From b9027004c3b739cf0088b2f3ab7618dd5faa630a Mon Sep 17 00:00:00 2001
From: Kamil Dudka <kdudka@fedoraproject.org>
Date: Wed, 18 Mar 2009 17:01:02 +0000
Subject: [PATCH] enable 6 additional crypto algorithms by default (#436781)

---
 curl-7.19.4-enable-aes.patch | 47 ++++++++++++++++++++++++++++++++++++
 curl.spec                    |  8 +++++-
 2 files changed, 54 insertions(+), 1 deletion(-)
 create mode 100644 curl-7.19.4-enable-aes.patch

diff --git a/curl-7.19.4-enable-aes.patch b/curl-7.19.4-enable-aes.patch
new file mode 100644
index 0000000..06351d8
--- /dev/null
+++ b/curl-7.19.4-enable-aes.patch
@@ -0,0 +1,47 @@
+diff -ruNp curl.orig/lib/nss.c curl/lib/nss.c
+--- curl.orig/lib/nss.c	2009-03-04 17:54:28.459240000 +0100
++++ curl/lib/nss.c	2009-03-18 11:38:34.245797020 +0100
+@@ -162,6 +162,18 @@ static const cipher_s cipherlist[] = {
+ #endif
+ };
+ 
++/* following ciphers are new in NSS 3.4 and not enabled by default, therefor
++   they are enabled explicitly */
++static const int enable_ciphers_by_default[] = {
++  TLS_DHE_DSS_WITH_AES_128_CBC_SHA,
++  TLS_DHE_DSS_WITH_AES_256_CBC_SHA,
++  TLS_DHE_RSA_WITH_AES_128_CBC_SHA,
++  TLS_DHE_RSA_WITH_AES_256_CBC_SHA,
++  TLS_RSA_WITH_AES_128_CBC_SHA,
++  TLS_RSA_WITH_AES_256_CBC_SHA,
++  SSL_NULL_WITH_NULL_NULL
++};
++
+ #ifdef HAVE_PK11_CREATEGENERICOBJECT
+ static const char* pem_library = "libnsspem.so";
+ #endif
+@@ -954,6 +966,7 @@ CURLcode Curl_nss_connect(struct connect
+ #endif
+   char *certDir = NULL;
+   int curlerr;
++  const int *cipher_to_enable;
+ 
+   curlerr = CURLE_SSL_CONNECT_ERROR;
+ 
+@@ -1057,6 +1070,16 @@ CURLcode Curl_nss_connect(struct connect
+   if(SSL_OptionSet(model, SSL_V2_COMPATIBLE_HELLO, ssl2) != SECSuccess)
+     goto error;
+ 
++  /* enable all ciphers from enable_ciphers_by_default */
++  cipher_to_enable = enable_ciphers_by_default;
++  while (SSL_NULL_WITH_NULL_NULL != *cipher_to_enable) {
++    if (SSL_CipherPrefSet(model, *cipher_to_enable, PR_TRUE) != SECSuccess) {
++      curlerr = CURLE_SSL_CIPHER;
++      goto error;
++    }
++    cipher_to_enable++;
++  }
++
+   if(data->set.ssl.cipher_list) {
+     if(set_ciphers(data, model, data->set.ssl.cipher_list) != SECSuccess) {
+       curlerr = CURLE_SSL_CIPHER;
diff --git a/curl.spec b/curl.spec
index 68851ad..7ef1593 100644
--- a/curl.spec
+++ b/curl.spec
@@ -1,7 +1,7 @@
 Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
 Name: curl
 Version: 7.19.4
-Release: 4%{?dist}
+Release: 5%{?dist}
 License: MIT
 Group: Applications/Internet
 Source: http://curl.haxx.se/download/%{name}-%{version}.tar.bz2
@@ -9,6 +9,7 @@ Patch1: curl-7.15.3-multilib.patch
 Patch2: curl-7.16.0-privlibs.patch
 Patch3: curl-7.17.1-badsocket.patch
 Patch4: curl-7.19.4-tool-leak.patch
+Patch5: curl-7.19.4-enable-aes.patch
 Provides: webclient
 URL: http://curl.haxx.se/
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -54,6 +55,7 @@ use cURL's capabilities internally.
 %patch2 -p1 -b .privlibs
 %patch3 -p1 -b .badsocket
 %patch4 -p1 -b .toolleak
+%patch5 -p1 -b .enableaes
 
 # Convert docs to UTF-8
 for f in CHANGES README; do
@@ -145,6 +147,10 @@ rm -rf $RPM_BUILD_ROOT
 %{_datadir}/aclocal/libcurl.m4
 
 %changelog
+* Wed Mar 18 2009 Kamil Dudka <kdudka@redhat.com> 7.19.4-5
+- enable 6 additional crypto algorithms by default (#436781,
+  accepted by upstream)
+
 * Thu Mar 12 2009 Kamil Dudka <kdudka@redhat.com> 7.19.4-4
 - fix memory leak in src/main.c (accepted by upstream)
 - avoid using %ifarch