From 8dee10dc35c81be17634838f8723a847cb226ce3 Mon Sep 17 00:00:00 2001
From: AlmaLinux RelEng Bot
Date: Tue, 19 May 2026 20:27:08 -0400
Subject: [PATCH] import UBI curl-7.76.1-40.el9
---
 ...-7.76.1-respect-system-crypto-policy.patch | 73 +++++++++++++------
 SPECS/curl.spec | 20 +++-
 2 files changed, 65 insertions(+), 28 deletions(-)
diff --git a/SOURCES/0042-curl-7.76.1-respect-system-crypto-policy.patch b/SOURCES/0042-curl-7.76.1-respect-system-crypto-policy.patch
index 441bc06..e2da7c2 100644
--- a/SOURCES/0042-curl-7.76.1-respect-system-crypto-policy.patch
+++ b/SOURCES/0042-curl-7.76.1-respect-system-crypto-policy.patch
@@ -22,26 +22,38 @@ policies are mandatory: - RHEL/Fedora cannot achieve government certifications - System administrators cannot enforce TLS version restrictions -The fix: only call SSL_CTX_set_max_proto_version() when user explicitly -requests a specific maximum version. Otherwise, let OpenSSL use its -configured default from crypto-policy. +The fix: when user explicitly requests a specific maximum version, honor it. +Otherwise, query the current crypto-policy setting. If the policy restricts +TLS to a version lower than 1.3, respect that restriction. If the policy +allows TLS 1.3 (the highest), use 0 to maintain the original behavior. + +This approach: +- Respects crypto-policy when it actually restricts TLS versions +- Maintains original behavior (calling with 0) when no restriction applies +- Preserves compatibility with other libraries like libssh (bz2091512) +- Ensures SSL_CTX_set_max_proto_version() is always called (RHEL-134721) + +Note: Previous versions had issues: +- v1: Skipped calling SSL_CTX_set_max_proto_version() entirely, breaking libssh +- v2: Always called with policy_max value, but on DEFAULT policy this returns + TLS1_3_VERSION instead of 0, which differs from original behavior and + still caused libssh regression + +This v3 fix preserves original behavior (call with 0) when crypto-policy +allows TLS 1.3, and only applies restrictions for FIPS/restrictive policies. This mirrors the intended behavior of the minimum version logic, where explicit user choice overrides defaults, but system configuration is respected otherwise. - -Tested on RHEL 9.6+, RHEL 10, and Fedora Rawhide. - -Bug: https://github.com/curl/curl/issues/XXXXX --- - lib/vtls/openssl.c | 26 +++++++++++++++----------- - 1 file changed, 15 insertions(+), 11 deletions(-) + lib/vtls/openssl.c | 50 +++++++++++++++++++++++++++++++++++------------- + 1 file changed, 37 insertions(+), 13 deletions(-) diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c index 1234567890..abcdef1234 100644 
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
-@@ -2354,19 +2354,22 @@ set_ssl_version_min_max(SSL_CTX *ctx, struct connectdata *conn)
+@@ -2354,19 +2354,43 @@
ossl_ssl_version_max = TLS1_3_VERSION;
break;
#endif
@@ -55,25 +67,44 @@ index 1234567890..abcdef1234 100644
- ossl_ssl_version_max = 0; - break; } - + - if(!SSL_CTX_set_max_proto_version(ctx, ossl_ssl_version_max)) { - return CURLE_SSL_CONNECT_ERROR;
-+ /* Only set max version if user explicitly requested a specific version
-+ via --tls-max option. This honors user intent when specified.
++ /* Set max version based on user choice or crypto-policy.
+
-+ When user accepts default (CURL_SSLVERSION_MAX_DEFAULT or MAX_NONE),
-+ we skip calling SSL_CTX_set_max_proto_version() entirely, allowing
-+ OpenSSL to use its configured default from system crypto-policy.
++ When user explicitly sets --tls-max, honor that choice (app control).
++ When user accepts default, respect crypto-policy (system policy).
+
-+ This is a deliberate compromise: explicit user choice overrides system
-+ policy, but system policy is respected when user doesn't specify. */
++ IMPORTANT: We always call SSL_CTX_set_max_proto_version() to maintain
++ compatibility with other libraries like libssh. Skipping this call
++ or calling with different values can affect libraries that depend on
++ specific OpenSSL initialization sequences. See RHEL-134721. */
+ if(curl_ssl_version_max != CURL_SSLVERSION_MAX_NONE &&
+ curl_ssl_version_max != CURL_SSLVERSION_MAX_DEFAULT) {
++ /* User explicitly requested a specific max version - honor it */
+ if(!SSL_CTX_set_max_proto_version(ctx, ossl_ssl_version_max)) {
+ return CURLE_SSL_CONNECT_ERROR;
++ }
++ }
++ else {
++ /* User didn't specify - check crypto-policy.
++ Query the current max version setting from crypto-policy config.
++ If policy restricts to below TLS 1.3, respect that restriction.
++ Otherwise, use 0 (highest available) to maintain original behavior
++ which is required for libssh compatibility (bz2091512).
*/
++ long policy_max = SSL_CTX_get_max_proto_version(ctx);
++#ifdef TLS1_3_VERSION
++ if(policy_max == 0 || policy_max >= TLS1_3_VERSION) {
++ /* No restriction or TLS 1.3 allowed - use original behavior */
++ policy_max = 0;
++ }
++ /* else: policy restricts to TLS 1.2 or lower, respect it */
++#else
++ policy_max = 0;
++#endif
++ if(!SSL_CTX_set_max_proto_version(ctx, policy_max)) {
++ return CURLE_SSL_CONNECT_ERROR;
+ } } - + return CURLE_OK;
---
-2.45.2
diff --git a/SPECS/curl.spec b/SPECS/curl.spec
index b2c9837..4e49085 100644
--- a/SPECS/curl.spec
+++ b/SPECS/curl.spec
@@ -1,7 +1,7 @@
Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
Name: curl
Version: 7.76.1
-Release: 35%{?dist}.3
+Release: 40%{?dist}
License: MIT
Source: https://curl.se/download/%{name}-%{version}.tar.xz
@@ -573,14 +573,20 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
%{_libdir}/libcurl.so.4.[0-9].[0-9].minimal
%changelog
-* Tue Dec 02 2025 Jacek Migacz - 7.76.1-35.el9_7.3
-- http: fix crash in rate-limited upload (RHEL-129493)
+* Wed Jan 21 2026 Jacek Migacz - 7.76.1-40
+- openssl: fix libssh compatibility by preserving original SSL_CTX behavior (RHEL-134721)
-* Fri Nov 28 2025 Jacek Migacz - 7.76.1-35.el9_7.2
-- openssl: respect system crypto policy for TLS max version (RHEL-128921)
+* Thu Dec 18 2025 Jacek Migacz - 7.76.1-39
+- openssl: fix libssh compatibility in crypto-policy patch (RHEL-134721)
-* Tue Nov 18 2025 Jacek Migacz - 7.76.1-35.el9_7.1
-- rebuild for rhel-9.7.0 z-stream (RHEL-121659)
+* Mon Dec 01 2025 Jacek Migacz - 7.76.1-38
+- http: fix crash in rate-limited upload (RHEL-131696)
+
+* Thu Nov 27 2025 Jacek Migacz - 7.76.1-37
+- openssl: respect system crypto policy for TLS max version (RHEL-128914)
+
+* Thu Nov 20 2025 Jacek Migacz - 7.76.1-36
+- rebuild for c9s (RHEL-125838)
* Thu Oct 23 2025 Jacek Migacz - 7.76.1-35
- cookie: don't treat the leading slash as trailing (CVE-2025-9086)
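Review bot: The new `SSL_CTX_get_max_proto_version(ctx)` call in the else branch sits outside the `#ifdef TLS1_3_VERSION` guard, so the `#else` fallback that assigns 0 does not help a build whose OpenSSL lacks the getter; as far as I recall the get_min/max_proto_version accessors arrived together with TLS 1.3 in OpenSSL 1.1.1, while `SSL_CTX_set_max_proto_version()` exists since 1.1.0, which appears to be what this code path is gated on. Declaring `long policy_max = 0;` before the `#ifdef` and inside it writing `policy_max = SSL_CTX_get_max_proto_version(ctx);` followed by `if(policy_max >= TLS1_3_VERSION) policy_max = 0;` gives the same result on 1.1.1+ (0 stays 0, a TLS 1.2-or-lower cap is re-applied unchanged) and still compiles where TLS1_3_VERSION is undefined. The comment should also state what the getter really returns, namely the maximum currently set on this ctx, which equals the crypto-policy value only if nothing earlier on this ctx set one, e.g. `/* NOTE: reads whatever max is already set on ctx; assumes the only earlier setter is the system ssl_conf applied at SSL_CTX_new() - verify in the caller */`. It is also worth recording for operators that an explicit --tls-max still overrides a restrictive policy, since the first branch bypasses the policy check by design. The enclosing set_ssl_version_min_max() starts before this hunk.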