make the --tls13-ciphers option work

This commit is contained in:
Kamil Dudka 2018-09-04 15:20:55 +02:00
parent 8bff7e0d6b
commit e7b6b91818
2 changed files with 109 additions and 1 deletions

View File

@ -0,0 +1,101 @@
From 426b00d0587797d79806f9682b058d5c90a0ab79 Mon Sep 17 00:00:00 2001
From: Jay Satiro <raysatiro@yahoo.com>
Date: Fri, 31 Aug 2018 19:46:29 -0400
Subject: [PATCH 1/2] openssl: Fix setting TLS 1.3 cipher suites
The flag indicating TLS 1.3 cipher support in the OpenSSL backend was
missing.
Bug: https://github.com/curl/curl/pull/2607#issuecomment-417283187
Reported-by: Kamil Dudka
Closes #2926
Upstream-commit: 978574b502294ae06eb97d4f590b54ed5d24cd7f
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
lib/vtls/openssl.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index bc46eca..fad4287 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -3804,6 +3804,9 @@ const struct Curl_ssl Curl_ssl_openssl = {
SSLSUPP_CERTINFO |
SSLSUPP_PINNEDPUBKEY |
SSLSUPP_SSL_CTX |
+#ifdef HAVE_SSL_CTX_SET_CIPHERSUITES
+ SSLSUPP_TLS13_CIPHERSUITES |
+#endif
SSLSUPP_HTTPS_PROXY,
sizeof(struct ssl_backend_data),
--
2.17.1
From 081afa4e2eb5e853833bd87ca43f48ab550fe657 Mon Sep 17 00:00:00 2001
From: Kamil Dudka <kdudka@redhat.com>
Date: Mon, 3 Sep 2018 13:04:00 +0200
Subject: [PATCH 2/2] url, vtls: make CURLOPT{,_PROXY}_TLS13_CIPHERS work
This is a follow-up to PR #2607 and PR #2926.
Closes #2936
Upstream-commit: 52c13d6328ff56b2d2e8313e88cfdfc78acda365
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
lib/url.c | 4 ++++
lib/vtls/vtls.c | 5 ++++-
2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/lib/url.c b/lib/url.c
index 27b2c1e..46898c4 100644
--- a/lib/url.c
+++ b/lib/url.c
@@ -4356,6 +4356,10 @@ static CURLcode create_conn(struct Curl_easy *data,
data->set.str[STRING_SSL_CIPHER_LIST_ORIG];
data->set.proxy_ssl.primary.cipher_list =
data->set.str[STRING_SSL_CIPHER_LIST_PROXY];
+ data->set.ssl.primary.cipher_list13 =
+ data->set.str[STRING_SSL_CIPHER13_LIST_ORIG];
+ data->set.proxy_ssl.primary.cipher_list13 =
+ data->set.str[STRING_SSL_CIPHER13_LIST_PROXY];
data->set.ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE_ORIG];
data->set.proxy_ssl.CRLfile = data->set.str[STRING_SSL_CRLFILE_PROXY];
diff --git a/lib/vtls/vtls.c b/lib/vtls/vtls.c
index bf96518..b61c640 100644
--- a/lib/vtls/vtls.c
+++ b/lib/vtls/vtls.c
@@ -96,7 +96,8 @@ Curl_ssl_config_matches(struct ssl_primary_config* data,
Curl_safe_strcasecompare(data->clientcert, needle->clientcert) &&
Curl_safe_strcasecompare(data->random_file, needle->random_file) &&
Curl_safe_strcasecompare(data->egdsocket, needle->egdsocket) &&
- Curl_safe_strcasecompare(data->cipher_list, needle->cipher_list))
+ Curl_safe_strcasecompare(data->cipher_list, needle->cipher_list) &&
+ Curl_safe_strcasecompare(data->cipher_list13, needle->cipher_list13))
return TRUE;
return FALSE;
@@ -119,6 +120,7 @@ Curl_clone_primary_ssl_config(struct ssl_primary_config *source,
CLONE_STRING(random_file);
CLONE_STRING(egdsocket);
CLONE_STRING(cipher_list);
+ CLONE_STRING(cipher_list13);
return TRUE;
}
@@ -131,6 +133,7 @@ void Curl_free_primary_ssl_config(struct ssl_primary_config* sslc)
Curl_safefree(sslc->random_file);
Curl_safefree(sslc->egdsocket);
Curl_safefree(sslc->cipher_list);
+ Curl_safefree(sslc->cipher_list13);
}
#ifdef USE_SSL
--
2.17.1

View File

@ -1,7 +1,7 @@
Summary: A utility for getting files from remote servers (FTP, HTTP, and others) Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
Name: curl Name: curl
Version: 7.61.0 Version: 7.61.0
Release: 7%{?dist} Release: 8%{?dist}
License: MIT License: MIT
Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz Source: https://curl.haxx.se/download/%{name}-%{version}.tar.xz
@ -11,6 +11,9 @@ Patch1: 0001-curl-7.61.0-pkcs11.patch
# scp/sftp: fix infinite connect loop on invalid private key (#1595135) # scp/sftp: fix infinite connect loop on invalid private key (#1595135)
Patch2: 0002-curl-7.61.0-libssh.patch Patch2: 0002-curl-7.61.0-libssh.patch
# make the --tls13-ciphers option work
Patch3: 0003-curl-7.61.0-tls13-ciphers.patch
# patch making libcurl multilib ready # patch making libcurl multilib ready
Patch101: 0101-curl-7.32.0-multilib.patch Patch101: 0101-curl-7.32.0-multilib.patch
@ -166,6 +169,7 @@ be installed.
# upstream patches # upstream patches
%patch1 -p1 %patch1 -p1
%patch2 -p1 %patch2 -p1
%patch3 -p1
# Fedora patches # Fedora patches
%patch101 -p1 %patch101 -p1
@ -333,6 +337,9 @@ rm -f ${RPM_BUILD_ROOT}%{_libdir}/libcurl.la
%{_libdir}/libcurl.so.4.[0-9].[0-9].minimal %{_libdir}/libcurl.so.4.[0-9].[0-9].minimal
%changelog %changelog
* Tue Sep 04 2018 Kamil Dudka <kdudka@redhat.com> - 7.61.0-8
- make the --tls13-ciphers option work
* Mon Aug 27 2018 Kamil Dudka <kdudka@redhat.com> - 7.61.0-7 * Mon Aug 27 2018 Kamil Dudka <kdudka@redhat.com> - 7.61.0-7
- tests: make ssh-keygen always produce PEM format (#1622594) - tests: make ssh-keygen always produce PEM format (#1622594)