Resolves: #1396719 - map CURL_SSLVERSION_DEFAULT to NSS default, add support for TLS 1.3

2016-11-21 09:54:16 +01:00 · 2016-11-21 09:54:16 +01:00 · c38149da81
parent 40b1d9916f
commit c38149da81
2 changed files with 293 additions and 1 deletions
--- a/0003-curl-7.51.0-tls-version.patch
+++ b/0003-curl-7.51.0-tls-version.patch
@ -0,0 +1,285 @@
+From 53782619bae773a4034bc53b3b0bd858f90190dc Mon Sep 17 00:00:00 2001
+From: Kamil Dudka <kdudka@redhat.com>
+Date: Thu, 27 Oct 2016 14:27:25 +0200
+Subject: [PATCH 1/4] nss: map CURL_SSLVERSION_DEFAULT to NSS default
+
+... but make sure we use at least TLSv1.0 according to libcurl API
+
+Reported-by: Cure53
+Reviewed-by: Ray Satiro
+
+Upstream-commit: 5d45ced7a45ea38e32f1cbf73d7c63a3e4f241e7
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ lib/vtls/nss.c | 14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c
+index dff1575..5abb574 100644
+--- a/lib/vtls/nss.c
+++ b/lib/vtls/nss.c
+@@ -1489,10 +1489,18 @@ static CURLcode nss_init_sslver(SSLVersionRange *sslver,
+                                 struct Curl_easy *data)
+ {
+   switch(data->set.ssl.version) {
+-  default:
+   case CURL_SSLVERSION_DEFAULT:
+    /* map CURL_SSLVERSION_DEFAULT to NSS default */
+    if(SSL_VersionRangeGetDefault(ssl_variant_stream, sslver) != SECSuccess)
+      return CURLE_SSL_CONNECT_ERROR;
+    /* ... but make sure we use at least TLSv1.0 according to libcurl API */
+    if(sslver->min < SSL_LIBRARY_VERSION_TLS_1_0)
+      sslver->min = SSL_LIBRARY_VERSION_TLS_1_0;
+    return CURLE_OK;
+
+   case CURL_SSLVERSION_TLSv1:
+     sslver->min = SSL_LIBRARY_VERSION_TLS_1_0;
+    /* TODO: set sslver->max to SSL_LIBRARY_VERSION_TLS_1_3 once stable */
+ #ifdef SSL_LIBRARY_VERSION_TLS_1_2
+     sslver->max = SSL_LIBRARY_VERSION_TLS_1_2;
+ #elif defined SSL_LIBRARY_VERSION_TLS_1_1
+@@ -1532,6 +1540,10 @@ static CURLcode nss_init_sslver(SSLVersionRange *sslver,
+     return CURLE_OK;
+ #endif
+     break;
+
+  default:
+    /* unsupported SSL/TLS version */
+    break;
+   }
+ 
+   failf(data, "TLS minor version cannot be set");
+-- 
+2.7.4
+
+
+From 6a42abb03de6e5afe859313b236f2b776ca51722 Mon Sep 17 00:00:00 2001
+From: Kamil Dudka <kdudka@redhat.com>
+Date: Thu, 27 Oct 2016 14:57:11 +0200
+Subject: [PATCH 2/4] vtls: support TLS 1.3 via CURL_SSLVERSION_TLSv1_3
+
+Fully implemented with the NSS backend only for now.
+
+Reviewed-by: Ray Satiro
+
+Upstream-commit: 6ad3add60654182a747f5971afb40817488ef0e8
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ docs/libcurl/opts/CURLOPT_SSLVERSION.3 | 2 ++
+ docs/libcurl/symbols-in-versions       | 1 +
+ include/curl/curl.h                    | 1 +
+ lib/vtls/nss.c                         | 8 ++++++++
+ 4 files changed, 12 insertions(+)
+
+diff --git a/docs/libcurl/opts/CURLOPT_SSLVERSION.3 b/docs/libcurl/opts/CURLOPT_SSLVERSION.3
+index 2f40e46..1854af0 100644
+--- a/docs/libcurl/opts/CURLOPT_SSLVERSION.3
+++ b/docs/libcurl/opts/CURLOPT_SSLVERSION.3
+@@ -48,6 +48,8 @@ TLSv1.0 (Added in 7.34.0)
+ TLSv1.1 (Added in 7.34.0)
+ .IP CURL_SSLVERSION_TLSv1_2
+ TLSv1.2 (Added in 7.34.0)
+.IP CURL_SSLVERSION_TLSv1_3
+TLSv1.3 (Added in 7.51.1)
+ .RE
+ .SH DEFAULT
+ CURL_SSLVERSION_DEFAULT
+diff --git a/docs/libcurl/symbols-in-versions b/docs/libcurl/symbols-in-versions
+index f6365ae..a77fde4 100644
+--- a/docs/libcurl/symbols-in-versions
+++ b/docs/libcurl/symbols-in-versions
+@@ -773,6 +773,7 @@ CURL_SSLVERSION_TLSv1           7.9.2
+ CURL_SSLVERSION_TLSv1_0         7.34.0
+ CURL_SSLVERSION_TLSv1_1         7.34.0
+ CURL_SSLVERSION_TLSv1_2         7.34.0
+CURL_SSLVERSION_TLSv1_3         7.51.1
+ CURL_TIMECOND_IFMODSINCE        7.9.7
+ CURL_TIMECOND_IFUNMODSINCE      7.9.7
+ CURL_TIMECOND_LASTMOD           7.9.7
+diff --git a/include/curl/curl.h b/include/curl/curl.h
+index 9c09cb9..03fcfeb 100644
+--- a/include/curl/curl.h
+++ b/include/curl/curl.h
+@@ -1805,6 +1805,7 @@ enum {
+   CURL_SSLVERSION_TLSv1_0,
+   CURL_SSLVERSION_TLSv1_1,
+   CURL_SSLVERSION_TLSv1_2,
+  CURL_SSLVERSION_TLSv1_3,
+ 
+   CURL_SSLVERSION_LAST /* never use, keep last */
+ };
+diff --git a/lib/vtls/nss.c b/lib/vtls/nss.c
+index 5abb574..5e52727 100644
+--- a/lib/vtls/nss.c
+++ b/lib/vtls/nss.c
+@@ -1541,6 +1541,14 @@ static CURLcode nss_init_sslver(SSLVersionRange *sslver,
+ #endif
+     break;
+ 
+  case CURL_SSLVERSION_TLSv1_3:
+#ifdef SSL_LIBRARY_VERSION_TLS_1_3
+    sslver->min = SSL_LIBRARY_VERSION_TLS_1_3;
+    sslver->max = SSL_LIBRARY_VERSION_TLS_1_3;
+    return CURLE_OK;
+#endif
+    break;
+
+   default:
+     /* unsupported SSL/TLS version */
+     break;
+-- 
+2.7.4
+
+
+From d930268ab522ac7ea7ccd83671d22f57148f3d21 Mon Sep 17 00:00:00 2001
+From: Kamil Dudka <kdudka@redhat.com>
+Date: Thu, 27 Oct 2016 14:58:43 +0200
+Subject: [PATCH 3/4] curl: introduce the --tlsv1.3 option to force TLS 1.3
+
+Fully implemented with the NSS backend only for now.
+
+Reviewed-by: Ray Satiro
+
+Upstream-commit: a110a03b43057879643046538c79cc9dd20d399a
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ docs/curl.1         | 10 +++++++---
+ src/tool_getparam.c |  5 +++++
+ src/tool_help.c     |  1 +
+ src/tool_setopt.c   |  1 +
+ 4 files changed, 14 insertions(+), 3 deletions(-)
+
+diff --git a/docs/curl.1 b/docs/curl.1
+index f5375ed..e9c6150 100644
+--- a/docs/curl.1
+++ b/docs/curl.1
+@@ -176,9 +176,9 @@ HTTP 2 to negotiate HTTP 2 support with the server during https sessions.
+ .IP "-1, --tlsv1"
+ (SSL)
+ Forces curl to use TLS version 1.x when negotiating with a remote TLS server.
+-You can use options \fI--tlsv1.0\fP, \fI--tlsv1.1\fP, and \fI--tlsv1.2\fP to
+-control the TLS version more precisely (if the SSL backend in use supports such
+-a level of control).
+You can use options \fI--tlsv1.0\fP, \fI--tlsv1.1\fP, \fI--tlsv1.2\fP, and
+\fI--tlsv1.3\fP to control the TLS version more precisely (if the SSL backend
+in use supports such a level of control).
+ .IP "-2, --sslv2"
+ (SSL) Forces curl to use SSL version 2 when negotiating with a remote SSL
+ server. Sometimes curl is built without SSLv2 support. SSLv2 is widely
+@@ -1820,6 +1820,10 @@ Forces curl to use TLS version 1.1 when negotiating with a remote TLS server.
+ (SSL)
+ Forces curl to use TLS version 1.2 when negotiating with a remote TLS server.
+ (Added in 7.34.0)
+.IP "--tlsv1.3"
+(SSL)
+Forces curl to use TLS version 1.3 when negotiating with a remote TLS server.
+(Added in 7.51.1)
+ .IP "--tr-encoding"
+ (HTTP) Request a compressed Transfer-Encoding response using one of the
+ algorithms curl supports, and uncompress the data while receiving it.
+diff --git a/src/tool_getparam.c b/src/tool_getparam.c
+index 95dd455..2d16e06 100644
+--- a/src/tool_getparam.c
+++ b/src/tool_getparam.c
+@@ -190,6 +190,7 @@ static const struct LongShort aliases[]= {
+   {"10",  "tlsv1.0",                 FALSE},
+   {"11",  "tlsv1.1",                 FALSE},
+   {"12",  "tlsv1.2",                 FALSE},
+  {"13",  "tlsv1.3",                 FALSE},
+   {"2",  "sslv2",                    FALSE},
+   {"3",  "sslv3",                    FALSE},
+   {"4",  "ipv4",                     FALSE},
+@@ -1061,6 +1062,10 @@ ParameterError getparameter(char *flag,    /* f or -long-flag */
+         /* TLS version 1.2 */
+         config->ssl_version = CURL_SSLVERSION_TLSv1_2;
+         break;
+      case '3':
+        /* TLS version 1.3 */
+        config->ssl_version = CURL_SSLVERSION_TLSv1_3;
+        break;
+       }
+       break;
+     case '2':
+diff --git a/src/tool_help.c b/src/tool_help.c
+index fb428c9..9890cc8 100644
+--- a/src/tool_help.c
+++ b/src/tool_help.c
+@@ -232,6 +232,7 @@ static const char *const helptext[] = {
+   "     --tlsv1.0       Use TLSv1.0 (SSL)",
+   "     --tlsv1.1       Use TLSv1.1 (SSL)",
+   "     --tlsv1.2       Use TLSv1.2 (SSL)",
+  "     --tlsv1.3       Use TLSv1.3 (SSL)",
+   "     --trace FILE    Write a debug trace to FILE",
+   "     --trace-ascii FILE  Like --trace, but without hex output",
+   "     --trace-time    Add time stamps to trace/verbose output",
+diff --git a/src/tool_setopt.c b/src/tool_setopt.c
+index c854225..f3de09d 100644
+--- a/src/tool_setopt.c
+++ b/src/tool_setopt.c
+@@ -83,6 +83,7 @@ const NameValue setopt_nv_CURL_SSLVERSION[] = {
+   NV(CURL_SSLVERSION_TLSv1_0),
+   NV(CURL_SSLVERSION_TLSv1_1),
+   NV(CURL_SSLVERSION_TLSv1_2),
+  NV(CURL_SSLVERSION_TLSv1_3),
+   NVEND,
+ };
+ 
+-- 
+2.7.4
+
+
+From 2fce531638a12f44ea1fbc52e86ca795a3a4e4e2 Mon Sep 17 00:00:00 2001
+From: Kamil Dudka <kdudka@redhat.com>
+Date: Tue, 15 Nov 2016 12:21:00 +0100
+Subject: [PATCH 4/4] docs: the next release will be 7.52.0
+
+Upstream-commit: cfd69c133984a5df3de63b4f8c5f64885c6e33ae
+Signed-off-by: Kamil Dudka <kdudka@redhat.com>
+---
+ docs/curl.1                            | 2 +-
+ docs/libcurl/opts/CURLOPT_SSLVERSION.3 | 2 +-
+ docs/libcurl/symbols-in-versions       | 2 +-
+ 3 files changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/docs/curl.1 b/docs/curl.1
+index e9c6150..05d1a8d 100644
+--- a/docs/curl.1
+++ b/docs/curl.1
+@@ -1823,7 +1823,7 @@ Forces curl to use TLS version 1.2 when negotiating with a remote TLS server.
+ .IP "--tlsv1.3"
+ (SSL)
+ Forces curl to use TLS version 1.3 when negotiating with a remote TLS server.
+-(Added in 7.51.1)
+(Added in 7.52.0)
+ .IP "--tr-encoding"
+ (HTTP) Request a compressed Transfer-Encoding response using one of the
+ algorithms curl supports, and uncompress the data while receiving it.
+diff --git a/docs/libcurl/opts/CURLOPT_SSLVERSION.3 b/docs/libcurl/opts/CURLOPT_SSLVERSION.3
+index 1854af0..77dfcd4 100644
+--- a/docs/libcurl/opts/CURLOPT_SSLVERSION.3
+++ b/docs/libcurl/opts/CURLOPT_SSLVERSION.3
+@@ -49,7 +49,7 @@ TLSv1.1 (Added in 7.34.0)
+ .IP CURL_SSLVERSION_TLSv1_2
+ TLSv1.2 (Added in 7.34.0)
+ .IP CURL_SSLVERSION_TLSv1_3
+-TLSv1.3 (Added in 7.51.1)
+TLSv1.3 (Added in 7.52.0)
+ .RE
+ .SH DEFAULT
+ CURL_SSLVERSION_DEFAULT
+diff --git a/docs/libcurl/symbols-in-versions b/docs/libcurl/symbols-in-versions
+index a77fde4..ef730c8 100644
+--- a/docs/libcurl/symbols-in-versions
+++ b/docs/libcurl/symbols-in-versions
+@@ -773,7 +773,7 @@ CURL_SSLVERSION_TLSv1           7.9.2
+ CURL_SSLVERSION_TLSv1_0         7.34.0
+ CURL_SSLVERSION_TLSv1_1         7.34.0
+ CURL_SSLVERSION_TLSv1_2         7.34.0
+-CURL_SSLVERSION_TLSv1_3         7.51.1
+CURL_SSLVERSION_TLSv1_3         7.52.0
+ CURL_TIMECOND_IFMODSINCE        7.9.7
+ CURL_TIMECOND_IFUNMODSINCE      7.9.7
+ CURL_TIMECOND_LASTMOD           7.9.7
+-- 
+2.7.4
+
--- a/curl.spec
+++ b/curl.spec
@ -1,7 +1,7 @@
 Summary: A utility for getting files from remote servers (FTP, HTTP, and others)
 Name: curl
 Version: 7.51.0
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: MIT
 Group: Applications/Internet
 Source: http://curl.haxx.se/download/%{name}-%{version}.tar.lzma
@ -12,6 +12,9 @@ Patch1:   0001-curl-7.51.0-ssh-md5.patch
 # stricter host name checking for file:// URLs
 Patch2:   0002-curl-7.51.0-file-host.patch

+# map CURL_SSLVERSION_DEFAULT to NSS default, add support for TLS 1.3 (#1396719)
+Patch3:   0003-curl-7.51.0-tls-version.patch
+
 # patch making libcurl multilib ready
 Patch101: 0101-curl-7.32.0-multilib.patch

@ -130,6 +133,7 @@ documentation of the library, too.
 # upstream patches
 %patch1 -p1
 %patch2 -p1
+%patch3 -p1

 # Fedora patches
 %patch101 -p1
@ -237,6 +241,9 @@ rm -rf $RPM_BUILD_ROOT
 %{_datadir}/aclocal/libcurl.m4

 %changelog
+* Mon Nov 21 2016 Kamil Dudka <kdudka@redhat.com> 7.51.0-3
+- map CURL_SSLVERSION_DEFAULT to NSS default, add support for TLS 1.3 (#1396719)
+
 * Tue Nov 15 2016 Kamil Dudka <kdudka@redhat.com> 7.51.0-2
 - stricter host name checking for file:// URLs
 - ssh: check md5 fingerprints case insensitively