base/SOURCES/0025-curl-7.29.0-3f430c9c.p...

From 7ab0810c977cec1135d9b5bd85b012ca9e6173cc Mon Sep 17 00:00:00 2001
From: Kamil Dudka <kdudka@redhat.com>
Date: Wed, 29 Oct 2014 14:14:23 +0100
Subject: [PATCH 1/2] nss: drop the code for libcurl-level downgrade to SSLv3

This code was already deactivated by commit
ec783dc142129d3860e542b443caaa78a6172d56.

Upstream-commit: 3f430c9c3a4e3748bc075b633a9324c5037c9fe7
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
 lib/nss.c | 52 ----------------------------------------------------
 1 file changed, 52 deletions(-)

diff --git a/lib/nss.c b/lib/nss.c
index 36fa097..0691394 100644
--- a/lib/nss.c
+++ b/lib/nss.c
@@ -835,36 +835,6 @@ static SECStatus SelectClientCert(void *arg, PRFileDesc *sock,
   return SECSuccess;
 }
 
-/* This function is supposed to decide, which error codes should be used
- * to conclude server is TLS intolerant.
- *
- * taken from xulrunner - nsNSSIOLayer.cpp
- */
-static PRBool
-isTLSIntoleranceError(PRInt32 err)
-{
-  switch (err) {
-  case SSL_ERROR_BAD_MAC_ALERT:
-  case SSL_ERROR_BAD_MAC_READ:
-  case SSL_ERROR_HANDSHAKE_FAILURE_ALERT:
-  case SSL_ERROR_HANDSHAKE_UNEXPECTED_ALERT:
-  case SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE:
-  case SSL_ERROR_ILLEGAL_PARAMETER_ALERT:
-  case SSL_ERROR_NO_CYPHER_OVERLAP:
-  case SSL_ERROR_BAD_SERVER:
-  case SSL_ERROR_BAD_BLOCK_PADDING:
-  case SSL_ERROR_UNSUPPORTED_VERSION:
-  case SSL_ERROR_PROTOCOL_VERSION_ALERT:
-  case SSL_ERROR_RX_MALFORMED_FINISHED:
-  case SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE:
-  case SSL_ERROR_DECODE_ERROR_ALERT:
-  case SSL_ERROR_RX_UNKNOWN_ALERT:
-    return PR_TRUE;
-  default:
-    return PR_FALSE;
-  }
-}
-
 /* update blocking direction in case of PR_WOULD_BLOCK_ERROR */
 static void nss_update_connecting_state(ssl_connect_state state, void *secret)
 {
@@ -1236,10 +1206,6 @@ static CURLcode nss_init_sslver(SSLVersionRange *sslver,
   switch (data->set.ssl.version) {
   default:
   case CURL_SSLVERSION_DEFAULT:
-    if(data->state.ssl_connect_retry) {
-      infof(data, "TLS disabled due to previous handshake failure\n");
-      sslver->max = SSL_LIBRARY_VERSION_3_0;
-    }
     return CURLE_OK;
 
   case CURL_SSLVERSION_TLSv1:
@@ -1293,12 +1259,8 @@ static CURLcode nss_fail_connect(struct ssl_connect_data *connssl,
                                  struct SessionHandle *data,
                                  CURLcode curlerr)
 {
-  SSLVersionRange sslver;
   PRErrorCode err = 0;
 
-  /* reset the flag to avoid an infinite loop */
-  data->state.ssl_connect_retry = FALSE;
-
   if(is_nss_error(curlerr)) {
     /* read NSPR error code */
     err = PR_GetError();
@@ -1315,17 +1277,6 @@ static CURLcode nss_fail_connect(struct ssl_connect_data *connssl,
   /* cleanup on connection failure */
   Curl_llist_destroy(connssl->obj_list, NULL);
   connssl->obj_list = NULL;
-
-  if((SSL_VersionRangeGet(connssl->handle, &sslver) == SECSuccess)
-      && (sslver.min == SSL_LIBRARY_VERSION_3_0)
-      && (sslver.max == SSL_LIBRARY_VERSION_TLS_1_0)
-      && isTLSIntoleranceError(err)) {
-    /* schedule reconnect through Curl_retry_request() */
-    data->state.ssl_connect_retry = TRUE;
-    infof(data, "Error in TLS handshake, trying SSLv3...\n");
-    return CURLE_OK;
-  }
-
   return curlerr;
 }
 
@@ -1434,9 +1385,6 @@ static CURLcode nss_setup_connect(struct connectdata *conn, int sockindex)
     infof(data, "warning: support for SSL_CBC_RANDOM_IV not compiled in\n");
 #endif
 
-  /* reset the flag to avoid an infinite loop */
-  data->state.ssl_connect_retry = FALSE;
-
   if(data->set.ssl.cipher_list) {
     if(set_ciphers(data, model, data->set.ssl.cipher_list) != SECSuccess) {
       curlerr = CURLE_SSL_CIPHER;
-- 
2.1.0


From e21cf86258c3cc2042dfb531cbf94ce2f5405d8c Mon Sep 17 00:00:00 2001
From: Kamil Dudka <kdudka@redhat.com>
Date: Wed, 29 Oct 2014 14:24:54 +0100
Subject: [PATCH 2/2] transfer: drop the code handling the ssl_connect_retry
 flag

Its last use has been removed by the previous commit.

Upstream-commit: 276741af4ddebe0cc0d446712fb8dfdf0c140e7b
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
 lib/transfer.c | 12 ++++--------
 lib/urldata.h  |  3 ---
 2 files changed, 4 insertions(+), 11 deletions(-)

diff --git a/lib/transfer.c b/lib/transfer.c
index 330b37a..dff6838 100644
--- a/lib/transfer.c
+++ b/lib/transfer.c
@@ -1269,8 +1269,6 @@ CURLcode Curl_pretransfer(struct SessionHandle *data)
   data->state.errorbuf = FALSE; /* no error has occurred */
   data->state.httpversion = 0; /* don't assume any particular server version */
 
-  data->state.ssl_connect_retry = FALSE;
-
   data->state.authproblem = FALSE;
   data->state.authhost.want = data->set.httpauth;
   data->state.authproxy.want = data->set.proxyauth;
@@ -1848,12 +1846,10 @@ CURLcode Curl_retry_request(struct connectdata *conn,
      !(conn->handler->protocol&(CURLPROTO_HTTP|CURLPROTO_RTSP)))
     return CURLE_OK;
 
-  if(/* workaround for broken TLS servers */ data->state.ssl_connect_retry ||
-      ((data->req.bytecount +
-        data->req.headerbytecount == 0) &&
-        conn->bits.reuse &&
-        !data->set.opt_no_body &&
-        data->set.rtspreq != RTSPREQ_RECEIVE)) {
+  if((data->req.bytecount + data->req.headerbytecount == 0) &&
+      conn->bits.reuse &&
+      !data->set.opt_no_body &&
+      (data->set.rtspreq != RTSPREQ_RECEIVE)) {
     /* We got no data, we attempted to re-use a connection and yet we want a
        "body". This might happen if the connection was left alive when we were
        done using it before, but that was closed when we wanted to read from
diff --git a/lib/urldata.h b/lib/urldata.h
index c91bcff..04f590d 100644
--- a/lib/urldata.h
+++ b/lib/urldata.h
@@ -1288,9 +1288,6 @@ struct UrlState {
   } proto;
   /* current user of this SessionHandle instance, or NULL */
   struct connectdata *current_conn;
-
-  /* if true, force SSL connection retry (workaround for certain servers) */
-  bool ssl_connect_retry;
 };
 
 
-- 
2.1.0
curl package update Signed-off-by: basebuilder_pel7x64builder0 <basebuilder@powerel.org> 6 years ago			`From 7ab0810c977cec1135d9b5bd85b012ca9e6173cc Mon Sep 17 00:00:00 2001`
			`From: Kamil Dudka <kdudka@redhat.com>`
			`Date: Wed, 29 Oct 2014 14:14:23 +0100`
			`Subject: [PATCH 1/2] nss: drop the code for libcurl-level downgrade to SSLv3`

			`This code was already deactivated by commit`
			`ec783dc142129d3860e542b443caaa78a6172d56.`

			`Upstream-commit: 3f430c9c3a4e3748bc075b633a9324c5037c9fe7`
			`Signed-off-by: Kamil Dudka <kdudka@redhat.com>`
			`---`
			`lib/nss.c \| 52 ----------------------------------------------------`
			`1 file changed, 52 deletions(-)`

			`diff --git a/lib/nss.c b/lib/nss.c`
			`index 36fa097..0691394 100644`
			`--- a/lib/nss.c`
			`+++ b/lib/nss.c`
			`@@ -835,36 +835,6 @@ static SECStatus SelectClientCert(void arg, PRFileDesc sock,`
			`return SECSuccess;`
			`}`

			`-/* This function is supposed to decide, which error codes should be used`
			`- * to conclude server is TLS intolerant.`
			`- *`
			`- * taken from xulrunner - nsNSSIOLayer.cpp`
			`- */`
			`-static PRBool`
			`-isTLSIntoleranceError(PRInt32 err)`
			`-{`
			`- switch (err) {`
			`- case SSL_ERROR_BAD_MAC_ALERT:`
			`- case SSL_ERROR_BAD_MAC_READ:`
			`- case SSL_ERROR_HANDSHAKE_FAILURE_ALERT:`
			`- case SSL_ERROR_HANDSHAKE_UNEXPECTED_ALERT:`
			`- case SSL_ERROR_CLIENT_KEY_EXCHANGE_FAILURE:`
			`- case SSL_ERROR_ILLEGAL_PARAMETER_ALERT:`
			`- case SSL_ERROR_NO_CYPHER_OVERLAP:`
			`- case SSL_ERROR_BAD_SERVER:`
			`- case SSL_ERROR_BAD_BLOCK_PADDING:`
			`- case SSL_ERROR_UNSUPPORTED_VERSION:`
			`- case SSL_ERROR_PROTOCOL_VERSION_ALERT:`
			`- case SSL_ERROR_RX_MALFORMED_FINISHED:`
			`- case SSL_ERROR_BAD_HANDSHAKE_HASH_VALUE:`
			`- case SSL_ERROR_DECODE_ERROR_ALERT:`
			`- case SSL_ERROR_RX_UNKNOWN_ALERT:`
			`- return PR_TRUE;`
			`- default:`
			`- return PR_FALSE;`
			`- }`
			`-}`
			`-`
			`/* update blocking direction in case of PR_WOULD_BLOCK_ERROR */`
			`static void nss_update_connecting_state(ssl_connect_state state, void *secret)`
			`{`
			`@@ -1236,10 +1206,6 @@ static CURLcode nss_init_sslver(SSLVersionRange *sslver,`
			`switch (data->set.ssl.version) {`
			`default:`
			`case CURL_SSLVERSION_DEFAULT:`
			`- if(data->state.ssl_connect_retry) {`
			`- infof(data, "TLS disabled due to previous handshake failure\n");`
			`- sslver->max = SSL_LIBRARY_VERSION_3_0;`
			`- }`
			`return CURLE_OK;`

			`case CURL_SSLVERSION_TLSv1:`
			`@@ -1293,12 +1259,8 @@ static CURLcode nss_fail_connect(struct ssl_connect_data *connssl,`
			`struct SessionHandle *data,`
			`CURLcode curlerr)`
			`{`
			`- SSLVersionRange sslver;`
			`PRErrorCode err = 0;`

			`- /* reset the flag to avoid an infinite loop */`
			`- data->state.ssl_connect_retry = FALSE;`
			`-`
			`if(is_nss_error(curlerr)) {`
			`/* read NSPR error code */`
			`err = PR_GetError();`
			`@@ -1315,17 +1277,6 @@ static CURLcode nss_fail_connect(struct ssl_connect_data *connssl,`
			`/* cleanup on connection failure */`
			`Curl_llist_destroy(connssl->obj_list, NULL);`
			`connssl->obj_list = NULL;`
			`-`
			`- if((SSL_VersionRangeGet(connssl->handle, &sslver) == SECSuccess)`
			`- && (sslver.min == SSL_LIBRARY_VERSION_3_0)`
			`- && (sslver.max == SSL_LIBRARY_VERSION_TLS_1_0)`
			`- && isTLSIntoleranceError(err)) {`
			`- /* schedule reconnect through Curl_retry_request() */`
			`- data->state.ssl_connect_retry = TRUE;`
			`- infof(data, "Error in TLS handshake, trying SSLv3...\n");`
			`- return CURLE_OK;`
			`- }`
			`-`
			`return curlerr;`
			`}`

			`@@ -1434,9 +1385,6 @@ static CURLcode nss_setup_connect(struct connectdata *conn, int sockindex)`
			`infof(data, "warning: support for SSL_CBC_RANDOM_IV not compiled in\n");`
			`#endif`

			`- /* reset the flag to avoid an infinite loop */`
			`- data->state.ssl_connect_retry = FALSE;`
			`-`
			`if(data->set.ssl.cipher_list) {`
			`if(set_ciphers(data, model, data->set.ssl.cipher_list) != SECSuccess) {`
			`curlerr = CURLE_SSL_CIPHER;`
			`--`
			`2.1.0`


			`From e21cf86258c3cc2042dfb531cbf94ce2f5405d8c Mon Sep 17 00:00:00 2001`
			`From: Kamil Dudka <kdudka@redhat.com>`
			`Date: Wed, 29 Oct 2014 14:24:54 +0100`
			`Subject: [PATCH 2/2] transfer: drop the code handling the ssl_connect_retry`
			`flag`

			`Its last use has been removed by the previous commit.`

			`Upstream-commit: 276741af4ddebe0cc0d446712fb8dfdf0c140e7b`
			`Signed-off-by: Kamil Dudka <kdudka@redhat.com>`
			`---`
			`lib/transfer.c \| 12 ++++--------`
			`lib/urldata.h \| 3 ---`
			`2 files changed, 4 insertions(+), 11 deletions(-)`

			`diff --git a/lib/transfer.c b/lib/transfer.c`
			`index 330b37a..dff6838 100644`
			`--- a/lib/transfer.c`
			`+++ b/lib/transfer.c`
			`@@ -1269,8 +1269,6 @@ CURLcode Curl_pretransfer(struct SessionHandle *data)`
			`data->state.errorbuf = FALSE; /* no error has occurred */`
			`data->state.httpversion = 0; /* don't assume any particular server version */`

			`- data->state.ssl_connect_retry = FALSE;`
			`-`
			`data->state.authproblem = FALSE;`
			`data->state.authhost.want = data->set.httpauth;`
			`data->state.authproxy.want = data->set.proxyauth;`
			`@@ -1848,12 +1846,10 @@ CURLcode Curl_retry_request(struct connectdata *conn,`
			`!(conn->handler->protocol&(CURLPROTO_HTTP\|CURLPROTO_RTSP)))`
			`return CURLE_OK;`

			`- if(/* workaround for broken TLS servers */ data->state.ssl_connect_retry \|\|`
			`- ((data->req.bytecount +`
			`- data->req.headerbytecount == 0) &&`
			`- conn->bits.reuse &&`
			`- !data->set.opt_no_body &&`
			`- data->set.rtspreq != RTSPREQ_RECEIVE)) {`
			`+ if((data->req.bytecount + data->req.headerbytecount == 0) &&`
			`+ conn->bits.reuse &&`
			`+ !data->set.opt_no_body &&`
			`+ (data->set.rtspreq != RTSPREQ_RECEIVE)) {`
			`/* We got no data, we attempted to re-use a connection and yet we want a`
			`"body". This might happen if the connection was left alive when we were`
			`done using it before, but that was closed when we wanted to read from`
			`diff --git a/lib/urldata.h b/lib/urldata.h`
			`index c91bcff..04f590d 100644`
			`--- a/lib/urldata.h`
			`+++ b/lib/urldata.h`
			`@@ -1288,9 +1288,6 @@ struct UrlState {`
			`} proto;`
			`/* current user of this SessionHandle instance, or NULL */`
			`struct connectdata *current_conn;`
			`-`
			`- /* if true, force SSL connection retry (workaround for certain servers) */`
			`- bool ssl_connect_retry;`
			`};`


			`--`
			`2.1.0`