From 014599c14b4be3191b9d95364e05f2cff8b71d06 Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Wed, 4 Nov 2009 14:05:38 +0000 Subject: [PATCH] - new upstream release, dropped applied patches - workaround for broken TLS servers (#525496, #527771) --- .cvsignore | 2 +- curl-7.15.3-multilib.patch | 13 +- curl-7.16.0-privlibs.patch | 8 +- curl-7.19.4-debug.patch | 9 +- curl-7.19.6-autoconf.patch | 95 -------------- curl-7.19.6-nss-cn.patch | 45 ------- curl-7.19.6-nss-guenter.patch | 94 ------------- curl-7.19.6-nss-warnings.diff | 94 ------------- curl-7.19.6-verifyhost.patch | 54 -------- ...ock.diff => curl-7.19.7-nss-nonblock.patch | 18 +-- curl-7.19.7-ssl-retry.patch | 123 ++++++++++++++++++ curl.spec | 28 ++-- sources | 2 +- 13 files changed, 162 insertions(+), 423 deletions(-) delete mode 100644 curl-7.19.6-autoconf.patch delete mode 100644 curl-7.19.6-nss-cn.patch delete mode 100644 curl-7.19.6-nss-guenter.patch delete mode 100644 curl-7.19.6-nss-warnings.diff delete mode 100644 curl-7.19.6-verifyhost.patch rename curl-7.19.7-nss-nonblock.diff => curl-7.19.7-nss-nonblock.patch (82%) create mode 100644 curl-7.19.7-ssl-retry.patch diff --git a/.cvsignore b/.cvsignore index 3b1fddf..13f9762 100644 --- a/.cvsignore +++ b/.cvsignore @@ -1 +1 @@ -curl-7.19.6.tar.lzma +curl-7.19.7.tar.lzma diff --git a/curl-7.15.3-multilib.patch b/curl-7.15.3-multilib.patch index 5670a76..0332142 100644 --- a/curl-7.15.3-multilib.patch +++ b/curl-7.15.3-multilib.patch 
@@ -1,7 +1,8 @@ -diff -up curl-7.18.0/curl-config.in.multilib curl-7.18.0/curl-config.in ---- curl-7.18.0/curl-config.in.multilib 2008-01-10 23:14:02.000000000 +0100 -+++ curl-7.18.0/curl-config.in 2008-02-16 06:48:14.000000000 +0100 -@@ -45,7 +45,6 @@ +diff --git a/curl-config.in b/curl-config.in +index 1c439a1..9d675ae 100644 +--- a/curl-config.in ++++ b/curl-config.in +@@ -42,7 +42,6 @@ Available values for OPTION include: --libs library linking information --prefix curl install prefix --protocols newline separated list of enabled protocols @@ -9,7 +10,7 @@ diff -up curl-7.18.0/curl-config.in.multilib curl-7.18.0/curl-config.in --version output version information --vernum output the version information as a number (hexadecimal) EOF -@@ -72,7 +71,7 @@ +@@ -69,7 +68,7 @@ while test $# -gt 0; do ;; --cc) @@ -18,7 +19,7 @@ diff -up curl-7.18.0/curl-config.in.multilib curl-7.18.0/curl-config.in ;; --prefix) -@@ -189,20 +188,7 @@ +@@ -130,20 +129,7 @@ while test $# -gt 0; do ;; --libs) diff --git a/curl-7.16.0-privlibs.patch b/curl-7.16.0-privlibs.patch index f3d2ece..5276e14 100644 --- a/curl-7.16.0-privlibs.patch +++ b/curl-7.16.0-privlibs.patch @@ -1,6 +1,8 @@ ---- curl-7.16.2/libcurl.pc.in.privlibs 2007-02-18 10:41:27.000000000 +0100 -+++ curl-7.16.2/libcurl.pc.in 2007-04-11 20:02:34.000000000 +0200 -@@ -33,6 +33,6 @@ +diff --git a/libcurl.pc.in b/libcurl.pc.in +index 25beadd..d7c0805 100644 +--- a/libcurl.pc.in ++++ b/libcurl.pc.in +@@ -35,6 +35,6 @@ Name: libcurl URL: http://curl.haxx.se/ Description: Library to transfer files with ftp, http, etc. Version: @VERSION@ diff --git a/curl-7.19.4-debug.patch b/curl-7.19.4-debug.patch index d67f2ea..d9cbf71 100644 --- a/curl-7.19.4-debug.patch +++ b/curl-7.19.4-debug.patch 
@@ -1,7 +1,8 @@ -diff -ruNp curl-7.19.4.orig/configure.ac curl-7.19.4/configure.ac ---- curl-7.19.4.orig/configure.ac 2009-02-13 15:25:15.000000000 +0100 -+++ curl-7.19.4/configure.ac 2009-04-22 11:56:32.171305420 +0200 -@@ -241,7 +241,10 @@ dnl ************************************ +diff --git a/configure.ac b/configure.ac +index e575a20..81a7772 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -228,7 +228,10 @@ dnl ********************************************************************** CURL_CHECK_COMPILER CURL_SET_COMPILER_BASIC_OPTS diff --git a/curl-7.19.6-autoconf.patch b/curl-7.19.6-autoconf.patch deleted file mode 100644 index a08660d..0000000 --- a/curl-7.19.6-autoconf.patch +++ /dev/null 
@@ -1,95 +0,0 @@ -diff -rup curl-7.19.6.orig/configure.ac curl-7.19.6/configure.ac ---- curl-7.19.6.orig/configure.ac 2009-09-02 15:46:09.396519773 +0200 -+++ curl-7.19.6/configure.ac 2009-09-02 15:56:18.750831674 +0200 -@@ -1455,22 +1455,37 @@ if test X"$OPT_LIBSSH2" != Xno; then - case "$OPT_LIBSSH2" in - yes) - dnl --with-libssh2 (without path) used -- PREFIX_LIBSSH2=/usr/local/lib -- LIB_LIBSSH2="$PREFIX_LIBSSH2$libsuff" -+ CURL_CHECK_PKGCONFIG(libssh2) -+ -+ if test "$PKGCONFIG" != "no" ; then -+ LIB_SSH2=`$PKGCONFIG --libs-only-l libssh2` -+ LD_SSH2=`$PKGCONFIG --libs-only-L libssh2` -+ CPP_SSH2=`$PKGCONFIG --cflags-only-I libssh2` -+ version=`$PKGCONFIG --modversion libssh2` -+ DIR_SSH2=`echo $LD_SSH2 | $SED -e 's/-L//'` -+ fi -+ - ;; - off) - dnl no --with-libssh2 option given, just check default places -- PREFIX_LIBSSH2= - ;; - *) - dnl use the given --with-libssh2 spot -- PREFIX_LIBSSH2=$OPT_LIBSSH2 -- LIB_LIBSSH2="$PREFIX_LIBSSH2/lib$libsuff" -- LDFLAGS="$LDFLAGS -L$LIB_LIBSSH2" -- CPPFLAGS="$CPPFLAGS -I$PREFIX_LIBSSH2/include" -+ PREFIX_SSH2=$OPT_LIBSSH2 - ;; - esac - -+ dnl if given with a prefix, we set -L and -I based on that -+ if test -n "$PREFIX_SSH2"; then -+ LD_SSH2=-L${PREFIX_SSH2}/lib -+ CPP_SSH2=-I${PREFIX_SSH2}/include -+ DIR_SSH2=${PREFIX_SSH2}/lib -+ fi -+ -+ LDFLAGS="$LDFLAGS $LD_SSH2" -+ CPPFLAGS="$CPPFLAGS $CPP_SSH2" -+ LIBS="$LIBS $LIB_SSH2" -+ - AC_CHECK_LIB(ssh2, libssh2_channel_open_ex) - - AC_CHECK_HEADERS(libssh2.h, -@@ -1494,10 +1509,15 @@ if test X"$OPT_LIBSSH2" != Xno; then - dnl libssh2_version is a post 1.0 addition - AC_CHECK_FUNCS( libssh2_version ) - -- LD_LIBRARY_PATH="$LD_LIBRARY_PATH:$LIB_LIBSSH2" -+ LD_LIBRARY_PATH="$LD_LIBRARY_PATH:$DIR_SSH2" - export LD_LIBRARY_PATH -- AC_MSG_NOTICE([Added $LIB_LIBSSH2 to LD_LIBRARY_PATH]) -+ AC_MSG_NOTICE([Added $DIR_SSH2 to LD_LIBRARY_PATH]) - fi -+ else -+ dnl no libssh2, revert back to clean variables -+ LDFLAGS=$CLEANLDFLAGS -+ CPPFLAGS=$CLEANCPPFLAGS -+ LIBS=$CLEANLIBS - fi - 
fi - -@@ -1665,13 +1685,21 @@ if test "$OPENSSL_ENABLED" != "1" -a "$G - addcflags=`$PKGCONFIG --cflags nss` - version=`$PKGCONFIG --modversion nss` - nssprefix=`$PKGCONFIG --variable=prefix nss` -+ else -+ dnl Without pkg-config, we check for nss-config -+ -+ check=`nss-config --version 2>/dev/null` -+ if test -n "$check"; then -+ addlib=`nss-config --libs` -+ addcflags=`nss-config --cflags` -+ version=`nss-config --version` -+ nssprefix=`nss-config --prefix` -+ else -+ addlib="-lnss3" -+ addcflags="" -+ version="unknown" -+ fi - fi -- else -- # Without pkg-config, we'll kludge in some defaults -- addlib="-L$OPT_NSS/lib -lssl3 -lsmime3 -lnss3 -lplds4 -lplc4 -lnspr4 -lpthread -ldl" -- addcflags="-I$OPT_NSS/include" -- version="unknown" -- nssprefix=$OPT_NSS - fi - - dnl Check for functionPK11_CreateGenericObject -Only in curl-7.19.6.orig: configure.ac.orig diff --git a/curl-7.19.6-nss-cn.patch b/curl-7.19.6-nss-cn.patch deleted file mode 100644 index 83520ee..0000000 --- a/curl-7.19.6-nss-cn.patch +++ /dev/null 
@@ -1,45 +0,0 @@ -diff -rup curl-7.19.6.orig/lib/nss.c curl-7.19.6/lib/nss.c ---- curl-7.19.6.orig/lib/nss.c 2009-08-25 12:27:08.664828503 +0200 -+++ curl-7.19.6/lib/nss.c 2009-08-28 11:51:37.764523702 +0200 -@@ -591,7 +591,7 @@ static SECStatus BadCertHandler(void *ar - struct connectdata *conn = (struct connectdata *)arg; - PRErrorCode err = PR_GetError(); - CERTCertificate *cert = NULL; -- char *subject, *issuer; -+ char *subject, *subject_cn, *issuer; - - if(conn->data->set.ssl.certverifyresult!=0) - return success; -@@ -599,6 +599,7 @@ static SECStatus BadCertHandler(void *ar - conn->data->set.ssl.certverifyresult=err; - cert = SSL_PeerCertificate(sock); - subject = CERT_NameToAscii(&cert->subject); -+ subject_cn = CERT_GetCommonName(&cert->subject); - issuer = CERT_NameToAscii(&cert->issuer); - CERT_DestroyCertificate(cert); - -@@ -616,12 +617,12 @@ static SECStatus BadCertHandler(void *ar - break; - case SSL_ERROR_BAD_CERT_DOMAIN: - if(conn->data->set.ssl.verifyhost) { -- failf(conn->data, "common name '%s' does not match '%s'", -- subject, conn->host.dispname); -+ failf(conn->data, "SSL: certificate subject name '%s' does not match " -+ "target host name '%s'", subject_cn, conn->host.dispname); - success = SECFailure; - } else { -- infof(conn->data, "warning: common name '%s' does not match '%s'\n", -- subject, conn->host.dispname); -+ infof(conn->data, "warning: SSL: certificate subject name '%s' does not " -+ "match target host name '%s'\n", subject_cn, conn->host.dispname); - } - break; - case SEC_ERROR_EXPIRED_CERTIFICATE: -@@ -645,6 +646,7 @@ static SECStatus BadCertHandler(void *ar - if(success == SECSuccess) - infof(conn->data, "SSL certificate verify ok.\n"); - PR_Free(subject); -+ PR_Free(subject_cn); - PR_Free(issuer); - - return success; diff --git a/curl-7.19.6-nss-guenter.patch b/curl-7.19.6-nss-guenter.patch deleted file mode 100644 index f9b8205..0000000 --- a/curl-7.19.6-nss-guenter.patch +++ /dev/null 
@@ -1,94 +0,0 @@ ---- curl-7.19.6/lib/nss.c 2009-09-30 15:29:35.965297742 +0200 -+++ /tmp/nss.c 2009-09-30 15:23:05.000000000 +0200 -@@ -63,6 +63,7 @@ - #include - #include - #include -+#include - - #include "curl_memory.h" - #include "rawstr.h" -@@ -265,7 +266,7 @@ static int num_enabled_ciphers(void) - */ - static int is_file(const char *filename) - { -- struct stat st; -+ struct_stat st; - - if(filename == NULL) - return 0; -@@ -963,26 +964,38 @@ CURLcode Curl_nss_connect(struct connect - /* FIXME. NSS doesn't support multiple databases open at the same time. */ - PR_Lock(nss_initlock); - if(!initialized) { -+ struct_stat st; - -- certDir = getenv("SSL_DIR"); /* Look in $SSL_DIR */ -+ /* First we check if $SSL_DIR points to a valid dir */ -+ certDir = getenv("SSL_DIR"); -+ if(certDir) { -+ if((stat(certDir, &st) != 0) || -+ (!S_ISDIR(st.st_mode))) { -+ certDir = NULL; -+ } -+ } - -+ /* Now we check if the default location is a valid dir */ - if(!certDir) { -- struct stat st; -- -- if(stat(SSL_DIR, &st) == 0) -- if(S_ISDIR(st.st_mode)) { -- certDir = (char *)SSL_DIR; -- } -+ if((stat(SSL_DIR, &st) == 0) && -+ (S_ISDIR(st.st_mode))) { -+ certDir = (char *)SSL_DIR; -+ } - } - - if (!NSS_IsInitialized()) { - initialized = 1; -+ infof(conn->data, "Initializing NSS with certpath: %s\n", -+ certDir ? certDir : "none"); - if(!certDir) { - rv = NSS_NoDB_Init(NULL); - } - else { -- rv = NSS_Initialize(certDir, NULL, NULL, "secmod.db", -- NSS_INIT_READONLY); -+ char *certpath = PR_smprintf("%s%s", -+ NSS_VersionCheck("3.12.0") ? 
"sql:" : "", -+ certDir); -+ rv = NSS_Initialize(certpath, "", "", "", NSS_INIT_READONLY); -+ PR_smprintf_free(certpath); - } - if(rv != SECSuccess) { - infof(conn->data, "Unable to initialize NSS database\n"); -@@ -1103,7 +1116,7 @@ CURLcode Curl_nss_connect(struct connect - } - } - else if(data->set.ssl.CApath) { -- struct stat st; -+ struct_stat st; - PRDir *dir; - PRDirEntry *entry; - -@@ -1282,7 +1295,7 @@ int Curl_nss_send(struct connectdata *co - int rc; - - if(data->set.timeout) -- timeout = PR_MillisecondsToInterval(data->set.timeout); -+ timeout = PR_MillisecondsToInterval((PRUint32)data->set.timeout); - else - timeout = PR_MillisecondsToInterval(DEFAULT_CONNECT_TIMEOUT); - -@@ -1318,7 +1331,7 @@ ssize_t Curl_nss_recv(struct connectdata - PRInt32 timeout; - - if(data->set.timeout) -- timeout = PR_SecondsToInterval(data->set.timeout); -+ timeout = PR_SecondsToInterval((PRUint32)data->set.timeout); - else - timeout = PR_MillisecondsToInterval(DEFAULT_CONNECT_TIMEOUT); - diff --git a/curl-7.19.6-nss-warnings.diff b/curl-7.19.6-nss-warnings.diff deleted file mode 100644 index 966b744..0000000 --- a/curl-7.19.6-nss-warnings.diff +++ /dev/null 
@@ -1,94 +0,0 @@ -diff -rup curl-7.19.6.orig/lib/nss.c curl-7.19.6/lib/nss.c ---- curl-7.19.6.orig/lib/nss.c 2009-10-14 17:24:48.863839812 +0200 -+++ curl-7.19.6/lib/nss.c 2009-10-14 17:25:29.192777766 +0200 -@@ -278,6 +278,24 @@ static int is_file(const char *filename) - return 0; - } - -+static char *fmt_nickname(char *str, bool *nickname_alloc) -+{ -+ char *nickname = NULL; -+ *nickname_alloc = FALSE; -+ -+ if(is_file(str)) { -+ char *n = strrchr(str, '/'); -+ if(n) { -+ *nickname_alloc = TRUE; -+ n++; /* skip last slash */ -+ nickname = aprintf("PEM Token #%d:%s", 1, n); -+ } -+ return nickname; -+ } -+ -+ return str; -+} -+ - static int nss_load_cert(struct ssl_connect_data *ssl, - const char *filename, PRBool cacert) - { -@@ -795,7 +813,7 @@ static SECStatus SelectClientCert(void * - return SECFailure; - } - -- infof(data, "NSS: Client client certificate: %s\n", nickname); -+ infof(data, "NSS: client certificate: %s\n", nickname); - display_cert_info(data, *pRetCert); - return SECSuccess; - } -@@ -1164,24 +1182,10 @@ CURLcode Curl_nss_connect(struct connect - } - - if(data->set.str[STRING_CERT]) { -- char *n; -- char *nickname; - bool nickname_alloc = FALSE; -- -- if(is_file(data->set.str[STRING_CERT])) { -- n = strrchr(data->set.str[STRING_CERT], '/'); -- if(n) { -- n++; /* skip last slash */ -- nickname = aprintf("PEM Token #%d:%s", 1, n); -- if(!nickname) -- return CURLE_OUT_OF_MEMORY; -- -- nickname_alloc = TRUE; -- } -- } -- else { -- nickname = data->set.str[STRING_CERT]; -- } -+ char *nickname = fmt_nickname(data->set.str[STRING_CERT], &nickname_alloc); -+ if(!nickname) -+ return CURLE_OUT_OF_MEMORY; - - if(!cert_stuff(conn, sockindex, data->set.str[STRING_CERT], - data->set.str[STRING_KEY])) { -@@ -1240,23 +1244,13 @@ CURLcode Curl_nss_connect(struct connect - display_conn_info(conn, connssl->handle); - - if (data->set.str[STRING_SSL_ISSUERCERT]) { -- char *n; -- char *nickname; -- bool nickname_alloc = FALSE; - SECStatus ret; -+ bool nickname_alloc = 
FALSE; -+ char *nickname = fmt_nickname(data->set.str[STRING_SSL_ISSUERCERT], -+ &nickname_alloc); - -- if(is_file(data->set.str[STRING_SSL_ISSUERCERT])) { -- n = strrchr(data->set.str[STRING_SSL_ISSUERCERT], '/'); -- if (n) { -- n++; /* skip last slash */ -- nickname = aprintf("PEM Token #%d:%s", 1, n); -- if(!nickname) -- return CURLE_OUT_OF_MEMORY; -- nickname_alloc = TRUE; -- } -- } -- else -- nickname = data->set.str[STRING_SSL_ISSUERCERT]; -+ if(!nickname) -+ return CURLE_OUT_OF_MEMORY; - - ret = check_issuer_cert(connssl->handle, nickname); - diff --git a/curl-7.19.6-verifyhost.patch b/curl-7.19.6-verifyhost.patch deleted file mode 100644 index ce0abd1..0000000 --- a/curl-7.19.6-verifyhost.patch +++ /dev/null 
@@ -1,54 +0,0 @@ -diff -rup curl-7.19.6.orig/lib/nss.c curl-7.19.6/lib/nss.c ---- curl-7.19.6.orig/lib/nss.c 2009-08-14 11:14:45.423733097 +0200 -+++ curl-7.19.6/lib/nss.c 2009-08-14 11:15:04.142733360 +0200 -@@ -615,16 +615,26 @@ static SECStatus BadCertHandler(void *ar - issuer); - break; - case SSL_ERROR_BAD_CERT_DOMAIN: -- if(conn->data->set.ssl.verifypeer) -+ if(conn->data->set.ssl.verifyhost) { -+ failf(conn->data, "common name '%s' does not match '%s'", -+ subject, conn->host.dispname); - success = SECFailure; -- infof(conn->data, "common name: %s (does not match '%s')\n", -- subject, conn->host.dispname); -+ } else { -+ infof(conn->data, "warning: common name '%s' does not match '%s'\n", -+ subject, conn->host.dispname); -+ } - break; - case SEC_ERROR_EXPIRED_CERTIFICATE: - if(conn->data->set.ssl.verifypeer) - success = SECFailure; - infof(conn->data, "Remote Certificate has expired.\n"); - break; -+ case SEC_ERROR_UNKNOWN_ISSUER: -+ if(conn->data->set.ssl.verifypeer) -+ success = SECFailure; -+ infof(conn->data, "Peer's certificate issuer is not recognized: '%s'\n", -+ issuer); -+ break; - default: - if(conn->data->set.ssl.verifypeer) - success = SECFailure; -@@ -1067,6 +1077,9 @@ CURLcode Curl_nss_connect(struct connect - } - } - -+ if(data->set.ssl.verifyhost == 1) -+ infof(data, "warning: ignoring unsupported value (1) of ssl.verifyhost\n"); -+ - data->set.ssl.certverifyresult=0; /* not checked yet */ - if(SSL_BadCertHook(model, (SSLBadCertHandler) BadCertHandler, conn) - != SECSuccess) { -@@ -1200,7 +1213,9 @@ CURLcode Curl_nss_connect(struct connect - if(SSL_ForceHandshakeWithTimeout(connssl->handle, - PR_SecondsToInterval(HANDSHAKE_TIMEOUT)) - != SECSuccess) { -- if(conn->data->set.ssl.certverifyresult!=0) -+ if(conn->data->set.ssl.certverifyresult == SSL_ERROR_BAD_CERT_DOMAIN) -+ curlerr = CURLE_PEER_FAILED_VERIFICATION; -+ else if(conn->data->set.ssl.certverifyresult!=0) - curlerr = CURLE_SSL_CACERT; - goto error; - } 
diff --git a/curl-7.19.7-nss-nonblock.diff b/curl-7.19.7-nss-nonblock.patch similarity index 82% rename from curl-7.19.7-nss-nonblock.diff rename to curl-7.19.7-nss-nonblock.patch index f42b585..461b41b 100644 --- a/curl-7.19.7-nss-nonblock.diff +++ b/curl-7.19.7-nss-nonblock.patch @@ -1,5 +1,7 @@ ---- curl-7.19.6.orig/lib/nss.c 2009-10-07 21:41:55.213109928 +0200 -+++ curl-7.19.6/lib/nss.c 2009-10-08 19:48:05.379110326 +0200 +diff --git a/lib/nss.c b/lib/nss.c +index ea904af..6e8d242 100644 +--- a/lib/nss.c ++++ b/lib/nss.c @@ -83,8 +83,6 @@ PRLock * nss_initlock = NULL; volatile int initialized = 0; @@ -9,7 +11,7 @@ typedef struct { const char *name; int num; -@@ -947,6 +945,8 @@ CURLcode Curl_nss_connect(struct connect +@@ -970,6 +968,8 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex) char *certDir = NULL; int curlerr; const int *cipher_to_enable; @@ -18,7 +20,7 @@ curlerr = CURLE_SSL_CONNECT_ERROR; -@@ -1040,6 +1040,12 @@ CURLcode Curl_nss_connect(struct connect +@@ -1063,6 +1063,12 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex) goto error; model = SSL_ImportFD(NULL, model); @@ -31,7 +33,7 @@ if(SSL_OptionSet(model, SSL_SECURITY, PR_TRUE) != SECSuccess) goto error; if(SSL_OptionSet(model, SSL_HANDSHAKE_AS_SERVER, PR_FALSE) != SECSuccess) -@@ -1225,9 +1231,8 @@ CURLcode Curl_nss_connect(struct connect +@@ -1234,9 +1240,8 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex) SSL_SetURL(connssl->handle, conn->host.name); /* Force the handshake now */ @@ -43,7 +45,7 @@ if(conn->data->set.ssl.certverifyresult == SSL_ERROR_BAD_CERT_DOMAIN) curlerr = CURLE_PEER_FAILED_VERIFICATION; else if(conn->data->set.ssl.certverifyresult!=0) -@@ -1289,27 +1294,12 @@ int Curl_nss_send(struct connectdata *co +@@ -1288,27 +1293,12 @@ int Curl_nss_send(struct connectdata *conn, /* connection data */ const void *mem, /* send this data */ size_t len) /* amount to write */ { 
@@ -73,7 +75,7 @@ return -1; } return rc; /* number of bytes */ -@@ -1327,15 +1317,8 @@ ssize_t Curl_nss_recv(struct connectdata +@@ -1326,15 +1316,8 @@ ssize_t Curl_nss_recv(struct connectdata * conn, /* connection data */ bool * wouldblock) { ssize_t nread; @@ -90,7 +92,7 @@ *wouldblock = FALSE; if(nread < 0) { /* failed SSL read */ -@@ -1345,10 +1328,6 @@ ssize_t Curl_nss_recv(struct connectdata +@@ -1344,10 +1327,6 @@ ssize_t Curl_nss_recv(struct connectdata * conn, /* connection data */ *wouldblock = TRUE; return -1; /* basically EWOULDBLOCK */ } diff --git a/curl-7.19.7-ssl-retry.patch b/curl-7.19.7-ssl-retry.patch new file mode 100644 index 0000000..c26b10c --- /dev/null +++ b/curl-7.19.7-ssl-retry.patch 
@@ -0,0 +1,123 @@ +diff --git a/lib/nss.c b/lib/nss.c +index 6e8d242..93dfe16 100644 +--- a/lib/nss.c ++++ b/lib/nss.c +@@ -844,6 +844,36 @@ static SECStatus SelectClientCert(void *arg, PRFileDesc *sock, + return SECSuccess; + } + ++/* This function is supposed to decide, which error codes should be used ++ * to conclude server is TLS intolerant. ++ * ++ * taken from xulrunner - nsNSSIOLayer.cpp ++ */ ++static PRBool ++isTLSIntoleranceError(PRInt32 err) ++{ ++ switch (err) { ++ case SSL_ERROR_BAD_MAC_ALERT: ++ case SSL_ERROR_BAD_MAC_READ: ++ case SSL_ERROR_HANDSHAKE_FAILURE_ALERT: ++ case SSL_ERROR_HANDSHAKE_UNEXPECTED_ALERT: ++ case SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE: ++ case SSL_ERROR_ILLEGAL_PARAMETER_ALERT: ++ case SSL_ERROR_NO_CYPHER_OVERLAP: ++ case SSL_ERROR_BAD_SERVER: ++ case SSL_ERROR_BAD_BLOCK_PADDING: ++ case SSL_ERROR_UNSUPPORTED_VERSION: ++ case SSL_ERROR_PROTOCOL_VERSION_ALERT: ++ case SSL_ERROR_RX_MALFORMED_FINISHED: ++ case SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE: ++ case SSL_ERROR_DECODE_ERROR_ALERT: ++ case SSL_ERROR_RX_UNKNOWN_ALERT: ++ return PR_TRUE; ++ default: ++ return PR_FALSE; ++ } ++} ++ + /** + * Global SSL init + * +@@ -1081,7 +1111,11 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex) + switch (data->set.ssl.version) { + default: + case CURL_SSLVERSION_DEFAULT: +- ssl3 = tlsv1 = PR_TRUE; ++ ssl3 = PR_TRUE; ++ if (data->state.ssl_connect_retry) ++ infof(data, "TLS disabled due to previous handshake failure\n"); ++ else ++ tlsv1 = PR_TRUE; + break; + case CURL_SSLVERSION_TLSv1: + tlsv1 = PR_TRUE; +@@ -1101,9 +1135,13 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex) + if(SSL_OptionSet(model, SSL_ENABLE_TLS, tlsv1) != SECSuccess) + goto error; + +- if(SSL_OptionSet(model, SSL_V2_COMPATIBLE_HELLO, ssl2) != SECSuccess) ++ if(SSL_OptionSet(model, SSL_V2_COMPATIBLE_HELLO, ssl2 ++ || data->state.ssl_connect_retry) != SECSuccess) + goto error; + ++ /* reset the flag to avoid an infinite loop */ ++ 
data->state.ssl_connect_retry = FALSE; ++ + /* enable all ciphers from enable_ciphers_by_default */ + cipher_to_enable = enable_ciphers_by_default; + while (SSL_NULL_WITH_NULL_NULL != *cipher_to_enable) { +@@ -1280,10 +1318,21 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex) + return CURLE_OK; + + error: ++ /* reset the flag to avoid an infinite loop */ ++ data->state.ssl_connect_retry = FALSE; ++ + err = PR_GetError(); + infof(data, "NSS error %d\n", err); + if(model) + PR_Close(model); ++ ++ if (ssl3 && tlsv1 && isTLSIntoleranceError(err)) { ++ /* schedule reconnect through Curl_retry_request() */ ++ data->state.ssl_connect_retry = TRUE; ++ infof(data, "Error in TLS handshake, trying SSLv3...\n"); ++ return CURLE_OK; ++ } ++ + return curlerr; + } + +diff --git a/lib/transfer.c b/lib/transfer.c +index 1f69706..c3a1976 100644 +--- a/lib/transfer.c ++++ b/lib/transfer.c +@@ -2572,10 +2572,11 @@ CURLcode Curl_retry_request(struct connectdata *conn, + if(data->set.upload && !(conn->protocol&PROT_HTTP)) + return CURLE_OK; + +- if((data->req.bytecount + ++ if(/* workaround for broken TLS servers */ data->state.ssl_connect_retry || ++ ((data->req.bytecount + + data->req.headerbytecount == 0) && + conn->bits.reuse && +- !data->set.opt_no_body) { ++ !data->set.opt_no_body)) { + /* We got no data, we attempted to re-use a connection and yet we want a + "body". This might happen if the connection was left alive when we were + done using it before, but that was closed when we wanted to read from +diff --git a/lib/urldata.h b/lib/urldata.h +index b9e5c24..b181e3f 100644 +--- a/lib/urldata.h ++++ b/lib/urldata.h +@@ -1331,6 +1331,9 @@ struct UrlState { + } proto; + /* current user of this SessionHandle instance, or NULL */ + struct connectdata *current_conn; ++ ++ /* if true, force SSL connection retry (workaround for certain servers) */ ++ bool ssl_connect_retry; + }; + + diff --git a/curl.spec b/curl.spec index 5ca3755..d4c02b1 100644 --- a/curl.spec 
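Review bot: The SSLv3 fallback added at the `error:` label of Curl_nss_connect is triggerable by an active attacker, not only by a broken server: several codes accepted by isTLSIntoleranceError (`SSL_ERROR_BAD_MAC_READ`, `SSL_ERROR_RX_UNKNOWN_ALERT`, `SSL_ERROR_HANDSHAKE_FAILURE_ALERT`) can be produced by injecting or corrupting a single record during the first handshake, after which the retry runs with TLS disabled and `SSL_V2_COMPATIBLE_HELLO` forced on even when `ssl2` is false, so an on-path attacker can downgrade every default-configured client. The `ssl3 && tlsv1` guard does keep an explicit `CURL_SSLVERSION_TLSv1` from falling back, which is worth stating at the site, e.g. `/* only for CURL_SSLVERSION_DEFAULT; a MITM can force this path, so never drop below the user's configured floor */`, and the infof should say the connection is being downgraded rather than just "trying SSLv3". Returning `CURLE_OK` from the error path also makes a failed connect look successful until Curl_retry_request() runs; since that function returns early for non-HTTP uploads, a non-HTTP transfer may proceed on a connection whose TLS layer was never established — if that cannot happen, a comment saying why would help. Curl_nss_connect starts outside the hunk, so the initial values of ssl3/tlsv1 (which decide whether the fallback fires on early `goto error`s) are not visible here.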
+++ b/curl.spec @@ -1,18 +1,13 @@ Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Name: curl -Version: 7.19.6 -Release: 13%{?dist} +Version: 7.19.7 +Release: 1%{?dist} License: MIT Group: Applications/Internet Source: http://curl.haxx.se/download/%{name}-%{version}.tar.lzma Source2: curlbuild.h -Patch1: curl-7.19.6-verifyhost.patch -Patch2: curl-7.19.6-nss-cn.patch -Patch3: curl-7.19.6-poll.patch -Patch4: curl-7.19.6-autoconf.patch -Patch5: curl-7.19.6-nss-guenter.patch -Patch6: curl-7.19.6-nss-warnings.diff -Patch7: curl-7.19.7-nss-nonblock.diff +Patch1: curl-7.19.7-nss-nonblock.patch +Patch2: curl-7.19.7-ssl-retry.patch Patch101: curl-7.15.3-multilib.patch Patch102: curl-7.16.0-privlibs.patch Patch103: curl-7.19.4-debug.patch @@ -74,21 +69,15 @@ use cURL's capabilities internally. %prep %setup -q -# upstream patches (already applied) +# upstream patches (not yet applied) %patch1 -p1 %patch2 -p1 -%patch3 -p1 -%patch4 -p1 -%patch5 -p1 -%patch6 -p1 - -# upstream patches (not yet applied) -%patch7 -p1 # Fedora patches %patch101 -p1 %patch102 -p1 %patch103 -p1 +autoconf # Convert docs to UTF-8 for f in CHANGES README; do @@ -97,7 +86,6 @@ for f in CHANGES README; do done %build -autoconf %configure --without-ssl --with-nss --enable-ipv6 \ --with-ca-bundle=%{_sysconfdir}/pki/tls/certs/ca-bundle.crt \ --with-gssapi=%{_prefix}/kerberos --with-libidn \ @@ -172,6 +160,10 @@ rm -rf $RPM_BUILD_ROOT %{_datadir}/aclocal/libcurl.m4 %changelog +* Wed Nov 04 2009 Kamil Dudka 7.19.7-1 +- new upstream release, dropped applied patches +- workaround for broken TLS servers (#525496, #527771) + * Wed Oct 14 2009 Kamil Dudka 7.19.6-13 - fix timeout issues and gcc warnings within lib/nss.c diff --git a/sources b/sources index 9eaf34a..7280ede 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -9351ad8ee0bea75015dfa9ec6248e055 curl-7.19.6.tar.lzma +26124caef7359de6338172abafa98dc0 curl-7.19.7.tar.lzma