From e5a68a65cd567b74573e686bb5f773b482997397 Mon Sep 17 00:00:00 2001
From: Kamil Dudka
Date: Wed, 2 Jul 2014 17:37:43 +0200
Subject: [PATCH 1/3] nss: do not abort on connection failure

... due to calling SSL_VersionRangeGet() with NULL file descriptor
reported-by: upstream tests 305 and 404

[upstream commit 7c21558503cbb10595c345acc7820cb9dc8741d6]

Signed-off-by: Kamil Dudka
---
 lib/vtls/nss.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c
index c1eec41..1e41795 100644
--- a/lib/vtls/nss.c
+++ b/lib/vtls/nss.c
@@ -1396,7 +1396,8 @@ static CURLcode nss_fail_connect(struct ssl_connect_data *connssl,
 Curl_llist_destroy(connssl->obj_list, NULL);
 connssl->obj_list = NULL;
 
- if((SSL_VersionRangeGet(connssl->handle, &sslver) == SECSuccess)
+ if(connssl->handle
+ && (SSL_VersionRangeGet(connssl->handle, &sslver) == SECSuccess)
 && (sslver.min == SSL_LIBRARY_VERSION_3_0)
 && (sslver.max == SSL_LIBRARY_VERSION_TLS_1_0)
 && isTLSIntoleranceError(err)) {
-- 
1.9.3

From b86de77eda043787edae78c07179f1c06c8c5060 Mon Sep 17 00:00:00 2001
From: Kamil Dudka
Date: Wed, 2 Jul 2014 17:49:37 +0200
Subject: [PATCH 2/3] nss: make the fallback to SSLv3 work again

This feature was unintentionally disabled by commit ff92fcfb.

[upstream commit 7581dee10aedeb96231dd24e187ff5426fc72469]

Signed-off-by: Kamil Dudka
---
 lib/vtls/nss.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c
index 1e41795..3613b40 100644
--- a/lib/vtls/nss.c
+++ b/lib/vtls/nss.c
@@ -1315,6 +1315,7 @@ static CURLcode nss_init_sslver(SSLVersionRange *sslver,
 switch (data->set.ssl.version) {
 default:
 case CURL_SSLVERSION_DEFAULT:
+ sslver->min = SSL_LIBRARY_VERSION_3_0;
 if(data->state.ssl_connect_retry) {
 infof(data, "TLS disabled due to previous handshake failure\n");
 sslver->max = SSL_LIBRARY_VERSION_3_0;
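Review bot: The new `connssl->handle` guard makes nss_fail_connect take the no-retry path silently when the handle is NULL, and nothing in the hunk says why a NULL handle can reach this point. A one-line comment above the `if` would spare the next reader the same investigation, e.g. `/* handle is still NULL when the failure happened before the SSL socket was set up; nothing to inspect then */` — the point at which handle is assigned is outside this hunk, so confirm the wording against nss_setup_connect. nss_fail_connect starts and ends outside the hunk.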
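Review bot: With `sslver->min = SSL_LIBRARY_VERSION_3_0;` the CURL_SSLVERSION_DEFAULT range now admits SSLv3, and the retry branch right below narrows the range to SSLv3 only whenever the previous handshake was classified as TLS intolerance — a classification derived from what the peer sent, so an on-path attacker who can break the first handshake can steer a default connection onto SSLv3. That is presumably the intended behaviour of the fallback this commit restores, but it deserves a comment here so it is not mistaken for an accident, e.g. `/* default range allows SSLv3; a TLS-intolerance failure retries with SSLv3 only (see nss_fail_connect) */`. nss_init_sslver starts before the hunk and continues past it.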
@@ -1323,7 +1324,6 @@ static CURLcode nss_init_sslver(SSLVersionRange *sslver,
 /* intentional fall-through to default to highest TLS version if possible */
 
 case CURL_SSLVERSION_TLSv1:
- sslver->min = SSL_LIBRARY_VERSION_TLS_1_0;
 #ifdef SSL_LIBRARY_VERSION_TLS_1_2
 sslver->max = SSL_LIBRARY_VERSION_TLS_1_2;
 #elif defined SSL_LIBRARY_VERSION_TLS_1_1
@@ -1399,7 +1399,7 @@ static CURLcode nss_fail_connect(struct ssl_connect_data *connssl,
 if(connssl->handle
 && (SSL_VersionRangeGet(connssl->handle, &sslver) == SECSuccess)
 && (sslver.min == SSL_LIBRARY_VERSION_3_0)
- && (sslver.max == SSL_LIBRARY_VERSION_TLS_1_0)
+ && (sslver.max != SSL_LIBRARY_VERSION_3_0)
 && isTLSIntoleranceError(err)) {
 /* schedule reconnect through Curl_retry_request() */
 data->state.ssl_connect_retry = TRUE;
@@ -1437,7 +1437,7 @@ static CURLcode nss_setup_connect(struct connectdata *conn, int sockindex)
 CURLcode curlerr;
 
 SSLVersionRange sslver = {
- SSL_LIBRARY_VERSION_3_0, /* min */
+ SSL_LIBRARY_VERSION_TLS_1_0, /* min */
 SSL_LIBRARY_VERSION_TLS_1_0 /* max */
 };
 
-- 
1.9.3

From dd54a5dad0b91c6a626912cc83123f103fa63746 Mon Sep 17 00:00:00 2001
From: Kamil Dudka
Date: Wed, 2 Jul 2014 16:34:48 +0200
Subject: [PATCH 3/3] tool: call PR_Cleanup() on exit if NSPR is used

This prevents valgrind from reporting possibly lost memory that NSPR uses for file descriptor cache and other globally allocated internal data structures.

[upstream commit 24c3cdce88f39731506c287cb276e8bf4a1ce393]

Signed-off-by: Kamil Dudka
---
 src/tool_main.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/src/tool_main.c b/src/tool_main.c
index ef96dc3..dc980e0 100644
--- a/src/tool_main.c
+++ b/src/tool_main.c
@@ -27,6 +27,10 @@
 #include
 #endif
 
+#ifdef USE_NSS
+#include
+#endif
+
 #define ENABLE_CURLX_PRINTF
 /* use our own printf() functions */
 #include "curlx.h"
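Review bot: Dropping `sslver->min = SSL_LIBRARY_VERSION_TLS_1_0;` from the CURL_SSLVERSION_TLSv1 case leaves `min` at whatever the caller put in the struct, so the TLSv1 policy is now only correct because nss_setup_connect's initializer (changed later in this same patch) pre-sets min to TLS 1.0 — a coupling a reader of this switch cannot see. State it on the case label, e.g. `/* min stays at the caller's TLS 1.0 initializer (see nss_setup_connect); only the DEFAULT path above lowers it to SSLv3 */`. nss_init_sslver starts before the hunk and continues after it.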
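Review bot: The condition `(sslver.min == SSL_LIBRARY_VERSION_3_0) && (sslver.max != SSL_LIBRARY_VERSION_3_0)` is really a test for "first attempt with the CURL_SSLVERSION_DEFAULT range", but it reads as a generic version check and would also fire for any future policy that happens to produce the same range. Document the intent next to it, e.g. `/* only the default SSLv3..TLS range falls back to SSLv3; an explicit SSLv3-only or TLS-only policy never retries */` — an SSLv3-only policy presumably sets max to 3.0 and is thereby excluded, but that case is outside the hunk, so confirm. nss_fail_connect starts and ends outside the hunk.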
@@ -205,6 +209,11 @@ static void main_free(struct GlobalConfig *config)
 curl_global_cleanup();
 convert_cleanup();
 metalink_cleanup();
+#ifdef USE_NSS
+ if(PR_Initialized())
+ /* prevent valgrind from reporting possibly lost memory (fd cache, ...) */
+ PR_Cleanup();
+#endif
 free_config_fields(config);
 
 /* Free the config structures */
-- 
1.9.3
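Review bot: `PR_Cleanup()` shuts NSPR down process-wide, so the new block is only safe because it runs after `curl_global_cleanup()` (which presumably releases the NSS/NSPR objects libcurl holds) and because main_free is the tool's exit path; neither constraint is stated, and moving the block above `curl_global_cleanup()` would turn it into a use-after-cleanup. I would make the ordering explicit in the comment, e.g. `/* must stay after curl_global_cleanup(): PR_Cleanup() tears NSPR down process-wide */`, and brace the `if` body since the comment now sits between the condition and its single statement. The PRStatus returned by `PR_Cleanup()` is also ignored, which is acceptable at exit but worth a word in the same comment. main_free continues past the hunk.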