[curl/f19] Resolves: #1166567 - disable libcurl-level downgrade to SSLv3
Kamil Dudka
kdudka at fedoraproject.org
Mon Nov 24 13:59:14 UTC 2014
commit 8f7375785b456fe79b4a522c3c734503041da58e
Author: Kamil Dudka <kdudka at redhat.com>
Date: Fri Nov 21 13:03:43 2014 +0100
Resolves: #1166567 - disable libcurl-level downgrade to SSLv3
0030-curl-7.29.0-3f430c9c.patch | 176 +++++++++++++++++++++++++++++++++++++++
curl.spec | 5 +
2 files changed, 181 insertions(+), 0 deletions(-)
---
diff --git a/0030-curl-7.29.0-3f430c9c.patch b/0030-curl-7.29.0-3f430c9c.patch
new file mode 100644
index 0000000..daabad2
--- /dev/null
+++ b/0030-curl-7.29.0-3f430c9c.patch
@@ -0,0 +1,176 @@
+From 4356faee49e7a36ff10054dd9804d72cfd25bb27 Mon Sep 17 00:00:00 2001
+From: Kamil Dudka <kdudka at redhat.com>
+Date: Wed, 29 Oct 2014 14:14:23 +0100
+Subject: [PATCH 1/2] nss: drop the code for libcurl-level downgrade to SSLv3
+
+This code was already deactivated by commit
+ec783dc142129d3860e542b443caaa78a6172d56.
+
+Upstream-commit: 3f430c9c3a4e3748bc075b633a9324c5037c9fe7
+Signed-off-by: Kamil Dudka <kdudka at redhat.com>
+---
+ lib/nss.c | 55 -------------------------------------------------------
+ 1 file changed, 55 deletions(-)
+
+diff --git a/lib/nss.c b/lib/nss.c
+index a2e5c79..13a0622 100644
+--- a/lib/nss.c
++++ b/lib/nss.c
+@@ -835,36 +835,6 @@ static SECStatus SelectClientCert(void *arg, PRFileDesc *sock,
+ return SECSuccess;
+ }
+
+-/* This function is supposed to decide, which error codes should be used
+- * to conclude server is TLS intolerant.
+- *
+- * taken from xulrunner - nsNSSIOLayer.cpp
+- */
+-static PRBool
+-isTLSIntoleranceError(PRInt32 err)
+-{
+- switch (err) {
+- case SSL_ERROR_BAD_MAC_ALERT:
+- case SSL_ERROR_BAD_MAC_READ:
+- case SSL_ERROR_HANDSHAKE_FAILURE_ALERT:
+- case SSL_ERROR_HANDSHAKE_UNEXPECTED_ALERT:
+- case SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE:
+- case SSL_ERROR_ILLEGAL_PARAMETER_ALERT:
+- case SSL_ERROR_NO_CYPHER_OVERLAP:
+- case SSL_ERROR_BAD_SERVER:
+- case SSL_ERROR_BAD_BLOCK_PADDING:
+- case SSL_ERROR_UNSUPPORTED_VERSION:
+- case SSL_ERROR_PROTOCOL_VERSION_ALERT:
+- case SSL_ERROR_RX_MALFORMED_FINISHED:
+- case SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE:
+- case SSL_ERROR_DECODE_ERROR_ALERT:
+- case SSL_ERROR_RX_UNKNOWN_ALERT:
+- return PR_TRUE;
+- default:
+- return PR_FALSE;
+- }
+-}
+-
+ /* update blocking direction in case of PR_WOULD_BLOCK_ERROR */
+ static void nss_update_connecting_state(ssl_connect_state state, void *secret)
+ {
+@@ -1237,12 +1207,6 @@ static CURLcode nss_init_sslver(SSLVersionRange *sslver,
+ default:
+ case CURL_SSLVERSION_DEFAULT:
+ sslver->min = SSL_LIBRARY_VERSION_3_0;
+- if(data->state.ssl_connect_retry) {
+- infof(data, "TLS disabled due to previous handshake failure\n");
+- sslver->max = SSL_LIBRARY_VERSION_3_0;
+- }
+- else
+- sslver->max = SSL_LIBRARY_VERSION_TLS_1_0;
+ return CURLE_OK;
+
+ case CURL_SSLVERSION_TLSv1:
+@@ -1295,12 +1259,8 @@ static CURLcode nss_fail_connect(struct ssl_connect_data *connssl,
+ struct SessionHandle *data,
+ CURLcode curlerr)
+ {
+- SSLVersionRange sslver;
+ PRErrorCode err = 0;
+
+- /* reset the flag to avoid an infinite loop */
+- data->state.ssl_connect_retry = FALSE;
+-
+ if(is_nss_error(curlerr)) {
+ /* read NSPR error code */
+ err = PR_GetError();
+@@ -1317,18 +1277,6 @@ static CURLcode nss_fail_connect(struct ssl_connect_data *connssl,
+ /* cleanup on connection failure */
+ Curl_llist_destroy(connssl->obj_list, NULL);
+ connssl->obj_list = NULL;
+-
+- if(connssl->handle
+- && (SSL_VersionRangeGet(connssl->handle, &sslver) == SECSuccess)
+- && (sslver.min == SSL_LIBRARY_VERSION_3_0)
+- && (sslver.max != SSL_LIBRARY_VERSION_3_0)
+- && isTLSIntoleranceError(err)) {
+- /* schedule reconnect through Curl_retry_request() */
+- data->state.ssl_connect_retry = TRUE;
+- infof(data, "Error in TLS handshake, trying SSLv3...\n");
+- return CURLE_OK;
+- }
+-
+ return curlerr;
+ }
+
+@@ -1438,9 +1386,6 @@ static CURLcode nss_setup_connect(struct connectdata *conn, int sockindex)
+ infof(data, "warning: support for SSL_CBC_RANDOM_IV not compiled in\n");
+ #endif
+
+- /* reset the flag to avoid an infinite loop */
+- data->state.ssl_connect_retry = FALSE;
+-
+ if(data->set.ssl.cipher_list) {
+ if(set_ciphers(data, model, data->set.ssl.cipher_list) != SECSuccess) {
+ curlerr = CURLE_SSL_CIPHER;
+--
+2.1.0
+
+
+From bee7fdee7c4cab213151963142b2ae560e1f25b0 Mon Sep 17 00:00:00 2001
+From: Kamil Dudka <kdudka at redhat.com>
+Date: Wed, 29 Oct 2014 14:24:54 +0100
+Subject: [PATCH 2/2] transfer: drop the code handling the ssl_connect_retry
+ flag
+
+Its last use has been removed by the previous commit.
+
+Upstream-commit: 276741af4ddebe0cc0d446712fb8dfdf0c140e7b
+Signed-off-by: Kamil Dudka <kdudka at redhat.com>
+---
+ lib/transfer.c | 12 ++++--------
+ lib/urldata.h | 3 ---
+ 2 files changed, 4 insertions(+), 11 deletions(-)
+
+diff --git a/lib/transfer.c b/lib/transfer.c
+index 330b37a..dff6838 100644
+--- a/lib/transfer.c
++++ b/lib/transfer.c
+@@ -1269,8 +1269,6 @@ CURLcode Curl_pretransfer(struct SessionHandle *data)
+ data->state.errorbuf = FALSE; /* no error has occurred */
+ data->state.httpversion = 0; /* don't assume any particular server version */
+
+- data->state.ssl_connect_retry = FALSE;
+-
+ data->state.authproblem = FALSE;
+ data->state.authhost.want = data->set.httpauth;
+ data->state.authproxy.want = data->set.proxyauth;
+@@ -1848,12 +1846,10 @@ CURLcode Curl_retry_request(struct connectdata *conn,
+ !(conn->handler->protocol&(CURLPROTO_HTTP|CURLPROTO_RTSP)))
+ return CURLE_OK;
+
+- if(/* workaround for broken TLS servers */ data->state.ssl_connect_retry ||
+- ((data->req.bytecount +
+- data->req.headerbytecount == 0) &&
+- conn->bits.reuse &&
+- !data->set.opt_no_body &&
+- data->set.rtspreq != RTSPREQ_RECEIVE)) {
++ if((data->req.bytecount + data->req.headerbytecount == 0) &&
++ conn->bits.reuse &&
++ !data->set.opt_no_body &&
++ (data->set.rtspreq != RTSPREQ_RECEIVE)) {
+ /* We got no data, we attempted to re-use a connection and yet we want a
+ "body". This might happen if the connection was left alive when we were
+ done using it before, but that was closed when we wanted to read from
+diff --git a/lib/urldata.h b/lib/urldata.h
+index dd78992..26bc89f 100644
+--- a/lib/urldata.h
++++ b/lib/urldata.h
+@@ -1288,9 +1288,6 @@ struct UrlState {
+ } proto;
+ /* current user of this SessionHandle instance, or NULL */
+ struct connectdata *current_conn;
+-
+- /* if true, force SSL connection retry (workaround for certain servers) */
+- bool ssl_connect_retry;
+ };
+
+
+--
+2.1.0
+
diff --git a/curl.spec b/curl.spec
index c81ba64..336eb69 100644
--- a/curl.spec
+++ b/curl.spec
@@ -91,6 +91,9 @@ Patch28: 0028-curl-7.29.0-b3875606.patch
# allow to use TLS 1.1 and TLS 1.2 (#1153814)
Patch29: 0029-curl-7.29.0-tls12.patch
+# disable libcurl-level downgrade to SSLv3 (#1166567)
+Patch30: 0030-curl-7.29.0-3f430c9c.patch
+
# patch making libcurl multilib ready
Patch101: 0101-curl-7.29.0-multilib.patch
@@ -227,6 +230,7 @@ documentation of the library, too.
%patch27 -p1
%patch28 -p1
%patch29 -p1
+%patch30 -p1
# Fedora patches
%patch101 -p1
@@ -349,6 +353,7 @@ rm -rf $RPM_BUILD_ROOT
%changelog
* Mon Nov 24 2014 Kamil Dudka <kdudka at redhat.com> 7.29.0-26
- allow to use TLS 1.1 and TLS 1.2 (#1153814)
+- disable libcurl-level downgrade to SSLv3 (#1166567)
* Wed Nov 05 2014 Kamil Dudka <kdudka at redhat.com> 7.29.0-25
- fix handling of CURLOPT_COPYPOSTFIELDS in curl_easy_duphandle (CVE-2014-3707)
More information about the scm-commits
mailing list