diff --git a/0001-curl-7.37.0-7c215585.patch b/0001-curl-7.37.0-7c215585.patch
new file mode 100644
index 0000000..abad04d
--- /dev/null
+++ b/0001-curl-7.37.0-7c215585.patch
@@ -0,0 +1,136 @@
+From e5a68a65cd567b74573e686bb5f773b482997397 Mon Sep 17 00:00:00 2001
+From: Kamil Dudka
+Date: Wed, 2 Jul 2014 17:37:43 +0200
+Subject: [PATCH 1/3] nss: do not abort on connection failure
+
+... due to calling SSL_VersionRangeGet() with NULL file descriptor
+
+reported-by: upstream tests 305 and 404
+
+[upstream commit 7c21558503cbb10595c345acc7820cb9dc8741d6]
+
+Signed-off-by: Kamil Dudka
+---
+ lib/vtls/nss.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c
+index c1eec41..1e41795 100644
+--- a/lib/vtls/nss.c
++++ b/lib/vtls/nss.c
+@@ -1396,7 +1396,8 @@ static CURLcode nss_fail_connect(struct ssl_connect_data *connssl,
+ Curl_llist_destroy(connssl->obj_list, NULL);
+ connssl->obj_list = NULL;
+
+- if((SSL_VersionRangeGet(connssl->handle, &sslver) == SECSuccess)
++ if(connssl->handle
++ && (SSL_VersionRangeGet(connssl->handle, &sslver) == SECSuccess)
+ && (sslver.min == SSL_LIBRARY_VERSION_3_0)
+ && (sslver.max == SSL_LIBRARY_VERSION_TLS_1_0)
+ && isTLSIntoleranceError(err)) {
+--
+1.9.3
+
+
+From b86de77eda043787edae78c07179f1c06c8c5060 Mon Sep 17 00:00:00 2001
+From: Kamil Dudka
+Date: Wed, 2 Jul 2014 17:49:37 +0200
+Subject: [PATCH 2/3] nss: make the fallback to SSLv3 work again
+
+This feature was unintentionally disabled by commit ff92fcfb.
+
+[upstream commit 7581dee10aedeb96231dd24e187ff5426fc72469]
+
+Signed-off-by: Kamil Dudka
+---
+ lib/vtls/nss.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c
+index 1e41795..3613b40 100644
+--- a/lib/vtls/nss.c
++++ b/lib/vtls/nss.c
+@@ -1315,6 +1315,7 @@ static CURLcode nss_init_sslver(SSLVersionRange *sslver,
+ switch (data->set.ssl.version) {
+ default:
+ case CURL_SSLVERSION_DEFAULT:
++ sslver->min = SSL_LIBRARY_VERSION_3_0;
+ if(data->state.ssl_connect_retry) {
+ infof(data, "TLS disabled due to previous handshake failure\n");
+ sslver->max = SSL_LIBRARY_VERSION_3_0;
+@@ -1323,7 +1324,6 @@ static CURLcode nss_init_sslver(SSLVersionRange *sslver,
+ /* intentional fall-through to default to highest TLS version if possible */
+
+ case CURL_SSLVERSION_TLSv1:
+- sslver->min = SSL_LIBRARY_VERSION_TLS_1_0;
+ #ifdef SSL_LIBRARY_VERSION_TLS_1_2
+ sslver->max = SSL_LIBRARY_VERSION_TLS_1_2;
+ #elif defined SSL_LIBRARY_VERSION_TLS_1_1
+@@ -1399,7 +1399,7 @@ static CURLcode nss_fail_connect(struct ssl_connect_data *connssl,
+ if(connssl->handle
+ && (SSL_VersionRangeGet(connssl->handle, &sslver) == SECSuccess)
+ && (sslver.min == SSL_LIBRARY_VERSION_3_0)
+- && (sslver.max == SSL_LIBRARY_VERSION_TLS_1_0)
++ && (sslver.max != SSL_LIBRARY_VERSION_3_0)
+ && isTLSIntoleranceError(err)) {
+ /* schedule reconnect through Curl_retry_request() */
+ data->state.ssl_connect_retry = TRUE;
+@@ -1437,7 +1437,7 @@ static CURLcode nss_setup_connect(struct connectdata *conn, int sockindex)
+ CURLcode curlerr;
+
+ SSLVersionRange sslver = {
+- SSL_LIBRARY_VERSION_3_0, /* min */
++ SSL_LIBRARY_VERSION_TLS_1_0, /* min */
+ SSL_LIBRARY_VERSION_TLS_1_0 /* max */
+ };
+
+--
+1.9.3
+
+
+From dd54a5dad0b91c6a626912cc83123f103fa63746 Mon Sep 17 00:00:00 2001
+From: Kamil Dudka
+Date: Wed, 2 Jul 2014 16:34:48 +0200
+Subject: [PATCH 3/3] tool: call PR_Cleanup() on exit if NSPR is used
+
+This prevents valgrind from reporting possibly lost memory that NSPR
+uses for file descriptor cache and other globally allocated internal
+data structures.
+
+[upstream commit 24c3cdce88f39731506c287cb276e8bf4a1ce393]
+
+Signed-off-by: Kamil Dudka
+---
+ src/tool_main.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/src/tool_main.c b/src/tool_main.c
+index ef96dc3..dc980e0 100644
+--- a/src/tool_main.c
++++ b/src/tool_main.c
+@@ -27,6 +27,10 @@
+ #include
+ #endif
+
++#ifdef USE_NSS
++#include
++#endif
++
+ #define ENABLE_CURLX_PRINTF
+ /* use our own printf() functions */
+ #include "curlx.h"
+@@ -205,6 +209,11 @@ static void main_free(struct GlobalConfig *config)
+ curl_global_cleanup();
+ convert_cleanup();
+ metalink_cleanup();
++#ifdef USE_NSS
++ if(PR_Initialized())
++ /* prevent valgrind from reporting possibly lost memory (fd cache, ...) */
++ PR_Cleanup();
++#endif
+ free_config_fields(config);
+
+ /* Free the config structures */
+--
+1.9.3
+
diff --git a/curl.spec b/curl.spec
index 19effb6..0ff595f 100644
--- a/curl.spec
+++ b/curl.spec
@@ -1,12 +1,15 @@
 Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
 Name: curl
 Version: 7.37.0
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: MIT
 Group: Applications/Internet
 Source: http://curl.haxx.se/download/%{name}-%{version}.tar.lzma
 Source2: curlbuild.h
+# various SSL-related fixes (mainly crash on connection failure)
+Patch1: 0001-curl-7.37.0-7c215585.patch
+
 # patch making libcurl multilib ready
 Patch101: 0101-curl-7.32.0-multilib.patch
@@ -119,6 +122,7 @@ documentation of the library, too.
 %setup -q
 # upstream patches
+%patch1 -p1
 # Fedora patches
 %patch101 -p1
@@ -240,6 +244,9 @@ rm -rf $RPM_BUILD_ROOT
 %{_datadir}/aclocal/libcurl.m4
 %changelog
+* Fri Jul 04 2014 Kamil Dudka 7.37.0-3
+- various SSL-related fixes (mainly crash on connection failure)
+
 * Sat Jun 07 2014 Fedora Release Engineering - 7.37.0-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
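Review bot: The second inner patch makes `sslver->min = SSL_LIBRARY_VERSION_3_0` the default in `nss_init_sslver` and re-enables the `nss_fail_connect` retry that caps `max` at SSLv3 when `isTLSIntoleranceError(err)` holds, so with default settings a connection can end up on SSLv3 after any first-handshake failure that the helper (outside this hunk, so its exact criteria are not visible here) classifies as intolerance, not only when the server genuinely lacks TLS — a trade-off neither the code nor the commit message records. I would state it at the retry site: `/* NOTE: the retry lowers the next handshake to SSLv3; a failed first handshake, not only a TLS-intolerant server, reaches here */`, and make the fallback switchable by the caller rather than unconditional. In the third patch, `PR_Cleanup()` in `main_free` hangs off an unbraced `if(PR_Initialized())` with a comment between them; writing `if(PR_Initialized()) { PR_Cleanup(); }` avoids the dangling-statement trap. The bodies of `nss_init_sslver`, `nss_fail_connect` and `main_free` all start or end outside the quoted hunks.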