[curl/f20] Resolves: #1166567 - disable libcurl-level downgrade to SSLv3
Kamil Dudka
kdudka at fedoraproject.org
Mon Nov 24 12:55:18 UTC 2014
commit 2ffe0b692f3b505bc503f68175de289565e4b220
Author: Kamil Dudka <kdudka at redhat.com>
Date: Fri Nov 21 13:03:43 2014 +0100
Resolves: #1166567 - disable libcurl-level downgrade to SSLv3
0018-curl-7.32.0-3f430c9c.patch | 175 +++++++++++++++++++++++++++++++++++++++
curl.spec | 5 +
2 files changed, 180 insertions(+), 0 deletions(-)
---
diff --git a/0018-curl-7.32.0-3f430c9c.patch b/0018-curl-7.32.0-3f430c9c.patch
new file mode 100644
index 0000000..847ce24
--- /dev/null
+++ b/0018-curl-7.32.0-3f430c9c.patch
@@ -0,0 +1,175 @@
+From 12ec95876f5b1cb61ca605279077738175173536 Mon Sep 17 00:00:00 2001
+From: Kamil Dudka <kdudka at redhat.com>
+Date: Wed, 29 Oct 2014 14:14:23 +0100
+Subject: [PATCH 1/2] nss: drop the code for libcurl-level downgrade to SSLv3
+
+This code was already deactivated by commit
+ec783dc142129d3860e542b443caaa78a6172d56.
+
+Upstream-commit: 3f430c9c3a4e3748bc075b633a9324c5037c9fe7
+Signed-off-by: Kamil Dudka <kdudka at redhat.com>
+---
+ lib/nss.c | 54 ------------------------------------------------------
+ 1 file changed, 54 deletions(-)
+
+diff --git a/lib/nss.c b/lib/nss.c
+index 7292321..f511e36 100644
+--- a/lib/nss.c
++++ b/lib/nss.c
+@@ -835,36 +835,6 @@ static SECStatus SelectClientCert(void *arg, PRFileDesc *sock,
+ return SECSuccess;
+ }
+
+-/* This function is supposed to decide, which error codes should be used
+- * to conclude server is TLS intolerant.
+- *
+- * taken from xulrunner - nsNSSIOLayer.cpp
+- */
+-static PRBool
+-isTLSIntoleranceError(PRInt32 err)
+-{
+- switch (err) {
+- case SSL_ERROR_BAD_MAC_ALERT:
+- case SSL_ERROR_BAD_MAC_READ:
+- case SSL_ERROR_HANDSHAKE_FAILURE_ALERT:
+- case SSL_ERROR_HANDSHAKE_UNEXPECTED_ALERT:
+- case SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE:
+- case SSL_ERROR_ILLEGAL_PARAMETER_ALERT:
+- case SSL_ERROR_NO_CYPHER_OVERLAP:
+- case SSL_ERROR_BAD_SERVER:
+- case SSL_ERROR_BAD_BLOCK_PADDING:
+- case SSL_ERROR_UNSUPPORTED_VERSION:
+- case SSL_ERROR_PROTOCOL_VERSION_ALERT:
+- case SSL_ERROR_RX_MALFORMED_FINISHED:
+- case SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE:
+- case SSL_ERROR_DECODE_ERROR_ALERT:
+- case SSL_ERROR_RX_UNKNOWN_ALERT:
+- return PR_TRUE;
+- default:
+- return PR_FALSE;
+- }
+-}
+-
+ /* update blocking direction in case of PR_WOULD_BLOCK_ERROR */
+ static void nss_update_connecting_state(ssl_connect_state state, void *secret)
+ {
+@@ -1237,11 +1207,6 @@ static CURLcode nss_init_sslver(SSLVersionRange *sslver,
+ default:
+ case CURL_SSLVERSION_DEFAULT:
+ sslver->min = SSL_LIBRARY_VERSION_3_0;
+- if(data->state.ssl_connect_retry) {
+- infof(data, "TLS disabled due to previous handshake failure\n");
+- sslver->max = SSL_LIBRARY_VERSION_3_0;
+- return CURLE_OK;
+- }
+ /* intentional fall-through to default to highest TLS version if possible */
+
+ case CURL_SSLVERSION_TLSv1:
+@@ -1294,12 +1259,8 @@ static CURLcode nss_fail_connect(struct ssl_connect_data *connssl,
+ struct SessionHandle *data,
+ CURLcode curlerr)
+ {
+- SSLVersionRange sslver;
+ PRErrorCode err = 0;
+
+- /* reset the flag to avoid an infinite loop */
+- data->state.ssl_connect_retry = FALSE;
+-
+ if(is_nss_error(curlerr)) {
+ /* read NSPR error code */
+ err = PR_GetError();
+@@ -1316,18 +1277,6 @@ static CURLcode nss_fail_connect(struct ssl_connect_data *connssl,
+ /* cleanup on connection failure */
+ Curl_llist_destroy(connssl->obj_list, NULL);
+ connssl->obj_list = NULL;
+-
+- if(connssl->handle
+- && (SSL_VersionRangeGet(connssl->handle, &sslver) == SECSuccess)
+- && (sslver.min == SSL_LIBRARY_VERSION_3_0)
+- && (sslver.max != SSL_LIBRARY_VERSION_3_0)
+- && isTLSIntoleranceError(err)) {
+- /* schedule reconnect through Curl_retry_request() */
+- data->state.ssl_connect_retry = TRUE;
+- infof(data, "Error in TLS handshake, trying SSLv3...\n");
+- return CURLE_OK;
+- }
+-
+ return curlerr;
+ }
+
+@@ -1437,9 +1386,6 @@ static CURLcode nss_setup_connect(struct connectdata *conn, int sockindex)
+ infof(data, "warning: support for SSL_CBC_RANDOM_IV not compiled in\n");
+ #endif
+
+- /* reset the flag to avoid an infinite loop */
+- data->state.ssl_connect_retry = FALSE;
+-
+ if(data->set.ssl.cipher_list) {
+ if(set_ciphers(data, model, data->set.ssl.cipher_list) != SECSuccess) {
+ curlerr = CURLE_SSL_CIPHER;
+--
+2.1.0
+
+
+From 7045c38b0d303d5126be2772fefe148555e0b414 Mon Sep 17 00:00:00 2001
+From: Kamil Dudka <kdudka at redhat.com>
+Date: Wed, 29 Oct 2014 14:24:54 +0100
+Subject: [PATCH 2/2] transfer: drop the code handling the ssl_connect_retry
+ flag
+
+Its last use has been removed by the previous commit.
+
+Upstream-commit: 276741af4ddebe0cc0d446712fb8dfdf0c140e7b
+Signed-off-by: Kamil Dudka <kdudka at redhat.com>
+---
+ lib/transfer.c | 12 ++++--------
+ lib/urldata.h | 3 ---
+ 2 files changed, 4 insertions(+), 11 deletions(-)
+
+diff --git a/lib/transfer.c b/lib/transfer.c
+index db0318d..6517da0 100644
+--- a/lib/transfer.c
++++ b/lib/transfer.c
+@@ -1268,8 +1268,6 @@ CURLcode Curl_pretransfer(struct SessionHandle *data)
+ data->state.errorbuf = FALSE; /* no error has occurred */
+ data->state.httpversion = 0; /* don't assume any particular server version */
+
+- data->state.ssl_connect_retry = FALSE;
+-
+ data->state.authproblem = FALSE;
+ data->state.authhost.want = data->set.httpauth;
+ data->state.authproxy.want = data->set.proxyauth;
+@@ -1847,12 +1845,10 @@ CURLcode Curl_retry_request(struct connectdata *conn,
+ !(conn->handler->protocol&(CURLPROTO_HTTP|CURLPROTO_RTSP)))
+ return CURLE_OK;
+
+- if(/* workaround for broken TLS servers */ data->state.ssl_connect_retry ||
+- ((data->req.bytecount +
+- data->req.headerbytecount == 0) &&
+- conn->bits.reuse &&
+- !data->set.opt_no_body &&
+- data->set.rtspreq != RTSPREQ_RECEIVE)) {
++ if((data->req.bytecount + data->req.headerbytecount == 0) &&
++ conn->bits.reuse &&
++ !data->set.opt_no_body &&
++ (data->set.rtspreq != RTSPREQ_RECEIVE)) {
+ /* We got no data, we attempted to re-use a connection and yet we want a
+ "body". This might happen if the connection was left alive when we were
+ done using it before, but that was closed when we wanted to read from
+diff --git a/lib/urldata.h b/lib/urldata.h
+index 07ea060..d819241 100644
+--- a/lib/urldata.h
++++ b/lib/urldata.h
+@@ -1298,9 +1298,6 @@ struct UrlState {
+ struct POP3 *pop3;
+ struct SMTP *smtp;
+ } proto;
+-
+- /* if true, force SSL connection retry (workaround for certain servers) */
+- bool ssl_connect_retry;
+ };
+
+
+--
+2.1.0
+
diff --git a/curl.spec b/curl.spec
index 555cbf4..d689328 100644
--- a/curl.spec
+++ b/curl.spec
@@ -58,6 +58,9 @@ Patch16: 0016-curl-7.32.0-b3875606.patch
# allow to use TLS 1.1 and TLS 1.2 (#1153814)
Patch17: 0017-curl-7.32.0-tls12.patch
+# disable libcurl-level downgrade to SSLv3 (#1166567)
+Patch18: 0018-curl-7.32.0-3f430c9c.patch
+
# patch making libcurl multilib ready
Patch101: 0101-curl-7.32.0-multilib.patch
@@ -187,6 +190,7 @@ documentation of the library, too.
%patch15 -p1
%patch16 -p1
%patch17 -p1
+%patch18 -p1
# Fedora patches
%patch101 -p1
@@ -310,6 +314,7 @@ rm -rf $RPM_BUILD_ROOT
%changelog
* Mon Nov 24 2014 Kamil Dudka <kdudka at redhat.com> 7.32.0-16
- allow to use TLS 1.1 and TLS 1.2 (#1153814)
+- disable libcurl-level downgrade to SSLv3 (#1166567)
* Wed Nov 05 2014 Kamil Dudka <kdudka at redhat.com> 7.32.0-15
- fix handling of CURLOPT_COPYPOSTFIELDS in curl_easy_duphandle (CVE-2014-3707)
More information about the scm-commits
mailing list