base/SOURCES/0021-curl-7.29.0-67061e3f.p...

From 6c5bb879f09c490ad9aebf50670cbe546d0aba4a Mon Sep 17 00:00:00 2001
From: Kamil Dudka <kdudka@redhat.com>
Date: Fri, 7 Mar 2014 13:02:03 +0100
Subject: [PATCH 1/3] nss: do not enable AES cipher-suites by default

... but allow them to be enabled/disabled explicitly.  The default
policy should be maintained at the NSS level.

Upstream-commit: b4f6cd46eb1b5a98573e0c0e619dc71646affdc8
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
 lib/nss.c | 27 ++++-----------------------
 1 file changed, 4 insertions(+), 23 deletions(-)

diff --git a/lib/nss.c b/lib/nss.c
index abc8a91..289c55b 100644
--- a/lib/nss.c
+++ b/lib/nss.c
@@ -122,6 +122,10 @@ static const cipher_s cipherlist[] = {
   {"rsa_des_56_sha",             TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA},
   {"rsa_rc4_56_sha",             TLS_RSA_EXPORT1024_WITH_RC4_56_SHA},
   /* AES ciphers. */
+  {"dhe_dss_aes_128_cbc_sha",    TLS_DHE_DSS_WITH_AES_128_CBC_SHA},
+  {"dhe_dss_aes_256_cbc_sha",    TLS_DHE_DSS_WITH_AES_256_CBC_SHA},
+  {"dhe_rsa_aes_128_cbc_sha",    TLS_DHE_RSA_WITH_AES_128_CBC_SHA},
+  {"dhe_rsa_aes_256_cbc_sha",    TLS_DHE_RSA_WITH_AES_256_CBC_SHA},
   {"rsa_aes_128_sha",            TLS_RSA_WITH_AES_128_CBC_SHA},
   {"rsa_aes_256_sha",            TLS_RSA_WITH_AES_256_CBC_SHA},
   /* ECC ciphers. */
@@ -152,18 +156,6 @@ static const cipher_s cipherlist[] = {
   {"ecdh_anon_aes_256_sha",      TLS_ECDH_anon_WITH_AES_256_CBC_SHA},
 };
 
-/* following ciphers are new in NSS 3.4 and not enabled by default, therefore
-   they are enabled explicitly */
-static const int enable_ciphers_by_default[] = {
-  TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
-  TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
-  TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
-  TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
-  TLS_RSA_WITH_AES_128_CBC_SHA,
-  TLS_RSA_WITH_AES_256_CBC_SHA,
-  SSL_NULL_WITH_NULL_NULL
-};
-
 static const char* pem_library = "libnsspem.so";
 SECMODModule* mod = NULL;
 
@@ -1214,7 +1206,6 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex)
   curl_socket_t sockfd = conn->sock[sockindex];
   struct ssl_connect_data *connssl = &conn->ssl[sockindex];
   CURLcode curlerr;
-  const int *cipher_to_enable;
   PRSocketOptionData sock_opt;
   long time_left;
   PRUint32 timeout;
@@ -1304,16 +1295,6 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex)
   /* reset the flag to avoid an infinite loop */
   data->state.ssl_connect_retry = FALSE;
 
-  /* enable all ciphers from enable_ciphers_by_default */
-  cipher_to_enable = enable_ciphers_by_default;
-  while(SSL_NULL_WITH_NULL_NULL != *cipher_to_enable) {
-    if(SSL_CipherPrefSet(model, *cipher_to_enable, PR_TRUE) != SECSuccess) {
-      curlerr = CURLE_SSL_CIPHER;
-      goto error;
-    }
-    cipher_to_enable++;
-  }
-
   if(data->set.ssl.cipher_list) {
     if(set_ciphers(data, model, data->set.ssl.cipher_list) != SECSuccess) {
       curlerr = CURLE_SSL_CIPHER;
-- 
2.1.0


From 0dac41d2469fe2990197912f4e2d58e1de6957e6 Mon Sep 17 00:00:00 2001
From: Kamil Dudka <kdudka@redhat.com>
Date: Fri, 7 Mar 2014 13:10:54 +0100
Subject: [PATCH 2/3] nss: allow to enable/disable new HMAC-SHA256
 cipher-suites

... if built against a new enough version of NSS

Upstream-commit: c864d81289297b04dbbca14e3c5307ef15e6f258
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
 lib/nss.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/lib/nss.c b/lib/nss.c
index 289c55b..ea0d4ef 100644
--- a/lib/nss.c
+++ b/lib/nss.c
@@ -154,6 +154,16 @@ static const cipher_s cipherlist[] = {
   {"ecdh_anon_3des_sha",         TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA},
   {"ecdh_anon_aes_128_sha",      TLS_ECDH_anon_WITH_AES_128_CBC_SHA},
   {"ecdh_anon_aes_256_sha",      TLS_ECDH_anon_WITH_AES_256_CBC_SHA},
+#ifdef TLS_RSA_WITH_NULL_SHA256
+  /* new HMAC-SHA256 cipher suites specified in RFC */
+  {"rsa_null_sha_256",                TLS_RSA_WITH_NULL_SHA256},
+  {"rsa_aes_128_cbc_sha_256",         TLS_RSA_WITH_AES_128_CBC_SHA256},
+  {"rsa_aes_256_cbc_sha_256",         TLS_RSA_WITH_AES_256_CBC_SHA256},
+  {"dhe_rsa_aes_128_cbc_sha_256",     TLS_DHE_RSA_WITH_AES_128_CBC_SHA256},
+  {"dhe_rsa_aes_256_cbc_sha_256",     TLS_DHE_RSA_WITH_AES_256_CBC_SHA256},
+  {"ecdhe_ecdsa_aes_128_cbc_sha_256", TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256},
+  {"ecdhe_rsa_aes_128_cbc_sha_256",   TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256},
+#endif
 };
 
 static const char* pem_library = "libnsspem.so";
-- 
2.1.0


From f9c89d4cf767a7e2ae39ae668ec30a71513a3d98 Mon Sep 17 00:00:00 2001
From: Kamil Dudka <kdudka@redhat.com>
Date: Fri, 7 Mar 2014 13:14:08 +0100
Subject: [PATCH 3/3] nss: allow to enable/disable new AES GCM cipher-suites

... if built against a new enough version of NSS

Upstream-commit: 67061e3f4ec1c2f3b4bb02bbe2d91ccdeb147c60
Signed-off-by: Kamil Dudka <kdudka@redhat.com>
---
 lib/nss.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/lib/nss.c b/lib/nss.c
index ea0d4ef..1381dc4 100644
--- a/lib/nss.c
+++ b/lib/nss.c
@@ -164,6 +164,16 @@ static const cipher_s cipherlist[] = {
   {"ecdhe_ecdsa_aes_128_cbc_sha_256", TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256},
   {"ecdhe_rsa_aes_128_cbc_sha_256",   TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256},
 #endif
+#ifdef TLS_RSA_WITH_AES_128_GCM_SHA256
+  /* AES GCM cipher suites in RFC 5288 and RFC 5289 */
+  {"rsa_aes_128_gcm_sha_256",         TLS_RSA_WITH_AES_128_GCM_SHA256},
+  {"dhe_rsa_aes_128_gcm_sha_256",     TLS_DHE_RSA_WITH_AES_128_GCM_SHA256},
+  {"dhe_dss_aes_128_gcm_sha_256",     TLS_DHE_DSS_WITH_AES_128_GCM_SHA256},
+  {"ecdhe_ecdsa_aes_128_gcm_sha_256", TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
+  {"ecdh_ecdsa_aes_128_gcm_sha_256",  TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256},
+  {"ecdhe_rsa_aes_128_gcm_sha_256",   TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
+  {"ecdh_rsa_aes_128_gcm_sha_256",    TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256},
+#endif
 };
 
 static const char* pem_library = "libnsspem.so";
-- 
2.1.0
curl package update Signed-off-by: basebuilder_pel7x64builder0 <basebuilder@powerel.org> 6 years ago			`From 6c5bb879f09c490ad9aebf50670cbe546d0aba4a Mon Sep 17 00:00:00 2001`
			`From: Kamil Dudka <kdudka@redhat.com>`
			`Date: Fri, 7 Mar 2014 13:02:03 +0100`
			`Subject: [PATCH 1/3] nss: do not enable AES cipher-suites by default`

			`... but allow them to be enabled/disabled explicitly. The default`
			`policy should be maintained at the NSS level.`

			`Upstream-commit: b4f6cd46eb1b5a98573e0c0e619dc71646affdc8`
			`Signed-off-by: Kamil Dudka <kdudka@redhat.com>`
			`---`
			`lib/nss.c \| 27 ++++-----------------------`
			`1 file changed, 4 insertions(+), 23 deletions(-)`

			`diff --git a/lib/nss.c b/lib/nss.c`
			`index abc8a91..289c55b 100644`
			`--- a/lib/nss.c`
			`+++ b/lib/nss.c`
			`@@ -122,6 +122,10 @@ static const cipher_s cipherlist[] = {`
			`{"rsa_des_56_sha", TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA},`
			`{"rsa_rc4_56_sha", TLS_RSA_EXPORT1024_WITH_RC4_56_SHA},`
			`/* AES ciphers. */`
			`+ {"dhe_dss_aes_128_cbc_sha", TLS_DHE_DSS_WITH_AES_128_CBC_SHA},`
			`+ {"dhe_dss_aes_256_cbc_sha", TLS_DHE_DSS_WITH_AES_256_CBC_SHA},`
			`+ {"dhe_rsa_aes_128_cbc_sha", TLS_DHE_RSA_WITH_AES_128_CBC_SHA},`
			`+ {"dhe_rsa_aes_256_cbc_sha", TLS_DHE_RSA_WITH_AES_256_CBC_SHA},`
			`{"rsa_aes_128_sha", TLS_RSA_WITH_AES_128_CBC_SHA},`
			`{"rsa_aes_256_sha", TLS_RSA_WITH_AES_256_CBC_SHA},`
			`/* ECC ciphers. */`
			`@@ -152,18 +156,6 @@ static const cipher_s cipherlist[] = {`
			`{"ecdh_anon_aes_256_sha", TLS_ECDH_anon_WITH_AES_256_CBC_SHA},`
			`};`

			`-/* following ciphers are new in NSS 3.4 and not enabled by default, therefore`
			`- they are enabled explicitly */`
			`-static const int enable_ciphers_by_default[] = {`
			`- TLS_DHE_DSS_WITH_AES_128_CBC_SHA,`
			`- TLS_DHE_DSS_WITH_AES_256_CBC_SHA,`
			`- TLS_DHE_RSA_WITH_AES_128_CBC_SHA,`
			`- TLS_DHE_RSA_WITH_AES_256_CBC_SHA,`
			`- TLS_RSA_WITH_AES_128_CBC_SHA,`
			`- TLS_RSA_WITH_AES_256_CBC_SHA,`
			`- SSL_NULL_WITH_NULL_NULL`
			`-};`
			`-`
			`static const char* pem_library = "libnsspem.so";`
			`SECMODModule* mod = NULL;`

			`@@ -1214,7 +1206,6 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex)`
			`curl_socket_t sockfd = conn->sock[sockindex];`
			`struct ssl_connect_data *connssl = &conn->ssl[sockindex];`
			`CURLcode curlerr;`
			`- const int *cipher_to_enable;`
			`PRSocketOptionData sock_opt;`
			`long time_left;`
			`PRUint32 timeout;`
			`@@ -1304,16 +1295,6 @@ CURLcode Curl_nss_connect(struct connectdata *conn, int sockindex)`
			`/* reset the flag to avoid an infinite loop */`
			`data->state.ssl_connect_retry = FALSE;`

			`- /* enable all ciphers from enable_ciphers_by_default */`
			`- cipher_to_enable = enable_ciphers_by_default;`
			`- while(SSL_NULL_WITH_NULL_NULL != *cipher_to_enable) {`
			`- if(SSL_CipherPrefSet(model, *cipher_to_enable, PR_TRUE) != SECSuccess) {`
			`- curlerr = CURLE_SSL_CIPHER;`
			`- goto error;`
			`- }`
			`- cipher_to_enable++;`
			`- }`
			`-`
			`if(data->set.ssl.cipher_list) {`
			`if(set_ciphers(data, model, data->set.ssl.cipher_list) != SECSuccess) {`
			`curlerr = CURLE_SSL_CIPHER;`
			`--`
			`2.1.0`


			`From 0dac41d2469fe2990197912f4e2d58e1de6957e6 Mon Sep 17 00:00:00 2001`
			`From: Kamil Dudka <kdudka@redhat.com>`
			`Date: Fri, 7 Mar 2014 13:10:54 +0100`
			`Subject: [PATCH 2/3] nss: allow to enable/disable new HMAC-SHA256`
			`cipher-suites`

			`... if built against a new enough version of NSS`

			`Upstream-commit: c864d81289297b04dbbca14e3c5307ef15e6f258`
			`Signed-off-by: Kamil Dudka <kdudka@redhat.com>`
			`---`
			`lib/nss.c \| 10 ++++++++++`
			`1 file changed, 10 insertions(+)`

			`diff --git a/lib/nss.c b/lib/nss.c`
			`index 289c55b..ea0d4ef 100644`
			`--- a/lib/nss.c`
			`+++ b/lib/nss.c`
			`@@ -154,6 +154,16 @@ static const cipher_s cipherlist[] = {`
			`{"ecdh_anon_3des_sha", TLS_ECDH_anon_WITH_3DES_EDE_CBC_SHA},`
			`{"ecdh_anon_aes_128_sha", TLS_ECDH_anon_WITH_AES_128_CBC_SHA},`
			`{"ecdh_anon_aes_256_sha", TLS_ECDH_anon_WITH_AES_256_CBC_SHA},`
			`+#ifdef TLS_RSA_WITH_NULL_SHA256`
			`+ /* new HMAC-SHA256 cipher suites specified in RFC */`
			`+ {"rsa_null_sha_256", TLS_RSA_WITH_NULL_SHA256},`
			`+ {"rsa_aes_128_cbc_sha_256", TLS_RSA_WITH_AES_128_CBC_SHA256},`
			`+ {"rsa_aes_256_cbc_sha_256", TLS_RSA_WITH_AES_256_CBC_SHA256},`
			`+ {"dhe_rsa_aes_128_cbc_sha_256", TLS_DHE_RSA_WITH_AES_128_CBC_SHA256},`
			`+ {"dhe_rsa_aes_256_cbc_sha_256", TLS_DHE_RSA_WITH_AES_256_CBC_SHA256},`
			`+ {"ecdhe_ecdsa_aes_128_cbc_sha_256", TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256},`
			`+ {"ecdhe_rsa_aes_128_cbc_sha_256", TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256},`
			`+#endif`
			`};`

			`static const char* pem_library = "libnsspem.so";`
			`--`
			`2.1.0`


			`From f9c89d4cf767a7e2ae39ae668ec30a71513a3d98 Mon Sep 17 00:00:00 2001`
			`From: Kamil Dudka <kdudka@redhat.com>`
			`Date: Fri, 7 Mar 2014 13:14:08 +0100`
			`Subject: [PATCH 3/3] nss: allow to enable/disable new AES GCM cipher-suites`

			`... if built against a new enough version of NSS`

			`Upstream-commit: 67061e3f4ec1c2f3b4bb02bbe2d91ccdeb147c60`
			`Signed-off-by: Kamil Dudka <kdudka@redhat.com>`
			`---`
			`lib/nss.c \| 10 ++++++++++`
			`1 file changed, 10 insertions(+)`

			`diff --git a/lib/nss.c b/lib/nss.c`
			`index ea0d4ef..1381dc4 100644`
			`--- a/lib/nss.c`
			`+++ b/lib/nss.c`
			`@@ -164,6 +164,16 @@ static const cipher_s cipherlist[] = {`
			`{"ecdhe_ecdsa_aes_128_cbc_sha_256", TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256},`
			`{"ecdhe_rsa_aes_128_cbc_sha_256", TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256},`
			`#endif`
			`+#ifdef TLS_RSA_WITH_AES_128_GCM_SHA256`
			`+ /* AES GCM cipher suites in RFC 5288 and RFC 5289 */`
			`+ {"rsa_aes_128_gcm_sha_256", TLS_RSA_WITH_AES_128_GCM_SHA256},`
			`+ {"dhe_rsa_aes_128_gcm_sha_256", TLS_DHE_RSA_WITH_AES_128_GCM_SHA256},`
			`+ {"dhe_dss_aes_128_gcm_sha_256", TLS_DHE_DSS_WITH_AES_128_GCM_SHA256},`
			`+ {"ecdhe_ecdsa_aes_128_gcm_sha_256", TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},`
			`+ {"ecdh_ecdsa_aes_128_gcm_sha_256", TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256},`
			`+ {"ecdhe_rsa_aes_128_gcm_sha_256", TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},`
			`+ {"ecdh_rsa_aes_128_gcm_sha_256", TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256},`
			`+#endif`
			`};`

			`static const char* pem_library = "libnsspem.so";`
			`--`
			`2.1.0`