 +1324,6 @@ static CURLcode nss_init_sslver(SSLVersionRange *sslver,
+   /* intentional fall-through to default to highest TLS version if possible */
+ 
+   case CURL_SSLVERSION_TLSv1:
+-    sslver->min = SSL_LIBRARY_VERSION_TLS_1_0;
+ #ifdef SSL_LIBRARY_VERSION_TLS_1_2
+     sslver->max = SSL_LIBRARY_VERSION_TLS_1_2;
+ #elif defined SSL_LIBRARY_VERSION_TLS_1_1
+@@ -1399,7 +1399,7 @@ static CURLcode nss_fail_connect(struct ssl_connect_data *connssl,
+   if(connssl->handle
+       && (SSL_VersionRangeGet(connssl->handle, &sslver) == SECSuccess)
+       && (sslver.min == SSL_LIBRARY_VERSION_3_0)
+-      && (sslver.max == SSL_LIBRARY_VERSION_TLS_1_0)
++      && (sslver.max != SSL_LIBRARY_VERSION_3_0)
+       && isTLSIntoleranceError(err)) {
+     /* schedule reconnect through Curl_retry_request() */
+     data->state.ssl_connect_retry = TRUE;
+@@ -1437,7 +1437,7 @@ static CURLcode nss_setup_connect(struct connectdata *conn, int sockindex)
+   CURLcode curlerr;
+ 
+   SSLVersionRange sslver = {
+-    SSL_LIBRARY_VERSION_3_0,      /* min */
++    SSL_LIBRARY_VERSION_TLS_1_0,  /* min */
+     SSL_LIBRARY_VERSION_TLS_1_0   /* max */
+   };
+ 
+-- 
+1.9.3
+
+
+From dd54a5dad0b91c6a626912cc83123f103fa63746 Mon Sep 17 00:00:00 2001
+From: Kamil Dudka <kdudka at redhat.com>
+Date: Wed, 2 Jul 2014 16:34:48 +0200
+Subject: [PATCH 3/3] tool: call PR_Cleanup() on exit if NSPR is used
+
+This prevents valgrind from reporting possibly lost memory that NSPR
+uses for file descriptor cache and other globally allocated internal
+data structures.
+
+[upstream commit 24c3cdce88f39731506c287cb276e8bf4a1ce393]
+
+Signed-off-by: Kamil Dudka <kdudka at redhat.com>
+---
+ src/tool_main.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/src/tool_main.c b/src/tool_main.c
+index ef96dc3..dc980e0 100644
+--- a/src/tool_main.c
++++ b/src/tool_main.c
+@@ -27,6 +27,10 @@
+ #include <signal.h>
+ #endif
+ 
++#ifdef USE_NSS
++#include <nspr.h>
++#endif
++
+ #define ENABLE_CURLX_PRINTF
+ /* use our own printf() functions */
+ #include "curlx.h"
+@@ -205,6 +209,11 @@ static void main_free(struct GlobalConfig *config)
+   curl_global_cleanup();
+   convert_cleanup();
+   metalink_cleanup();
++#ifdef USE_NSS
++  if(PR_Initialized())
++    /* prevent valgrind from reporting possibly lost memory (fd cache, ...) */
++    PR_Cleanup();
++#endif
+   free_config_fields(config);
+ 
+   /* Free the config structures */
+-- 
+1.9.3
+
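Review bot: The nss_fail_connect change in PATCH 2/3 schedules a reconnect whenever the range was min SSL_LIBRARY_VERSION_3_0 / max != SSL_LIBRARY_VERSION_3_0 and isTLSIntoleranceError(err) holds, and nss_init_sslver's default case now floors the range at SSL_LIBRARY_VERSION_3_0, so a TLS handshake failure of that class silently retries the connection with SSLv3 as the only protocol; the patch description says only that the fallback "works again" and does not record that this is a protocol downgrade the client performs on its own initiative, which a defender reviewing NSS-built curl will want to know about. Since the retry cannot tell a genuinely TLS-intolerant server from a handshake that failed for other reasons, the point where the retry is scheduled should say so, e.g. `/* schedule reconnect through Curl_retry_request(); NOTE: this retries with SSLv3 only (see nss_init_sslver), a deliberate downgrade */`, and the fallback is a candidate for being made opt-in in a later release. Both nss_init_sslver and nss_fail_connect start and end outside these hunks, so whether ssl_connect_retry is reset between retries cannot be confirmed from here. A smaller style point in PATCH 3/3: the `if(PR_Initialized())` body in main_free is a comment line followed by `PR_Cleanup();` without braces, which is easy to misread; `if(PR_Initialized()) { PR_Cleanup(); }` with the comment above the if is clearer.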
diff --git a/curl.spec b/curl.spec
index 19effb6..0ff595f 100644
--- a/curl.spec
+++ b/curl.spec
@@ -1,12 +1,15 @@
 Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
 Name: curl
 Version: 7.37.0
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: MIT
 Group: Applications/Internet
 Source: http://curl.haxx.se/download/%{name}-%{version}.tar.lzma
 Source2: curlbuild.h
 
+# various SSL-related fixes (mainly crash on connection failure)
+Patch1: 0001-curl-7.37.0-7c215585.patch
+
 # patch making libcurl multilib ready
 Patch101: 0101-curl-7.32.0-multilib.patch
 
@@ -119,6 +122,7 @@ documentation of the library, too.
 %setup -q
 
 # upstream patches
+%patch1 -p1
 
 # Fedora patches
 %patch101 -p1
@@ -240,6 +244,9 @@ rm -rf $RPM_BUILD_ROOT
 %{_datadir}/aclocal/libcurl.m4
 
 %changelog
+* Fri Jul 04 2014 Kamil Dudka <kdudka at redhat.com> 7.37.0-3
+- various SSL-related fixes (mainly crash on connection failure)
+
 * Sat Jun 07 2014 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 7.37.0-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
 

